Update to v1.1.0

Author: pdudotdev

ansible/collections/requirements.yml

@@ -6,3 +6,5 @@ collections:
     version: ">=9.0.0"
   - name: community.hashi_vault
     version: ">=7.0.0"
+  - name: cisco.ios
+    version: ">=8.0.0"

ansible/filter_plugins/ospf_filters.py

@@ -22,19 +22,70 @@ def _parse(xml_string: str) -> ET.Element:
 def route_exists(xml_string: str, prefix: str) -> bool:
     """Return True if a route to the given prefix exists in the routing table.
 
-    Matches if any <destination-prefix> starts with the prefix (e.g. '192.168.42.1'
-    matches '192.168.42.1/32'). Works with ietf-routing XML.
+    Handles two XML formats:
+      - ietf-routing: matches <destination-prefix> (IOS-XE)
+      - JunOS RPC: matches <rt-destination> (get-route-information)
+    Matches if any element starts with the prefix (e.g. '192.168.42.1'
+    matches '192.168.42.1/32').
     """
     root = _parse(xml_string)
+    match_tags = {"destination-prefix", "rt-destination"}
     for elem in root.iter():
-        if _strip_ns(elem.tag) == "destination-prefix" and elem.text:
+        if _strip_ns(elem.tag) in match_tags and elem.text:
             if elem.text.strip().startswith(prefix):
                 return True
     return False
 
 
+def ospf_neighbor_full(xml_string: str, neighbor_id: str) -> bool:
+    """Return True if a neighbor with the given router-id is in FULL state.
+
+    Finds the neighbor ID in the XML, then checks sibling elements for a
+    'full' state string. Works with Cisco-IOS-XE-ospf-oper YANG output.
+    """
+    root = _parse(xml_string)
+    parent_map = {c: p for p in root.iter() for c in p}
+    for elem in root.iter():
+        if elem.text and elem.text.strip() == neighbor_id:
+            parent = parent_map.get(elem)
+            if parent is not None:
+                for sibling in parent:
+                    if sibling.text and "full" in sibling.text.strip().lower():
+                        return True
+    return False
+
+
+def config_contains(xml_string: str, value: str) -> bool:
+    """Return True if any element's text matches the given value exactly.
+
+    Used for checking configuration elements (e.g. route-map names) in
+    NETCONF running config responses.
+    """
+    root = _parse(xml_string)
+    for elem in root.iter():
+        if elem.text and elem.text.strip() == value:
+            return True
+    return False
+
+
+def assert_check(xml_string: str, assertion: str, value: str) -> bool:
+    """Dispatch to the appropriate assertion function by name."""
+    checks = {
+        "route_exists": route_exists,
+        "ospf_neighbor_full": ospf_neighbor_full,
+        "config_contains": config_contains,
+    }
+    fn = checks.get(assertion)
+    if fn is None:
+        raise ValueError(f"Unknown assertion type: {assertion}")
+    return fn(xml_string, value)
+
+
 class FilterModule:
     def filters(self) -> dict:
         return {
             "route_exists": route_exists,
+            "ospf_neighbor_full": ospf_neighbor_full,
+            "config_contains": config_contains,
+            "assert_check": assert_check,
         }

ansible/inventory/hosts.yml

@@ -24,6 +24,8 @@ all:
     junos:
       vars:
         ansible_netconf_ncclient_device_handler: junos
+        ansible_user: "{{ lookup('community.hashi_vault.vault_kv2_get', 'yana/routerjunos', engine_mount_point='secret').secret.username }}"
+        ansible_password: "{{ lookup('community.hashi_vault.vault_kv2_get', 'yana/routerjunos', engine_mount_point='secret').secret.password }}"
       hosts:
         C1J:
           ansible_host: 172.20.20.207

ansible/playbooks/_run_check.yml

@@ -1,6 +1,18 @@
 ---
 # _run_check.yml — executes one test case file.
 # Called in a loop from network_qa.yml with test_case_path as the loop var.
+#
+# Supports two test patterns:
+#   1. Read-only: NETCONF GET + assert (e.g. route_to_a2a)
+#   2. Configure-assert-teardown: push config via CLI, wait, assert via
+#      NETCONF, then tear down config. Teardown always runs, even on failure.
+#
+# NETCONF queries support two methods:
+#   - netconf_get (default): subtree filter with <get> or <get-config>
+#   - netconf_rpc: vendor-specific RPC (e.g. JunOS get-route-information)
+#
+# Each test case specifies its own NETCONF filter/RPC, assertion type, and
+# expected value. Config/teardown phases are optional.
 
 - name: "Load scenario: {{ test_case_path | basename }}"
   ansible.builtin.include_vars:
@@ -11,25 +23,53 @@
   when: scenario_filter == '' or scenario_filter == scenario.scenario
   block:
 
-    - name: "{{ scenario.scenario }} | NETCONF GET routing table"
+    - name: "{{ scenario.scenario }} | Push pre-test config"
+      ansible.netcommon.cli_config:
+        config: "{{ scenario.config_commands | default('') }}"
+      delegate_to: "{{ scenario.config_device | default('localhost') }}"
+      vars:
+        ansible_connection: ansible.netcommon.network_cli
+        ansible_network_os: "{{ scenario.config_network_os | default('') }}"
+        ansible_port: 22
+        ansible_ssh_host_key_checking: false
+      when: scenario.config_commands is defined
+
+    - name: "{{ scenario.scenario }} | Wait for convergence"
+      ansible.builtin.pause:
+        seconds: "{{ scenario.convergence_wait | default(0) }}"
+      when: scenario.convergence_wait is defined
+
+    - name: "{{ scenario.scenario }} | NETCONF GET"
       ansible.netcommon.netconf_get:
-        filter: >-
-          <routing-state xmlns="urn:ietf:params:xml:ns:yang:ietf-routing">
-            <routing-instance><name>{{ scenario.vrf | default('default') }}</name></routing-instance>
-          </routing-state>
+        filter: "{{ scenario.netconf_filter }}"
+        source: "{{ scenario.netconf_source | default(omit) }}"
         display: xml
       delegate_to: "{{ scenario.device }}"
       register: netconf_result
+      when: scenario.netconf_rpc is not defined
+
+    - name: "{{ scenario.scenario }} | NETCONF RPC"
+      ansible.netcommon.netconf_rpc:
+        rpc: "{{ scenario.netconf_rpc }}"
+        content: "{{ scenario.netconf_rpc_content | default(omit) }}"
+        display: xml
+      delegate_to: "{{ scenario.device }}"
+      register: netconf_rpc_result
+      when: scenario.netconf_rpc is defined
+
+    - name: "{{ scenario.scenario }} | Unify result"
+      ansible.builtin.set_fact:
+        _netconf_output: "{{ (netconf_rpc_result.output | default(netconf_result.output | default(''))) }}"
 
     - name: "{{ scenario.scenario }} | Debug XML"
       ansible.builtin.debug:
-        msg: "{{ netconf_result.output | truncate(500) }}"
+        msg: "{{ _netconf_output | truncate(500) }}"
       when: ansible_verbosity >= 1
 
-    - name: "{{ scenario.scenario }} | Assert route exists"
+    - name: "{{ scenario.scenario }} | Assert"
       ansible.builtin.set_fact:
-        _assertion_passed: "{{ netconf_result.output | route_exists(scenario.assert_route_exists) }}"
-        _assertion_output: "{{ netconf_result.output | truncate(500) }}"
+        _assertion_passed: "{{ _netconf_output | assert_check(scenario.assertion, scenario.assert_value) }}"
+        _assertion_output: "{{ _netconf_output | truncate(500) }}"
 
   rescue:
 
@@ -40,6 +80,18 @@
 
   always:
 
+    - name: "{{ scenario.scenario }} | Teardown config"
+      ansible.netcommon.cli_config:
+        config: "{{ scenario.teardown_commands | default('') }}"
+      delegate_to: "{{ scenario.config_device | default('localhost') }}"
+      vars:
+        ansible_connection: ansible.netcommon.network_cli
+        ansible_network_os: "{{ scenario.config_network_os | default('') }}"
+        ansible_port: 22
+        ansible_ssh_host_key_checking: false
+      when: scenario.teardown_commands is defined
+      ignore_errors: true
+
     - name: "{{ scenario.scenario }} | Record result"
       ansible.builtin.set_fact:
         qa_results: >-

ansible/test_cases/ospf_adj_e1c_c1j.yml

@@ -0,0 +1,19 @@
+---
+# ospf_adj_e1c_c1j.yml
+# Verify E1C (ASBR, IOS-XE) has a FULL OSPF adjacency with C1J (core, JunOS)
+# in Area 0. This is a backbone adjacency — if it drops, E1C loses its path
+# to the core and inter-area/external routes stop propagating.
+
+scenario: ospf_adj_e1c_c1j
+description: "Verify E1C has FULL OSPF adjacency with C1J (router-id 22.22.22.11)"
+rfc_ref: RFC 2328 §10.3
+rfc_citation: >
+  RFC 2328 Section 10.3: The Neighbor State Machine. A neighbor transitions
+  to FULL state only after complete database synchronization. Failure to
+  reach FULL indicates hello timer mismatch, area type mismatch, MTU
+  mismatch, authentication failure, or interface misconfiguration.
+device: E1C
+netconf_filter: |
+  <ospf-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-ospf-oper"/>
+assertion: ospf_neighbor_full
+assert_value: "22.22.22.11"

ansible/test_cases/route_map_e1c_to_c1j.yml

@@ -0,0 +1,45 @@
+---
+# route_map_e1c_to_c1j.yml
+# Configure a route-map on E1C that redistributes a test static route into
+# OSPF, then verify the route reaches C1J downstream. Covers two vendors
+# (IOS-XE config push, JunOS NETCONF assertion) and tests the full
+# redistribution pipeline: static → prefix-list → route-map → OSPF → LSA flood.
+#
+# Teardown removes all test config from E1C after the assertion (pass or fail).
+
+scenario: route_map_e1c_to_c1j
+description: "Verify route-map on E1C redistributes static route 10.99.99.0/24 to C1J via OSPF"
+rfc_ref: RFC 2328 §16.4
+rfc_citation: >
+  RFC 2328 Section 16.4: Calculating AS external routes. Routes redistributed
+  into OSPF appear as Type 5 LSAs and must be reachable by all non-stub
+  routers. Missing redistribution indicates a route-map, prefix-list, or
+  OSPF configuration error at the ASBR.
+
+# Phase 1: Push config to E1C via CLI
+config_device: E1C
+config_network_os: cisco.ios.ios
+config_commands: |
+  ip route vrf VRF1 10.99.99.0 255.255.255.0 Null0
+  ip prefix-list PL_QA_STATIC seq 10 permit 10.99.99.0/24
+  route-map RM_QA_STATIC permit 10
+   match ip address prefix-list PL_QA_STATIC
+  router ospf 1 vrf VRF1
+   redistribute static subnets route-map RM_QA_STATIC
+convergence_wait: 15
+
+# Phase 2: Assert on C1J via JunOS RPC
+device: C1J
+netconf_rpc: get-route-information
+netconf_rpc_content: |
+  <table>VRF1.inet.0</table>
+assertion: route_exists
+assert_value: "10.99.99.0"
+
+# Phase 3: Teardown E1C config
+teardown_commands: |
+  router ospf 1 vrf VRF1
+   no redistribute static subnets route-map RM_QA_STATIC
+  no route-map RM_QA_STATIC
+  no ip prefix-list PL_QA_STATIC
+  no ip route vrf VRF1 10.99.99.0 255.255.255.0 Null0

ansible/test_cases/route_to_a2a.yml

@@ -1,8 +1,7 @@
 ---
 # route_to_a2a.yml
 # Verify E1C has a route to A2A's loopback (192.168.42.1/32) in VRF1.
-# This is the single end-to-end health check — if this route exists,
-# OSPF propagation across the fabric is working.
+# If this route exists, OSPF propagation across the fabric is working.
 # If it fails, the agent investigates using OSPF/routing skills + RAG.
 
 scenario: route_to_a2a
@@ -13,5 +12,9 @@ rfc_citation: >
   inter-area routes are computed from the link-state database. A missing
   route indicates an LSDB propagation or SPF calculation failure.
 device: E1C
-vrf: VRF1
-assert_route_exists: "192.168.42.1"
+netconf_filter: |
+  <routing-state xmlns="urn:ietf:params:xml:ns:yang:ietf-routing">
+    <routing-instance><name>VRF1</name></routing-instance>
+  </routing-state>
+assertion: route_exists
+assert_value: "192.168.42.1"