ACE object-group as protocol support added (#240)

* ACE object-group as protocol support added * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * changelog fragment added * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * fix tests * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: Vladimir Rulev <[email protected]> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Sagar Paul <[email protected]>
ansible-collections · Jan 6, 2025 · 2e742e5 · 2e742e5
1 parent 9c2cdd7
commit 2e742e5
Show file tree

Hide file tree

Showing 9 changed files with 16 additions and 63 deletions.
diff --git a/changelogs/fragments/240-ace-protocol-object-group.yml b/changelogs/fragments/240-ace-protocol-object-group.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - cisco.asa.asa_acls - add support for specifying object-group as protocol
diff --git a/plugins/module_utils/network/asa/facts/acls/acls.py b/plugins/module_utils/network/asa/facts/acls/acls.py
@@ -90,6 +90,7 @@ def populate_facts(self, connection, ansible_facts, data=None):
                         each.get("protocol")
                         and each.get("protocol") != "icmp"
                         and each.get("protocol") != "icmp6"
+                        and "object-group" not in each.get("protocol")
                     ):
                         each["protocol_options"] = {each.get("protocol"): True}
                 acls.append(val)

diff --git a/plugins/module_utils/network/asa/rm_templates/acls.py b/plugins/module_utils/network/asa/rm_templates/acls.py
@@ -153,7 +153,7 @@ def __init__(self, lines=None):
                     \s*(?P<grant>deny|permit)*
                     \s*(?P<ethertype_params>(dsap\s\S+)|bpdu|eii-ipx|ipx|mpls-unicast|mpls-multicast|isis|any\s)*
                     \s*(?P<std_dest>(host\s\S+)|any4|(?:[0-9]{1,3}\.){3}[0-9]{1,3}\s(?:[0-9]{1,3}\.){3}[0-9]{1,3})*
-                    \s*(?P<protocol>ah|eigrp|esp|gre|icmp|icmp6|igmp|igrp|ip|ipinip|ipsec|nos|ospf|pcp|pim|pptp|sctp|snp|tcp|udp)*
+                    \s*(?P<protocol>ah|eigrp|esp|gre|icmp|icmp6|igmp|igrp|ip|ipinip|ipsec|nos|ospf|pcp|pim|pptp|sctp|snp|tcp|udp|object-group\s\S+)*
                     \s*(?P<protocol_num>\d+\s)*
                     \s*(?P<source>any4|any6|any|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(([a-f0-9:]+:+)+[a-f0-9]+\S+|host\s(([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})|(([a-f0-9:]+:+)+[a-f0-9]+)\S+)|interface\s\S+|object-group\s\S+))*
                     \s*(?P<source_port_protocol>(eq|gts|lt|neq)\s(\S+|\d+)|range\s\S+\s\S+)*

diff --git a/tests/sanity/ignore-2.15.txt b/tests/sanity/ignore-2.15.txt
@@ -1,11 +1 @@
 plugins/action/asa.py action-plugin-docs # base class for deprecated network platform modules using `connection: local`
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py E501: line too long (161 > 160 characters)
diff --git a/tests/sanity/ignore-2.16.txt b/tests/sanity/ignore-2.16.txt
@@ -1,11 +1 @@
 plugins/action/asa.py action-plugin-docs # base class for deprecated network platform modules using `connection: local`
-tests/unit/modules/network/asa/test_asa_acls.py:91:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:173:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:383:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:469:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:679:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:758:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:968:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1017:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1065:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1130:161: E501: line too long (161 > 160 characters)
diff --git a/tests/sanity/ignore-2.17.txt b/tests/sanity/ignore-2.17.txt
@@ -1,11 +1 @@
 plugins/action/asa.py action-plugin-docs # base class for deprecated network platform modules using `connection: local`
-tests/unit/modules/network/asa/test_asa_acls.py:91:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:173:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:383:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:469:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:679:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:758:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:968:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1017:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1065:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1130:161: E501: line too long (161 > 160 characters)
diff --git a/tests/sanity/ignore-2.18.txt b/tests/sanity/ignore-2.18.txt
@@ -1,11 +1 @@
 plugins/action/asa.py action-plugin-docs # base class for deprecated network platform modules using `connection: local`
-tests/unit/modules/network/asa/test_asa_acls.py:91:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:173:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:383:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:469:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:679:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:758:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:968:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1017:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1065:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1130:161: E501: line too long (161 > 160 characters)
diff --git a/tests/sanity/ignore-2.19.txt b/tests/sanity/ignore-2.19.txt
@@ -1,11 +1 @@
 plugins/action/asa.py action-plugin-docs # base class for deprecated network platform modules using `connection: local`
-tests/unit/modules/network/asa/test_asa_acls.py:91:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:173:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:383:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:469:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:679:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:758:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:968:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1017:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1065:161: E501: line too long (161 > 160 characters)
-tests/unit/modules/network/asa/test_asa_acls.py:1130:161: E501: line too long (161 > 160 characters)
diff --git a/tests/unit/modules/network/asa/test_asa_acls.py b/tests/unit/modules/network/asa/test_asa_acls.py
@@ -88,7 +88,7 @@ def test_asa_acls_merged(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -170,7 +170,7 @@ def test_asa_acls_merged_idempotent(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -380,7 +380,7 @@ def test_asa_acls_replaced(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -466,7 +466,7 @@ def test_asa_acls_replaced_idempotent(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -676,7 +676,7 @@ def test_asa_acls_overridden(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -755,7 +755,7 @@ def test_asa_acls_overridden_idempotent(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -965,7 +965,7 @@ def test_asa_acls_delete_by_acl(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -1014,7 +1014,7 @@ def test_asa_acls_deleted_all(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -1062,7 +1062,7 @@ def test_asa_acls_rendered(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -1127,7 +1127,7 @@ def test_asa_acls_gathered(self):
             access-list test_global_access line 2 remark test global remark
             access-list test_access; 2 elements; name hash: 0x96b5d78b
             access-list test_access line 1 extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq www log default (hitcnt=0) 0xdc46eb6e
-            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8948
+            access-list test_access line 2 extended deny igrp 198.51.100.0 255.255.255.0 198.51.110.0 255.255.255.0 log errors interval 300 (hitcnt=0) 0x831d8
             access-list test_access line 3 extended permit ip host 192.0.2.2 any interval 300 (hitcnt=0) 0x831d897d
             access-list test_R1_traffic; 1 elements; name hash: 0x2c20a0c
             access-list test_R1_traffic line 1 extended deny tcp 2001:db8:0:3::/64 eq www 2001:fc8:0:4::/64 eq telnet inactive (hitcnt=0) (inactive) 0x11821a52
@@ -1271,8 +1271,8 @@ def test_asa_acls_gathered(self):
                         {
                             "grant": "permit",
                             "line": 2,
-                            "source": {"object_group": "MYSERV.11"},
-                            "destination": {
+                            "protocol": "object-group MYSERV.11",
+                            "source": {
                                 "object_group": "ALLSERV.12",
                                 "port_protocol": {"eq": "9389"},
                             },
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- cisco.asa.asa_acls - add support for specifying object-group as protocol