From: tphoney Date: Thu, 21 Feb 2019 11:39:53 +0000 (+0000) Subject: move error checks from acceptance to unit tests X-Git-Tag: 1.15.2~9^2~1 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=22dd68271034fab6ce72bfe3ac27e617160d3343;p=puppet-modules%2Fpuppetlabs-firewall.git move error checks from acceptance to unit tests --- diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb index 9ca2da7..c9834f2 100644 --- a/spec/acceptance/firewall_attributes_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb @@ -65,110 +65,6 @@ describe 'firewall basics', docker: true do end end - describe 'source' do - # Invalid address - context 'when 256.168.2.0/24' do - pp9 = <<-PUPPETCODE - class { '::firewall': } - firewall { '556 - test': - proto => tcp, - port => '556', - action => accept, - source => '256.168.2.0/24', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp9, expect_failures: true) do |r| - expect(r.stderr).to match(%r{host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -s 256.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT}) - end - end - end - end - - describe 'src_range' do - # Invalid IP - context 'when 392.168.1.1-192.168.1.10' do - pp11 = <<-PUPPETCODE - class { '::firewall': } - firewall { '557 - test': - proto => tcp, - port => '557', - action => accept, - src_range => '392.168.1.1-192.168.1.10', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp11, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Invalid IP address "392.168.1.1" in range "392.168.1.1-192.168.1.10"}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 392.168.1.1-192.168.1.10 -m multiport --ports 557 -m comment --comment "557 - test" -j ACCEPT}) - end - end - end - end - - describe 'destination' do - # Invalid address - context 'when 256.168.2.0/24' do - pp14 = <<-PUPPETCODE - class { '::firewall': } - firewall { '558 - test': - proto => tcp, - port => '558', - action => accept, - destination => '256.168.2.0/24', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp14, expect_failures: true) do |r| - expect(r.stderr).to match(%r{host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -d 256.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT}) - end - end - end - end - - describe 'dst_range' do - # Invalid IP - context 'when 392.168.1.1-192.168.1.10' do - pp16 = <<-PUPPETCODE - class { '::firewall': } - firewall { '559 - test': - proto => tcp, - port => '559', - action => accept, - dst_range => '392.168.1.1-192.168.1.10', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp16, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Invalid IP address "392.168.1.1" in range "392.168.1.1-192.168.1.10"}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --dst-range 392.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - test" -j ACCEPT}) - end - end - end - end - describe 'sport' do context 'when invalid ports' do pp19 = <<-PUPPETCODE @@ -243,28 +139,6 @@ describe 'firewall basics', docker: true do ['dst_type', 'src_type'].each do |type| describe type.to_s do - context 'when BROKEN' do - pp28 = <<-PUPPETCODE - class { '::firewall': } - firewall { '563 - test': - proto => tcp, - action => accept, - #{type} => 'BROKEN', - } - PUPPETCODE - it 'fails' do - apply_manifest(pp28, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Invalid value "BROKEN".}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "563 - test" -j ACCEPT}) - end - end - end - context 'when LOCAL --limit-iface-in', unless: (fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') <= '5') do pp97 = <<-PUPPETCODE class { '::firewall': } @@ -529,29 +403,6 @@ describe 'firewall basics', docker: true do end end - describe 'icmp' do - context 'when any' do - pp41 = <<-PUPPETCODE - class { '::firewall': } - firewall { '571 - test': - proto => icmp, - icmp => 'any', - } - PUPPETCODE - it 'fails' do - apply_manifest(pp41, expect_failures: true) do |r| - expect(r.stderr).to match(%r{This behaviour should be achieved by omitting or undefining the ICMP parameter}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p icmp -m comment --comment "570 - test" -m icmp --icmp-type 11}) - end - end - end - end - # iptables version 1.3.5 is not suppored by the ip6tables provider # iptables version 1.4.7 fails for multiple hl entries if default['platform'] !~ %r{(el-5|el-6|sles-10|sles-11)} @@ -1330,58 +1181,6 @@ describe 'firewall basics', docker: true do end - describe 'burst' do - context 'when invalid' do - pp70 = <<-PUPPETCODE - class { '::firewall': } - firewall { '571 - test': - ensure => present, - proto => tcp, - port => '571', - action => accept, - limit => '500/sec', - burst => '1500/sec', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp70, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Invalid value "1500\/sec".}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 573 -m comment --comment "573 - test" -m limit --limit 500\/sec --limit-burst 1500\/sec -j ACCEPT}) - end - end - end - end - - describe 'uid' do - context 'when nobody' do - pp71 = <<-PUPPETCODE - class { '::firewall': } - firewall { '574 - test': - ensure => present, - proto => tcp, - chain => 'OUTPUT', - port => '574', - action => accept, - uid => 'nobody', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp71, catch_failures: true) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m owner --uid-owner (nobody|\d+) -m multiport --ports 574 -m comment --comment "574 - test" -j ACCEPT}) - end - end - end - end - # iptables version 1.3.5 does not support masks on MARK rules if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'set_mark' do @@ -1411,32 +1210,6 @@ describe 'firewall basics', docker: true do end end - describe 'pkttype' do - context 'when test' do - pp75 = <<-PUPPETCODE - class { '::firewall': } - firewall { '582 - test': - ensure => present, - proto => tcp, - port => '582', - action => accept, - pkttype => 'test', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp75, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Invalid value "test".}) - end - end - - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 582 -m pkttype --pkt-type multicast -m comment --comment "582 - test" -j ACCEPT}) - end - end - end - end - # RHEL5/SLES does not support -m socket describe 'socket', unless: (default['platform'] =~ %r{el-5} || fact('operatingsystem') == 'SLES') do context 'when true' do diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb index 31c6fc8..a8fedac 100755 --- a/spec/unit/puppet/type/firewall_spec.rb +++ b/spec/unit/puppet/type/firewall_spec.rb @@ -137,6 +137,38 @@ describe firewall do # rubocop:disable RSpec/MultipleDescribes end end + describe 'source error checking' do + it 'Invalid address when 256.168.2.0/24' do + expect(-> { resource[:source] = '256.168.2.0/24' }).to raise_error( + Puppet::Error, %r{host_to_ip failed} + ) + end + end + + describe 'destination error checking' do + it 'Invalid address when 256.168.2.0/24' do + expect(-> { resource[:destination] = '256.168.2.0/24' }).to raise_error( + Puppet::Error, %r{host_to_ip failed} + ) + end + end + + describe 'src_range error checking' do + it 'Invalid IP when 392.168.1.1-192.168.1.10' do + expect(-> { resource[:src_range] = '392.168.1.1-192.168.1.10' }).to raise_error( + Puppet::Error, %r{Invalid IP address} + ) + end + end + + describe 'dst_range error checking' do + it 'Invalid IP when 392.168.1.1-192.168.1.10' do + expect(-> { resource[:dst_range] = '392.168.1.1-192.168.1.10' }).to raise_error( + Puppet::Error, %r{Invalid IP address} + ) + end + end + [:dport, :sport].each do |port| describe port do it "should accept a #{port} as string" do @@ -413,6 +445,9 @@ describe firewall do # rubocop:disable RSpec/MultipleDescribes it 'fails if value is not numeric' do expect(-> { resource[:burst] = 'foo' }).to raise_error(Puppet::Error) end + it 'fails if value contains /sec' do + expect(-> { resource[:burst] = '1500/sec' }).to raise_error(Puppet::Error) + end end describe ':recent' do