authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-10-15 20:30:47 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-10-15 20:32:01 +0000
commite45744e7c5b9916c398fe41273194ffb671fcdac (patch)
tree620ad07a959cf23c8fef76d2967d31eb9c29e6ec /tests/units/anta_tests/test_security.py
parentReleasing debian version 1.0.0-1. (diff)
Merging upstream version 1.1.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/units/anta_tests/test_security.py')
-rw-r--r--tests/units/anta_tests/test_security.py144
1 files changed, 107 insertions, 37 deletions
diff --git a/tests/units/anta_tests/test_security.py b/tests/units/anta_tests/test_security.py
index 3a732bd..0d4a478 100644
--- a/tests/units/anta_tests/test_security.py
+++ b/tests/units/anta_tests/test_security.py
@@ -7,6 +7,9 @@ from __future__ import annotations
from typing import Any
+import pytest
+from pydantic import ValidationError
+
from anta.tests.security import (
VerifyAPIHttpsSSL,
VerifyAPIHttpStatus,
@@ -15,6 +18,7 @@ from anta.tests.security import (
VerifyAPISSLCertificate,
VerifyBannerLogin,
VerifyBannerMotd,
+ VerifyHardwareEntropy,
VerifyIPSecConnHealth,
VerifyIPv4ACL,
VerifySpecificIPSecConn,
@@ -23,7 +27,7 @@ from anta.tests.security import (
VerifySSHStatus,
VerifyTelnetStatus,
)
-from tests.lib.anta import test # noqa: F401; pylint: disable=W0611
+from tests.units.anta_tests import test
DATA: list[dict[str, Any]] = [
{
@@ -38,16 +42,36 @@ DATA: list[dict[str, Any]] = [
"test": VerifySSHStatus,
"eos_data": ["SSH per host connection limit is 20\nFIPS status: disabled\n\n"],
"inputs": None,
- "expected": {"result": "error", "messages": ["Could not find SSH status in returned output."]},
+ "expected": {"result": "failure", "messages": ["Could not find SSH status in returned output."]},
},
{
- "name": "failure-ssh-disabled",
+ "name": "failure-ssh-enabled",
"test": VerifySSHStatus,
"eos_data": ["SSHD status for Default VRF is enabled\nSSH connection limit is 50\nSSH per host connection limit is 20\nFIPS status: disabled\n\n"],
"inputs": None,
"expected": {"result": "failure", "messages": ["SSHD status for Default VRF is enabled"]},
},
{
+ "name": "success-4.32",
+ "test": VerifySSHStatus,
+ "eos_data": [
+ "User certificate authentication methods: none (neither trusted CA nor SSL profile configured)\n"
+ "SSHD status for Default VRF: disabled\nSSH connection limit: 50\nSSH per host connection limit: 20\nFIPS status: disabled\n\n"
+ ],
+ "inputs": None,
+ "expected": {"result": "success"},
+ },
+ {
+ "name": "failure-ssh-enabled-4.32",
+ "test": VerifySSHStatus,
+ "eos_data": [
+ "User certificate authentication methods: none (neither trusted CA nor SSL profile configured)\n"
+ "SSHD status for Default VRF: enabled\nSSH connection limit: 50\nSSH per host connection limit: 20\nFIPS status: disabled\n\n"
+ ],
+ "inputs": None,
+ "expected": {"result": "failure", "messages": ["SSHD status for Default VRF: enabled"]},
+ },
+ {
"name": "success",
"test": VerifySSHIPv4Acl,
"eos_data": [{"ipAclList": {"aclList": [{"type": "Ip4Acl", "name": "ACL_IPV4_SSH", "configuredVrfs": ["MGMT"], "activeVrfs": ["MGMT"]}]}}],
@@ -581,40 +605,6 @@ DATA: list[dict[str, Any]] = [
},
},
{
- "name": "error-wrong-input-rsa",
- "test": VerifyAPISSLCertificate,
- "eos_data": [],
- "inputs": {
- "certificates": [
- {
- "certificate_name": "ARISTA_ROOT_CA.crt",
- "expiry_threshold": 30,
- "common_name": "Arista Networks Internal IT Root Cert Authority",
- "encryption_algorithm": "RSA",
- "key_size": 256,
- },
- ]
- },
- "expected": {"result": "error", "messages": ["Allowed sizes are (2048, 3072, 4096)."]},
- },
- {
- "name": "error-wrong-input-ecdsa",
- "test": VerifyAPISSLCertificate,
- "eos_data": [],
- "inputs": {
- "certificates": [
- {
- "certificate_name": "ARISTA_SIGNING_CA.crt",
- "expiry_threshold": 30,
- "common_name": "AristaIT-ICA ECDSA Issuing Cert Authority",
- "encryption_algorithm": "ECDSA",
- "key_size": 2048,
- },
- ]
- },
- "expected": {"result": "error", "messages": ["Allowed sizes are (256, 384, 512)."]},
- },
- {
"name": "success",
"test": VerifyBannerLogin,
"eos_data": [
@@ -1213,4 +1203,84 @@ DATA: list[dict[str, Any]] = [
],
},
},
+ {
+ "name": "success",
+ "test": VerifyHardwareEntropy,
+ "eos_data": [{"cpuModel": "2.20GHz", "cryptoModule": "Crypto Module v3.0", "hardwareEntropyEnabled": True, "blockedNetworkProtocols": []}],
+ "inputs": {},
+ "expected": {"result": "success"},
+ },
+ {
+ "name": "failure",
+ "test": VerifyHardwareEntropy,
+ "eos_data": [{"cpuModel": "2.20GHz", "cryptoModule": "Crypto Module v3.0", "hardwareEntropyEnabled": False, "blockedNetworkProtocols": []}],
+ "inputs": {},
+ "expected": {"result": "failure", "messages": ["Hardware entropy generation is disabled."]},
+ },
]
+
+
+class TestAPISSLCertificate:
+ """Test anta.tests.security.VerifyAPISSLCertificate.Input.APISSLCertificate."""
+
+ @pytest.mark.parametrize(
+ ("model_params", "error"),
+ [
+ pytest.param(
+ {
+ "certificate_name": "ARISTA_ROOT_CA.crt",
+ "expiry_threshold": 30,
+ "common_name": "Arista Networks Internal IT Root Cert Authority",
+ "encryption_algorithm": "RSA",
+ "key_size": 256,
+ },
+ "Value error, `ARISTA_ROOT_CA.crt` key size 256 is invalid for RSA encryption. Allowed sizes are (2048, 3072, 4096).",
+ id="RSA_wrong_size",
+ ),
+ pytest.param(
+ {
+ "certificate_name": "ARISTA_SIGNING_CA.crt",
+ "expiry_threshold": 30,
+ "common_name": "AristaIT-ICA ECDSA Issuing Cert Authority",
+ "encryption_algorithm": "ECDSA",
+ "key_size": 2048,
+ },
+ "Value error, `ARISTA_SIGNING_CA.crt` key size 2048 is invalid for ECDSA encryption. Allowed sizes are (256, 384, 512).",
+ id="ECDSA_wrong_size",
+ ),
+ ],
+ )
+ def test_invalid(self, model_params: dict[str, Any], error: str) -> None:
+ """Test invalid inputs for anta.tests.security.VerifyAPISSLCertificate.Input.APISSLCertificate."""
+ with pytest.raises(ValidationError) as exec_info:
+ VerifyAPISSLCertificate.Input.APISSLCertificate.model_validate(model_params)
+ assert error == exec_info.value.errors()[0]["msg"]
+
+ @pytest.mark.parametrize(
+ "model_params",
+ [
+ pytest.param(
+ {
+ "certificate_name": "ARISTA_SIGNING_CA.crt",
+ "expiry_threshold": 30,
+ "common_name": "AristaIT-ICA ECDSA Issuing Cert Authority",
+ "encryption_algorithm": "ECDSA",
+ "key_size": 256,
+ },
+ id="ECDSA",
+ ),
+ pytest.param(
+ {
+ "certificate_name": "ARISTA_ROOT_CA.crt",
+ "expiry_threshold": 30,
+ "common_name": "Arista Networks Internal IT Root Cert Authority",
+ "encryption_algorithm": "RSA",
+ "key_size": 4096,
+ },
+ id="RSA",
+ ),
+ ],
+ )
+ def test_valid(self, model_params: dict[str, Any]) -> None:
+ """Test valid inputs for anta.tests.security.VerifyAPISSLCertificate.Input.APISSLCertificate."""
+ VerifyAPISSLCertificate.Input.APISSLCertificate.model_validate(model_params)
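Review bot: test_valid at the end of the hunk never asserts anything about the model it builds, so it only proves that model_validate does not raise; binding the result and checking a field pins the accepted values, e.g. `cert = VerifyAPISSLCertificate.Input.APISSLCertificate.model_validate(model_params)` followed by `assert cert.key_size == model_params["key_size"]` (assuming the model exposes the field under the same name). In test_invalid, `exec_info.value.errors()[0]["msg"]` silently assumes exactly one validation error, so adding `assert len(exec_info.value.errors()) == 1` before the message comparison would surface a second, unexpected error instead of hiding it behind an IndexError or a confusing message mismatch. Minor naming point: pytest's conventional name for the `raises` context is `exc_info`. The class TestAPISSLCertificate starts and ends within this hunk, which runs to the end of the file.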