Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[minor_changes] Added new module ndo_mac_sec_policy (DCNE-177 DCNE-74) #522

Merged
merged 9 commits into from
Oct 17, 2024
Prev Previous commit
Next Next commit
[ignore_changes] Added comments for mac_sec_keys.
anvitha-jain committed Oct 8, 2024
commit 85eeea157574c4034e60df6ab39bf3196a70bfdd
13 changes: 11 additions & 2 deletions plugins/module_utils/constants.py
Original file line number Diff line number Diff line change
@@ -25,8 +25,17 @@
NDO_API_VERSION_FORMAT = "/mso/api/{api_version}"
NDO_API_VERSION_PATH_FORMAT = "/mso/api/{api_version}/{path}"

NDO_CIPHER_SUITE_MAP = {"128_gcm_aes": "128GcmAes", "128_gcm_aes_xpn": "128GcmAesXpn", "256_gcm_aes": "256GcmAes", "256_gcm_aes_xpn": "256GcmAesXpn"}
NDO_SECURITY_POLICY_MAP = {"should_secure": "shouldSecure", "must_secure": "mustSecure"}
NDO_CIPHER_SUITE_MAP = {
"128_gcm_aes": "128GcmAes",
"128_gcm_aes_xpn": "128GcmAesXpn",
"256_gcm_aes": "256GcmAes",
"256_gcm_aes_xpn": "256GcmAesXpn",
}

NDO_SECURITY_POLICY_MAP = {
"should_secure": "shouldSecure",
"must_secure": "mustSecure",
}

EPG_U_SEG_ATTR_TYPE_MAP = {
"ip": "ip",
50 changes: 25 additions & 25 deletions plugins/modules/ndo_mac_sec_policy.py
Original file line number Diff line number Diff line change
@@ -93,9 +93,11 @@
- The default value 16 for type C(access).
- This parameter is only available for type C(access).
type: int
mac_sec_key:
mac_sec_keys:
description:
- List of the MACSec Keys.
anvitha-jain marked this conversation as resolved.
Show resolved Hide resolved
- Providing an empty list will remove the O(mac_sec_keys) from the MACSec Policy.
- The old O(mac_sec_keys) entries will be replaced with the new entries during update.
type: list
elements: dict
suboptions:
@@ -138,7 +140,7 @@
"""

EXAMPLES = r"""
- name: Create a new MACSec Policy of interface_type fabric
- name: Create a new MACSec Policy of interface_type fabric
cisco.mso.ndo_mac_sec_policy:
host: mso_host
username: admin
@@ -156,7 +158,7 @@
template: ansible_test_template
mac_sec_policy: ansible_test_mac_sec_policy
description: "Ansible Test MACSec Policy"
mac_sec_key:
mac_sec_keys:
- key_name: ansible_test_key
psk: 'AA111111111111111111111111111111111111111111111111111111111111aa'
start_time: '2029-12-11 11:12:13'
@@ -232,13 +234,13 @@ def main():
description=dict(type="str"),
admin_state=dict(type="str", choices=["enabled", "disabled"]),
interface_type=dict(type="str", choices=["fabric", "access"], default="fabric"),
anvitha-jain marked this conversation as resolved.
Show resolved Hide resolved
cipher_suite=dict(type="str", choices=["128_gcm_aes", "128_gcm_aes_xpn", "256_gcm_aes", "256_gcm_aes_xpn"]),
cipher_suite=dict(type="str", choices=list(NDO_CIPHER_SUITE_MAP)),
window_size=dict(type="int"),
security_policy=dict(type="str", choices=["should_secure", "must_secure"]),
security_policy=dict(type="str", choices=list(NDO_SECURITY_POLICY_MAP)),
sak_expiry_time=dict(type="int"),
confidentiality_offset=dict(type="int", choices=[0, 30, 50]),
key_server_priority=dict(type="int"),
mac_sec_key=dict(
mac_sec_keys=dict(
type="list",
elements="dict",
options=dict(
@@ -257,7 +259,7 @@ def main():
argument_spec=argument_spec,
supports_check_mode=True,
required_if=[
["state", "present", ["mac_sec_policy"]],
["state", "present", ["mac_sec_policy", "mac_sec_policy_uuid"], True],
["state", "absent", ["mac_sec_policy", "mac_sec_policy_uuid"], True],
],
)
@@ -270,13 +272,13 @@ def main():
description = module.params.get("description")
admin_state = module.params.get("admin_state")
interface_type = module.params.get("interface_type")
cipher_suite = module.params.get("cipher_suite")
cipher_suite = NDO_CIPHER_SUITE_MAP.get(module.params.get("cipher_suite"))
window_size = module.params.get("window_size")
security_policy = module.params.get("security_policy")
security_policy = NDO_SECURITY_POLICY_MAP.get(module.params.get("security_policy"))
sak_expiry_time = module.params.get("sak_expiry_time")
confidentiality_offset = module.params.get("confidentiality_offset")
key_server_priority = module.params.get("key_server_priority")
mac_sec_keys = module.params.get("mac_sec_key")
mac_sec_keys = module.params.get("mac_sec_keys")
state = module.params.get("state")

ops = []
@@ -302,8 +304,6 @@ def main():

if state == "present":

mso.existing = {}

if match:

if mac_sec_policy and match.details.get("name") != mac_sec_policy:
@@ -322,18 +322,16 @@ def main():
mso.fail_json(msg="Type cannot be changed for an existing MACSec Policy.")

if cipher_suite and match.details.get("macsecParams")["cipherSuite"] != cipher_suite:
ops.append(dict(op="replace", path="{0}/{1}/macsecParams/cipherSuite".format(path, match.index), value=NDO_CIPHER_SUITE_MAP.get(cipher_suite)))
match.details["macsecParams"]["cipherSuite"] = NDO_CIPHER_SUITE_MAP.get(cipher_suite)
ops.append(dict(op="replace", path="{0}/{1}/macsecParams/cipherSuite".format(path, match.index), value=cipher_suite))
match.details["macsecParams"]["cipherSuite"] = cipher_suite

if window_size and match.details.get("macsecParams")["windowSize"] != window_size:
ops.append(dict(op="replace", path="{0}/{1}/macsecParams/windowSize".format(path, match.index), value=window_size))
match.details["macsecParams"]["windowSize"] = window_size

if security_policy and match.details.get("macsecParams")["securityPol"] != security_policy:
ops.append(
dict(op="replace", path="{0}/{1}/macsecParams/securityPol".format(path, match.index), value=NDO_SECURITY_POLICY_MAP.get(security_policy))
)
match.details["macsecParams"]["securityPol"] = NDO_SECURITY_POLICY_MAP.get(security_policy)
ops.append(dict(op="replace", path="{0}/{1}/macsecParams/securityPol".format(path, match.index), value=security_policy))
match.details["macsecParams"]["securityPol"] = security_policy

if sak_expiry_time and match.details.get("macsecParams")["sakExpiryTime"] != sak_expiry_time:
ops.append(dict(op="replace", path="{0}/{1}/macsecParams/sakExpiryTime".format(path, match.index), value=sak_expiry_time))
@@ -342,15 +340,16 @@ def main():
if interface_type == "access":
if confidentiality_offset and match.details.get("macsecParams")["confOffSet"] != confidentiality_offset:
ops.append(
dict(op="replace", path="{0}/{1}/macsecParams/confOffSet".format(path, match.index), value="offset" + str(confidentiality_offset))
dict(op="replace", path="{0}/{1}/macsecParams/confOffSet".format(path, match.index), value="offset{0}".format(confidentiality_offset))
)
match.details["macsecParams"]["confOffSet"] = "offset" + str(confidentiality_offset)
match.details["macsecParams"]["confOffSet"] = "offset{0}".format(confidentiality_offset)

if key_server_priority and match.details.get("macsecParams")["keyServerPrio"] != key_server_priority:
ops.append(dict(op="replace", path="{0}/{1}/macsecParams/keyServerPrio".format(path, match.index), value=key_server_priority))
match.details["macsecParams"]["keyServerPrio"] = key_server_priority

if mac_sec_keys:
# updating mac_sec_keys modifies the existing list with the new list
mac_sec_keys_list = []
for mac_sec_key in mac_sec_keys:
mac_sec_keys_list.append(
@@ -362,12 +361,13 @@ def main():
)
)

ops.append(dict(op="replace", path="{0}/{1}/macsecKeys".format(path, match.index), value=mac_sec_keys_list))
if mac_sec_keys_list != match.details.get("macsecKeys", []):
ops.append(dict(op="replace", path="{0}/{1}/macsecKeys".format(path, match.index), value=mac_sec_keys_list))
match.details["macsecKeys"] = mac_sec_keys
elif mac_sec_keys == []:
# remove mac_sec_keys if the list is empty
ops.append(dict(op="remove", path="{0}/{1}/macsecKeys".format(path, match.index)))
match.details.pop("macsecKeys")
match.details.pop("macsecKeys", None)

mso.sanitize(match.details)

@@ -382,17 +382,17 @@ def main():
if admin_state:
payload["adminState"] = admin_state
if cipher_suite:
mac_sec_param_map["cipherSuite"] = NDO_CIPHER_SUITE_MAP.get(cipher_suite)
mac_sec_param_map["cipherSuite"] = cipher_suite
if window_size:
mac_sec_param_map["windowSize"] = window_size
if security_policy:
mac_sec_param_map["securityPol"] = NDO_SECURITY_POLICY_MAP.get(security_policy)
mac_sec_param_map["securityPol"] = security_policy
if sak_expiry_time:
mac_sec_param_map["sakExpiryTime"] = sak_expiry_time

if interface_type == "access":
if confidentiality_offset:
mac_sec_param_map["confOffSet"] = "offset" + str(confidentiality_offset)
mac_sec_param_map["confOffSet"] = "offset{0}".format(confidentiality_offset)
if key_server_priority:
mac_sec_param_map["keyServerPrio"] = key_server_priority
payload["macsecParams"] = mac_sec_param_map
14 changes: 7 additions & 7 deletions tests/integration/targets/ndo_mac_sec_policy/tasks/main.yml
Original file line number Diff line number Diff line change
@@ -122,7 +122,7 @@

# UPDATE

# Only one mac_sec_key can be added during creation
# Only one mac_sec_keys can be added during creation
- name: Create another MACsec policy of interface_type 'access'
cisco.mso.ndo_mac_sec_policy: &add_mac_sec_policy_2
<<: *mso_info
@@ -137,7 +137,7 @@
confidentiality_offset: 50
key_server_priority: 11
interface_type: access
mac_sec_key:
mac_sec_keys:
- key_name: abc12
psk: 'AA111111111111111111111111111111111111111111111111111111111111aa'
start_time: '2029-12-11 11:12:13'
@@ -158,7 +158,7 @@
sak_expiry_time: 100
confidentiality_offset: 30
key_server_priority: 10
mac_sec_key:
mac_sec_keys:
- key_name: abc12
psk: 'AAabcdabcdabcdabcdabcdabcdabcdab'
start_time: '2029-12-11 11:12:13'
@@ -256,14 +256,14 @@
- nm_update_mac_sec_policy_uuid.previous.uuid == nm_update_mac_sec_policy_uuid.current.uuid
- nm_update_mac_sec_policy_uuid.current.uuid is defined

- name: Update the MACsec policy by removing the mac_sec_key
- name: Update the MACsec policy by removing the mac_sec_keys
cisco.mso.ndo_mac_sec_policy:
<<: *update_mac_sec_policy
mac_sec_key: []
mac_sec_keys: []
state: present
register: rm_update_mac_sec_policy_key

- name: Assert that the MACsec policy was updated by removing the mac_sec_key
- name: Assert that the MACsec policy was updated by removing the mac_sec_keys
assert:
that:
- rm_update_mac_sec_policy_key is changed
@@ -336,7 +336,7 @@
mac_sec_policy: ansible_mac_sec_policy_2
description: 'Ansible MACsec Policy description'
interface_type: access
mac_sec_key:
mac_sec_keys:
- key_name: abc12
psk: 'AA111111111111111111111111111111111111111111111111111111111111aa'
start_time: 'wrong-time 11:12:13'