[tests/plays] Move playbook tests to tests/plays and update

pfsensible · Jan 5, 2024 · cce890f · cce890f
1 parent b396bdb
commit cce890f
Show file tree

Hide file tree

Showing 15 changed files with 125 additions and 22 deletions.
diff --git a/tests/plays/README.md b/tests/plays/README.md
@@ -0,0 +1,11 @@
+# Testing pfsensible/core with plays
+
+You must checkout this repository into a path of the form ../ansible_collections/pfsensible/core/.
+
+The following collection dependencies are needed:
+ * ansible.utils
+
+You will need a fresh pfSense install available as `pfsense-test` or adjust the `hosts` file as needed.
+You need to be able to ssh to it as `root` without a password or use `--ask-pass`.
+
+Update `host_vars/pfsense-test.yml` with IP addresses of your test pfSense install.
diff --git a/tests/plays/ansible.cfg b/tests/plays/ansible.cfg
@@ -0,0 +1,7 @@
+# config file for ansible -- https://ansible.com/
+# ===============================================
+
+[defaults]
+inventory      = hosts
+collections_paths = ../../../..
+remote_user = root
diff --git a/tests/plays/host_vars/pfsense-test.yml b/tests/plays/host_vars/pfsense-test.yml
@@ -0,0 +1,4 @@
+---
+# IP address of the interfaces
+interface_ips:
+  wan: 192.168.122.228
diff --git a/tests/plays/hosts b/tests/plays/hosts
@@ -0,0 +1,2 @@
+[pfsense]
+pfsense-test
diff --git a/openvpn.yml → tests/plays/openvpn.yml b/openvpn.yml → tests/plays/openvpn.yml
@@ -195,6 +195,39 @@
         - openvpn
         - openvpn_psk
 
+    - name: Create OpenVPN Server generate
+      import_tasks: tasks/test_openvpn_server_create.yml
+      vars:
+        openvpn_server_args:
+          name: OpenVPN Server generate
+          mode: server_tls_user
+          authmode:
+            - RADIUS
+          interface: wan
+          local_port: 1197
+          tls: generate
+          tls_type: auth
+          ca: OpenVPN CA
+          cert: pfsense-test
+          data_ciphers:
+            - AES-256-GCM
+            - AES-128-GCM
+            - AES-256-CBC
+          tunnel_network: 10.100.1.0/24
+          compression: ""
+          gwredir: yes
+          passtos: yes
+          dns_domain: example.com
+          dns_server1: 10.10.10.10
+          dns_server2: 10.10.10.11
+          custom_options: |-
+            tls-version-min 1.2;
+          username_as_common_name: no
+        openvpn_server_vpnid: 4
+      tags:
+        - openvpn
+        - openvpn_generate
+
     - name: Create OpenVPN override vpnuser
       import_tasks: tasks/test_openvpn_override_create.yml
       vars:
@@ -282,6 +315,34 @@
         - openvpn
         - openvpn_override
 
+    - name: Delete VPN1 interfce (fails)
+      pfsensible.core.pfsense_interface:
+        descr: VPN1
+        state: absent
+      register: interface
+      failed_when: interface.msg != "The interface is part of the group VPN. Please remove it from the group first."
+      tags:
+        - openvpn
+        - openvpn_interface_delete
+
+    - name: Delete OpenVPN Server 1 (fails)
+      pfsensible.core.pfsense_openvpn_server:
+        name: OpenVPN Server 1
+        state: absent
+      tags:
+        - openvpn
+        - openvpn_delete
+      register: openvpn_server
+      failed_when: openvpn_server.msg != "Cannot delete the OpenVPN instance while the interface ovpns1 is assigned. Remove the interface assignment first."
+
+    - name: Delete VPN interface_group
+      pfsensible.core.pfsense_interface_group:
+        name: VPN
+        state: absent
+      tags:
+        - openvpn
+        - openvpn_interface_delete
+
     - name: Delete OpenVPN Server 1
       import_tasks: tasks/test_openvpn_server_delete.yml
       vars:
@@ -311,3 +372,13 @@
       tags:
         - openvpn
         - openvpn_delete
+
+    - name: Delete OpenVPN Server generate
+      import_tasks: tasks/test_openvpn_server_delete.yml
+      vars:
+        openvpn_server_args:
+          name: OpenVPN Server generate
+        openvpn_server_vpnid: 4
+      tags:
+        - openvpn
+        - openvpn_delete
diff --git a/tasks/test_interface_create.yml → tests/plays/tasks/test_interface_create.yml b/tasks/test_interface_create.yml → tests/plays/tasks/test_interface_create.yml
@@ -1,17 +1,19 @@
 ---
-    - name: "Define {{ interface_args.name }}"
+    - name: "Define {{ interface_args.descr }}"
       pfsensible.core.pfsense_interface: "{{ interface_args }}"
       register: interface
 
     - fail:
         msg: Interface ifname {{ interface.ifname }} does not match expected value {{ interface_ifname }}
       when: interface.ifname != interface_ifname
 
-    - command: /sbin/ifconfig {{ interface_args.interface }}
+    - name: Get interface configuration for {{ interface_args.interface }}
+      command: /sbin/ifconfig {{ interface_args.interface }}
       changed_when: no
       register: ifconfig
 
-    - set_fact:
+    - name: Get interface description
+      set_fact:
         if_description: "{{ ifconfig.stdout_lines | select('search', 'description:') | map('regex_replace', '^\\s*description:\\s*', '') | first }}"
 
     - fail:

diff --git a/tasks/test_interface_group_create.yml → ...ays/tasks/test_interface_group_create.yml b/tasks/test_interface_group_create.yml → ...ays/tasks/test_interface_group_create.yml
diff --git a/.../test_interface_group_ifconfig_groups.yml → .../test_interface_group_ifconfig_groups.yml b/.../test_interface_group_ifconfig_groups.yml → .../test_interface_group_ifconfig_groups.yml
diff --git a/tasks/test_openvpn_override_create.yml → ...ys/tasks/test_openvpn_override_create.yml b/tasks/test_openvpn_override_create.yml → ...ys/tasks/test_openvpn_override_create.yml
diff --git a/tasks/test_openvpn_override_delete.yml → ...ys/tasks/test_openvpn_override_delete.yml b/tasks/test_openvpn_override_delete.yml → ...ys/tasks/test_openvpn_override_delete.yml
diff --git a/tasks/test_openvpn_override_file_exists.yml → ...sks/test_openvpn_override_file_exists.yml b/tasks/test_openvpn_override_file_exists.yml → ...sks/test_openvpn_override_file_exists.yml
diff --git a/tasks/test_openvpn_server_create.yml → ...lays/tasks/test_openvpn_server_create.yml b/tasks/test_openvpn_server_create.yml → ...lays/tasks/test_openvpn_server_create.yml
@@ -11,30 +11,35 @@
     - wait_for:
         path: "/var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn"
 
-    - slurp:
+    - name: Retrieve config.ovpn
+      slurp:
         src: "/var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn"
       register: openvpn_config_file
 
-    - debug: msg="{{ openvpn_config_file['content'] | b64decode }}"
+    - name: Contents of config.ovpn
+      debug: msg="{{ openvpn_config_file['content'] | b64decode }}"
 
-    - template:
+    - name: Check if config.ovpn matches expected content
+      template:
         src: openvpn-server-config.ovpn.j2
         dest: /var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn
         owner: root
         group: wheel
         mode: 0600
-      check_mode: yes
+      check_mode: true
+      diff: true
       register: config
 
     - fail:
         msg: OpenVPN config files differ
       when: config.changed
 
     # TODO - Use community.general.pids with pattern (need version 3.0.0)
-    - shell: "ps xo command | grep '/openvpn --config /var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn' | grep -v grep"
+    - name: Check if openvpn server is running
+      shell: "ps xo command | grep '/openvpn --config /var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn' | grep -v grep"
       register: openvpn_server_process
-      ignore_errors: yes
-      changed_when: no
+      ignore_errors: true
+      changed_when: false
 
     - fail:
         msg: OpenVPN server process is not running

diff --git a/tasks/test_openvpn_server_delete.yml → ...lays/tasks/test_openvpn_server_delete.yml b/tasks/test_openvpn_server_delete.yml → ...lays/tasks/test_openvpn_server_delete.yml
@@ -9,12 +9,14 @@
         msg: OpenVPN server vpnid {{ openvpn_server.vpnid }} does not match expected value {{ openvpn_server_vpnid }}
       when: openvpn_server.vpnid != openvpn_server_vpnid
 
-    - wait_for:
+    - name: Wait for config.ovpn to be removed
+      wait_for:
         path: "/var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn"
         state: absent
 
     # TODO - Use community.general.pids with pattern (need version 3.0.0)
-    - shell: "ps xo command | grep '/openvpn --config /var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn' | grep -v grep"
+    - name: Check for running openvpn server
+      shell: "ps xo command | grep '/openvpn --config /var/etc/openvpn/server{{ openvpn_server.vpnid }}/config.ovpn' | grep -v grep"
       ignore_errors: yes
       register: openvpn_server_process
       changed_when: no

diff --git a/templates/openvpn-override.j2 → tests/plays/templates/openvpn-override.j2 b/templates/openvpn-override.j2 → tests/plays/templates/openvpn-override.j2
@@ -1,8 +1,8 @@
 {% if openvpn_override_args.tunnel_network is defined %}
-ifconfig {{ openvpn_override_args.tunnel_network | nthhost(1) }} {{ openvpn_override_args.tunnel_network | nthhost(2) }}
+ifconfig {{ openvpn_override_args.tunnel_network | ansible.utils.nthhost(1) }} {{ openvpn_override_args.tunnel_network | ansible.utils.nthhost(2) }}
 {% endif %}
 {% if openvpn_override_args.remote_network is defined %}
-route {{ openvpn_override_args.remote_network | ipaddr('network') }} {{ openvpn_override_args.remote_network | ipaddr('netmask') }}
+route {{ openvpn_override_args.remote_network | ansible.utils.ipaddr('network') }} {{ openvpn_override_args.remote_network | ansible.utils.ipaddr('netmask') }}
 {% endif %}
 {% if openvpn_override_args.gwredir is defined and openvpn_override_args.gwredir %}
 push "redirect-gateway def1"

diff --git a/templates/openvpn-server-config.ovpn.j2 → ...s/templates/openvpn-server-config.ovpn.j2 b/templates/openvpn-server-config.ovpn.j2 → ...s/templates/openvpn-server-config.ovpn.j2
@@ -1,5 +1,4 @@
 dev ovpns{{ openvpn_server.vpnid }}
-disable-dco
 verb {{ openvpn_server_args.verbosity_level if openvpn_server_args.verbosity_level is defined else '1' }}
 dev-type tun
 dev-node /dev/tun{{ openvpn_server.vpnid }}
@@ -23,15 +22,15 @@ client-disconnect /usr/local/sbin/openvpn.attributes.sh
 {% if openvpn_server_args.interface == 'any' %}
 multihome
 {% else %}
-local 192.168.122.227
+local {{ interface_ips[openvpn_server_args.interface] }}
 {% endif %}
 {% if 'tls' in openvpn_server_args.mode %}
 tls-server
 {% endif %}
 {% if 'p2p' in openvpn_server_args.mode %}
-ifconfig {{ openvpn_server_args.tunnel_network | nthhost(1) }} {{ openvpn_server_args.tunnel_network | nthhost(2) }}
+ifconfig {{ openvpn_server_args.tunnel_network | ansible.utils.nthhost(1) }} {{ openvpn_server_args.tunnel_network | ansible.utils.nthhost(2) }}
 {% else %}
-server 10.100.0.0 255.255.255.0
+server {{ openvpn_server_args.tunnel_network | ansible.utils.ipaddr('network') }} {{ openvpn_server_args.tunnel_network | ansible.utils.ipaddr('netmask') }}
 {% endif %}
 {% if 'user' in openvpn_server_args.mode %}
 client-config-dir /var/etc/openvpn/server{{ openvpn_server.vpnid }}/csc
@@ -48,12 +47,12 @@ tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsense-test' 1"
 lport {{ openvpn_server_args.local_port }}
 management /var/etc/openvpn/server{{ openvpn_server.vpnid }}/sock unix
 {% if 'user' in openvpn_server_args.mode %}
-push "dhcp-option DOMAIN example.com"
-push "dhcp-option DNS 10.10.10.10"
-push "dhcp-option DNS 10.10.10.11"
+push "dhcp-option DOMAIN {{ openvpn_server_args.dns_domain }}"
+push "dhcp-option DNS {{ openvpn_server_args.dns_server1 }}"
+push "dhcp-option DNS {{ openvpn_server_args.dns_server2 }}"
 {% endif %}
 {% if openvpn_server_args.remote_network is defined %}
-route {{ openvpn_server_args.remote_network | ipaddr('network') }} {{ openvpn_server_args.remote_network | ipaddr('netmask') }}
+route {{ openvpn_server_args.remote_network | ansible.utils.ipaddr('network') }} {{ openvpn_server_args.remote_network | ansible.utils.ipaddr('netmask') }}
 {% endif %}
 {% if 'shared_key' in openvpn_server_args.mode %}
 secret /var/etc/openvpn/server{{ openvpn_server.vpnid }}/secret