(SEC-944) Add test cases

Prior to this commit there we no test cases to validate our
changes to the module.

This commit adds test cases for each of the configurations for
onduplicaterulebehaviour.

diff --git a/spec/acceptance/firewall_duplicate_comment_spec.rb b/spec/acceptance/firewall_duplicate_comment_spec.rb
new file mode 100644 (file)
index 0000000..e019a45
--- /dev/null
+++ b/spec/acceptance/firewall_duplicate_comment_spec.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+def make_manifest(behaviour)
+  pp = <<-PUPPETCODE
+    class { 'firewall': }
+    resources { 'firewall':
+      purge => true,
+    }
+
+    firewall { '550 destination':
+      proto  => tcp,
+      dport   => '550',
+      action => accept,
+      destination => '192.168.2.0/24',
+      onduplicaterulebehaviour => #{behaviour}
+    }
+    PUPPETCODE
+
+  pp
+end
+
+describe 'firewall - duplicate comments' do
+  before(:all) do
+    if os[:family] == 'ubuntu' || os[:family] == 'debian'
+      update_profile_file
+    end
+  end
+
+  before(:each) do
+    run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+  end
+
+  after(:each) do
+    iptables_flush_all_tables
+  end
+
+  context 'when onduplicateerrorhevent is set to error' do
+    it 'raises an error' do
+      run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+      pp = make_manifest('error')
+
+      apply_manifest(pp) do |r|
+        expect(r.stderr).to include('Error: /Stage[main]/Main/Firewall[550 destination]: Could not evaluate: Duplicate rule found for 550 destination. Skipping update.')
+      end
+    end
+  end
+
+  context 'when onduplicateerrorhevent is set to warn' do
+    run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+
+    it 'warns and continues' do
+      run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+      pp = make_manifest('warn')
+
+      apply_manifest(pp) do |r|
+        expect(r.stderr).to include('Warning: Firewall[550 destination](provider=iptables): Duplicate rule found for 550 destination.. This may add an additional rule to the system.')
+      end
+    end
+  end
+
+  context 'when onduplicateerrorhevent is set to ignore' do
+    run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+
+    it 'continues silently' do
+      run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+      pp = make_manifest('ignore')
+
+      apply_manifest(pp) do |r|
+        expect(r.stderr).to be_empty
+      end
+    end
+  end
+end

diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
index adf65d6008b41565050b5984bb561d692f1970d7..72864cd47a700c3b838a9290b01ba99fcdb6a6e2 100644 (file)
--- a/spec/spec_helper_acceptance_local.rb
+++ b/spec/spec_helper_acceptance_local.rb
@@ -111,5 +111,12 @@ RSpec.configure do |c|
       }
     PUPPETCODE
     LitmusHelper.instance.apply_manifest(pp)
+
+    # Ensure that policycoreutils is present. In the future we could probably refactor
+    # this so that policycoreutils is installed on platform where the os.family fact
+    # is set to 'redhat'
+    if ['almalinux-8', 'rocky-8'].include?("#{fetch_os_name}-#{os[:release].to_i}")
+      LitmusHelper.instance.run_shell('yum install policycoreutils -y')
+    end
   end
 end