Feat(eos_validate_state): Added the validation for IP security connections #3911

Merged
merged 10 commits into from
May 31, 2024
@@ -262,6 +262,24 @@ anta.tests.security:
profile: eAPI_SSL_Profile
result_overwrite:
custom_field: 'eAPI HTTPS SSL Profile: eAPI_SSL_Profile'
- VerifySpecificIPSecConn:
ip_security_connections:
- peer: 10.255.255.10
vrf: default
result_overwrite:
custom_field: 'IPv4 Peer: 10.255.255.10 VRF: default'
- VerifySpecificIPSecConn:
ip_security_connections:
- peer: 10.255.255.20
vrf: default
result_overwrite:
custom_field: 'IPv4 Peer: 10.255.255.20 VRF: default'
- VerifySpecificIPSecConn:
ip_security_connections:
- peer: 10.255.1.2
vrf: default
result_overwrite:
custom_field: 'IPv4 Peer: 10.255.1.2 VRF: default'
- VerifySSHStatus: null
- VerifySSHIPv4Acl:
number: 3
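Review bot: one `VerifySpecificIPSecConn` entry per static peer, each with a single-element `ip_security_connections` list, is the right shape here rather than one entry listing all three peers: `result_overwrite.custom_field` labels one test result, so a failure stays attributable to the specific peer named in `'IPv4 Peer: 10.255.255.10 VRF: default'`. Every entry carries the same `vrf: default`, which mirrors the hard-coded VRF in the generator; because the VRF is already part of the `custom_field` string, making it configurable later would not require a change to the catalog layout.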
@@ -262,6 +262,24 @@ anta.tests.security:
profile: eAPI_SSL_Profile
result_overwrite:
custom_field: 'eAPI HTTPS SSL Profile: eAPI_SSL_Profile'
- VerifySpecificIPSecConn:
ip_security_connections:
- peer: 10.255.255.10
vrf: default
result_overwrite:
custom_field: 'IPv4 Peer: 10.255.255.10 VRF: default'
- VerifySpecificIPSecConn:
ip_security_connections:
- peer: 10.255.255.20
vrf: default
result_overwrite:
custom_field: 'IPv4 Peer: 10.255.255.20 VRF: default'
- VerifySpecificIPSecConn:
ip_security_connections:
- peer: 10.255.1.1
vrf: default
result_overwrite:
custom_field: 'IPv4 Peer: 10.255.1.1 VRF: default'
- VerifySSHStatus: null
- VerifySSHIPv4Acl:
number: 3
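Review bot: the only difference from the neighbouring host's catalog is the third peer, 10.255.1.1 here, so confirm the two molecule WAN routers' `static_peers.router_ip` values are intentionally cross-referenced (each router checking the IPsec connection towards the other's router IP while both share the 10.255.255.10 and 10.255.255.20 peers) rather than a copy-paste leftover; if intentional, the expected catalog is correct as written.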
2,832 changes: 1,419 additions & 1,413 deletions ansible_collections/arista/avd/molecule/eos_validate_state/reports/FABRIC-state.csv


2,840 changes: 1,423 additions & 1,417 deletions ansible_collections/arista/avd/molecule/eos_validate_state/reports/FABRIC-state.md


@@ -529,6 +529,33 @@
],
"description": "Verifies IPv4 security connections for a peer."
},
{
"name": "dc1-wan1",
"test": "VerifySpecificIPSecConn",
"categories": [
"security"
],
"description": "Verifies IPv4 security connections for a peer.",
"custom_field": "IPv4 Peer: 10.255.1.2 VRF: default"
},
{
"name": "dc1-wan1",
"test": "VerifySpecificIPSecConn",
"categories": [
"security"
],
"description": "Verifies IPv4 security connections for a peer.",
"custom_field": "IPv4 Peer: 10.255.255.10 VRF: default"
},
{
"name": "dc1-wan1",
"test": "VerifySpecificIPSecConn",
"categories": [
"security"
],
"description": "Verifies IPv4 security connections for a peer.",
"custom_field": "IPv4 Peer: 10.255.255.20 VRF: default"
},
{
"name": "dc1-wan1",
"test": "VerifySSHIPv4Acl",
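Review bot: the unchanged context directly above the insert (`],` / `"description": "Verifies IPv4 security connections for a peer."` / `},`) closes an entry with the same description but no `custom_field`, so confirm it is not a pre-existing record for the same test that should have been replaced rather than kept alongside the three new labelled entries; otherwise the dc1-wan1 report lists more `VerifySpecificIPSecConn` rows than the catalog defines. Also note the new entries are ordered by `custom_field` string (`10.255.1.2` before `10.255.255.10`), not in catalog order, which is fine if the report generator sorts but worth remembering when diffing against the YAML.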
@@ -529,6 +529,33 @@
],
"description": "Verifies IPv4 security connections for a peer."
},
{
"name": "dc1-wan2",
"test": "VerifySpecificIPSecConn",
"categories": [
"security"
],
"description": "Verifies IPv4 security connections for a peer.",
"custom_field": "IPv4 Peer: 10.255.1.1 VRF: default"
},
{
"name": "dc1-wan2",
"test": "VerifySpecificIPSecConn",
"categories": [
"security"
],
"description": "Verifies IPv4 security connections for a peer.",
"custom_field": "IPv4 Peer: 10.255.255.10 VRF: default"
},
{
"name": "dc1-wan2",
"test": "VerifySpecificIPSecConn",
"categories": [
"security"
],
"description": "Verifies IPv4 security connections for a peer.",
"custom_field": "IPv4 Peer: 10.255.255.20 VRF: default"
},
{
"name": "dc1-wan2",
"test": "VerifySSHIPv4Acl",
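Review bot: here too the context entry just above the insert ends with `"description": "Verifies IPv4 security connections for a peer."` and no `custom_field`, so check whether it is an older unlabelled result for the same test that should disappear now that every `VerifySpecificIPSecConn` result for dc1-wan2 carries an `IPv4 Peer: ... VRF: default` label; the three added entries themselves match the dc1-wan2 catalog (10.255.1.1, 10.255.255.10, 10.255.255.20).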
@@ -151,6 +151,9 @@ title: Ansible Collection Role eos_validate_state - Preview Integration with ANT
- (New) AvdTestAPIHttpsSSL (No Ansible tags, use the new `skipped_tests` variable instead)
- VerifyAPIHttpsSSL: Validate eAPI HTTPS SSL profile status.

- (New) AvdTestIPSecurity (No Ansible tags, use the new `skipped_tests` variable instead)
- VerifySpecificIPSecConn: Validates the establishment of IP security connections for a peer within the default VRF. This test exclusively examines IPsec connections defined in the router's path selection configuration.

## Input variables

```yaml
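Review bot: the new `VerifySpecificIPSecConn` bullet should also state the two conditions the implementation enforces but the text leaves implicit: peers are taken only from `router_path_selection.path_groups[].static_peers[].router_ip`, and the whole `AvdTestIPSecurity` class is skipped when no path groups are configured. Suggest appending a sentence such as `Skipped when no router path-group with static peers is configured.` The "within the default VRF" wording matches the VRF hard-coded in the generator; if that is a temporary limitation, say so here so users do not expect peers in other VRFs to be checked.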
@@ -9,6 +9,7 @@
AvdTestHardware,
AvdTestInbandReachability,
AvdTestInterfacesState,
AvdTestIPSecurity,
AvdTestLLDPTopology,
AvdTestLoopback0Reachability,
AvdTestMLAG,
@@ -36,6 +37,7 @@
AvdTestInbandReachability: {"legacy_ansible_tags": ["loopback_reachability", "loopback0_reachability", "optional"]},
AvdTestLoopback0Reachability: {"legacy_ansible_tags": ["loopback_reachability", "loopback0_reachability"]},
AvdTestAPIHttpsSSL: {},
AvdTestIPSecurity: {},
}
"""
A dict of all AVD eos_validate_state test classes with their equivalent legacy Ansible tags.
@@ -6,7 +6,7 @@
from .avdtestinterfaces import AvdTestInterfacesState
from .avdtestmlag import AvdTestMLAG
from .avdtestrouting import AvdTestBGP, AvdTestRoutingTable
from .avdtestsecurity import AvdTestAPIHttpsSSL
from .avdtestsecurity import AvdTestAPIHttpsSSL, AvdTestIPSecurity
from .avdtestsystem import AvdTestNTP, AvdTestReloadCause

__all__ = [
@@ -22,4 +22,5 @@
"AvdTestRoutingTable",
"AvdTestBGP",
"AvdTestAPIHttpsSSL",
"AvdTestIPSecurity",
]
@@ -36,3 +36,53 @@ def test_definition(self) -> dict | None:
anta_tests.append({"VerifyAPIHttpsSSL": {"profile": profile, "result_overwrite": {"custom_field": f"eAPI HTTPS SSL Profile: {profile}"}}})

return {self.anta_module: anta_tests}


class AvdTestIPSecurity(AvdTestBase):
"""
AvdTestIPSecurity class for IP security connection tests.
It validates the state of IPv4 security connections for a specified peer, ensuring they are established.
It specifically focuses on IPv4 security connections within the default VRF and examines connections defined in the router's path selection configuration.

"""

anta_module = "anta.tests.security"

@cached_property
def test_definition(self) -> dict | None:
"""
Generates the proper ANTA test definition for all IP security connection tests.

Returns:
test_definition (dict): ANTA test definition.
"""
anta_tests = []

# Check if there are any path groups with static peers
if (path_groups := get(self.structured_config, "router_path_selection.path_groups")) is None:
LOGGER.info("No router path-group configured to collect the static peer. %s is skipped.", self.__class__.__name__)
return None

added_peers = set()
for group_idx, path_group in enumerate(path_groups):
if not self.validate_data(data=path_group, data_path=f"router_path_selection.path_groups.[{group_idx}]", required_keys="static_peers"):
continue

for peer_idx, peer in enumerate(path_group["static_peers"]):
if self.validate_data(
data=peer, data_path=f"router_path_selection.path_groups.[{group_idx}].static_peers.[{peer_idx}]", required_keys="router_ip"
):
peer_address = peer["router_ip"]
vrf = "default" # TODO: Keeping the vrf name static for now. We may need to change later on.
if (peer_address, vrf) not in added_peers:
anta_tests.append(
{
"VerifySpecificIPSecConn": {
"ip_security_connections": [{"peer": peer_address, "vrf": vrf}],
"result_overwrite": {"custom_field": f"IPv4 Peer: {peer_address} VRF: {vrf}"},
}
}
)
added_peers.add((peer_address, vrf))

return {self.anta_module: anta_tests} if anta_tests else None
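Review bot: the trailing `return {self.anta_module: anta_tests} if anta_tests else None` skips the class silently when path groups exist but none has a `static_peers` entry with a `router_ip`, whereas the `path_groups is None` branch logs an INFO message before returning `None`; log the same "skipped" message in the empty case too (e.g. `if not anta_tests: LOGGER.info(...); return None`) so both skip paths are observable the same way, and note that `AvdTestAPIHttpsSSL` directly above returns `{self.anta_module: anta_tests}` unconditionally, so pick one convention for the module. Two smaller points: the log text should read `No router path-group configured to collect static peers` (plural), and the docstring's `Returns: test_definition (dict)` should say `dict | None` to match the annotation. The `added_peers` set keyed on `(peer_address, vrf)` is the right guard against the same `router_ip` appearing in several path groups, and since `vrf` is currently the constant `"default"` (per the TODO) the tuple key already accommodates a configurable VRF later.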