From 1a3e5f624a409a56900aacac8764ed162ddce68c Mon Sep 17 00:00:00 2001 From: Klaus Zerwes Date: Tue, 28 May 2024 23:01:36 +0200 Subject: [PATCH] Fix encalg and hashalg update (#71) * encryption-algorithm-options fixed * hash-algorithm-options fixed * only delete hashalgopt if match is defined * test files for encalg and hashalg * issue #69 hash-algorithm-option fixed * issue #69 INTERIM hash-algorithm-option fixed * issue #69 doc hash-algorithm-option fixed * issue #69 restore original encryption-algorithm-option reset causing error * issue #69 fix encryption-algorithm-option reset * typo * issue #69 - working with lxml <= 5.1.0 * issue #69 - working with lxml <= 5.1.0 * issue #69 - updated test for fix-encalg-and-hashalg * issue #69 - cleanup fix-encalg-and-hashalg * issue #69 - use lxml 5.1.0 for tests * issue #69 - linted * Revert "issue #69 - updated test for fix-encalg-and-hashalg" This reverts commit 777fcc7078ca5b40f4e2ffde024dd94658936296. --------- Co-authored-by: Klaus Zerwes --- .github/workflows/test.yml | 2 +- tasks/ipsecphase2.yml | 75 ++++++++++++---- test/ipsec-test1-04-encalg-expect.xml | 122 ++++++++++++++++++++++++++ test/ipsec-test1-04-encalg.xml | 110 +++++++++++++++++++++++ test/ipsec-test1-04-encalg.yml | 75 ++++++++++++++++ test/test.yml | 2 +- 6 files changed, 368 insertions(+), 18 deletions(-) create mode 100644 test/ipsec-test1-04-encalg-expect.xml create mode 100644 test/ipsec-test1-04-encalg.xml create mode 100644 test/ipsec-test1-04-encalg.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 719d19d..d718d94 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,7 +19,7 @@ jobs:
 - name: install requirements
 run: |
 python -m pip install --upgrade pip
- pip install ansible==9.2.0 ansible-core==2.16.3 lxml cryptography
+ pip install ansible==9.2.0 ansible-core==2.16.3 lxml==5.1.0 cryptography
 - name: run ansible test
 working-directory: ./test
 run: |
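Review bot: The pin `lxml==5.1.0` makes the workflow green but records nothing about why, and it means CI no longer exercises the lxml versions the commit message says the tasks break on ("working with lxml <= 5.1.0"), so anyone installing the role with a current lxml will hit issue #69 unseen by CI. Add a comment on the pinned line, `# lxml > 5.1.0 breaks the community.general.xml tasks in tasks/ipsecphase2.yml, see #69`, and state the constraint in the role's dependency documentation, which this commit does not touch. The install step's `run:` block continues outside the hunk.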
diff --git a/tasks/ipsecphase2.yml b/tasks/ipsecphase2.yml
index a08499c..9dc6bed 100644
--- a/tasks/ipsecphase2.yml
+++ b/tasks/ipsecphase2.yml
@@ -57,6 +57,39 @@
 count: true
 register: eao_count
+- name: debug eao_count
+ ansible.builtin.debug:
+ var: eao_count
+ verbosity: 1
+
+- name: "IPSec ike phase2 {{ uniqid }} get defined encryption-algorithm-options for ikeid {{ ikeid }} from xml"
+ delegate_to: localhost
+ community.general.xml:
+ path: "{{ local_config_path }}"
+ xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option/name"
+ content: text
+ register: eao_matches
+ when: eao_count.count > 0
+
+- name: debug eao_matches
+ ansible.builtin.debug:
+ var: eao_matches
+ verbosity: 1
+ when: eao_matches is defined
+
+- name: "IPSec ike phase2 {{ uniqid }} get defined list of encryption-algorithm-options for ikeid {{ ikeid }}"
+ ansible.builtin.set_fact:
+ eao_list: "{{ eao_matches.matches | list | map(attribute='name') | list | flatten }}"
+ when:
+ - eao_matches is defined
+ - eao_matches.matches is defined
+
+- name: debug eao_list
+ ansible.builtin.debug:
+ var: eao_list
+ verbosity: 1
+ when: eao_list is defined
+
 - name: "IPSec ike phase2 {{ uniqid }} get encryption-algorithm-options for ikeid {{ ikeid }}"
 delegate_to: localhost
 community.general.xml:
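Review bot: `eao_list` is only (re)assigned in the `get defined list` task when `eao_matches.matches` is defined, but a fact set with `set_fact` persists for the host, so when this file is included once per phase2 entry and the current `ikeid`/`uniqid` has no `encryption-algorithm-option` elements, `eao_list` still holds the previous entry's names; the consumer of `eao_list` is outside this hunk, so whether that leaks into the reset decision cannot be confirmed here. Resetting it before the lookup (a `set_fact` with `eao_list: []`) removes the dependency on iteration order. `eao_matches` has the same persistence, but after the first skip it is a skipped result without `matches`, which the `eao_matches.matches is defined` guard already covers. The three new `debug …` task names carry no `{{ uniqid }}` unlike the surrounding tasks, so `-v` output from consecutive entries is hard to attribute; `debug eao_list for {{ uniqid }}` would fix that.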
@@ -74,12 +107,13 @@
 verbosity: 1
 when: encalgopt is defined
-- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
+- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (1)"
 ansible.builtin.set_fact:
 encalgopt_reset: true
 when:
- - eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options']|length)
-- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }}"
+ - eao_count.count != (ipsecphasevar2[uniqid]['encryption-algorithm-options'] | length)
+
+- name: "IPSec ike phase2 {{ uniqid }} check reset of encryption-algorithm-options for ikeid {{ ikeid }} (2)"
 ansible.builtin.set_fact:
 encalgopt_reset: true
 when:
@@ -93,16 +127,16 @@
 verbosity: 1
 when: encalgopt_reset is defined
-- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }}"
+- name: "IPSec ike phase2 {{ uniqid }} reset encryption-algorithm-options for ikeid {{ ikeid }} ..."
 delegate_to: localhost
+ # debugger: on_failed
 community.general.xml:
 path: "{{ local_config_path }}"
 xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option"
 state: absent
 pretty_print: true
- with_items:
- - "{{ ipsecphasevar2[uniqid]['encryption-algorithm-options'] | default([]) }}"
- when: encalgopt_reset | default(false)
+ when:
+ - encalgopt_reset | default(false)
 - name: "IPSec ike phase2 {{ uniqid }} create encryption-algorithm-options for ikeid {{ ikeid }}" # noqa jinja[spacing]
 delegate_to: localhost
@@ -152,7 +186,7 @@
 verbosity: 1
 when: hashalgopt is defined
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (1)
 ansible.builtin.set_fact:
 change_hashalgopt: true
 with_items: "{{ hashalgopt.matches }}"
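Review bot: Both `check reset … (1)` and `(2)` only ever set `encalgopt_reset: true`, and nothing in this file's hunks sets it back to `false`; since `set_fact` facts persist for the host, once one phase2 entry triggers a reset every later entry handled by this file will also pass `encalgopt_reset | default(false)` in the reset task of the next hunk, unless the fact is cleared before the include (not visible here). The `register fact change_hashalgopt (1)/(2)/(3)` tasks in the last hunk of this file have the same shape. Also, check (1) indexes `ipsecphasevar2[uniqid]['encryption-algorithm-options']` without the `| default([])` the removed `with_items` line used, so an entry lacking that key would now fail the task instead of counting as zero; `(ipsecphasevar2[uniqid]['encryption-algorithm-options'] | default([]) | length)` keeps the old tolerance. The conditions of check (2) continue outside the hunk.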
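Review bot: The new `# debugger: on_failed` comment in the reset task is leftover debugging scaffolding (the same line is added to the hash-algorithm reset task in the last hunk of this file); either drop it or say why it stays, e.g. `# debugger: on_failed  # uncomment to inspect the xml module result when the reset fails`. The ` ...` appended to the task name is likewise noise in the play output with no counterpart on the other tasks. The single-item `when:` list could stay `when: encalgopt_reset | default(false)`, matching the form used by the neighbouring tasks.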
@@ -164,29 +198,38 @@
 or (ipsecphasevar2[uniqid]['hash-algorithm-options']|length)
 != (hashalgopt.matches|length))
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (2)
 ansible.builtin.set_fact:
 change_hashalgopt: true
- with_items: "{{ hashalgopt.matches }}"
 when:
 - hashalgopt_count.count == 0
- - hashalgopt is defined
- - hashalgopt.matches is defined
- - ipsecphasevar2[uniqid]['hash-algorithm-options']|length > 0
+ - ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
-- name: register fact change_hashalgopt
+- name: register fact change_hashalgopt (3)
 ansible.builtin.set_fact:
 change_hashalgopt: true
- when: hashalgopt_count.count == 0 and ipsecphasevar2[uniqid]['hash-algorithm-options'] | length > 0
+ when:
+ - hashalgopt_count.count > 0
+ - ipsecphasevar2[uniqid]['hash-algorithm-options'] | length == 0
+
+- name: debug change_hashalgopt
+ ansible.builtin.debug:
+ var: change_hashalgopt
+ verbosity: 1
+ when: change_hashalgopt is defined
 - name: "IPSec ike phase2 {{ uniqid }} reset hash-algorithm-options for ikeid {{ ikeid }}"
 delegate_to: localhost
+ # debugger: on_failed
 community.general.xml:
 path: "{{ local_config_path }}"
 xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/hash-algorithm-option"
 state: absent
 pretty_print: true
- when: change_hashalgopt | default(False)
+ when:
+ - change_hashalgopt | default(false)
+ - hashalgopt is defined
+ - hashalgopt.matches is defined
 - name: "IPSec ike phase2 {{ uniqid }} hash-algorithm-options for ikeid {{ ikeid }}"
 delegate_to: localhost
diff --git a/test/ipsec-test1-04-encalg-expect.xml b/test/ipsec-test1-04-encalg-expect.xml
new file mode 100644
index 0000000..8da222d
--- /dev/null
+++ b/test/ipsec-test1-04-encalg-expect.xml
@@ -0,0 +1,122 @@ + + + + + + 1 + 1 + 1 + 192.168.0.0/24 + + 1 + s2s test + ikev1 + wan + main + inet + auto + localhost + fqdn + fw02 + 28800 + 61546da45fbc3 + 5ef9c5881c158 + rsasig + on + start + 2 + md5,sha1 + + fw02 + 10 + 5 + restart + + aes + 256 + + + + 1 + eea1dcb2e051a + 1 + tunnel + 2 + 3600 + esp + 10.0.0.1 + 10.0.0.0/12 + 1 + + lan + + + network +
10.0.0.0
+ 12 +
+ + aes192 + + + aes128gcm16 + + hmac_sha256 + hmac_sha512 +
+ + 1 + e471b7299c8c1 + tunnel + 2 + 3600 + esp + 10.128.0.1 + 10.128.0.0/12 + 2 + + lan + + + network +
10.128.0.0
+ 12 +
+ + aes192 + + + aes128gcm16 + + hmac_sha256 + hmac_sha512 +
+ + 1 + e98f78c414ece + tunnel + 2 + 3600 + esp + 10.224.0.1 + 10.224.0.0/12 + 3 + + lan + + + network +
10.224.0.0
+ 12 +
+ + aes192 + + + aes128gcm16 + + hmac_sha256 + hmac_sha512 +
+
+
diff --git a/test/ipsec-test1-04-encalg.xml b/test/ipsec-test1-04-encalg.xml new file mode 100644 index 0000000..43ad283 --- /dev/null +++ b/test/ipsec-test1-04-encalg.xml @@ -0,0 +1,110 @@ + + + + + + 1 + 1 + 1 + 192.168.0.0/24 + + 1 + s2s test + ikev1 + wan + main + inet + auto + localhost + fqdn + fw02 + 28800 + 61546da45fbc3 + 5ef9c5881c158 + rsasig + on + start + 2 + md5,sha1 + + fw02 + 10 + 5 + restart + + aes + 256 + + + + 1 + eea1dcb2e051a + 1 + tunnel + 2 + 3600 + esp + 10.0.0.1 + 10.0.0.0/12 + 1 + + lan + + + network +
10.0.0.0
+ 12 +
+ + aes256 + + hmac_sha1 +
+ + 1 + e471b7299c8c1 + tunnel + 2 + 3600 + esp + 10.128.0.1 + 10.128.0.0/12 + 2 + + lan + + + network +
10.128.0.0
+ 12 +
+ + aes256 + + hmac_sha1 +
+ + 1 + e98f78c414ece + tunnel + 2 + 3600 + esp + 10.224.0.1 + 10.224.0.0/12 + 3 + + lan + + + network +
10.224.0.0
+ 12 +
+ + aes256 + + hmac_sha1 +
+
+
diff --git a/test/ipsec-test1-04-encalg.yml b/test/ipsec-test1-04-encalg.yml
new file mode 100644
index 0000000..5760102
--- /dev/null
+++ b/test/ipsec-test1-04-encalg.yml
@@ -0,0 +1,75 @@
+---
+opn_ipsec:
+ enable: 1
+ ipsec_asn: 1
+ ipsec_chd: 1
+ passthrough_networks: "192.168.0.0/24"
+ ikeids: # key is the ikeid
+ 1:
+ phase1:
+ descr: s2s test
+ iketype: ikev1
+ interface: wan
+ mode: main
+ protocol: inet
+ myid_type: auto
+ myid_data: "{{ inventory_hostname }}"
+ peerid_type: fqdn
+ peerid_data: fw02
+ encryption-algorithm:
+ name: aes
+ keylen: 256
+ lifetime: 28800
+ certref: 61546da45fbc3
+ caref: 5ef9c5881c158
+ authentication_method: rsasig
+ nat_traversal: "on"
+ auto: start
+ dhgroup: 2
+ hash-algorithm: md5,sha1
+ private-key:
+ remote-gateway: fw02
+ dpd_delay: 10
+ dpd_maxfail: 5
+ dpd_action: restart
+ phase2_defaults: # common settings for all phase2 elements in this ikeid
+ disabled: 0 # ensure all tunnels are enabled as long as they are not explicitly disabled
+ mode: tunnel
+ pfsgroup: 2
+ lifetime: 3600
+ protocol: esp
+ localid:
+ type: lan
+ encryption-algorithm-options:
+ - name: aes192
+ - name: aes128gcm16
+ hash-algorithm-options:
+ - hmac_sha256
+ - hmac_sha512
+ phase2:
+ # key is the uniqid
+ eea1dcb2e051a:
+ pinghost: 10.0.0.1
+ descr: 10.0.0.0/12
+ disabled: 1 # this way you can disable a p2 entry without deleting it; a disabled p2 entry must be enabled by explicitly setting disabled: 0
+ remoteid:
+ type: network
+ address: 10.0.0.0
+ netbits: 12
+ reqid: 1
+ e471b7299c8c1:
+ pinghost: 10.128.0.1
+ descr: 10.128.0.0/12
+ remoteid:
+ type: network
+ address: 10.128.0.0
+ netbits: 12
+ reqid: 2
+ e98f78c414ece:
+ pinghost: 10.224.0.1
+ descr: 10.224.0.0/12
+ remoteid:
+ type: network
+ address: 10.224.0.0
+ netbits: 12
+ reqid: 3
diff --git a/test/test.yml b/test/test.yml
index 54f80e2..b6e2e4f 100644
--- a/test/test.yml
+++ b/test/test.yml
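Review bot: `private-key:` with no value parses as YAML null rather than an empty string, so the role's handling of that key decides whether the expected XML gets an empty element or a rendered `None`; if an empty element is intended, write `private-key: ""` so the fixture states it, and if the key is unused in this test drop it. `nat_traversal: "on"` is correctly quoted (a bare `on` is a YAML 1.1 boolean), and `ikeids` keyed by the bare integer `1:` only works if the role looks the ikeid up as an int, which is not visible from this file.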
@@ -3,7 +3,7 @@
 - name: run test
 hosts: testhosts
 vars:
- ansible_python_interpreter: "/usr/bin/env python" # REQUIRED for guthub action
+ ansible_python_interpreter: "/usr/bin/env python" # REQUIRED for github action
 config_path: test/{{ inventory_hostname }}.xml
 local_config_path: cfg/{{ inventory_hostname }}.xml
 all_tests: {}