Diffstat (limited to 'tests/units/anta_tests/test_security.py')
-rw-r--r--tests/units/anta_tests/test_security.py291
1 files changed, 283 insertions, 8 deletions
diff --git a/tests/units/anta_tests/test_security.py b/tests/units/anta_tests/test_security.py
index 17fa04e..4c28541 100644
--- a/tests/units/anta_tests/test_security.py
+++ b/tests/units/anta_tests/test_security.py
@@ -1,9 +1,8 @@
# Copyright (c) 2023-2024 Arista Networks, Inc.
# Use of this source code is governed by the Apache License 2.0
# that can be found in the LICENSE file.
-"""
-Tests for anta.tests.security.py
-"""
+"""Tests for anta.tests.security.py."""
+
from __future__ import annotations
from typing import Any
@@ -16,7 +15,9 @@ from anta.tests.security import (
VerifyAPISSLCertificate,
VerifyBannerLogin,
VerifyBannerMotd,
+ VerifyIPSecConnHealth,
VerifyIPv4ACL,
+ VerifySpecificIPSecConn,
VerifySSHIPv4Acl,
VerifySSHIPv6Acl,
VerifySSHStatus,
@@ -107,7 +108,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
- }
+ },
],
"inputs": None,
"expected": {"result": "success"},
@@ -124,7 +125,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
- }
+ },
],
"inputs": None,
"expected": {"result": "failure", "messages": ["eAPI HTTP server is enabled globally"]},
@@ -141,7 +142,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
- }
+ },
],
"inputs": {"profile": "API_SSL_Profile"},
"expected": {"result": "success"},
@@ -157,7 +158,7 @@ DATA: list[dict[str, Any]] = [
"httpsServer": {"configured": True, "running": True, "port": 443},
"unixSocketServer": {"configured": False, "running": False},
"tlsProtocol": ["1.2"],
- }
+ },
],
"inputs": {"profile": "API_SSL_Profile"},
"expected": {"result": "failure", "messages": ["eAPI HTTPS server SSL profile (API_SSL_Profile) is not configured"]},
@@ -174,7 +175,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "Wrong_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
- }
+ },
],
"inputs": {"profile": "API_SSL_Profile"},
"expected": {"result": "failure", "messages": ["eAPI HTTPS server SSL profile (API_SSL_Profile) is misconfigured or invalid"]},
@@ -897,4 +898,278 @@ DATA: list[dict[str, Any]] = [
],
},
},
+ {
+ "name": "success",
+ "test": VerifyIPSecConnHealth,
+ "eos_data": [
+ {
+ "connections": {
+ "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+ "pathDict": {"path9": "Established"},
+ },
+ "default-100.64.3.2-100.64.5.2-srcUnused-0": {
+ "pathDict": {"path10": "Established"},
+ },
+ }
+ }
+ ],
+ "inputs": {},
+ "expected": {"result": "success"},
+ },
+ {
+ "name": "failure-no-connection",
+ "test": VerifyIPSecConnHealth,
+ "eos_data": [{"connections": {}}],
+ "inputs": {},
+ "expected": {"result": "failure", "messages": ["No IPv4 security connection configured."]},
+ },
+ {
+ "name": "failure-not-established",
+ "test": VerifyIPSecConnHealth,
+ "eos_data": [
+ {
+ "connections": {
+ "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+ "pathDict": {"path9": "Idle"},
+ "saddr": "172.18.3.2",
+ "daddr": "172.18.2.2",
+ "tunnelNs": "default",
+ },
+ "Guest-100.64.3.2-100.64.5.2-srcUnused-0": {"pathDict": {"path10": "Idle"}, "saddr": "100.64.3.2", "daddr": "100.64.5.2", "tunnelNs": "Guest"},
+ }
+ }
+ ],
+ "inputs": {},
+ "expected": {
+ "result": "failure",
+ "messages": [
+ "The following IPv4 security connections are not established:\n"
+ "source:172.18.3.2 destination:172.18.2.2 vrf:default\n"
+ "source:100.64.3.2 destination:100.64.5.2 vrf:Guest."
+ ],
+ },
+ },
+ {
+ "name": "success-with-connection",
+ "test": VerifySpecificIPSecConn,
+ "eos_data": [
+ {
+ "connections": {
+ "Guest-172.18.3.2-172.18.2.2-srcUnused-0": {
+ "pathDict": {"path9": "Established"},
+ "saddr": "172.18.3.2",
+ "daddr": "172.18.2.2",
+ "tunnelNs": "Guest",
+ },
+ "Guest-100.64.3.2-100.64.2.2-srcUnused-0": {
+ "pathDict": {"path10": "Established"},
+ "saddr": "100.64.3.2",
+ "daddr": "100.64.2.2",
+ "tunnelNs": "Guest",
+ },
+ }
+ }
+ ],
+ "inputs": {
+ "ip_security_connections": [
+ {
+ "peer": "10.255.0.1",
+ "vrf": "Guest",
+ "connections": [
+ {"source_address": "100.64.3.2", "destination_address": "100.64.2.2"},
+ {"source_address": "172.18.3.2", "destination_address": "172.18.2.2"},
+ ],
+ },
+ ]
+ },
+ "expected": {"result": "success"},
+ },
+ {
+ "name": "success-without-connection",
+ "test": VerifySpecificIPSecConn,
+ "eos_data": [
+ {
+ "connections": {
+ "default-172.18.3.2-172.18.2.2-srcUnused-0": {
+ "pathDict": {"path9": "Established"},
+ "saddr": "172.18.3.2",
+ "daddr": "172.18.2.2",
+ "tunnelNs": "default",
+ },
+ "default-100.64.3.2-100.64.2.2-srcUnused-0": {"pathDict": {"path10": "Established"}, "saddr": "100.64.3.2", "daddr": "100.64.2.2"},
+ }
+ }
+ ],
+ "inputs": {
+ "ip_security_connections": [
+ {
+ "peer": "10.255.0.1",
+ "vrf": "default",
+ },
+ ]
+ },
+ "expected": {"result": "success"},
+ },
+ {
+ "name": "failure-no-connection",
+ "test": VerifySpecificIPSecConn,
+ "eos_data": [
+ {"connections": {}},
+ {
+ "connections": {
+ "DATA-172.18.3.2-172.18.2.2-srcUnused-0": {
+ "pathDict": {"path9": "Established"},
+ "saddr": "172.18.3.2",
+ "daddr": "172.18.2.2",
+ "tunnelNs": "DATA",
+ },
+ "DATA-100.64.3.2-100.64.2.2-srcUnused-0": {
+ "pathDict": {"path10": "Established"},
+ "saddr": "100.64.3.2",
+ "daddr": "100.64.2.2",
+ "tunnelNs": "DATA",
+ },
+ }
+ },
+ ],
+ "inputs": {
+ "ip_security_connections": [
+ {
+ "peer": "10.255.0.1",
+ "vrf": "default",
+ },
+ {
+ "peer": "10.255.0.2",
+ "vrf": "DATA",
+ "connections": [
+ {"source_address": "100.64.3.2", "destination_address": "100.64.2.2"},
+ {"source_address": "172.18.3.2", "destination_address": "172.18.2.2"},
+ ],
+ },
+ ]
+ },
+ "expected": {"result": "failure", "messages": ["No IPv4 security connection configured for peer `10.255.0.1`."]},
+ },
+ {
+ "name": "failure-not-established",
+ "test": VerifySpecificIPSecConn,
+ "eos_data": [
+ {
+ "connections": {
+ "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+ "pathDict": {"path9": "Idle"},
+ "saddr": "172.18.3.2",
+ "daddr": "172.18.2.2",
+ "tunnelNs": "default",
+ },
+ "default-100.64.3.2-100.64.5.2-srcUnused-0": {
+ "pathDict": {"path10": "Idle"},
+ "saddr": "100.64.2.2",
+ "daddr": "100.64.1.2",
+ "tunnelNs": "default",
+ },
+ },
+ },
+ {
+ "connections": {
+ "MGMT-172.18.2.2-172.18.1.2-srcUnused-0": {"pathDict": {"path9": "Idle"}, "saddr": "172.18.2.2", "daddr": "172.18.1.2", "tunnelNs": "MGMT"},
+ "MGMT-100.64.2.2-100.64.1.2-srcUnused-0": {"pathDict": {"path10": "Idle"}, "saddr": "100.64.2.2", "daddr": "100.64.1.2", "tunnelNs": "MGMT"},
+ }
+ },
+ ],
+ "inputs": {
+ "ip_security_connections": [
+ {
+ "peer": "10.255.0.1",
+ "vrf": "default",
+ },
+ {
+ "peer": "10.255.0.2",
+ "vrf": "MGMT",
+ "connections": [
+ {"source_address": "100.64.2.2", "destination_address": "100.64.1.2"},
+ {"source_address": "172.18.2.2", "destination_address": "172.18.1.2"},
+ ],
+ },
+ ]
+ },
+ "expected": {
+ "result": "failure",
+ "messages": [
+ "Expected state of IPv4 security connection `source:172.18.3.2 destination:172.18.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
+ "but found `Idle` instead.",
+ "Expected state of IPv4 security connection `source:100.64.2.2 destination:100.64.1.2 vrf:default` for peer `10.255.0.1` is `Established` "
+ "but found `Idle` instead.",
+ "Expected state of IPv4 security connection `source:100.64.2.2 destination:100.64.1.2 vrf:MGMT` for peer `10.255.0.2` is `Established` "
+ "but found `Idle` instead.",
+ "Expected state of IPv4 security connection `source:172.18.2.2 destination:172.18.1.2 vrf:MGMT` for peer `10.255.0.2` is `Established` "
+ "but found `Idle` instead.",
+ ],
+ },
+ },
+ {
+ "name": "failure-missing-connection",
+ "test": VerifySpecificIPSecConn,
+ "eos_data": [
+ {
+ "connections": {
+ "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+ "pathDict": {"path9": "Idle"},
+ "saddr": "172.18.3.2",
+ "daddr": "172.18.2.2",
+ "tunnelNs": "default",
+ },
+ "default-100.64.3.2-100.64.5.2-srcUnused-0": {
+ "pathDict": {"path10": "Idle"},
+ "saddr": "100.64.3.2",
+ "daddr": "100.64.2.2",
+ "tunnelNs": "default",
+ },
+ },
+ },
+ {
+ "connections": {
+ "default-172.18.2.2-172.18.1.2-srcUnused-0": {
+ "pathDict": {"path9": "Idle"},
+ "saddr": "172.18.2.2",
+ "daddr": "172.18.1.2",
+ "tunnelNs": "default",
+ },
+ "default-100.64.2.2-100.64.1.2-srcUnused-0": {
+ "pathDict": {"path10": "Idle"},
+ "saddr": "100.64.2.2",
+ "daddr": "100.64.1.2",
+ "tunnelNs": "default",
+ },
+ }
+ },
+ ],
+ "inputs": {
+ "ip_security_connections": [
+ {
+ "peer": "10.255.0.1",
+ "vrf": "default",
+ },
+ {
+ "peer": "10.255.0.2",
+ "vrf": "default",
+ "connections": [
+ {"source_address": "100.64.4.2", "destination_address": "100.64.1.2"},
+ {"source_address": "172.18.4.2", "destination_address": "172.18.1.2"},
+ ],
+ },
+ ]
+ },
+ "expected": {
+ "result": "failure",
+ "messages": [
+ "Expected state of IPv4 security connection `source:172.18.3.2 destination:172.18.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
+ "but found `Idle` instead.",
+ "Expected state of IPv4 security connection `source:100.64.3.2 destination:100.64.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
+ "but found `Idle` instead.",
+ "IPv4 security connection `source:100.64.4.2 destination:100.64.1.2 vrf:default` for peer `10.255.0.2` is not found.",
+ "IPv4 security connection `source:172.18.4.2 destination:172.18.1.2 vrf:default` for peer `10.255.0.2` is not found.",
+ ],
+ },
+ },
]
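Review bot: Several of the new fixtures disagree with themselves about which connection they describe: in the VerifyIPSecConnHealth `failure-not-established` case the key `default-172.18.3.2-172.18.5.2-srcUnused-0` carries `"daddr": "172.18.2.2"`, and in the VerifySpecificIPSecConn `failure-not-established` and `failure-missing-connection` cases the keys `default-100.64.3.2-100.64.5.2-srcUnused-0` / `default-172.18.3.2-172.18.5.2-srcUnused-0` carry addresses that do not match the key. The expected messages are built from `saddr`/`daddr`, so the tests pass, but a fixture that could not have come from a real device gives little assurance about how the test behaves on real output; aligning each key with its fields, e.g. `"default-172.18.3.2-172.18.2.2-srcUnused-0": {`, keeps the fixtures honest. Every `pathDict` in the hunk holds exactly one path, so nothing pins down whether a connection with two paths in mixed states (one `Established`, one `Idle`) or an empty `pathDict` is reported as healthy or not — that is the security-relevant outcome of these two tests and deserves a case each. In the `success-without-connection` case the second connection omits `tunnelNs` unlike its sibling; if that is deliberate (exercising a default-VRF fallback) a `# tunnelNs intentionally omitted` comment would stop it being "corrected" later, and if not it should be added.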