Code changes for supporting Offline LAS Licensing in restricted mode.

Signed-off-by: lakshmj <[email protected]>

Author: lakshmj

examples/nslaslicense_offline.yaml

@@ -3,7 +3,7 @@
   hosts: demo_netscalers
   gather_facts: false
   tasks:
-    - name: Apply offline LAS license to NetScaler ADC
+    - name: Apply offline LAS license to NetScaler ADC (standard mode)
       delegate_to: localhost
       netscaler.adc.nslaslicense_offline:
         nsip: "{{ nsip }}"
@@ -19,3 +19,21 @@
     - name: Display license result
       ansible.builtin.debug:
         var: lic_result
+
+    - name: Apply offline LAS license to NetScaler ADC (restricted mode)
+      delegate_to: localhost
+      netscaler.adc.nslaslicense_offline:
+        nsip: "{{ nsip }}"
+        nitro_user: "{{ nitro_user }}"
+        nitro_pass: "{{ nitro_pass }}"
+        nitro_protocol: "{{ nitro_protocol | default('https') }}"
+        validate_certs: false
+        entitlement_name: "VPX 10000 Premium"
+        is_fips: false
+        las_secrets_json: /path/to/las_secrets.json
+        restricted_mode: true
+      register: lic_result_restricted
+
+    - name: Display restricted mode license result
+      ansible.builtin.debug:
+        var: lic_result_restricted

plugins/module_utils/las_utils.py

@@ -299,6 +299,17 @@ def import_offline_activation_request(self, request_file, fingerprint, bearer, l
             loglines.append("ERROR: import_offline_activation_request: {0}".format(str(e)))
             return "EXCEPTION ERROR"
 
+    def import_restricted_offline_activation_request(self, lsid, pubkey, bearer, loglines):
+        url = "{0}/support/{1}/importrestrictedofflineactivationrequest".format(self._base_url, self._ccid)
+        headers = {"Content-Type": "application/json", "Authorization": "CWSAuth bearer={0}".format(bearer)}
+        payload = {"ver": "1.0", "lsid": lsid, "pubkey": pubkey}
+        try:
+            result = self._post_json(url, headers, payload)
+            return result.get("importrequesttoken", "")
+        except Exception as e:
+            loglines.append("ERROR: import_restricted_offline_activation_request: {0}".format(str(e)))
+            return "EXCEPTION ERROR"
+
     def generate_offline_activation(self, import_token, bearer, ent_name, loglines):
         url = "{0}/{1}/{2}/generateofflineactivation".format(self._base_url, self._ccid, self.endpoint)
         headers = {"Content-Type": "application/json", "Authorization": "CWSAuth bearer={0}".format(bearer)}
@@ -458,7 +469,8 @@ def get_offline_request_package(nitro, ip, username, password, local_dir, new_ap
 # ---------------------------------------------------------------------------
 
 
-def extract_lsguid(file_path, loglines):
+def extract_request_fields(file_path, loglines):
+    """Extract lsguid, lsid, and pubkey from the NS offline activation request tgz in one pass."""
     dest_dir = os.path.dirname(file_path)
     # Validate that file_path is within dest_dir to guard against path traversal.
     real_file_path = os.path.realpath(file_path)
@@ -504,8 +516,12 @@ def extract_lsguid(file_path, loglines):
         loglines.append("DEBUG: Could not remove temp file lasData.tgz: {0}".format(str(e)))
 
     lsguid = data["lsguid"]
+    inner = data.get("data", {})
+    lsid = inner["lsid"]
+    pubkey = inner["pubkey"]
     loglines.append("INFO: Extracted lsguid: {0}".format(lsguid))
-    return lsguid
+    loglines.append("INFO: Extracted lsid: {0}".format(lsid))
+    return lsguid, lsid, pubkey
 
 
 # ---------------------------------------------------------------------------
@@ -558,7 +574,7 @@ def get_ent_name(request_pem, request_ed, is_fips, loglines):
 # ---------------------------------------------------------------------------
 
 
-def generate_offline_package(lsguid, request_file, output_file, ent_name, secret_file, loglines):
+def generate_offline_package(lsguid, request_file, output_file, ent_name, secret_file, loglines, restricted_mode=False, lsid=None, pubkey=None):
     client = LASClient(lsguid, secret_file)
 
     bearer = client.validate_bearer_cache()
@@ -572,13 +588,16 @@ def generate_offline_package(lsguid, request_file, output_file, ent_name, secret
         loglines.append("ERROR: Failed to obtain bearer token from LAS")
         return None
 
-    fingerprint = client.get_fingerprint_for_lsguid(bearer, loglines)
-    if "ERROR" in str(fingerprint):
-        loglines.append("ERROR: Failed to get device fingerprint for lsguid {0}".format(lsguid))
-        return None
-    loglines.append("INFO: Device fingerprint in LAS: {0!r}".format(fingerprint))
+    if restricted_mode:
+        import_token = client.import_restricted_offline_activation_request(lsid, pubkey, bearer, loglines)
+    else:
+        fingerprint = client.get_fingerprint_for_lsguid(bearer, loglines)
+        if "ERROR" in str(fingerprint):
+            loglines.append("ERROR: Failed to get device fingerprint for lsguid {0}".format(lsguid))
+            return None
+        loglines.append("INFO: Device fingerprint in LAS: {0!r}".format(fingerprint))
+        import_token = client.import_offline_activation_request(request_file, fingerprint, bearer, loglines)
 
-    import_token = client.import_offline_activation_request(request_file, fingerprint, bearer, loglines)
     if not import_token or "ERROR" in import_token:
         loglines.append("ERROR: Failed to import offline activation request")
         return None

plugins/modules/nslaslicense_offline.py

@@ -78,6 +78,13 @@
       - The file must contain the keys C(ccid), C(client), C(password), C(las_endpoint), and C(cc_endpoint).
     type: str
     required: true
+  restricted_mode:
+    description:
+      - Set to C(true) to use the restricted offline activation request flow.
+      - When enabled, the module extracts C(lsid) and C(pubkey) from the activation request package
+        and calls the restricted import endpoint instead of the standard file-upload endpoint.
+    type: bool
+    default: false
 """
 
 EXAMPLES = r"""
@@ -112,6 +119,19 @@
     nitro_pass: "{{ nitro_pass }}"
     entitlement_name: "MPX 8905 Standard"
     las_secrets_json: ./path/to/las_secrets.json
+
+- name: Generate and apply offline LAS license using restricted mode (no file upload)
+  delegate_to: localhost
+  netscaler.adc.nslaslicense_offline:
+    nsip: 10.102.201.230
+    nitro_user: nsroot
+    nitro_pass: "{{ nitro_pass }}"
+    nitro_protocol: https
+    validate_certs: false
+    entitlement_name: "VPX 10000 Premium"
+    is_fips: false
+    las_secrets_json: ./path/to/las_secrets.json
+    restricted_mode: true
 """
 
 RETURN = r"""
@@ -156,7 +176,7 @@
     apply_license_blob_ns,
     check_if_new_api,
     check_ns_version,
-    extract_lsguid,
+    extract_request_fields,
     generate_offline_package,
     get_offline_request_package,
 )
@@ -177,6 +197,7 @@ def main():
         entitlement_name=dict(required=True, type="str"),
         is_fips=dict(type="bool", default=False),
         las_secrets_json=dict(required=True, type="str", no_log=False),
+        restricted_mode=dict(type="bool", default=False),
     )
 
     module = AnsibleModule(
@@ -196,6 +217,7 @@ def main():
     ent_name = module.params["entitlement_name"]
     is_fips = module.params["is_fips"]
     las_secrets_json = module.params["las_secrets_json"]
+    restricted_mode = module.params["restricted_mode"]
     if username != "nsroot":
         module.fail_json(msg="Only the 'nsroot' account is supported. Got: '{0}'".format(username), **result)
 
@@ -289,20 +311,23 @@ def main():
         request_file = os.path.join(temp_dir, ns_file_name)
         loglines.append("INFO: Got request package: {0}".format(request_file))
 
-        # Extract lsguid (retry once on parse failure)
+        # Extract lsguid (always) and lsid+pubkey (retry once on parse failure)
         try:
-            lsguid = extract_lsguid(request_file, loglines)
+            lsguid, lsid, pubkey = extract_request_fields(request_file, loglines)
         except Exception as e:
             loglines.append("WARNING: First parse attempt failed ({0}), re-downloading package".format(str(e)))
             ns_file_name = get_offline_request_package(nitro, ip, username, password, temp_dir, new_api, loglines)
             if not ns_file_name:
                 module.fail_json(msg="Re-download of activation request package failed", **result)
             request_file = os.path.join(temp_dir, ns_file_name)
-            lsguid = extract_lsguid(request_file, loglines)
+            lsguid, lsid, pubkey = extract_request_fields(request_file, loglines)
 
         # Generate offline token from LAS cloud
         output_file = "offline_token_{0}_activation.blob.tgz".format(ip)
-        if generate_offline_package(lsguid, request_file, output_file, ent_name, las_secrets_json, loglines) is None:
+        if generate_offline_package(
+            lsguid, request_file, output_file, ent_name, las_secrets_json, loglines,
+            restricted_mode=restricted_mode, lsid=lsid if restricted_mode else None, pubkey=pubkey if restricted_mode else None,
+        ) is None:
             module.fail_json(msg="Failed to generate offline license token from LAS", **result)
 
         # Apply license blob to device