diff options
Diffstat (limited to 'tests')
47 files changed, 3460 insertions, 24 deletions
diff --git a/tests/integration/targets/vyos_firewall_rules/defaults/main.yaml b/tests/integration/targets/vyos_firewall_rules/defaults/main.yaml new file mode 100644 index 0000000..852a6be --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/defaults/main.yaml @@ -0,0 +1,3 @@ +--- +testcase: '[^_].*' +test_items: [] diff --git a/tests/integration/targets/vyos_firewall_rules/meta/main.yaml b/tests/integration/targets/vyos_firewall_rules/meta/main.yaml new file mode 100644 index 0000000..7413320 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/meta/main.yaml @@ -0,0 +1,3 @@ +--- +dependencies: + - prepare_vyos_tests diff --git a/tests/integration/targets/vyos_firewall_rules/tasks/cli.yaml b/tests/integration/targets/vyos_firewall_rules/tasks/cli.yaml new file mode 100644 index 0000000..93eb2fe --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tasks/cli.yaml @@ -0,0 +1,19 @@ +--- +- name: Collect all cli test cases + find: + paths: '{{ role_path }}/tests/cli' + patterns: '{{ testcase }}.yaml' + use_regex: true + register: test_cases + delegate_to: localhost + +- name: Set test_items + set_fact: test_items="{{ test_cases.files | map(attribute='path') | list }}" + +- name: Run test case (connection=ansible.netcommon.network_cli) + include: '{{ test_case_to_run }}' + vars: + ansible_connection: ansible.netcommon.network_cli + with_items: '{{ test_items }}' + loop_control: + loop_var: test_case_to_run diff --git a/tests/integration/targets/vyos_firewall_rules/tasks/main.yaml b/tests/integration/targets/vyos_firewall_rules/tasks/main.yaml new file mode 100644 index 0000000..a3db933 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tasks/main.yaml @@ -0,0 +1,4 @@ +--- +- include: cli.yaml + tags: + - cli diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg new file mode 100644 index 0000000..b54c109 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg @@ -0,0 +1,25 @@ +set firewall group address-group 'inbound' +set firewall ipv6-name UPLINK default-action 'accept' +set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' +set firewall ipv6-name UPLINK rule 1 action 'accept' +set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' +set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' +set firewall ipv6-name UPLINK rule 2 action 'accept' +set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' +set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' +set firewall name INBOUND default-action 'accept' +set firewall name INBOUND description 'IPv4 INBOUND rule set' +set firewall name INBOUND rule 101 action 'accept' +set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' +set firewall name INBOUND rule 101 ipsec 'match-ipsec' +set firewall name INBOUND rule 102 action 'reject' +set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' +set firewall name INBOUND rule 102 ipsec 'match-ipsec' +set firewall name INBOUND rule 103 action 'accept' +set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' +set firewall name INBOUND rule 103 destination group address-group 'inbound' +set firewall name INBOUND rule 103 source address '192.0.2.0' +set firewall name INBOUND rule 103 state established 'enable' +set firewall name INBOUND rule 103 state invalid 'disable' +set firewall name INBOUND rule 103 state new 'disable' +set firewall name INBOUND rule 103 state related 'enable' diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml new file mode 100644 index 0000000..551736e --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml @@ -0,0 +1,27 @@ +--- +- name: Setup + vars: + lines: "set firewall group address-group 'inbound'\nset firewall ipv6-name UPLINK\ + \ default-action 'accept'\nset firewall ipv6-name UPLINK description 'This\ + \ is ipv6 specific rule-set'\nset firewall ipv6-name UPLINK rule 1 action\ + \ 'accept'\nset firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule\ + \ 1 is configured by Ansible'\nset firewall ipv6-name UPLINK rule 1 ipsec\ + \ 'match-ipsec'\nset firewall ipv6-name UPLINK rule 2 action 'accept'\nset\ + \ firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured\ + \ by Ansible'\nset firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'\n\ + set firewall name INBOUND default-action 'accept'\nset firewall name INBOUND\ + \ description 'IPv4 INBOUND rule set'\nset firewall name INBOUND rule 101\ + \ action 'accept'\nset firewall name INBOUND rule 101 description 'Rule 101\ + \ is configured by Ansible'\nset firewall name INBOUND rule 101 ipsec 'match-ipsec'\n\ + set firewall name INBOUND rule 102 action 'reject'\nset firewall name INBOUND\ + \ rule 102 description 'Rule 102 is configured by Ansible'\nset firewall name\ + \ INBOUND rule 102 ipsec 'match-ipsec'\nset firewall name INBOUND rule 103\ + \ action 'accept'\nset firewall name INBOUND rule 103 description 'Rule 103\ + \ is configured by Ansible'\nset firewall name INBOUND rule 103 destination\ + \ group address-group 'inbound'\nset firewall name INBOUND rule 103 source\ + \ address '192.0.2.0'\nset firewall name INBOUND rule 103 state established\ + \ 'enable'\nset firewall name INBOUND rule 103 state invalid 'disable'\nset\ + \ firewall name INBOUND rule 103 state new 'disable'\nset firewall name INBOUND\ + \ rule 103 state related 'enable'\n" + ansible.netcommon.cli_config: + config: '{{ lines }}' diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml new file mode 100644 index 0000000..acb0803 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml @@ -0,0 +1,6 @@ +--- +- name: Remove Config + vars: + lines: "delete firewall ipv6-name\ndelete firewall name\n" + ansible.netcommon.cli_config: + config: '{{ lines }}' diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml new file mode 100644 index 0000000..7acfe65 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml @@ -0,0 +1,60 @@ +--- +- debug: + msg: Start vyos_firewall_rules deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete firewall rule set. + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv6 + rule_sets: + + - name: UPLINK + + - afi: ipv4 + rule_sets: + + - name: INBOUND + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_rs['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_rs['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_rs['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml new file mode 100644 index 0000000..e20670d --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml @@ -0,0 +1,54 @@ +--- +- debug: + msg: Start vyos_firewall_rules deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete firewall rule. + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv6 + + - afi: ipv4 + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_afi_all['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['after'])\ + \ |length == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['before'])\ + \ |length == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml new file mode 100644 index 0000000..16e563c --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml @@ -0,0 +1,50 @@ +--- +- debug: + msg: Start vyos_firewall_rules deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete all the firewall rules. + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_afi_all['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['after'])\ + \ |length == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['before'])\ + \ |length == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml new file mode 100644 index 0000000..d77e2a9 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml @@ -0,0 +1,58 @@ +--- +- debug: + msg: Start vyos_firewall_rules deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete firewall rule. + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv6 + rule_sets: + + - name: UPLINK + rules: + + - number: 1 + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_r['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_r['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_r['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/empty_config.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/empty_config.yaml new file mode 100644 index 0000000..c30cf03 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/empty_config.yaml @@ -0,0 +1,60 @@ +--- +- debug: + msg: START vyos_firewall_rules empty_config integration tests on connection={{ + ansible_connection }} + +- name: Merged with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_firewall_rules: + config: + state: merged + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state merged' + +- name: Replaced with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_firewall_rules: + config: + state: replaced + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state replaced' + +- name: Overridden with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_firewall_rules: + config: + state: overridden + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state overridden' + +- name: Parsed with empty running_config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_firewall_rules: + running_config: + state: parsed + +- assert: + that: + - result.msg == 'value of running_config parameter must not be empty for state + parsed' + +- name: Rendered with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_firewall_rules: + config: + state: rendered + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state rendered' diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml new file mode 100644 index 0000000..cdc8e51 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml @@ -0,0 +1,34 @@ +--- +- debug: + msg: START vyos_firewall_rules gathered integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Merge the provided configuration with the exisiting running configuration + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + state: gathered + + - name: Assert that gathered dicts was correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['gathered']) |length == 0\ + \ }}" + + - name: Gather the existing running configuration (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml new file mode 100644 index 0000000..adf7e47 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml @@ -0,0 +1,102 @@ +--- +- debug: + msg: START vyos_firewall_rules merged integration tests on connection={{ ansible_connection + }} + +- include_tasks: _populate.yaml + +- include_tasks: _remove_config.yaml + +- block: + + - name: Merge the provided configuration with the exisiting running configuration + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv6 + rule_sets: + + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + rules: + + - number: 1 + action: accept + description: Fwipv6-Rule 1 is configured by Ansible + ipsec: match-ipsec + + - number: 2 + action: accept + description: Fwipv6-Rule 2 is configured by Ansible + ipsec: match-ipsec + + - afi: ipv4 + rule_sets: + + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + destination: + group: + address_group: inbound + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true + state: merged + + - name: Assert that before dicts were correctly generated + assert: + that: "{{ merged['before'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + + - name: Assert that correct set of commands were generated + assert: + that: + - "{{ merged['commands'] | symmetric_difference(result['commands']) |length\ + \ == 0 }}" + + - name: Assert that after dicts was correctly generated + assert: + that: + - "{{ merged['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Merge the provided configuration with the existing running configuration + (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + + - name: Assert that before dicts were correctly generated + assert: + that: + - "{{ merged['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml new file mode 100644 index 0000000..6acc951 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml @@ -0,0 +1,69 @@ +--- +- debug: + msg: START vyos_firewall_rules overridden integration tests on connection={{ + ansible_connection }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Overrides all device configuration with provided configuration + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv4 + rule_sets: + + - name: Downlink + description: IPv4 INBOUND rule set + default_action: accept + rules: + + - number: 501 + action: accept + description: Rule 501 is configured by Ansible + ipsec: match-ipsec + + - number: 502 + action: reject + description: Rule 502 is configured by Ansible + ipsec: match-ipsec + state: overridden + + - name: Assert that before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that correct commands were generated + assert: + that: + - "{{ overridden['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that after dicts were correctly generated + assert: + that: + - "{{ overridden['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Overrides all device configuration with provided configurations (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + + - name: Assert that before dicts were correctly generated + assert: + that: + - "{{ overridden['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml new file mode 100644 index 0000000..a793ac5 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml @@ -0,0 +1,41 @@ +--- +- debug: + msg: START vyos_firewall_rules parsed integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Gather firewall_rules facts + register: firewall_rules_facts + vyos.vyos.vyos_facts: + gather_subset: + - default + gather_network_resources: + - firewall_rules + + - name: Provide the running configuration for parsing (config to be parsed) + register: result + vyos.vyos.vyos_firewall_rules: &id001 + running_config: "{{ lookup('file', '_parsed_config.cfg') }}" + state: parsed + + - name: Assert that correct parsing done + assert: + that: "{{ ansible_facts['network_resources']['firewall_rules'] | symmetric_difference(result['parsed'])\ + \ |length == 0 }}" + + - name: Gather the existing running configuration (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml new file mode 100644 index 0000000..f000998 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml @@ -0,0 +1,73 @@ +--- +- debug: + msg: START vyos_firewall_rules rendered integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Structure provided configuration into device specific commands + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv6 + rule_sets: + + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + + - afi: ipv4 + rule_sets: + + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + destination: + group: + address_group: inbound + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true + state: rendered + + - name: Assert that correct set of commands were generated + assert: + that: + - "{{ rendered['commands'] | symmetric_difference(result['rendered'])\ + \ |length == 0 }}" + + - name: Structure provided configuration into device specific commands (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml new file mode 100644 index 0000000..eba1689 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml @@ -0,0 +1,78 @@ +--- +- debug: + msg: START vyos_firewall_rules replaced integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Replace device configurations of listed firewall rules with provided + configurations + register: result + vyos.vyos.vyos_firewall_rules: &id001 + config: + + - afi: ipv6 + rule_sets: + + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + + - afi: ipv4 + rule_sets: + + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + + - number: 104 + action: reject + description: Rule 104 is configured by Ansible + ipsec: match-none + state: replaced + + - name: Assert that correct set of commands were generated + assert: + that: + - "{{ replaced['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that before dicts are correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that after dict is correctly generated + assert: + that: + - "{{ replaced['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Replace device configurations of listed firewall rules with provided + configurarions (IDEMPOTENT) + register: result + vyos.vyos.vyos_firewall_rules: *id001 + + - name: Assert that task was idempotent + assert: + that: + - result['changed'] == false + + - name: Assert that before dict is correctly generated + assert: + that: + - "{{ replaced['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml new file mode 100644 index 0000000..762086f --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml @@ -0,0 +1,101 @@ +--- +- debug: + msg: START vyos_firewall_rules round trip integration tests on connection={{ + ansible_connection }} + +- include_tasks: _remove_config.yaml + +- block: + + - name: Apply the provided configuration (base config) + register: base_config + vyos.vyos.vyos_firewall_rules: + config: + + - afi: ipv6 + rule_sets: + + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + rules: + + - number: 1 + action: accept + description: Fwipv6-Rule 1 is configured by Ansible + ipsec: match-ipsec + + - number: 2 + action: accept + description: Fwipv6-Rule 2 is configured by Ansible + ipsec: match-ipsec + + - afi: ipv4 + rule_sets: + + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + state: merged + + - name: Gather firewall_rules facts + vyos.vyos.vyos_facts: + gather_subset: + - default + gather_network_resources: + - firewall_rules + + - name: Apply the provided configuration (config to be reverted) + register: result + vyos.vyos.vyos_firewall_rules: + config: + + - afi: ipv4 + rule_sets: + + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true + state: merged + + - name: Assert that changes were applied + assert: + that: "{{ round_trip['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Revert back to base config using facts round trip + register: revert + vyos.vyos.vyos_firewall_rules: + config: "{{ ansible_facts['network_resources']['firewall_rules'] }}" + state: overridden + + - name: Assert that config was reverted + assert: + that: "{{ base_config['after'] | symmetric_difference(revert['after']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml new file mode 100644 index 0000000..c15a101 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml @@ -0,0 +1,312 @@ +--- +merged: + before: [] + commands: + - set firewall ipv6-name UPLINK default-action 'accept' + - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' + - set firewall ipv6-name UPLINK rule 1 action 'accept' + - set firewall ipv6-name UPLINK rule 1 + - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured + by Ansible' + - set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' + - set firewall ipv6-name UPLINK rule 2 action 'accept' + - set firewall ipv6-name UPLINK rule 2 + - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured + by Ansible' + - set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' + - set firewall name INBOUND default-action 'accept' + - set firewall name INBOUND description 'IPv4 INBOUND rule set' + - set firewall name INBOUND rule 101 action 'accept' + - set firewall name INBOUND rule 101 + - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall name INBOUND rule 101 ipsec 'match-ipsec' + - set firewall name INBOUND rule 102 action 'reject' + - set firewall name INBOUND rule 102 + - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall name INBOUND rule 102 ipsec 'match-ipsec' + - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall name INBOUND rule 103 destination group address-group inbound + - set firewall name INBOUND rule 103 + - set firewall name INBOUND rule 103 source address 192.0.2.0 + - set firewall name INBOUND rule 103 state established enable + - set firewall name INBOUND rule 103 state related enable + - set firewall name INBOUND rule 103 state invalid disable + - set firewall name INBOUND rule 103 state new disable + - set firewall name INBOUND rule 103 action 'accept' + after: + - afi: ipv6 + rule_sets: + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + rules: + - number: 1 + action: accept + description: Fwipv6-Rule 1 is configured by Ansible + ipsec: match-ipsec + - number: 2 + action: accept + description: Fwipv6-Rule 2 is configured by Ansible + ipsec: match-ipsec + - afi: ipv4 + rule_sets: + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + destination: + group: + address_group: inbound + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true +populate: + - afi: ipv6 + rule_sets: + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + rules: + - number: 1 + action: accept + description: Fwipv6-Rule 1 is configured by Ansible + ipsec: match-ipsec + - number: 2 + action: accept + description: Fwipv6-Rule 2 is configured by Ansible + ipsec: match-ipsec + - afi: ipv4 + rule_sets: + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + destination: + group: + address_group: inbound + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true +replaced: + commands: + - delete firewall ipv6-name UPLINK rule 1 + - delete firewall ipv6-name UPLINK rule 2 + - delete firewall name INBOUND rule 102 + - delete firewall name INBOUND rule 103 + - set firewall name INBOUND rule 104 action 'reject' + - set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible' + - set firewall name INBOUND rule 104 + - set firewall name INBOUND rule 104 ipsec 'match-none' + after: + - afi: ipv6 + rule_sets: + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + - afi: ipv4 + rule_sets: + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + - number: 104 + action: reject + description: Rule 104 is configured by Ansible + ipsec: match-none +overridden: + before: + - afi: ipv6 + rule_sets: + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + - afi: ipv4 + rule_sets: + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + - number: 104 + action: reject + description: Rule 104 is configured by Ansible + ipsec: match-none + commands: + - delete firewall ipv6-name UPLINK + - delete firewall name INBOUND + - set firewall name Downlink default-action 'accept' + - set firewall name Downlink description 'IPv4 INBOUND rule set' + - set firewall name Downlink rule 501 action 'accept' + - set firewall name Downlink rule 501 + - set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' + - set firewall name Downlink rule 501 ipsec 'match-ipsec' + - set firewall name Downlink rule 502 action 'reject' + - set firewall name Downlink rule 502 + - set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' + - set firewall name Downlink rule 502 ipsec 'match-ipsec' + after: + - afi: ipv4 + rule_sets: + - name: Downlink + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 501 + action: accept + description: Rule 501 is configured by Ansible + ipsec: match-ipsec + - number: 502 + action: reject + description: Rule 502 is configured by Ansible + ipsec: match-ipsec +rendered: + commands: + - set firewall ipv6-name UPLINK default-action 'accept' + - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' + - set firewall name INBOUND default-action 'accept' + - set firewall name INBOUND description 'IPv4 INBOUND rule set' + - set firewall name INBOUND rule 101 action 'accept' + - set firewall name INBOUND rule 101 + - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall name INBOUND rule 101 ipsec 'match-ipsec' + - set firewall name INBOUND rule 102 action 'reject' + - set firewall name INBOUND rule 102 + - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall name INBOUND rule 102 ipsec 'match-ipsec' + - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall name INBOUND rule 103 destination group address-group inbound + - set firewall name INBOUND rule 103 + - set firewall name INBOUND rule 103 source address 192.0.2.0 + - set firewall name INBOUND rule 103 state established enable + - set firewall name INBOUND rule 103 state related enable + - set firewall name INBOUND rule 103 state invalid disable + - set firewall name INBOUND rule 103 state new disable + - set firewall name INBOUND rule 103 action 'accept' +deleted_rs: + commands: + - delete firewall ipv6-name UPLINK + - delete firewall name INBOUND + after: [] +deleted_afi_all: + commands: + - delete firewall ipv6-name + - delete firewall name + after: [] +deleted_r: + commands: + - delete firewall ipv6-name UPLINK rule 1 + after: + - afi: ipv6 + rule_sets: + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + rules: + - number: 2 + action: accept + description: Fwipv6-Rule 2 is configured by Ansible + ipsec: match-ipsec + - afi: ipv4 + rule_sets: + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + destination: + group: + address_group: inbound + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true +round_trip: + after: + - afi: ipv6 + rule_sets: + - name: UPLINK + description: This is ipv6 specific rule-set + default_action: accept + rules: + - number: 1 + action: accept + description: Fwipv6-Rule 1 is configured by Ansible + ipsec: match-ipsec + - number: 2 + action: accept + description: Fwipv6-Rule 2 is configured by Ansible + ipsec: match-ipsec + - afi: ipv4 + rule_sets: + - name: INBOUND + description: IPv4 INBOUND rule set + default_action: accept + rules: + - number: 101 + action: accept + description: Rule 101 is configured by Ansible + ipsec: match-ipsec + - number: 102 + action: reject + description: Rule 102 is configured by Ansible + ipsec: match-ipsec + - number: 103 + action: accept + description: Rule 103 is configured by Ansible + source: + address: 192.0.2.0 + state: + established: true + new: false + invalid: false + related: true diff --git a/tests/integration/targets/vyos_static_routes/defaults/main.yaml b/tests/integration/targets/vyos_static_routes/defaults/main.yaml new file mode 100644 index 0000000..852a6be --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/defaults/main.yaml @@ -0,0 +1,3 @@ +--- +testcase: '[^_].*' +test_items: [] diff --git a/tests/integration/targets/vyos_static_routes/meta/main.yaml b/tests/integration/targets/vyos_static_routes/meta/main.yaml new file mode 100644 index 0000000..91da2a7 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/meta/main.yaml @@ -0,0 +1,2 @@ +--- +... diff --git a/tests/integration/targets/vyos_static_routes/tasks/cli.yaml b/tests/integration/targets/vyos_static_routes/tasks/cli.yaml new file mode 100644 index 0000000..93eb2fe --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tasks/cli.yaml @@ -0,0 +1,19 @@ +--- +- name: Collect all cli test cases + find: + paths: '{{ role_path }}/tests/cli' + patterns: '{{ testcase }}.yaml' + use_regex: true + register: test_cases + delegate_to: localhost + +- name: Set test_items + set_fact: test_items="{{ test_cases.files | map(attribute='path') | list }}" + +- name: Run test case (connection=ansible.netcommon.network_cli) + include: '{{ test_case_to_run }}' + vars: + ansible_connection: ansible.netcommon.network_cli + with_items: '{{ test_items }}' + loop_control: + loop_var: test_case_to_run diff --git a/tests/integration/targets/vyos_static_routes/tasks/main.yaml b/tests/integration/targets/vyos_static_routes/tasks/main.yaml new file mode 100644 index 0000000..a3db933 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tasks/main.yaml @@ -0,0 +1,4 @@ +--- +- include: cli.yaml + tags: + - cli diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/_parsed_config.cfg b/tests/integration/targets/vyos_static_routes/tests/cli/_parsed_config.cfg new file mode 100644 index 0000000..b2ecd4e --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/_parsed_config.cfg @@ -0,0 +1,6 @@ +set protocols static route 192.0.2.32/28 next-hop '192.0.2.9' +set protocols static route 192.0.2.32/28 next-hop '192.0.2.10' +set protocols static route 192.0.2.32/28 blackhole +set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::1' +set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::2' +set protocols static route6 2001:db8:1000::/36 blackhole distance '2' diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/_populate.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/_populate.yaml new file mode 100644 index 0000000..f292e5d --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/_populate.yaml @@ -0,0 +1,12 @@ +--- +- name: Setup + vars: + lines: "set protocols static route 192.0.2.32/28 next-hop '192.0.2.10'\nset\ + \ protocols static route 192.0.2.32/28 next-hop '192.0.2.9'\nset protocols\ + \ static route 192.0.2.32/28 blackhole\nset protocols static route 192.0.2.32/28\n\ + set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::1'\n\ + set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::2'\n\ + set protocols static route6 2001:db8:1000::/36 blackhole distance '2'\nset\ + \ protocols static route6 2001:db8:1000::/36\n" + ansible.netcommon.cli_config: + config: '{{ lines }}' diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/_remove_config.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/_remove_config.yaml new file mode 100644 index 0000000..5a5cccb --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/_remove_config.yaml @@ -0,0 +1,6 @@ +--- +- name: Remove Config + vars: + lines: "delete protocols static route\ndelete protocols static route6\n" + ansible.netcommon.cli_config: + config: '{{ lines }}' diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/deleted.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/deleted.yaml new file mode 100644 index 0000000..7f098f5 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/deleted.yaml @@ -0,0 +1,62 @@ +--- +- debug: + msg: Start vyos_static_routes deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete static route based on destiation. + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + + - afi: ipv6 + routes: + + - dest: 2001:db8:1000::/36 + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_dest['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_dest['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_dest['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/deleted_afi.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/deleted_afi.yaml new file mode 100644 index 0000000..221f1b5 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/deleted_afi.yaml @@ -0,0 +1,56 @@ +--- +- debug: + msg: Start vyos_static_routes deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete static route based on afi. + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + + - afi: ipv6 + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_afi_all['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['after'])\ + \ |length == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['before'])\ + \ |length == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/deleted_all.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/deleted_all.yaml new file mode 100644 index 0000000..e10f1bc --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/deleted_all.yaml @@ -0,0 +1,50 @@ +--- +- debug: + msg: Start vyos_static_routes deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete all the static routes. + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_afi_all['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['after'])\ + \ |length == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_afi_all['after'] | symmetric_difference(result['before'])\ + \ |length == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/deleted_nh.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/deleted_nh.yaml new file mode 100644 index 0000000..f6075d2 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/deleted_nh.yaml @@ -0,0 +1,68 @@ +--- +- debug: + msg: Start vyos_static_routes deleted integration tests ansible_connection={{ + ansible_connection }} + +- include_tasks: _populate.yaml + +- block: + + - name: Delete static route based on next_hop. + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + next_hops: + + - forward_router_address: 192.0.2.9 + + - afi: ipv6 + routes: + + - dest: 2001:db8:1000::/36 + next_hops: + + - forward_router_address: 2001:db8:2000:2::1 + state: deleted + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that the correct set of commands were generated + assert: + that: + - "{{ deleted_nh['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that the after dicts were correctly generated + assert: + that: + - "{{ deleted_nh['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Delete attributes of given interfaces (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result.changed == false + - result.commands|length == 0 + + - name: Assert that the before dicts were correctly generated + assert: + that: + - "{{ deleted_nh['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/empty_config.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/empty_config.yaml new file mode 100644 index 0000000..f58ef39 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/empty_config.yaml @@ -0,0 +1,60 @@ +--- +- debug: + msg: START vyos_static_routes empty_config integration tests on connection={{ + ansible_connection }} + +- name: Merged with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_static_routes: + config: + state: merged + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state merged' + +- name: Replaced with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_static_routes: + config: + state: replaced + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state replaced' + +- name: Overridden with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_static_routes: + config: + state: overridden + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state overridden' + +- name: Parsed with empty running_config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_static_routes: + running_config: + state: parsed + +- assert: + that: + - result.msg == 'value of running_config parameter must not be empty for state + parsed' + +- name: Rendered with empty config should give appropriate error message + register: result + ignore_errors: true + vyos.vyos.vyos_static_routes: + config: + state: rendered + +- assert: + that: + - result.msg == 'value of config parameter must not be empty for state rendered' diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/gathered.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/gathered.yaml new file mode 100644 index 0000000..d3b84d1 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/gathered.yaml @@ -0,0 +1,34 @@ +--- +- debug: + msg: START vyos_static_routes gathered integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Merge the provided configuration with the exisiting running configuration + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + state: gathered + + - name: Assert that gathered dicts was correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['gathered']) |length == 0\ + \ }}" + + - name: Gather the existing running configuration (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/merged.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/merged.yaml new file mode 100644 index 0000000..999ae86 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/merged.yaml @@ -0,0 +1,78 @@ +--- +- debug: + msg: START vyos_static_routes merged integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- block: + + - name: Merge the provided configuration with the exisiting running configuration + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + blackhole_config: + type: blackhole + next_hops: + + - forward_router_address: 192.0.2.10 + + - forward_router_address: 192.0.2.9 + + - address_families: + + - afi: ipv6 + routes: + + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + + - forward_router_address: 2001:db8:2000:2::1 + + - forward_router_address: 2001:db8:2000:2::2 + state: merged + + - name: Assert that before dicts were correctly generated + assert: + that: "{{ merged['before'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + + - name: Assert that correct set of commands were generated + assert: + that: + - "{{ merged['commands'] | symmetric_difference(result['commands']) |length\ + \ == 0 }}" + + - name: Assert that after dicts was correctly generated + assert: + that: + - "{{ merged['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Merge the provided configuration with the existing running configuration + (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + + - name: Assert that before dicts were correctly generated + assert: + that: + - "{{ merged['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/overridden.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/overridden.yaml new file mode 100644 index 0000000..a9112a5 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/overridden.yaml @@ -0,0 +1,61 @@ +--- +- debug: + msg: START vyos_static_routes overridden integration tests on connection={{ + ansible_connection }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Overrides all device configuration with provided configuration + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 198.0.2.48/28 + next_hops: + + - forward_router_address: 192.0.2.18 + state: overridden + + - name: Assert that before dicts were correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that correct commands were generated + assert: + that: + - "{{ overridden['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that after dicts were correctly generated + assert: + that: + - "{{ overridden['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Overrides all device configuration with provided configurations (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + + - name: Assert that before dicts were correctly generated + assert: + that: + - "{{ overridden['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/parsed.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/parsed.yaml new file mode 100644 index 0000000..4b6e434 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/parsed.yaml @@ -0,0 +1,41 @@ +--- +- debug: + msg: START vyos_static_routes parsed integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Gather static_routes facts + register: static_routes_facts + vyos.vyos.vyos_facts: + gather_subset: + - default + gather_network_resources: + - static_routes + + - name: Provide the running configuration for parsing (config to be parsed) + register: result + vyos.vyos.vyos_static_routes: &id001 + running_config: "{{ lookup('file', '_parsed_config.cfg') }}" + state: parsed + + - name: Assert that correct parsing done + assert: + that: "{{ ansible_facts['network_resources']['static_routes'] | symmetric_difference(result['parsed'])\ + \ |length == 0 }}" + + - name: Gather the existing running configuration (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/rendered.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/rendered.yaml new file mode 100644 index 0000000..ff18523 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/rendered.yaml @@ -0,0 +1,62 @@ +--- +- debug: + msg: START vyos_static_routes rendered integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Structure provided configuration into device specific commands + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + blackhole_config: + type: blackhole + next_hops: + + - forward_router_address: 192.0.2.10 + + - forward_router_address: 192.0.2.9 + + - address_families: + + - afi: ipv6 + routes: + + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + + - forward_router_address: 2001:db8:2000:2::1 + + - forward_router_address: 2001:db8:2000:2::2 + state: rendered + + - name: Assert that correct set of commands were generated + assert: + that: + - "{{ rendered['commands'] | symmetric_difference(result['rendered'])\ + \ |length == 0 }}" + + - name: Structure provided configuration into device specific commands (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that the previous task was idempotent + assert: + that: + - result['changed'] == false + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/replaced.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/replaced.yaml new file mode 100644 index 0000000..80ed801 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/replaced.yaml @@ -0,0 +1,69 @@ +--- +- debug: + msg: START vyos_static_routes replaced integration tests on connection={{ ansible_connection + }} + +- include_tasks: _remove_config.yaml + +- include_tasks: _populate.yaml + +- block: + + - name: Replace device configurations of listed static routes with provided + configurations + register: result + vyos.vyos.vyos_static_routes: &id001 + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + blackhole_config: + distance: 2 + next_hops: + + - forward_router_address: 192.0.2.7 + + - forward_router_address: 192.0.2.8 + + - forward_router_address: 192.0.2.9 + state: replaced + + - name: Assert that correct set of commands were generated + assert: + that: + - "{{ replaced['commands'] | symmetric_difference(result['commands'])\ + \ |length == 0 }}" + + - name: Assert that before dicts are correctly generated + assert: + that: + - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" + + - name: Assert that after dict is correctly generated + assert: + that: + - "{{ replaced['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Replace device configurations of listed static routes with provided + configurarions (IDEMPOTENT) + register: result + vyos.vyos.vyos_static_routes: *id001 + + - name: Assert that task was idempotent + assert: + that: + - result['changed'] == false + + - name: Assert that before dict is correctly generated + assert: + that: + - "{{ replaced['after'] | symmetric_difference(result['before']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/tests/cli/rtt.yaml b/tests/integration/targets/vyos_static_routes/tests/cli/rtt.yaml new file mode 100644 index 0000000..340fde9 --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/tests/cli/rtt.yaml @@ -0,0 +1,90 @@ +--- +- debug: + msg: START vyos_static_routes round trip integration tests on connection={{ + ansible_connection }} + +- include_tasks: _remove_config.yaml + +- block: + + - name: Apply the provided configuration (base config) + register: base_config + vyos.vyos.vyos_static_routes: + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + blackhole_config: + type: blackhole + next_hops: + + - forward_router_address: 192.0.2.10 + + - forward_router_address: 192.0.2.9 + + - address_families: + + - afi: ipv6 + routes: + + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + + - forward_router_address: 2001:db8:2000:2::1 + + - forward_router_address: 2001:db8:2000:2::2 + state: merged + + - name: Gather static_routes facts + vyos.vyos.vyos_facts: + gather_subset: + - default + gather_network_resources: + - static_routes + + - name: Apply the provided configuration (config to be reverted) + register: result + vyos.vyos.vyos_static_routes: + config: + + - address_families: + + - afi: ipv4 + routes: + + - dest: 192.0.2.32/28 + blackhole_config: + distance: 2 + next_hops: + + - forward_router_address: 192.0.2.7 + + - forward_router_address: 192.0.2.8 + + - forward_router_address: 192.0.2.9 + state: merged + + - name: Assert that changes were applied + assert: + that: "{{ round_trip['after'] | symmetric_difference(result['after']) |length\ + \ == 0 }}" + + - name: Revert back to base config using facts round trip + register: revert + vyos.vyos.vyos_static_routes: + config: "{{ ansible_facts['network_resources']['static_routes'] }}" + state: overridden + + - name: Assert that config was reverted + assert: + that: "{{ base_config['after'] | symmetric_difference(revert['after']) |length\ + \ == 0 }}" + always: + + - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_static_routes/vars/main.yaml b/tests/integration/targets/vyos_static_routes/vars/main.yaml new file mode 100644 index 0000000..93b875f --- /dev/null +++ b/tests/integration/targets/vyos_static_routes/vars/main.yaml @@ -0,0 +1,147 @@ +--- +merged: + before: [] + commands: + - set protocols static route 192.0.2.32/28 next-hop '192.0.2.10' + - set protocols static route 192.0.2.32/28 next-hop '192.0.2.9' + - set protocols static route 192.0.2.32/28 blackhole + - set protocols static route 192.0.2.32/28 + - set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::1' + - set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::2' + - set protocols static route6 2001:db8:1000::/36 blackhole distance '2' + - set protocols static route6 2001:db8:1000::/36 + after: + - address_families: + - afi: ipv4 + routes: + - dest: 192.0.2.32/28 + blackhole_config: + type: blackhole + next_hops: + - forward_router_address: 192.0.2.9 + - forward_router_address: 192.0.2.10 + - afi: ipv6 + routes: + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 2001:db8:2000:2::1 + - forward_router_address: 2001:db8:2000:2::2 +populate: + - address_families: + - afi: ipv4 + routes: + - dest: 192.0.2.32/28 + blackhole_config: + type: blackhole + next_hops: + - forward_router_address: 192.0.2.9 + - forward_router_address: 192.0.2.10 + - afi: ipv6 + routes: + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 2001:db8:2000:2::1 + - forward_router_address: 2001:db8:2000:2::2 +replaced: + commands: + - delete protocols static route 192.0.2.32/28 next-hop '192.0.2.10' + - set protocols static route 192.0.2.32/28 next-hop '192.0.2.7' + - set protocols static route 192.0.2.32/28 next-hop '192.0.2.8' + - set protocols static route 192.0.2.32/28 blackhole distance '2' + after: + - address_families: + - afi: ipv4 + routes: + - dest: 192.0.2.32/28 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 192.0.2.7 + - forward_router_address: 192.0.2.8 + - forward_router_address: 192.0.2.9 + - afi: ipv6 + routes: + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 2001:db8:2000:2::1 + - forward_router_address: 2001:db8:2000:2::2 +overridden: + commands: + - delete protocols static route 192.0.2.32/28 + - delete protocols static route6 2001:db8:1000::/36 + - set protocols static route 198.0.2.48/28 next-hop '192.0.2.18' + - set protocols static route 198.0.2.48/28 + after: + - address_families: + - afi: ipv4 + routes: + - dest: 198.0.2.48/28 + next_hops: + - forward_router_address: 192.0.2.18 +rendered: + commands: + - set protocols static route 192.0.2.32/28 next-hop '192.0.2.10' + - set protocols static route 192.0.2.32/28 next-hop '192.0.2.9' + - set protocols static route 192.0.2.32/28 blackhole + - set protocols static route 192.0.2.32/28 + - set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::1' + - set protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::2' + - set protocols static route6 2001:db8:1000::/36 blackhole distance '2' + - set protocols static route6 2001:db8:1000::/36 +deleted_dest: + commands: + - delete protocols static route 192.0.2.32/28 + - delete protocols static route6 2001:db8:1000::/36 + after: [] +deleted_nh: + commands: + - delete protocols static route 192.0.2.32/28 next-hop '192.0.2.9' + - delete protocols static route6 2001:db8:1000::/36 next-hop '2001:db8:2000:2::1' + after: + - address_families: + - afi: ipv4 + routes: + - dest: 192.0.2.32/28 + blackhole_config: + type: blackhole + next_hops: + - forward_router_address: 192.0.2.10 + - afi: ipv6 + routes: + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 2001:db8:2000:2::2 +deleted_afi_all: + commands: + - delete protocols static route + - delete protocols static route6 + after: [] +round_trip: + after: + - address_families: + - afi: ipv4 + routes: + - dest: 192.0.2.32/28 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 192.0.2.7 + - forward_router_address: 192.0.2.8 + - forward_router_address: 192.0.2.9 + - forward_router_address: 192.0.2.10 + - afi: ipv6 + routes: + - dest: 2001:db8:1000::/36 + blackhole_config: + distance: 2 + next_hops: + - forward_router_address: 2001:db8:2000:2::1 + - forward_router_address: 2001:db8:2000:2::2 diff --git a/tests/sanity/ignore-2.10.txt b/tests/sanity/ignore-2.10.txt index d25476f..a62f497 100644 --- a/tests/sanity/ignore-2.10.txt +++ b/tests/sanity/ignore-2.10.txt @@ -45,16 +45,6 @@ plugins/modules/vyos_logging.py validate-modules:undocumented-parameter plugins/modules/vyos_ping.py validate-modules:doc-default-does-not-match-spec plugins/modules/vyos_ping.py validate-modules:doc-required-mismatch plugins/modules/vyos_ping.py validate-modules:parameter-type-not-in-doc -plugins/modules/vyos_static_route.py future-import-boilerplate -plugins/modules/vyos_static_route.py metaclass-boilerplate -plugins/modules/vyos_static_route.py validate-modules:doc-choices-do-not-match-spec -plugins/modules/vyos_static_route.py validate-modules:doc-default-does-not-match-spec -plugins/modules/vyos_static_route.py validate-modules:doc-elements-mismatch -plugins/modules/vyos_static_route.py validate-modules:doc-missing-type -plugins/modules/vyos_static_route.py validate-modules:doc-required-mismatch -plugins/modules/vyos_static_route.py validate-modules:missing-suboption-docs -plugins/modules/vyos_static_route.py validate-modules:parameter-type-not-in-doc -plugins/modules/vyos_static_route.py validate-modules:undocumented-parameter plugins/modules/vyos_system.py future-import-boilerplate plugins/modules/vyos_system.py metaclass-boilerplate plugins/modules/vyos_system.py validate-modules:doc-default-does-not-match-spec diff --git a/tests/sanity/ignore-2.9.txt b/tests/sanity/ignore-2.9.txt index d25476f..a62f497 100644 --- a/tests/sanity/ignore-2.9.txt +++ b/tests/sanity/ignore-2.9.txt @@ -45,16 +45,6 @@ plugins/modules/vyos_logging.py validate-modules:undocumented-parameter plugins/modules/vyos_ping.py validate-modules:doc-default-does-not-match-spec plugins/modules/vyos_ping.py validate-modules:doc-required-mismatch plugins/modules/vyos_ping.py validate-modules:parameter-type-not-in-doc -plugins/modules/vyos_static_route.py future-import-boilerplate -plugins/modules/vyos_static_route.py metaclass-boilerplate -plugins/modules/vyos_static_route.py validate-modules:doc-choices-do-not-match-spec -plugins/modules/vyos_static_route.py validate-modules:doc-default-does-not-match-spec -plugins/modules/vyos_static_route.py validate-modules:doc-elements-mismatch -plugins/modules/vyos_static_route.py validate-modules:doc-missing-type -plugins/modules/vyos_static_route.py validate-modules:doc-required-mismatch -plugins/modules/vyos_static_route.py validate-modules:missing-suboption-docs -plugins/modules/vyos_static_route.py validate-modules:parameter-type-not-in-doc -plugins/modules/vyos_static_route.py validate-modules:undocumented-parameter plugins/modules/vyos_system.py future-import-boilerplate plugins/modules/vyos_system.py metaclass-boilerplate plugins/modules/vyos_system.py validate-modules:doc-default-does-not-match-spec diff --git a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_rules_config.cfg b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_rules_config.cfg new file mode 100644 index 0000000..f65b386 --- /dev/null +++ b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_rules_config.cfg @@ -0,0 +1,13 @@ +set firewall name V4-INGRESS default-action 'accept' +set firewall ipv6-name V6-INGRESS default-action 'accept' +set firewall name V4-INGRESS description 'This is IPv4 V4-INGRESS rule set' +set firewall name V4-INGRESS enable-default-log +set firewall name V4-INGRESS rule 101 protocol 'icmp' +set firewall name V4-INGRESS rule 101 description 'Rule 101 is configured by Ansible' +set firewall name V4-INGRESS rule 101 fragment 'match-frag' +set firewall name V4-INGRESS rule 101 +set firewall name V4-INGRESS rule 101 disabled +set firewall name V4-INGRESS rule 101 action 'accept' +set firewall name V4-INGRESS rule 101 ipsec 'match-ipsec' +set firewall name V4-EGRESS default-action 'reject' +set firewall ipv6-name V6-EGRESS default-action 'reject' diff --git a/tests/unit/modules/network/vyos/fixtures/vyos_static_routes_config.cfg b/tests/unit/modules/network/vyos/fixtures/vyos_static_routes_config.cfg new file mode 100644 index 0000000..0411dc9 --- /dev/null +++ b/tests/unit/modules/network/vyos/fixtures/vyos_static_routes_config.cfg @@ -0,0 +1,2 @@ +'set protocols static route 192.0.2.32/28 next-hop 192.0.2.9' +'set protocols static route 192.0.2.32/28 next-hop 192.0.2.10' diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py b/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py new file mode 100644 index 0000000..86fcc65 --- /dev/null +++ b/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py @@ -0,0 +1,1039 @@ +# (c) 2016 Red Hat Inc. +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see <http://www.gnu.org/licenses/>. + +# Make coding more python3-ish +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +from ansible_collections.vyos.vyos.tests.unit.compat.mock import patch +from ansible_collections.vyos.vyos.plugins.modules import vyos_firewall_rules +from ansible_collections.vyos.vyos.tests.unit.modules.utils import ( + set_module_args, +) +from .vyos_module import TestVyosModule, load_fixture + + +class TestVyosFirewallRulesModule(TestVyosModule): + + module = vyos_firewall_rules + + def setUp(self): + super(TestVyosFirewallRulesModule, self).setUp() + self.mock_get_config = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.network.Config.get_config" + ) + self.get_config = self.mock_get_config.start() + + self.mock_load_config = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.network.Config.load_config" + ) + self.load_config = self.mock_load_config.start() + + self.mock_get_resource_connection_config = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.cfg.base.get_resource_connection" + ) + self.get_resource_connection_config = ( + self.mock_get_resource_connection_config.start() + ) + + self.mock_get_resource_connection_facts = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.facts.facts.get_resource_connection" + ) + self.get_resource_connection_facts = ( + self.mock_get_resource_connection_facts.start() + ) + self.mock_execute_show_command = patch( + "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.static_routes.static_routes.Static_routesFacts.get_device_data" + ) + + self.mock_execute_show_command = patch( + "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.firewall_rules.firewall_rules.Firewall_rulesFacts.get_device_data" + ) + self.execute_show_command = self.mock_execute_show_command.start() + + def tearDown(self): + super(TestVyosFirewallRulesModule, self).tearDown() + self.mock_get_resource_connection_config.stop() + self.mock_get_resource_connection_facts.stop() + self.mock_get_config.stop() + self.mock_load_config.stop() + self.mock_execute_show_command.stop() + + def load_fixtures(self, commands=None): + def load_from_file(*args, **kwargs): + return load_fixture("vyos_firewall_rules_config.cfg") + + self.execute_show_command.side_effect = load_from_file + + def test_vyos_firewall_rule_set_01_merged(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="V6-INBOUND", + description="This is IPv6 INBOUND rule set", + default_action="reject", + enable_default_log=True, + rules=[], + ), + dict( + name="V6-OUTBOUND", + description="This is IPv6 OUTBOUND rule set", + default_action="accept", + enable_default_log=False, + rules=[], + ), + ], + ), + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INBOUND", + description="This is IPv4 INBOUND rule set", + default_action="reject", + enable_default_log=True, + rules=[], + ), + dict( + name="V4-OUTBOUND", + description="This is IPv4 OUTBOUND rule set", + default_action="accept", + enable_default_log=False, + rules=[], + ), + ], + ), + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name V6-INBOUND default-action 'reject'", + "set firewall ipv6-name V6-INBOUND description 'This is IPv6 INBOUND rule set'", + "set firewall ipv6-name V6-INBOUND enable-default-log", + "set firewall ipv6-name V6-OUTBOUND default-action 'accept'", + "set firewall ipv6-name V6-OUTBOUND description 'This is IPv6 OUTBOUND rule set'", + "set firewall name V4-INBOUND default-action 'reject'", + "set firewall name V4-INBOUND description 'This is IPv4 INBOUND rule set'", + "set firewall name V4-INBOUND enable-default-log", + "set firewall name V4-OUTBOUND default-action 'accept'", + "set firewall name V4-OUTBOUND description 'This is IPv4 OUTBOUND rule set'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_rule_set_02_merged(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="V6-INBOUND", + description="This is IPv6 INBOUND rule set", + default_action="reject", + enable_default_log=True, + rules=[], + ), + dict( + name="V6-OUTBOUND", + description="This is IPv6 OUTBOUND rule set", + default_action="accept", + enable_default_log=False, + rules=[], + ), + ], + ), + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INBOUND", + description="This is IPv4 INBOUND rule set", + default_action="reject", + enable_default_log=True, + rules=[], + ), + dict( + name="V4-OUTBOUND", + description="This is IPv4 OUTBOUND rule set", + default_action="accept", + enable_default_log=False, + rules=[], + ), + ], + ), + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name V6-INBOUND default-action 'reject'", + "set firewall ipv6-name V6-INBOUND description 'This is IPv6 INBOUND rule set'", + "set firewall ipv6-name V6-INBOUND enable-default-log", + "set firewall ipv6-name V6-OUTBOUND default-action 'accept'", + "set firewall ipv6-name V6-OUTBOUND description 'This is IPv6 OUTBOUND rule set'", + "set firewall name V4-INBOUND default-action 'reject'", + "set firewall name V4-INBOUND description 'This is IPv4 INBOUND rule set'", + "set firewall name V4-INBOUND enable-default-log", + "set firewall name V4-OUTBOUND default-action 'accept'", + "set firewall name V4-OUTBOUND description 'This is IPv4 OUTBOUND rule set'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_rule_merged_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="INBOUND", + description="This is IPv4 INBOUND rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="101", + action="accept", + description="Rule 101 is configured by Ansible", + ipsec="match-ipsec", + protocol="icmp", + fragment="match-frag", + disabled=True, + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall name INBOUND default-action 'accept'", + "set firewall name INBOUND description 'This is IPv4 INBOUND rule set'", + "set firewall name INBOUND enable-default-log", + "set firewall name INBOUND rule 101 protocol 'icmp'", + "set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'", + "set firewall name INBOUND rule 101 fragment 'match-frag'", + "set firewall name INBOUND rule 101", + "set firewall name INBOUND rule 101 disabled", + "set firewall name INBOUND rule 101 action 'accept'", + "set firewall name INBOUND rule 101 ipsec 'match-ipsec'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_rule_merged_02(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + protocol="tcp", + source=dict( + address="192.0.2.0", + mac_address="38:00:25:19:76:0c", + port=2127, + ), + destination=dict( + address="192.0.1.0", port=2124 + ), + limit=dict( + burst=10, + rate=dict( + number=20, unit="second" + ), + ), + recent=dict(count=10, time=20), + state=dict( + established=True, + related=True, + invalid=True, + new=True, + ), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall name INBOUND rule 101 protocol 'tcp'", + "set firewall name INBOUND rule 101 destination address 192.0.1.0", + "set firewall name INBOUND rule 101 destination port 2124", + "set firewall name INBOUND rule 101", + "set firewall name INBOUND rule 101 source address 192.0.2.0", + "set firewall name INBOUND rule 101 source mac-address 38:00:25:19:76:0c", + "set firewall name INBOUND rule 101 source port 2127", + "set firewall name INBOUND rule 101 state new enable", + "set firewall name INBOUND rule 101 state invalid enable", + "set firewall name INBOUND rule 101 state related enable", + "set firewall name INBOUND rule 101 state established enable", + "set firewall name INBOUND rule 101 limit burst 10", + "set firewall name INBOUND rule 101 limit rate 20/second", + "set firewall name INBOUND rule 101 recent count 10", + "set firewall name INBOUND rule 101 recent time 20", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_rule_merged_03(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + destination=dict( + group=dict( + address_group="OUT-ADDR-GROUP", + network_group="OUT-NET-GROUP", + port_group="OUT-PORT-GROUP", + ) + ), + source=dict( + group=dict( + address_group="IN-ADDR-GROUP", + network_group="IN-NET-GROUP", + port_group="IN-PORT-GROUP", + ) + ), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall name INBOUND rule 101 source group address-group IN-ADDR-GROUP", + "set firewall name INBOUND rule 101 source group network-group IN-NET-GROUP", + "set firewall name INBOUND rule 101 source group port-group IN-PORT-GROUP", + "set firewall name INBOUND rule 101 destination group address-group OUT-ADDR-GROUP", + "set firewall name INBOUND rule 101 destination group network-group OUT-NET-GROUP", + "set firewall name INBOUND rule 101 destination group port-group OUT-PORT-GROUP", + "set firewall name INBOUND rule 101", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_rule_merged_04(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + time=dict( + monthdays="2", + startdate="2020-01-24", + starttime="13:20:00", + stopdate="2020-01-28", + stoptime="13:30:00", + weekdays="!Sat,Sun", + utc=True, + ), + tcp=dict(flags="ALL"), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall name INBOUND rule 101", + "set firewall name INBOUND rule 101 tcp flags ALL", + "set firewall name INBOUND rule 101 time utc", + "set firewall name INBOUND rule 101 time monthdays 2", + "set firewall name INBOUND rule 101 time startdate 2020-01-24", + "set firewall name INBOUND rule 101 time stopdate 2020-01-28", + "set firewall name INBOUND rule 101 time weekdays !Sat,Sun", + "set firewall name INBOUND rule 101 time stoptime 13:30:00", + "set firewall name INBOUND rule 101 time starttime 13:20:00", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v6_rule_sets_rule_merged_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="INBOUND", + description="This is IPv6 INBOUND rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="101", + action="accept", + description="Rule 101 is configured by Ansible", + ipsec="match-ipsec", + protocol="icmp", + disabled=True, + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name INBOUND default-action 'accept'", + "set firewall ipv6-name INBOUND description 'This is IPv6 INBOUND rule set'", + "set firewall ipv6-name INBOUND enable-default-log", + "set firewall ipv6-name INBOUND rule 101 protocol 'icmp'", + "set firewall ipv6-name INBOUND rule 101 description 'Rule 101 is configured by Ansible'", + "set firewall ipv6-name INBOUND rule 101", + "set firewall ipv6-name INBOUND rule 101 disabled", + "set firewall ipv6-name INBOUND rule 101 action 'accept'", + "set firewall ipv6-name INBOUND rule 101 ipsec 'match-ipsec'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v6_rule_sets_rule_merged_02(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + protocol="tcp", + source=dict( + address="2001:db8::12", + mac_address="38:00:25:19:76:0c", + port=2127, + ), + destination=dict( + address="2001:db8::11", port=2124 + ), + limit=dict( + burst=10, + rate=dict( + number=20, unit="second" + ), + ), + recent=dict(count=10, time=20), + state=dict( + established=True, + related=True, + invalid=True, + new=True, + ), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name INBOUND rule 101 protocol 'tcp'", + "set firewall ipv6-name INBOUND rule 101 destination address 2001:db8::11", + "set firewall ipv6-name INBOUND rule 101 destination port 2124", + "set firewall ipv6-name INBOUND rule 101", + "set firewall ipv6-name INBOUND rule 101 source address 2001:db8::12", + "set firewall ipv6-name INBOUND rule 101 source mac-address 38:00:25:19:76:0c", + "set firewall ipv6-name INBOUND rule 101 source port 2127", + "set firewall ipv6-name INBOUND rule 101 state new enable", + "set firewall ipv6-name INBOUND rule 101 state invalid enable", + "set firewall ipv6-name INBOUND rule 101 state related enable", + "set firewall ipv6-name INBOUND rule 101 state established enable", + "set firewall ipv6-name INBOUND rule 101 limit burst 10", + "set firewall ipv6-name INBOUND rule 101 recent count 10", + "set firewall ipv6-name INBOUND rule 101 recent time 20", + "set firewall ipv6-name INBOUND rule 101 limit rate 20/second", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v6_rule_sets_rule_merged_03(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + destination=dict( + group=dict( + address_group="OUT-ADDR-GROUP", + network_group="OUT-NET-GROUP", + port_group="OUT-PORT-GROUP", + ) + ), + source=dict( + group=dict( + address_group="IN-ADDR-GROUP", + network_group="IN-NET-GROUP", + port_group="IN-PORT-GROUP", + ) + ), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name INBOUND rule 101 source group address-group IN-ADDR-GROUP", + "set firewall ipv6-name INBOUND rule 101 source group network-group IN-NET-GROUP", + "set firewall ipv6-name INBOUND rule 101 source group port-group IN-PORT-GROUP", + "set firewall ipv6-name INBOUND rule 101 destination group address-group OUT-ADDR-GROUP", + "set firewall ipv6-name INBOUND rule 101 destination group network-group OUT-NET-GROUP", + "set firewall ipv6-name INBOUND rule 101 destination group port-group OUT-PORT-GROUP", + "set firewall ipv6-name INBOUND rule 101", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v6_rule_sets_rule_merged_04(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + time=dict( + monthdays="2", + startdate="2020-01-24", + starttime="13:20:00", + stopdate="2020-01-28", + stoptime="13:30:00", + weekdays="!Sat,Sun", + utc=True, + ), + tcp=dict(flags="ALL"), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name INBOUND rule 101", + "set firewall ipv6-name INBOUND rule 101 tcp flags ALL", + "set firewall ipv6-name INBOUND rule 101 time utc", + "set firewall ipv6-name INBOUND rule 101 time monthdays 2", + "set firewall ipv6-name INBOUND rule 101 time startdate 2020-01-24", + "set firewall ipv6-name INBOUND rule 101 time stopdate 2020-01-28", + "set firewall ipv6-name INBOUND rule 101 time weekdays !Sat,Sun", + "set firewall ipv6-name INBOUND rule 101 time stoptime 13:30:00", + "set firewall ipv6-name INBOUND rule 101 time starttime 13:20:00", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v6_rule_sets_rule_merged_icmp_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv6", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + protocol="icmp", + icmp=dict( + type_name="port-unreachable" + ), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall ipv6-name INBOUND rule 101 icmpv6 type port-unreachable", + "set firewall ipv6-name INBOUND rule 101 protocol 'icmp'", + "set firewall ipv6-name INBOUND rule 101", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_rule_merged_icmp_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + protocol="icmp", + icmp=dict(type=1, code=1), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall name INBOUND rule 101 icmp type 1", + "set firewall name INBOUND rule 101 icmp code 1", + "set firewall name INBOUND rule 101 protocol 'icmp'", + "set firewall name INBOUND rule 101", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_rule_merged_icmp_02(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="INBOUND", + rules=[ + dict( + number="101", + protocol="icmp", + icmp=dict(type_name="echo-request"), + ) + ], + ), + ], + ) + ], + state="merged", + ) + ) + commands = [ + "set firewall name INBOUND rule 101 icmp type-name echo-request", + "set firewall name INBOUND rule 101 protocol 'icmp'", + "set firewall name INBOUND rule 101", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4_rule_sets_del_01(self): + set_module_args( + dict( + config=[ + dict(afi="ipv4", rule_sets=[dict(name="V4-INGRESS"),]) + ], + state="deleted", + ) + ) + commands = ["delete firewall name V4-INGRESS"] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4v6_rule_sets_del_02(self): + set_module_args( + dict( + config=[ + dict(afi="ipv4", rule_sets=[dict(name="V4-INGRESS"),]), + dict(afi="ipv6", rule_sets=[dict(name="V6-INGRESS"),]), + ], + state="deleted", + ) + ) + commands = [ + "delete firewall name V4-INGRESS", + "delete firewall ipv6-name V6-INGRESS", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4v6_rule_sets_del_03(self): + set_module_args(dict(config=[], state="deleted")) + commands = ["delete firewall name", "delete firewall ipv6-name"] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4v6_rule_sets_del_04(self): + set_module_args( + dict( + config=[ + dict(afi="ipv4", rule_sets=[dict(name="V4-ING"),]), + dict(afi="ipv6", rule_sets=[dict(name="V6-ING"),]), + ], + state="deleted", + ) + ) + self.execute_module(changed=False, commands=[]) + + def test_vyos_firewall_v4v6_rule_sets_rule_rep_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INGRESS", + description="This is IPv4 INGRESS rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="101", + action="reject", + description="Rule 101 is configured by Ansible RM", + ipsec="match-ipsec", + protocol="tcp", + fragment="match-frag", + disabled=False, + ), + dict( + number="102", + action="accept", + description="Rule 102 is configured by Ansible RM", + protocol="icmp", + disabled=True, + ), + ], + ), + ], + ), + dict( + afi="ipv6", + rule_sets=[ + dict( + name="V6-INGRESS", + default_action="accept", + description="This rule-set is configured by Ansible RM", + ), + dict( + name="V6-EGRESS", + default_action="reject", + description="This rule-set is configured by Ansible RM", + ), + ], + ), + ], + state="replaced", + ) + ) + commands = [ + "delete firewall name V4-INGRESS rule 101 disabled", + "delete firewall name V4-EGRESS default-action", + "set firewall name V4-INGRESS description 'This is IPv4 INGRESS rule set'", + "set firewall name V4-INGRESS rule 101 protocol 'tcp'", + "set firewall name V4-INGRESS rule 101 description 'Rule 101 is configured by Ansible RM'", + "set firewall name V4-INGRESS rule 101 action 'reject'", + "set firewall name V4-INGRESS rule 102 disabled", + "set firewall name V4-INGRESS rule 102 action 'accept'", + "set firewall name V4-INGRESS rule 102 protocol 'icmp'", + "set firewall name V4-INGRESS rule 102 description 'Rule 102 is configured by Ansible RM'", + "set firewall name V4-INGRESS rule 102", + "set firewall ipv6-name V6-INGRESS description 'This rule-set is configured by Ansible RM'", + "set firewall ipv6-name V6-EGRESS description 'This rule-set is configured by Ansible RM'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4v6_rule_sets_rule_rep_02(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INGRESS", + description="This is IPv4 V4-INGRESS rule set", + default_action="accept", + enable_default_log=False, + rules=[ + dict( + number="101", + action="accept", + description="Rule 101 is configured by Ansible", + ipsec="match-ipsec", + protocol="icmp", + fragment="match-frag", + disabled=True, + ), + ], + ), + ], + ), + dict( + afi="ipv6", + rule_sets=[ + dict(name="V6-INGRESS", default_action="accept",), + dict(name="V6-EGRESS", default_action="reject",), + ], + ), + ], + state="replaced", + ) + ) + commands = [ + "delete firewall name V4-INGRESS enable-default-log", + "delete firewall name V4-EGRESS default-action", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4v6_rule_sets_rule_rep_idem_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INGRESS", + description="This is IPv4 V4-INGRESS rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="101", + action="accept", + description="Rule 101 is configured by Ansible", + ipsec="match-ipsec", + protocol="icmp", + fragment="match-frag", + disabled=True, + ) + ], + ), + dict(name="V4-EGRESS", default_action="reject",), + ], + ), + dict( + afi="ipv6", + rule_sets=[ + dict(name="V6-INGRESS", default_action="accept",), + dict(name="V6-EGRESS", default_action="reject",), + ], + ), + ], + state="replaced", + ) + ) + self.execute_module(changed=False, commands=[]) + + def test_vyos_firewall_v4v6_rule_sets_rule_mer_idem_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INGRESS", + description="This is IPv4 V4-INGRESS rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="101", + action="accept", + description="Rule 101 is configured by Ansible", + ipsec="match-ipsec", + protocol="icmp", + fragment="match-frag", + disabled=True, + ) + ], + ), + dict(name="V4-EGRESS", default_action="reject",), + ], + ), + dict( + afi="ipv6", + rule_sets=[ + dict(name="V6-INGRESS", default_action="accept",), + dict(name="V6-EGRESS", default_action="reject",), + ], + ), + ], + state="merged", + ) + ) + self.execute_module(changed=False, commands=[]) + + def test_vyos_firewall_v4v6_rule_sets_rule_ovr_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-IN", + description="This is IPv4 INGRESS rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="1", + action="reject", + description="Rule 1 is configured by Ansible RM", + ipsec="match-ipsec", + protocol="tcp", + fragment="match-frag", + disabled=False, + ), + dict( + number="2", + action="accept", + description="Rule 102 is configured by Ansible RM", + protocol="icmp", + disabled=True, + ), + ], + ), + ], + ), + dict( + afi="ipv6", + rule_sets=[ + dict( + name="V6-IN", + default_action="accept", + description="This rule-set is configured by Ansible RM", + ), + dict( + name="V6-EG", + default_action="reject", + description="This rule-set is configured by Ansible RM", + ), + ], + ), + ], + state="overridden", + ) + ) + commands = [ + "delete firewall ipv6-name V6-INGRESS", + "delete firewall ipv6-name V6-EGRESS", + "delete firewall name V4-INGRESS", + "delete firewall name V4-EGRESS", + "set firewall name V4-IN default-action 'accept'", + "set firewall name V4-IN description 'This is IPv4 INGRESS rule set'", + "set firewall name V4-IN enable-default-log", + "set firewall name V4-IN rule 1 protocol 'tcp'", + "set firewall name V4-IN rule 1 description 'Rule 1 is configured by Ansible RM'", + "set firewall name V4-IN rule 1 fragment 'match-frag'", + "set firewall name V4-IN rule 1", + "set firewall name V4-IN rule 1 action 'reject'", + "set firewall name V4-IN rule 1 ipsec 'match-ipsec'", + "set firewall name V4-IN rule 2 disabled", + "set firewall name V4-IN rule 2 action 'accept'", + "set firewall name V4-IN rule 2 protocol 'icmp'", + "set firewall name V4-IN rule 2 description 'Rule 102 is configured by Ansible RM'", + "set firewall name V4-IN rule 2", + "set firewall ipv6-name V6-IN default-action 'accept'", + "set firewall ipv6-name V6-IN description 'This rule-set is configured by Ansible RM'", + "set firewall ipv6-name V6-EG default-action 'reject'", + "set firewall ipv6-name V6-EG description 'This rule-set is configured by Ansible RM'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_firewall_v4v6_rule_sets_rule_ovr_idem_01(self): + set_module_args( + dict( + config=[ + dict( + afi="ipv4", + rule_sets=[ + dict( + name="V4-INGRESS", + description="This is IPv4 V4-INGRESS rule set", + default_action="accept", + enable_default_log=True, + rules=[ + dict( + number="101", + action="accept", + description="Rule 101 is configured by Ansible", + ipsec="match-ipsec", + protocol="icmp", + fragment="match-frag", + disabled=True, + ) + ], + ), + dict(name="V4-EGRESS", default_action="reject",), + ], + ), + dict( + afi="ipv6", + rule_sets=[ + dict(name="V6-INGRESS", default_action="accept",), + dict(name="V6-EGRESS", default_action="reject",), + ], + ), + ], + state="overridden", + ) + ) + self.execute_module(changed=False, commands=[]) diff --git a/tests/unit/modules/network/vyos/test_vyos_static_route.py b/tests/unit/modules/network/vyos/test_vyos_static_route.py index e020ca5..762508c 100644 --- a/tests/unit/modules/network/vyos/test_vyos_static_route.py +++ b/tests/unit/modules/network/vyos/test_vyos_static_route.py @@ -21,7 +21,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type from ansible_collections.vyos.vyos.tests.unit.compat.mock import patch -from ansible_collections.vyos.vyos.plugins.modules import vyos_static_route +from ansible.modules.network.vyos import _vyos_static_route from ansible_collections.vyos.vyos.tests.unit.modules.utils import ( set_module_args, ) @@ -30,18 +30,18 @@ from .vyos_module import TestVyosModule class TestVyosStaticRouteModule(TestVyosModule): - module = vyos_static_route + module = _vyos_static_route def setUp(self): super(TestVyosStaticRouteModule, self).setUp() self.mock_get_config = patch( - "ansible_collections.vyos.vyos.plugins.modules.vyos_static_route.get_config" + "ansible.modules.network.vyos._vyos_static_route.get_config" ) self.get_config = self.mock_get_config.start() self.mock_load_config = patch( - "ansible_collections.vyos.vyos.plugins.modules.vyos_static_route.load_config" + "ansible.modules.network.vyos._vyos_static_route.load_config" ) self.load_config = self.mock_load_config.start() diff --git a/tests/unit/modules/network/vyos/test_vyos_static_routes.py b/tests/unit/modules/network/vyos/test_vyos_static_routes.py new file mode 100644 index 0000000..3646d61 --- /dev/null +++ b/tests/unit/modules/network/vyos/test_vyos_static_routes.py @@ -0,0 +1,293 @@ +# (c) 2016 Red Hat Inc. +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see <http://www.gnu.org/licenses/>. + +# Make coding more python3-ish +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +from ansible_collections.vyos.vyos.tests.unit.compat.mock import patch +from ansible_collections.vyos.vyos.plugins.modules import vyos_static_routes +from ansible_collections.vyos.vyos.tests.unit.modules.utils import ( + set_module_args, +) +from .vyos_module import TestVyosModule, load_fixture + + +class TestVyosStaticRoutesModule(TestVyosModule): + + module = vyos_static_routes + + def setUp(self): + super(TestVyosStaticRoutesModule, self).setUp() + self.mock_get_config = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.network.Config.get_config" + ) + self.get_config = self.mock_get_config.start() + + self.mock_load_config = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.network.Config.load_config" + ) + self.load_config = self.mock_load_config.start() + + self.mock_get_resource_connection_config = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.cfg.base.get_resource_connection" + ) + self.get_resource_connection_config = ( + self.mock_get_resource_connection_config.start() + ) + + self.mock_get_resource_connection_facts = patch( + "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.facts.facts.get_resource_connection" + ) + self.get_resource_connection_facts = ( + self.mock_get_resource_connection_facts.start() + ) + + self.mock_execute_show_command = patch( + "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.facts.static_routes.static_routes.Static_routesFacts.get_device_data" + ) + self.execute_show_command = self.mock_execute_show_command.start() + + def tearDown(self): + super(TestVyosStaticRoutesModule, self).tearDown() + self.mock_get_resource_connection_config.stop() + self.mock_get_resource_connection_facts.stop() + self.mock_get_config.stop() + self.mock_load_config.stop() + self.mock_execute_show_command.stop() + + def load_fixtures(self, commands=None): + def load_from_file(*args, **kwargs): + return load_fixture("vyos_static_routes_config.cfg") + + self.execute_show_command.side_effect = load_from_file + + def test_vyos_static_routes_merged(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", + routes=[ + dict( + dest="192.0.2.48/28", + next_hops=[ + dict( + forward_router_address="192.0.2.9" + ), + dict( + forward_router_address="192.0.2.10" + ), + ], + ) + ], + ) + ] + ) + ], + state="merged", + ) + ) + commands = [ + "set protocols static route 192.0.2.48/28", + "set protocols static route 192.0.2.48/28 next-hop '192.0.2.9'", + "set protocols static route 192.0.2.48/28 next-hop '192.0.2.10'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_static_routes_merged_idempotent(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", + routes=[ + dict( + dest="192.0.2.32/28", + next_hops=[ + dict( + forward_router_address="192.0.2.9" + ), + dict( + forward_router_address="192.0.2.10" + ), + ], + ) + ], + ) + ] + ) + ], + state="merged", + ) + ) + self.execute_module(changed=False, commands=[]) + + def test_vyos_static_routes_replaced(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", + routes=[ + dict( + dest="192.0.2.48/28", + next_hops=[ + dict( + forward_router_address="192.0.2.9" + ), + dict( + forward_router_address="192.0.2.10" + ), + ], + ) + ], + ) + ] + ) + ], + state="replaced", + ) + ) + commands = [ + "set protocols static route 192.0.2.48/28", + "set protocols static route 192.0.2.48/28 next-hop '192.0.2.9'", + "set protocols static route 192.0.2.48/28 next-hop '192.0.2.10'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_static_routes_replaced_idempotent(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", + routes=[ + dict( + dest="192.0.2.32/28", + next_hops=[ + dict( + forward_router_address="192.0.2.9" + ), + dict( + forward_router_address="192.0.2.10" + ), + ], + ) + ], + ) + ] + ) + ], + state="replaced", + ) + ) + + self.execute_module(changed=False, commands=[]) + + def test_vyos_static_routes_overridden(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", + routes=[ + dict( + dest="192.0.2.48/28", + next_hops=[ + dict( + forward_router_address="192.0.2.9" + ), + dict( + forward_router_address="192.0.2.10" + ), + ], + ) + ], + ) + ] + ) + ], + state="overridden", + ) + ) + commands = [ + "delete protocols static route 192.0.2.32/28", + "set protocols static route 192.0.2.48/28", + "set protocols static route 192.0.2.48/28 next-hop '192.0.2.9'", + "set protocols static route 192.0.2.48/28 next-hop '192.0.2.10'", + ] + self.execute_module(changed=True, commands=commands) + + def test_vyos_static_routes_overridden_idempotent(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", + routes=[ + dict( + dest="192.0.2.32/28", + next_hops=[ + dict( + forward_router_address="192.0.2.9" + ), + dict( + forward_router_address="192.0.2.10" + ), + ], + ) + ], + ) + ] + ) + ], + state="overridden", + ) + ) + self.execute_module(changed=False, commands=[]) + + def test_vyos_static_routes_deleted(self): + set_module_args( + dict( + config=[ + dict( + address_families=[ + dict( + afi="ipv4", routes=[dict(dest="192.0.2.32/28")] + ) + ] + ) + ], + state="deleted", + ) + ) + commands = ["delete protocols static route 192.0.2.32/28"] + self.execute_module(changed=True, commands=commands) |