ansible/test/integration/targets/nxos_nxapi/tests/cli/nxapi_ssl.yaml
tstoner 2c3d418e53 Nxapi ssl (#42905)
* NXAPI ssl ciphers & protocols default values

* TLSv1, TLSv1.1, TLSv1.2 and weak cipher support

* NXOS NXAPI weak/strong cipher & TLSv 1.2, 1.1 & 1.0 support

* Version checking for strong/weak ciphers & TLS 1.2, 1.1 & 1.0 support

* Cleaned up erroneously committed changes.

* Specific NXOS platform checking for nxapi ssl ciphers & protocols

* Fixed ansibot reported errors.

* Resolved ansibot reported error.

* Added network_os_version to mocked up N7K unit test device_info

* Calling get_capabilities() once in main and passing results into methods.

* Removed raising exceptions when platform capabilities return None
per reviewer's request. Skipping nxapi ssl options when capabilities
are None and generating a warning when these options are skipped

* Cleaned up explicit checks for None/not None
2018-07-27 22:10:39 +05:30


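---
# Integration test for the nxos_nxapi SSL options: cipher strength
# (ssl_strong_ciphers) and TLS protocol selection (tlsv1_0 / tlsv1_1 / tlsv1_2).
#
# Each case follows the same pattern:
#   1. apply a configuration with nxos_nxapi,
#   2. read the effective setting back from the device with nxos_command,
#   3. assert the exact configuration line,
#   4. re-apply the same arguments and assert that nothing changed.
#
# Variables read but not defined in this file: platform, major_version,
# nxapi_sandbox_option.
#
# Security-relevant behaviour pinned by the assertions below:
#   * With no tlsv1_* option the expected protocol line is 'TLSv1' only.
#   * Setting tlsv1_2 (or tlsv1_1) to true does NOT drop TLSv1; the expected line
#     then still contains 'TLSv1'. TLSv1 disappears only when tlsv1_0 is
#     explicitly false.
#   * The test deliberately puts the target into weak-cipher and TLSv1/TLSv1.1
#     states between steps; the `always` section resets NXAPI afterwards.
- block:
    - name: Announce start of the test case
      debug:
        msg: 'START cli/nxapi_ssl.yaml'

    # --- Cipher strength: weak -------------------------------------------
    - name: Configure NXAPI HTTPs w/weak ciphers
      nxos_nxapi: &configure_https_weak_ciphers
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        ssl_strong_ciphers: false
      register: result

    - name: Read back NXAPI cipher configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc ciphers'
      register: result

    # stdout_lines[0][0] is the first line of the first command's output; an
    # empty read-back fails here with an index error rather than a comparison.
    - name: Assert weak ciphers configuration
      assert: &weak_ciphers
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl ciphers weak'

    - name: Configure NXAPI HTTPs w/weak ciphers again
      nxos_nxapi: *configure_https_weak_ciphers
      register: result

    # Reused by every idempotence check in this file via *assert_false.
    - name: Assert configuration is idempotent
      assert: &assert_false
        that:
          - result.changed == false

    # --- Cipher strength: strong -----------------------------------------
    - name: Configure NXAPI HTTPs w/strong ciphers
      nxos_nxapi: &configure_https_strong_ciphers
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        ssl_strong_ciphers: true
      register: result

    - name: Read back NXAPI cipher configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc ciphers'
      register: result

    - name: Assert strong ciphers configuration
      assert: &strong_ciphers
        that:
          - result.stdout_lines[0][0] == 'no nxapi ssl ciphers weak'

    - name: Configure NXAPI HTTPs w/strong ciphers again
      nxos_nxapi: *configure_https_strong_ciphers
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: nothing specified ------------------------------------
    # No tlsv1_* option is passed; the expected result is TLSv1 alone.
    - name: Configure NXAPI HTTPs w/default TLSv1
      nxos_nxapi: &configure_https_default
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    - name: Assert NXAPI HTTPs w/default TLSv1 configuration
      assert: &default_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1'

    - name: Configure NXAPI HTTPs w/default again
      nxos_nxapi: *configure_https_default
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: TLSv1.1 only (TLSv1 explicitly disabled) -------------
    - name: Configure NXAPI HTTPs TLSv1.1 -default TLSv1
      nxos_nxapi: &configure_https_tlsv1_1
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        tlsv1_1: true
        tlsv1_0: false
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    - name: Assert NXAPI HTTPs w/TLSv1.1 configuration
      assert: &tlsv1_1_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1.1'

    - name: Configure NXAPI HTTPs w/TLSv1.1 -default TLSv1 again
      nxos_nxapi: *configure_https_tlsv1_1
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: TLSv1.2 only (TLSv1 explicitly disabled) -------------
    - name: Configure NXAPI HTTPs TLSv1.2 -default TLSv1
      nxos_nxapi: &configure_https_tlsv1_2
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        tlsv1_2: true
        tlsv1_0: false
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    - name: Assert NXAPI HTTPs w/TLSv1.2 configuration
      assert: &tlsv1_2_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1.2'

    - name: Configure NXAPI HTTPs w/TLSv1.2 -default TLSv1 again
      nxos_nxapi: *configure_https_tlsv1_2
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: TLSv1.2 with tlsv1_0 left unspecified ----------------
    # tlsv1_0 is omitted here and the expected line still lists TLSv1:
    # asking for TLSv1.2 alone does not remove the older protocol.
    - name: Configure NXAPI HTTPs w/TLS1.2 +default TLSv1
      nxos_nxapi: &configure_https_tlsv1_2_default
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        ssl_strong_ciphers: true
        tlsv1_2: true
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    - name: Assert NXAPI HTTPs w/TLS1.2 +default TLSv1 configuration
      assert: &tlsv1_2_default_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1 TLSv1.2'

    - name: Configure NXAPI HTTPs w/TLS1.2 again
      nxos_nxapi: *configure_https_tlsv1_2_default
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: TLSv1.2 + TLSv1.1 (TLSv1 explicitly disabled) --------
    - name: Configure NXAPI HTTPs w/TLS1.2 TLS1.1 -default TLSv1
      nxos_nxapi: &configure_https_tlsv1_2_tlsv1_1
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        ssl_strong_ciphers: true
        tlsv1_0: false
        tlsv1_1: true
        tlsv1_2: true
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    # Task name corrected: this case covers TLS1.2 and TLS1.1, not TLS1.2 twice.
    - name: Assert NXAPI HTTPs w/TLS1.2 TLS1.1 -default TLSv1 configuration
      assert: &tlsv1_2_tlsv1_1_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1.1 TLSv1.2'

    - name: Configure NXAPI HTTPs w/TLS1.2 TLS1.1 -default TLSv1 again
      nxos_nxapi: *configure_https_tlsv1_2_tlsv1_1
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: TLSv1.2 + TLSv1.1 with tlsv1_0 left unspecified ------
    - name: Configure NXAPI HTTPs w/TLS1.2 TLS1.1 +default TLSv1
      nxos_nxapi: &configure_https_tlsv1_2_tlsv1_1_default
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        ssl_strong_ciphers: true
        tlsv1_1: true
        tlsv1_2: true
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    - name: Assert NXAPI HTTPs w/TLS1.2 TLS1.1 +default TLSv1 configuration
      assert: &tlsv1_2_tlsv1_1_default_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1 TLSv1.1 TLSv1.2'

    - name: Configure NXAPI HTTPs w/TLS1.2 TLS1.1 +default TLSv1 again
      nxos_nxapi: *configure_https_tlsv1_2_tlsv1_1_default
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

    # --- Protocols: all three set explicitly -----------------------------
    - name: Configure NXAPI HTTPs with explicit TLS1.2 TLS1.1 TLSv1
      nxos_nxapi: &configure_https_tlsv1_2_tlsv1_1_tlsv1_0
        enable_https: true
        enable_sandbox: "{{ nxapi_sandbox_option | default(omit) }}"
        ssl_strong_ciphers: true
        tlsv1_0: true
        tlsv1_1: true
        tlsv1_2: true
      register: result

    - name: Read back NXAPI protocol configuration
      nxos_command:
        commands:
          - 'show run all | inc nxapi | inc protocols'
      register: result

    # Task name corrected: this case covers TLS1.2, TLS1.1 and TLSv1.
    - name: Assert NXAPI HTTPs w/TLS1.2 TLS1.1 TLSv1 configuration
      assert: &tlsv1_2_tlsv1_1_tlsv1_0_configuration
        that:
          - result.stdout_lines[0][0] == 'nxapi ssl protocols TLSv1 TLSv1.1 TLSv1.2'

    - name: Configure NXAPI HTTPs w/TLS1.2 TLS1.1 TLSv1 again
      nxos_nxapi: *configure_https_tlsv1_2_tlsv1_1_tlsv1_0
      register: result

    - name: Assert configuration is idempotent
      assert: *assert_false

  # Runs whether or not the cases above succeed, so a failed assertion does not
  # leave the last weak-cipher / old-protocol setting applied.
  always:
    - name: Cleanup - Disable NXAPI
      nxos_nxapi:
        state: absent
      register: result

    # NOTE(review): NXAPI is re-enabled with no options, so the device ends up
    # in whatever state the module defaults produce; this file does not assert
    # the post-cleanup ciphers/protocols. Confirm it matches the lab baseline.
    - name: Cleanup - Re-enable NXAPI
      nxos_nxapi:
        state: present
      register: result

    - name: Announce end of the test case
      debug:
        msg: 'END cli/nxapi_ssl.yaml'

  # Gates the whole block (Ansible applies a block-level `when` to every task
  # in `block` and `always`): only the listed platforms on release 9.2 or later
  # are exercised.
  # NOTE(review): the `match` test is anchored at the start of the string only,
  # so the N9K check presumably already covers N9K-F; left as written.
  when: >-
    (platform is match("N9K") or platform is match("N3K") or
    platform is match("N9K-F") or platform is match("N35") or
    platform is match("N3L")) and major_version is version('9.2', '>=')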