diff --git a/README.md b/README.md index a9b01e1..b41daaa 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ This role can be used to configure: - MacVLAN interfaces - Infiniband interfaces - IP configuration +- 802.1x authentication Introduction ------------ @@ -410,7 +411,7 @@ kernel and device, changing some features might not be supported. txvlan: yes|no # optional ``` -### `802.1x` +### `ieee802_1x` Configures 802.1x authentication for an interface. @@ -428,15 +429,15 @@ SSL certificates and keys must be deployed on the host prior to running the role Identity string for EAP authentication methods. -* `private-key` (required) +* `private_key` (required) Absolute path to the client's PEM or PKCS#12 encoded private key used for 802.1x authentication. - * `private-key-password` + * `private_key_password` - Password to the private key specified in `private-key`. + Password to the private key specified in `private_key`. - * `private-key-password-flags` + * `private_key_password_flags` List of flags to configure how the private key password is managed. @@ -450,15 +451,15 @@ SSL certificates and keys must be deployed on the host prior to running the role See NetworkManager documentation on "Secret flag types" more details (`man 5 nm-settings`). - * `client-cert` (required) + * `client_cert` (required) Absolute path to the client's PEM encoded certificate used for 802.1x authentication. - * `ca-cert` + * `ca_cert` Absolute path to the PEM encoded certificate authority used to verify the EAP server. - * `system-ca-certs` + * `system_ca_certs` If set to `True`, NetworkManager will use the system's trusted ca certificates to verify the EAP server. 
@@ -662,15 +663,15 @@ Configuring 802.1x: network_connections: - name: eth0 type: ethernet - 802.1x: + ieee802_1x: identity: myhost eap: tls - private-key: /etc/pki/tls/client.key + private_key: /etc/pki/tls/client.key # recommend vault encrypting the private key password # see https://docs.ansible.com/ansible/latest/user_guide/vault.html - private-key-password: "p@55w0rD" - client-cert: /etc/pki/tls/client.pem - ca-cert: /etc/pki/tls/cacert.pem + private_key_password: "p@55w0rD" + client_cert: /etc/pki/tls/client.pem + ca_cert: /etc/pki/tls/cacert.pem ``` ### Invalid and Wrong Configuration diff --git a/defaults/main.yml b/defaults/main.yml index 1d25d5e..6b15964 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,9 +20,9 @@ network_provider_current: "{{ # Default to the auto-detected value network_provider: "{{ network_provider_current }}" -# wpa_supplicant is required if any 802.1x connections are defined +# wpa_supplicant is required if any ieee802_1x connections are defined wpa_supplicant_required: "{{ network_connections | - json_query('[*][\"802.1x\"]') | flatten | count > 0 }}" + json_query('[*][ieee802_1x]') | flatten | count > 0 }}" _network_packages_default_802_1x: ["{% if wpa_supplicant_required %}wpa_supplicant{% endif %}"] diff --git a/examples/eth-with-802-1x.yml b/examples/eth-with-802-1x.yml index 4b5de25..05258a7 100644 --- a/examples/eth-with-802-1x.yml +++ b/examples/eth-with-802-1x.yml 
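Review bot: `json_query('[*][ieee802_1x]')` still relies on the trailing `flatten` to discard the `None` produced for every connection that has no such key; as far as I can tell the multi-select list yields `[null]` per element, and only Ansible's `flatten` (which skips nulls by default) makes `count > 0` come out right. A filter projection states the intent directly and drops that dependency: `json_query('[?ieee802_1x]') | count > 0`. Worth checking against the unit tests before switching, since the two forms agree only while `flatten` keeps dropping nulls.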
@@ -5,15 +5,15 @@ network_connections: - name: eth0 type: ethernet - 802.1x: + ieee802_1x: identity: myhost eap: tls - private-key: /etc/pki/tls/client.key + private_key: /etc/pki/tls/client.key # recommend vault encrypting the private key password # see https://docs.ansible.com/ansible/latest/user_guide/vault.html - private-key-password: "p@55w0rD" - client-cert: /etc/pki/tls/client.pem - ca-cert: /etc/pki/tls/cacert.pem + private_key_password: "p@55w0rD" + client_cert: /etc/pki/tls/client.pem + ca_cert: /etc/pki/tls/cacert.pem # certs have to be deployed first pre_tasks: diff --git a/library/network_connections.py b/library/network_connections.py index 05275b3..15f4274 100644 --- a/library/network_connections.py +++ b/library/network_connections.py 
@@ -974,49 +974,51 @@ class NMUtil:
 else:
 s_ip6.add_route(rr)
- if connection["802.1x"]:
+ if connection["ieee802_1x"]:
 s_8021x = self.connection_ensure_setting(con, NM.Setting8021x)
- s_8021x.set_property(NM.SETTING_802_1X_EAP, [connection["802.1x"]["eap"]])
 s_8021x.set_property(
- NM.SETTING_802_1X_IDENTITY, connection["802.1x"]["identity"]
+ NM.SETTING_802_1X_EAP, [connection["ieee802_1x"]["eap"]]
+ )
+ s_8021x.set_property(
+ NM.SETTING_802_1X_IDENTITY, connection["ieee802_1x"]["identity"]
 )
 s_8021x.set_property(
 NM.SETTING_802_1X_PRIVATE_KEY,
- Util.path_to_glib_bytes(connection["802.1x"]["private-key"]),
+ Util.path_to_glib_bytes(connection["ieee802_1x"]["private_key"]),
 )
- if connection["802.1x"]["private-key-password"]:
+ if connection["ieee802_1x"]["private_key_password"]:
 s_8021x.set_property(
 NM.SETTING_802_1X_PRIVATE_KEY_PASSWORD,
- connection["802.1x"]["private-key-password"],
+ connection["ieee802_1x"]["private_key_password"],
 )
- if connection["802.1x"]["private-key-password-flags"]:
+ if connection["ieee802_1x"]["private_key_password_flags"]:
 s_8021x.set_secret_flags(
 NM.SETTING_802_1X_PRIVATE_KEY_PASSWORD,
 Util.NM().SettingSecretFlags(
 Util.convert_passwd_flags_nm(
- connection["802.1x"]["private-key-password-flags"]
+ connection["ieee802_1x"]["private_key_password_flags"]
 ),
 ),
 )
 s_8021x.set_property(
 NM.SETTING_802_1X_CLIENT_CERT,
- Util.path_to_glib_bytes(connection["802.1x"]["client-cert"]),
+ Util.path_to_glib_bytes(connection["ieee802_1x"]["client_cert"]),
 )
- if connection["802.1x"]["ca-cert"]:
+ if connection["ieee802_1x"]["ca_cert"]:
 s_8021x.set_property(
 NM.SETTING_802_1X_CA_CERT,
- Util.path_to_glib_bytes(connection["802.1x"]["ca-cert"]),
+ Util.path_to_glib_bytes(connection["ieee802_1x"]["ca_cert"]),
 )
 s_8021x.set_property(
 NM.SETTING_802_1X_SYSTEM_CA_CERTS,
- connection["802.1x"]["system-ca-certs"],
+ connection["ieee802_1x"]["system_ca_certs"],
 )
 try:
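Review bot: A connection with neither `ca_cert` nor `system_ca_certs` set leaves the profile with no EAP server verification configured — the hunk sets `NM.SETTING_802_1X_CA_CERT` only when `ca_cert` is truthy and passes `system_ca_certs` through as given (the validator in this diff defaults it to `False`) — and nothing here makes that combination visible; presumably the supplicant then authenticates to whichever server answers, which is worth confirming. A warning, or a validation error, when both are unset, along the lines of `if not cfg["ca_cert"] and not cfg["system_ca_certs"]:` followed by the module's usual warning call naming the connection, would surface the downgrade; I cannot see from this hunk which logging facility the module uses, so the exact call is yours. On style, each of the fourteen touched lines re-indexes `connection["ieee802_1x"]`; binding it once at the top of the branch, `cfg = connection["ieee802_1x"]`, would have reduced this rename to one line and makes the block easier to read. The enclosing method starts and ends outside the hunk.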
diff --git a/module_utils/network_lsr/argument_validator.py b/module_utils/network_lsr/argument_validator.py
index 6f0ca88..8096901 100644
--- a/module_utils/network_lsr/argument_validator.py
+++ b/module_utils/network_lsr/argument_validator.py
@@ -726,7 +726,7 @@ class ArgValidator_Dict802_1X(ArgValidatorDict):
 def __init__(self):
 ArgValidatorDict.__init__(
 self,
- name="802.1x",
+ name="ieee802_1x",
 nested=[
 ArgValidatorStr(
 "eap",
@@ -734,19 +734,19 @@ class ArgValidator_Dict802_1X(ArgValidatorDict):
 default_value="tls",
 ),
 ArgValidatorStr("identity", required=True),
- ArgValidatorPath("private-key", required=True),
- ArgValidatorStr("private-key-password"),
+ ArgValidatorPath("private_key", required=True),
+ ArgValidatorStr("private_key_password"),
 ArgValidatorList(
- "private-key-password-flags",
+ "private_key_password_flags",
 nested=ArgValidatorStr(
- "private-key-password-flags[?]",
+ "private_key_password_flags[?]",
 enum_values=ArgValidator_Dict802_1X.VALID_PRIVATE_KEY_FLAGS,
 ),
 default_value=None,
 ),
- ArgValidatorPath("client-cert", required=True),
- ArgValidatorPath("ca-cert"),
- ArgValidatorBool("system-ca-certs", default_value=False),
+ ArgValidatorPath("client_cert", required=True),
+ ArgValidatorPath("ca_cert"),
+ ArgValidatorBool("system_ca_certs", default_value=False),
 ],
 default_value=None,
 )
@@ -1265,7 +1265,7 @@ class ArgValidator_ListConnections(ArgValidatorList):
 )
 # check if 802.1x connection is valid
- if connection["802.1x"]:
+ if connection["ieee802_1x"]:
 if mode == self.VALIDATE_ONE_MODE_INITSCRIPTS:
 raise ValidationError.from_connection(
 idx,
diff --git a/tests/playbooks/tests_802_1x.yml b/tests/playbooks/tests_802_1x.yml
index 3c59919..4fd14e3 100644
--- a/tests/playbooks/tests_802_1x.yml
+++ b/tests/playbooks/tests_802_1x.yml
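Review bot: Renaming the validator from `802.1x` to `ieee802_1x`, and every nested key from hyphens to underscores, gives existing playbooks no migration path: a connection still carrying the old key is presumably rejected as unknown rather than mapped, and nothing in this diff marks the old spelling as deprecated. Accepting the old names for one release with a deprecation warning, or at least rejecting them with a message that names the new key, would make the break explicit, and the README hunk should state that the rename is not backward compatible. Separately, `ArgValidatorStr("private_key_password")` validates a secret like any other string; if `ArgValidatorStr`'s error text echoes the offending value (I cannot see it from this hunk), that path should redact it. `__init__` starts inside the hunk but the enclosing class continues outside it.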
@@ -35,15 +35,15 @@ - 203.0.113.2/24 dhcp4: "no" auto6: "no" - 802.1x: + ieee802_1x: identity: myhost eap: tls - private-key: /etc/pki/tls/client.key - private-key-password: test - private-key-password-flags: + private_key: /etc/pki/tls/client.key + private_key_password: test + private_key_password_flags: - none - client-cert: /etc/pki/tls/client.pem - ca-cert: /etc/pki/tls/cacert.pem + client_cert: /etc/pki/tls/client.pem + ca_cert: /etc/pki/tls/cacert.pem - name: "TEST: I can ping the EAP server" shell: ping -c1 203.0.113.1 - import_role: @@ -78,14 +78,14 @@ - 203.0.113.2/24 dhcp4: "no" auto6: "no" - 802.1x: + ieee802_1x: identity: myhost eap: tls - private-key: /etc/pki/tls/client.key.nocrypt - client-cert: /etc/pki/tls/client.pem - private-key-password-flags: + private_key: /etc/pki/tls/client.key.nocrypt + client_cert: /etc/pki/tls/client.pem + private_key_password_flags: - not-required - system-ca-certs: True + system_ca_certs: True - name: "TEST: I can ping the EAP server" shell: ping -c1 203.0.113.1 always: diff --git a/tests/unit/test_network_connections.py b/tests/unit/test_network_connections.py index 84e8b56..9786cbd 100755 --- a/tests/unit/test_network_connections.py +++ b/tests/unit/test_network_connections.py @@ -154,7 +154,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "5", "parent": None, @@ -251,7 +251,7 @@ class TestValidator(unittest.TestCase): continue if "type" not in connection: continue - if connection["type"] in ["macvlan"] or connection["802.1x"]: + if connection["type"] in ["macvlan"] or connection["ieee802_1x"]: # initscripts do not support this type. Skip the test. continue content_current = kwargs.get("initscripts_content_current", None) @@ -397,7 +397,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "5", "parent": None, 
@@ -448,7 +448,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "5", "parent": None, @@ -493,7 +493,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "5", "parent": None, @@ -581,7 +581,7 @@ class TestValidator(unittest.TestCase): }, "mac": "52:54:00:44:9f:ba", "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": 1450, "name": "prod1", "parent": None, @@ -643,7 +643,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "prod1", "parent": None, @@ -707,7 +707,7 @@ class TestValidator(unittest.TestCase): }, "mac": "52:54:00:44:9f:ba", "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": 1450, "name": "prod1", "parent": None, @@ -763,7 +763,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "prod.100", "parent": "prod1", @@ -846,7 +846,7 @@ class TestValidator(unittest.TestCase): }, "mac": "52:54:00:44:9f:ba", "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": 1450, "name": "prod1", "parent": None, @@ -902,7 +902,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "prod.100", "parent": "prod1", @@ -980,7 +980,7 @@ class TestValidator(unittest.TestCase): }, "mac": "33:24:10:24:2f:b9", "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": 1450, "name": "eth0-parent", "parent": None, @@ -1031,7 +1031,7 @@ class TestValidator(unittest.TestCase): "mac": None, "macvlan": {"mode": "bridge", "promiscuous": True, "tap": False}, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "veth0.0", "parent": "eth0-parent", 
@@ -1082,7 +1082,7 @@ class TestValidator(unittest.TestCase): "mac": None, "macvlan": {"mode": "passthru", "promiscuous": False, "tap": True}, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "veth0.1", "parent": "eth0-parent", @@ -1168,7 +1168,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "prod2", "parent": None, @@ -1205,7 +1205,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": "prod2", - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "prod2-slave1", "parent": None, @@ -1266,7 +1266,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "bond1", "parent": None, @@ -1312,7 +1312,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "bond1", "parent": None, @@ -1368,7 +1368,7 @@ class TestValidator(unittest.TestCase): }, "mac": "aa:bb:cc:dd:ee:ff", "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "5", "parent": None, @@ -1412,7 +1412,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "5", "parent": None, @@ -1484,7 +1484,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "6643-master", "parent": None, @@ -1521,7 +1521,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": "6643-master", - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "6643", "parent": None, @@ -1574,7 +1574,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "infiniband.1", "parent": None, 
@@ -1645,7 +1645,7 @@ class TestValidator(unittest.TestCase): "mac": "11:22:33:44:55:66:77:88:99:00:" "11:22:33:44:55:66:77:88:99:00", "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "infiniband.2", "parent": None, @@ -1736,7 +1736,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "555", "parent": None, @@ -1835,7 +1835,7 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": None, + "ieee802_1x": None, "mtu": None, "name": "e556", "parent": None, @@ -1929,7 +1929,7 @@ class TestValidator(unittest.TestCase): "ethtool": ETHTOOL_DEFAULTS, "force_state_change": None, "ignore_errors": None, - "interface_name": "802.1x-1", + "interface_name": "eth0", "ip": { "gateway6": None, "gateway4": None, @@ -1947,18 +1947,18 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "private-key-password": "p@55w0rD", - "private-key-password-flags": None, - "client-cert": "/etc/pki/tls/client.pem", - "ca-cert": "/etc/pki/tls/cacert.pem", - "system-ca-certs": False, + "private_key": "/etc/pki/tls/client.key", + "private_key_password": "p@55w0rD", + "private_key_password_flags": None, + "client_cert": "/etc/pki/tls/client.pem", + "ca_cert": "/etc/pki/tls/cacert.pem", + "system_ca_certs": False, }, "mtu": None, - "name": "802.1x-1", + "name": "eth0", "parent": None, "persistent_state": "present", "slave_type": None, 
@@ -1970,16 +1970,16 @@ class TestValidator(unittest.TestCase): ], [ { - "name": "802.1x-1", + "name": "eth0", "state": "up", "type": "ethernet", - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "private-key-password": "p@55w0rD", - "client-cert": "/etc/pki/tls/client.pem", - "ca-cert": "/etc/pki/tls/cacert.pem", + "private_key": "/etc/pki/tls/client.key", + "private_key_password": "p@55w0rD", + "client_cert": "/etc/pki/tls/client.pem", + "ca_cert": "/etc/pki/tls/cacert.pem", }, } ], @@ -1987,7 +1987,7 @@ class TestValidator(unittest.TestCase): def test_802_1x_2(self): """ - Test private key without password and system-ca-certs + Test private key without password and system_ca_certs """ self.maxDiff = None self.do_connections_validate( @@ -2000,7 +2000,7 @@ class TestValidator(unittest.TestCase): "ethtool": ETHTOOL_DEFAULTS, "force_state_change": None, "ignore_errors": None, - "interface_name": "802.1x-2", + "interface_name": "eth0", "ip": { "gateway6": None, "gateway4": None, @@ -2018,18 +2018,18 @@ class TestValidator(unittest.TestCase): }, "mac": None, "master": None, - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "private-key-password": None, - "private-key-password-flags": ["not-required"], - "client-cert": "/etc/pki/tls/client.pem", - "ca-cert": None, - "system-ca-certs": True, + "private_key": "/etc/pki/tls/client.key", + "private_key_password": None, + "private_key_password_flags": ["not-required"], + "client_cert": "/etc/pki/tls/client.pem", + "ca_cert": None, + "system_ca_certs": True, }, "mtu": None, - "name": "802.1x-2", + "name": "eth0", "parent": None, "persistent_state": "present", "slave_type": None, 
@@ -2041,16 +2041,16 @@ class TestValidator(unittest.TestCase): ], [ { - "name": "802.1x-2", + "name": "eth0", "state": "up", "type": "ethernet", - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "client-cert": "/etc/pki/tls/client.pem", - "private-key-password-flags": ["not-required"], - "system-ca-certs": True, + "private_key": "/etc/pki/tls/client.key", + "client_cert": "/etc/pki/tls/client.pem", + "private_key_password_flags": ["not-required"], + "system_ca_certs": True, }, } ], @@ -2064,16 +2064,16 @@ class TestValidator(unittest.TestCase): self.do_connections_check_invalid( [ { - "name": "802.1x-bad", + "name": "eth0", "state": "up", "type": "ethernet", - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "client.key", - "client-cert": "client.pem", - "private-key-password-flags": ["not-required"], - "system-ca-certs": True, + "private_key": "client.key", + "client_cert": "client.pem", + "private_key_password_flags": ["not-required"], + "system_ca_certs": True, }, } ] @@ -2087,16 +2087,16 @@ class TestValidator(unittest.TestCase): self.do_connections_check_invalid( [ { - "name": "802.1x-bad", + "name": "eth0", "state": "up", "type": "ethernet", - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "client-cert": "/etc/pki/tls/client.pem", - "private-key-password-flags": ["bad-flag"], - "system-ca-certs": True, + "private_key": "/etc/pki/tls/client.key", + "client_cert": "/etc/pki/tls/client.pem", + "private_key_password_flags": ["bad-flag"], + "system_ca_certs": True, }, } ] 
@@ -2104,20 +2104,20 @@ class TestValidator(unittest.TestCase): def test_802_1x_initscripts(self): """ - should fail to create 802.1x connection with initscripts + should fail to create ieee802_1x connection with initscripts """ input_connections = [ { - "name": "802.1x-is", + "name": "eth0", "state": "up", "type": "ethernet", - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "client-cert": "/etc/pki/tls/client.pem", - "private-key-password-flags": ["not-required"], - "system-ca-certs": True, + "private_key": "/etc/pki/tls/client.key", + "client_cert": "/etc/pki/tls/client.pem", + "private_key_password_flags": ["not-required"], + "system_ca_certs": True, }, } ] @@ -2139,16 +2139,16 @@ class TestValidator(unittest.TestCase): input_connections = [ { - "name": "802.1x-bond", + "name": "bond0", "state": "up", "type": "bond", - "802.1x": { + "ieee802_1x": { "identity": "myhost", "eap": "tls", - "private-key": "/etc/pki/tls/client.key", - "client-cert": "/etc/pki/tls/client.pem", - "private-key-password-flags": ["not-required"], - "system-ca-certs": True, + "private_key": "/etc/pki/tls/client.key", + "client_cert": "/etc/pki/tls/client.pem", + "private_key_password_flags": ["not-required"], + "system_ca_certs": True, }, } ]