fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Param VDOM is forgotten module fortios_log_fact #270

Open dot-mike opened 9 months ago

dot-mike commented 9 months ago

Module fortios_log_fact does not pass on the vdom parameter from https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/blob/bd71eceeb846b7c7c94894c2a7cbfc5f214b7389/plugins/modules/fortios_log_fact.py#L2686 to --> https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/blob/bd71eceeb846b7c7c94894c2a7cbfc5f214b7389/plugins/modules/fortios_log_fact.py#L2311

For example, this fails:

    - name: Get SSL-VPN logs
      fortinet.fortios.fortios_log_fact:
        enable_log: true
        access_token: "{{ vault_fortios_access_token }}"
        selector: "disk_event_vpn"
        vdom: "USER"
        filters:
          - tunneltype: "ssl"
        params:
          rows: 1
      register: sslvpn_logs

Results in this log:

    2023-09-29 15:39:53.012904: login with access token succeeded
    2023-09-29 15:39:53.012980: Sending request: METHOD:GET URL:/api/v2/log/disk/event/vpn?access_token=XYZ&filter=%7B%27tunneltype%27%3A%20%27ssl%27%7D&rows=1 DATA:
    2023-09-29 15:39:53.089376: using access token - no auth update needed: XYZ
    2023-09-29 15:39:53.089465: response data: {

The following task works (only because I pass vdom as part of params, which is not according to the docs!):

    - name: Get SSL-VPN logs
      fortinet.fortios.fortios_log_fact:
        enable_log: true
        access_token: "{{ vault_fortios_access_token }}"
        selector: "disk_event_vpn"
        filters:
          - tunneltype: "ssl"
        params:
          rows: 1
          vdom: "USER"
      register: sslvpn_logs

Results in this log:

    2023-09-29 15:41:04.689981: login with access token succeeded
    2023-09-29 15:41:04.689999: Sending request: METHOD:GET URL:/api/v2/log/disk/event/vpn?access_token=XYZ&filter=%7B%27tunneltype%27%3A%20%27ssl%27%7D&rows=1&vdom=USER DATA:
    2023-09-29 15:41:04.874811: using access token - no auth update needed: XYZ
    2023-09-29 15:41:04.874962: response data: {

JieX19 commented 9 months ago

Hi @dot-mike,

Did the Ansible task execute successfully? The 'params' attribute you mentioned above actually accepts all the supported parameters in a specific selector, for example, 'disk_event_vpn', which accepts parameters including start, rows, session_id, serial_no, is_ha_member, filter and extra. The 'vdom' should not be here. There should be an error and the task should fail as expected.

You can run the playbook by adding -vvvvv at the tail of the command; all the output will show on the screen, or you can write it to a file.

If you take a close look at the log, there should be an exception in it. I am pasting what I got in the log below:

    2023-10-23 11:38:49.047843: login with access token succeeded
    2023-10-23 11:38:49.047852: pre login succeeded
    2023-10-23 11:38:49.047874: Sending request: METHOD:GET URL:/api/v2/log/disk/event/vpn?access_token=xxxxxxxxxxxxxxxxxxx&filter=%7B%27tunneltype%27%3A%20%27ssl%27%7D&rows=1&vdom=user DATA:
    2023-10-23 11:38:49.081006: Exception thrown from handling http: HTTP Error 403: Forbidden
    2023-10-23 11:38:49.081118: using access token - no auth update needed: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2023-10-23 11:38:49.081128: response data: {
      "http_method":"GET",
      "status":"error",
      "http_status":403,

mahoutukaisali commented 7 months ago

The same issue here. Although I specify vdom in a playbook, fortios_log_fact module always returns root vdom.

Steps to reproduce

Run the below task:

    tasks:
        - name: resource output
          fortios_log_fact:
            vdom: "testvdom"
            selectors:
              - selector: "memory_traffic_forward"

Module returns the below:

    ok: [fortinet01] => {
        "changed": false,
        "invocation": {
            "module_args": {
                "access_token": null,
                "enable_log": false,
                "filters": null,
                "formatters": null,
                "params": null,
                "selector": null,
                "selectors": [
                    {
                        "filters": null,
                        "formatters": null,
                        "params": null,
                        "selector": "memory_traffic_forward",
                        "sorters": null
                    }
                ],
                "sorters": null,
                "vdom": "testvdom"
            }
        },

(...)

        "meta": [
            {
                "rows": 400,
                "serial": "XXXXX",
                "session_id": 46,
                "start": 1,
                "status": "success",
                "subcategory": "forward",
                "total_lines": 292,
                "vdom": "root",
                "version": "v7.4.1"
            }

Research

  1. Looking through fortios_log_fact, I think it misses passing vdom parameter to the thrown API since there is no logic to pass vdom.

https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/blob/main/plugins/modules/fortios_log_fact.py#L2288

    def fortios_log_fact(params, fos):
        valid, result = validate_parameters(params, fos)
        if not valid:
            return True, False, result

        selector = params["selector"]

        url_params = dict()
        if params["filters"] and len(params["filters"]):
            filter_body = quote(params["filters"][0])
            for filter_item in params["filters"][1:]:
                filter_body = "%s&filter=%s" % (filter_body, quote(filter_item))
            url_params["filter"] = filter_body
        if params["sorters"] and len(params["sorters"]):
            sorter_body = params["sorters"][0]
            for sorter_item in params["sorters"][1:]:
                sorter_body = "%s&sort=%s" % (sorter_body, sorter_item)
            url_params["sort"] = sorter_body
        if params["formatters"] and len(params["formatters"]):
            formatter_body = params["formatters"][0]
            for formatter_item in params["formatters"][1:]:
                formatter_body = "%s|%s" % (formatter_body, formatter_item)
            url_params["format"] = formatter_body
        if params["params"]:
            for selector_param_key, selector_param in params["params"].items():
                url_params[selector_param_key] = selector_param

  2. According to the debug information, the thrown API is here. As we can see, there are no vdom parameters specified in a playbook.

    log_get: full_url='/api/v2/log/memory/traffic/forward'
    log_get: parameters={}

https://github.com/fortinet-ansible-dev/ansible-galaxy-fortios-collection/blob/main/plugins/module_utils/fortios/fortios.py#L531

    def log_get(self, url, parameters=None):
        slash_index = url.find('/')
        full_url = self.log_url(url[: slash_index], url[slash_index + 1:])
        import q; q(full_url)  # <---debugging
        q(parameters)  # <---debugging

So, I think this is a module problem.
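
A sketch of the behaviour this thread asks for, as an added example (not the collection's code and not a fix from its maintainers): the module-level `vdom` is copied into the query parameters, and the `vdom` reported in the response `meta` is compared with the requested one so that a silent fall-back to `root` is caught. The function names are hypothetical; the sample values are constructed from the comments above.

```python
def build_url_params(module_args):
    """Assemble query parameters for a log request, including the vdom.

    Hypothetical helper: models the selector `params` loop from the excerpt
    and adds the module-level `vdom`, which the excerpt never copies over.
    """
    url_params = dict(module_args.get("params") or {})
    vdom = module_args.get("vdom")
    smuggled = url_params.get("vdom")
    # A vdom placed inside `params` must not silently override the documented one.
    if smuggled is not None and vdom is not None and smuggled != vdom:
        raise ValueError("params.vdom %r conflicts with vdom %r" % (smuggled, vdom))
    if vdom is not None:
        url_params["vdom"] = vdom
    return url_params


def vdom_mismatches(requested_vdom, meta):
    """Return every vdom reported in `meta` that differs from the requested one."""
    return [m.get("vdom") for m in meta if m.get("vdom") != requested_vdom]


# Constructed from the invocation and "meta" output quoted in the thread.
SAMPLE_ARGS = {"vdom": "testvdom", "params": None,
               "selectors": [{"selector": "memory_traffic_forward"}]}
SAMPLE_META = [{"status": "success", "subcategory": "forward", "vdom": "root"}]

if __name__ == "__main__":
    print("query parameters:", build_url_params(SAMPLE_ARGS))
    wrong = vdom_mismatches(SAMPLE_ARGS["vdom"], SAMPLE_META)
    if wrong:
        print("logs came from %s, expected %s" % (wrong, SAMPLE_ARGS["vdom"]))
```

The same comparison can be made in a playbook by asserting on the registered result's `meta` before the logs are used for anything else.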