Update to na_ontap_firewall_policy (#51976)

* Revert "changes to clusteR"

This reverts commit 33ee1b71e4bc8435fb315762a871f8c4cb6c5f80.

* Fix issue and unit tests

* update to firewall

* fix import issues

* Revert "Revert "changes to clusteR""

This reverts commit 2713c75f31.

* fix docs

* stop pylint on unicode line, line can only be run in python2

* Review comment

* add pylint skip

* add pylint skip
This commit is contained in:
Chris Archibald 2019-03-11 06:56:30 -07:00 committed by John R Barker
parent 591e0ffb69
commit dbcfb3d0fe
2 changed files with 470 additions and 156 deletions

View file

@ -1,6 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
# (c) 2018, NetApp, Inc # (c) 2018-2019, NetApp, Inc
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function from __future__ import absolute_import, division, print_function
@ -16,71 +16,66 @@ short_description: NetApp ONTAP Manage a firewall policy
version_added: '2.7' version_added: '2.7'
author: NetApp Ansible Team (@carchi8py) <ng-ansibleteam@netapp.com> author: NetApp Ansible Team (@carchi8py) <ng-ansibleteam@netapp.com>
description: description:
- Manage a firewall policy for an Ontap Cluster - Configure firewall on an ONTAP node and manage firewall policy for an ONTAP SVM
extends_documentation_fragment: extends_documentation_fragment:
- netapp.na_ontap - netapp.na_ontap
requirements:
- Python package ipaddress. Install using 'pip install ipaddress'
options: options:
state: state:
description: description:
- Whether to set up a fire policy or not - Whether to set up a firewall policy or not
choices: ['present', 'absent'] choices: ['present', 'absent']
default: present default: present
allow_list: allow_list:
description: description:
- A list of IPs and masks to use - A list of IPs and masks to use.
- The host bits of the IP addresses used in this list must be set to 0.
policy: policy:
description: description:
- A policy name for the firewall policy - A policy name for the firewall policy
required: true
service: service:
description: description:
- The service to apply the policy to - The service to apply the policy to
choices: ['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet'] choices: ['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']
required: true
vserver: vserver:
description: description:
- The Vserver to apply the policy to. - The Vserver to apply the policy to.
required: true
enable: enable:
description: description:
- enabled firewall - enable firewall on a node
choices: ['enable', 'disable'] choices: ['enable', 'disable']
default: enable
logging: logging:
description: description:
- enable logging - enable logging for firewall on a node
choices: ['enable', 'disable'] choices: ['enable', 'disable']
default: disable
node: node:
description: description:
- The node to run the firewall configuration on - The node to run the firewall configuration on
required: True
''' '''
EXAMPLES = """ EXAMPLES = """
- name: create firewall Policy - name: create firewall Policy
na_ontap_firewall_policy: na_ontap_firewall_policy:
state: present state: present
allow_list: [1.2.3.4/24,1.3.3.4/24] allow_list: [1.2.3.0/24,1.3.0.0/16]
policy: pizza policy: pizza
service: http service: http
vserver: ci_dev vserver: ci_dev
hostname: "{{ netapp hostname }}" hostname: "{{ netapp hostname }}"
username: "{{ netapp username }}" username: "{{ netapp username }}"
password: "{{ netapp password }}" password: "{{ netapp password }}"
node: laurentn-vsim1
- name: Modify firewall Policy - name: Modify firewall Policy
na_ontap_firewall_policy: na_ontap_firewall_policy:
state: present state: present
allow_list: [1.2.3.4/24,1.3.3.4/24] allow_list: [1.5.3.0/24]
policy: pizza policy: pizza
service: http service: http
vserver: ci_dev vserver: ci_dev
hostname: "{{ netapp hostname }}" hostname: "{{ netapp hostname }}"
username: "{{ netapp username }}" username: "{{ netapp username }}"
password: "{{ netapp password }}" password: "{{ netapp password }}"
node: laurentn-vsim1
- name: Destory firewall Policy - name: Destory firewall Policy
na_ontap_firewall_policy: na_ontap_firewall_policy:
@ -91,7 +86,16 @@ EXAMPLES = """
hostname: "{{ netapp hostname }}" hostname: "{{ netapp hostname }}"
username: "{{ netapp username }}" username: "{{ netapp username }}"
password: "{{ netapp password }}" password: "{{ netapp password }}"
node: laurentn-vsim1
- name: Enable firewall and logging on a node
na_ontap_firewall_policy:
node: test-vsim1
enable: enable
logging: enable
hostname: "{{ netapp hostname }}"
username: "{{ netapp username }}"
password: "{{ netapp password }}"
""" """
RETURN = """ RETURN = """
@ -103,6 +107,13 @@ from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_native from ansible.module_utils._text import to_native
import ansible.module_utils.netapp as netapp_utils import ansible.module_utils.netapp as netapp_utils
from ansible.module_utils.netapp_module import NetAppModule from ansible.module_utils.netapp_module import NetAppModule
try:
import ipaddress
HAS_IPADDRESS_LIB = True
except ImportError:
HAS_IPADDRESS_LIB = False
import sys
HAS_NETAPP_LIB = netapp_utils.has_netapp_lib() HAS_NETAPP_LIB = netapp_utils.has_netapp_lib()
@ -113,16 +124,20 @@ class NetAppONTAPFirewallPolicy(object):
self.argument_spec.update(dict( self.argument_spec.update(dict(
state=dict(required=False, choices=['present', 'absent'], default='present'), state=dict(required=False, choices=['present', 'absent'], default='present'),
allow_list=dict(required=False, type="list"), allow_list=dict(required=False, type="list"),
policy=dict(required=True, type='str'), policy=dict(required=False, type='str'),
service=dict(required=True, type='str', choices=['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']), service=dict(required=False, type='str', choices=['dns', 'http', 'https', 'ndmp',
vserver=dict(required=True, type="str"), 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']),
enable=dict(required=False, type="str", choices=['enable', 'disable'], default='enable'), vserver=dict(required=False, type="str"),
logging=dict(required=False, type="str", choices=["enable", 'disable'], default='disable'), enable=dict(required=False, type="str", choices=['enable', 'disable']),
node=dict(required=True, type="str") logging=dict(required=False, type="str", choices=['enable', 'disable']),
node=dict(required=False, type="str")
)) ))
self.module = AnsibleModule( self.module = AnsibleModule(
argument_spec=self.argument_spec, argument_spec=self.argument_spec,
required_together=(['policy', 'service', 'vserver'],
['enable', 'node']
),
supports_check_mode=True supports_check_mode=True
) )
@ -133,33 +148,32 @@ class NetAppONTAPFirewallPolicy(object):
self.module.fail_json(msg="the python NetApp-Lib module is required") self.module.fail_json(msg="the python NetApp-Lib module is required")
else: else:
self.server = netapp_utils.setup_na_ontap_zapi(module=self.module) self.server = netapp_utils.setup_na_ontap_zapi(module=self.module)
if HAS_IPADDRESS_LIB is False:
self.module.fail_json(msg="the python ipaddress lib is required for this module")
return return
def create_firewall_policy(self): def validate_ip_addresses(self):
""" '''
Create a firewall policy Validate if the given IP address is a network address (i.e. it's host bits are set to 0)
:return: Nothing ONTAP doesn't validate if the host bits are set,
""" and hence doesn't add a new address unless the IP is from a different network.
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-create") So this validation allows the module to be idempotent.
net_firewall_policy_obj = self.create_modify_policy(net_firewall_policy_obj)
try:
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error creating Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
def destroy_firewall_policy(self):
"""
Destroy a Firewall Policy
:return: None :return: None
""" '''
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-destroy") for ip in self.parameters['allow_list']:
net_firewall_policy_obj.add_new_child('policy', self.parameters['policy']) # create an IPv4 object for current IP address
net_firewall_policy_obj.add_new_child('service', self.parameters['service']) if sys.version_info[0] >= 3:
net_firewall_policy_obj.add_new_child('vserver', self.parameters['vserver']) ip_addr = str(ip)
else:
ip_addr = unicode(ip) # pylint: disable=undefined-variable
# get network address from netmask, throw exception if address is not a network address
try: try:
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True) ipaddress.ip_network(ip_addr)
except netapp_utils.zapi.NaApiError as error: except ValueError as exc:
self.module.fail_json(msg="Error destroying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc()) self.module.fail_json(msg='Error: Invalid IP address value for allow_list parameter.'
'Please specify a network address without host bits set: %s'
% (to_native(exc)))
def get_firewall_policy(self): def get_firewall_policy(self):
""" """
@ -167,147 +181,161 @@ class NetAppONTAPFirewallPolicy(object):
:return: returns a firewall policy object, or returns False if there are none :return: returns a firewall policy object, or returns False if there are none
""" """
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-get-iter") net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-get-iter")
net_firewall_policy_info = netapp_utils.zapi.NaElement("net-firewall-policy-info") attributes = {
query = netapp_utils.zapi.NaElement('query') 'query': {
net_firewall_policy_info.add_new_child('policy', self.parameters['policy']) 'net-firewall-policy-info': self.firewall_policy_attributes()
query.add_child_elem(net_firewall_policy_info) }
net_firewall_policy_obj.add_child_elem(query) }
result = self.server.invoke_successfully(net_firewall_policy_obj, True) net_firewall_policy_obj.translate_struct(attributes)
if result.get_child_by_name('num-records') and \
int(result.get_child_content('num-records')) == 1:
return result
return False
def modify_firewall_policy(self): try:
result = self.server.invoke_successfully(net_firewall_policy_obj, True)
except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error getting firewall policy %s:%s" % (self.parameters['policy'],
to_native(error)),
exception=traceback.format_exc())
if result.get_child_by_name('num-records') and int(result.get_child_content('num-records')) >= 1:
attributes_list = result.get_child_by_name('attributes-list')
policy_info = attributes_list.get_child_by_name('net-firewall-policy-info')
ips = self.na_helper.get_value_for_list(from_zapi=True,
zapi_parent=policy_info.get_child_by_name('allow-list'))
return {
'service': policy_info['service'],
'allow_list': ips}
return None
def create_firewall_policy(self):
""" """
Modify a firewall Policy Create a firewall policy for given vserver
:return: None
"""
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-create")
net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes())
if self.parameters.get('allow_list'):
self.validate_ip_addresses()
net_firewall_policy_obj.add_child_elem(self.na_helper.get_value_for_list(from_zapi=False,
zapi_parent='allow-list',
zapi_child='ip-and-mask',
data=self.parameters['allow_list'])
)
try:
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error creating Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
def destroy_firewall_policy(self):
"""
Destroy a Firewall Policy from a vserver
:return: None
"""
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-destroy")
net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes())
try:
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error destroying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
def modify_firewall_policy(self, modify):
"""
Modify a firewall Policy on a vserver
:return: none :return: none
""" """
self.validate_ip_addresses()
net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-modify") net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-modify")
net_firewall_policy_obj = self.create_modify_policy(net_firewall_policy_obj) net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes())
net_firewall_policy_obj.add_child_elem(self.na_helper.get_value_for_list(from_zapi=False,
zapi_parent='allow-list',
zapi_child='ip-and-mask',
data=modify['allow_list']))
try: try:
self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True) self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True)
except netapp_utils.zapi.NaApiError as error: except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error modifying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc()) self.module.fail_json(msg="Error modifying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc())
def create_modify_policy(self, net_firewall_policy_obj): def firewall_policy_attributes(self):
""" return {
Set up the parameters for creating or modifying a policy 'policy': self.parameters['policy'],
:param net_firewall_policy_obj: The Firewall policy to modify 'service': self.parameters['service'],
:return: 'vserver': self.parameters['vserver'],
""" }
net_firewall_policy_obj.add_new_child('policy', self.parameters['policy'])
net_firewall_policy_obj.add_new_child('service', self.parameters['service'])
net_firewall_policy_obj.add_new_child('vserver', self.parameters['vserver'])
allow_ip_list = netapp_utils.zapi.NaElement("allow-list")
for each in self.parameters['allow_list']:
net_firewall_policy_ip = netapp_utils.zapi.NaElement("ip-and-mask")
net_firewall_policy_ip.set_content(each)
allow_ip_list.add_child_elem(net_firewall_policy_ip)
net_firewall_policy_obj.add_child_elem(allow_ip_list)
return net_firewall_policy_obj
def get_firewall_config(self): def get_firewall_config_for_node(self):
""" """
Get a firewall configuration Get firewall configuration on the node
:return: the firewall configuration :return: dict() with firewall config details
""" """
if self.parameters.get('logging'):
if self.parameters.get('node') is None:
self.module.fail_json(msg='Error: Missing parameter \'node\' to modify firewall logging')
net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-get") net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-get")
net_firewall_config_obj.add_new_child('node-name', self.parameters['node']) net_firewall_config_obj.add_new_child('node-name', self.parameters['node'])
try: try:
result = self.server.invoke_successfully(net_firewall_config_obj, True) result = self.server.invoke_successfully(net_firewall_config_obj, True)
except netapp_utils.zapi.NaApiError as error: except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error getting Firewall Configuration: %s" % (to_native(error)), exception=traceback.format_exc()) self.module.fail_json(msg="Error getting Firewall Configuration: %s" % (to_native(error)),
return result exception=traceback.format_exc())
if result.get_child_by_name('attributes'):
firewall_info = result['attributes'].get_child_by_name('net-firewall-config-info')
return {'enable': self.change_status_to_bool(firewall_info.get_child_content('is-enabled'), to_zapi=False),
'logging': self.change_status_to_bool(firewall_info.get_child_content('is-logging'), to_zapi=False)}
return None
def check_policy(self, policy): def modify_firewall_config(self, modify):
""" """
Check to see if a policy has been changed or not Modify the configuration of a firewall on node
:param policy: policy to check :return: None
:return: True if the policy has changed, False if there are no changes
"""
changed = False
attributes_list = policy.get_child_by_name('attributes-list')
policy_info = attributes_list.get_child_by_name('net-firewall-policy-info')
allow_list = policy_info.get_child_by_name('allow-list')
for each in allow_list.get_children():
if each.get_content() not in self.parameters['allow_list']:
changed = True
if self.parameters['service'] != policy_info.get_child_by_name('service').get_content():
changed = True
if self.parameters['policy'] != policy_info.get_child_by_name('policy').get_content():
changed = True
return changed
def modify_firewall_config(self):
"""
Modify the configuration of a firewall
:return: none
""" """
net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-modify") net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-modify")
net_firewall_config_obj.add_new_child('node-name', self.parameters['node']) net_firewall_config_obj.add_new_child('node-name', self.parameters['node'])
net_firewall_config_obj.add_new_child('is-enabled', self.parameters['enable']) if modify.get('enable'):
net_firewall_config_obj.add_new_child('is-logging', self.parameters['logging']) net_firewall_config_obj.add_new_child('is-enabled', self.change_status_to_bool(self.parameters['enable']))
if modify.get('logging'):
net_firewall_config_obj.add_new_child('is-logging', self.change_status_to_bool(self.parameters['logging']))
try: try:
self.server.invoke_successfully(net_firewall_config_obj, enable_tunneling=True) self.server.invoke_successfully(net_firewall_config_obj, enable_tunneling=True)
except netapp_utils.zapi.NaApiError as error: except netapp_utils.zapi.NaApiError as error:
self.module.fail_json(msg="Error modifying Firewall Config: %s" % (to_native(error)), exception=traceback.format_exc()) self.module.fail_json(msg="Error modifying Firewall Config: %s" % (to_native(error)),
exception=traceback.format_exc())
def check_config(self, config): def change_status_to_bool(self, input, to_zapi=True):
""" if to_zapi:
check to see if a firewall configuration has changed or not return 'true' if input == 'enable' else 'false'
:param config: The configuration to check
:return: true if it has changed, false if it has not
"""
changed = False
attributes_list = config.get_child_by_name('attributes')
firewall_info = attributes_list.get_child_by_name('net-firewall-config-info')
enable = firewall_info.get_child_by_name('is-enabled')
logging = firewall_info.get_child_by_name('is-logging')
if self.parameters['enable'] == 'enable':
is_enable = "true"
else: else:
is_enable = "false" return 'enable' if input == 'true' else 'disable'
if enable != is_enable:
changed = True
if self.parameters['logging'] == 'logging':
is_logging = "true"
else:
is_logging = "false"
if logging != is_logging:
changed = True
return changed
def apply(self): def autosupport_log(self):
results = netapp_utils.get_cserver(self.server) results = netapp_utils.get_cserver(self.server)
cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results) cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results)
netapp_utils.ems_log_event("na_ontap_firewall_policy", cserver) netapp_utils.ems_log_event("na_ontap_firewall_policy", cserver)
changed = False
if self.parameters['state'] == 'present': def apply(self):
policy = self.get_firewall_policy() self.autosupport_log()
if not policy: cd_action, modify, modify_config = None, None, None
if self.parameters.get('policy'):
current = self.get_firewall_policy()
cd_action = self.na_helper.get_cd_action(current, self.parameters)
if cd_action is None and self.parameters['state'] == 'present':
modify = self.na_helper.get_modified_attributes(current, self.parameters)
if self.parameters.get('node'):
current_config = self.get_firewall_config_for_node()
# firewall config for a node is always present, we cannot create or delete a firewall on a node
modify_config = self.na_helper.get_modified_attributes(current_config, self.parameters)
if self.na_helper.changed:
if self.module.check_mode:
pass
else:
if cd_action == 'create':
self.create_firewall_policy() self.create_firewall_policy()
if not self.check_config(self.get_firewall_config()): elif cd_action == 'delete':
self.modify_firewall_config()
changed = True
else:
if self.check_policy(policy):
self.modify_firewall_policy()
changed = True
if not self.check_config(self.get_firewall_config()):
self.modify_firewall_config()
changed = True
else:
if self.get_firewall_policy():
self.destroy_firewall_policy() self.destroy_firewall_policy()
if not self.check_config(self.get_firewall_config()):
self.modify_firewall_config()
changed = True
else: else:
if not self.check_config(self.get_firewall_config()): if modify:
self.modify_firewall_config() self.modify_firewall_policy(modify)
changed = True if modify_config:
self.module.exit_json(changed=changed) self.modify_firewall_config(modify_config)
self.module.exit_json(changed=self.na_helper.changed)
def main(): def main():

View file

@ -0,0 +1,286 @@
# (c) 2018, NetApp, Inc
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
''' unit test template for ONTAP Ansible module '''
from __future__ import print_function
import json
import pytest
from units.compat import unittest
from units.compat.mock import patch, Mock
from ansible.module_utils import basic
from ansible.module_utils._text import to_bytes
import ansible.module_utils.netapp as netapp_utils
from ansible.modules.storage.netapp.na_ontap_firewall_policy \
import NetAppONTAPFirewallPolicy as fp_module # module under test
if not netapp_utils.has_netapp_lib():
pytestmark = pytest.mark.skip('skipping as missing required netapp_lib')
def set_module_args(args):
"""prepare arguments so that they will be picked up during module creation"""
args = json.dumps({'ANSIBLE_MODULE_ARGS': args})
basic._ANSIBLE_ARGS = to_bytes(args) # pylint: disable=protected-access
class AnsibleExitJson(Exception):
"""Exception class to be raised by module.exit_json and caught by the test case"""
pass
class AnsibleFailJson(Exception):
"""Exception class to be raised by module.fail_json and caught by the test case"""
pass
def exit_json(*args, **kwargs): # pylint: disable=unused-argument
"""function to patch over exit_json; package return data into an exception"""
if 'changed' not in kwargs:
kwargs['changed'] = False
raise AnsibleExitJson(kwargs)
def fail_json(*args, **kwargs): # pylint: disable=unused-argument
"""function to patch over fail_json; package return data into an exception"""
kwargs['failed'] = True
raise AnsibleFailJson(kwargs)
class MockONTAPConnection(object):
''' mock server connection to ONTAP host '''
def __init__(self, kind=None, data=None):
''' save arguments '''
self.kind = kind
self.data = data
self.xml_in = None
self.xml_out = None
def invoke_successfully(self, xml, enable_tunneling): # pylint: disable=unused-argument
''' mock invoke_successfully returning xml data '''
self.xml_in = xml
if self.kind == 'policy':
xml = self.build_policy_info(self.data)
if self.kind == 'config':
xml = self.build_firewall_config_info(self.data)
self.xml_out = xml
return xml
@staticmethod
def build_policy_info(data):
''' build xml data for net-firewall-policy-info '''
xml = netapp_utils.zapi.NaElement('xml')
attributes = {
'num-records': 1,
'attributes-list': {
'net-firewall-policy-info': {
'policy': data['policy'],
'service': data['service'],
'allow-list': [
{'ip-and-mask': '1.2.3.0/24'}
]
}
}
}
xml.translate_struct(attributes)
return xml
@staticmethod
def build_firewall_config_info(data):
''' build xml data for net-firewall-config-info '''
xml = netapp_utils.zapi.NaElement('xml')
attributes = {
'attributes': {
'net-firewall-config-info': {
'is-enabled': 'true',
'is-logging': 'false'
}
}
}
xml.translate_struct(attributes)
return xml
class TestMyModule(unittest.TestCase):
''' a group of related Unit Tests '''
def setUp(self):
self.mock_module_helper = patch.multiple(basic.AnsibleModule,
exit_json=exit_json,
fail_json=fail_json)
self.mock_module_helper.start()
self.addCleanup(self.mock_module_helper.stop)
self.mock_policy = {
'policy': 'test',
'service': 'http',
'vserver': 'my_vserver',
'allow_list': '1.2.3.0/24'
}
self.mock_config = {
'node': 'test',
'enable': 'enable',
'logging': 'enable'
}
def mock_policy_args(self):
return {
'policy': self.mock_policy['policy'],
'service': self.mock_policy['service'],
'vserver': self.mock_policy['vserver'],
'allow_list': [self.mock_policy['allow_list']],
'hostname': 'test',
'username': 'test_user',
'password': 'test_pass!'
}
def mock_config_args(self):
return {
'node': self.mock_config['node'],
'enable': self.mock_config['enable'],
'logging': self.mock_config['logging'],
'hostname': 'test',
'username': 'test_user',
'password': 'test_pass!'
}
def get_mock_object(self, kind=None):
"""
Helper method to return an na_ontap_firewall_policy object
:param kind: passes this param to MockONTAPConnection()
:return: na_ontap_firewall_policy object
"""
obj = fp_module()
obj.autosupport_log = Mock(return_value=None)
if kind is None:
obj.server = MockONTAPConnection()
else:
mock_data = self.mock_config if kind == 'config' else self.mock_policy
obj.server = MockONTAPConnection(kind=kind, data=mock_data)
return obj
def test_module_fail_when_required_args_missing(self):
''' required arguments are reported as errors '''
with pytest.raises(AnsibleFailJson) as exc:
set_module_args({})
fp_module()
print('Info: %s' % exc.value.args[0]['msg'])
def test_helper_firewall_policy_attributes(self):
''' helper returns dictionary with vserver, service and policy details '''
data = self.mock_policy
set_module_args(self.mock_policy_args())
result = self.get_mock_object('policy').firewall_policy_attributes()
del data['allow_list']
assert data == result
def test_helper_validate_ip_addresses_positive(self):
''' test if helper validates if IP is a network address '''
data = self.mock_policy_args()
data['allow_list'] = ['1.2.0.0/16', '1.2.3.0/24']
set_module_args(data)
result = self.get_mock_object().validate_ip_addresses()
assert result is None
def test_helper_validate_ip_addresses_negative(self):
''' test if helper validates if IP is a network address '''
data = self.mock_policy_args()
data['allow_list'] = ['1.2.0.10/16', '1.2.3.0/24']
set_module_args(data)
with pytest.raises(AnsibleFailJson) as exc:
self.get_mock_object().validate_ip_addresses()
msg = 'Error: Invalid IP address value for allow_list parameter.' \
'Please specify a network address without host bits set: ' \
'1.2.0.10/16 has host bits set'
assert exc.value.args[0]['msg'] == msg
def test_get_nonexistent_policy(self):
''' Test if get_firewall_policy returns None for non-existent policy '''
set_module_args(self.mock_policy_args())
result = self.get_mock_object().get_firewall_policy()
assert result is None
def test_get_existing_policy(self):
''' Test if get_firewall_policy returns policy details for existing policy '''
data = self.mock_policy_args()
set_module_args(data)
result = self.get_mock_object('policy').get_firewall_policy()
assert result['service'] == data['service']
assert result['allow_list'] == ['1.2.3.0/24'] # from build_policy_info()
def test_successful_create(self):
''' Test successful create '''
set_module_args(self.mock_policy_args())
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object().apply()
assert exc.value.args[0]['changed']
def test_create_idempotency(self):
''' Test create idempotency '''
set_module_args(self.mock_policy_args())
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object('policy').apply()
assert not exc.value.args[0]['changed']
def test_successful_delete(self):
''' Test delete existing job '''
data = self.mock_policy_args()
data['state'] = 'absent'
set_module_args(data)
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object('policy').apply()
assert exc.value.args[0]['changed']
def test_delete_idempotency(self):
''' Test delete idempotency '''
data = self.mock_policy_args()
data['state'] = 'absent'
set_module_args(data)
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object().apply()
assert not exc.value.args[0]['changed']
def test_successful_modify(self):
''' Test successful modify allow_list '''
data = self.mock_policy_args()
data['allow_list'] = ['1.2.0.0/16']
set_module_args(data)
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object('policy').apply()
assert exc.value.args[0]['changed']
def test_successful_modify_mutiple_ips(self):
''' Test successful modify allow_list '''
data = self.mock_policy_args()
data['allow_list'] = ['1.2.0.0/16', '1.0.0.0/8']
set_module_args(data)
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object('policy').apply()
assert exc.value.args[0]['changed']
def test_get_nonexistent_config(self):
''' Test if get_firewall_config returns None for non-existent node '''
set_module_args(self.mock_config_args())
result = self.get_mock_object().get_firewall_config_for_node()
assert result is None
def test_get_existing_config(self):
''' Test if get_firewall_config returns policy details for existing node '''
data = self.mock_config_args()
set_module_args(data)
result = self.get_mock_object('config').get_firewall_config_for_node()
assert result['enable'] == 'enable' # from build_config_info()
assert result['logging'] == 'disable' # from build_config_info()
def test_successful_modify_config(self):
''' Test successful modify allow_list '''
data = self.mock_config_args()
data['enable'] = 'disable'
data['logging'] = 'enable'
set_module_args(data)
with pytest.raises(AnsibleExitJson) as exc:
self.get_mock_object('config').apply()
assert exc.value.args[0]['changed']