From: Craig Gumbley
Date: Fri, 25 Feb 2022 20:07:07 +0000 (+0000)
Subject: (SEC-944) Add test cases
X-Git-Tag: v3.4.0~1^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=30db99bee6b4d415c9cee0cd8202e340ce509efb;p=puppet-modules%2Fpuppetlabs-firewall.git
(SEC-944) Add test cases
Prior to this commit there we no test cases to validate our changes to the module. This commit adds test cases for each of the configurations for onduplicaterulebehaviour.
---
diff --git a/spec/acceptance/firewall_duplicate_comment_spec.rb b/spec/acceptance/firewall_duplicate_comment_spec.rb
new file mode 100644
index 0000000..e019a45
--- /dev/null
+++ b/spec/acceptance/firewall_duplicate_comment_spec.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+def make_manifest(behaviour)
+ pp = <<-PUPPETCODE
+ class { 'firewall': }
+ resources { 'firewall':
+ purge => true,
+ }
+
+ firewall { '550 destination':
+ proto => tcp,
+ dport => '550',
+ action => accept,
+ destination => '192.168.2.0/24',
+ onduplicaterulebehaviour => #{behaviour}
+ }
+ PUPPETCODE
+
+ pp
+end
+
+describe 'firewall - duplicate comments' do
+ before(:all) do
+ if os[:family] == 'ubuntu' || os[:family] == 'debian'
+ update_profile_file
+ end
+ end
+
+ before(:each) do
+ run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+ end
+
+ after(:each) do
+ iptables_flush_all_tables
+ end
+
+ context 'when onduplicateerrorhevent is set to error' do
+ it 'raises an error' do
+ run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+ pp = make_manifest('error')
+
+ apply_manifest(pp) do |r|
+ expect(r.stderr).to include('Error: /Stage[main]/Main/Firewall[550 destination]: Could not evaluate: Duplicate rule found for 550 destination. Skipping update.')
+ end
+ end
+ end
+
+ context 'when onduplicateerrorhevent is set to warn' do
+ run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+
+ it 'warns and continues' do
+ run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+ pp = make_manifest('warn')
+
+ apply_manifest(pp) do |r|
+ expect(r.stderr).to include('Warning: Firewall[550 destination](provider=iptables): Duplicate rule found for 550 destination.. This may add an additional rule to the system.')
+ end
+ end
+ end
+
+ context 'when onduplicateerrorhevent is set to ignore' do
+ run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+
+ it 'continues silently' do
+ run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+ pp = make_manifest('ignore')
+
+ apply_manifest(pp) do |r|
+ expect(r.stderr).to be_empty
+ end
+ end
+ end
+end
diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
index adf65d6..72864cd 100644
--- a/spec/spec_helper_acceptance_local.rb
+++ b/spec/spec_helper_acceptance_local.rb
@@ -111,5 +111,12 @@ RSpec.configure do |c|
 }
 PUPPETCODE
 LitmusHelper.instance.apply_manifest(pp)
+
+ # Ensure that policycoreutils is present. In the future we could probably refactor
+ # this so that policycoreutils is installed on platform where the os.family fact
+ # is set to 'redhat'
+ if ['almalinux-8', 'rocky-8'].include?("#{fetch_os_name}-#{os[:release].to_i}")
+ LitmusHelper.instance.run_shell('yum install policycoreutils -y')
+ end
 end
 end
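Review bot: The `run_shell('iptables -I INPUT ...')` calls placed directly inside the `context 'when onduplicateerrorhevent is set to warn' do` and `... set to ignore' do` bodies, outside any `before` or `it`, execute when RSpec loads the spec file rather than when an example runs, so they insert a rule into the host's INPUT chain before the `before(:each)` hook and outside the `after(:each)` cleanup done by `iptables_flush_all_tables`. Because `before(:each)` and each `it` already insert the same rule, those two context-level lines should simply be removed. The `context` descriptions also say `onduplicateerrorhevent` while the parameter exercised by `make_manifest` is `onduplicaterulebehaviour`; the strings should name the real parameter, e.g. `context 'when onduplicaterulebehaviour is set to warn' do`.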
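Review bot: The comment above the new `if ['almalinux-8', 'rocky-8'].include?(...)` block says that policycoreutils must be present but not which part of the acceptance run depends on it, and its second sentence is an open work item that a `TODO` search will not find. Presumably some spec invokes an SELinux tool shipped by that package (the hunk does not show which), so the comment should say so and be tagged, e.g. `# TODO: install policycoreutils wherever os[:family] == 'redhat'; <tool> is required by <spec>` with the placeholders filled in. Note that the match key uses `os[:release].to_i`, so it deliberately matches on the major version only; worth stating in the comment too. The enclosing `RSpec.configure` block begins outside the hunk.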