Introducing module firewall_alias (#137)

* created molecule file * created verify file * renaming aliases to alias * renaming aliases to alias * first draft of test_firewall_alias * removed unused file test_firewall_aliases * renaming * finished test_firewall_alias_from_xml unit test * added test_firewall_rule_alias_to_etree unit test * added to_etree function * finished test_firewall_alias_from_ansible_module_params_simple unit test * added from_ansible_module_params classmethod * added FirewallAliasSet unit test * added FirewallAliasSet class * updated tests in order to support new listenum and added xml-data * added FirewallAliasType * updated class FirewallAliasType values * added content list handling * added content unit tests * updated tests to accept new bool counter value * updated tests to accept new bool counter value * updated updatefreq default values * added tests to test updatefreq * added firewall_alias module * first working draft * first working draft firewall_alias * implemented remove function * added content as list handling * updated tests * started implementing content_validation * added host and network type validation unit tests * added content_types host and network * added validation functions * added multiple tests * enabled tests * added interface validation checks * added interface validation function * updated module_incex to support new module * updated tests * added converge file for module firewall_alias * removed unused imports * minor updated * updated documentation * updated return * fixed linter errors * fixed linter errors * finished documentation * fixed typing * removed unwanted file * pylint errors * fixed pylinter errors * added pylint skip-file to test_system_access_users_utils * fixed typos * fixed type asn * added test to verify type asn fix * fixed authgroup type * fixed setting of authgroup * added two new test cases * added toetree tests to check asn protocol * added tests to fix protocol assignment * added MaximumTableEntries validation * fixed hostname validation * updated converage * fixed linter errors * added molcue instance * updated module_index to support version 24.7 of the alias module * added missing maximumtableentries entry * Update plugins/module_utils/firewall_alias_utils.py Co-authored-by: Fabio Bertagna <33524186+DonGiovanni83@users.noreply.github.com> * Update plugins/module_utils/firewall_alias_utils.py Co-authored-by: Fabio Bertagna <33524186+DonGiovanni83@users.noreply.github.com> * Update plugins/module_utils/firewall_alias_utils.py Co-authored-by: Fabio Bertagna <33524186+DonGiovanni83@users.noreply.github.com> * Update plugins/module_utils/firewall_alias_utils.py Co-authored-by: Fabio Bertagna <33524186+DonGiovanni83@users.noreply.github.com> * applied @dongovanni's requests * restructred firewall_alias * restructred firewall_alias_utils version compatibility checks * removed unused import * updated version_added entry --------- Co-authored-by: Fabio Bertagna <33524186+DonGiovanni83@users.noreply.github.com>
puzzle · Aug 20, 2024 · 0416c70 · 0416c70
1 parent 6e9025f
commit 0416c70
Show file tree

Hide file tree

Showing 7 changed files with 3,171 additions and 0 deletions.
diff --git a/molecule/firewall_alias/converge.yml b/molecule/firewall_alias/converge.yml
@@ -0,0 +1,314 @@
+---
+- name: converge
+  hosts: all
+  become: true
+  tasks:
+
+    - name: Converge - Get OPNsense version
+      ansible.builtin.command: opnsense-version -O
+      register: opnsense_version_cmd
+      changed_when: false
+
+    - name: Converge - Set OPNsense version fact
+      ansible.builtin.set_fact:
+        opnsense_version: "{{ opnsense_version_cmd.stdout | from_json }}"
+
+    - name: Create a Host Alias with the content 10.0.0.1
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeHost
+        type: host
+        statistics: false
+        description: Test Alias with type Host
+        content: 10.0.0.1
+        state: present
+
+    - name: Create a Host Alias with an unsupported content 192.168.0.0/24
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeHost
+        type: host
+        statistics: false
+        description: Test Alias with type Host
+        content: 192.168.0.0/24
+        state: present
+      register: unsupported_content_for_type_host_result
+      ignore_errors: yes
+
+    - name: Verify that the alias update failed since the defined content is not supported for type host
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_host_result is failed
+        fail_msg: "Content 192.168.0.0/24 for type host should fail"
+        success_msg: "Content 192.168.0.0/24 failed as expected due to unsupported content for type host"
+
+
+    - name: Create a Host Alias with the content 10.0.0.1, 10.0.0.2
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeHostList
+        type: host
+        statistics: false
+        description: Test Alias with type Host
+        content:
+            - 10.0.0.1
+            - 10.0.0.2
+
+    - name: Create a Network Alias with the content 192.168.0.0/24
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeNetwork
+        type: network
+        statistics: false
+        description: Test Alias with type Network
+        content: 192.168.0.0/24
+
+    - name: Create a Network Alias with an unsupported content test_content
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeNetwork
+        type: network
+        statistics: false
+        description: Test Alias with type Network
+        content: test_content
+        state: present
+      register: unsupported_content_for_type_network_result
+      ignore_errors: yes
+
+    - name: Verify that the alias update failed since the defined content is not supported for type network
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_network_result is failed
+        fail_msg: "Content test_content for type network should fail"
+        success_msg: "Content test_content failed as expected due to unsupported content for type network"
+
+    - name: Create a NetworkGroup Alias with the content TestAliasTypeNetwork
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeNetworkGroup
+        type: networkgroup
+        description: Test Alias with type NetworkGroup
+        content:
+            - TestAliasTypeNetwork
+
+    - name: Create a NetworkGroup Alias with an unsupported content test_content
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeNetworkGroup
+        type: networkgroup
+        statistics: false
+        description: Test Alias with type NetworkGroup
+        content: test_content
+        state: present
+      register: unsupported_content_for_type_networkgroup_result
+      ignore_errors: yes
+
+    - name: Verify that the alias update failed since the defined content is not supported for type networkgroup
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_networkgroup_result is failed
+        fail_msg: "Content test_content for type networkgroup should fail"
+        success_msg: "Content test_content failed as expected due to unsupported content for type networkgroup"
+
+    - name: Create a Port Alias with the content 80
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypePort
+        type: port
+        statistics: false
+        description: Test Alias with type Port
+        content: 80
+
+    - name: Create a Port Alias with an unsupported content !30
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypePort
+        type: port
+        statistics: false
+        description: Test Alias with type Port
+        content: "!30"
+        state: present
+      register: unsupported_content_for_type_port_result
+      ignore_errors: yes
+
+    - name: Verify that the alias update failed since the defined content is not supported for type port
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_port_result is failed
+        fail_msg: "Content test_content for type port should fail"
+        success_msg: "Content !30 failed as expected due to unsupported content for type port"
+
+    - name: Create an MAC Alias with the content FF:FF:FF:FF:FF
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeMAC
+        type: macaddress
+        statistics: false
+        description: Test Alias with type MAC
+        content: FF:FF:FF:FF:FF:FF
+
+    - name: Create a MACAddress Alias with an unsupported content 11:AA:22:BB:33
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeMACAddress
+        type: macaddress
+        statistics: false
+        description: Test Alias with type MACAddress
+        content: 11:AA:22:BB:33
+        state: present
+      register: unsupported_content_for_type_macaddress_result
+      ignore_errors: yes
+
+    - name: Verify that the alias update failed since the defined content is not supported for type macaddress
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_macaddress_result is failed
+        fail_msg: "Content 11:AA:22:BB:33 for type macaddress should fail"
+        success_msg: "Content 11:AA:22:BB:33 failed as expected due to unsupported content for type macaddress"
+
+    - name: Create an URL Alias with the content www.puzzle.ch
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeURL
+        type: url
+        statistics: false
+        description: Test Alias with type URL
+        content: www.puzzle.ch
+
+    - name: Create a URLTable Alias with the content www.google.ch, www.puzzle.ch
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeURLTable
+        type: urltable
+        refreshfrequency:
+          days: 1
+          hours: 2
+        description: Test Alias with type URLTable
+        content:
+            - www.google.ch
+            - www.puzzle.ch
+
+    - name: Create a GeoIP Alias with the content CH, DE
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeGeoIP
+        type: geoip
+        description: Test Alias with type GeoIP
+        content:
+          - CH
+          - DE
+      ignore_errors: yes
+      register: unconfigured_geoip_result
+
+    - name: Verify that the creation failed, since the GeoIP settings are not configured
+      ansible.builtin.assert:
+        that:
+          - unconfigured_geoip_result is failed
+        fail_msg: "Setting of GeoIP should fail"
+        success_msg: "Setting of GeoIP should fail as expected due to unconfigured GeoIP settings"
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create an BGPASN Alias with the content 65000
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeBGPASN
+        type: bgpasn
+        statistics: false
+        description: Test Alias with type BGPASN
+        content: 65000
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create an BGPASN Alias with the content 65001 and protocol ipv4
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeBGPASN_ipv4
+        type: bgpasn
+        statistics: false
+        description: Test Alias with type BGPASN with the content 65001 and protocol ipv4
+        content: 65001
+        protocol: IPv4
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create an BGPASN Alias with the content 65002 and protocol ipv6
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeBGPASN_ipv6
+        type: bgpasn
+        statistics: false
+        description: Test Alias with type BGPASN with the content 65002 and protocol ipv6
+        content: 65002
+        protocol: IPv6
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create an BGPASN Alias with the content 65003 and protocol ipv4,ipv6
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeBGPASN_ipv4_ipv6
+        type: bgpasn
+        statistics: false
+        description: Test Alias with type BGPASN with the content 65003 and protocol ipv4,ipv6
+        content: 65003
+        protocol:
+          - IPv4
+          - IPv6
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create a BGPASN Alias with an unsupported content test_asn
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeBGPASN
+        type: bgpasn
+        statistics: false
+        description: Test Alias with type BGPASN
+        content: test_asn
+        state: present
+      register: unsupported_content_for_type_bgpasn_result
+      ignore_errors: yes
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Verify that the alias update failed since the defined content is not supported for type bgpasn
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_bgpasn_result is failed
+        fail_msg: "Content test_asn for type bgpasn should fail"
+        success_msg: "Content test_asn failed as expected due to unsupported content for type bgpasn"
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create an DYNAMICIPV6HOST Alias with the content ::abcd:1234:5678:abcd
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeDYNAMICIPV6HOST
+        type: dynamicipv6host
+        statistics: false
+        description: Test Alias with type DYNAMICIPV6HOST
+        content: ::abcd:1234:5678:abcd
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create a DYNAMICIPV6HOST Alias with an unsupported content 2001::10
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeDYNAMICIPV6HOST
+        type: dynamicipv6host
+        statistics: false
+        description: Test Alias with type DYNAMICIPV6HOST
+        content: 2001::10
+        state: present
+      register: unsupported_content_for_type_dynamicipv6host_result
+      ignore_errors: yes
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Verify that the alias update failed since the defined content is not supported for type dynamicipv6host
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_dynamicipv6host_result is failed
+        fail_msg: "Content 2001::10 for type dynamicipv6host should fail"
+        success_msg: "Content 2001::10 failed as expected due to unsupported content for type dynamicipv6host"
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create an OPNVPNGROUP Alias with the content admins
+      puzzle.opnsense.firewall_alias:
+        name: TestAliasTypeOPNVPNGROUP
+        type: opnvpngroup
+        statistics: false
+        description: Test Alias with type OPNVPNGROUP
+        content: admins
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Create a OPNVPNGROUP Alias with an unsupported content test_group
+      puzzle.opnsense.firewall_alias:
+        name: UnsupportedTestAliasTypeOPNVPNGROUP
+        type: opnvpngroup
+        statistics: false
+        description: Test Alias with type OPNVPNGROUP
+        content: test_group
+        state: present
+      ignore_errors: yes
+      register: unsupported_content_for_type_opnvpngroup_result
+      when: opnsense_version["product_version"] is version('23.7', '>=')
+
+    - name: Verify that the alias update failed since the defined content is not supported for type opnvpngroup
+      ansible.builtin.assert:
+        that:
+          - unsupported_content_for_type_opnvpngroup_result is failed
+        fail_msg: "Content test_group for type opnvpngroup should fail"
+        success_msg: "Content test_group failed as expected due to unsupported content for type opnvpngroup"
+      when: opnsense_version["product_version"] is version('23.7', '>=')
diff --git a/molecule/firewall_alias/molecule.yml b/molecule/firewall_alias/molecule.yml
@@ -0,0 +1,77 @@
+---
+scenario:
+    name: firewall_alias
+    test_sequence:
+        # - dependency not relevant unless we have requirements
+        - destroy
+        - syntax
+        - create
+        - converge
+        - idempotence
+        - verify
+        - destroy
+
+driver:
+    name: vagrant
+    parallel: true
+
+platforms:
+    - name: "22.7"
+      hostname: false
+      box: puzzle/opnsense
+      box_version: "22.7"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "23.1"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "23.1"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "23.7"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "23.7"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "24.1"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "24.1"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "24.7"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "24.7"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+
+provisioner:
+    name: ansible
+    env:
+        ANSIBLE_VERBOSITY: 3
+verifier:
+    name: ansible
+    options:
+        become: true