T7002 fw global integration fix #379
Merged: 24 commits, Feb 12, 2025
15d8141
T7002 fw_global integration tests fix init
omnom62 Jan 28, 2025
a566fa1
adding 1.3 structure
omnom62 Jan 28, 2025
5213e97
v1.3- integration tests for fw_global
omnom62 Jan 28, 2025
aef39b2
fixed integration tests for 1.3 and fw_global
omnom62 Jan 28, 2025
32a58a5
D.R.Y. for firewall_global integration tests
omnom62 Jan 28, 2025
cc2d884
changelog
omnom62 Jan 28, 2025
d3a3a32
Merge branch 'main' into t7002-fw_global_integration_fix
omnom62 Jan 28, 2025
bcfd00e
config-trap is fixed for 1.4
omnom62 Jan 30, 2025
dc2fc3a
Merge branch 'main' into t7002-fw_global_integration_fix
omnom62 Feb 2, 2025
af4a6ba
fw_global log mod fixed
omnom62 Feb 3, 2025
a4c5bda
firewall_global 1.4 integration and unit tests fixes
omnom62 Feb 3, 2025
b452618
firewall_global unit tests fix
omnom62 Feb 3, 2025
be98129
Merge branch 'main' into t7002-fw_global_integration_fix
omnom62 Feb 3, 2025
e541bff
T7002 firewall_global integration tests fixed
omnom62 Feb 4, 2025
8a3e618
clean-up work things
omnom62 Feb 4, 2025
63e6c6a
Merge branch 'main' into t7002-fw_global_integration_fix
omnom62 Feb 9, 2025
0f32058
some updates from PR review
omnom62 Feb 9, 2025
13f9ead
populate_commands for fw_global
omnom62 Feb 9, 2025
28b8e62
D.R.Y fw_global integration tests
omnom62 Feb 9, 2025
2cd091f
linter fw_global
omnom62 Feb 9, 2025
20b6b2d
linter
omnom62 Feb 9, 2025
3c30269
fragments for T7002 updated
omnom62 Feb 10, 2025
5d29940
linter
omnom62 Feb 10, 2025
2d038b2
Merge branch 'main' into t7002-fw_global_integration_fix
omnom62 Feb 12, 2025
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
bugfixes:
- vyos_firewall_global - fixed the facts parsers to include state-policies, redirect
- vyos_firewall_global - fixed behavior for stanzas processing by facts in 1.4+ (e.g. present/absent stanza vs enable/disable)
trivial:
- vyos_firewall_global - updated unit test suites to include units for 1.4+ and missing attributes (e.g. log)
- vyos_firewall_global - re-factored integration test suite structure to D.R.Y and add support for 1.4+
- vyos_firewall_global - cleared-up the obsolete stanzas (e.g. config-trap)
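Review bot: the first bugfix entry reads "state-policies, redirect"; name the parsers the regex change actually touches (route_redirects and parse_state_policy, where the global-options prefix became optional) so users on 1.3 know which facts were previously missing. Also "cleared-up" should be "cleared up", and "add support for 1.4+" should be "added support for 1.4+" to match the tense of the other entries.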
Original file line number Diff line number Diff line change
Expand Up @@ -476,14 +476,23 @@ def _render_state_policy(self, attr, w, h, opr):
for key, val in iteritems(w):
if val and key != "connection_type":
if opr and key in l_set and not (h and self._is_w_same(w, h, key)):
commands.append(
self._form_attr_cmd(
key=attr + " " + w["connection_type"],
attr=key,
val=self._bool_to_str(val),
opr=opr,
),
)
if key == "log" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
commands.append(
self._form_attr_cmd(
key=attr + " " + w["connection_type"],
attr=key,
opr=opr,
),
)
else:
commands.append(
self._form_attr_cmd(
key=attr + " " + w["connection_type"],
attr=key,
val=self._bool_to_str(val),
opr=opr,
),
)
elif not opr and key in l_set:
if not h:
commands.append(
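Review bot: the new 1.4+ `log` branch is only reachable when the enclosing `if val and key != "connection_type"` is true, so `log: false` on 1.4+ never emits anything in the `opr` path; if `log` is a presence node there (which is why `val` is omitted), turning it off needs a `delete ... log` command and this hunk does not generate one. Also compute `LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4")` once before the loop instead of on every key, and make the 1.4 branch independent of the truthiness of `val`.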
Expand Down Expand Up @@ -645,14 +654,17 @@ def _compute_command(self, key=None, attr=None, val=None, remove=False, opr=True
cmd = "delete firewall "
else:
cmd = "set firewall "
if key != "group" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
if attr and key != "group" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
cmd += "global-options "
if key:
cmd += key.replace("_", "-") + " "
if attr:
cmd += attr.replace("_", "-")
if val and opr:
cmd += " '" + str(val) + "'"
if key == "state_policy" and LooseVersion(get_os_version(self._module)) >= LooseVersion("1.4"):
cmd += ""
else:
cmd += " '" + str(val) + "'"
return cmd.strip()

def _bool_to_str(self, val):
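Review bot: `cmd += ""` in the new `state_policy` branch is a no-op, so the only effect of the `if` is to skip appending the value; write it as one negated condition (`if val and opr and not (key == "state_policy" and ...)`) so the intent is explicit. Also check that the branch is reachable: `_render_state_policy` calls this with `key=attr + " " + w["connection_type"]` (for example `state_policy established`), which never equals `"state_policy"`, and the 1.4 `log` case already omits `val` at the call site.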
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ def route_redirects(self, conf):
rr_lst = []

v6_attr = findall(
r"^set firewall (?:global-options )(?:ipv6-src-route|ipv6-receive-redirects) (\S+)",
r"^set firewall (?:global-options )?(?:ipv6-src-route|ipv6-receive-redirects) (\S+)",
conf,
M,
)
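Review bot: the same `^set firewall (?:global-options )?` prefix is now repeated in three regexes (here for v6, below for v4, and in `parse_state_policy`); hoist it into a module-level constant so a future prefix change cannot fix one parser and miss another.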
Expand All @@ -121,7 +121,7 @@ def route_redirects(self, conf):
rr_lst.append(obj)

v4_attr = findall(
r"^set firewall (?:global-options )(?:ip-src-route|receive-redirects|send-redirects) (\S+)",
r"^set firewall (?:global-options )?(?:ip-src-route|receive-redirects|send-redirects) (\S+)",
conf,
M,
)
Expand Down Expand Up @@ -174,7 +174,7 @@ def parse_state_policy(self, conf):
:return: generated rule list configuration.
"""
sp_lst = []
policies = findall(r"^set firewall (?:global-options )state-policy (\S+)", conf, M)
policies = findall(r"^set firewall (?:global-options )?state-policy (\S+)", conf, M)
policies = list(set(policies)) # remove redundancies
if policies:
rules_lst = []
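Review bot: `list(set(policies))` on the line after the changed regex discards the order in which the state policies appear in the running config, so the `state_policy` fact list is built in hash order and can differ between runs; use an order-preserving dedupe such as `list(dict.fromkeys(policies))` to keep facts and test expectations deterministic.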
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
- name: make sure to get facts
vyos.vyos.vyos_facts:
vars:
ansible_connection: ansible.netcommon.network_cli
register: vyos_facts
when: vyos_version is not defined

- name: debug vyos_facts
debug:
var: vyos_facts

- name: pull version from facts
set_fact:
vyos_version: "{{ vyos_facts.ansible_facts.ansible_net_version.split('-')[0].split(' ')[-1] }}"
when: vyos_version is not defined

- name: fix '.0' versions
set_fact:
vyos_version: "{{ vyos_version }}.0"
when: vyos_version.count('.') == 1

- name: include correct vars
include_vars: pre-v1_4.yaml
when: vyos_version is version('1.4.0', '<', version_type='semver')

- name: include correct vars
include_vars: v1_4.yaml
when: vyos_version is version('1.4.0', '>=', version_type='semver')
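Review bot: the `debug: var: vyos_facts` task dumps the full facts dictionary (hostname, serial number, model, interface data) into the job log on every run; either drop it or add `verbosity: 1` so it only appears with `-v`. The extraction `ansible_net_version.split('-')[0].split(' ')[-1]` also assumes one specific `show version` string layout; a comment showing the raw string it expects would make future breakage easier to diagnose. Use the `ansible.builtin.` prefix on `debug`, `set_fact` and `include_vars` to match `_populate.yaml`.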
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
set firewall all-ping 'enable'
set firewall broadcast-ping 'enable'
set firewall config-trap 'enable'
set firewall group address-group MGMT-HOSTS address '192.0.1.1'
set firewall group address-group MGMT-HOSTS address '192.0.1.3'
set firewall group address-group MGMT-HOSTS address '192.0.1.5'
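Review bot: dropping `set firewall config-trap 'enable'` from this fixture, which uses the pre-1.4 syntax, removes the only line that exercised the `config_trap` attribute in the `parsed` test; if the module still accepts `config_trap` for 1.3 devices, keep it here and omit it only from the 1.4 variant, otherwise a regression in that parser goes unnoticed.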
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'enable'
set firewall group address-group MGMT-HOSTS address '192.0.1.1'
set firewall group address-group MGMT-HOSTS address '192.0.1.3'
set firewall group address-group MGMT-HOSTS address '192.0.1.5'
set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'
set firewall group network-group MGMT description 'This group has the Management network addresses'
set firewall group network-group MGMT network '192.0.1.0/24'
set firewall global-options ip-src-route 'enable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'strict'
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy established log 'enable'
set firewall global-options state-policy invalid action 'reject'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'enable'
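Review bot: `set firewall global-options state-policy established log 'enable'` contradicts the render change in `_render_state_policy`, which on 1.4+ emits the `log` command without a value; one of the two is wrong for a real 1.4 device. Verify the actual 1.4 syntax for this node and align the fixture, the renderer and the parsed-test expectation. Also keep the `global-options` lines together (the two `group` lines currently split them) so the fixture matches the sorted order of `show configuration commands`.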
Original file line number Diff line number Diff line change
@@ -1,47 +1,11 @@
---
- ansible.builtin.include_tasks: _remove_config.yaml

- name: Setup
vars:
lines: >-
set firewall all-ping 'enable'

set firewall broadcast-ping 'enable'

set firewall config-trap 'enable'

set firewall group address-group MGMT-HOSTS address '192.0.1.1'

set firewall group address-group MGMT-HOSTS address '192.0.1.3'

set firewall group address-group MGMT-HOSTS address '192.0.1.5'

set firewall group address-group MGMT-HOSTS description 'This group has
the Management hosts address list'

set firewall group network-group MGMT description 'This group has the
Management network addresses'

set firewall group network-group MGMT network '192.0.1.0/24'

set firewall ip-src-route 'enable'
- name: ensure facts
include_tasks: _get_version.yaml

set firewall log-martians 'enable'

set firewall receive-redirects 'disable'

set firewall send-redirects 'enable'

set firewall source-validation 'strict'

set firewall state-policy established action 'accept'

set firewall state-policy established log 'enable'

set firewall state-policy invalid action 'reject'

set firewall syn-cookies 'enable'

set firewall twa-hazards-protection 'enable'
ansible.netcommon.cli_config:
config: "{{ lines }}"
- name: Setup {{ vyos_version }}
vyos.vyos.vyos_config:
lines: "{{ populate_commands }}"
vars:
ansible_connection: ansible.netcommon.network_cli
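Review bot: `include_tasks: _get_version.yaml` under `- name: ensure facts` runs after `ansible.builtin.include_tasks: _remove_config.yaml`, so `vyos_version` is not yet known when the cleanup runs; if `_remove_config.yaml` also has to choose between the `firewall` and `firewall global-options` paths, move the version lookup ahead of it. Within this file one include uses the `ansible.builtin.` prefix and the other does not; use the FQCN on both.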
Original file line number Diff line number Diff line change
Expand Up @@ -8,43 +8,7 @@
- name: Merge the provided configuration with the existing running configuration
register: result
vyos.vyos.vyos_firewall_global: &id001
config:
validation: strict
config_trap: true
log_martians: true
syn_cookies: true
twa_hazards_protection: true
ping:
all: true
broadcast: true
state_policy:
- connection_type: established
action: accept
log: true

- connection_type: invalid
action: reject
route_redirects:
- afi: ipv4
ip_src_route: true
icmp_redirects:
send: true
receive: false
group:
address_group:
- name: MGMT-HOSTS
description: This group has the Management hosts address list
members:
- address: 192.0.1.1

- address: 192.0.1.3

- address: 192.0.1.5
network_group:
- name: MGMT
description: This group has the Management network addresses
members:
- address: 192.0.1.0/24
config: "{{ merged['config'] }}"
state: merged

- name: Assert that before dicts were correctly generated
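Review bot: replacing the inline config with `"{{ merged['config'] }}"` makes this task fail with an undefined-variable error if either `pre-v1_4.yaml` or `v1_4.yaml` lacks a `merged` key; the removed block also carried `config_trap: true`, so confirm the pre-1.4 vars file still sets it or the merged test silently stops covering that attribute.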
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
- name: Provide the running configuration for parsing (config to be parsed)
register: result
vyos.vyos.vyos_firewall_global: &id001
running_config: "{{ lookup('file', '_parsed_config.cfg') }}"
running_config: "{{ lookup('file', parsed_config_file) }}"
state: parsed

- name: Assert that correct parsing done
Original file line number Diff line number Diff line change
Expand Up @@ -8,50 +8,7 @@
- name: Structure provided configuration into device specific commands
register: result
vyos.vyos.vyos_firewall_global: &id001
config:
validation: strict
config_trap: true
log_martians: true
syn_cookies: true
twa_hazards_protection: true
ping:
all: true
broadcast: true
state_policy:
- connection_type: established
action: accept
log: true

- connection_type: invalid
action: reject
route_redirects:
- afi: ipv4
ip_src_route: true
icmp_redirects:
send: true
receive: false
group:
address_group:
- name: SALES-HOSTS
description: Sales office hosts address list
members:
- address: 192.0.2.1

- address: 192.0.2.2

- address: 192.0.2.3

- name: ENG-HOSTS
description: Sales office hosts address list
members:
- address: 192.0.3.1

- address: 192.0.3.2
network_group:
- name: MGMT
description: This group has the Management network addresses
members:
- address: 192.0.1.0/24
config: "{{ rendered['config'] }}"
state: rendered

- name: Assert that correct set of commands were generated
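Review bot: the removed inline config carried a copy-paste error (`ENG-HOSTS` described as `Sales office hosts address list`); if the `rendered['config']` vars were created by moving this block verbatim, the same description is now in both vars files, so fix it there (and in the `replaced` block below, which had the identical entry).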
Original file line number Diff line number Diff line change
Expand Up @@ -8,50 +8,7 @@
- name: Replace device configurations of listed firewall with provided configurations
register: result
vyos.vyos.vyos_firewall_global: &id001
config:
validation: strict
config_trap: true
log_martians: true
syn_cookies: true
twa_hazards_protection: true
ping:
all: true
broadcast: true
state_policy:
- connection_type: established
action: accept
log: true

- connection_type: invalid
action: reject
route_redirects:
- afi: ipv4
ip_src_route: true
icmp_redirects:
send: true
receive: false
group:
address_group:
- name: SALES-HOSTS
description: Sales office hosts address list
members:
- address: 192.0.2.1

- address: 192.0.2.2

- address: 192.0.2.3

- name: ENG-HOSTS
description: Sales office hosts address list
members:
- address: 192.0.3.1

- address: 192.0.3.2
network_group:
- name: MGMT
description: This group has the Management network addresses
members:
- address: 192.0.1.0/24
config: "{{ replaced['config'] }}"
state: replaced

- name: Assert that correct set of commands were generated