Merging upstream version 0.14.0.

Signed-off-by: Daniel Baumann <daniel@debian.org>
Daniel Baumann 2025-02-05 11:39:09 +01:00
parent 082ce481df
commit 2265bd9c67
Signed by: daniel
GPG key ID: FBB4F0E80A80222F
211 changed files with 12174 additions and 6401 deletions


@ -1,9 +1,8 @@
# Copyright (c) 2023-2024 Arista Networks, Inc.
# Use of this source code is governed by the Apache License 2.0
# that can be found in the LICENSE file.
"""
Tests for anta.tests.security.py
"""
"""Tests for anta.tests.security.py."""
from __future__ import annotations
from typing import Any
@ -16,7 +15,9 @@ from anta.tests.security import (
VerifyAPISSLCertificate,
VerifyBannerLogin,
VerifyBannerMotd,
VerifyIPSecConnHealth,
VerifyIPv4ACL,
VerifySpecificIPSecConn,
VerifySSHIPv4Acl,
VerifySSHIPv6Acl,
VerifySSHStatus,
@ -107,7 +108,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
}
},
],
"inputs": None,
"expected": {"result": "success"},
@ -124,7 +125,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
}
},
],
"inputs": None,
"expected": {"result": "failure", "messages": ["eAPI HTTP server is enabled globally"]},
@ -141,7 +142,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "API_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
}
},
],
"inputs": {"profile": "API_SSL_Profile"},
"expected": {"result": "success"},
@ -157,7 +158,7 @@ DATA: list[dict[str, Any]] = [
"httpsServer": {"configured": True, "running": True, "port": 443},
"unixSocketServer": {"configured": False, "running": False},
"tlsProtocol": ["1.2"],
}
},
],
"inputs": {"profile": "API_SSL_Profile"},
"expected": {"result": "failure", "messages": ["eAPI HTTPS server SSL profile (API_SSL_Profile) is not configured"]},
@ -174,7 +175,7 @@ DATA: list[dict[str, Any]] = [
"unixSocketServer": {"configured": False, "running": False},
"sslProfile": {"name": "Wrong_SSL_Profile", "configured": True, "state": "valid"},
"tlsProtocol": ["1.2"],
}
},
],
"inputs": {"profile": "API_SSL_Profile"},
"expected": {"result": "failure", "messages": ["eAPI HTTPS server SSL profile (API_SSL_Profile) is misconfigured or invalid"]},
@ -897,4 +898,278 @@ DATA: list[dict[str, Any]] = [
],
},
},
{
"name": "success",
"test": VerifyIPSecConnHealth,
"eos_data": [
{
"connections": {
"default-172.18.3.2-172.18.5.2-srcUnused-0": {
"pathDict": {"path9": "Established"},
},
"default-100.64.3.2-100.64.5.2-srcUnused-0": {
"pathDict": {"path10": "Established"},
},
}
}
],
"inputs": {},
"expected": {"result": "success"},
},
{
"name": "failure-no-connection",
"test": VerifyIPSecConnHealth,
"eos_data": [{"connections": {}}],
"inputs": {},
"expected": {"result": "failure", "messages": ["No IPv4 security connection configured."]},
},
{
"name": "failure-not-established",
"test": VerifyIPSecConnHealth,
"eos_data": [
{
"connections": {
"default-172.18.3.2-172.18.5.2-srcUnused-0": {
"pathDict": {"path9": "Idle"},
"saddr": "172.18.3.2",
"daddr": "172.18.2.2",
"tunnelNs": "default",
},
"Guest-100.64.3.2-100.64.5.2-srcUnused-0": {"pathDict": {"path10": "Idle"}, "saddr": "100.64.3.2", "daddr": "100.64.5.2", "tunnelNs": "Guest"},
}
}
],
"inputs": {},
"expected": {
"result": "failure",
"messages": [
"The following IPv4 security connections are not established:\n"
"source:172.18.3.2 destination:172.18.2.2 vrf:default\n"
"source:100.64.3.2 destination:100.64.5.2 vrf:Guest."
],
},
},
{
"name": "success-with-connection",
"test": VerifySpecificIPSecConn,
"eos_data": [
{
"connections": {
"Guest-172.18.3.2-172.18.2.2-srcUnused-0": {
"pathDict": {"path9": "Established"},
"saddr": "172.18.3.2",
"daddr": "172.18.2.2",
"tunnelNs": "Guest",
},
"Guest-100.64.3.2-100.64.2.2-srcUnused-0": {
"pathDict": {"path10": "Established"},
"saddr": "100.64.3.2",
"daddr": "100.64.2.2",
"tunnelNs": "Guest",
},
}
}
],
"inputs": {
"ip_security_connections": [
{
"peer": "10.255.0.1",
"vrf": "Guest",
"connections": [
{"source_address": "100.64.3.2", "destination_address": "100.64.2.2"},
{"source_address": "172.18.3.2", "destination_address": "172.18.2.2"},
],
},
]
},
"expected": {"result": "success"},
},
{
"name": "success-without-connection",
"test": VerifySpecificIPSecConn,
"eos_data": [
{
"connections": {
"default-172.18.3.2-172.18.2.2-srcUnused-0": {
"pathDict": {"path9": "Established"},
"saddr": "172.18.3.2",
"daddr": "172.18.2.2",
"tunnelNs": "default",
},
"default-100.64.3.2-100.64.2.2-srcUnused-0": {"pathDict": {"path10": "Established"}, "saddr": "100.64.3.2", "daddr": "100.64.2.2"},
}
}
],
"inputs": {
"ip_security_connections": [
{
"peer": "10.255.0.1",
"vrf": "default",
},
]
},
"expected": {"result": "success"},
},
{
"name": "failure-no-connection",
"test": VerifySpecificIPSecConn,
"eos_data": [
{"connections": {}},
{
"connections": {
"DATA-172.18.3.2-172.18.2.2-srcUnused-0": {
"pathDict": {"path9": "Established"},
"saddr": "172.18.3.2",
"daddr": "172.18.2.2",
"tunnelNs": "DATA",
},
"DATA-100.64.3.2-100.64.2.2-srcUnused-0": {
"pathDict": {"path10": "Established"},
"saddr": "100.64.3.2",
"daddr": "100.64.2.2",
"tunnelNs": "DATA",
},
}
},
],
"inputs": {
"ip_security_connections": [
{
"peer": "10.255.0.1",
"vrf": "default",
},
{
"peer": "10.255.0.2",
"vrf": "DATA",
"connections": [
{"source_address": "100.64.3.2", "destination_address": "100.64.2.2"},
{"source_address": "172.18.3.2", "destination_address": "172.18.2.2"},
],
},
]
},
"expected": {"result": "failure", "messages": ["No IPv4 security connection configured for peer `10.255.0.1`."]},
},
{
"name": "failure-not-established",
"test": VerifySpecificIPSecConn,
"eos_data": [
{
"connections": {
"default-172.18.3.2-172.18.5.2-srcUnused-0": {
"pathDict": {"path9": "Idle"},
"saddr": "172.18.3.2",
"daddr": "172.18.2.2",
"tunnelNs": "default",
},
"default-100.64.3.2-100.64.5.2-srcUnused-0": {
"pathDict": {"path10": "Idle"},
"saddr": "100.64.2.2",
"daddr": "100.64.1.2",
"tunnelNs": "default",
},
},
},
{
"connections": {
"MGMT-172.18.2.2-172.18.1.2-srcUnused-0": {"pathDict": {"path9": "Idle"}, "saddr": "172.18.2.2", "daddr": "172.18.1.2", "tunnelNs": "MGMT"},
"MGMT-100.64.2.2-100.64.1.2-srcUnused-0": {"pathDict": {"path10": "Idle"}, "saddr": "100.64.2.2", "daddr": "100.64.1.2", "tunnelNs": "MGMT"},
}
},
],
"inputs": {
"ip_security_connections": [
{
"peer": "10.255.0.1",
"vrf": "default",
},
{
"peer": "10.255.0.2",
"vrf": "MGMT",
"connections": [
{"source_address": "100.64.2.2", "destination_address": "100.64.1.2"},
{"source_address": "172.18.2.2", "destination_address": "172.18.1.2"},
],
},
]
},
"expected": {
"result": "failure",
"messages": [
"Expected state of IPv4 security connection `source:172.18.3.2 destination:172.18.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
"but found `Idle` instead.",
"Expected state of IPv4 security connection `source:100.64.2.2 destination:100.64.1.2 vrf:default` for peer `10.255.0.1` is `Established` "
"but found `Idle` instead.",
"Expected state of IPv4 security connection `source:100.64.2.2 destination:100.64.1.2 vrf:MGMT` for peer `10.255.0.2` is `Established` "
"but found `Idle` instead.",
"Expected state of IPv4 security connection `source:172.18.2.2 destination:172.18.1.2 vrf:MGMT` for peer `10.255.0.2` is `Established` "
"but found `Idle` instead.",
],
},
},
{
"name": "failure-missing-connection",
"test": VerifySpecificIPSecConn,
"eos_data": [
{
"connections": {
"default-172.18.3.2-172.18.5.2-srcUnused-0": {
"pathDict": {"path9": "Idle"},
"saddr": "172.18.3.2",
"daddr": "172.18.2.2",
"tunnelNs": "default",
},
"default-100.64.3.2-100.64.5.2-srcUnused-0": {
"pathDict": {"path10": "Idle"},
"saddr": "100.64.3.2",
"daddr": "100.64.2.2",
"tunnelNs": "default",
},
},
},
{
"connections": {
"default-172.18.2.2-172.18.1.2-srcUnused-0": {
"pathDict": {"path9": "Idle"},
"saddr": "172.18.2.2",
"daddr": "172.18.1.2",
"tunnelNs": "default",
},
"default-100.64.2.2-100.64.1.2-srcUnused-0": {
"pathDict": {"path10": "Idle"},
"saddr": "100.64.2.2",
"daddr": "100.64.1.2",
"tunnelNs": "default",
},
}
},
],
"inputs": {
"ip_security_connections": [
{
"peer": "10.255.0.1",
"vrf": "default",
},
{
"peer": "10.255.0.2",
"vrf": "default",
"connections": [
{"source_address": "100.64.4.2", "destination_address": "100.64.1.2"},
{"source_address": "172.18.4.2", "destination_address": "172.18.1.2"},
],
},
]
},
"expected": {
"result": "failure",
"messages": [
"Expected state of IPv4 security connection `source:172.18.3.2 destination:172.18.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
"but found `Idle` instead.",
"Expected state of IPv4 security connection `source:100.64.3.2 destination:100.64.2.2 vrf:default` for peer `10.255.0.1` is `Established` "
"but found `Idle` instead.",
"IPv4 security connection `source:100.64.4.2 destination:100.64.1.2 vrf:default` for peer `10.255.0.2` is not found.",
"IPv4 security connection `source:172.18.4.2 destination:172.18.1.2 vrf:default` for peer `10.255.0.2` is not found.",
],
},
},
]
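Review bot: Every `pathDict` in the new VerifyIPSecConnHealth and VerifySpecificIPSecConn cases holds exactly one path, so nothing in this hunk pins what the tests report when a single connection has several paths in different states. For a check whose purpose is to confirm that tunnels are up, that is the input most likely to hide a down path: a verdict taken from only the first `pathDict` entry would presumably still pass all of these cases. I would add one case per test with `"pathDict": {"path9": "Established", "path10": "Idle"}`, plus the reverse order, and state the expected result explicitly. Several fixtures also use a dictionary key that disagrees with their fields, for example `default-172.18.3.2-172.18.5.2-srcUnused-0` with `"daddr": "172.18.2.2"`; a one-line comment such as `# key intentionally differs: matching uses saddr/daddr/tunnelNs` would tell the reader whether that is deliberate. The `DATA` list starts outside this hunk.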