diff --git a/lib/ansible/modules/network/nxos/nxos_aaa_server.py b/lib/ansible/modules/network/nxos/nxos_aaa_server.py
index db694dc35d..d47a2c848e 100644
--- a/lib/ansible/modules/network/nxos/nxos_aaa_server.py
+++ b/lib/ansible/modules/network/nxos/nxos_aaa_server.py
@@ -39,7 +39,6 @@ notes:
     stored as encrypted (type 7).
   - Changes to the global AAA server key with encrypt_type=0
     are not idempotent.
-  - If global AAA server key is not found, it's shown as "unknown"
   - state=default will set the supplied parameters to their default values.
     The parameters that you want to default must also be set to default.
     If global_key=default, the global key will be removed.
@@ -51,7 +50,7 @@ options:
     choices: ['radius', 'tacacs']
   global_key:
     description:
-      - Global AAA shared secret.
+      - Global AAA shared secret or keyword 'default'.
   encrypt_type:
     description:
       - The state of encryption applied to the entered global key.
@@ -60,14 +59,15 @@ options:
   deadtime:
     description:
       - Duration for which a non-reachable AAA server is skipped,
-        in minutes. Range is 1-1440. Device default is 0.
+        in minutes or keyword 'default.
+        Range is 1-1440. Device default is 0.
   server_timeout:
     description:
-      - Global AAA server timeout period, in seconds. Range is 1-60.
-        Device default is 5.
+      - Global AAA server timeout period, in seconds or keyword 'default.
+        Range is 1-60. Device default is 5.
   directed_request:
     description:
-      - Enables direct authentication requests to AAA server.
+      - Enables direct authentication requests to AAA server or keyword 'default'
         Device default is disabled.
     choices: ['enabled', 'disabled']
   state:
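Review bot: The new description lines for deadtime and server_timeout both end in `keyword 'default.` with the closing quote missing; they should read `in minutes or keyword 'default'.` and `in seconds or keyword 'default'.` (the global_key line in the previous hunk has it right). The directed_request text now advertises the keyword 'default' while the unchanged `choices: ['enabled', 'disabled']` line just below still excludes it, so if the argument spec mirrors those choices (not visible here) the documented value would be rejected; the two should agree. The notes hunk drops the sentence about the key being shown as "unknown" without saying what replaces it; a line such as `- If the global AAA server key is not found, it is reported as absent (None).` would keep the notes in step with the code change further down.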
@@ -116,7 +116,14 @@ from ansible.module_utils.network.nxos.nxos import nxos_argument_spec, check_arg
 from ansible.module_utils.basic import AnsibleModule
 
 
-def execute_show_command(command, module, command_type='cli_show'):
+PARAM_TO_DEFAULT_KEYMAP = {
+    'server_timeout': '5',
+    'deadtime': '0',
+    'directed_request': 'disabled',
+}
+
+
+def execute_show_command(command, module):
     command = {
         'command': command,
         'output': 'text',
@@ -142,8 +149,7 @@ def get_aaa_server_info(server_type, module):
     global_key_command = 'show run | sec {0}'.format(server_type)
     aaa_regex = r'.*{0}-server\skey\s\d\s+(?P\S+).*'.format(server_type)
 
-    server_body = execute_show_command(
-        server_command, module, command_type='cli_show_ascii')[0]
+    server_body = execute_show_command(server_command, module)[0]
 
     split_server = server_body.splitlines()
 
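Review bot: PARAM_TO_DEFAULT_KEYMAP is introduced without a comment saying what its values represent, yet default_aaa_server later compares them with `!=` against strings parsed out of `show` output, so the representation ('5' rather than 5, 'disabled' rather than False) is load-bearing. A comment such as `# Device defaults as strings, matching what get_aaa_server_info parses from 'show' output; compared with != in default_aaa_server` would stop a later maintainer from "fixing" them into ints. Dropping the `command_type` parameter from execute_show_command narrows its signature; the callers in this file are updated in the following hunks, but any other importer of the helper would now fail with a TypeError, which is worth a mention in the commit message. execute_show_command's body continues outside the hunk.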
@@ -154,30 +160,25 @@ def get_aaa_server_info(server_type, module):
         elif line.startswith('deadtime'):
             aaa_server_info['deadtime'] = line.split(':')[1]
 
-    request_body = execute_show_command(
-        request_command, module, command_type='cli_show_ascii')[0]
-    aaa_server_info['directed_request'] = request_body.replace('\n', '')
+    request_body = execute_show_command(request_command, module)[0]
 
-    key_body = execute_show_command(
-        global_key_command, module, command_type='cli_show_ascii')[0]
+    if bool(request_body):
+        aaa_server_info['directed_request'] = request_body.replace('\n', '')
+    else:
+        aaa_server_info['directed_request'] = 'disabled'
+
+    key_body = execute_show_command(global_key_command, module)[0]
 
     try:
         match_global_key = re.match(aaa_regex, key_body, re.DOTALL)
         group_key = match_global_key.groupdict()
         aaa_server_info['global_key'] = group_key["key"].replace('\"', '')
     except (AttributeError, TypeError):
-        aaa_server_info['global_key'] = 'unknown'
+        aaa_server_info['global_key'] = None
 
     return aaa_server_info
 
 
-def set_aaa_server_global_key(encrypt_type, key, server_type):
-    if not encrypt_type:
-        encrypt_type = ''
-    return '{0}-server key {1} {2}'.format(
-        server_type, encrypt_type, key)
-
-
 def config_aaa_server(params, server_type):
     cmds = []
 
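Review bot: `if bool(request_body):` is a redundant conversion; `if request_body:` expresses the same truthiness test. The non-empty branch still stores `request_body.replace('\n', '')` verbatim, so any leading or trailing whitespace in the device output would make `existing['directed_request']` differ from the literal `'disabled'` that default_aaa_server now compares against and defeat the idempotence this commit is adding; `request_body.strip()` would be the safer normalisation, though the exact output format is not visible here. With `global_key` now `None` when the regex does not match, the value in the matching case is the shared secret as printed by `show run` (plaintext or type 7); if `existing` is echoed back in the module result (not visible in this hunk) that field should be covered by `no_log`. get_aaa_server_info starts outside the hunk.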
@@ -215,13 +216,13 @@ def default_aaa_server(existing, params, server_type):
     global_key = params.get('global_key')
     existing_key = existing.get('global_key')
 
-    if deadtime is not None:
+    if deadtime is not None and existing.get('deadtime') != PARAM_TO_DEFAULT_KEYMAP['deadtime']:
         cmds.append('no {0}-server deadtime 1'.format(server_type))
 
-    if server_timeout is not None:
+    if server_timeout is not None and existing.get('server_timeout') != PARAM_TO_DEFAULT_KEYMAP['server_timeout']:
         cmds.append('no {0}-server timeout 1'.format(server_type))
 
-    if directed_request is not None:
+    if directed_request is not None and existing.get('directed_request') != PARAM_TO_DEFAULT_KEYMAP['directed_request']:
         cmds.append('no {0}-server directed-request'.format(server_type))
 
     if global_key is not None and existing_key is not None:
diff --git a/test/integration/targets/nxos_aaa_server/tests/common/radius.yaml b/test/integration/targets/nxos_aaa_server/tests/common/radius.yaml
index 46e46720ac..517c247208 100644
--- a/test/integration/targets/nxos_aaa_server/tests/common/radius.yaml
+++ b/test/integration/targets/nxos_aaa_server/tests/common/radius.yaml
@@ -73,7 +73,7 @@
   - assert: *false
 
   - name: "Remove radius server configuration"
-    nxos_aaa_server:
+    nxos_aaa_server: &rad_def
       server_type: radius
       deadtime: default
       server_timeout: default
@@ -85,6 +85,12 @@
 
   - assert: *true
 
+  - name: "Check Idempotence"
+    nxos_aaa_server: *rad_def
+    register: result
+
+  - assert: *false
+
   rescue:
   - debug: msg="connection={{ ansible_connection }} nxos_aaa_server failure detected"
 
@@ -94,4 +100,4 @@
       nxos_aaa_server: *remove
       register: result
 
-  - debug: msg="END connection={{ ansible_connection }} nxos_aaa_server radius.yaml sanity test"
+- debug: msg="END connection={{ ansible_connection }} nxos_aaa_server radius.yaml sanity test"
diff --git a/test/integration/targets/nxos_aaa_server/tests/common/tacacs.yaml b/test/integration/targets/nxos_aaa_server/tests/common/tacacs.yaml
index 255d9f7a17..0ad7effb4a 100644
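Review bot: The three new conditions in default_aaa_server repeat the same shape on lines well past the usual width limit, which hides the one idea they share (emit the `no` form only when the device is not already at its default). A table-driven loop states it once and keeps each parameter's command next to its name; it assumes the `deadtime`/`server_timeout`/`directed_request` locals above the hunk are `params.get(...)` results the way `global_key` visibly is, which I cannot confirm from here. Note that `existing.get(name)` returning None (value not parsed from the device) still emits the command, which matches the old behaviour and seems intended. The rest of the function is outside the hunk.
```python
    # … unchanged: global_key / existing_key lookups …
    for name, template in (
        ('deadtime', 'no {0}-server deadtime 1'),
        ('server_timeout', 'no {0}-server timeout 1'),
        ('directed_request', 'no {0}-server directed-request'),
    ):
        # Only reset a parameter the caller asked to default and the device is not already at.
        if params.get(name) is not None and existing.get(name) != PARAM_TO_DEFAULT_KEYMAP[name]:
            cmds.append(template.format(server_type))

    # … unchanged: global_key handling …
```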
--- a/test/integration/targets/nxos_aaa_server/tests/common/tacacs.yaml
+++ b/test/integration/targets/nxos_aaa_server/tests/common/tacacs.yaml
@@ -79,11 +79,24 @@
   - assert: *false
 
   - name: "Remove tacacs server configuration"
-    nxos_aaa_server: *remove
+    nxos_aaa_server: &tac_def
+      server_type: tacacs
+      deadtime: default
+      server_timeout: default
+      global_key: default
+      directed_request: default
+      state: default
+      provider: "{{ connection }}"
     register: result
 
   - assert: *true
 
+  - name: "Check Idempotence"
+    nxos_aaa_server: *tac_def
+    register: result
+
+  - assert: *false
+
   rescue:
   - debug: msg="connection={{ ansible_connection }} nxos_aaa_server failure detected"
 
@@ -100,4 +113,4 @@
       state: disabled
       provider: "{{ connection }}"
 
-  - debug: msg="END connection={{ ansible_connection }} nxos_aaa_server tacacs.yaml sanity test"
+- debug: msg="END connection={{ ansible_connection }} nxos_aaa_server tacacs.yaml sanity test"