Fix encalg and hashalg update (#71)

* encryption-algorithm-options fixed

* hash-algorithm-options fixed

* only delete hashalgopt if match is defined

* test files for encalg and hashalg

* issue #69 hash-algorithm-option fixed

* issue #69 INTERIM hash-algorithm-option fixed

* issue #69 doc hash-algorithm-option fixed

* issue #69 restore original encryption-algorithm-option reset causing error

* issue #69 fix encryption-algorithm-option reset

* typo

* issue #69 - working with lxml <= 5.1.0

* issue #69 - working with lxml <= 5.1.0

* issue #69 - updated test for fix-encalg-and-hashalg

* issue #69 - cleanup fix-encalg-and-hashalg

* issue #69 - use lxml 5.1.0 for tests

* issue #69 - linted

* Revert "issue #69 - updated test for fix-encalg-and-hashalg"

This reverts commit 777fcc7.

---------

Co-authored-by: Klaus Zerwes <[email protected]>

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - name: install requirements
         run: |
           python -m pip install --upgrade pip
-          pip install ansible==9.2.0 ansible-core==2.16.3 lxml cryptography
+          pip install ansible==9.2.0 ansible-core==2.16.3 lxml==5.1.0 cryptography
       - name: run ansible test
         working-directory: ./test
         run: |

tasks/ipsecphase2.yml

@@ -57,6 +57,39 @@
     count: true
   register: eao_count
 
+- name: debug eao_count
+  ansible.builtin.debug:
+    var: eao_count
+    verbosity: 1
+
+- name: "IPSec ike phase2 {{ uniqid }} get defined encryption-algorithm-options for ikeid {{ ikeid }} from xml"
+  delegate_to: localhost
+  community.general.xml:
+    path: "{{ local_config_path }}"
+    xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option/name"
+    content: text
+  register: eao_matches
+  when: eao_count.count > 0
+
+- name: debug eao_matches
+  ansible.builtin.debug:
+    var: eao_matches
+    verbosity: 1
+  when: eao_matches is defined
+
+- name: "IPSec ike phase2 {{ uniqid }} get defined list of encryption-algorithm-options for ikeid {{ ikeid }}"
+  ansible.builtin.set_fact:
+    eao_list: "{{ eao_matches.matches | list | map(attribute='name') | list | flatten }}"
+  when:
+    - eao_matches is defined
+    - eao_matches.matches is defined
+
+- name: debug eao_list
+  ansible.builtin.debug:
+    var: eao_list
+    verbosity: 1
+  when: eao_list is defined
+
 - name: "IPSec ike phase2 {{ uniqid }} get encryption-algorithm-options for ikeid {{ ikeid }}"
   delegate_to: localhost
   community.general.xml:
@@ -74,12 +107,13 @@
     verbosity: 1
   when: encalgopt is defined
 
-- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
+- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (1)"
   ansible.builtin.set_fact:
     encalgopt_reset: true
   when:
-    - eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options']|length)
-- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
+    - eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options'] | length)
+
+- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (2)"
   ansible.builtin.set_fact:
     encalgopt_reset: true
   when:
@@ -93,16 +127,16 @@
     verbosity: 1
   when: encalgopt_reset is defined
 
-- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }}"
+- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }} ..."
   delegate_to: localhost
+  # debugger: on_failed
   community.general.xml:
     path: "{{ local_config_path }}"
     xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option"
     state: absent
     pretty_print: true
-  with_items:
-    - "{{ ipsecphasevar2[uniqid]['encryption-algorithm-options'] | default([]) }}"
-  when: encalgopt_reset | default(false)
+  when:
+    - encalgopt_reset | default(false)
 
 - name: "IPSec ike phase2 {{ uniqid }} create encryption-algorithm-options for ikeid {{ ikeid }}"  # noqa jinja[spacing]
   delegate_to: localhost
@@ -152,7 +186,7 @@
     verbosity: 1
   when: hashalgopt is defined
 
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (1)
   ansible.builtin.set_fact:
     change_hashalgopt: true
   with_items: "{{ hashalgopt.matches }}"
@@ -164,29 +198,38 @@
       or
       (ipsecphasevar2[uniqid]['hash-algorithm-options']|length) != (hashalgopt.matches|length))
 
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (2)
   ansible.builtin.set_fact:
     change_hashalgopt: true
-  with_items: "{{ hashalgopt.matches }}"
   when:
     - hashalgopt_count.count == 0
-    - hashalgopt is defined
-    - hashalgopt.matches is defined
-    - ipsecphasevar2[uniqid]['hash-algorithm-options']|length > 0
+    - ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
 
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (3)
   ansible.builtin.set_fact:
     change_hashalgopt: true
-  when: hashalgopt_count.count == 0 and ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
+  when:
+    - hashalgopt_count.count > 0
+    - ipsecphasevar2[uniqid]['hash-algorithm-options'] | length == 0
+
+- name: debug change_hashalgopt
+  ansible.builtin.debug:
+    var: change_hashalgopt
+    verbosity: 1
+  when: change_hashalgopt is defined
 
 - name: "IPSec ike phase2 {{ uniqid }} reset hash-algorithm-options for ikeid {{ ikeid }}"
   delegate_to: localhost
+  # debugger: on_failed
   community.general.xml:
     path: "{{ local_config_path }}"
     xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/hash-algorithm-option"
     state: absent
     pretty_print: true
-  when: change_hashalgopt | default(False)
+  when:
+    - change_hashalgopt | default(false)
+    - hashalgopt is defined
+    - hashalgopt.matches is defined
 
 - name: "IPSec ike phase2 {{ uniqid }} hash-algorithm-options for ikeid {{ ikeid }}"
   delegate_to: localhost

test/ipsec-test1-04-encalg-expect.xml

@@ -0,0 +1,122 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+  <system>
+  </system>
+  <ipsec>
+    <enable>1</enable>
+    <ipsec_asn>1</ipsec_asn>
+    <ipsec_chd>1</ipsec_chd>
+    <passthrough_networks>192.168.0.0/24</passthrough_networks>
+    <phase1>
+      <ikeid>1</ikeid>
+      <descr>s2s test</descr>
+      <iketype>ikev1</iketype>
+      <interface>wan</interface>
+      <mode>main</mode>
+      <protocol>inet</protocol>
+      <myid_type>auto</myid_type>
+      <myid_data>localhost</myid_data>
+      <peerid_type>fqdn</peerid_type>
+      <peerid_data>fw02</peerid_data>
+      <lifetime>28800</lifetime>
+      <certref>61546da45fbc3</certref>
+      <caref>5ef9c5881c158</caref>
+      <authentication_method>rsasig</authentication_method>
+      <nat_traversal>on</nat_traversal>
+      <auto>start</auto>
+      <dhgroup>2</dhgroup>
+      <hash-algorithm>md5,sha1</hash-algorithm>
+      <private-key/>
+      <remote-gateway>fw02</remote-gateway>
+      <dpd_delay>10</dpd_delay>
+      <dpd_maxfail>5</dpd_maxfail>
+      <dpd_action>restart</dpd_action>
+      <encryption-algorithm>
+        <name>aes</name>
+        <keylen>256</keylen>
+      </encryption-algorithm>
+    </phase1>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>eea1dcb2e051a</uniqid>
+      <disabled>1</disabled>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.0.0.1</pinghost>
+      <descr>10.0.0.0/12</descr>
+      <reqid>1</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.0.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes192</name>
+      </encryption-algorithm-option>
+      <encryption-algorithm-option>
+        <name>aes128gcm16</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
+      <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e471b7299c8c1</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.128.0.1</pinghost>
+      <descr>10.128.0.0/12</descr>
+      <reqid>2</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.128.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes192</name>
+      </encryption-algorithm-option>
+      <encryption-algorithm-option>
+        <name>aes128gcm16</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
+      <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e98f78c414ece</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.224.0.1</pinghost>
+      <descr>10.224.0.0/12</descr>
+      <reqid>3</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.224.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes192</name>
+      </encryption-algorithm-option>
+      <encryption-algorithm-option>
+        <name>aes128gcm16</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
+      <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
+    </phase2>
+  </ipsec>
+</opnsense>

test/ipsec-test1-04-encalg.xml

@@ -0,0 +1,110 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<opnsense>
+  <system>
+  </system>
+  <ipsec>
+    <enable>1</enable>
+    <ipsec_asn>1</ipsec_asn>
+    <ipsec_chd>1</ipsec_chd>
+    <passthrough_networks>192.168.0.0/24</passthrough_networks>
+    <phase1>
+      <ikeid>1</ikeid>
+      <descr>s2s test</descr>
+      <iketype>ikev1</iketype>
+      <interface>wan</interface>
+      <mode>main</mode>
+      <protocol>inet</protocol>
+      <myid_type>auto</myid_type>
+      <myid_data>localhost</myid_data>
+      <peerid_type>fqdn</peerid_type>
+      <peerid_data>fw02</peerid_data>
+      <lifetime>28800</lifetime>
+      <certref>61546da45fbc3</certref>
+      <caref>5ef9c5881c158</caref>
+      <authentication_method>rsasig</authentication_method>
+      <nat_traversal>on</nat_traversal>
+      <auto>start</auto>
+      <dhgroup>2</dhgroup>
+      <hash-algorithm>md5,sha1</hash-algorithm>
+      <private-key/>
+      <remote-gateway>fw02</remote-gateway>
+      <dpd_delay>10</dpd_delay>
+      <dpd_maxfail>5</dpd_maxfail>
+      <dpd_action>restart</dpd_action>
+      <encryption-algorithm>
+        <name>aes</name>
+        <keylen>256</keylen>
+      </encryption-algorithm>
+    </phase1>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>eea1dcb2e051a</uniqid>
+      <disabled>1</disabled>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.0.0.1</pinghost>
+      <descr>10.0.0.0/12</descr>
+      <reqid>1</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.0.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e471b7299c8c1</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.128.0.1</pinghost>
+      <descr>10.128.0.0/12</descr>
+      <reqid>2</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.128.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+    <phase2>
+      <ikeid>1</ikeid>
+      <uniqid>e98f78c414ece</uniqid>
+      <mode>tunnel</mode>
+      <pfsgroup>2</pfsgroup>
+      <lifetime>3600</lifetime>
+      <protocol>esp</protocol>
+      <pinghost>10.224.0.1</pinghost>
+      <descr>10.224.0.0/12</descr>
+      <reqid>3</reqid>
+      <localid>
+        <type>lan</type>
+      </localid>
+      <remoteid>
+        <type>network</type>
+        <address>10.224.0.0</address>
+        <netbits>12</netbits>
+      </remoteid>
+      <encryption-algorithm-option>
+        <name>aes256</name>
+      </encryption-algorithm-option>
+      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
+    </phase2>
+  </ipsec>
+</opnsense>