Merging upstream version 1.1.0.

Signed-off-by: Daniel Baumann <daniel@debian.org>
This commit is contained in:
Daniel Baumann 2025-02-05 11:54:55 +01:00
parent 50f8dbf7e8
commit 2044ea6182
Signed by: daniel
GPG key ID: FBB4F0E80A80222F
196 changed files with 10121 additions and 3780 deletions


@ -7,6 +7,9 @@ from __future__ import annotations
from typing import Any
import pytest
from pydantic import ValidationError
from anta.tests.security import (
VerifyAPIHttpsSSL,
VerifyAPIHttpStatus,
@ -15,6 +18,7 @@ from anta.tests.security import (
VerifyAPISSLCertificate,
VerifyBannerLogin,
VerifyBannerMotd,
VerifyHardwareEntropy,
VerifyIPSecConnHealth,
VerifyIPv4ACL,
VerifySpecificIPSecConn,
@ -23,7 +27,7 @@ from anta.tests.security import (
VerifySSHStatus,
VerifyTelnetStatus,
)
from tests.lib.anta import test # noqa: F401; pylint: disable=W0611
from tests.units.anta_tests import test
DATA: list[dict[str, Any]] = [
{
@ -38,15 +42,35 @@ DATA: list[dict[str, Any]] = [
"test": VerifySSHStatus,
"eos_data": ["SSH per host connection limit is 20\nFIPS status: disabled\n\n"],
"inputs": None,
"expected": {"result": "error", "messages": ["Could not find SSH status in returned output."]},
"expected": {"result": "failure", "messages": ["Could not find SSH status in returned output."]},
},
{
"name": "failure-ssh-disabled",
"name": "failure-ssh-enabled",
"test": VerifySSHStatus,
"eos_data": ["SSHD status for Default VRF is enabled\nSSH connection limit is 50\nSSH per host connection limit is 20\nFIPS status: disabled\n\n"],
"inputs": None,
"expected": {"result": "failure", "messages": ["SSHD status for Default VRF is enabled"]},
},
{
"name": "success-4.32",
"test": VerifySSHStatus,
"eos_data": [
"User certificate authentication methods: none (neither trusted CA nor SSL profile configured)\n"
"SSHD status for Default VRF: disabled\nSSH connection limit: 50\nSSH per host connection limit: 20\nFIPS status: disabled\n\n"
],
"inputs": None,
"expected": {"result": "success"},
},
{
"name": "failure-ssh-enabled-4.32",
"test": VerifySSHStatus,
"eos_data": [
"User certificate authentication methods: none (neither trusted CA nor SSL profile configured)\n"
"SSHD status for Default VRF: enabled\nSSH connection limit: 50\nSSH per host connection limit: 20\nFIPS status: disabled\n\n"
],
"inputs": None,
"expected": {"result": "failure", "messages": ["SSHD status for Default VRF: enabled"]},
},
{
"name": "success",
"test": VerifySSHIPv4Acl,
@ -580,40 +604,6 @@ DATA: list[dict[str, Any]] = [
],
},
},
{
"name": "error-wrong-input-rsa",
"test": VerifyAPISSLCertificate,
"eos_data": [],
"inputs": {
"certificates": [
{
"certificate_name": "ARISTA_ROOT_CA.crt",
"expiry_threshold": 30,
"common_name": "Arista Networks Internal IT Root Cert Authority",
"encryption_algorithm": "RSA",
"key_size": 256,
},
]
},
"expected": {"result": "error", "messages": ["Allowed sizes are (2048, 3072, 4096)."]},
},
{
"name": "error-wrong-input-ecdsa",
"test": VerifyAPISSLCertificate,
"eos_data": [],
"inputs": {
"certificates": [
{
"certificate_name": "ARISTA_SIGNING_CA.crt",
"expiry_threshold": 30,
"common_name": "AristaIT-ICA ECDSA Issuing Cert Authority",
"encryption_algorithm": "ECDSA",
"key_size": 2048,
},
]
},
"expected": {"result": "error", "messages": ["Allowed sizes are (256, 384, 512)."]},
},
{
"name": "success",
"test": VerifyBannerLogin,
@ -1213,4 +1203,84 @@ DATA: list[dict[str, Any]] = [
],
},
},
{
"name": "success",
"test": VerifyHardwareEntropy,
"eos_data": [{"cpuModel": "2.20GHz", "cryptoModule": "Crypto Module v3.0", "hardwareEntropyEnabled": True, "blockedNetworkProtocols": []}],
"inputs": {},
"expected": {"result": "success"},
},
{
"name": "failure",
"test": VerifyHardwareEntropy,
"eos_data": [{"cpuModel": "2.20GHz", "cryptoModule": "Crypto Module v3.0", "hardwareEntropyEnabled": False, "blockedNetworkProtocols": []}],
"inputs": {},
"expected": {"result": "failure", "messages": ["Hardware entropy generation is disabled."]},
},
]
class TestAPISSLCertificate:
"""Test anta.tests.security.VerifyAPISSLCertificate.Input.APISSLCertificate."""
@pytest.mark.parametrize(
("model_params", "error"),
[
pytest.param(
{
"certificate_name": "ARISTA_ROOT_CA.crt",
"expiry_threshold": 30,
"common_name": "Arista Networks Internal IT Root Cert Authority",
"encryption_algorithm": "RSA",
"key_size": 256,
},
"Value error, `ARISTA_ROOT_CA.crt` key size 256 is invalid for RSA encryption. Allowed sizes are (2048, 3072, 4096).",
id="RSA_wrong_size",
),
pytest.param(
{
"certificate_name": "ARISTA_SIGNING_CA.crt",
"expiry_threshold": 30,
"common_name": "AristaIT-ICA ECDSA Issuing Cert Authority",
"encryption_algorithm": "ECDSA",
"key_size": 2048,
},
"Value error, `ARISTA_SIGNING_CA.crt` key size 2048 is invalid for ECDSA encryption. Allowed sizes are (256, 384, 512).",
id="ECDSA_wrong_size",
),
],
)
def test_invalid(self, model_params: dict[str, Any], error: str) -> None:
"""Test invalid inputs for anta.tests.security.VerifyAPISSLCertificate.Input.APISSLCertificate."""
with pytest.raises(ValidationError) as exec_info:
VerifyAPISSLCertificate.Input.APISSLCertificate.model_validate(model_params)
assert error == exec_info.value.errors()[0]["msg"]
@pytest.mark.parametrize(
"model_params",
[
pytest.param(
{
"certificate_name": "ARISTA_SIGNING_CA.crt",
"expiry_threshold": 30,
"common_name": "AristaIT-ICA ECDSA Issuing Cert Authority",
"encryption_algorithm": "ECDSA",
"key_size": 256,
},
id="ECDSA",
),
pytest.param(
{
"certificate_name": "ARISTA_ROOT_CA.crt",
"expiry_threshold": 30,
"common_name": "Arista Networks Internal IT Root Cert Authority",
"encryption_algorithm": "RSA",
"key_size": 4096,
},
id="RSA",
),
],
)
def test_valid(self, model_params: dict[str, Any]) -> None:
"""Test valid inputs for anta.tests.security.VerifyAPISSLCertificate.Input.APISSLCertificate."""
VerifyAPISSLCertificate.Input.APISSLCertificate.model_validate(model_params)
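Review bot: The `ECDSA_wrong_size` case pins the validator's allowed ECDSA sizes as `(256, 384, 512)`, yet the NIST curves EOS is most likely to present are P-256, P-384 and P-521 — a P-521 key reports 521 bits, not 512, so if the validator in `anta.tests.security` accepts exactly those three values (inferred from the message; the validator itself is outside this file) a legitimate P-521 API certificate would be rejected as invalid input. Confirm with the validator whether 512 is deliberate (e.g. brainpoolP512r1) or a typo for 521, and add a `test_valid` parameter such as `{"certificate_name": "ARISTA_P521.crt", "expiry_threshold": 30, "common_name": "...", "encryption_algorithm": "ECDSA", "key_size": 521}` once settled. Separately, `test_invalid` compares the full `"Value error, ..."` string, which couples the test to pydantic's message prefix rather than to the project's own wording; asserting `"Allowed sizes are (256, 384, 512)." in exec_info.value.errors()[0]["msg"]` keeps the check on the part this project controls. The `VerifyHardwareEntropy` data above also has no case for output lacking the `hardwareEntropyEnabled` key, which is worth covering if older EOS releases omit it.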