Add bindings to website #20
Conversation
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 38s |
shahargolshani
force-pushed
the
feature/add-bindings-to-website
branch
from
964eabb to
e1154d6
Compare
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 36s |
shahargolshani
force-pushed
the
feature/add-bindings-to-website
branch
from
e1154d6 to
a5fa173
Compare
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 5m 44s |
shahargolshani
force-pushed
the
feature/add-bindings-to-website
branch
from
a5fa173 to
227d354
Compare
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 7m 53s |
plugins/modules/website.ps1
Outdated
| require_server_name_indication = @{ type = 'bool'; default = $false } | ||
| use_centrelized_certificate_store = @{ type = 'bool'; default = $false } | ||
| certificate_hash = @{ type = 'str' } | ||
| certificate_store_name = @{ type = 'str' } |
There was a problem hiding this comment.
I think we should have a default here, looks like win_iis_webbinding used my https://docs.ansible.com/ansible/latest/collections/community/windows/win_iis_webbinding_module.html#parameter-certificate_store_name. This means we don't need the required_together option below when we have a default.
There was a problem hiding this comment.
I thought about removing it because in the community module this default was set in code and not in $params
#apply default for cert store name
If (-Not $certificateStoreName) {
$certificateStoreName = 'my'
}
community $params specified -default ([string]::Empty) an empty string as the default and then used it to inform the user that this value cannot be set together with CCS
When the default is set in $spec I didn't find a way to know if the value came from the user or from the default value
Will it be ok to just ignore it if it was set by the user but not used ?
We can also use the same approach the community used, but I guess it is not the best practice to set a default outside the $spec and more error prone.
There was a problem hiding this comment.
Will it be ok to just ignore it if it was set by the user but not used ?
I think so, having this as a default, especially to My would cover most scenarios allowing people to only need to set it if they have it stored elsewhere. I think for the CCS check we should only check if the certificate hash option is set and just ignore this value.
There was a problem hiding this comment.
Default value "my" was added to certificate_store_name
plugins/modules/website.ps1
Outdated
| require_server_name_indication = @{ type = 'bool'; default = $false } | ||
| use_centrelized_certificate_store = @{ type = 'bool'; default = $false } |
There was a problem hiding this comment.
I think we should still keep this as ssl_flags but but set the choices to the more human friendly names
| require_server_name_indication = @{ type = 'bool'; default = $false } | |
| use_centrelized_certificate_store = @{ type = 'bool'; default = $false } | |
| ssl_flags = @{ | |
| type = 'str' | |
| choices = @('none', 'use_sni', 'use_centralized_store', 'use_centralized_store_and_sni') | |
| default = 'none' | |
| } |
The reason why I went this direction is that we can easily map the string values to the raw integer one and we don't know what future values may be added. Using two separate options here could be problematic if MS ever add more options that aren't tied specifically to some combination of SNI and the centralised store setup whereas now with ssl_flags we just reflect the underlying value with a human friendly label.
There was a problem hiding this comment.
I agree this is applicable for ssl_flags 0-3
And we really need to think which approach we are taking here
if we go with pwsh:
New-WebBinding -SslFlags $ssl_flags
or with IIS GUI checkboxes
I got the idea of separating it from this community issue:
ansible-collections/community.windows#584
Apparently sslFlags can have values above 3 as a combination of the selected SSL options
SNI and CCS are not really tied to each other it is just set by MS in a single value
If in the future we decide to include more ssl_flags
having a single ssl_flags parameter will make the ssl_flags choices long and complicated because we'll have to include all combinations.
so if there are 3 ssl options we get to 8 ssl_flags choices if we include all 7 options we'll need 128 (2^7) choices
which is of course not reasonable. (In theory, In practice some combinations are not possible but still it's too many options)
I don't know why MS documents sslFlags as 0-3 and also limits the cli to those values i.e.
New-WebBinding : Parameter 'SslFlags' value is out of range: 0-3
While it can be set to values above 3
Regarding setting the ssl_flags int value out of a human friendly value it can be done
as MS set every option in the power of 2 so it can be easily map to integer value with
x = 1/2/4/8/16/32/64/128
ssl_flags += x
And derived in the info module with
[math]::Floor($ssl_flags / x)
and $ssl_flags % 2
There was a problem hiding this comment.
Ah ok, that's a pity these extra flags are not documented on that page, it made it seem like they were enum values and not bit fields.
It makes more sense to have them as separate options like you've done here because of that, basically 0-3 can be calculated through a combination of these two options being true/false. I think maybe we should rename them to something a bit shorter like the below and just expand the acronyms in the description
use_sniuse_ccs
It does bring into question how does the hostname value work if use_sni is false. Can you have an empty hostname in either scenario. Does it need to be set if use_sni is true.
If we ever do support those extra flags in the future we could expose them either as a list/str under ssl_flags or their own bool option. The calculation internally would become
$ssl_flags = 0
if ($disable_http2) {
$ssl_flags = $ssl_flags -bor 4
}But we don't need to worry about that for this implementation., as long as it is possible to do so in the future and I think what you've done enables that here.
plugins/modules/website.ps1
Outdated
| @@ -130,6 +151,84 @@ Try { | |||
| $module.Result.changed = $true | |||
| } | |||
| } | |||
| # Add Remove or Set bindings if needed | |||
| if ($bindings) { | |||
There was a problem hiding this comment.
In pwsh an empty hashtable is automatically true when checked like this. If we are wanting to see if add/remove/set is present we would need to do the following to check the entry count as a truthy value where 0 is $false.
| if ($bindings) { | |
| if ($bindings.Count) { |
There was a problem hiding this comment.
Yes, I see that even when set/add/remove are all null still
$bindings.Count is
3
So maybe go further here with
if ( $null -ne $bindings.set -or $bindings.add.Count -gt 0 -or $bindings.remove.Count -gt 0 )
There was a problem hiding this comment.
Ah yes because the default module args would be to populate the inner dictionary with the add/set/remove defaults. I think what you've proposed makes sense to me.
plugins/modules/website.yml
Outdated
| @@ -64,16 +181,26 @@ EXAMPLES: | | |||
| physical_path: C:\inetpub\wwwroot | |||
| state: started | |||
|
|
|||
| - name: Create a website, set all values and start it | |||
| - name: Create a website with two bindings, set all values and starts it | |||
There was a problem hiding this comment.
We should look at adding a few more examples for things like
set: []to remove all bindings- Some with add/remove to show how they can be specified.
There was a problem hiding this comment.
More examples were added
plugins/modules/website_info.ps1
Outdated
| if ($certificate_hash) { | ||
| $psObject | Add-Member -MemberType NoteProperty -Name "certificate_hash" -Value $certificate_hash | ||
| } | ||
| if ($certificate_store_name) { | ||
| $psObject | Add-Member -MemberType NoteProperty -Name "certificate_store_name" -Value $certificate_store_name | ||
| } |
There was a problem hiding this comment.
We should always add these, just keep them $null if unset.
There was a problem hiding this comment.
certificate_hash & certificate_store_name always returned
| $WebsiteInfoDict = @{ | ||
| name = $site.Name | ||
| id = $site.ID | ||
| site_id = $site.ID |
There was a problem hiding this comment.
Any reason for this change, we would need to update the return documentation to show this new new.
There was a problem hiding this comment.
The original community parameter is site_id
I believe we should return the same parameter name site_id in the info module and it was missed in the initial website module migration so I fixed it here.
I will fix the documentation accordingly
There was a problem hiding this comment.
Makes sense, thanks for clarifying.
| RequestType = Cert | ||
| dest: "{{ item.dest }}" | ||
| with_items: | ||
| - {name: test.com, dest: 'c:\windows\temp\certreq1.txt'} |
There was a problem hiding this comment.
There's only 1 entry here so the loops here and below are not really needed. We should also look at using remote_tmp_path instead of C:\windows\temp to ensure it is cleaned up after the test.
There was a problem hiding this comment.
All loops with a single iteration were removed
remote_tmp_path is used now for the certificate files
cleanup task of removing the files was removed from main.yml as it is redundant now
|
|
||
| - name: remove certs | ||
| raw: 'remove-item cert:\localmachine\my\{{ item }} -force -ea silentlycontinue' | ||
| with_items: |
There was a problem hiding this comment.
We will want a when on this to check that thumbprint1 is defined. This is just so that if a test failed this will also not fail and stop the cleanup/hide the original error.
| with_items: | |
| when: thumbprint1 is defined | |
| with_items: |
There was a problem hiding this comment.
Added
when: thumbprint1 is defined
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 45s |
shahargolshani
force-pushed
the
feature/add-bindings-to-website
branch
2 times, most recently
from
48e5a4b to
263cb23
Compare
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 43s |
plugins/modules/website.ps1
Outdated
| use_sni = @{ type = 'bool'; default = $false } | ||
| use_ccs = @{ type = 'bool'; default = $false } |
There was a problem hiding this comment.
I think the default should be unset here (ultimately $null). That way we can differentiate between keep existing value (when null) or set/unset, e.g.
if ($null -ne $use_sni) {
if ($use_sni) {
'test SNI'
}
else {
'unset SNI'
}
}If we are creating a binding we can then treat null as false.
This will most likely make your SSLFlag builder a bit more complicated but you can probably get it working by adding in a parameter that is -DefaultSNI and -DefaultCCS that is set to the SNI and CCS value of the existing binding or $false if no binding is present. That way you can still validate all the necessary info, don't modify if the user hasn't set a value, and still have a sane default when creating the binding from scratch.
There was a problem hiding this comment.
That makes sense,
If so then what about protocol that has a default value of http
Does it also need to be treated the same way ? and keep the same value that exist on the binding if $null ?
Regarding the unset of default ($null) from use_sni & use_ccs
In case of a new binding (toAdd) both $false/$null will not get into
if ($BindingInfo.use_sni)
if ($BindingInfo.use_ccs)
So no change is needed
In case of an existing binding (toEdit)
We can set the user values use_sni and/or use_ccs to the site existing values and then run
the function Get-SSLFlagFromBinding over it.
There was a problem hiding this comment.
Yep, I think what you've said makes sense. Essentially the module arg spec has $null as the default to help distinguish between "keep existing value", turn on, turn off. If we are going from a http to https binding I think $null should also mean $false.
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 56s |
fix func/param naming conventions
shahargolshani
force-pushed
the
feature/add-bindings-to-website
branch
from
fc7cb00 to
4ba3963
Compare
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 23s |
SUMMARY
ISSUE TYPE
COMPONENT NAME
plugins/modules/website.ps1
plugins/modules/website.yml
plugins/modules/website_info.ps1
plugins/modules/website_info.yml
tests/integration/targets/website/tasks/bindings.yml
tests/integration/targets/website/tasks/main.yml
tests/integration/targets/website/tasks/tests.yml
tests/integration/targets/website_info/tasks/tests.yml
ADDITIONAL INFORMATION