From 2444e27ccecf3f2ebe8405254b64833d12ee495a Mon Sep 17 00:00:00 2001
From: Wen Liang
Date: Sun, 21 Feb 2021 11:18:00 -0500
Subject: [PATCH] wifi: Add Opportunistic Wireless Encryption (OWE) support
Enable WPA3 OWE support via:
```yaml
network_connections:
- name: wlan0
type: wireless
wireless:
ssid: "WIFI_SSID"
key_mgmt: "owe"
```
Integration test case was included for Fedora and CentOS. ( Failed in setting up the mock wifi on RHEL, so skipped the integration test on RHEL)
Signed-off-by: Wen Liang
---
.yamllint.yml | 2 +
README.md | 23 +++++++-
examples/wireless_wpa3_owe.yml | 12 ++++
.../network_lsr/argument_validator.py | 1 +
tests/ensure_provider_tests.py | 7 +++
tests/playbooks/tests_wireless_wpa3_owe.yml | 43 ++++++++++++++
tests/tasks/setup_mock_wifi_wpa3_owe.yml | 57 +++++++++++++++++++
tests/tasks/start_mock_wifi.yml | 31 ++++++++++
tests/tests_wireless_wpa3_owe_nm.yml | 22 +++++++
9 files changed, 195 insertions(+), 3 deletions(-)
create mode 100644 examples/wireless_wpa3_owe.yml
create mode 100644 tests/playbooks/tests_wireless_wpa3_owe.yml
create mode 100644 tests/tasks/setup_mock_wifi_wpa3_owe.yml
create mode 100644 tests/tasks/start_mock_wifi.yml
create mode 100644 tests/tests_wireless_wpa3_owe_nm.yml
diff --git a/.yamllint.yml b/.yamllint.yml
index b7d0a48..df2d7c8 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -23,3 +23,5 @@ rules:
 /tests/tests_team_plugin_installation_nm.yml
 /tests/tests_ethtool_coalesce_initscripts.yml
 /tests/tests_ethtool_ring_initscripts.yml
+ /tests/tests_wireless_wpa3_owe_nm.yml
+ /tests/tasks/setup_mock_wifi_wpa3_owe.yml
diff --git a/README.md b/README.md
index f73d621..19ca5dc 100644
--- a/README.md
+++ b/README.md
@@ -261,8 +261,8 @@ the ansible role.
 #### `type: wireless`
-The `wireless` type supports WPA-PSK (password) authentication and WPA-EAP (802.1x)
-authentication.
+The `wireless` type supports WPA-PSK (password) authentication, WPA-EAP (802.1x)
+authentication, and Enhanced Open (OWE).
 `nm` (NetworkManager) is the only supported `network_provider` for this type.
@@ -272,7 +272,13 @@ If WPA-EAP is used, ieee802_1x settings must be defined in the
 The following options are supported:
 - `ssid`: the SSID of the wireless network (required)
-- `key_mgmt`: `wpa-psk` or `wpa-eap` (required)
+- `key_mgmt` (required)
+
+ Any key from following key list:
+ - `owe`
+ - `wpa-eap`
+ - `wpa-psk`
+
 - `password`: password for the network (required if `wpa-psk` is used)
 ### `autoconnect`
@@ -845,6 +851,17 @@ network_connections:
 domain_suffix_match: example.com
 ```
+Configuring Enhanced Open(OWE):
+
+```yaml
+network_connections:
+ - name: wlan0
+ type: wireless
+ wireless:
+ ssid: "WIFI_SSID"
+ key_mgmt: "owe"
+```
+
 ### Invalid and Wrong Configuration
 The `network` role rejects invalid configurations. It is recommended to test the role
diff --git a/examples/wireless_wpa3_owe.yml b/examples/wireless_wpa3_owe.yml
new file mode 100644
index 0000000..66c44f2
--- /dev/null
+++ b/examples/wireless_wpa3_owe.yml
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- hosts: all
+ vars:
+ network_connections:
+ - name: wlan0
+ type: wireless
+ wireless:
+ ssid: "My Enhanced Open(OWE) Network"
+ key_mgmt: "owe"
+ roles:
+ - linux-system-roles.network
diff --git a/module_utils/network_lsr/argument_validator.py b/module_utils/network_lsr/argument_validator.py
index a5c36df..ff38027 100644
--- a/module_utils/network_lsr/argument_validator.py
+++ b/module_utils/network_lsr/argument_validator.py
@@ -1194,6 +1194,7 @@ class ArgValidator_DictWireless(ArgValidatorDict):
 VALID_KEY_MGMT = [
 "wpa-psk",
 "wpa-eap",
+ "owe",
 ]
 def __init__(self):
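Review bot: In module_utils/network_lsr/argument_validator.py the new `"owe"` entry in `VALID_KEY_MGMT` is accepted with no comment on what it guarantees, and the hunk does not show whether a `password` supplied together with `key_mgmt: owe` is rejected. OWE performs an unauthenticated Diffie-Hellman exchange, so the link is encrypted against passive capture but neither the access point nor the client is authenticated; I would add `# OWE (RFC 8110): encrypted but unauthenticated, takes no password` above the entry. The class body continues outside the hunk, so please confirm that the validation there refuses, or at least explicitly ignores, a `password` when `key_mgmt` is `owe`.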
diff --git a/tests/ensure_provider_tests.py b/tests/ensure_provider_tests.py
index 53a0ff7..cde98c5 100755
--- a/tests/ensure_provider_tests.py
+++ b/tests/ensure_provider_tests.py
@@ -84,6 +84,13 @@ NM_ONLY_TESTS = {
 EXTRA_RUN_CONDITION: "ansible_distribution_major_version == '7'",
 },
 "playbooks/tests_wireless_plugin_installation.yml": {},
+ "playbooks/tests_wireless_wpa3_owe.yml": {
+ "comment": "# OWE has not been supported by NetworkManager 1.18.8 on \
+RHEL 7(dist-tag). Failed in setting up mock wifi on RHEL 8",
+ EXTRA_RUN_CONDITION: "ansible_distribution_major_version > '7' and \
+ansible_distribution == 'CentOS' or\n ansible_distribution_major_version > '32' \
+and ansible_distribution == 'Fedora'",
+ },
 }
 # NM_CONDITIONAL_TESTS is used to store the test playbooks which are demanding for NM
 # minimum version or extra running condition, test playbooks in NM_CONDITIONAL_TESTS
diff --git a/tests/playbooks/tests_wireless_wpa3_owe.yml b/tests/playbooks/tests_wireless_wpa3_owe.yml
new file mode 100644
index 0000000..c0e87ac
--- /dev/null
+++ b/tests/playbooks/tests_wireless_wpa3_owe.yml
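Review bot: In tests/ensure_provider_tests.py the new `EXTRA_RUN_CONDITION` compares `ansible_distribution_major_version` with `'7'` and `'32'` as strings, so the comparison is lexicographic: a major version of `'10'` sorts below `'7'` and the OWE test would be skipped silently on such a release. Cast before comparing and make the `and`/`or` grouping explicit, e.g. `(ansible_distribution_major_version | int > 7 and ansible_distribution == 'CentOS') or (ansible_distribution_major_version | int > 32 and ansible_distribution == 'Fedora')`. The condition also admits every CentOS release above 7, while the install task in tests/tasks/setup_mock_wifi_wpa3_owe.yml only runs for major version `'8'`; the two should agree. `NM_ONLY_TESTS` begins before this hunk.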
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- hosts: all
+ vars:
+ interface: wlan0
+ tasks:
+ - name: "INIT: wireless tests"
+ debug:
+ msg: "##################################################"
+ - include_tasks: tasks/setup_mock_wifi_wpa3_owe.yml
+ - block:
+ - name: "TEST: wireless connection with OWE"
+ debug:
+ msg: "##################################################"
+ - import_role:
+ name: linux-system-roles.network
+ vars:
+ network_allow_restart: true
+ network_connections:
+ - name: "{{ interface }}"
+ state: up
+ type: wireless
+ ip:
+ address:
+ - 203.0.113.2/24
+ dhcp4: "no"
+ auto6: "no"
+ wireless:
+ ssid: "hostapd-owe"
+ key_mgmt: "owe"
+
+ - name: "Verify connection profile"
+ shell:
+ nmcli c show {{ interface }} | grep 802-11-wireless-security.key-mgmt
+ register: key_mgmt
+ ignore_errors: yes
+ changed_when: false
+
+ - name: "Assert that OWE is configured correctly"
+ assert:
+ that:
+ - "'owe' in key_mgmt.stdout"
+ msg: "OWE is configured incorrectly"
diff --git a/tests/tasks/setup_mock_wifi_wpa3_owe.yml b/tests/tasks/setup_mock_wifi_wpa3_owe.yml
new file mode 100644
index 0000000..a3ea983
--- /dev/null
+++ b/tests/tasks/setup_mock_wifi_wpa3_owe.yml
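Review bot: tests/playbooks/tests_wireless_wpa3_owe.yml wraps the test in a `block:` that has no `always:` section, so nothing in the playbook stops hostapd, unloads `mac80211_hwsim` or removes the `wlan0` profile when the test finishes or fails part-way. A later test on the same host then inherits a running unauthenticated access point and an unmanaged `wlan1`. I would add a teardown under the block along the lines below, and keep it best-effort so that a failed setup does not mask the real error.

```yaml
    - block:
        # … unchanged: role import, profile check and OWE assert …
      always:
        - name: "TEARDOWN: remove the test profile and the mock access point"
          shell: |
            nmcli connection delete {{ interface }}
            pkill hostapd
            modprobe -r mac80211_hwsim
          ignore_errors: yes
          changed_when: false
```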
@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Install packages required to set up mock wifi network
+ package:
+ name:
+ - NetworkManager
+ - wpa_supplicant
+ state: present
+
+# Even though hostapd can be installed via EPEL 8, Opportunistic Wireless Encryption
+# (OWE) has not been enabled by default. To warrant the test support on RHEL(dist-tag),
+# we setup hostapd copr repo to enable OWE option.
+- name: install hostapd and mac80211_hwsim kernel module in CentOS 8
+ shell: |
+ dnf -y copr enable liangwen12year/hostapd-owe
+ dnf -y install hostapd
+ release=$(uname -r)
+ tmp="${release/-//}"
+ tmp="${tmp/.x//x}"
+ dnf -y install https://koji.mbox.centos.org/pkgs/packages/kernel/$tmp/kernel-core-$release.rpm
+ dnf -y install https://koji.mbox.centos.org/pkgs/packages/kernel/$tmp/kernel-modules-$release.rpm
+ dnf -y install https://koji.mbox.centos.org/pkgs/packages/kernel/$tmp/kernel-modules-internal-$release.rpm
+ when:
+ - ansible_distribution_major_version == '8'
+ - ansible_distribution == 'CentOS'
+
+- name: install hostapd in Fedora
+ shell: |
+ dnf -y copr enable liangwen12year/hostapd-owe
+ dnf -y install hostapd
+ when:
+ - ansible_distribution == 'Fedora'
+
+- name: install mac80211_hwsim kernel modules in Fedora
+ shell: |
+ dnf -y install koji
+ koji download-build --arch=$(uname -p) kernel-modules-internal-$(uname -r)
+ dnf -y install kernel-modules*.rpm
+ when:
+ - ansible_distribution == 'Fedora'
+
+- name: Create hostapd config
+ copy:
+ content: |
+ interface=wlan1
+ ssid=hostapd-owe
+ hw_mode=g
+ channel=6
+ wpa=2
+ wpa_key_mgmt=OWE
+ rsn_pairwise=CCMP
+ ieee80211w=2
+ nas_identifier=ap.example.com
+ dest: /etc/hostapd/wireless.conf
+ mode: "0644"
+
+- include_tasks: tasks/start_mock_wifi.yml
diff --git a/tests/tasks/start_mock_wifi.yml b/tests/tasks/start_mock_wifi.yml
new file mode 100644
index 0000000..23c0be3
--- /dev/null
+++ b/tests/tasks/start_mock_wifi.yml
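Review bot: The install tasks in tests/tasks/setup_mock_wifi_wpa3_owe.yml run code as root from sources whose signatures are not checked in the visible commands: a personal COPR repository (`liangwen12year/hostapd-owe`) is enabled and never disabled, and the kernel RPMs are installed straight from koji URLs or from a `kernel-modules*.rpm` glob in the working directory, a path where dnf by default does not verify GPG signatures unless `localpkg_gpgcheck` is set. On a host that is reused after the test this leaves a third-party repository active and unverified kernel modules installed. I would add `--setopt=localpkg_gpgcheck=1` to those `dnf -y install` lines (or, if the koji builds turn out to be unsigned, pin them by checksum), install the exact downloaded file names rather than the glob, and finish each task with `dnf -y copr disable liangwen12year/hostapd-owe`.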
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Ensure NetworkManager is running
+ service:
+ name: NetworkManager
+ state: started
+
+- name: Load mac80211_hwsim kernel module to mock a wifi network
+ shell: modprobe mac80211_hwsim radio=2 && sleep 5
+ changed_when: false
+
+- name: Restart NetworkManager and wpa_supplicant
+ service:
+ name: "{{ item }}"
+ state: restarted
+ with_items:
+ - NetworkManager
+ - wpa_supplicant
+
+- name: Bring up wlan0 and wlan1 (mock wifi interfaces)
+ shell: |
+ ip link set up wlan0
+ ip link set up wlan1
+ nmcli device set wlan1 managed off
+ ip addr add 203.0.113.1/24 dev wlan1
+ sleep 5
+ changed_when: false
+
+- name: Start hostapd
+ shell: hostapd -B /etc/hostapd/wireless.conf && sleep 5
+ changed_when: false
diff --git a/tests/tests_wireless_wpa3_owe_nm.yml b/tests/tests_wireless_wpa3_owe_nm.yml
new file mode 100644
index 0000000..7a0daf1
--- /dev/null
+++ b/tests/tests_wireless_wpa3_owe_nm.yml
@@ -0,0 +1,22 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# This file was generated by ensure_provider_tests.py
+---
+# set network provider and gather facts
+- hosts: all
+ name: Run playbook 'playbooks/tests_wireless_wpa3_owe.yml' with nm as provider
+ tasks:
+ - name: Set network provider to 'nm'
+ set_fact:
+ network_provider: nm
+ tags:
+ - always
+
+
+# The test requires or should run with NetworkManager, therefore it cannot run
+# on RHEL/CentOS 6
+# OWE has not been supported by NetworkManager 1.18.8 on RHEL 7(dist-tag). Failed in setting up mock wifi on RHEL 8
+- import_playbook: playbooks/tests_wireless_wpa3_owe.yml
+ when:
+ - ansible_distribution_major_version != '6'
+ - ansible_distribution_major_version > '7' and ansible_distribution == 'CentOS' or
+ ansible_distribution_major_version > '32' and ansible_distribution == 'Fedora'
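Review bot: In tests/tasks/start_mock_wifi.yml the module is loaded with `radio=2`, but the mac80211_hwsim parameter is, as far as I know, `radios`; the task appears to work only because two radios is the module default and the unknown option is ignored. Use `shell: modprobe mac80211_hwsim radios=2 && sleep 5`. Separately, `hostapd -B` is started without a PID file, so a later teardown has no clean handle on the daemon; `hostapd -B -P /run/hostapd-owe.pid /etc/hostapd/wireless.conf` would give one (the PID path is only a suggestion).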