Diffstat (limited to 'tests/units/anta_tests/test_security.py')
-rw-r--r-- | tests/units/anta_tests/test_security.py | 291 |
1 files changed, 283 insertions, 8 deletions
diff --git a/tests/units/anta_tests/test_security.py b/tests/units/anta_tests/test_security.py
index 17fa04e..4c28541 100644
--- a/tests/units/anta_tests/test_security.py
+++ b/tests/units/anta_tests/test_security.py
@@ -1,9 +1,8 @@
 # Copyright (c) 2023-2024 Arista Networks, Inc.
 # Use of this source code is governed by the Apache License 2.0
 # that can be found in the LICENSE file.
-"""
-Tests for anta.tests.security.py
-"""
+"""Tests for anta.tests.security.py."""
+
 from __future__ import annotations
 
 from typing import Any
@@ -16,7 +15,9 @@ from anta.tests.security import (
     VerifyAPISSLCertificate,
     VerifyBannerLogin,
     VerifyBannerMotd,
+    VerifyIPSecConnHealth,
     VerifyIPv4ACL,
+    VerifySpecificIPSecConn,
     VerifySSHIPv4Acl,
     VerifySSHIPv6Acl,
     VerifySSHStatus,
@@ -107,7 +108,7 @@ DATA: list[dict[str, Any]] = [
                 "unixSocketServer": {"configured": False, "running": False},
                 "sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
                 "tlsProtocol": ["1.2"],
-            }
+            },
         ],
         "inputs": None,
         "expected": {"result": "success"},
@@ -124,7 +125,7 @@ DATA: list[dict[str, Any]] = [
                 "unixSocketServer": {"configured": False, "running": False},
                 "sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
                 "tlsProtocol": ["1.2"],
-            }
+            },
         ],
         "inputs": None,
         "expected": {"result": "failure", "messages": ["eAPI HTTP server is enabled globally"]},
@@ -141,7 +142,7 @@ DATA: list[dict[str, Any]] = [
                 "unixSocketServer": {"configured": False, "running": False},
                 "sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
                 "tlsProtocol": ["1.2"],
-            }
+            },
         ],
         "inputs": {"profile": "API_SSL_Profile"},
         "expected": {"result": "success"},
@@ -157,7 +158,7 @@ DATA: list[dict[str, Any]] = [
                 "httpsServer": {"configured": True, "running": True, "port": 443},
                 "unixSocketServer": {"configured": False, "running": False},
                 "tlsProtocol": ["1.2"],
-            }
+            },
         ],
         "inputs": {"profile": "API_SSL_Profile"},
         "expected": {"result": "failure", "messages": ["eAPI HTTPS server SSL profile (API_SSL_Profile) is not configured"]},
@@ -174,7 +175,7 @@ DATA: list[dict[str, Any]] = [
                 "unixSocketServer": {"configured": False, "running": False},
                 "sslProfile": {"name": "Wrong_SSL_Profile", "configured": True, "state": "valid"},
                 "tlsProtocol": ["1.2"],
-            }
+            },
         ],
         "inputs": {"profile": "API_SSL_Profile"},
         "expected": {"result": "failure", "messages": ["eAPI HTTPS server SSL profile (API_SSL_Profile) is misconfigured or invalid"]},
@@ -897,4 +898,278 @@ DATA: list[dict[str, Any]] = [
             ],
         },
     },
+    {
+        "name": "success",
+        "test": VerifyIPSecConnHealth,
+        "eos_data": [
+            {
+                "connections": {
+                    "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+                        "pathDict": {"path9": "Established"},
+                    },
+                    "default-100.64.3.2-100.64.5.2-srcUnused-0": {
+                        "pathDict": {"path10": "Established"},
+                    },
+                }
+            }
+        ],
+        "inputs": {},
+        "expected": {"result": "success"},
+    },
+    {
+        "name": "failure-no-connection",
+        "test": VerifyIPSecConnHealth,
+        "eos_data": [{"connections": {}}],
+        "inputs": {},
+        "expected": {"result": "failure", "messages": ["No IPv4 security connection configured."]},
+    },
+    {
+        "name": "failure-not-established",
+        "test": VerifyIPSecConnHealth,
+        "eos_data": [
+            {
+                "connections": {
+                    "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+                        "pathDict": {"path9": "Idle"},
+                        "saddr": "172.18.3.2",
+                        "daddr": "172.18.2.2",
+                        "tunnelNs": "default",
+                    },
+                    "Guest-100.64.3.2-100.64.5.2-srcUnused-0": {"pathDict": {"path10": "Idle"}, "saddr": "100.64.3.2", "daddr": "100.64.5.2", "tunnelNs": "Guest"},
+                }
+            }
+        ],
+        "inputs": {},
+        "expected": {
+            "result": "failure",
+            "messages": [
+                "The following IPv4 security connections are not established:\n"
+                "source:172.18.3.2 destination:172.18.2.2 vrf:default\n"
+                "source:100.64.3.2 destination:100.64.5.2 vrf:Guest."
+            ],
+        },
+    },
+    {
+        "name": "success-with-connection",
+        "test": VerifySpecificIPSecConn,
+        "eos_data": [
+            {
+                "connections": {
+                    "Guest-172.18.3.2-172.18.2.2-srcUnused-0": {
+                        "pathDict": {"path9": "Established"},
+                        "saddr": "172.18.3.2",
+                        "daddr": "172.18.2.2",
+                        "tunnelNs": "Guest",
+                    },
+                    "Guest-100.64.3.2-100.64.2.2-srcUnused-0": {
+                        "pathDict": {"path10": "Established"},
+                        "saddr": "100.64.3.2",
+                        "daddr": "100.64.2.2",
+                        "tunnelNs": "Guest",
+                    },
+                }
+            }
+        ],
+        "inputs": {
+            "ip_security_connections": [
+                {
+                    "peer": "10.255.0.1",
+                    "vrf": "Guest",
+                    "connections": [
+                        {"source_address": "100.64.3.2", "destination_address": "100.64.2.2"},
+                        {"source_address": "172.18.3.2", "destination_address": "172.18.2.2"},
+                    ],
+                },
+            ]
+        },
+        "expected": {"result": "success"},
+    },
+    {
+        "name": "success-without-connection",
+        "test": VerifySpecificIPSecConn,
+        "eos_data": [
+            {
+                "connections": {
+                    "default-172.18.3.2-172.18.2.2-srcUnused-0": {
+                        "pathDict": {"path9": "Established"},
+                        "saddr": "172.18.3.2",
+                        "daddr": "172.18.2.2",
+                        "tunnelNs": "default",
+                    },
+                    "default-100.64.3.2-100.64.2.2-srcUnused-0": {"pathDict": {"path10": "Established"}, "saddr": "100.64.3.2", "daddr": "100.64.2.2"},
+                }
+            }
+        ],
+        "inputs": {
+            "ip_security_connections": [
+                {
+                    "peer": "10.255.0.1",
+                    "vrf": "default",
+                },
+            ]
+        },
+        "expected": {"result": "success"},
+    },
+    {
+        "name": "failure-no-connection",
+        "test": VerifySpecificIPSecConn,
+        "eos_data": [
+            {"connections": {}},
+            {
+                "connections": {
+                    "DATA-172.18.3.2-172.18.2.2-srcUnused-0": {
+                        "pathDict": {"path9": "Established"},
+                        "saddr": "172.18.3.2",
+                        "daddr": "172.18.2.2",
+                        "tunnelNs": "DATA",
+                    },
+                    "DATA-100.64.3.2-100.64.2.2-srcUnused-0": {
+                        "pathDict": {"path10": "Established"},
+                        "saddr": "100.64.3.2",
+                        "daddr": "100.64.2.2",
+                        "tunnelNs": "DATA",
+                    },
+                }
+            },
+        ],
+        "inputs": {
+            "ip_security_connections": [
+                {
+                    "peer": "10.255.0.1",
+                    "vrf": "default",
+                },
+                {
+                    "peer": "10.255.0.2",
+                    "vrf": "DATA",
+                    "connections": [
+                        {"source_address": "100.64.3.2", "destination_address": "100.64.2.2"},
+                        {"source_address": "172.18.3.2", "destination_address": "172.18.2.2"},
+                    ],
+                },
+            ]
+        },
+        "expected": {"result": "failure", "messages": ["No IPv4 security connection configured for peer `10.255.0.1`."]},
+    },
+    {
+        "name": "failure-not-established",
+        "test": VerifySpecificIPSecConn,
+        "eos_data": [
+            {
+                "connections": {
+                    "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+                        "pathDict": {"path9": "Idle"},
+                        "saddr": "172.18.3.2",
+                        "daddr": "172.18.2.2",
+                        "tunnelNs": "default",
+                    },
+                    "default-100.64.3.2-100.64.5.2-srcUnused-0": {
+                        "pathDict": {"path10": "Idle"},
+                        "saddr": "100.64.2.2",
+                        "daddr": "100.64.1.2",
+                        "tunnelNs": "default",
+                    },
+                },
+            },
+            {
+                "connections": {
+                    "MGMT-172.18.2.2-172.18.1.2-srcUnused-0": {"pathDict": {"path9": "Idle"}, "saddr": "172.18.2.2", "daddr": "172.18.1.2", "tunnelNs": "MGMT"},
+                    "MGMT-100.64.2.2-100.64.1.2-srcUnused-0": {"pathDict": {"path10": "Idle"}, "saddr": "100.64.2.2", "daddr": "100.64.1.2", "tunnelNs": "MGMT"},
+                }
+            },
+        ],
+        "inputs": {
+            "ip_security_connections": [
+                {
+                    "peer": "10.255.0.1",
+                    "vrf": "default",
+                },
+                {
+                    "peer": "10.255.0.2",
+                    "vrf": "MGMT",
+                    "connections": [
+                        {"source_address": "100.64.2.2", "destination_address": "100.64.1.2"},
+                        {"source_address": "172.18.2.2", "destination_address": "172.18.1.2"},
+                    ],
+                },
+            ]
+        },
+        "expected": {
+            "result": "failure",
+            "messages": [
+                "Expected state of IPv4 security connection `source:172.18.3.2 destination:172.18.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
+                "but found `Idle` instead.",
+                "Expected state of IPv4 security connection `source:100.64.2.2 destination:100.64.1.2 vrf:default` for peer `10.255.0.1` is `Established` "
+                "but found `Idle` instead.",
+                "Expected state of IPv4 security connection `source:100.64.2.2 destination:100.64.1.2 vrf:MGMT` for peer `10.255.0.2` is `Established` "
+                "but found `Idle` instead.",
+                "Expected state of IPv4 security connection `source:172.18.2.2 destination:172.18.1.2 vrf:MGMT` for peer `10.255.0.2` is `Established` "
+                "but found `Idle` instead.",
+            ],
+        },
+    },
+    {
+        "name": "failure-missing-connection",
+        "test": VerifySpecificIPSecConn,
+        "eos_data": [
+            {
+                "connections": {
+                    "default-172.18.3.2-172.18.5.2-srcUnused-0": {
+                        "pathDict": {"path9": "Idle"},
+                        "saddr": "172.18.3.2",
+                        "daddr": "172.18.2.2",
+                        "tunnelNs": "default",
+                    },
+                    "default-100.64.3.2-100.64.5.2-srcUnused-0": {
+                        "pathDict": {"path10": "Idle"},
+                        "saddr": "100.64.3.2",
+                        "daddr": "100.64.2.2",
+                        "tunnelNs": "default",
+                    },
+                },
+            },
+            {
+                "connections": {
+                    "default-172.18.2.2-172.18.1.2-srcUnused-0": {
+                        "pathDict": {"path9": "Idle"},
+                        "saddr": "172.18.2.2",
+                        "daddr": "172.18.1.2",
+                        "tunnelNs": "default",
+                    },
+                    "default-100.64.2.2-100.64.1.2-srcUnused-0": {
+                        "pathDict": {"path10": "Idle"},
+                        "saddr": "100.64.2.2",
+                        "daddr": "100.64.1.2",
+                        "tunnelNs": "default",
+                    },
+                }
+            },
+        ],
+        "inputs": {
+            "ip_security_connections": [
+                {
+                    "peer": "10.255.0.1",
+                    "vrf": "default",
+                },
+                {
+                    "peer": "10.255.0.2",
+                    "vrf": "default",
+                    "connections": [
+                        {"source_address": "100.64.4.2", "destination_address": "100.64.1.2"},
+                        {"source_address": "172.18.4.2", "destination_address": "172.18.1.2"},
+                    ],
+                },
+            ]
+        },
+        "expected": {
+            "result": "failure",
+            "messages": [
+                "Expected state of IPv4 security connection `source:172.18.3.2 destination:172.18.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
+                "but found `Idle` instead.",
+                "Expected state of IPv4 security connection `source:100.64.3.2 destination:100.64.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
+                "but found `Idle` instead.",
+                "IPv4 security connection `source:100.64.4.2 destination:100.64.1.2 vrf:default` for peer `10.255.0.2` is not found.",
+                "IPv4 security connection `source:172.18.4.2 destination:172.18.1.2 vrf:default` for peer `10.255.0.2` is not found.",
+            ],
+        },
+    },
 ]
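Review bot: The `success-without-connection` case feeds VerifySpecificIPSecConn an entry (`default-100.64.3.2-100.64.2.2-srcUnused-0`) with no `tunnelNs` key while every other fixture in this hunk carries one, so it does not mirror the other EOS samples and, if the implementation only reads `tunnelNs` when it builds a failure message, the missing key is never exercised here; adding `"tunnelNs": "default",` to that entry keeps the fixtures uniform. Several connection keys also disagree with their own `saddr`/`daddr` values, for example `default-172.18.3.2-172.18.5.2-srcUnused-0` paired with `"daddr": "172.18.2.2"` in both `failure-not-established` cases and in `failure-missing-connection`; if the test never parses the key this is cosmetic, but aligning them avoids a misleading fixture for the next reader. None of the new cases covers a `pathDict` with more than one path or with mixed states, which is the situation the health check is most likely to hit on a real device. The enclosing DATA list starts outside the hunk.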