Build Windows Templates in RHV

roles/linux-system-roles.network/tests/tasks/activate_profile.yml

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        state: up
+...

roles/linux-system-roles.network/tests/tasks/assert_device_absent.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include: get_interface_stat.yml
+- name: "assert that interface {{ interface }} is absent"
+  assert:
+    that: not interface_stat.stat.exists
+    msg: "{{ interface }} exists"

roles/linux-system-roles.network/tests/tasks/assert_device_present.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include: get_interface_stat.yml
+- name: "assert that interface {{ interface }} is present"
+  assert:
+    that: interface_stat.stat.exists
+    msg: "{{ interface }} does not exist"

roles/linux-system-roles.network/tests/tasks/assert_output_in_stderr_without_warnings.yml

@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: "Assert that warnings is empty"
+  assert:
+    that:
+      - "'warnings' not in __network_connections_result"
+    msg: "There are unexpected warnings"
+- name: "Assert that there is output in stderr"
+  assert:
+    that:
+      - "'stderr' in __network_connections_result"
+    msg: "There are no messages in stderr"

roles/linux-system-roles.network/tests/tasks/assert_profile_absent.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include: get_profile_stat.yml
+- name: "assert that profile '{{ profile }}' is absent"
+  assert:
+    that: not lsr_net_profile_exists
+    msg: "profile {{ profile }} does exist"

roles/linux-system-roles.network/tests/tasks/assert_profile_present.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include: get_profile_stat.yml
+- name: "assert that profile '{{ profile }}' is present"
+  assert:
+    that: lsr_net_profile_exists
+    msg: "profile {{ profile }} does not exist"

roles/linux-system-roles.network/tests/tasks/cleanup_802_1x_server.yml

@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Remove test interfaces
+  shell: |
+    ip netns delete ns1
+    ip link delete veth1-br
+    ip link delete veth2-br
+    ip link delete br1
+
+- name: Kill hostapd process
+  shell: pkill hostapd
+- name: Remove certs and config
+  file:
+    state: absent
+    path: "{{ item }}"
+  with_items:
+    - /etc/pki/tls/hostapd_test
+    - /etc/hostapd/wired.conf
+    - /etc/hostapd/hostapd.eap_user

roles/linux-system-roles.network/tests/tasks/cleanup_mock_wifi.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Unload mac80211_hwsim module
+  shell: modprobe -r mac80211_hwsim
+
+- name: Kill hostapd process
+  shell: pkill hostapd

roles/linux-system-roles.network/tests/tasks/cleanup_profile+device.yml

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- shell: |
+    nmcli con delete {{ interface }}
+    nmcli con load /etc/sysconfig/network-scripts/ifcfg-{{ interface }}
+    rm -f /etc/sysconfig/network-scripts/ifcfg-{{ interface }}
+    ip link del {{ interface }}
+  ignore_errors: true
+...

roles/linux-system-roles.network/tests/tasks/create_and_remove_interface.yml

@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_tasks: show_interfaces.yml
+- include_tasks: manage_test_interface.yml
+  vars:
+    state: absent
+- include_tasks: show_interfaces.yml
+- include_tasks: assert_device_absent.yml
+
+- include_tasks: manage_test_interface.yml
+  vars:
+    state: present
+- include_tasks: show_interfaces.yml
+- include_tasks: assert_device_present.yml
+
+- include_tasks: manage_test_interface.yml
+  vars:
+    state: absent
+- include_tasks: show_interfaces.yml
+- include_tasks: assert_device_absent.yml

roles/linux-system-roles.network/tests/tasks/create_bridge_profile.yml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        persistent_state: present
+        type: bridge
+        ip:
+          dhcp4: false
+          auto6: false
+- debug:
+    var: __network_connections_result
+...

roles/linux-system-roles.network/tests/tasks/create_bridge_profile_no_autoconnect.yml

@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        autoconnect: false
+        persistent_state: present
+        type: bridge
+        ip:
+          dhcp4: false
+          auto6: false
+- debug:
+    var: __network_connections_result
+...

roles/linux-system-roles.network/tests/tasks/create_dummy_profile.yml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        state: up
+        type: dummy
+        ip:
+          address:
+            - "192.0.2.42/30"
+- debug:
+    var: __network_connections_result
+...

roles/linux-system-roles.network/tests/tasks/create_team_profile.yml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        persistent_state: present
+        type: team
+        ip:
+          dhcp4: false
+          auto6: false
+- debug:
+    var: __network_connections_result
+...

roles/linux-system-roles.network/tests/tasks/create_test_interfaces_with_dhcp.yml

@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Install dnsmasq
+  package:
+    name: dnsmasq
+    state: present
+
+
+- name: Create test interfaces
+  shell: |
+    # NM to see veth devices starting with test* as managed after ip add..
+    echo 'ENV{ID_NET_DRIVER}=="veth",\
+          ENV{INTERFACE}=="test*", \
+          ENV{NM_UNMANAGED}="0"' >/etc/udev/rules.d/88-veth.rules
+    udevadm control --reload-rules
+    udevadm settle --timeout=5
+
+    # Setuptwo devices with IPv4/IPv6 auto support
+    ip link add {{dhcp_interface1}} type veth peer name {{dhcp_interface1}}p
+    ip link set {{dhcp_interface1}}p up
+    ip link add {{dhcp_interface2}} type veth peer name {{dhcp_interface2}}p
+    ip link set {{dhcp_interface2}}p up
+
+    # Create the 'testbr' - providing both 10.x ipv4 and 2620:52:0 ipv6 dhcp
+    ip link add name testbr type bridge forward_delay 0
+    ip link set testbr up
+    ip addr add 192.0.2.1/24 dev testbr
+    ip -6 addr add 2001:DB8::1/32 dev testbr
+
+    if grep 'release 6' /etc/redhat-release; then
+        # We need bridge-utils and radvd only in rhel6
+        if ! rpm -q --quiet radvd; then yum -y install radvd; fi
+        if ! rpm -q --quiet bridge-utils; then yum -y install bridge-utils; fi
+
+        # We need to add iptables rule to allow dhcp request
+        iptables -I INPUT -i testbr -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+
+        # Add {{dhcp_interface1}}, {{dhcp_interface2}} peers into the testbr
+        brctl addif testbr {{dhcp_interface1}}p
+        brctl addif testbr {{dhcp_interface2}}p
+
+        # in RHEL6 /run is not present
+        mkdir -p /run
+
+        # and dnsmasq does not support ipv6
+        dnsmasq \
+            --pid-file=/run/dhcp_testbr.pid \
+            --dhcp-leasefile=/run/dhcp_testbr.lease \
+            --dhcp-range=192.0.2.1,192.0.2.254,240 \
+            --interface=testbr --bind-interfaces
+
+        # start radvd for ipv6
+        echo 'interface testbr {' > /etc/radvd.conf
+        echo '        AdvSendAdvert on;' >> /etc/radvd.conf
+        echo '        prefix 2001:DB8::/64 { ' >> /etc/radvd.conf
+        echo '              AdvOnLink on; }; ' >> /etc/radvd.conf
+        echo '        }; ' >> /etc/radvd.conf
+
+        # enable ipv6 forwarding
+        sysctl -w net.ipv6.conf.all.forwarding=1
+        service radvd restart
+
+    else
+        ip link set {{dhcp_interface1}}p master testbr
+        ip link set {{dhcp_interface2}}p master testbr
+        # Run joint DHCP4/DHCP6 server with RA enabled in veth namespace
+        dnsmasq \
+            --pid-file=/run/dhcp_testbr.pid \
+            --dhcp-leasefile=/run/dhcp_testbr.lease \
+            --dhcp-range=192.0.2.1,192.0.2.254,240 \
+            --dhcp-range=2001:DB8::10,2001:DB8::1FF,slaac,64,240 \
+            --enable-ra --interface=testbr --bind-interfaces
+    fi

roles/linux-system-roles.network/tests/tasks/delete_interface.yml

@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: remove test interface if necessary
+  command: "ip link del {{ interface }}"
+  ignore_errors: true
+...

roles/linux-system-roles.network/tests/tasks/el_repo_setup.yml

@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: BSD-3-Clause
+- name: Fix CentOS6 Base repo
+  copy:
+    dest: /etc/yum.repos.d/CentOS-Base.repo
+    content: |
+      [base]
+      name=CentOS-$releasever - Base
+      baseurl=https://vault.centos.org/6.10/os/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+      [updates]
+      name=CentOS-$releasever - Updates
+      baseurl=https://vault.centos.org/6.10/updates/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+      [extras]
+      name=CentOS-$releasever - Extras
+      baseurl=https://vault.centos.org/6.10/extras/$basearch/
+      gpgcheck=1
+      gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+  when:
+    - ansible_distribution == 'CentOS'
+    - ansible_distribution_major_version == '6'
+- include_tasks: enable_epel.yml

roles/linux-system-roles.network/tests/tasks/enable_epel.yml

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Enable EPEL {{ ansible_distribution_major_version }}
+  # yamllint disable-line rule:line-length
+  command: yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
+  args:
+    warn: false
+    creates: /etc/yum.repos.d/epel.repo
+  when:
+    - ansible_distribution in ['RedHat', 'CentOS']
+    - ansible_distribution_major_version in ['7', '8']
+
+- name: Enable EPEL 6
+  copy:
+    dest: /etc/yum.repos.d/epel.repo
+    content: |
+      [epel]
+      name=Extra Packages for Enterprise Linux 6 - $basearch
+      baseurl=https://archives.fedoraproject.org/pub/archive/epel/6/$basearch
+      enabled=1
+      gpgcheck=0
+  when:
+    - ansible_distribution in ['RedHat', 'CentOS']
+    - ansible_distribution_major_version == '6'

roles/linux-system-roles.network/tests/tasks/get_NetworkManager_NVR.yml

@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- block:
+    - name: Get NetworkManager RPM version
+      command:
+        cmd: rpm -qa --qf '%{name}-%{version}-%{release}\n' NetworkManager
+        warn: false
+      register: __rpm_q_NetworkManager
+
+    - name: Store NetworkManager version
+      set_fact:
+        NetworkManager_NVR: "{{ __rpm_q_NetworkManager.stdout }}"
+
+    - name: Show NetworkManager version
+      debug:
+        var: NetworkManager_NVR
+  tags:
+    - always
+...

roles/linux-system-roles.network/tests/tasks/get_current_interfaces.yml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- command: ls -1
+  args:
+    chdir: /sys/class/net
+  register: _current_interfaces
+- set_fact:
+    current_interfaces: "{{ _current_interfaces.stdout_lines }}"

roles/linux-system-roles.network/tests/tasks/get_interface_stat.yml

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: "Get stat for interface {{ interface }}"
+  stat:
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+    path: "/sys/class/net/{{ interface }}"
+  register: interface_stat

roles/linux-system-roles.network/tests/tasks/get_modules_and_utils_paths.yml

@@ -0,0 +1,92 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: set collection paths
+  set_fact:
+    collection_paths: |
+      {{
+        (lookup("env","ANSIBLE_COLLECTIONS_PATH").split(":") +
+        lookup("env","ANSIBLE_COLLECTIONS_PATHS").split(":") +
+        lookup("config", "COLLECTIONS_PATHS")) |
+        select | list
+      }}
+
+- name: set search paths
+  set_fact:
+    modules_search_path: |
+        {{
+          (lookup("env", "ANSIBLE_LIBRARY").split(":") +
+          ["../../library", "../library"] +
+          lookup("config", "DEFAULT_MODULE_PATH")) |
+          select | list
+        }}
+    module_utils_search_path: |
+        {{
+          (lookup("env", "ANSIBLE_MODULE_UTILS").split(":") +
+          ["../../module_utils", "../module_utils"] +
+          lookup("config", "DEFAULT_MODULE_UTILS_PATH")) |
+          select | list
+        }}
+
+# the output should be something like
+# - path to parent directory to chdir to in order to use tar
+# - relative path under parent directory to tar
+# e.g. for the local role case
+# - ../..
+# - library
+# would translate to tar -C ../.. library
+# for the collection case
+# - /home/user/.ansible/collections
+# - ansible_collections/fedora/linux_system_roles/plugins/modules
+# would translate to tar -C /home/user/.ansible/collections \
+# ansible_collections/fedora/linux_system_roles/plugins/modules
+- name: find parent directory and path of modules
+  shell: |
+    set -euxo pipefail
+    for dir in {{ modules_search_path | join(" ") }}; do
+      if [ -f "$dir/network_connections.py" ]; then
+        readlink -f "$(dirname "$dir")"
+        basename "$dir"
+        exit 0
+      fi
+    done
+    for dir in {{ collection_paths | join(" ") }}; do
+      if [ ! -d "$dir" ]; then continue; fi
+      cd "$dir"
+      for subdir in ansible_collections/*/*/plugins/modules; do
+        if [ -f "$subdir/network_connections.py" ]; then
+          echo "$dir"
+          echo "$subdir"
+          exit 0
+        fi
+      done
+    done
+    echo network_connections.py not found
+    exit 1
+  delegate_to: localhost
+  register: modules_parent_and_dir
+
+- name: find parent directory and path of module_utils
+  shell: |
+    set -euxo pipefail
+    for dir in {{ module_utils_search_path | join(" ") }}; do
+      if [ -d "$dir/network_lsr" ]; then
+        readlink -f "$(dirname "$dir")"
+        basename "$dir"
+        exit 0
+      fi
+    done
+    for dir in {{ collection_paths | join(" ") }}; do
+      if [ ! -d "$dir" ]; then continue; fi
+      cd "$dir"
+      for subdir in ansible_collections/*/*/plugins/module_utils; do
+        if [ -d "$subdir/network_lsr" ]; then
+          echo "$dir"
+          echo "$subdir"
+          exit 0
+        fi
+      done
+    done
+    echo network_lsr not found
+    exit 1
+  delegate_to: localhost
+  register: module_utils_parent_and_dir

roles/linux-system-roles.network/tests/tasks/get_profile_stat.yml

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- set_fact: lsr_net_profile_exists=false
+
+- name: stat profile file
+  stat:
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+    path: /etc/sysconfig/network-scripts/ifcfg-{{ profile }}
+  register: profile_stat
+
+- set_fact: lsr_net_profile_exists=true
+  when: profile_stat.stat.exists
+
+# When certain profile is marked as absent but still up, the `nmcli connection`
+# still show it with FILENAME starting with /run. Only consider profile exists
+# when its FILENAME is in /etc folder
+- shell: nmcli -f NAME,FILENAME connection show |grep {{ profile }} | grep /etc
+  register: nm_profile_exists
+  ignore_errors: yes
+
+- set_fact: lsr_net_profile_exists=true
+  when: nm_profile_exists.rc == 0

roles/linux-system-roles.network/tests/tasks/manage_test_interface.yml

@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- fail:
+    msg: "state needs to be present or absent, not '{{ state }}'"
+  when: state not in ["present", "absent"]
+
+- fail:
+    msg: "type needs to be dummy, tap or veth, not '{{ type }}'"
+  when: type not in ["dummy", "tap", "veth"]
+
+- include: show_interfaces.yml
+
+- name: Install iproute
+  package:
+    name: iproute
+    state: present
+
+# veth
+- name: Create veth interface {{ interface }}
+  command: "{{ item }}"
+  with_items:
+    - ip link add {{ interface }} type veth peer name peer{{ interface }}
+    - ip link set peer{{ interface }} up
+    - ip link set {{ interface }} up
+  when: "type == 'veth' and state == 'present' and
+         interface not in current_interfaces"
+- name: Set up veth as managed by NetworkManager
+  shell: nmcli d set {{ interface }} managed true
+  # The varible for `network_provider` is not exists yet,
+  # just ignore error for initscripts
+  ignore_errors: yes
+  when: "type == 'veth' and state == 'present'"
+
+- name: Delete veth interface {{ interface }}
+  command: ip link del {{ interface }} type veth
+  when: "type == 'veth' and state == 'absent' and
+         interface in current_interfaces"
+
+# dummy
+- name: Create dummy interface {{ interface }}
+  command: ip link add "{{ interface }}" type dummy
+  when: "type == 'dummy' and state == 'present' and
+         interface not in current_interfaces"
+
+- name: Delete dummy interface {{ interface }}
+  command: ip link del "{{ interface }}" type dummy
+  when: "type == 'dummy' and state == 'absent' and
+         interface in current_interfaces"
+
+# tap
+- name: Create tap interface {{ interface }}
+  command: ip tuntap add dev {{ interface }} mode tap
+  when: "type == 'tap' and state == 'present'
+         and interface not in current_interfaces"
+
+- name: Delete tap interface {{ interface }}
+  command: ip tuntap del dev {{ interface }} mode tap
+  when: "type == 'tap' and state == 'absent' and
+         interface in current_interfaces"

roles/linux-system-roles.network/tests/tasks/provider/create_and_remove_with_initscripts.yml

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        state: up
+        persistent_state: present
+        type: ethernet
+        autoconnect: yes
+        ip:
+          address: 192.0.2.1/24
+    network_provider: initscripts
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        state: down
+        persistent_state: absent
+    network_provider: initscripts
+...

roles/linux-system-roles.network/tests/tasks/provider/create_with_nm.yml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        state: up
+        persistent_state: present
+        type: ethernet
+        autoconnect: yes
+        ip:
+          address: 192.0.2.1/24
+    network_provider: nm
+...

roles/linux-system-roles.network/tests/tasks/provider/default_with_nm.yml

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections: []
+    network_provider: nm
+...

roles/linux-system-roles.network/tests/tasks/remove+down_profile.yml

@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        persistent_state: absent
+        state: down
+...

roles/linux-system-roles.network/tests/tasks/remove_profile.yml

@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_role:
+    name: linux-system-roles.network
+  vars:
+    network_connections:
+      - name: "{{ interface }}"
+        persistent_state: absent
+...

roles/linux-system-roles.network/tests/tasks/remove_test_interfaces_with_dhcp.yml

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Remove test interfaces
+  shell: |
+    ip link delete {{dhcp_interface1}}
+    ip link delete {{dhcp_interface2}}
+    ip link delete testbr
+
+    # Remove udev rule for NM to see veth devices starting with test*.....
+    rm -rf /etc/udev/rules.d/88-veth.rules
+    udevadm control --reload-rules
+    udevadm settle --timeout=5
+
+
+- name: Stop dnsmasq/radvd services
+  shell: |
+    pkill -F /run/dhcp_testbr.pid
+    rm -rf /run/dhcp_testbr.pid
+    rm -rf /run/dhcp_testbr.lease
+    if grep 'release 6' /etc/redhat-release; then
+        # Stop radvd server
+        service radvd stop
+        iptables -D INPUT -i testbr -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+
+    fi

roles/linux-system-roles.network/tests/tasks/run_test.yml

@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Run test
+  block:
+    - name: "TEST: {{ lsr_description }}"
+      debug:
+        msg: "########## {{ lsr_description }} ##########"
+
+    - debug:
+        var: "{{ item }}"
+      loop:
+        - lsr_description
+        - lsr_setup
+        - lsr_test
+        - lsr_assert
+        - lsr_assert_when
+        - lsr_fail_debug
+        - lsr_cleanup
+
+    - include_tasks: tasks/show_interfaces.yml
+
+    - name: setup
+      include_tasks: "{{ item }}"
+      loop: "{{ lsr_setup }}"
+      tags:
+        - "tests::setup"
+
+    - name: test
+      include_tasks: "{{ item }}"
+      loop: "{{ lsr_test }}"
+      tags:
+        - "tests::test"
+
+    - name: asserts
+      include_tasks: "{{ item }}"
+      loop: "{{ lsr_assert }}"
+      tags:
+        - "tests::assert"
+
+    - name: conditional asserts
+      include_tasks: "{{ item['what'] }}"
+      when:
+        - "{{ item['when'] }}"
+      loop: "{{ lsr_assert_when|default([]) }}"
+
+    - name: "Success in test '{{ lsr_description }}'"
+      debug:
+        msg: "+++++ Success in test '{{ lsr_description }}' +++++"
+
+  rescue:
+    - name: "Failure in test '{{ lsr_description }}'"
+      debug:
+        msg: "!!!!! Failure in test '{{ lsr_description }}' !!!!!"
+
+    - debug:
+        var: "{{ item }}"
+      loop: "{{ lsr_fail_debug | default([]) }}"
+
+    - fail:
+        msg: "!!!!! Failure in test '{{ lsr_description }}' !!!!!"
+
+  always:
+    - name: cleanup
+      include_tasks: "{{ item }}"
+      loop: "{{ lsr_cleanup }}"
+      tags:
+        - "tests::cleanup"
+...

roles/linux-system-roles.network/tests/tasks/setup_802.1x.yml

@@ -0,0 +1,11 @@
+- include_tasks: tasks/setup_802_1x_server.yml
+- name: Copy client certs
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/pki/tls/{{ item }}"
+    mode: 0644
+  with_items:
+    - client.key
+    - client.key.nocrypt
+    - client.pem
+    - cacert.pem

roles/linux-system-roles.network/tests/tasks/setup_802_1x_server.yml

@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Install hostapd
+  package:
+    name: hostapd
+    state: present
+
+- name: Create directory for test certificates
+  file:
+    state: directory
+    path: /etc/pki/tls/hostapd_test
+- name: Copy server certificates
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/pki/tls/hostapd_test/{{ item }}"
+  with_items:
+    - server.key
+    - dh.pem
+    - server.pem
+    - cacert.pem
+
+- name: Create test interfaces
+  shell: |
+    ip link add veth1 type veth peer name veth1-br
+    ip link add veth2 type veth peer name veth2-br
+
+    ip link add br1 type bridge
+    ip link set br1 up
+
+    ip netns add ns1
+
+    ip link set veth1 netns ns1
+
+    ip netns exec ns1 ip addr add 203.0.113.1/24 dev veth1
+
+    ip link set veth1-br up
+    ip link set veth2-br up
+
+    ip link set veth1-br master br1
+    ip link set veth2-br master br1
+
+    ip netns exec ns1 ip link set veth1 up
+    ip link set veth2 up
+
+    # Enable forwarding of EAP 802.1x messages through software bridge "br1".
+    echo 8 > /sys/class/net/br1/bridge/group_fwd_mask
+
+- name: Create hostapd config
+  copy:
+    content: |
+      interface=veth1
+      driver=wired
+      debug=2
+      ieee8021x=1
+      eap_reauth_period=3600
+      eap_server=1
+      use_pae_group_addr=1
+      eap_user_file=/etc/hostapd/hostapd.eap_user
+      ca_cert=/etc/pki/tls/hostapd_test/cacert.pem
+      dh_file=/etc/pki/tls/hostapd_test/dh.pem
+      server_cert=/etc/pki/tls/hostapd_test/server.pem
+      private_key=/etc/pki/tls/hostapd_test/server.key
+      private_key_passwd=test
+      logger_syslog=-1
+      logger_syslog_level=0
+    dest: /etc/hostapd/wired.conf
+
+- name: Create eap_user_file config
+  copy:
+    content: |
+      * TLS
+    dest: /etc/hostapd/hostapd.eap_user
+
+- name: Run hostapd in namespace
+  shell: ip netns exec ns1 hostapd -B /etc/hostapd/wired.conf && sleep 5

roles/linux-system-roles.network/tests/tasks/setup_mock_wifi.yml

@@ -0,0 +1,82 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- name: Install packages required to set up mock wifi network
+  package:
+    name:
+      - hostapd
+      - NetworkManager
+      - wpa_supplicant
+    state: present
+
+- name: Ensure NetworkManager is running
+  service:
+    name: NetworkManager
+    state: started
+
+- name: Copy server certificates
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/pki/tls/{{ item }}"
+  with_items:
+    - server.key
+    - dh.pem
+    - server.pem
+    - cacert.pem
+
+- name: Create hostapd config
+  copy:
+    content: |
+      interface=wlan1
+      driver=nl80211
+      ctrl_interface=/var/run/hostapd
+      ctrl_interface_group=0
+      ssid=mock_wifi
+      country_code=EN
+      hw_mode=g
+      channel=7
+      auth_algs=3
+      wpa=3
+      ieee8021x=1
+      eapol_version=1
+      wpa_key_mgmt=WPA-EAP WPA-PSK
+      wpa_passphrase=p@55w0rD
+      eap_reauth_period=3600
+      eap_server=1
+      use_pae_group_addr=1
+      eap_user_file=/etc/hostapd/hostapd.eap_user
+      ca_cert=/etc/pki/tls/cacert.pem
+      dh_file=/etc/pki/tls/dh.pem
+      server_cert=/etc/pki/tls/server.pem
+      private_key=/etc/pki/tls/server.key
+      private_key_passwd=test
+      logger_syslog=-1
+      logger_syslog_level=0
+    dest: /etc/hostapd/wireless.conf
+
+- name: Create eap_user_file config
+  copy:
+    content: |
+      * TLS
+    dest: /etc/hostapd/hostapd.eap_user
+
+- name: Load mac80211_hwsim kernel module to mock a wifi network
+  shell: modprobe mac80211_hwsim && sleep 5
+
+- name: Restart NetworkManager and wpa_supplicant
+  service:
+    name: "{{ item }}"
+    state: restarted
+  with_items:
+    - NetworkManager
+    - wpa_supplicant
+
+- name: Configure wlan0 and wlan1 (mock wifi interfaces)
+  shell: |
+    ip link set up wlan0
+    ip link set up wlan1
+    nmcli device set wlan1 managed off
+    ip add add 203.0.113.1/24 dev wlan1
+    sleep 5
+
+- name: Start hostapd
+  shell: hostapd -B /etc/hostapd/wireless.conf && sleep 5

roles/linux-system-roles.network/tests/tasks/setup_test_interface.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include_tasks: tasks/manage_test_interface.yml
+  vars:
+    state: present
+    type: veth
+...

roles/linux-system-roles.network/tests/tasks/show_interfaces.yml

@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: BSD-3-Clause
+---
+- include: get_current_interfaces.yml
+- debug:
+    msg: "current_interfaces: {{ current_interfaces }}"

roles/linux-system-roles.network/tests/tasks/test_802.1x_capath.yml

@@ -0,0 +1,108 @@
+---
+- name: >-
+    TEST: 802.1x profile with unencrypted private key and ca_path
+  debug:
+    msg: "##################################################"
+- set_fact:
+    # Fixed versions/NVRs:
+    # 1.25.2
+    # NetworkManager-1.24.2-1.fc33
+    # NetworkManager-1.22.14-1.fc32
+    # NetworkManager-1.20.12-1.fc31
+    # 1.18.8
+    __NM_capath_ignored_NVRs:
+      - NetworkManager-1.18.0-5.el7.x86_64
+      - NetworkManager-1.18.4-3.el7.x86_64
+      - NetworkManager-1.20.0-3.el8.x86_64
+      - NetworkManager-1.22.8-4.el8.x86_64
+      - NetworkManager-1.20.4-1.fc31.x86_64
+      - NetworkManager-1.22.10-1.fc32.x86_64
+      - NetworkManager-1.22.12-1.fc32.x86_64
+- name: Create directory for ca_path test
+  file:
+    path: "/etc/pki/tls/my_ca_certs"
+    state: directory
+    mode: 0755
+- name: Copy cacert to ca_path
+  copy:
+    src: "cacert.pem"
+    dest: "/etc/pki/tls/my_ca_certs/cacert.pem"
+    mode: 0644
+- name: Install openssl (test dependency)
+  package:
+    name: openssl
+    state: present
+- name: Hash cacert
+  command: openssl x509 -hash -noout
+    -in /etc/pki/tls/my_ca_certs/cacert.pem
+  register: cacert_hash
+- name: Add symlink for cacert
+  file:
+    state: link
+    path: "/etc/pki/tls/my_ca_certs/{{ cacert_hash.stdout }}.0"
+    src: cacert.pem
+- name: Get NetworkManager version
+  command:
+    cmd: rpm -qa NetworkManager
+    warn: false
+  register: __network_NM_NVR
+- block:
+    - import_role:
+        name: linux-system-roles.network
+      vars:
+        network_connections:
+          - name: "{{ interface | default('802-1x-test') }}"
+            interface_name: veth2
+            state: up
+            type: ethernet
+            ip:
+              address:
+                - 203.0.113.2/24
+              dhcp4: "no"
+              auto6: "no"
+            ieee802_1x:
+              identity: myhost_capath
+              eap: tls
+              private_key: /etc/pki/tls/client.key.nocrypt
+              client_cert: /etc/pki/tls/client.pem
+              private_key_password_flags:
+                - not-required
+              ca_path: /etc/pki/tls/my_ca_certs
+    - name: "TEST: I can ping the EAP server"
+      command: ping -c1 203.0.113.1
+    - name: trigger failure in case the role did not fail
+      fail:
+        msg: after test
+  rescue:
+    - debug:
+        var: "{{ item }}"
+      with_items:
+        - ansible_failed_result
+        - ansible_failed_task
+        - __network_NM_NVR.stdout
+        - __NM_capath_ignored_NVRs
+
+    - name: Assert role behavior
+      vars:
+        expected_failure: __network_NM_NVR.stdout in __NM_capath_ignored_NVRs
+        failure: __network_connections_result.failed
+      assert:
+        that: (failure and expected_failure) or
+          (not failure and not expected_failure)
+        msg: "Role {{ failure and 'failed' or 'did not fail' }} but was expected
+          {{ expected_failure and '' or 'not' }} to fail.
+          NM NVR: {{ __network_NM_NVR.stdout }}"
+    - name: Assert role failure
+      assert:
+        that: "
+          'ieee802_1x.ca_path specified but not supported by NetworkManager'
+          in __network_connections_result.stderr"
+      when:
+        - __network_connections_result.failed
+
+
+    - name: Assert ping succeeded
+      assert:
+        that:
+          - "not 'cmd' in ansible_failed_result"
+...