From: tphoney
Date: Wed, 20 Feb 2019 14:30:26 +0000 (+0000)
Subject: clean tests ipsec_policy dir, comment, log_uid
X-Git-Tag: 1.15.2~9^2~2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=150a22e8aad49aba711e885d753f5f2b2716436f;p=puppet-modules%2Fpuppetlabs-firewall.git
clean tests ipsec_policy dir, comment, log_uid
---
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
index fa68c17..9ca2da7 100644
--- a/spec/acceptance/firewall_attributes_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -1488,114 +1488,6 @@ describe 'firewall basics', docker: true do
 end
 end
- describe 'ipsec_policy' do
- context 'when ipsec' do
- pp80 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '593 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'OUTPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'out',
- ipsec_policy => 'ipsec',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp80, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "593 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
-
- context 'when none' do
- pp81 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '594 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'OUTPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'out',
- ipsec_policy => 'none',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp81, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol none -m comment --comment "594 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
- end
-
- describe 'ipsec_dir' do
- context 'when out' do
- pp82 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '595 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'OUTPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'out',
- ipsec_policy => 'ipsec',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp82, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
-
- context 'when in' do
- pp83 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '596 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'INPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'in',
- ipsec_policy => 'none',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp83, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
- end
-
 describe 'recent' do
 context 'when set' do
 pp84 = <<-PUPPETCODE
@@ -1786,117 +1678,4 @@ describe 'firewall basics', docker: true do
 end
 end
 end
-
- context 'when log_prefix containing -A' do
- pp91 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test':
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'adds the rule' do
- apply_manifest(pp91, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - test" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
-
- pp92 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test':
- ensure => absent,
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'removes the rule' do
- apply_manifest(pp92, catch_failures: true)
- end
-
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m comment --comment "700 - test" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
- end
-
- context 'when log_uid is true' do
- pp93 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test log_uid':
- chain => 'OUTPUT',
- jump => 'LOG',
- log_uid => true,
- }
- PUPPETCODE
- it 'adds the rule' do
- apply_manifest(pp93, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid})
- end
- end
-
- pp94 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test log_uid':
- chain => 'OUTPUT',
- jump => 'LOG',
- log_uid => false,
- ensure => absent,
- }
- PUPPETCODE
- it 'removes the rule' do
- apply_manifest(pp94, catch_failures: true)
- end
-
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j --log-uid})
- end
- end
- end
-
- context 'when comment containing "-A "' do
- pp95 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - blah-A Test Rule':
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'adds the rule' do
- apply_manifest(pp95, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
-
- pp96 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - blah-A Test Rule':
- ensure => absent,
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'removes the rule' do
- apply_manifest(pp96, catch_failures: true)
- end
-
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
- end
 end
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index 2b26916..c430016 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -144,6 +144,37 @@ describe 'firewall attribute testing, happy path' do
 action => accept,
 isfragment => true,
 }
+ firewall { '595 - ipsec_policy ipsec and out':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'OUTPUT',
+ destination => '20.0.0.0/8',
+ ipsec_dir => 'out',
+ ipsec_policy => 'ipsec',
+ proto => 'all',
+ reject => 'icmp-net-unreachable',
+ table => 'filter',
+ }
+ firewall { '596 - ipsec_policy none and in':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'INPUT',
+ destination => '20.0.0.0/8',
+ ipsec_dir => 'in',
+ ipsec_policy => 'none',
+ proto => 'all',
+ reject => 'icmp-net-unreachable',
+ table => 'filter',
+ }
+ firewall { '700 - blah-A Test Rule':
+ jump => 'LOG',
+ log_prefix => 'FW-A-INPUT: ',
+ }
+ firewall { '701 - log_uid':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => true,
+ }
 firewall { '801 - gid root':
 chain => 'OUTPUT',
 action => accept,
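Review bot: The `ensure => absent` half of the deleted `'700 - blah-A Test Rule'` and log_uid cases is not carried over: this manifest only declares the resources present, so the path where the provider has to locate and delete a rule whose comment itself contains `-A ` is no longer exercised anywhere in this commit. If that removal coverage was intentional to drop, the commit message should say so; otherwise keep a small absent-case for the `-A ` comment rule in the exceptions spec, or add a second apply step here. The heredoc also gives no hint why this title looks odd, so a Puppet comment above the resource would help the next reader: `# title deliberately contains "-A " so the rule text resembles an iptables-save line`. The enclosing heredoc and describe block start and end outside this hunk.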
@@ -242,6 +273,18 @@ describe 'firewall attribute testing, happy path' do
 it 'isfragment is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --ports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
 end
+ it 'ipsec_policy ipsec and dir out' do
+ expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
+ end
+ it 'ipsec_policy none and dir in' do
+ expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
+ end
+ it 'comment containing "-A "' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
+ end
+ it 'set log_uid' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
+ end
 it 'gid set to root' do
 expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
 end
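Review bot: The two new ipsec expectations leave the dots in the destination address unescaped (`-d 20.0.0.0\/(8|255\.0\.0\.0)`), so `.` matches any character while the netmask alternative right next to it is escaped properly; the regex was copied from the deleted test, but this is the place to tighten it: `-d 20\.0\.0\.0\/(8|255\.0\.0\.0)` in both the `595` and `596` matchers. The example name `it 'set log_uid' do` also reads oddly next to the sibling names (`'isfragment is set'`, `'gid set to root'`); `it 'log_uid is set' do` keeps the convention. The surrounding `describe` block starts and ends outside this hunk.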