From 85eeea157574c4034e60df6ab39bf3196a70bfdd Mon Sep 17 00:00:00 2001 From: anvitha-jain Date: Thu, 3 Oct 2024 07:21:56 -0700 Subject: [PATCH] [ignore_changes] Added comments for mac_sec_keys. --- plugins/module_utils/constants.py | 13 ++++- plugins/modules/ndo_mac_sec_policy.py | 50 +++++++++---------- .../targets/ndo_mac_sec_policy/tasks/main.yml | 14 +++--- 3 files changed, 43 insertions(+), 34 deletions(-) diff --git a/plugins/module_utils/constants.py b/plugins/module_utils/constants.py index 84a64a12..2e24247b 100644 --- a/plugins/module_utils/constants.py +++ b/plugins/module_utils/constants.py @@ -25,8 +25,17 @@ NDO_API_VERSION_FORMAT = "/mso/api/{api_version}" NDO_API_VERSION_PATH_FORMAT = "/mso/api/{api_version}/{path}" -NDO_CIPHER_SUITE_MAP = {"128_gcm_aes": "128GcmAes", "128_gcm_aes_xpn": "128GcmAesXpn", "256_gcm_aes": "256GcmAes", "256_gcm_aes_xpn": "256GcmAesXpn"} -NDO_SECURITY_POLICY_MAP = {"should_secure": "shouldSecure", "must_secure": "mustSecure"} +NDO_CIPHER_SUITE_MAP = { + "128_gcm_aes": "128GcmAes", + "128_gcm_aes_xpn": "128GcmAesXpn", + "256_gcm_aes": "256GcmAes", + "256_gcm_aes_xpn": "256GcmAesXpn", +} + +NDO_SECURITY_POLICY_MAP = { + "should_secure": "shouldSecure", + "must_secure": "mustSecure", +} EPG_U_SEG_ATTR_TYPE_MAP = { "ip": "ip", diff --git a/plugins/modules/ndo_mac_sec_policy.py b/plugins/modules/ndo_mac_sec_policy.py index e189a0a0..c95ef1fe 100644 --- a/plugins/modules/ndo_mac_sec_policy.py +++ b/plugins/modules/ndo_mac_sec_policy.py @@ -93,9 +93,11 @@ - The default value 16 for type C(access). - This parameter is only available for type C(access). type: int - mac_sec_key: + mac_sec_keys: description: - List of the MACSec Keys. + - Providing an empty list will remove the O(mac_sec_keys) from the MACSec Policy. + - The old O(mac_sec_keys) entries will be replaced with the new entries during update. type: list elements: dict suboptions: 
@@ -138,7 +140,7 @@ """ EXAMPLES = r""" -- name: Create a new MACSec Policy of interface_type fabric +- name: Create a new MACSec Policy of interface_type fabric cisco.mso.ndo_mac_sec_policy: host: mso_host username: admin @@ -156,7 +158,7 @@ template: ansible_test_template mac_sec_policy: ansible_test_mac_sec_policy description: "Ansible Test MACSec Policy" - mac_sec_key: + mac_sec_keys: - key_name: ansible_test_key psk: 'AA111111111111111111111111111111111111111111111111111111111111aa' start_time: '2029-12-11 11:12:13' @@ -232,13 +234,13 @@ def main(): description=dict(type="str"), admin_state=dict(type="str", choices=["enabled", "disabled"]), interface_type=dict(type="str", choices=["fabric", "access"], default="fabric"), - cipher_suite=dict(type="str", choices=["128_gcm_aes", "128_gcm_aes_xpn", "256_gcm_aes", "256_gcm_aes_xpn"]), + cipher_suite=dict(type="str", choices=list(NDO_CIPHER_SUITE_MAP)), window_size=dict(type="int"), - security_policy=dict(type="str", choices=["should_secure", "must_secure"]), + security_policy=dict(type="str", choices=list(NDO_SECURITY_POLICY_MAP)), sak_expiry_time=dict(type="int"), confidentiality_offset=dict(type="int", choices=[0, 30, 50]), key_server_priority=dict(type="int"), - mac_sec_key=dict( + mac_sec_keys=dict( type="list", elements="dict", options=dict( @@ -257,7 +259,7 @@ def main(): argument_spec=argument_spec, supports_check_mode=True, required_if=[ - ["state", "present", ["mac_sec_policy"]], + ["state", "present", ["mac_sec_policy", "mac_sec_policy_uuid"], True], ["state", "absent", ["mac_sec_policy", "mac_sec_policy_uuid"], True], ], ) 
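Review bot: Renaming the option to `mac_sec_keys` in the argument spec of the `-232` hunk, with no alias visible, makes any playbook that still passes `mac_sec_key` fail argument validation. If the module has already shipped with the old name, keep it accepted with `aliases=["mac_sec_key"]` on the `mac_sec_keys=dict(...)` entry and list the alias in the DOCUMENTATION block. The `options=dict(` body continues past the end of this hunk, so whether an alias is declared after it cannot be seen here.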
@@ -270,13 +272,13 @@ def main(): description = module.params.get("description") admin_state = module.params.get("admin_state") interface_type = module.params.get("interface_type") - cipher_suite = module.params.get("cipher_suite") + cipher_suite = NDO_CIPHER_SUITE_MAP.get(module.params.get("cipher_suite")) window_size = module.params.get("window_size") - security_policy = module.params.get("security_policy") + security_policy = NDO_SECURITY_POLICY_MAP.get(module.params.get("security_policy")) sak_expiry_time = module.params.get("sak_expiry_time") confidentiality_offset = module.params.get("confidentiality_offset") key_server_priority = module.params.get("key_server_priority") - mac_sec_keys = module.params.get("mac_sec_key") + mac_sec_keys = module.params.get("mac_sec_keys") state = module.params.get("state") ops = [] @@ -302,8 +304,6 @@ def main(): if state == "present": - mso.existing = {} - if match: if mac_sec_policy and match.details.get("name") != mac_sec_policy: 
@@ -322,18 +322,16 @@ def main(): mso.fail_json(msg="Type cannot be changed for an existing MACSec Policy.") if cipher_suite and match.details.get("macsecParams")["cipherSuite"] != cipher_suite: - ops.append(dict(op="replace", path="{0}/{1}/macsecParams/cipherSuite".format(path, match.index), value=NDO_CIPHER_SUITE_MAP.get(cipher_suite))) - match.details["macsecParams"]["cipherSuite"] = NDO_CIPHER_SUITE_MAP.get(cipher_suite) + ops.append(dict(op="replace", path="{0}/{1}/macsecParams/cipherSuite".format(path, match.index), value=cipher_suite)) + match.details["macsecParams"]["cipherSuite"] = cipher_suite if window_size and match.details.get("macsecParams")["windowSize"] != window_size: ops.append(dict(op="replace", path="{0}/{1}/macsecParams/windowSize".format(path, match.index), value=window_size)) match.details["macsecParams"]["windowSize"] = window_size if security_policy and match.details.get("macsecParams")["securityPol"] != security_policy: - ops.append( - dict(op="replace", path="{0}/{1}/macsecParams/securityPol".format(path, match.index), value=NDO_SECURITY_POLICY_MAP.get(security_policy)) - ) - match.details["macsecParams"]["securityPol"] = NDO_SECURITY_POLICY_MAP.get(security_policy) + ops.append(dict(op="replace", path="{0}/{1}/macsecParams/securityPol".format(path, match.index), value=security_policy)) + match.details["macsecParams"]["securityPol"] = security_policy if sak_expiry_time and match.details.get("macsecParams")["sakExpiryTime"] != sak_expiry_time: ops.append(dict(op="replace", path="{0}/{1}/macsecParams/sakExpiryTime".format(path, match.index), value=sak_expiry_time)) 
@@ -342,15 +340,16 @@ def main(): if interface_type == "access": if confidentiality_offset and match.details.get("macsecParams")["confOffSet"] != confidentiality_offset: ops.append( - dict(op="replace", path="{0}/{1}/macsecParams/confOffSet".format(path, match.index), value="offset" + str(confidentiality_offset)) + dict(op="replace", path="{0}/{1}/macsecParams/confOffSet".format(path, match.index), value="offset{0}".format(confidentiality_offset)) ) - match.details["macsecParams"]["confOffSet"] = "offset" + str(confidentiality_offset) + match.details["macsecParams"]["confOffSet"] = "offset{0}".format(confidentiality_offset) if key_server_priority and match.details.get("macsecParams")["keyServerPrio"] != key_server_priority: ops.append(dict(op="replace", path="{0}/{1}/macsecParams/keyServerPrio".format(path, match.index), value=key_server_priority)) match.details["macsecParams"]["keyServerPrio"] = key_server_priority if mac_sec_keys: + # updating mac_sec_keys modifies the existing list with the new list mac_sec_keys_list = [] for mac_sec_key in mac_sec_keys: mac_sec_keys_list.append( @@ -362,12 +361,13 @@ def main(): ) ) - ops.append(dict(op="replace", path="{0}/{1}/macsecKeys".format(path, match.index), value=mac_sec_keys_list)) + if mac_sec_keys_list != match.details.get("macsecKeys", []): + ops.append(dict(op="replace", path="{0}/{1}/macsecKeys".format(path, match.index), value=mac_sec_keys_list)) match.details["macsecKeys"] = mac_sec_keys elif mac_sec_keys == []: # remove mac_sec_keys if the list is empty ops.append(dict(op="remove", path="{0}/{1}/macsecKeys".format(path, match.index))) - match.details.pop("macsecKeys") + match.details.pop("macsecKeys", None) mso.sanitize(match.details) 
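Review bot: The `confOffSet` guard in the `-342` hunk still compares the stored value with the raw integer option, `match.details.get("macsecParams")["confOffSet"] != confidentiality_offset`, while the value sent and written back is the string `"offset{0}".format(confidentiality_offset)`. Assuming the API returns the same `offsetN` form, the two never compare equal and a replace op is queued on every run; this is the same mismatch the commit fixes for `cipher_suite` and `security_policy` by mapping them up front. The truthiness test also skips the permitted choice `0` (the argument spec lists `choices=[0, 30, 50]`), both here and in the create branch's `if confidentiality_offset:` in the `-382` hunk. A guard such as `if confidentiality_offset is not None and match.details.get("macsecParams")["confOffSet"] != "offset{0}".format(confidentiality_offset):` would cover both cases. `main()` begins and ends outside this hunk.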
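Review bot: In the `-362` hunk the line after the new guard still records the raw option list, `match.details["macsecKeys"] = mac_sec_keys`, rather than the `mac_sec_keys_list` that was compared and sent. The state handed to `mso.sanitize(match.details)` therefore presumably carries module-option keys instead of the API shape; `match.details["macsecKeys"] = mac_sec_keys_list` keeps the two consistent. The guard itself only helps idempotency if the API returns each key's PSK exactly as submitted; if the PSK is masked or omitted in the response, the lists differ on every run and the replace op is always queued. Since these entries hold pre-shared keys and end up in `match.details`, confirm that the `psk` suboption is declared with `no_log=True`. Its declaration and the dict built inside the loop are outside the visible hunks.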
@@ -382,17 +382,17 @@ def main(): if admin_state: payload["adminState"] = admin_state if cipher_suite: - mac_sec_param_map["cipherSuite"] = NDO_CIPHER_SUITE_MAP.get(cipher_suite) + mac_sec_param_map["cipherSuite"] = cipher_suite if window_size: mac_sec_param_map["windowSize"] = window_size if security_policy: - mac_sec_param_map["securityPol"] = NDO_SECURITY_POLICY_MAP.get(security_policy) + mac_sec_param_map["securityPol"] = security_policy if sak_expiry_time: mac_sec_param_map["sakExpiryTime"] = sak_expiry_time if interface_type == "access": if confidentiality_offset: - mac_sec_param_map["confOffSet"] = "offset" + str(confidentiality_offset) + mac_sec_param_map["confOffSet"] = "offset{0}".format(confidentiality_offset) if key_server_priority: mac_sec_param_map["keyServerPrio"] = key_server_priority payload["macsecParams"] = mac_sec_param_map diff --git a/tests/integration/targets/ndo_mac_sec_policy/tasks/main.yml b/tests/integration/targets/ndo_mac_sec_policy/tasks/main.yml index 17e0c63b..55f92449 100644 --- a/tests/integration/targets/ndo_mac_sec_policy/tasks/main.yml +++ b/tests/integration/targets/ndo_mac_sec_policy/tasks/main.yml @@ -122,7 +122,7 @@ # UPDATE - # Only one mac_sec_key can be added during creation + # Only one mac_sec_keys can be added during creation - name: Create another MACsec policy of interface_type 'access' cisco.mso.ndo_mac_sec_policy: &add_mac_sec_policy_2 <<: *mso_info @@ -137,7 +137,7 @@ confidentiality_offset: 50 key_server_priority: 11 interface_type: access - mac_sec_key: + mac_sec_keys: - key_name: abc12 psk: 'AA111111111111111111111111111111111111111111111111111111111111aa' start_time: '2029-12-11 11:12:13' @@ -158,7 +158,7 @@ sak_expiry_time: 100 confidentiality_offset: 30 key_server_priority: 10 - mac_sec_key: + mac_sec_keys: - key_name: abc12 psk: 'AAabcdabcdabcdabcdabcdabcdabcdab' start_time: '2029-12-11 11:12:13' 
@@ -256,14 +256,14 @@ - nm_update_mac_sec_policy_uuid.previous.uuid == nm_update_mac_sec_policy_uuid.current.uuid - nm_update_mac_sec_policy_uuid.current.uuid is defined - - name: Update the MACsec policy by removing the mac_sec_key + - name: Update the MACsec policy by removing the mac_sec_keys cisco.mso.ndo_mac_sec_policy: <<: *update_mac_sec_policy - mac_sec_key: [] + mac_sec_keys: [] state: present register: rm_update_mac_sec_policy_key - - name: Assert that the MACsec policy was updated by removing the mac_sec_key + - name: Assert that the MACsec policy was updated by removing the mac_sec_keys assert: that: - rm_update_mac_sec_policy_key is changed @@ -336,7 +336,7 @@ mac_sec_policy: ansible_mac_sec_policy_2 description: 'Ansible MACsec Policy description' interface_type: access - mac_sec_key: + mac_sec_keys: - key_name: abc12 psk: 'AA111111111111111111111111111111111111111111111111111111111111aa' start_time: 'wrong-time 11:12:13'