[ignore] Added missing test cases for secure properties
samiib authored and lhercot committed Jun 11, 2024
1 parent 9d9c2a6 commit 99ba402
Showing 9 changed files with 169 additions and 38 deletions.
14 changes: 13 additions & 1 deletion tests/integration/targets/aci_aaa_key_ring/tasks/main.yml
Expand Up @@ -93,7 +93,7 @@

# UPDATE
- name: Update an existing key ring
cisco.aci.aci_aaa_key_ring:
cisco.aci.aci_aaa_key_ring: &key_ring_1_update
<<: *key_ring_1_present
description: "This is a changed description."
modulus: 2048
Expand All @@ -102,6 +102,12 @@
key: "{{ lookup('file', 'pki/admin.key') }}"
register: nm_update_key_ring_1

# UPDATE IDEMPOTENCY
- name: Update an existing key ring again
cisco.aci.aci_aaa_key_ring:
<<: *key_ring_1_update
register: nm_update_key_ring_1_again

- name: Assertions for updating a key ring
ansible.builtin.assert:
that:
Expand All @@ -113,6 +119,12 @@
- nm_update_key_ring_1.current.0.pkiKeyRing.attributes.descr == "This is a changed description."
- nm_update_key_ring_1.current.0.pkiKeyRing.attributes.modulus == "mod2048"
- nm_update_key_ring_1.current.0.pkiKeyRing.attributes.tp == "certificate_authority_1"
- nm_update_key_ring_1.proposed.pkiKeyRing.attributes.key == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when key is set
- nm_update_key_ring_1_again is changed
- nm_update_key_ring_1_again.proposed.pkiKeyRing.attributes.key == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- nm_update_key_ring_1_again.previous.0.pkiKeyRing.attributes.key is undefined
- nm_update_key_ring_1_again.current.0.pkiKeyRing.attributes.key is undefined

# VERSION SPECIFIC TESTS
- name: Test updating a key ring with key_type
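Review bot: The new assertions check the masked value only under `proposed` (for example `nm_update_key_ring_1.proposed.pkiKeyRing.attributes.key`), so a private key echoed through any other returned field would go unnoticed. If the module also returns the pushed payload under `sent` at this output level (I believe it does at `info`, but confirm), add `- nm_update_key_ring_1.sent.pkiKeyRing.attributes.key == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"` next to it. The first run also lacks the `current.0.pkiKeyRing.attributes.key is undefined` check that the repeat run gets. The same `proposed`-only gap applies to the secure-property assertions added in the other eight file sections of this commit.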
88 changes: 52 additions & 36 deletions tests/integration/targets/aci_aaa_user/tasks/main.yml
Expand Up @@ -14,16 +14,28 @@
state: absent
ignore_errors: true # ignore errors to because of multiple executions for hosts at the same time

- name: Set vars
ansible.builtin.set_fact:
aci_info: &aci_info
host: "{{ aci_hostname }}"
username: "{{ aci_username }}"
password: "{{ aci_password }}"
validate_certs: '{{ aci_validate_certs | default(false) }}'
use_ssl: '{{ aci_use_ssl | default(true) }}'
use_proxy: '{{ aci_use_proxy | default(true) }}'
output_level: '{{ aci_use_proxy | default("info") }}'

- name: Query system information to fetch version
cisco.aci.aci_system:
<<: *aci_info
id: 1
state: query
register: version

# ADD USER
- name: Add user without dateutil installed (error)
cisco.aci.aci_aaa_user: &user_present
host: '{{ aci_hostname }}'
username: '{{ aci_username }}'
password: '{{ aci_password }}'
validate_certs: '{{ aci_validate_certs | default(false) }}'
use_ssl: '{{ aci_use_ssl | default(true) }}'
use_proxy: '{{ aci_use_proxy | default(true) }}'
output_level: '{{ aci_output_level | default("info") }}'
<<: *aci_info
aaa_user: ansible
description: Ansible test user
email: [email protected]
Expand All @@ -50,13 +62,7 @@
# CLEAN ENVIRONMENT
- name: Remove any pre-existing user
cisco.aci.aci_aaa_user: &user_absent
host: '{{ aci_hostname }}'
username: '{{ aci_username }}'
password: '{{ aci_password }}'
validate_certs: '{{ aci_validate_certs | default(false) }}'
use_ssl: '{{ aci_use_ssl | default(true) }}'
use_proxy: '{{ aci_use_proxy | default(true) }}'
output_level: '{{ aci_output_level | default("info") }}'
<<: *aci_info
aaa_user: ansible
state: absent

Expand All @@ -68,7 +74,7 @@

# NOTE: Setting password is not idempotent, see #35544
- name: Add user (normal mode)
cisco.aci.aci_aaa_user:
cisco.aci.aci_aaa_user: &user_present_pass
<<: *user_present
# changed password because password strength check is triggered on the 6.0(2h) version, thus failing testcase
aaa_password: khsaubf@3ijsdn!!2#%nbsh
Expand All @@ -90,20 +96,42 @@
- nm_add_user is changed
- nm_add_user.current.0.aaaUser.attributes.annotation == 'orchestrator:ansible'
- nm_add_user.current.0.aaaUser.attributes.descr == 'Ansible test user'
- nm_add_user.proposed.aaaUser.attributes.pwd == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- cm_add_user_again is not changed
- nm_add_user_again is not changed
- nm_add_user_again.current.0.aaaUser.attributes.descr == 'Ansible test user'

# VERSION SPECIFIC TESTS
- name: Test updating a password
when: version.current.0.topSystem.attributes.version is version('6.0', '>=')
block:
# Can't use previous 5 passwords
- name: Update user with no password change
cisco.aci.aci_aaa_user:
<<: *user_present_pass
ignore_errors: true
register: nm_add_user_no_password_change

- name: Update user with password change
cisco.aci.aci_aaa_user:
<<: *user_present
aaa_password: khsaubf@3ijsdn!!2#%nbsh1
register: nm_add_user_password_change

- name: Verify add user
ansible.builtin.assert:
that:
# Idempotency is not supported when password is set
- nm_add_user_password_change is changed
- nm_add_user_password_change.proposed.aaaUser.attributes.pwd == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- nm_add_user_password_change.previous.0.aaaUser.attributes.pwd is undefined
- nm_add_user_password_change.current.0.aaaUser.attributes.pwd is undefined
- nm_add_user_no_password_change.msg == "APIC Error 1{{":"}} Password history check{{":"}} user ansible should not use previous 5 passwords"

# MODIFY USER
- name: Modify user (check_mode)
cisco.aci.aci_aaa_user: &user_changed
host: '{{ aci_hostname }}'
username: '{{ aci_username }}'
password: '{{ aci_password }}'
validate_certs: '{{ aci_validate_certs | default(false) }}'
use_ssl: '{{ aci_use_ssl | default(true) }}'
use_proxy: '{{ aci_use_proxy | default(true) }}'
output_level: '{{ aci_output_level | default("info") }}'
<<: *aci_info
aaa_user: ansible
description: Ansible test user for integration tests
email: [email protected]
Expand Down Expand Up @@ -148,13 +176,7 @@
# CLEAR PASSWORD HISTORY
- name: Clear password history (check_mode)
cisco.aci.aci_aaa_user: &clear_password_history
host: '{{ aci_hostname }}'
username: '{{ aci_username }}'
password: '{{ aci_password }}'
validate_certs: '{{ aci_validate_certs | default(false) }}'
use_ssl: '{{ aci_use_ssl | default(true) }}'
use_proxy: '{{ aci_use_proxy | default(true) }}'
output_level: '{{ aci_output_level | default("info") }}'
<<: *aci_info
aaa_user: ansible
clear_password_history: true
check_mode: true
Expand Down Expand Up @@ -186,13 +208,7 @@
# QUERY ALL USERS
- name: Query all users (check_mode)
cisco.aci.aci_aaa_user: &user_query
host: '{{ aci_hostname }}'
username: '{{ aci_username }}'
password: '{{ aci_password }}'
validate_certs: '{{ aci_validate_certs | default(false) }}'
use_ssl: '{{ aci_use_ssl | default(true) }}'
use_proxy: '{{ aci_use_proxy | default(true) }}'
output_level: '{{ aci_output_level | default("info") }}'
<<: *aci_info
aaa_user: ansible
state: query
check_mode: true
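Review bot: In the new `Set vars` task, `output_level` is templated from `aci_use_proxy` instead of `aci_output_level`, which looks like a copy-paste slip from the `use_proxy` line above it; the per-task blocks this anchor replaces all used `aci_output_level`. Every task that merges `*aci_info` inherits the value, so an inventory override of `aci_output_level` is silently ignored, and when `aci_use_proxy` is defined the module receives a boolean-looking string rather than a level. The `proposed`/`previous` assertions added further down presumably need at least `info`, so this can make the secure-property checks fail or pass for the wrong reason. Change the line to `output_level: '{{ aci_output_level | default("info") }}'`.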
16 changes: 15 additions & 1 deletion tests/integration/targets/aci_file_remote_path/tasks/main.yml
Expand Up @@ -100,24 +100,38 @@

# UPDATE FILE REMOTE PATH
- name: Update File Remote Path
cisco.aci.aci_file_remote_path:
cisco.aci.aci_file_remote_path: &update_path
<<: *aci_path
remote_protocol: sftp
remote_user: new_user
remote_password: new_pass
remote_path: /tmp/dummy
register: update_path

- name: Update File Remote Path again
cisco.aci.aci_file_remote_path:
<<: *update_path
register: update_path_again

- name: Verify update of File Remote Path
ansible.builtin.assert:
that:
- update_path is changed
- update_path.previous == nm_create_path.current
- update_path.current.0.fileRemotePath.attributes.name == "ansible_file_path"
- update_path.current.0.fileRemotePath.attributes.descr == "Test File Path"
- update_path.current.0.fileRemotePath.attributes.protocol == "sftp"
- update_path.current.0.fileRemotePath.attributes.authType == "usePassword"
- update_path.current.0.fileRemotePath.attributes.userName == "new_user"
- update_path.current.0.fileRemotePath.attributes.remotePath == "/tmp/dummy"
- update_path.current.0.fileRemotePath.attributes.userPasswd is undefined
- update_path.proposed.fileRemotePath.attributes.userPasswd == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when remote_password is set
- update_path_again is changed
- update_path_again.current == update_path.current
- update_path_again.current.0.fileRemotePath.attributes.userPasswd is undefined
- update_path_again.previous.0.fileRemotePath.attributes.userPasswd is undefined
- update_path_again.proposed.fileRemotePath.attributes.userPasswd == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# QUERY FILE REMOTE PATH
- name: Query a File Remote Path
25 changes: 25 additions & 0 deletions tests/integration/targets/aci_firmware_source/tasks/main.yml
Expand Up @@ -74,6 +74,31 @@
that:
- cm_add_source_again is not changed

- name: Add password source
cisco.aci.aci_firmware_source: &source_pass
<<: *source_present
source: ansible_test_pass
url_password: test
register: password_source

- name: Add password source again
cisco.aci.aci_firmware_source:
<<: *source_pass
register: password_source_again

- name: Verify add password source
ansible.builtin.assert:
that:
- password_source is changed
- password_source.previous == []
- password_source.current.0.firmwareOSource.attributes.password is undefined
- password_source.proposed.firmwareOSource.attributes.password == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when url_password is set
- password_source_again is changed
- password_source_again.previous == password_source.current
- password_source_again.current.0.firmwareOSource.attributes.password is undefined
- password_source_again.proposed.firmwareOSource.attributes.password == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

- name: Add another source (normal mode)
cisco.aci.aci_firmware_source:
<<: *source_present
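Review bot: The dummy secret `url_password: test` in the new `Add password source` task is a substring of the source name `ansible_test_pass` set on the line before it. As far as I know, Ansible's no_log sanitiser masks every occurrence of a no_log value in the returned result, including inside longer strings, so the object's name or dn may come back partly starred and `password_source_again.previous == password_source.current` would then compare masked data. Use a distinctive dummy value that appears nowhere else in the task, for example `url_password: ansible_fw_secret` (constructed sample), so masking shows up only where the assertions expect it.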
7 changes: 7 additions & 0 deletions tests/integration/targets/aci_key_policy/tasks/main.yml
Expand Up @@ -91,7 +91,14 @@
- nm_add_key_policy.current.0.fvKeyPol.attributes.id == "1"
- nm_add_key_policy.current.0.fvKeyPol.attributes.startTime == "2024-01-01T00:00:00.000+00:00"
- nm_add_key_policy.current.0.fvKeyPol.attributes.endTime == "2026-01-01T00:00:00.000+00:00"
- nm_add_key_policy.current.0.fvKeyPol.attributes.preSharedKey is undefined
- nm_add_key_policy.proposed.fvKeyPol.attributes.preSharedKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when pre_shared_key is set
- nm_add_key_policy_idempotency is changed
- nm_add_key_policy_idempotency.current == nm_add_key_policy_idempotency.previous
- nm_add_key_policy_idempotency.current.0.fvKeyPol.attributes.preSharedKey is undefined
- nm_add_key_policy_idempotency.previous.0.fvKeyPol.attributes.preSharedKey is undefined
- nm_add_key_policy_idempotency.proposed.fvKeyPol.attributes.preSharedKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- nm_add_key_policy_2 is changed
- nm_add_key_policy_2.previous == []
- nm_add_key_policy_2.current.0.fvKeyPol.attributes.id == "2"
12 changes: 12 additions & 0 deletions tests/integration/targets/aci_l3out_bgp_peer/tasks/main.yml
Expand Up @@ -1522,6 +1522,11 @@
state: present
register: create_with_password

- name: Create BGP Peer with password again
aci_l3out_bgp_peer:
<<: *bgp_peer_with_password
register: create_with_password_again

- name: Update BGP Peer to remove remote as and local as number
aci_l3out_bgp_peer:
<<: *bgp_peer_with_password
Expand All @@ -1538,6 +1543,13 @@
- create_with_password.current.0.bgpPeerP.attributes.password is not defined
- create_with_password.current.0.bgpPeerP.children.0.bgpLocalAsnP.attributes.localAsn == "65460"
- create_with_password.current.0.bgpPeerP.children.2.bgpAsP.attributes.asn == "65450"
- create_with_password.proposed.bgpPeerP.attributes.password == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when bgp_password is set
- create_with_password_again is changed
- create_with_password_again.current == create_with_password_again.previous
- create_with_password_again.current.0.bgpPeerP.attributes.password is undefined
- create_with_password_again.previous.0.bgpPeerP.attributes.password is undefined
- create_with_password_again.proposed.bgpPeerP.attributes.password == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- update_remove_remote_local_as is changed
- update_remove_remote_local_as.previous != []
- update_remove_remote_local_as.current.0.bgpPeerP.children | length == 1
Expand Up @@ -100,13 +100,26 @@
ospf_auth_key: my_key
register: update_ospfIfP

- name: Update interface profile ospf policy again
cisco.aci.aci_l3out_logical_interface_profile_ospf_policy:
<<: *ospfIfP_update
register: update_ospfIfP_again

- name: Verify update_ospfIfP
ansible.builtin.assert:
that:
- update_ospfIfP is changed
- update_ospfIfP.previous != []
- update_ospfIfP.current[0].ospfIfP.children[0].ospfRsIfPol.attributes.tnOspfIfPolName == 'default'
- update_ospfIfP.current[0].ospfIfP.attributes.authType == 'simple'
- update_ospfIfP.current[0].ospfIfP.attributes.authKey is undefined
- update_ospfIfP.proposed.ospfIfP.attributes.authKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when ospf_auth_key is set
- update_ospfIfP_again is changed
- update_ospfIfP_again.current == update_ospfIfP_again.previous
- update_ospfIfP_again.current.0.ospfIfP.attributes.authKey is undefined
- update_ospfIfP_again.previous.0.ospfIfP.attributes.authKey is undefined
- update_ospfIfP_again.proposed.ospfIfP.attributes.authKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# QUERY INTERFACE PROFILE OSPF POLICY
- name: Query interface profile ospf policy
16 changes: 16 additions & 0 deletions tests/integration/targets/aci_snmp_user/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,11 @@
<<: *snmp_user
register: nm_create_snmp_user

- name: Create a snmp user again
cisco.aci.aci_snmp_user:
<<: *snmp_user
register: nm_create_snmp_user_again_with_secrets

- name: Create a snmp user again without secrets
cisco.aci.aci_snmp_user:
<<: *snmp_user
Expand All @@ -78,6 +83,17 @@
- nm_create_snmp_user.current.0.snmpUserP.attributes.annotation == 'orchestrator:ansible'
- nm_create_snmp_user.current.0.snmpUserP.attributes.descr == ""
- nm_create_snmp_user.previous == []
- nm_create_snmp_user.proposed.snmpUserP.attributes.authKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- nm_create_snmp_user.proposed.snmpUserP.attributes.privKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when auth_key or privacy_key is set
- nm_create_snmp_user_again_with_secrets is changed
- nm_create_snmp_user_again_with_secrets.current == nm_create_snmp_user_again_with_secrets.previous
- nm_create_snmp_user_again_with_secrets.current.0.snmpUserP.attributes.authKey is undefined
- nm_create_snmp_user_again_with_secrets.previous.0.snmpUserP.attributes.authKey is undefined
- nm_create_snmp_user_again_with_secrets.proposed.snmpUserP.attributes.authKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- nm_create_snmp_user_again_with_secrets.current.0.snmpUserP.attributes.privKey is undefined
- nm_create_snmp_user_again_with_secrets.previous.0.snmpUserP.attributes.privKey is undefined
- nm_create_snmp_user_again_with_secrets.proposed.snmpUserP.attributes.privKey == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- nm_create_snmp_user_again is not changed
- nm_create_snmp_user_again.previous.0.snmpUserP.attributes.dn == "uni/fabric/snmppol-ansible_snmp_policy/user-ansible_snmp_user"
- nm_create_snmp_user_again.previous.0.snmpUserP.attributes.name == "ansible_snmp_user"
Expand Up @@ -38,6 +38,14 @@
<<: *aci_info
passphrase: ansible_passphrase
state: present
register: set_passphrase

- name: Set passphrase again
cisco.aci.aci_system_global_aes_passphrase_encryption:
<<: *aci_info
passphrase: ansible_passphrase
state: present
register: set_passphrase_again

- name: Query key configured
cisco.aci.aci_system_global_aes_passphrase_encryption:
Expand All @@ -60,6 +68,14 @@
- name: Verify passphrase and encryption settings
ansible.builtin.assert:
that:
- set_passphrase.current.0.pkiExportEncryptionKey.attributes.passphrase is undefined
- set_passphrase.proposed.pkiExportEncryptionKey.attributes.passphrase == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
# Idempotency is not supported when setting passphrase
- set_passphrase_again is changed
- set_passphrase_again.current == set_passphrase_again.previous
- set_passphrase_again.current.0.pkiExportEncryptionKey.attributes.passphrase is undefined
- set_passphrase_again.previous.0.pkiExportEncryptionKey.attributes.passphrase is undefined
- set_passphrase_again.proposed.pkiExportEncryptionKey.attributes.passphrase == "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
- query_passphrase.current.0.pkiExportEncryptionKey.attributes.keyConfigured == "yes"
- query_passphrase.current.0.pkiExportEncryptionKey.attributes.strongEncryptionEnabled == "no"
- query_encryption.current.0.pkiExportEncryptionKey.attributes.keyConfigured == "yes"