Add wired_mac_auth_virtualswitch test suite for single-VM MAC authentication testing #8907
Open
Initial setup for virtualswitch-based MAC authentication tests:
- Add test suite directory structure
- Add variables to vars/all.yml for virtualswitch configuration
- Create network setup test (veth pair creation)
- Create virtualswitch installation test
- Create virtualswitch configuration test
- Create virtualswitch service startup test
- Add TESTSUITE.md documentation

This test suite uses virtualswitch running locally on the PF VM to simulate a network switch, eliminating the need for separate switch01, node01, and wireless01 VMs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Create reusable venom libs for virtualswitch operations:
- virtualswitch_install: Install package (dnf/apt)
- virtualswitch_service: Start/stop/restart service
- virtualswitch_service_status: Check service status
- virtualswitch_api_status: Check API health
- virtualswitch_plug_device: Plug device via API
- virtualswitch_unplug_device: Unplug device via API
- virtualswitch_device_status: Get device status
- virtualswitch_config_deploy: Deploy config.yaml
- virtualswitch_veth_create: Create and configure veth pair
- virtualswitch_veth_delete: Delete veth pair

Refactor test suite files to use the new libs instead of inline exec commands, reducing code duplication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add test files for PacketFence configuration:
- 08_configure_registration_interface.yml: Configure vswitch-host interface
- 10_create_registration_network.yml: Create registration network
- 12_restart_services.yml: Restart PF services after config changes
- 14_enable_node_cleanup_task.yml: Enable node cleanup maintenance
- 16_restart_pfcron_service.yml: Restart pfcron service

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add test files for network device and node configuration:
- 18_create_switch_group.yml: Create virtualswitch switch group
- 20_create_switch.yml: Create switch definition (Cisco type)
- 22_create_role.yml: Create headless_device role
- 24_create_node.yml: Create node with specified MAC
- 26_create_connection_profile.yml: Create wired MAC auth profile

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add MAC auth and printer/Fingerbank test files:
- 28_plug_device_mab.yml: Plug device via virtualswitch API
- 30_check_radius_audit_log.yml: Verify RADIUS Accept
- 32_check_virtualswitch_device_status.yml: Verify device authorized
- 34_create_printer_role.yml: Create printer role
- 36_create_vlan_filter_printer.yml: Create VLAN filter for printers
- 38_clear_fingerbank_cache.yml: Clear Fingerbank cache
- 40_create_printer_node.yml: Create printer node
- 42_plug_printer_mab.yml: Plug printer device
- 44_check_printer_radius_audit_log.yml: Verify printer RADIUS
- 46_check_printer_fingerbank_detection.yml: Verify Fingerbank detection
- 48_check_printer_vlan_assignment.yml: Verify printer VLAN
- 50_check_printer_virtualswitch_status.yml: Verify printer authorized
- 52_collect_virtualswitch_logs.yml: Collect logs for CI

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add teardown files to clean up after tests:
- 00_unplug_device.yml: Unplug device from interface 1
- 02_unplug_printer.yml: Unplug printer from interface 2
- 04_unreg_node.yml: Unregister device node
- 06_unreg_printer_node.yml: Unregister printer node
- 08_delete_node.yml: Delete device node
- 10_delete_printer_node.yml: Delete printer node
- 12_delete_connection_profile.yml: Delete connection profile
- 14_delete_vlan_filter_printer.yml: Delete printer VLAN filter
- 16_delete_switch.yml: Delete switch
- 18_delete_switch_group.yml: Delete switch group
- 20_unplug_all_interfaces.yml: Cleanup all interfaces
- 22_stop_virtualswitch.yml: Stop virtualswitch service
- 24_delete_registration_network.yml: Delete registration network
- 26_delete_registration_interface.yml: Remove interface from PF
- 28_teardown_network.yml: Remove veth pair
- 30_disable_node_cleanup_task.yml: Disable cleanup task
- 32_restart_pfcron_service.yml: Restart pfcron

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add scenario orchestration files:
- site.yml: Main playbook entry point
- playbooks/configure.yml: Pre-configuration (placeholder)
- playbooks/run_tests.yml: Run venom test suites

Add Makefile targets:
- mac_auth_virtualswitch_el8: Run tests on EL8
- mac_auth_virtualswitch_deb12: Run tests on Debian 12
- Branch aliases for CI integration

This scenario tests MAC authentication using VirtualSwitch running in a namespace on the PF VM itself, without requiring separate switch01, node01, or wireless01 VMs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add CI jobs for virtualswitch MAC auth tests (Plan A - namespace mode):

Development and maintenance jobs:
- mac_auth_virtualswitch_el8
- mac_auth_virtualswitch_deb12

Branch jobs:
- mac_auth_virtualswitch_el8_branches
- mac_auth_virtualswitch_deb12_branches

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ignore planning files in venom test scenarios as they are for local development and planning purposes only, not meant to be committed to the repository. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…d namespace setup

Update virtualswitch test infrastructure to download packages from authenticated URL and properly configure network namespace for isolated operation.

Changes:
- Update virtualswitch_install.yml to download from authenticated URL using curl with GitLab CI credentials (CI_VIRTUALSWITCH_USER, CI_VIRTUALSWITCH_PASSWORD)
- Add package URLs to vars/all.yml for both Debian and RHEL packages
- Enhance virtualswitch_veth_create.yml to:
  * Create network namespace (vswitch-ns)
  * Move vswitch-ns interface into namespace
  * Configure networking inside namespace with IP and routing
  * Enable loopback interface in namespace
- Update virtualswitch_veth_delete.yml to delete namespace during cleanup

Package URLs:
- Debian: https://support.inverse.ca/~jgoimard/virtualswitch/virtualswitch_2.5.2-1_amd64.deb
- RHEL: https://support.inverse.ca/~jgoimard/virtualswitch/virtualswitch-2.5.2-1.el8.x86_64.rpm

Network configuration:
- Host interface (vswitch-host): 10.99.99.1/24 (PF registration interface)
- Namespace interface (vswitch-ns): 10.99.99.254/24 (virtualswitch source IP)
- Default route in namespace points to host (10.99.99.1)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…t variables Add GitLab CI environment variables for virtualswitch package authentication to be available in the same way as PSONO variables. These variables must be defined in GitLab CI/CD settings and will be passed to the test environment for authenticated package downloads. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add CI_VIRTUALSWITCH_DEB_VERSION and CI_VIRTUALSWITCH_RPM_VERSION as fixed environment variables to centralize version management for virtualswitch packages.

Changes:
- Add CI_VIRTUALSWITCH_DEB_VERSION='2.5.2-1' to environment.yml
- Add CI_VIRTUALSWITCH_RPM_VERSION='2.5.2-1.el8' to environment.yml
- Update virtualswitch_install.yml to construct URLs using version variables
- Use default values if environment variables are not set for backward compatibility

This makes it easier to update virtualswitch package versions in the future by changing only the environment.yml file.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Move the base URL to a separate environment variable for easier configuration and maintenance.

Changes:
- Add CI_VIRTUALSWITCH_BASE_URL='https://support.inverse.ca/~jgoimard/virtualswitch'
- Update virtualswitch_install.yml to use BASE_URL variable
- Construct full package URLs by combining BASE_URL with version and filename

This allows changing the download location by updating only one variable in environment.yml.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Changed Debian package installation to use dpkg -i for local .deb files, which is the correct method. apt-get install doesn't work properly with local package files.

Changes:
- Use dpkg -i to install the downloaded .deb file
- Add apt-get install -f -y to fix any dependency issues if dpkg fails
- This resolves "dnf: not found" errors on Debian systems

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Add fallback to yum for older RHEL/CentOS systems that don't have dnf. Both dnf and yum properly handle local RPM file installation with automatic dependency resolution.

Changes:
- Check for both dnf and yum availability
- Prefer dnf if available, fallback to yum
- Update error message to reflect support for both package managers
- Both commands work correctly: dnf/yum install -y /path/to/file.rpm

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Restructure package installation to detect OS family from /etc/os-release instead of testing for package managers. This makes it explicit which OS we're installing on and provides better error messages.

Changes:
- Source /etc/os-release to get OS ID and ID_LIKE
- Use case statement to match OS family patterns
- Red Hat family: rhel, fedora, centos, rocky, alma - install RPM
- Debian family: debian, ubuntu - install DEB
- Each OS path is separate and explicit
- Better error messages showing detected OS

This approach is more maintainable and clearer about OS detection logic.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
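An added example, not code from this pull request, of the OS-family detection, URL construction from the CI_VIRTUALSWITCH_* variables, and authenticated download described in the commit messages above. The function names are hypothetical, and three choices are this example's own rather than the PR's: it parses /etc/os-release instead of sourcing it, refuses a non-HTTPS base URL, and passes the credentials to curl on stdin via `--config -`.

```shell
#!/bin/sh
# Added example (not code from this pull request). Function names are
# hypothetical; defaults are the values quoted in the commit messages.

DEFAULT_BASE_URL='https://support.inverse.ca/~jgoimard/virtualswitch'

# Read one KEY=value field from an os-release file without sourcing it,
# so nothing in that file is ever executed as shell code.
os_release_field() {    # $1 = key, $2 = file
    sed -n "s/^$1=//p" "$2" | head -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print "rhel" or "debian" for the given os-release file; fail otherwise.
# ID is checked before ID_LIKE, so derivatives resolve through ID_LIKE.
os_family() (
    set -f                              # no globbing while word-splitting
    file=${1:-/etc/os-release}
    [ -r "$file" ] || exit 1
    for token in $(os_release_field ID "$file") \
                 $(os_release_field ID_LIKE "$file"); do
        case "$token" in
            # AlmaLinux reports ID=almalinux, hence the alma* pattern
            rhel|fedora|centos|rocky|alma*) echo rhel; exit 0 ;;
            debian|ubuntu)                  echo debian; exit 0 ;;
        esac
    done
    echo "unsupported OS in $file" >&2
    exit 1
)

# Build the package URL from CI_VIRTUALSWITCH_BASE_URL and the version
# variables, falling back to the defaults when they are unset.
package_url() {    # $1 = family from os_family
    base=${CI_VIRTUALSWITCH_BASE_URL:-$DEFAULT_BASE_URL}
    case "$base" in
        https://*) ;;
        # Assumption of this example: credentials only travel over TLS
        *) echo "refusing non-HTTPS base URL: $base" >&2; return 1 ;;
    esac
    base=${base%/}
    case "$1" in
        debian) echo "$base/virtualswitch_${CI_VIRTUALSWITCH_DEB_VERSION:-2.5.2-1}_amd64.deb" ;;
        rhel)   echo "$base/virtualswitch-${CI_VIRTUALSWITCH_RPM_VERSION:-2.5.2-1.el8}.x86_64.rpm" ;;
        *)      return 1 ;;
    esac
}

# Emit a curl config line with the CI credentials. printf is a shell
# builtin, so the password never appears in another process's argv.
curl_auth_config() {
    : "${CI_VIRTUALSWITCH_USER:?not set}" "${CI_VIRTUALSWITCH_PASSWORD:?not set}"
    cred=$(printf '%s' "$CI_VIRTUALSWITCH_USER:$CI_VIRTUALSWITCH_PASSWORD" |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'user = "%s"\n' "$cred"
}

# Download to $2, passing credentials on stdin instead of with -u.
download_package() {    # $1 = URL, $2 = destination file
    curl_auth_config |
        curl --fail --silent --show-error --config - --output "$2" "$1"
}
```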
Remove quotes from retry and delay parameters in the executor step as Venom expects these to be integers, not strings. Also remove the 's' suffix from delay as Venom's delay parameter expects just an integer (seconds). Fixes error: "unable to get executor: attribute 'delay' is not an integer" 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…utor

- Update api_url in all virtualswitch executors from localhost to namespace IP (10.99.99.254:38080)
- Add virtualswitch.api.port variable in all.yml for centralized port configuration
- Add virtualswitch_service_create executor to create systemd service for virtualswitch in namespace
- Add test case for virtualswitch service creation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Update virtualswitch version from 2.5.2-1 to 2.6.2-1
- Install wpasupplicant before virtualswitch package on both DEB and RPM systems

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Update network config to match virtualswitch-namespace service:
  - Host IP: 10.255.255.1/30 (on vswitchbr bridge)
  - Namespace IP: 10.255.255.2/30
  - API port: 8080 (localhost)
- Remove custom veth setup (namespace service handles it)
- Remove custom service file creation (package provides it)
- Update registration interface config to use vswitchbr bridge
- Update executor defaults with new API URL
- Add wait for bridge before configuring PF interface

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Port 8080 is used by PacketFence, so VirtualSwitch API needs to use a different port. Added systemd override file to configure the virtualswitch-namespace service with custom port 38080. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After virtualswitch installation:
- Stop and disable the standard virtualswitch service
- Enable and start the virtualswitch-namespace service

This ensures the namespace-based service runs instead of the standard one.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
More transparent naming to indicate this starts the namespace service. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The virtualswitch-namespace service runs in its own network namespace with IP 10.255.255.2. Access the API via this IP instead of localhost, avoiding any port conflict with PacketFence on the host.
- API URL: http://10.255.255.2:8080
- Removed systemd override (no longer needed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

…tors

- Add virtualswitch_api.yml as base executor for all API operations
- Refactor virtualswitch_api_status, virtualswitch_device_status, virtualswitch_plug_device, virtualswitch_unplug_device to use the generic API executor internally
- Remove virtualswitch_config_deploy.yml (no longer needed)
- API accessed via namespace IP (10.255.255.2:8080)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This executor writes config to disk (not API), needed for initial setup. Updated default IPs to match namespace network (10.255.255.x). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Now exposes all config.yaml options as inputs:
- RADIUS settings
- DHCP (enabled, server_ip)
- IPFIX (enabled, destination, port, interval)
- SCEP (enabled, server_url, shared_secret)
- Wireless (ssid, switch_mac)
- Device state (auto_save, file_path)
- Interface types (YAML list)
- VLANs (YAML list)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Write interface_types and vlans directly as inline YAML arrays:
interface_types: [{id: 1, type: ethernet}, {id: 2, type: ethernet}, ...]
vlans: [{id: 2, interfaces: [1,2,3,4,5]}, ...]
No conversion needed - values written directly to config file.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Configure radiusd-auth as additional listening daemon on the virtualswitch bridge interface for RADIUS authentication. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Group test files by logical phase (0x-6x) for better organization:
- 0x: VirtualSwitch setup
- 1x: PacketFence infrastructure
- 2x: PacketFence entities
- 3x: Headless device test
- 4x: Printer test setup
- 5x: Printer test execution
- 6x: Logging

Add missing teardown steps for role cleanup and update documentation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace pf_api_action with direct http type to match the pattern used in wired_mac_auth test suite and avoid venom executor loading issues. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace custom pf_api executors with direct http type calls to match the patterns used in wired_mac_auth and common test suites. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use correct API endpoint /authentication-session instead of /status which was returning 404. Update assertions to check for "authenticated" matching the actual API response port_state value. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Teardown runs in descending order, so switch and switch_group must have higher numbers to be deleted before roles that reference them. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix variable interpolation by using result. prefix for nested executor outputs and add vars to capture parsed JSON responses. Expose individual JSON fields following the pf_api_action pattern for better assertions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix vlan_filter path: config/filter_engines/vlan_filters (not vlan/vlan_filters)
- Fix vlan_filter condition: use JSON object format instead of string
- Fix fingerbank cache clear: use pfcmd CLI instead of non-existent API
- Fix printer node creation: use http type with proper vars extraction
- Fix radius audit log check: add retry_if and profile assertion

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Switch group cannot be deleted while still referenced by a switch. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Match pattern used by other test suites (inline/l2, inline/l3, etc.) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move shared virtualswitch setup and teardown to global test suites:

global_config_virtualswitch:
- 00_create_headless_device_role.yml
- 05_create_printer_role.yml
- 10_create_switch_group.yml
- 15_create_switch.yml
- 20_install_virtualswitch.yml
- 25_disable_standard_virtualswitch.yml
- 30_configure_virtualswitch.yml
- 35_start_virtualswitch_namespace.yml

global_teardown_virtualswitch:
- 00_delete_switch.yml
- 05_delete_switch_group.yml
- 10_delete_headless_device_role.yml
- 15_delete_printer_role.yml
- 20_stop_virtualswitch.yml

Update run_tests.yml to use new test suite structure.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Split virtualswitch configuration:

global_config_virtualswitch_namespace (service setup):
- 00_install_virtualswitch.yml
- 05_disable_standard_virtualswitch.yml
- 10_configure_virtualswitch.yml
- 15_start_virtualswitch_namespace.yml

global_config_virtualswitch (PF configuration):
- 00_create_headless_device_role.yml
- 05_create_printer_role.yml
- 10_create_switch_group.yml
- 15_create_switch.yml

global_teardown_virtualswitch_namespace:
- 00_stop_virtualswitch.yml

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Reorganize teardown test suites as subdirectories:
- global_teardown_virtualswitch -> global_config_virtualswitch/teardown
- global_teardown_virtualswitch_namespace -> global_config_virtualswitch_namespace/teardown

Also add TESTSUITE.md documentation for each test suite.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The printer role deletion was failing because the VLAN filter (autoassign_printer_role) still referenced it. This adds a step to delete the VLAN filter before the printer role. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The Fingerbank detection returns device_class as "Datacenter Appliance" for the virtualswitch hp-printer profile. Since the node is pre-created with the printer category, check that field instead. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The pf_api_node_action_ output is a JSON string, not a parsed object. Venom auto-creates a _json suffix version that can be accessed as a map. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove unreg files (cron task handles unregistration)
- Rename teardown files to follow numbering convention:
  - 30_unplug_all_interfaces → 04 (0x unplug range)
  - 14_delete_node → 10 (1x delete range)
  - 16_delete_printer_node → 12
- Use pf_api_node_delete executor for node deletion
- Add URL-encoded MAC addresses to vars/all.yml
- Update TESTSUITE.md with correct teardown steps

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The filter may not exist if test failed earlier or was never created. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The PacketFence API uses /config/filter_engines/vlan_filter/{id} for
individual filter operations, not /config/filter_engines/vlan_filters/.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ualswitch The VLAN filter is created in wired_mac_auth_virtualswitch, so it should only be deleted in that test suite's teardown. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ssertion

- Add service disable step to virtualswitch-namespace teardown
- Add config file removal to virtualswitch-namespace teardown
- Fix VLAN filter deletion to assert only 200 (not 404)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

…lswitch

Reorganize test suites:
- Move roles (headless_device, printer) to wired_mac_auth_virtualswitch
- Move switch/switch_group to global_config_virtualswitch
- Merge virtualswitch namespace setup into global_config_virtualswitch
- Delete global_config_virtualswitch_namespace directory
- Update TESTSUITE.md files to reflect new structure

New structure:
- global_config_virtualswitch: virtualswitch install/config + switch setup
- wired_mac_auth_virtualswitch: roles + infrastructure + tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

… fix teardown order

- Move role creation (headless_device, printer) from wired_mac_auth_virtualswitch to global_config_virtualswitch to ensure they exist before switch configuration
- Move VLAN filter and role deletion to global_config_virtualswitch/teardown to fix dependency order (roles must be deleted after switch that references them)
- Renumber wired_mac_auth_virtualswitch test files to start from 0x instead of 1x
- Remove global_config_virtualswitch_namespace from run_tests.yml (merged previously)
- Update TESTSUITE.md documentation for both test suites

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Improvements: Use |
So worked also on el8 |
Description
Add a new Venom test suite (wired_mac_auth_virtualswitch) that tests MAC Authentication using VirtualSwitch running in namespace mode on a single PacketFence VM. This eliminates the need for separate switch/node VMs required by the existing wired_mac_auth test suite.

The test suite validates:
Impacts
- wired_mac_auth_virtualswitch
- global_config_virtualswitch (virtualswitch setup, roles, switch configuration)

Delete branch after merge
YES
Checklist
NEWS file entries
New Features
Enhancements