From 9e738a5cdeee9ee38334db53d91ee4f02a834c32 Mon Sep 17 00:00:00 2001 From: svetterIO <2234705+svetterIO@users.noreply.github.com> Date: Thu, 15 Aug 2019 17:48:23 +0200 Subject: [PATCH 1/2] 2 Features: junctions [ltpa] + junctions_servers [local_ip] +1 Function: Compare LTPA files for idempotency on junction creation +1 Feature: add local_ip as possible junction parameter + 1 typo in comment of entry.py --- .../web/reverse_proxy/configuration/entry.py | 2 +- .../isam/web/reverse_proxy/junctions.py | 20 ++++++++++++++++++- .../web/reverse_proxy/junctions_server.py | 5 ++++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/ibmsecurity/isam/web/reverse_proxy/configuration/entry.py b/ibmsecurity/isam/web/reverse_proxy/configuration/entry.py index 31009b06..1886d115 100644 --- a/ibmsecurity/isam/web/reverse_proxy/configuration/entry.py +++ b/ibmsecurity/isam/web/reverse_proxy/configuration/entry.py @@ -82,7 +82,7 @@ def set(isamAppliance, reverseproxy_id, stanza_id, entries, check_mode=False, fo """ Set a configuration entry or entries by stanza - Reverse Proxy - Note: entries has to be [['key', 'value1'], ['key', 'value2]], cannot provide [['key', ['value1', 'value2']]] + Note: entries has to be [['key', 'value1'], ['key', 'value2']], cannot provide [['key', ['value1', 'value2']]] get() returns the second format - thus lots of logic to handle this discrepancy. Smart enough to update only that which is needed. diff --git a/ibmsecurity/isam/web/reverse_proxy/junctions.py b/ibmsecurity/isam/web/reverse_proxy/junctions.py index 8fec8d67..ccf2e329 100644 --- a/ibmsecurity/isam/web/reverse_proxy/junctions.py +++ b/ibmsecurity/isam/web/reverse_proxy/junctions.py 
@@ -309,7 +309,7 @@ def set(isamAppliance, reverseproxy_id, junction_point, server_hostname, server_ http2_junction=None, http2_proxy=None, sni_name=None): """ Setting a standard or virtual junction - compares with existing junction and replaces if changes are detected - TODO: Compare all the parameters in the function - LTPA, BA are some that are not being compared + TODO: Compare all the parameters in the function - BA are some that are not being compared """ warnings = [] add_required = False @@ -500,6 +500,24 @@ def set(isamAppliance, reverseproxy_id, junction_point, server_hostname, server_ sni_name = None else: jct_json['sni_name'] = sni_name + if insert_ltpa_cookies is not None: + if insert_ltpa_cookies != 'no': + jct_json['insert_ltpa_cookies'] = insert_ltpa_cookies + + if ltpa_keyfile is not None: + jct_json['ltpa_keyfile'] = ltpa_keyfile + + if version_two_cookies is not None: + jct_json['version_two_cookies'] = version_two_cookies + + if ltpa_keyfile_password is not None: + if not force: + logger.debug("Skipping ltpa_keyfile_password for idempotency.") + warnings.append("Module can not compare ltpa_keyfile_password with server. Skipping parameter for idempotency. Force update of ltpa_keyfile_password by setting force=true.") + if 'ltpa_keyfile_password' in exist_jct: + del exist_jct['ltpa_keyfile_password'] + else: + jct_json['ltpa_keyfile_password'] = ltpa_keyfile_password # TODO: Not sure of how to match following attributes! Need to revisit. # TODO: Not all function parameters are being checked - need to add! diff --git a/ibmsecurity/isam/web/reverse_proxy/junctions_server.py b/ibmsecurity/isam/web/reverse_proxy/junctions_server.py index 86631515..f61d8876 100644 --- a/ibmsecurity/isam/web/reverse_proxy/junctions_server.py +++ b/ibmsecurity/isam/web/reverse_proxy/junctions_server.py 
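Review bot: The `if insert_ltpa_cookies != 'no':` guard silently drops the parameter when it is 'no', unlike the `ltpa_keyfile` and `version_two_cookies` checks added right below it, and nothing on the new lines says why. If the reason is that the appliance omits the attribute from the junction it returns (so sending 'no' would make the comparison with `exist_jct` differ on every run), a one-line comment would spare the next reader a trip to the API reference, e.g. `# presumably the appliance does not report insert_ltpa_cookies='no', so keep it out of jct_json for a stable comparison -- confirm`. If that is not the reason, the asymmetry with the two checks that follow looks like an oversight. set() begins before this hunk and continues after it.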
@@ -22,7 +22,7 @@ def search(isamAppliance, reverseproxy_id, junction_point, server_hostname, serv def add(isamAppliance, reverseproxy_id, junction_point, server_hostname, junction_type, server_port, server_dn=None, stateful_junction='no', case_sensitive_url='no', windows_style_url='no', virtual_hostname=None, virtual_https_hostname=None, query_contents=None, https_port=None, http_port=None, proxy_hostname=None, - proxy_port=None, sms_environment=None, vhost_label=None, server_uuid=None, check_mode=False, force=False): + proxy_port=None, sms_environment=None, vhost_label=None, server_uuid=None, local_ip=None, check_mode=False, force=False): """ Adding a back-end server to an existing standard or virtual junctions @@ -46,6 +46,7 @@ def add(isamAppliance, reverseproxy_id, junction_point, server_hostname, junctio :param sms_environment: :param vhost_label: :param server_uuid: + :param local_ip: :param check_mode: :param force: :return: @@ -89,6 +90,8 @@ def add(isamAppliance, reverseproxy_id, junction_point, server_hostname, junctio jct_srv_json["query_contents"] = query_contents if server_uuid is not None and server_uuid != '': jct_srv_json["server_uuid"] = server_uuid + if local_ip is not None and local_ip != '': + jct_srv_json['local_ip'] = local_ip return isamAppliance.invoke_put( "Adding a back-end server to an existing standard or virtual junctions", From f618ccf5d2afd17d5ed14f3870f8580322f5c5c2 Mon Sep 17 00:00:00 2001 
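Review bot: `local_ip=None` is inserted ahead of `check_mode=False, force=False` in add()'s signature, so any caller that passes check_mode or force positionally would now hand that value to local_ip without an error. The more recent options in junctions.set in the same package (http2_junction, sni_name and, in the second patch, ignore_password_for_idempotency) are appended after check_mode/force instead; `..., server_uuid=None, check_mode=False, force=False, local_ip=None):` would keep both files consistent and leave existing positions intact. add()'s body continues past the hunk.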
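Review bot: The new `:param local_ip:` entry is left blank like its neighbours, but since it is the one parameter this commit introduces it deserves a line, e.g. `:param local_ip: local IP address the reverse proxy uses when connecting to this back-end server (confirm against the appliance API reference)`. The docstring belongs to add(), whose signature is changed in the previous hunk.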
From: Sebastian Vetter <2234705+svetterIO@users.noreply.github.com> Date: Tue, 27 Oct 2020 15:59:18 +0100 Subject: [PATCH 2/2] Fix: junctions.set -> use ignore_password_for_idempotency instead of force Using ignore_password_for_idempotency on set function for junction creation/modification instead of force parameter. Same logic as already used for module_chains: (https://github.com/IBM-Security/ibmsecurity/blob/master/ibmsecurity/isam/fed/sts/module_chains.py) --- ibmsecurity/isam/web/reverse_proxy/junctions.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/ibmsecurity/isam/web/reverse_proxy/junctions.py b/ibmsecurity/isam/web/reverse_proxy/junctions.py index ccf2e329..dd7587d8 100644 --- a/ibmsecurity/isam/web/reverse_proxy/junctions.py +++ b/ibmsecurity/isam/web/reverse_proxy/junctions.py @@ -306,7 +306,7 @@ def set(isamAppliance, reverseproxy_id, junction_point, server_hostname, server_ client_ip_http=None, version_two_cookies=None, ltpa_keyfile=None, authz_rules=None, fsso_config_file=None, username=None, password=None, server_uuid=None, local_ip=None, ltpa_keyfile_password=None, delegation_support=None, scripting_support=None, insert_ltpa_cookies=None, check_mode=False, force=False, - http2_junction=None, http2_proxy=None, sni_name=None): + http2_junction=None, http2_proxy=None, sni_name=None, ignore_password_for_idempotency=False): """ Setting a standard or virtual junction - compares with existing junction and replaces if changes are detected TODO: Compare all the parameters in the function - BA are some that are not being compared 
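Review bot: `ignore_password_for_idempotency=False` is added to set()'s signature, but the docstring two lines below says nothing about it and its effect is not obvious from the name alone. A sentence such as `ignore_password_for_idempotency: when True, ltpa_keyfile_password is left out of the change comparison (the appliance does not return it) and a warning is recorded; when False, a supplied password is compared as-is` would cover it; the second half should be checked against the comparison code, which lies outside this hunk. set()'s body continues after the hunk.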
@@ -511,9 +511,8 @@ def set(isamAppliance, reverseproxy_id, junction_point, server_hostname, server_ jct_json['version_two_cookies'] = version_two_cookies if ltpa_keyfile_password is not None: - if not force: - logger.debug("Skipping ltpa_keyfile_password for idempotency.") - warnings.append("Module can not compare ltpa_keyfile_password with server. Skipping parameter for idempotency. Force update of ltpa_keyfile_password by setting force=true.") + if ignore_password_for_idempotency: + warnings.append("Request made to ignore ltpa_keyfile_password for idempotency check.") if 'ltpa_keyfile_password' in exist_jct: del exist_jct['ltpa_keyfile_password'] else: @@ -564,7 +563,7 @@ def set(isamAppliance, reverseproxy_id, junction_point, server_hostname, server_ insert_ltpa_cookies=insert_ltpa_cookies, check_mode=check_mode, force=True, http2_junction=http2_junction, http2_proxy=http2_proxy, sni_name=sni_name, warnings=warnings) - return isamAppliance.create_return_object() + return isamAppliance.create_return_object(warnings=warnings) def compare(isamAppliance1, isamAppliance2, reverseproxy_id, reverseproxy_id2=None):
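Review bot: In the else branch `jct_json['ltpa_keyfile_password'] = ltpa_keyfile_password` places the keyfile password into the dict that is compared with `exist_jct`, and since the first patch's own warning text states the module cannot read that value back from the server, the comparison presumably never matches and the junction is replaced on every run unless the caller opts into `ignore_password_for_idempotency`. That may be the intended trade-off, but it deserves a comment on that line, e.g. `# the appliance never returns ltpa_keyfile_password, so including it here makes every run look like a change`. If jct_json is logged anywhere along the comparison path (not visible here), the password would also end up in debug output and should be masked before logging. set() continues outside this hunk in both directions.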