end
describe 'name' do
- context 'when valid' do
- pp1 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '001 - test': ensure => present }
- PUPPETCODE
- it 'applies cleanly' do
- apply_manifest(pp1, catch_failures: true)
- end
- end
-
- context 'when invalid' do
- pp2 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { 'test': ensure => present }
- PUPPETCODE
- it 'fails' do
- apply_manifest(pp2, expect_failures: true) do |r|
- expect(r.stderr).to match(%r{Invalid value "test".})
- end
- end
- end
-
context 'when invalid ordering range specified' do
pp = <<-PUPPETCODE
class { '::firewall': }
+ firewall { '001 - test': ensure => present }
firewall { '9946 test': ensure => present }
PUPPETCODE
it 'fails' do
end
describe 'ensure' do
- context 'when default' do
- pp3 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '555 - test':
- proto => tcp,
- port => '555',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp3, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT})
- end
- end
- end
-
context 'when present' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
end
describe 'source' do
- context 'when 192.168.2.0/24' do
- pp7 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '556 - test':
- proto => tcp,
- port => '556',
- action => accept,
- source => '192.168.2.0/24',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp7, catch_failures: true)
- apply_manifest(pp7, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when ! 192.168.2.0/24' do
- pp8 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '556 - test':
- proto => tcp,
- port => '556',
- action => accept,
- source => '! 192.168.2.0/24',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp8, catch_failures: true)
- apply_manifest(pp8, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT})
- end
- end
- end
-
# Invalid address
context 'when 256.168.2.0/24' do
pp9 = <<-PUPPETCODE
require 'spec_helper_acceptance'
-describe 'connlimit property' do
+describe 'firewall attribute testing, happy path' do
before :all do
iptables_flush_all_tables
ip6tables_flush_all_tables
connmark => '0x1',
action => reject,
}
+ firewall { '556 - source':
+ proto => tcp,
+ port => '556',
+ action => accept,
+ source => '192.168.2.0/24',
+ }
+ firewall { '557 - source negated':
+ proto => tcp,
+ port => '557',
+ action => accept,
+ source => '! 192.168.2.0/24',
+ }
firewall { '801 - gid root':
chain => 'OUTPUT',
action => accept,
gid => 'root',
proto => 'all',
}
- firewall { '802 - gid not root':
+ firewall { '802 - gid root negated':
chain => 'OUTPUT',
action => accept,
gid => '!root',
uid => '0',
proto => 'all',
}
- firewall { '804 - uid not 0':
+ firewall { '804 - uid 0 negated':
chain => 'OUTPUT',
action => accept,
uid => '!0',
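Review bot: The consolidated manifest adds the `'556 - source'` and `'557 - source negated'` rules, but nothing added here replaces the removed `ensure` default case (`'555 - test'` in the deleted `'when default'` context of the first file), so that coverage appears to be dropped unless it is re-added in a hunk not shown. The removed source contexts also applied their manifest a second time with `apply_manifest(pp, catch_changes: do_catch_changes)` to prove idempotency; the apply step for this happy-path spec lies outside the hunk, so please confirm a second `catch_changes` apply is still run, otherwise the 556/557 expectations in the following hunk (`it 'source is set'`, `it 'source is negated'`) only show the rule was written once, not that it converges. Likewise, inserting `firewall { '001 - test': ensure => present }` into the `'when invalid ordering range specified'` manifest, which is expected to fail, does not preserve the deleted `'applies cleanly'` check for a valid name.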
%r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Metrics/LineLength
)
end
- it 'contains the connmark' do
+ it 'contains connmark' do
expect(result.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - connmark" -j REJECT --reject-with icmp-port-unreachable})
end
- it 'when gid set to root' do
+ it 'source is set' do
+ expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - source" -j ACCEPT})
+ end
+ it 'source is negated' do
+ expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 557 -m comment --comment "557 - source negated" -j ACCEPT})
+ end
+ it 'gid set to root' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
end
- it 'when gid set to not root' do
- expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "802 - gid not root" -j ACCEPT})
+ it 'gid set to root negated' do
+ expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "802 - gid root negated" -j ACCEPT})
end
- it 'when uid set to 0' do
+ it 'uid set to 0' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "803 - uid 0" -j ACCEPT})
end
- it 'when uid set to not 0' do
- expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - uid not 0" -j ACCEPT})
+ it 'uid set to 0 negated' do
+ expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - uid 0 negated" -j ACCEPT})
end
end
end
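Review bot: The new expectation at `it 'source is negated'` is about as long as the connlimit regex at the top of the hunk, which carries `# rubocop:disable Metrics/LineLength`, while the added lines do not; if the cop is not disabled file-wide, the new lines will fail the style check, so either add the same inline directive or break the pattern up. Both `source` assertions accept `(24|255\.255\.255\.0)` and `(! -s|-s !)`, which looks intended to tolerate `iptables-save` output differences across versions; a comment such as `# iptables-save prints the mask as a prefix length or dotted quad and places the negation differently depending on version` above the two lines would explain the alternation to the next reader.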