Implement categories for rules

jiuka · jiuka · commit d2b465df50e8 · 2025-01-21T20:07:32.000+01:00
diff --git a/plugins/module_utils/defaults/rule.py b/plugins/module_utils/defaults/rule.py
@@ -21,6 +21,7 @@
     'enabled': True,
     'description': '',
     'debug': False,
+    'categories': [],
 }
 
 RULE_MOD_ARG_ALIASES = {
@@ -42,6 +43,7 @@
     'description': ['desc'],
     'state': ['st'],
     'enabled': ['en'],
+    'categories': ['cat'],
 }
 
 RULE_MATCH_FIELDS_ARG = dict(
@@ -119,6 +121,11 @@
         aliases=RULE_MOD_ARG_ALIASES['description']
     ),
     uuid=dict(type='str', required=False, description='Optionally you can supply the uuid of an existing rule'),
+    categories=dict(
+        type='list', requird=False, default=RULE_DEFAULTS['categories'],
+        aliases=RULE_MOD_ARG_ALIASES['categories'], elements='str',
+        description='Select the categories for the rule.',
+    ),
     **STATE_MOD_ARG,
     **RULE_MATCH_FIELDS_ARG,
     **OPN_MOD_ARGS,
diff --git a/plugins/module_utils/main/rule.py b/plugins/module_utils/main/rule.py
@@ -2,8 +2,10 @@
 
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.base.handler import \
     ModuleSoftError
+from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.category import \
+    resolve_categories
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.main import \
-    validate_int_fields
+    validate_int_fields, is_unset
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.base.api import Session
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.rule import \
     validate_values
@@ -25,7 +27,7 @@ class Rule(BaseModule):
         'sequence', 'action', 'quick', 'interface', 'direction',
         'ip_protocol', 'protocol', 'source_invert', 'source_net', 'source_port',
         'destination_invert', 'destination_net', 'destination_port', 'log',
-        'description', 'gateway',
+        'description', 'gateway', 'categories',
     ]
     FIELDS_ALL = ['enabled']
     FIELDS_ALL.extend(FIELDS_CHANGE)
@@ -37,7 +39,7 @@ class Rule(BaseModule):
     FIELDS_TYPING = {
         'bool': ['enabled', 'log', 'quick', 'source_invert', 'destination_invert'],
         'select': ['action', 'direction', 'ip_protocol', 'protocol', 'gateway'],
-        'list': ['interface'],
+        'list': ['interface', 'categories'],
     }
     EXIST_ATTR = 'rule'
     TIMEOUT = 60.0  # urltable etc reload
@@ -84,6 +86,8 @@ def check(self) -> None:
                 field_minmax=self.INT_VALIDATIONS,
                 error_func=self._error
             )
+            if not is_unset(self.p['categories']):
+                resolve_categories(self, self.p)
 
         self._build_log_name()
         self.b.find(match_fields=self.p['match_fields'])
diff --git a/plugins/module_utils/main/rule_purge.py b/plugins/module_utils/main/rule_purge.py
@@ -3,6 +3,8 @@
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.main import is_unset
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.purge import \
     purge, check_purge_filter
+from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.category import \
+    resolve_categories
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.helper.rule import \
     check_purge_configured
 from ansible_collections.ansibleguy.opnsense.plugins.module_utils.base.api import Session
@@ -11,7 +13,8 @@
 
 def process(m: AnsibleModule, p: dict, r: dict) -> None:
     s = Session(module=m)
-    existing_rules = Rule(module=m, session=s, result={}).get_existing()
+    meta_rule = Rule(module=m, session=s, result={})
+    existing_rules = meta_rule.get_existing()
     rules_to_purge = []
 
     def obj_func(rule_to_purge: dict) -> Rule:
@@ -51,6 +54,9 @@ def obj_func(rule_to_purge: dict) -> Rule:
                 )
 
         else:
+            if not is_unset(p['filters']) and 'categories' in p['filters']:
+                resolve_categories(meta_rule, p['filters'])
+
             # checking if existing rule should be purged
             for existing_rule in existing_rules:
                 to_purge = check_purge_configured(module=m, existing_rule=existing_rule)
diff --git a/tests/rule_category.yml b/tests/rule_category.yml
@@ -0,0 +1,283 @@
+---
+- name: Setup Test dummy
+  hosts: localhost
+  gather_facts: no
+  module_defaults:
+    group/ansibleguy.opnsense.all:
+      firewall: "{{ lookup('ansible.builtin.env', 'TEST_FIREWALL') }}"
+      api_credential_file: "{{ lookup('ansible.builtin.env', 'TEST_API_KEY') }}"
+      ssl_verify: false
+
+  tasks:
+    - name: Adding dummy alias
+      ansibleguy.opnsense.category:
+        name: 'ANSIBLE_TEST_DUMMY_1_1'
+        color: ff0000
+
+    - name: Adding dummy alias
+      ansibleguy.opnsense.category:
+        name: 'ANSIBLE_TEST_DUMMY_1_2'
+        color: 00ff00
+
+- name: Testing Rule - category
+  hosts: localhost
+  gather_facts: no
+  module_defaults:
+    group/ansibleguy.opnsense.all:
+      firewall: "{{ lookup('ansible.builtin.env', 'TEST_FIREWALL') }}"
+      api_credential_file: "{{ lookup('ansible.builtin.env', 'TEST_API_KEY') }}"
+      ssl_verify: false
+      match_fields: ['description']
+
+  tasks:
+    - name: Adding 1
+      ansibleguy.opnsense.rule:
+        source_net: '192.168.0.0/24'
+        destination_net: '192.168.1.0/24'
+        destination_port: 443
+        protocol: 'TCP'
+        description: 'ANSIBLE_TEST_1_1'
+        categories: 'ANSIBLE_TEST_DUMMY_1_1'
+      register: opn1
+      failed_when: >
+        not opn1.changed or
+        opn1.failed
+
+    - name: Nothing changed
+      ansibleguy.opnsense.rule:
+        source_net: '192.168.0.0/24'
+        destination_net: '192.168.1.0/24'
+        destination_port: 443
+        protocol: 'TCP'
+        description: 'ANSIBLE_TEST_1_1'
+        categories: 'ANSIBLE_TEST_DUMMY_1_1'
+      register: opn3
+      failed_when: >
+        opn3.changed or
+        opn3.failed
+
+    - name: Changing
+      ansibleguy.opnsense.rule:
+        source_net: '192.168.0.0/24'
+        destination_net: '192.168.1.0/24'
+        destination_port: 443
+        protocol: 'TCP'
+        description: 'ANSIBLE_TEST_1_1'
+        categories:
+          - 'ANSIBLE_TEST_DUMMY_1_1'
+          - 'ANSIBLE_TEST_DUMMY_1_2'
+      register: opn4
+      failed_when: >
+        not opn4.changed or
+        opn4.failed
+
+    - name: Removing
+      ansibleguy.opnsense.rule:
+        description: 'ANSIBLE_TEST_1_1'
+        state: 'absent'
+      register: opn4
+      failed_when: >
+        not opn4.changed or
+        opn4.failed
+
+- name: Testing Multiple Rule - category
+  hosts: localhost
+  gather_facts: no
+  module_defaults:
+    group/ansibleguy.opnsense.all:
+      firewall: "{{ lookup('ansible.builtin.env', 'TEST_FIREWALL') }}"
+      api_credential_file: "{{ lookup('ansible.builtin.env', 'TEST_API_KEY') }}"
+      ssl_verify: false
+      match_fields: ['description']
+      key_field: 'description'
+
+  tasks:
+    - name: Adding
+      ansibleguy.opnsense.rule_multi:
+        rules:
+          ANSIBLE_TEST_2_1:
+            source_net: '192.168.1.0/24'
+            destination_invert: true
+            destination_net: '10.0.0.0/8'
+            action: 'block'
+            categories: 'ANSIBLE_TEST_DUMMY_1_1'
+          ANSIBLE_TEST_2_2:
+            source_net: '192.168.0.0/24'
+            destination_net: '192.168.10.0/24'
+            destination_port: 443
+            protocol: 'TCP'
+            interface: 'lan'
+            categories: 'ANSIBLE_TEST_DUMMY_1_1'
+        reload: false
+      register: opn5
+      failed_when: >
+        opn5.failed or
+        not opn5.changed
+
+    - name: Changing
+      ansibleguy.opnsense.rule_multi:
+        rules:
+          ANSIBLE_TEST_2_1:
+            source_net: '192.168.1.0/24'
+            destination_invert: true
+            destination_net: '10.0.0.0/8'
+            action: 'block'
+            categories: 'ANSIBLE_TEST_DUMMY_1_2'
+          ANSIBLE_TEST_2_2:
+            source_net: '192.168.0.0/24'
+            destination_net: '192.168.10.0/24'
+            destination_port: 443
+            protocol: 'TCP'
+            interface: 'lan'
+            categories:
+              - 'ANSIBLE_TEST_DUMMY_1_1'
+              - 'ANSIBLE_TEST_DUMMY_1_2'
+        reload: false
+      register: opn6
+      failed_when: >
+        opn6.failed or
+        not opn6.changed
+
+    - name: Not Changing
+      ansibleguy.opnsense.rule_multi:
+        rules:
+          ANSIBLE_TEST_2_1:
+            source_net: '192.168.1.0/24'
+            destination_invert: true
+            destination_net: '10.0.0.0/8'
+            action: 'block'
+            categories: 'ANSIBLE_TEST_DUMMY_1_2'
+          ANSIBLE_TEST_2_2:
+            source_net: '192.168.0.0/24'
+            destination_net: '192.168.10.0/24'
+            destination_port: 443
+            protocol: 'TCP'
+            interface: 'lan'
+            categories:
+              - 'ANSIBLE_TEST_DUMMY_1_1'
+              - 'ANSIBLE_TEST_DUMMY_1_2'
+        reload: false
+      register: opn7
+      failed_when: >
+        opn7.failed or
+        opn7.changed
+
+    - name: Removing
+      ansibleguy.opnsense.rule_multi:
+        rules:
+          ANSIBLE_TEST_2_1:
+          ANSIBLE_TEST_2_2:
+        state: 'absent'
+
+- name: Testing Purging of Rules - category
+  hosts: localhost
+  gather_facts: no
+  module_defaults:
+    group/ansibleguy.opnsense.all:
+      firewall: "{{ lookup('ansible.builtin.env', 'TEST_FIREWALL') }}"
+      api_credential_file: "{{ lookup('ansible.builtin.env', 'TEST_API_KEY') }}"
+      ssl_verify: false
+
+    ansibleguy.opnsense.rule_multi:
+      match_fields: ['description']
+      key_field: 'description'
+
+    ansibleguy.opnsense.rule_purge:
+      match_fields: ['description']
+      key_field: 'description'
+
+  tasks:
+    - name: Adding
+      ansibleguy.opnsense.rule_multi:
+        rules:
+          ANSIBLE_TEST_3_1:
+            source_net: '192.168.1.0/24'
+            destination_invert: true
+            destination_net: '10.0.0.0/8'
+            action: 'block'
+            categories: 'ANSIBLE_TEST_DUMMY_1_1'
+          ANSIBLE_TEST_3_2:
+            source_net: '192.168.0.0/24'
+            destination_net: '192.168.10.0/24'
+            destination_port: 443
+            protocol: 'TCP'
+            interface: 'lan'
+            categories: ['ANSIBLE_TEST_DUMMY_1_1', 'ANSIBLE_TEST_DUMMY_1_2']
+          ANSIBLE_TEST_3_3:
+            source_invert: true
+            source_net: 'bogons'
+            action: 'block'
+            categories: 'ANSIBLE_TEST_DUMMY_1_2'
+
+    - name: Filtered purge
+      ansibleguy.opnsense.rule_purge:
+        filters:
+          categories: 'ANSIBLE_TEST_DUMMY_1_1'
+      register: opn1
+      failed_when: >
+        opn1.failed or
+        not opn1.changed
+
+    - name: Listing rules
+      ansibleguy.opnsense.list:
+        target: 'rule'
+      register: opn2
+      failed_when: >
+        'data' not in opn2 or
+        opn2.data | length != 2
+
+    - name: Filtered purge partial
+      ansibleguy.opnsense.rule_purge:
+        filter_partial: true
+        filters:
+          categories: 'ANSIBLE_TEST_DUMMY_1_1'
+      register: opn3
+      failed_when: >
+        opn3.failed or
+        not opn3.changed
+
+    - name: Listing rules
+      ansibleguy.opnsense.list:
+        target: 'rule'
+      register: opn4
+      failed_when: >
+        'data' not in opn4 or
+        opn4.data | length != 1
+
+    - name: Filtered purge invert
+      ansibleguy.opnsense.rule_purge:
+        filter_invert: true
+        filters:
+          categories: 'ANSIBLE_TEST_DUMMY_1_1'
+      register: opn5
+      failed_when: >
+        opn5.failed or
+        not opn5.changed
+
+    - name: Listing rules
+      ansibleguy.opnsense.list:
+        target: 'rule'
+      register: opn6
+      failed_when: >
+        'data' not in opn6 or
+        opn6.data | length != 0
+
+- name: Cleanup Test dummy
+  hosts: localhost
+  gather_facts: no
+  module_defaults:
+    group/ansibleguy.opnsense.all:
+      firewall: "{{ lookup('ansible.builtin.env', 'TEST_FIREWALL') }}"
+      api_credential_file: "{{ lookup('ansible.builtin.env', 'TEST_API_KEY') }}"
+      ssl_verify: false
+
+  tasks:
+    - name: Adding dummy alias
+      ansibleguy.opnsense.category:
+        name: 'ANSIBLE_TEST_DUMMY_1_1'
+        state: 'absent'
+
+    - name: Adding dummy alias
+      ansibleguy.opnsense.category:
+        name: 'ANSIBLE_TEST_DUMMY_1_2'
+        state: 'absent'
