18 files changed, 483 insertions, 427 deletions
diff --git a/changelogs/fragments/T7002-firewall-global-integration-tests.yml b/changelogs/fragments/T7002-firewall-global-integration-tests.yml
new file mode 100644
index 0000000..c94a76f
--- /dev/null
+++ b/changelogs/fragments/T7002-firewall-global-integration-tests.yml
@@ -0,0 +1,8 @@
+---
+bugfixes:
+ - vyos_firewall_global - fixed the facts parsers to include state-policies, redirect
+ - vyos_firewall_global - fixed behavior for stanzas processing by facts in 1.4+ (e.g. present/absent stanza vs enable/disable)
+trivial:
+ - vyos_firewall_global - updated unit test suites to include units for 1.4+ and missing attributes (e.g. log)
+ - vyos_firewall_global - re-factored integration test suite structure to D.R.Y and add support for 1.4+
+ - vyos_firewall_global - cleared-up the obsolete stanzas (e.g. config-trap)
diff --git a/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py
index 7e978ff..34dc0ed 100644
--- a/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py
+++ b/plugins/module_utils/network/vyos/config/firewall_global/firewall_global.py
@@ -476,14 +476,23 @@ class Firewall_global(ConfigBase):
 for key, val in iteritems(w):
 if val and key != "connection_type":
 if opr and key in l_set and not (h and self._is_w_same(w, h, key)):
- commands.append(
- self._form_attr_cmd(
- key=attr + " " + w["connection_type"],
- attr=key,
- val=self._bool_to_str(val),
- opr=opr,
- ),
- )
+ if key == "log" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
+ commands.append(
+ self._form_attr_cmd(
+ key=attr + " " + w["connection_type"],
+ attr=key,
+ opr=opr,
+ ),
+ )
+ else:
+ commands.append(
+ self._form_attr_cmd(
+ key=attr + " " + w["connection_type"],
+ attr=key,
+ val=self._bool_to_str(val),
+ opr=opr,
+ ),
+ )
 elif not opr and key in l_set:
 if not h:
 commands.append(
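Review bot: The two `commands.append(...)` branches added for the 1.4 `log` attribute are identical except for the `val` argument, and `LooseVersion(get_os_version(self._module))` is re-evaluated for every key of every state-policy entry inside the loop. Computing the gate once before the loop, `is_v14 = LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4")`, lets the branches collapse into one call with `val=None if (key == "log" and is_v14) else self._bool_to_str(val)` — assuming `_form_attr_cmd` treats `val=None` like an omitted `val`, which its `if val and opr:` check in the later hunk suggests. The `elif not opr and key in l_set:` deletion path directly below is not version-gated; if 1.4 rejects `delete ... state-policy <type> log 'enable'` the same way it rejects the `set`, that path needs the same treatment. The enclosing method begins and ends outside the hunk.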
@@ -645,14 +654,17 @@ class Firewall_global(ConfigBase):
 cmd = "delete firewall "
 else:
 cmd = "set firewall "
- if key != "group" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
+ if attr and key != "group" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
 cmd += "global-options "
 if key:
 cmd += key.replace("_", "-") + " "
 if attr:
 cmd += attr.replace("_", "-")
 if val and opr:
- cmd += " '" + str(val) + "'"
+ if key == "state_policy" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
+ cmd += ""
+ else:
+ cmd += " '" + str(val) + "'"
 return cmd.strip()
 def _bool_to_str(self, val):
diff --git a/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py
index 97386e9..a46f856 100644
--- a/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py
+++ b/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py
@@ -111,7 +111,7 @@ class Firewall_globalFacts(object):
 rr_lst = []
 v6_attr = findall(
- r"^set firewall (?:global-options )(?:ipv6-src-route|ipv6-receive-redirects) (\S+)",
+ r"^set firewall (?:global-options )?(?:ipv6-src-route|ipv6-receive-redirects) (\S+)",
 conf,
 M,
 )
@@ -121,7 +121,7 @@ class Firewall_globalFacts(object):
 rr_lst.append(obj)
 v4_attr = findall(
- r"^set firewall (?:global-options )(?:ip-src-route|receive-redirects|send-redirects) (\S+)",
+ r"^set firewall (?:global-options )?(?:ip-src-route|receive-redirects|send-redirects) (\S+)",
 conf,
 M,
 )
@@ -174,7 +174,7 @@ class Firewall_globalFacts(object):
 :return: generated rule list configuration.
 """
 sp_lst = []
- policies = findall(r"^set firewall (?:global-options )state-policy (\S+)", conf, M)
+ policies = findall(r"^set firewall (?:global-options )?state-policy (\S+)", conf, M)
 policies = list(set(policies)) # remove redundancies
 if policies:
 rules_lst = []
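Review bot: `cmd += ""` in the new `key == "state_policy"` branch is a no-op that exists only to skip the `else`, so the intent reads more directly as a single guard: `if val and opr and not (key == "state_policy" and is_v14):` followed by the existing `cmd += " '" + str(val) + "'"`, with `is_v14 = LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4")` assigned once at the top of the method rather than evaluated twice per call. Note that the state-policy loop in the first hunk passes `key=attr + " " + w["connection_type"]` (for example `state_policy established`), which never compares equal to `"state_policy"`, so this branch can only fire for a caller that passes the bare key; a one-line comment naming that caller, or a unit test covering it, would make the condition verifiable. `_form_attr_cmd`'s signature and the `opr` handling start above the hunk.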
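Review bot: The optional `(?:global-options )?` prefix is now repeated verbatim across the three patterns in the facts file (hunks at lines 111, 121 and 174), so a future stanza change has to be made in three places; hoisting it into a module-level constant such as `FW_PREFIX = r"^set firewall (?:global-options )?"` and building each pattern from it keeps the 1.4 handling in one spot. While touching the state-policy hunk, the context line `policies = list(set(policies))` yields an arbitrary order, so `state_policy` facts can come back in a different order between runs; `list(dict.fromkeys(policies))` deduplicates while preserving first-seen order on Python 3.7+. Each enclosing method continues outside its hunk.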
diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/_get_version.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/_get_version.yaml
new file mode 100644
index 0000000..2588b19
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_global/tests/cli/_get_version.yaml
@@ -0,0 +1,28 @@
+- name: make sure to get facts
+ vyos.vyos.vyos_facts:
+ vars:
+ ansible_connection: ansible.netcommon.network_cli
+ register: vyos_facts
+ when: vyos_version is not defined
+
+- name: debug vyos_facts
+ debug:
+ var: vyos_facts
+
+- name: pull version from facts
+ set_fact:
+ vyos_version: "{{ vyos_facts.ansible_facts.ansible_net_version.split('-')[0].split(' ')[-1] }}"
+ when: vyos_version is not defined
+
+- name: fix '.0' versions
+ set_fact:
+ vyos_version: "{{ vyos_version }}.0"
+ when: vyos_version.count('.') == 1
+
+- name: include correct vars
+ include_vars: pre-v1_4.yaml
+ when: vyos_version is version('1.4.0', '<', version_type='semver')
+
+- name: include correct vars
+ include_vars: v1_4.yaml
+ when: vyos_version is version('1.4.0', '>=', version_type='semver')
diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config.cfg b/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config_1_3.cfg
index 45446bd..9d9a2df 100644
--- a/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config.cfg
+++ b/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config_1_3.cfg
@@ -1,6 +1,5 @@
 set firewall all-ping 'enable'
 set firewall broadcast-ping 'enable'
-set firewall config-trap 'enable'
 set firewall group address-group MGMT-HOSTS address '192.0.1.1'
 set firewall group address-group MGMT-HOSTS address '192.0.1.3'
 set firewall group address-group MGMT-HOSTS address '192.0.1.5'
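Review bot: The `pull version from facts` task derives `vyos_version` with `ansible_net_version.split('-')[0].split(' ')[-1]`, an assumed fact layout with no comment, and if the result is not a usable version string the failure only surfaces later as an `include_vars` that never ran (neither `when:` matches) and an undefined `populate_commands`. Put a comment above that task stating the fact shapes it expects, e.g. `# ansible_net_version looks like "1.3.8" or "1.4-rolling-..." (constructed examples)`, and add an `ansible.builtin.assert` after the `.0` fix-up with `that: vyos_version is match('^\d+\.\d+\.\d+$')` so a parse problem is reported at its source. The `debug: var: vyos_facts` task dumps the full facts payload on every run; gating it with `verbosity: 1` keeps normal CI output readable. The two `include correct vars` tasks share a name; distinct names such as `include pre-1.4 vars` and `include 1.4+ vars` show which branch ran.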
diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config_1_4.cfg b/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config_1_4.cfg
new file mode 100644
index 0000000..4143578
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_global/tests/cli/_parsed_config_1_4.cfg
@@ -0,0 +1,18 @@
+set firewall global-options all-ping 'enable'
+set firewall global-options broadcast-ping 'enable'
+set firewall group address-group MGMT-HOSTS address '192.0.1.1'
+set firewall group address-group MGMT-HOSTS address '192.0.1.3'
+set firewall group address-group MGMT-HOSTS address '192.0.1.5'
+set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
+set firewall group network-group MGMT description 'This group has the Management network addresses'
+set firewall group network-group MGMT network '192.0.1.0/24'
+set firewall global-options ip-src-route 'enable'
+set firewall global-options log-martians 'enable'
+set firewall global-options receive-redirects 'disable'
+set firewall global-options send-redirects 'enable'
+set firewall global-options source-validation 'strict'
+set firewall global-options state-policy established action 'accept'
+set firewall global-options state-policy established log 'enable'
+set firewall global-options state-policy invalid action 'reject'
+set firewall global-options syn-cookies 'enable'
+set firewall global-options twa-hazards-protection 'enable'
diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/_populate.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/_populate.yaml
index 865bf2f..ccd0f67 100644
--- a/tests/integration/targets/vyos_firewall_global/tests/cli/_populate.yaml
+++ b/tests/integration/targets/vyos_firewall_global/tests/cli/_populate.yaml
@@ -1,47 +1,11 @@ --- - ansible.builtin.include_tasks: _remove_config.yaml -- name: Setup - vars: - lines: >- - set firewall all-ping 'enable' - - set firewall broadcast-ping 'enable' - - set firewall config-trap 'enable' - - set firewall group address-group MGMT-HOSTS address '192.0.1.1' - - set firewall group address-group MGMT-HOSTS address '192.0.1.3' - - set firewall group address-group MGMT-HOSTS address '192.0.1.5' - - set firewall group address-group MGMT-HOSTS description 'This group has - the Management hosts address list' - - set firewall group network-group MGMT description 'This group has the - Management network addresses' - - set firewall group network-group MGMT network '192.0.1.0/24' - - set firewall ip-src-route 'enable' +- name: ensure facts + include_tasks: _get_version.yaml - set firewall log-martians 'enable' - - set firewall receive-redirects 'disable' - - set firewall send-redirects 'enable' - - set firewall source-validation 'strict' - - set firewall state-policy established action 'accept' - - set firewall state-policy established log 'enable' - - set firewall state-policy invalid action 'reject' - - set firewall syn-cookies 'enable' - - set firewall twa-hazards-protection 'enable' - ansible.netcommon.cli_config: - config: "{{ lines }}" +- name: Setup {{ vyos_version }} + vyos.vyos.vyos_config: + lines: "{{ populate_commands }}" + vars: + ansible_connection: ansible.netcommon.network_cli diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/merged.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/merged.yaml index 4fb2a2d..a538476 100644 --- a/tests/integration/targets/vyos_firewall_global/tests/cli/merged.yaml +++ b/tests/integration/targets/vyos_firewall_global/tests/cli/merged.yaml 
@@ -8,43 +8,7 @@ - name: Merge the provided configuration with the existing running configuration register: result vyos.vyos.vyos_firewall_global: &id001 - config: - validation: strict - config_trap: true - log_martians: true - syn_cookies: true - twa_hazards_protection: true - ping: - all: true - broadcast: true - state_policy: - - connection_type: established - action: accept - log: true - - - connection_type: invalid - action: reject - route_redirects: - - afi: ipv4 - ip_src_route: true - icmp_redirects: - send: true - receive: false - group: - address_group: - - name: MGMT-HOSTS - description: This group has the Management hosts address list - members: - - address: 192.0.1.1 - - - address: 192.0.1.3 - - - address: 192.0.1.5 - network_group: - - name: MGMT - description: This group has the Management network addresses - members: - - address: 192.0.1.0/24 + config: "{{ merged['config'] }}" state: merged - name: Assert that before dicts were correctly generated diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/parsed.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/parsed.yaml index 59851c3..1afffef 100644 --- a/tests/integration/targets/vyos_firewall_global/tests/cli/parsed.yaml +++ b/tests/integration/targets/vyos_firewall_global/tests/cli/parsed.yaml @@ -16,7 +16,7 @@ - name: Provide the running configuration for parsing (config to be parsed) register: result vyos.vyos.vyos_firewall_global: &id001 - running_config: "{{ lookup('file', '_parsed_config.cfg') }}" + running_config: "{{ lookup('file', parsed_config_file) }}" state: parsed - name: Assert that correct parsing done diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/rendered.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/rendered.yaml index 34796b8..d8704ed 100644 --- a/tests/integration/targets/vyos_firewall_global/tests/cli/rendered.yaml +++ b/tests/integration/targets/vyos_firewall_global/tests/cli/rendered.yaml 
@@ -8,50 +8,7 @@ - name: Structure provided configuration into device specific commands register: result vyos.vyos.vyos_firewall_global: &id001 - config: - validation: strict - config_trap: true - log_martians: true - syn_cookies: true - twa_hazards_protection: true - ping: - all: true - broadcast: true - state_policy: - - connection_type: established - action: accept - log: true - - - connection_type: invalid - action: reject - route_redirects: - - afi: ipv4 - ip_src_route: true - icmp_redirects: - send: true - receive: false - group: - address_group: - - name: SALES-HOSTS - description: Sales office hosts address list - members: - - address: 192.0.2.1 - - - address: 192.0.2.2 - - - address: 192.0.2.3 - - - name: ENG-HOSTS - description: Sales office hosts address list - members: - - address: 192.0.3.1 - - - address: 192.0.3.2 - network_group: - - name: MGMT - description: This group has the Management network addresses - members: - - address: 192.0.1.0/24 + config: "{{ rendered['config'] }}" state: rendered - name: Assert that correct set of commands were generated diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/replaced.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/replaced.yaml index ec71139..4c7b427 100644 --- a/tests/integration/targets/vyos_firewall_global/tests/cli/replaced.yaml +++ b/tests/integration/targets/vyos_firewall_global/tests/cli/replaced.yaml 
@@ -8,50 +8,7 @@ - name: Replace device configurations of listed firewall with provided configurations register: result vyos.vyos.vyos_firewall_global: &id001 - config: - validation: strict - config_trap: true - log_martians: true - syn_cookies: true - twa_hazards_protection: true - ping: - all: true - broadcast: true - state_policy: - - connection_type: established - action: accept - log: true - - - connection_type: invalid - action: reject - route_redirects: - - afi: ipv4 - ip_src_route: true - icmp_redirects: - send: true - receive: false - group: - address_group: - - name: SALES-HOSTS - description: Sales office hosts address list - members: - - address: 192.0.2.1 - - - address: 192.0.2.2 - - - address: 192.0.2.3 - - - name: ENG-HOSTS - description: Sales office hosts address list - members: - - address: 192.0.3.1 - - - address: 192.0.3.2 - network_group: - - name: MGMT - description: This group has the Management network addresses - members: - - address: 192.0.1.0/24 + config: "{{ replaced['config'] }}" state: replaced - name: Assert that correct set of commands were generated diff --git a/tests/integration/targets/vyos_firewall_global/tests/cli/rtt.yaml b/tests/integration/targets/vyos_firewall_global/tests/cli/rtt.yaml index f48e432..31cbbbd 100644 --- a/tests/integration/targets/vyos_firewall_global/tests/cli/rtt.yaml +++ b/tests/integration/targets/vyos_firewall_global/tests/cli/rtt.yaml 
@@ -2,49 +2,15 @@ - debug: msg: START vyos_firewall_global round trip integration tests on connection={{ ansible_connection }} +- include_tasks: _get_version.yaml + - include_tasks: _remove_config.yaml - block: - name: Apply the provided configuration (base config) register: base_config vyos.vyos.vyos_firewall_global: - config: - validation: strict - config_trap: true - log_martians: true - syn_cookies: true - twa_hazards_protection: true - ping: - all: true - broadcast: true - state_policy: - - connection_type: established - action: accept - log: true - - - connection_type: invalid - action: reject - route_redirects: - - afi: ipv4 - ip_src_route: true - icmp_redirects: - send: true - receive: false - group: - address_group: - - name: MGMT-HOSTS - description: This group has the Management hosts address list - members: - - address: 192.0.1.1 - - - address: 192.0.1.3 - - - address: 192.0.1.5 - network_group: - - name: MGMT - description: This group has the Management network addresses - members: - - address: 192.0.1.0/24 + config: "{{ round_trip['forward_config'] }}" state: merged - name: Gather firewall_global facts @@ -57,15 +23,7 @@ - name: Apply the provided configuration (config to be reverted) register: result vyos.vyos.vyos_firewall_global: - config: - validation: strict - config_trap: false - log_martians: false - syn_cookies: false - twa_hazards_protection: false - ping: - all: false - broadcast: false + config: "{{ round_trip['revert_config'] }}" state: merged - name: Assert that changes were applied diff --git a/tests/integration/targets/vyos_firewall_global/tests/redirection/cli/shortname.yaml b/tests/integration/targets/vyos_firewall_global/tests/redirection/cli/shortname.yaml index 721a138..2255531 100644 --- a/tests/integration/targets/vyos_firewall_global/tests/redirection/cli/shortname.yaml +++ b/tests/integration/targets/vyos_firewall_global/tests/redirection/cli/shortname.yaml 
@@ -8,43 +8,7 @@ - name: Merge the provided configuration with the existing running configuration register: result vyos.vyos.firewall_global: &id001 - config: - validation: strict - config_trap: true - log_martians: true - syn_cookies: true - twa_hazards_protection: true - ping: - all: true - broadcast: true - state_policy: - - connection_type: established - action: accept - log: true - - - connection_type: invalid - action: reject - route_redirects: - - afi: ipv4 - ip_src_route: true - icmp_redirects: - send: true - receive: false - group: - address_group: - - name: MGMT-HOSTS - description: This group has the Management hosts address list - members: - - address: 192.0.1.1 - - - address: 192.0.1.3 - - - address: 192.0.1.5 - network_group: - - name: MGMT - description: This group has the Management network addresses - members: - - address: 192.0.1.0/24 + config: "{{ merged['config'] }}" state: merged - name: Assert that before dicts were correctly generated diff --git a/tests/integration/targets/vyos_firewall_global/vars/main.yaml b/tests/integration/targets/vyos_firewall_global/vars/main.yaml index b996a94..363cc9e 100644 --- a/tests/integration/targets/vyos_firewall_global/vars/main.yaml +++ b/tests/integration/targets/vyos_firewall_global/vars/main.yaml 
@@ -1,30 +1,8 @@ --- merged: before: [] - commands: - - set firewall group address-group MGMT-HOSTS address 192.0.1.1 - - set firewall group address-group MGMT-HOSTS address 192.0.1.3 - - set firewall group address-group MGMT-HOSTS address 192.0.1.5 - - set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list' - - set firewall group address-group MGMT-HOSTS - - set firewall group network-group MGMT network 192.0.1.0/24 - - set firewall group network-group MGMT description 'This group has the Management network addresses' - - set firewall group network-group MGMT - - set firewall ip-src-route 'enable' - - set firewall receive-redirects 'disable' - - set firewall send-redirects 'enable' - - set firewall config-trap 'enable' - - set firewall state-policy established action 'accept' - - set firewall state-policy established log 'enable' - - set firewall state-policy invalid action 'reject' - - set firewall broadcast-ping 'enable' - - set firewall all-ping 'enable' - - set firewall log-martians 'enable' - - set firewall twa-hazards-protection 'enable' - - set firewall syn-cookies 'enable' - - set firewall source-validation 'strict' + commands: "{{ merged_commands }}" after: - config_trap: true group: address_group: - members: 
@@ -59,9 +37,42 @@ merged: connection_type: invalid twa_hazards_protection: true validation: strict + config: + validation: strict + log_martians: true + syn_cookies: true + twa_hazards_protection: true + ping: + all: true + broadcast: true + state_policy: + - connection_type: established + action: accept + log: true + - connection_type: invalid + action: reject + route_redirects: + - afi: ipv4 + ip_src_route: true + icmp_redirects: + send: true + receive: false + group: + address_group: + - name: MGMT-HOSTS + description: This group has the Management hosts address list + members: + - address: 192.0.1.1 + - address: 192.0.1.3 + - address: 192.0.1.5 + network_group: + - name: MGMT + description: This group has the Management network addresses + members: + - address: 192.0.1.0/24 + populate: validation: strict - config_trap: true log_martians: true syn_cookies: true twa_hazards_protection: true @@ -95,20 +106,10 @@ populate: members: - address: 192.0.1.0/24 afi: ipv4 + replaced: - commands: - - delete firewall group address-group MGMT-HOSTS - - set firewall group address-group SALES-HOSTS address 192.0.2.1 - - set firewall group address-group SALES-HOSTS address 192.0.2.2 - - set firewall group address-group SALES-HOSTS address 192.0.2.3 - - set firewall group address-group SALES-HOSTS description 'Sales office hosts address list' - - set firewall group address-group SALES-HOSTS - - set firewall group address-group ENG-HOSTS address 192.0.3.1 - - set firewall group address-group ENG-HOSTS address 192.0.3.2 - - set firewall group address-group ENG-HOSTS description 'Sales office hosts address list' - - set firewall group address-group ENG-HOSTS + commands: "{{ replaced_commands }}" after: - config_trap: true group: address_group: - members: 
@@ -149,41 +150,93 @@ replaced: syn_cookies: true twa_hazards_protection: true validation: strict + config: + validation: strict + log_martians: true + syn_cookies: true + twa_hazards_protection: true + ping: + all: true + broadcast: true + state_policy: + - connection_type: established + action: accept + log: true + - connection_type: invalid + action: reject + route_redirects: + - afi: ipv4 + ip_src_route: true + icmp_redirects: + send: true + receive: false + group: + address_group: + - name: SALES-HOSTS + description: Sales office hosts address list + members: + - address: 192.0.2.1 + - address: 192.0.2.2 + - address: 192.0.2.3 + - name: ENG-HOSTS + description: Sales office hosts address list + members: + - address: 192.0.3.1 + - address: 192.0.3.2 + network_group: + - name: MGMT + description: This group has the Management network addresses + members: + - address: 192.0.1.0/24 + rendered: - commands: - - set firewall group address-group SALES-HOSTS address 192.0.2.1 - - set firewall group address-group SALES-HOSTS address 192.0.2.2 - - set firewall group address-group SALES-HOSTS address 192.0.2.3 - - set firewall group address-group SALES-HOSTS description 'Sales office hosts address list' - - set firewall group address-group SALES-HOSTS - - set firewall group address-group ENG-HOSTS address 192.0.3.1 - - set firewall group address-group ENG-HOSTS address 192.0.3.2 - - set firewall group address-group ENG-HOSTS description 'Sales office hosts address list' - - set firewall group address-group ENG-HOSTS - - set firewall group network-group MGMT network 192.0.1.0/24 - - set firewall group network-group MGMT description 'This group has the Management network addresses' - - set firewall group network-group MGMT - - set firewall ip-src-route 'enable' - - set firewall receive-redirects 'disable' - - set firewall send-redirects 'enable' - - set firewall config-trap 'enable' - - set firewall state-policy established action 'accept' - - set firewall state-policy 
established log 'enable' - - set firewall state-policy invalid action 'reject' - - set firewall broadcast-ping 'enable' - - set firewall all-ping 'enable' - - set firewall log-martians 'enable' - - set firewall twa-hazards-protection 'enable' - - set firewall syn-cookies 'enable' - - set firewall source-validation 'strict' + commands: "{{ rendered_commands }}" + config: + validation: strict + log_martians: true + syn_cookies: true + twa_hazards_protection: true + ping: + all: true + broadcast: true + state_policy: + - connection_type: established + action: accept + log: true + - connection_type: invalid + action: reject + route_redirects: + - afi: ipv4 + ip_src_route: true + icmp_redirects: + send: true + receive: false + group: + address_group: + - name: SALES-HOSTS + description: Sales office hosts address list + members: + - address: 192.0.2.1 + - address: 192.0.2.2 + - address: 192.0.2.3 + - name: ENG-HOSTS + description: Sales office hosts address list + members: + - address: 192.0.3.1 + - address: 192.0.3.2 + network_group: + - name: MGMT + description: This group has the Management network addresses + members: + - address: 192.0.1.0/24 + deleted: - commands: - - "delete firewall " + commands: "{{ deleted_commands }}" after: [] + round_trip: after: validation: strict - config_trap: false log_martians: false syn_cookies: false twa_hazards_protection: false 
@@ -217,3 +270,44 @@ round_trip: members: - address: 192.0.1.0/24 afi: ipv4 + forward_config: + validation: strict + log_martians: true + syn_cookies: true + twa_hazards_protection: true + ping: + all: true + broadcast: true + state_policy: + - connection_type: established + action: accept + log: true + - connection_type: invalid + action: reject + route_redirects: + - afi: ipv4 + ip_src_route: true + icmp_redirects: + send: true + receive: false + group: + address_group: + - name: MGMT-HOSTS + description: This group has the Management hosts address list + members: + - address: 192.0.1.1 + - address: 192.0.1.3 + - address: 192.0.1.5 + network_group: + - name: MGMT + description: This group has the Management network addresses + members: + - address: 192.0.1.0/24 + revert_config: + validation: strict + log_martians: false + syn_cookies: false + twa_hazards_protection: false + ping: + all: false + broadcast: false diff --git a/tests/integration/targets/vyos_firewall_global/vars/pre-v1_4.yaml b/tests/integration/targets/vyos_firewall_global/vars/pre-v1_4.yaml new file mode 100644 index 0000000..db29345 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_global/vars/pre-v1_4.yaml 
@@ -0,0 +1,85 @@
+---
+merged_commands:
+ - set firewall group address-group MGMT-HOSTS address 192.0.1.1
+ - set firewall group address-group MGMT-HOSTS address 192.0.1.3
+ - set firewall group address-group MGMT-HOSTS address 192.0.1.5
+ - set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
+ - set firewall group address-group MGMT-HOSTS
+ - set firewall group network-group MGMT network 192.0.1.0/24
+ - set firewall group network-group MGMT description 'This group has the Management network addresses'
+ - set firewall group network-group MGMT
+ - set firewall ip-src-route 'enable'
+ - set firewall receive-redirects 'disable'
+ - set firewall send-redirects 'enable'
+ - set firewall state-policy established action 'accept'
+ - set firewall state-policy established log 'enable'
+ - set firewall state-policy invalid action 'reject'
+ - set firewall broadcast-ping 'enable'
+ - set firewall all-ping 'enable'
+ - set firewall log-martians 'enable'
+ - set firewall twa-hazards-protection 'enable'
+ - set firewall syn-cookies 'enable'
+ - set firewall source-validation 'strict'
+
+populate_commands:
+ - set firewall all-ping 'enable'
+ - set firewall broadcast-ping 'enable'
+ - set firewall group address-group MGMT-HOSTS address '192.0.1.1'
+ - set firewall group address-group MGMT-HOSTS address '192.0.1.3'
+ - set firewall group address-group MGMT-HOSTS address '192.0.1.5'
+ - set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
+ - set firewall group network-group MGMT description 'This group has the Management network addresses'
+ - set firewall group network-group MGMT network '192.0.1.0/24'
+ - set firewall ip-src-route 'enable'
+ - set firewall log-martians 'enable'
+ - set firewall receive-redirects 'disable'
+ - set firewall send-redirects 'enable'
+ - set firewall source-validation 'strict'
+ - set firewall state-policy established action 'accept'
+ - set firewall state-policy established log 'enable'
+ - set firewall state-policy invalid action 'reject'
+ - set firewall syn-cookies 'enable'
+ - set firewall twa-hazards-protection 'enable'
+
+replaced_commands:
+ - delete firewall group address-group MGMT-HOSTS
+ - set firewall group address-group SALES-HOSTS address 192.0.2.1
+ - set firewall group address-group SALES-HOSTS address 192.0.2.2
+ - set firewall group address-group SALES-HOSTS address 192.0.2.3
+ - set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group SALES-HOSTS
+ - set firewall group address-group ENG-HOSTS address 192.0.3.1
+ - set firewall group address-group ENG-HOSTS address 192.0.3.2
+ - set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group ENG-HOSTS
+
+rendered_commands:
+ - set firewall group address-group SALES-HOSTS address 192.0.2.1
+ - set firewall group address-group SALES-HOSTS address 192.0.2.2
+ - set firewall group address-group SALES-HOSTS address 192.0.2.3
+ - set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group SALES-HOSTS
+ - set firewall group address-group ENG-HOSTS address 192.0.3.1
+ - set firewall group address-group ENG-HOSTS address 192.0.3.2
+ - set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group ENG-HOSTS
+ - set firewall group network-group MGMT network 192.0.1.0/24
+ - set firewall group network-group MGMT description 'This group has the Management network addresses'
+ - set firewall group network-group MGMT
+ - set firewall ip-src-route 'enable'
+ - set firewall receive-redirects 'disable'
+ - set firewall send-redirects 'enable'
+ - set firewall state-policy established action 'accept'
+ - set firewall state-policy established log 'enable'
+ - set firewall state-policy invalid action 'reject'
+ - set firewall broadcast-ping 'enable'
+ - set firewall all-ping 'enable'
+ - set firewall log-martians 'enable'
+ - set firewall twa-hazards-protection 'enable'
+ - set firewall syn-cookies 'enable'
+ - set firewall source-validation 'strict'
+
+deleted_commands:
+ - "delete firewall"
+
+parsed_config_file: "_parsed_config_1_3.cfg"
diff --git a/tests/integration/targets/vyos_firewall_global/vars/v1_4.yaml b/tests/integration/targets/vyos_firewall_global/vars/v1_4.yaml
new file mode 100644
index 0000000..d1ee6f2
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_global/vars/v1_4.yaml
@@ -0,0 +1,85 @@
+---
+merged_commands:
+ - set firewall group address-group MGMT-HOSTS address 192.0.1.1
+ - set firewall group address-group MGMT-HOSTS address 192.0.1.3
+ - set firewall group address-group MGMT-HOSTS address 192.0.1.5
+ - set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
+ - set firewall group address-group MGMT-HOSTS
+ - set firewall group network-group MGMT network 192.0.1.0/24
+ - set firewall group network-group MGMT description 'This group has the Management network addresses'
+ - set firewall group network-group MGMT
+ - set firewall global-options ip-src-route 'enable'
+ - set firewall global-options receive-redirects 'disable'
+ - set firewall global-options send-redirects 'enable'
+ - set firewall global-options state-policy established action 'accept'
+ - set firewall global-options state-policy established log
+ - set firewall global-options state-policy invalid action 'reject'
+ - set firewall global-options broadcast-ping 'enable'
+ - set firewall global-options all-ping 'enable'
+ - set firewall global-options log-martians 'enable'
+ - set firewall global-options twa-hazards-protection 'enable'
+ - set firewall global-options syn-cookies 'enable'
+ - set firewall global-options source-validation 'strict'
+
+populate_commands:
+ - set firewall global-options all-ping 'enable'
+ - set firewall global-options broadcast-ping 'enable'
+ - set firewall group address-group MGMT-HOSTS address '192.0.1.1'
+ - set firewall group address-group MGMT-HOSTS address '192.0.1.3'
+ - set firewall group address-group MGMT-HOSTS address '192.0.1.5'
+ - set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
+ - set firewall group network-group MGMT description 'This group has the Management network addresses'
+ - set firewall group network-group MGMT network '192.0.1.0/24'
+ - set firewall global-options ip-src-route 'enable'
+ - set firewall global-options log-martians 'enable'
+ - set firewall global-options receive-redirects 'disable'
+ - set firewall global-options send-redirects 'enable'
+ - set firewall global-options source-validation 'strict'
+ - set firewall global-options state-policy established action 'accept'
+ - set firewall global-options state-policy established log
+ - set firewall global-options state-policy invalid action 'reject'
+ - set firewall global-options syn-cookies 'enable'
+ - set firewall global-options twa-hazards-protection 'enable'
+
+replaced_commands:
+ - delete firewall group address-group MGMT-HOSTS
+ - set firewall group address-group SALES-HOSTS address 192.0.2.1
+ - set firewall group address-group SALES-HOSTS address 192.0.2.2
+ - set firewall group address-group SALES-HOSTS address 192.0.2.3
+ - set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group SALES-HOSTS
+ - set firewall group address-group ENG-HOSTS address 192.0.3.1
+ - set firewall group address-group ENG-HOSTS address 192.0.3.2
+ - set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group ENG-HOSTS
+
+rendered_commands:
+ - set firewall group address-group SALES-HOSTS address 192.0.2.1
+ - set firewall group address-group SALES-HOSTS address 192.0.2.2
+ - set firewall group address-group SALES-HOSTS address 192.0.2.3
+ - set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group SALES-HOSTS
+ - set firewall group address-group ENG-HOSTS address 192.0.3.1
+ - set firewall group address-group ENG-HOSTS address 192.0.3.2
+ - set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'
+ - set firewall group address-group ENG-HOSTS
+ - set firewall group network-group MGMT network 192.0.1.0/24
+ - set firewall group network-group MGMT description 'This group has the 
Management network addresses'
+ - set firewall group network-group MGMT
+ - set firewall global-options ip-src-route 'enable'
+ - set firewall global-options receive-redirects 'disable'
+ - set firewall global-options send-redirects 'enable'
+ - set firewall global-options state-policy established action 'accept'
+ - set firewall global-options state-policy established log
+ - set firewall global-options state-policy invalid action 'reject'
+ - set firewall global-options broadcast-ping 'enable'
+ - set firewall global-options all-ping 'enable'
+ - set firewall global-options log-martians 'enable'
+ - set firewall global-options twa-hazards-protection 'enable'
+ - set firewall global-options syn-cookies 'enable'
+ - set firewall global-options source-validation 'strict'
+
+deleted_commands:
+ - "delete firewall"
+
+parsed_config_file: "_parsed_config_1_4.cfg"
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_global.py b/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
index 752bb0d..2ecd062 100644
--- a/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
+++ b/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
@@ -62,7 +62,7 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.config.firewall_global.firewall_global.get_os_version",
 )
 self.get_os_version = self.mock_get_os_version.start()
- self.get_os_version.return_value = "1.2"
+ self.get_os_version.return_value = "1.3"
 self.execute_show_command = self.mock_execute_show_command.start()
 self.maxDiff = None
@@ -102,12 +102,16 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 dict(connection_type="invalid", action="reject"),
 ],
 route_redirects=[
- dict(ip_src_route=True, afi="ipv6"),
 dict(
 afi="ipv4",
 ip_src_route=True,
 icmp_redirects=dict(send=True, receive=False),
 ),
+ dict(
+ afi="ipv6",
+ ip_src_route=True,
+ icmp_redirects=dict(receive=False),
+ ),
 ],
 group=dict(
 address_group=[
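Review bot: The setUp mock now returns `"1.3"` for `get_os_version`, so every test in this class still runs the pre-1.4 code paths; the changelog in this commit says unit tests for 1.4+ were added, but no hunk on this page sets the mock to a 1.4 value, so unless that lives outside this page the new `global-options` prefix and the bare `state-policy ... log` command in the config module have no unit coverage. A second test (or a parameterised fixture) that sets `self.get_os_version.return_value = "1.4"` and asserts the `set firewall global-options ...` commands would close that gap. The next hunk also moves the ipv6 `route_redirects` entry after the ipv4 one and adds `icmp_redirects=dict(receive=False)` to it; a short comment stating what the reshaped entry is meant to exercise would help the next reader. The enclosing setUp and test methods extend beyond the hunks.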
@@ -179,10 +183,9 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 "set firewall group port-group TELNET description 'This group has the telnet ports'",
 "set firewall group port-group TELNET",
 "set firewall ip-src-route 'enable'",
- "set firewall ipv6-src-route 'enable'",
 "set firewall receive-redirects 'disable'",
- "set firewall send-redirects 'enable'",
 "set firewall config-trap 'enable'",
+ "set firewall ipv6-receive-redirects 'disable'",
 "set firewall state-policy established action 'accept'",
 "set firewall state-policy established log 'enable'",
 "set firewall state-policy invalid action 'reject'",
@@ -302,6 +305,8 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 ),
 )
 commands = [
+ "delete firewall ipv6-src-route",
+ "delete firewall send-redirects",
 "delete firewall group address-group RND-HOSTS address 192.0.2.3",
 "delete firewall group address-group RND-HOSTS address 192.0.2.5",
 "set firewall group address-group RND-HOSTS address 192.0.2.7",
@@ -313,10 +318,14 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 ]
 self.execute_module(changed=True, commands=commands)
- def test_vyos_firewall_global_set_01_replaced_idem(self):
+ def test_vyos_firewall_global_set_02_replaced(self):
 set_module_args(
 dict(
 config=dict(
+ state_policy=[
+ dict(connection_type="invalid", action="reject"),
+ dict(connection_type="related", action="drop"),
+ ],
 group=dict(
 address_group=[
 dict(
@@ -325,8 +334,8 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 description="This group has the Management hosts address lists",
 members=[
 dict(address="192.0.2.1"),
- dict(address="192.0.2.3"),
- dict(address="192.0.2.5"),
+ dict(address="192.0.2.7"),
+ dict(address="192.0.2.9"),
 ],
 ),
 dict(
@@ -335,7 +344,7 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 description="This group has the hosts address lists of this machine",
 members=[
 dict(address="::1"),
- dict(address="fdec:2503:89d6:59b3::1"),
+ dict(address="fdec:2503:89d6:59b3::2"),
 ],
 ),
 ],
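Review bot: The merged test's expected commands no longer contain `set firewall ipv6-src-route 'enable'` or `set firewall send-redirects 'enable'` although the config at the @@ -102 hunk still requests both (ipv6 `ip_src_route=True`, ipv4 `send=True`); presumably the fixture returned by execute_show_command already holds those two stanzas, which is also why the replaced tests at @@ -302 and @@ -365 expect `delete firewall ipv6-src-route` and `delete firewall send-redirects`. That dependency is invisible in the test body, so a short comment above each commands list would save the next reader a trip to the fixture, e.g. `# ipv6-src-route and send-redirects already exist in the fixture config: merged emits nothing for them, replaced removes them`. The enclosing test method starts outside this hunk.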
@@ -357,7 +366,7 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 dict(
 name="SSH",
 description="This group has the ssh ports",
- members=[dict(port="22")],
+ members=[dict(port="2222")],
 ),
 ],
 ),
@@ -365,127 +374,81 @@ class TestVyosFirewallGlobalModule(TestVyosModule):
 state="replaced",
 ),
 )
- self.execute_module(changed=False, commands=[])
-
- def test_vyos_firewall_global_set_01_deleted(self):
- set_module_args(dict(config=dict(), state="deleted"))
- commands = ["delete firewall"]
+ commands = [
+ "delete firewall group address-group RND-HOSTS address 192.0.2.3",
+ "delete firewall group address-group RND-HOSTS address 192.0.2.5",
+ "delete firewall ipv6-src-route",
+ "delete firewall send-redirects",
+ "set firewall state-policy related action 'drop'",
+ "set firewall state-policy invalid action 'reject'",
+ "set firewall group address-group RND-HOSTS address 192.0.2.7",
+ "set firewall group address-group RND-HOSTS address 192.0.2.9",
+ "delete firewall group ipv6-address-group LOCAL-v6 address fdec:2503:89d6:59b3::1",
+ "set firewall group ipv6-address-group LOCAL-v6 address fdec:2503:89d6:59b3::2",
+ "delete firewall group port-group SSH port 22",
+ "set firewall group port-group SSH port 2222",
+ ]
 self.execute_module(changed=True, commands=commands)
- def test_vyos_firewall_global_set_01_merged_version14(self):
- self.get_os_version.return_value = "1.4"
+ def test_vyos_firewall_global_set_01_replaced_idem(self):
 set_module_args(
 dict(
 config=dict(
- validation="strict",
- config_trap=True,
- log_martians=True,
- syn_cookies=True,
- twa_hazards_protection=True,
- ping=dict(all=True, broadcast=True),
- state_policy=[
- dict(
- connection_type="established",
- action="accept",
- log=True,
- ),
- dict(connection_type="invalid", action="reject"),
- ],
 route_redirects=[
- dict(
- afi="ipv4",
- ip_src_route=True,
- icmp_redirects=dict(send=True, receive=False),
- ),
- dict(
- afi="ipv6",
- ip_src_route=True,
- icmp_redirects=dict(receive=False),
- ),
+ dict(ip_src_route=True, afi="ipv6"),
+ dict(icmp_redirects=dict(send=True), afi="ipv4"),
 ],
 group=dict(
 address_group=[
 dict(
 afi="ipv4",
- name="MGMT-HOSTS",
+ name="RND-HOSTS",
 description="This group has the Management hosts address lists",
 members=[
- dict(address="192.0.1.1"),
- dict(address="192.0.1.3"),
- dict(address="192.0.1.5"),
+ dict(address="192.0.2.1"),
+ dict(address="192.0.2.3"),
+ dict(address="192.0.2.5"),
 ],
 ),
 dict(
 afi="ipv6",
- name="GOOGLE-DNS-v6",
+ name="LOCAL-v6",
+ description="This group has the hosts address lists of this machine",
 members=[
- dict(address="2001:4860:4860::8888"),
- dict(address="2001:4860:4860::8844"),
+ dict(address="::1"),
+ dict(address="fdec:2503:89d6:59b3::1"),
 ],
 ),
 ],
 network_group=[
 dict(
 afi="ipv4",
- name="MGMT",
+ name="RND",
 description="This group has the Management network addresses",
- members=[dict(address="192.0.1.0/24")],
+ members=[dict(address="192.0.2.0/24")],
 ),
 dict(
 afi="ipv6",
- name="DOCUMENTATION-v6",
- description="IPv6 Addresses reserved for documentation per RFC 3849",
- members=[
- dict(address="2001:0DB8::/32"),
- dict(address="3FFF:FFFF::/32"),
- ],
+ name="UNIQUE-LOCAL-v6",
+ description="This group encompasses the ULA address space in IPv6",
+ members=[dict(address="fc00::/7")],
 ),
 ],
 port_group=[
 dict(
- name="TELNET",
- description="This group has the telnet ports",
- members=[dict(port="23")],
+ name="SSH",
+ description="This group has the ssh ports",
+ members=[dict(port="22")],
 ),
 ],
 ),
 ),
- state="merged",
+ state="replaced",
 ),
 )
- commands = [
- "set firewall group address-group MGMT-HOSTS address 192.0.1.1",
- "set firewall group address-group MGMT-HOSTS address 192.0.1.3",
- "set firewall group address-group MGMT-HOSTS address 192.0.1.5",
- "set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address lists'",
- "set firewall group address-group MGMT-HOSTS",
- "set firewall group ipv6-address-group GOOGLE-DNS-v6 address 2001:4860:4860::8888",
- "set firewall group ipv6-address-group GOOGLE-DNS-v6 address 2001:4860:4860::8844",
- "set firewall group ipv6-address-group GOOGLE-DNS-v6",
- "set firewall group network-group MGMT network 192.0.1.0/24",
- "set firewall group network-group MGMT description 'This group has the Management network addresses'",
- "set firewall group network-group MGMT",
- "set firewall group ipv6-network-group DOCUMENTATION-v6 network 2001:0DB8::/32",
- "set firewall group ipv6-network-group DOCUMENTATION-v6 network 3FFF:FFFF::/32",
- "set firewall group ipv6-network-group DOCUMENTATION-v6 description 'IPv6 Addresses reserved for documentation per RFC 3849'",
- "set firewall group ipv6-network-group DOCUMENTATION-v6",
- "set firewall group port-group TELNET port 23",
- "set firewall group port-group TELNET description 'This group has the telnet ports'",
- "set firewall group port-group TELNET",
- "set firewall global-options ip-src-route 'enable'",
- "set firewall global-options receive-redirects 'disable'",
- "set firewall global-options send-redirects 'enable'",
- "set firewall global-options config-trap 'enable'",
- "set firewall global-options ipv6-src-route 'enable'",
- "set firewall global-options ipv6-receive-redirects 'disable'",
- "set firewall global-options state-policy established action 'accept'",
- "set firewall global-options state-policy established log 'enable'",
- "set firewall global-options state-policy invalid action 'reject'",
- "set firewall global-options broadcast-ping 'enable'",
- "set firewall global-options all-ping 'enable'",
- "set firewall global-options log-martians 'enable'",
- "set firewall global-options twa-hazards-protection 'enable'",
- "set firewall global-options syn-cookies 'enable'",
- "set firewall global-options source-validation 'strict'",
- ]
+ self.execute_module(changed=False, commands=[])
+
+ def test_vyos_firewall_global_set_01_deleted(self):
+ set_module_args(dict(config=dict(), state="deleted"))
+ commands = ["delete firewall"]
 self.execute_module(changed=True, commands=commands)
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py b/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
index a25da29..f4ae4ad 100644
--- a/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
+++ b/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
@@ -187,7 +187,7 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 "set firewall global-options config-trap 'enable'",
 "set firewall global-options ipv6-receive-redirects 'disable'",
 "set firewall global-options state-policy established action 'accept'",
- "set firewall global-options state-policy established log 'enable'",
+ "set firewall global-options state-policy established log",
 "set firewall global-options state-policy established log-level 'emerg'",
 "set firewall global-options state-policy invalid action 'reject'",
 "set firewall global-options broadcast-ping 'enable'",
@@ -462,5 +462,5 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 def test_vyos_firewall_global_set_01_deleted(self):
 set_module_args(dict(config=dict(), state="deleted"))
- commands = ["delete firewall global-options"]
+ commands = ["delete firewall"]
 self.execute_module(changed=True, commands=commands) |
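Review bot: The 1.4 expectation at @@ -187 now treats `state-policy established log` as a presence flag with no `'enable'` value, but the suite still only asserts the set path for `log=True`; a presence flag has no `'disable'` counterpart, so turning logging off on a policy that already has it has to become `delete firewall global-options state-policy established log`, and nothing here pins that. A replaced case on the 1.4 suite with `log` omitted for a state-policy the fixture logs would cover it. I cannot see the config-side handling from this hunk, so this is a coverage remark rather than a confirmed defect; the enclosing test method starts outside the hunk.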
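Review bot: `delete firewall` at the @@ -462 hunk removes the entire `firewall` subtree on 1.4 — rule sets and groups managed by other modules included — whereas the previous `delete firewall global-options` was scoped to what this module owns; the 1.3 suite (`test_vyos_firewall_global_set_01_deleted` in test_vyos_firewall_global.py) carries the same expectation, so this aligns the two versions at the broader scope. That is a meaningful change in blast radius for `state: deleted` and deserves a sentence in the module documentation and the changelog fragment, plus a comment on the expected command, e.g. `# state=deleted removes the whole 'firewall' subtree, not only global-options`. If the narrower 1.4 form was dropped deliberately, saying why here would help the next reader.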