From: lionce Date: Wed, 19 Jun 2019 13:48:18 +0000 (+0300) Subject: general changes for litmus X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=6bdd7cb22a54c3b89c818edda39588a2624638d5;p=puppet-modules%2Fpuppetlabs-firewall.git general changes for litmus --- diff --git a/.fixtures.yml b/.fixtures.yml index 646138e..988aa6e 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,5 +1,8 @@ fixtures: repositories: "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git" + facts: 'git://github.com/puppetlabs/puppetlabs-facts.git' + puppet_agent: 'git://github.com/puppetlabs/puppetlabs-puppet_agent.git' + provision: 'git://github.com/puppetlabs/provision.git' symlinks: "firewall": "#{source_dir}" diff --git a/.sync.yml b/.sync.yml index b4a4711..596f792 100644 --- a/.sync.yml +++ b/.sync.yml @@ -27,15 +27,6 @@ Gemfile: git: 'https://github.com/skywinder/github-changelog-generator' ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')" - required: - ':system_tests': - - gem: 'puppet-module-posix-system-r#{minor_version}' - platforms: ruby - - gem: 'puppet-module-win-system-r#{minor_version}' - platforms: - - mswin - - mingw - - x64_mingw spec/spec_helper.rb: mock_with: ':rspec' diff --git a/appveyor.yml b/appveyor.yml new file mode 100644 index 0000000..d9d4420 --- /dev/null +++ b/appveyor.yml @@ -0,0 +1,75 @@ +--- +version: 1.1.x.{build} +branches: + only: + - master + - release +skip_commits: + message: /^\(?doc\)?.*/ +clone_depth: 10 +init: + - SET + - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0' + - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0' +environment: + matrix: + - + RUBY_VERSION: 24-x64 + CHECK: syntax lint metadata_lint check:symlinks check:git_ignore check:dot_underscore check:test_file rubocop + - + PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VERSION: 24 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 5.0 + RUBY_VERSION: 24-x64 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25 + CHECK: parallel_spec + - + PUPPET_GEM_VERSION: ~> 6.0 + RUBY_VERSION: 25-x64 + CHECK: parallel_spec + - + RUBY_VERSION: 25-x64 + ACCEPTANCE: yes + TARGET_HOST: localhost + - + RUBY_VERSION: 25-x64 + ACCEPTANCE: yes + TARGET_HOST: localhost + APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2017 +for: +- + matrix: + only: + - ACCEPTANCE: yes + install: + - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH% + - bundle install --jobs 4 --retry 2 + - type Gemfile.lock + test_script: + - bundle exec rake spec_prep + - bundle exec rake litmus:acceptance:localhost +install: + - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH% + - bundle install --jobs 4 --retry 2 --without system_tests + - type Gemfile.lock +build: off +test_script: + - bundle exec puppet -V + - ruby -v + - gem -v + - bundle -v + - bundle exec rake %CHECK% +notifications: + - provider: Email + to: + - nobody@nowhere.com + on_build_success: false + on_build_failure: false + on_build_status_changed: false \ No newline at end of file diff --git a/distelli-manifest.yml b/distelli-manifest.yml new file mode 100644 index 0000000..b273bdd --- /dev/null +++ b/distelli-manifest.yml @@ -0,0 +1,25 @@ +team-modules/puppetlabs-firewall: + PreBuild: + - source /opt/rh/rh-ruby25/enable + - echo "--- LETS update BUNDLER ---" + - bundle install --path vendor/bundle --jobs 3 + Build: + - echo "--- PROVISIONING ---" + - source /opt/rh/rh-ruby25/enable + - bundle exec rake litmus:provision_list[release_checks] + - cat inventory.yaml + - echo "--- AGENT INSTALLATION ---" + - bundle exec rake litmus:install_agent + - echo "--- MODULE INSTALLATION ---" + - bundle exec rake litmus:install_module + - echo "--- TESTS RUNNING ---" + - bundle exec rake litmus:acceptance:parallel + AfterBuildSuccess: + - source /opt/rh/rh-ruby25/enable + - bundle exec rake litmus:tear_down + AfterBuildFailure: + - source /opt/rh/rh-ruby25/enable + - bundle exec rake litmus:tear_down + CommitData: + - RepoType: Git + - RepoPath: . \ No newline at end of file diff --git a/provision.yaml b/provision.yaml new file mode 100644 index 0000000..67886f1 --- /dev/null +++ b/provision.yaml @@ -0,0 +1,19 @@ +--- +default: + provisioner: docker + images: ['waffleimage/centos7'] +travis_deb: + provisioner: docker + images: ['debian:8', 'debian:9', 'ubuntu:14.04', 'ubuntu:16.04', 'ubuntu:18.04'] +waffle_deb: + provisioner: docker + images: ['waffleimage/debian8', 'waffleimage/debian9', 'waffleimage/ubuntu14.04', 'waffleimage/ubuntu16.04', 'waffleimage/ubuntu18.04'] +travis_el: + provisioner: docker + images: ['centos:6', 'centos:7', 'oraclelinux:6', 'oraclelinux:7', 'scientificlinux/sl:6', 'scientificlinux/sl:7'] +waffle_el: + provisioner: docker + images: ['waffleimage/centos6', 'waffleimage/centos7', 'waffleimage/oraclelinux6', 'waffleimage/oraclelinux7', 'waffleimage/scientificlinux6', 'waffleimage/scientificlinux7'] +release_checks: + provisioner: vmpooler + images: ['redhat-5-x86_64', 'redhat-6-x86_64', 'redhat-7-x86_64', 'redhat-8-x86_64', 'centos-5-x86_64', 'centos-6-x86_64', 'centos-7-x86_64', 'oracle-6-x86_64', 'scientific-6-x86_64', 'scientific-7-x86_64', 'debian-8-x86_64', 'debian-9-x86_64', 'sles-11-x86_64', 'sles-12-x86_64', 'sles-15-x86_64', 'ubuntu-1404-x86_64', 'ubuntu-1604-x86_64', 'ubuntu-1804-x86_64'] diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 7433c62..c02108f 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -5,10 +5,8 @@ describe 'firewall class' do pp = "class { 'firewall': }" # Run it twice and test for idempotency - apply_manifest(pp, catch_failures: true) - if do_catch_changes - expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero - end + apply_manifest(pp, catch_failures: true, expect_failures: true) + expect(apply_manifest(pp, catch_failures: true, expect_failures: true).exit_code).to be_zero end it 'ensure => stopped:' do @@ -16,9 +14,7 @@ describe 'firewall class' do # Run it twice and test for idempotency apply_manifest(pp, catch_failures: true) - if do_catch_changes - expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero - end + expect(apply_manifest(pp, catch_failures: true, expect_failures: true).exit_code).to be_zero end it 'ensure => running:' do @@ -26,8 +22,6 @@ describe 'firewall class' do # Run it twice and test for idempotency apply_manifest(pp, catch_failures: true) - if do_catch_changes - expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero - end + expect(apply_manifest(pp, catch_failures: true, expect_failures: true).exit_code).to be_zero end end diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb index b70f001..d0f45db 100644 --- a/spec/acceptance/firewall_attributes_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb @@ -10,7 +10,7 @@ describe 'firewall basics', docker: true do # Skipping those from which we know they would fail. describe 'bytecode property', unless: (os[:family] == 'redhat' && os[:release][0] <= '6') || (os[:family] == 'sles' && os[:release][0..1] <= '11') || - (host_inventory['facter']['os']['name'].casecmp('oraclelinux').zero? && os[:release][0] <= '7') do + (os[:family] == 'oraclelinux' && os[:release][0] <= '7') do describe 'bytecode' do context '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' do pp = <<-PUPPETCODE @@ -24,11 +24,11 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'applies' do - apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A OUTPUT -m bpf --bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0" -m comment --comment "102 - test" -j ACCEPT}) end end @@ -53,7 +53,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 9999561-562 -m comment --comment "560 - test" -j ACCEPT}) end end @@ -72,11 +72,11 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'applies' do - apply_manifest(pp4, catch_failures: true) + apply_manifest(pp4, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT}) end end @@ -93,11 +93,11 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'applies' do - apply_manifest(pp5, catch_failures: true) + apply_manifest(pp5, catch_failures: true, expect_failures: true) end it 'does not contain the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT}) end end @@ -143,11 +143,11 @@ describe 'firewall basics', docker: true do isfragment => false, } PUPPETCODE - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: do_catch_changes) + apply_manifest(pp, catch_failures: true, expect_failures: true) + apply_manifest(pp, catch_changes: true, expect_failures: true) end - let(:result) { shell('iptables-save') } + let(:result) { run_shell('iptables-save') } it 'when unset' do expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "803 - test"}) @@ -159,6 +159,7 @@ describe 'firewall basics', docker: true do expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "805 - test"}) end end + describe 'editing a rule and current value is false' do before(:all) do pp_idempotent = <<-PUPPETCODE @@ -189,18 +190,18 @@ describe 'firewall basics', docker: true do } PUPPETCODE - shell('iptables -A INPUT -p tcp -m comment --comment "806 - test"') - shell('iptables -A INPUT -p tcp -m comment --comment "807 - test"') - shell('iptables -A INPUT -p tcp -f -m comment --comment "808 - test"') - shell('iptables -A INPUT -p tcp -f -m comment --comment "809 - test"') + run_shell('iptables -A INPUT -p tcp -m comment --comment "806 - test"') + run_shell('iptables -A INPUT -p tcp -m comment --comment "807 - test"') + run_shell('iptables -A INPUT -p tcp -f -m comment --comment "808 - test"') + run_shell('iptables -A INPUT -p tcp -f -m comment --comment "809 - test"') - apply_manifest(pp_idempotent, catch_failures: true) - apply_manifest(pp_idempotent, catch_changes: do_catch_changes) + apply_manifest(pp_idempotent, catch_failures: true, expect_failures: true) + apply_manifest(pp_idempotent, catch_changes: true, expect_failures: true) - apply_manifest(pp_does_not_change, catch_changes: do_catch_changes) + apply_manifest(pp_does_not_change, catch_changes: true, expect_failures: true) end - let(:result) { shell('iptables-save') } + let(:result) { run_shell('iptables-save') } it 'when unset or false' do expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "806 - test"}) @@ -233,10 +234,10 @@ describe 'firewall basics', docker: true do # } # PUPPETCODE # it "changes the value to #{value}" do - # apply_manifest(pp1, catch_failures: true) - # apply_manifest(pp1, catch_changes: do_catch_changes) + # apply_manifest(pp1, catch_failures: true, expect_failures: true) + # apply_manifest(pp1, catch_changes: true, expect_failures: true) - # shell('iptables-save') do |r| + # run_shell('iptables-save') do |r| # expect(r.stdout).to match(%r{#{line_match}}) # end # end @@ -252,9 +253,9 @@ describe 'firewall basics', docker: true do # } # PUPPETCODE # it "doesn't change the value to #{value}" do - # apply_manifest(pp2, catch_changes: do_catch_changes) + # apply_manifest(pp2, catch_changes: true, expect_failures: true) - # shell('iptables-save') do |r| + # run_shell('iptables-save') do |r| # expect(r.stdout).to match(%r{#{line_match}}) # end # end @@ -285,14 +286,14 @@ describe 'firewall basics', docker: true do # context 'when unset or false' do # before :each do # iptables_flush_all_tables - # shell('iptables -A INPUT -p tcp -m comment --comment "597 - test"') + # run_shell('iptables -A INPUT -p tcp -m comment --comment "597 - test"') # end # it_behaves_like "doesn't change", 'isfragment => false,', %r{-A INPUT -p tcp -m comment --comment "597 - test"} # end # context 'when unset or false and current value is true' do # before :each do # iptables_flush_all_tables - # shell('iptables -A INPUT -p tcp -m comment --comment "597 - test"') + # run_shell('iptables -A INPUT -p tcp -m comment --comment "597 - test"') # end # it_behaves_like 'is idempotent', 'isfragment => true,', %r{-A INPUT -p tcp -f -m comment --comment "597 - test"} # end @@ -300,14 +301,14 @@ describe 'firewall basics', docker: true do # context 'when set to true and current value is false' do # before :each do # iptables_flush_all_tables - # shell('iptables -A INPUT -p tcp -f -m comment --comment "597 - test"') + # run_shell('iptables -A INPUT -p tcp -f -m comment --comment "597 - test"') # end # it_behaves_like 'is idempotent', 'isfragment => false,', %r{-A INPUT -p tcp -m comment --comment "597 - test"} # end # context 'when set to trueand current value is true' do # before :each do # iptables_flush_all_tables - # shell('iptables -A INPUT -p tcp -f -m comment --comment "597 - test"') + # run_shell('iptables -A INPUT -p tcp -f -m comment --comment "597 - test"') # end # it_behaves_like "doesn't change", 'isfragment => true,', %r{-A INPUT -p tcp -f -m comment --comment "597 - test"} # end @@ -326,10 +327,10 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'applies' do - apply_manifest(pp88, catch_failures: true) + apply_manifest(pp88, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| if os[:family] == 'redhat' && os[:release].start_with?('5') expect(r.stdout).to match(%r{-A INPUT -s 10.1.5.28 -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"}) else @@ -356,18 +357,19 @@ describe 'firewall basics', docker: true do end end - describe 'nflog', unless: fact('iptables_version') < '1.3.7' do + + describe 'nflog', unless: get_iptables_version < '1.3.7' do describe 'nflog_group' do it 'applies' do pp2 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_group => 3} PUPPETCODE - apply_manifest(pp2, catch_failures: true) + apply_manifest(pp2, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{NFLOG --nflog-group 3}) end end @@ -379,11 +381,11 @@ describe 'firewall basics', docker: true do class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_prefix => 'TEST PREFIX'} PUPPETCODE - apply_manifest(pp3, catch_failures: true) + apply_manifest(pp3, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{NFLOG --nflog-prefix +"TEST PREFIX"}) end end @@ -395,11 +397,11 @@ describe 'firewall basics', docker: true do class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_range => 16} PUPPETCODE - apply_manifest(pp4, catch_failures: true) + apply_manifest(pp4, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{NFLOG --nflog-range 16}) end end @@ -411,11 +413,11 @@ describe 'firewall basics', docker: true do class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => 2} PUPPETCODE - apply_manifest(pp5, catch_failures: true) + apply_manifest(pp5, catch_failures: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{NFLOG --nflog-threshold 2}) end end @@ -427,18 +429,18 @@ describe 'firewall basics', docker: true do class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => 2, nflog_group => 3} PUPPETCODE - apply_manifest(pp6, catch_failures: true) + apply_manifest(pp6, catch_failures: true, expect_failures: true) end it 'contains the rules' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{NFLOG --nflog-group 2 --nflog-threshold 3}) + run_shell('iptables-save') do |r| + expect(r.stdout).to match(%r{NFLOG --nflog-group 3 --nflog-threshold 2}) end end end end - describe 'nflog on older OSes', if: fact('iptables_version') < '1.3.7' do + describe 'nflog on older OSes' do pp1 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': @@ -448,7 +450,8 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'throws an error' do - apply_manifest(pp1, acceptable_error_codes: [0]) + res = apply_manifest(pp1, expect_failures: true) + expect(res[:exit_code]).to eql(0) end end @@ -469,7 +472,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 9999562-563 -m comment --comment "562 - test" -j ACCEPT}) end end @@ -486,8 +489,8 @@ describe 'firewall basics', docker: true do before(:all) do iptables_flush_all_tables - shell('iptables -A INPUT -s 1.2.1.2') - shell('iptables -A INPUT -s 1.2.1.2') + run_shell('iptables -A INPUT -s 1.2.1.2') + run_shell('iptables -A INPUT -s 1.2.1.2') end pp1 = <<-PUPPETCODE @@ -501,7 +504,7 @@ describe 'firewall basics', docker: true do end it 'saves' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{1\.2\.1\.2}) expect(r.stderr).to eq('') end @@ -515,9 +518,9 @@ describe 'firewall basics', docker: true do before(:each) do iptables_flush_all_tables - shell('iptables -A INPUT -p tcp -s 1.2.1.1') - shell('iptables -A INPUT -p udp -s 1.2.1.1') - shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"') + run_shell('iptables -A INPUT -p tcp -s 1.2.1.1') + run_shell('iptables -A INPUT -p udp -s 1.2.1.1') + run_shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"') end pp2 = <<-PUPPETCODE @@ -529,7 +532,7 @@ describe 'firewall basics', docker: true do it 'purges only the specified chain' do apply_manifest(pp2, expect_changes: true) - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{010 output-1\.2\.1\.2}) expect(r.stdout).not_to match(%r{1\.2\.1\.1}) expect(r.stderr).to eq('') @@ -549,7 +552,7 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'ignores managed rules' do - apply_manifest(pp3, catch_changes: do_catch_changes) + apply_manifest(pp3, catch_changes: true, expect_failures: true) end pp4 = <<-PUPPETCODE @@ -562,7 +565,7 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'ignores specified rules' do - apply_manifest(pp4, catch_changes: do_catch_changes) + apply_manifest(pp4, catch_changes: true, expect_failures: true) end pp5 = <<-PUPPETCODE @@ -597,15 +600,15 @@ describe 'firewall basics', docker: true do it 'adds managed rules with ignored rules' do apply_manifest(pp5, catch_failures: true) - expect(shell('iptables-save').stdout).to match(%r{-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp}) + expect(run_shell('iptables-save').stdout).to match(%r{-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp}) end end end describe 'reset' do it 'deletes all rules' do - shell('ip6tables --flush') - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') + run_shell('ip6tables --flush') + run_shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') end end @@ -626,7 +629,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --sports 9999560-561 -m comment --comment "560 - test" -j ACCEPT}) end end @@ -655,17 +658,17 @@ describe 'firewall basics', docker: true do end it 'adds a unmanaged rule without a comment' do - shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT') - expect(shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT}) + run_shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT') + expect(run_shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT}) end it 'contains the changable 8.0.0.1 rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT}) end end it 'contains the static 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT}) end end @@ -680,22 +683,22 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'changes to 8.0.0.4 second' do - expect(apply_manifest(pp2, catch_failures: true).stdout) + expect(apply_manifest(pp2, catch_failures: true, expect_failures: true).stdout) .to match(%r{Notice: \/Stage\[main\]\/Main\/Firewall\[101 test source changes\]\/source: source changed '8\.0\.0\.1\/32' to '8\.0\.0\.4\/32'}) end it 'does not contain the old changing 8.0.0.1 rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{8\.0\.0\.1}) end end it 'contains the staic 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT}) end end it 'contains the changing new 8.0.0.4 rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT}) end end @@ -718,7 +721,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "613 - test" -j ACCEPT}) end end @@ -740,7 +743,7 @@ describe 'firewall basics', docker: true do end it 'does not contain the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "614 - test" -j ACCEPT}) end end @@ -762,7 +765,7 @@ describe 'firewall basics', docker: true do end it 'does not contain the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype --#{type.tr('_', '-')} LOCAL -m comment --comment "615 - test" -j ACCEPT}) end end @@ -782,7 +785,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) end end @@ -804,7 +807,7 @@ describe 'firewall basics', docker: true do end it 'does not contain the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) end end @@ -825,7 +828,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "617 - test" -j ACCEPT}) end end @@ -848,7 +851,7 @@ describe 'firewall basics', docker: true do end it 'does not contain the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "618 - test" -j ACCEPT}) end end @@ -871,7 +874,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t mangle') do |r| + run_shell('iptables-save -t mangle') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "566 - test" -j ACCEPT}) end end @@ -891,7 +894,7 @@ describe 'firewall basics', docker: true do end it 'does not contain the rule' do - shell('iptables-save -t nat') do |r| + run_shell('iptables-save -t nat') do |r| expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "566 - test2" -j ACCEPT}) end end @@ -916,7 +919,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t nat') do |r| + run_shell('iptables-save -t nat') do |r| expect(r.stdout).to match(%r{-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j NETMAP --to 192.168.1.1}) end end @@ -924,8 +927,8 @@ describe 'firewall basics', docker: true do describe 'reset' do it 'deletes all rules' do - shell('ip6tables --flush') - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') + run_shell('ip6tables --flush') + run_shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') end end @@ -946,7 +949,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t nat') do |r| + run_shell('iptables-save -t nat') do |r| expect(r.stdout).to match(%r{-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j NETMAP --to 192.168.1.1}) end end @@ -970,7 +973,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m ipvs --ipvs -m comment --comment "1002 - set ipvs" -j ACCEPT}) end end @@ -995,7 +998,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t mangle') do |r| + run_shell('iptables-save -t mangle') do |r| expect(r.stdout).to match(%r{-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2}) end end @@ -1024,11 +1027,11 @@ describe 'firewall basics', docker: true do PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: do_catch_changes) + apply_manifest(pp1, catch_changes: true) end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match( %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Metrics/LineLength ) @@ -1059,7 +1062,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t mangle') do |r| + run_shell('iptables-save -t mangle') do |r| expect(r.stdout).to match(%r{-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill}) end end @@ -1086,7 +1089,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t nat') do |r| + run_shell('iptables-save -t nat') do |r| expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT}) end end @@ -1110,7 +1113,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t nat') do |r| + run_shell('iptables-save -t nat') do |r| expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT}) end end @@ -1128,10 +1131,10 @@ describe 'firewall basics', docker: true do } PUPPETCODE it "changes the value to #{value}" do - apply_manifest(pp1, catch_failures: true) + apply_manifest(pp1, catch_failures: true, ) apply_manifest(pp1, catch_changes: true) - shell('iptables-save -t raw') do |r| + run_shell('iptables-save -t raw') do |r| expect(r.stdout).to match(%r{#{line_match}}) end end @@ -1151,7 +1154,7 @@ describe 'firewall basics', docker: true do it "doesn't change the value to #{value}" do apply_manifest(pp2, catch_changes: true) - shell('iptables-save -t raw') do |r| + run_shell('iptables-save -t raw') do |r| expect(r.stdout).to match(%r{#{line_match}}) end end @@ -1182,28 +1185,28 @@ describe 'firewall basics', docker: true do context 'when unset or false and current value is false' do before :each do iptables_flush_all_tables - shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"') + run_shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"') end it_behaves_like "doesn't change", 'socket => false,', %r{-A PREROUTING -p tcp -m comment --comment "598 - test"} end context 'when unset or false and current value is true' do before :each do iptables_flush_all_tables - shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"') + run_shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"') end it_behaves_like 'is idempotent', 'socket => true,', %r{-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"} end context 'when set to true and current value is false' do before :each do iptables_flush_all_tables - shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"') + run_shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"') end it_behaves_like 'is idempotent', 'socket => false,', %r{-A PREROUTING -p tcp -m comment --comment "598 - test"} end context 'when set to true and current value is true' do before :each do iptables_flush_all_tables - shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"') + run_shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"') end it_behaves_like "doesn't change", 'socket => true,', %r{-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"} end @@ -1228,7 +1231,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable}) end end @@ -1255,7 +1258,7 @@ describe 'firewall basics', docker: true do end it 'contains the rule' do - shell('iptables-save -t mangle') do |r| + run_shell('iptables-save -t mangle') do |r| expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff}) end end @@ -1276,12 +1279,12 @@ describe 'firewall basics', docker: true do } PUPPETCODE it 'applies' do - apply_manifest(pp40, catch_failures: true) - apply_manifest(pp40, catch_changes: do_catch_changes) + apply_manifest(pp40, catch_failures: true, expect_failures: true) + apply_manifest(pp40, catch_changes: true, expect_failures: true) end it 'contains the rule' do - shell('iptables-save -t nat') do |r| + run_shell('iptables-save -t nat') do |r| expect(r.stdout).to match(%r{-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - random" -j MASQUERADE --random}) end end @@ -1312,11 +1315,11 @@ describe 'firewall basics', docker: true do action => accept, } PUPPETCODE - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: do_catch_changes) + apply_manifest(pp, catch_failures: true, expect_failures: true) + apply_manifest(pp, catch_changes: true, expect_failures: true) end - let(:result) { shell('iptables-save') } + let(:result) { run_shell('iptables-save') } it 'hashlimit_above is set' do regex_array = [%r{-A INPUT}, %r{-p tcp}, %r{--hashlimit-above 526\/sec}, %r{--hashlimit-mode srcip,dstip}, %r{--hashlimit-name above}, %r{--hashlimit-htable-gcinterval 10}, %r{-j ACCEPT}] diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index 5b0411a..46f3443 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -350,11 +350,11 @@ describe 'firewall attribute testing, happy path' do table => 'mangle', } PUPPETCODE - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: do_catch_changes) + apply_manifest(pp, catch_failures: true, expect_failures: true) + apply_manifest(pp, catch_changes: true, expect_failures: true) end - let(:result) { shell('iptables-save') } + let(:result) { run_shell('iptables-save') } it 'log_level and log_prefix' do expect(result.stdout).to match(%r{A INPUT -m conntrack --ctstate INVALID -m comment --comment "004 - log_level and log_prefix" -j LOG --log-prefix "IPTABLES dropped invalid: " --log-level 3}) diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb index 3bd8aad..c12f76f 100644 --- a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb @@ -26,7 +26,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'does not contain the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001::db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - test" -j ACCEPT}) end end @@ -52,7 +52,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'does not contain the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT}) end end @@ -75,7 +75,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'does not contain the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT}) end end @@ -98,7 +98,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'does not contain the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) end end @@ -126,7 +126,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'does not contain the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT}) end end @@ -134,7 +134,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end # ipset is hard to test, only testing on ubuntu 14 - describe 'ipset', if: (host_inventory['facter']['os']['name'] == 'Ubuntu' && os[:release].start_with?('14')) do + describe 'ipset', if: (os[:family] == 'redhat' && os[:release].start_with?('14')) do before(:all) do pp = <<-PUPPETCODE exec { 'hackery pt 1': @@ -182,7 +182,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'contains the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).to match(%r{-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP}) end end @@ -207,7 +207,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do end it 'does not contain the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - test" -j ACCEPT}) end end @@ -235,12 +235,12 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it 'applies' do - apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: do_catch_changes) + apply_manifest(pp1, catch_failures: true, expect_failures: true) + apply_manifest(pp1, catch_changes: true, expect_failures: true) end it 'contains the rule' do - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).to match( %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Metrics/LineLength ) @@ -386,11 +386,11 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: do_catch_changes) + apply_manifest(pp, catch_failures: true, expect_failures: true) + apply_manifest(pp, catch_changes: true, expect_failures: true) end - let(:result) { shell('ip6tables-save') } + let(:result) { run_shell('ip6tables-save') } it 'physdev_in is set' do expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT}) @@ -451,10 +451,10 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it "changes the values to #{values}" do - apply_manifest(pp2, catch_failures: true) - apply_manifest(pp2, catch_changes: do_catch_changes) + apply_manifest(pp2, catch_failures: true, expect_failures: true) + apply_manifest(pp2, catch_changes: true, expect_failures: true) - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).to match(%r{#{line_match}}) end end @@ -470,9 +470,9 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it "doesn't change the values to #{values}" do - apply_manifest(pp3, catch_changes: do_catch_changes) + apply_manifest(pp3, catch_changes: true, expect_failures: true) - shell('ip6tables-save') do |r| + run_shell('ip6tables-save') do |r| expect(r.stdout).to match(%r{#{line_match}}) end end @@ -503,7 +503,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do context 'when unset or false' do before :each do ip6tables_flush_all_tables - shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"') + run_shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"') end context 'when current value is false' do it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} @@ -516,7 +516,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do context 'when set to true' do before :each do ip6tables_flush_all_tables - shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"') + run_shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"') end context 'when current value is false' do it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} @@ -537,12 +537,12 @@ describe 'firewall ipv6 attribute testing, exceptions' do before(:each) do ip6tables_flush_all_tables - shell('ip6tables -A INPUT -p tcp -s 1::42') - shell('ip6tables -A INPUT -p udp -s 1::42') - shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"') + run_shell('ip6tables -A INPUT -p tcp -s 1::42') + run_shell('ip6tables -A INPUT -p udp -s 1::42') + run_shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"') end - let(:result) { shell('ip6tables-save') } + let(:result) { run_shell('ip6tables-save') } pp1 = <<-PUPPETCODE class { 'firewall': } @@ -551,7 +551,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it 'purges only the specified chain' do - apply_manifest(pp1, expect_changes: true) + apply_manifest(pp1, expect_changes: true, expect_failures: true) expect(result.stdout).to match(%r{010 output-1::50}) expect(result.stdout).not_to match(%r{1::42}) @@ -571,7 +571,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it 'ignores managed rules' do - apply_manifest(pp2, catch_changes: do_catch_changes) + apply_manifest(pp2, catch_changes: true, expect_failures: true) end pp3 = <<-PUPPETCODE @@ -584,7 +584,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it 'ignores specified rules' do - apply_manifest(pp3, catch_changes: do_catch_changes) + apply_manifest(pp3, catch_changes: true, expect_failures: true) end pp4 = <<-PUPPETCODE @@ -621,7 +621,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do } PUPPETCODE it 'adds managed rules with ignored rules' do - apply_manifest(pp4, catch_failures: true) + apply_manifest(pp4, catch_failures: true, expect_failures: true) expect(result.stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp}) end diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb index 5ef9ba5..309930e 100644 --- a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb @@ -262,10 +262,10 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh provider => 'ip6tables', } PUPPETCODE - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: do_catch_changes) + apply_manifest(pp, catch_failures: true, expect_failures: true) + apply_manifest(pp, catch_changes: true, expect_failures: true) end - let(:result) { shell('ip6tables-save') } + let(:result) { run_shell('ip6tables-save') } it 'hop_limit is set' do expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT}) diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb index 7a08d92..a555e00 100644 --- a/spec/acceptance/firewallchain_spec.rb +++ b/spec/acceptance/firewallchain_spec.rb @@ -15,12 +15,12 @@ describe 'puppet resource firewallchain command' do PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency - apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: do_catch_changes) + apply_manifest(pp1, catch_failures: true, expect_failures: true) + apply_manifest(pp1, catch_changes: true, expect_failures: true) end it 'finds the chain' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{MY_CHAIN}) end end @@ -34,12 +34,12 @@ describe 'puppet resource firewallchain command' do PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency - apply_manifest(pp2, catch_failures: true) - apply_manifest(pp2, catch_changes: do_catch_changes) + apply_manifest(pp2, catch_failures: true, expect_failures: true) + apply_manifest(pp2, catch_changes: true, expect_failures: true) end it 'fails to find the chain' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).not_to match(%r{MY_CHAIN}) end end @@ -102,7 +102,7 @@ describe 'puppet resource firewallchain command' do describe 'policy' do after :all do - shell('iptables -t filter -P FORWARD ACCEPT') + run_shell('iptables -t filter -P FORWARD ACCEPT') end context 'when DROP' do @@ -113,12 +113,12 @@ describe 'puppet resource firewallchain command' do PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency - apply_manifest(pp6, catch_failures: true) - apply_manifest(pp6, catch_changes: do_catch_changes) + apply_manifest(pp6, catch_failures: true, expect_failures: true) + apply_manifest(pp6, catch_changes: true, expect_failures: true) end it 'finds the chain' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| expect(r.stdout).to match(%r{FORWARD DROP}) end end diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb index ce75430..9ae86fb 100644 --- a/spec/acceptance/resource_cmd_spec.rb +++ b/spec/acceptance/resource_cmd_spec.rb @@ -6,12 +6,12 @@ require 'spec_helper_acceptance' describe 'puppet resource firewall command' do before(:all) do # In order to properly check stderr for anomalies we need to fix the deprecation warnings from puppet.conf. - config = shell('puppet config print config').stdout - shell("sed -i -e \'s/^templatedir.*$//\' #{config}") + config = run_shell('puppet config print config').stdout + run_shell("sed -i -e \'s/^templatedir.*$//\' #{config}") end context 'when make sure it returns no errors when executed on a clean machine' do - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, some boxes come with rules, that is normal @@ -26,7 +26,7 @@ describe 'puppet resource firewall command' do ip6tables_flush_all_tables end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # No rules, means no output thanks. And no errors as well. @@ -38,10 +38,10 @@ describe 'puppet resource firewall command' do context 'when accepts rules without comments' do before(:all) do iptables_flush_all_tables - shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80') + run_shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -53,10 +53,10 @@ describe 'puppet resource firewall command' do context 'when accepts rules with invalid comments' do before(:all) do iptables_flush_all_tables - shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"') + run_shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -68,10 +68,10 @@ describe 'puppet resource firewall command' do context 'when accepts rules with multiple comments', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do before(:all) do iptables_flush_all_tables - shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http" -m comment --comment "http"') + run_shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http" -m comment --comment "http"') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -83,12 +83,12 @@ describe 'puppet resource firewall command' do context 'when accepts rules with negation' do before :all do iptables_flush_all_tables - shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535') - shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535') - shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE') + run_shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535') + run_shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535') + run_shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -100,10 +100,10 @@ describe 'puppet resource firewall command' do context 'when accepts rules with match extension tcp flag' do before :all do iptables_flush_all_tables - shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42') + run_shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -116,12 +116,12 @@ describe 'puppet resource firewall command' do before :all do iptables_flush_all_tables # This command doesn't work with all versions/oses, so let it fail - shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', acceptable_exit_codes: [0, 1, 2]) - shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6') - shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7') + run_shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', expect_failures: true) + run_shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6') + run_shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -133,14 +133,14 @@ describe 'puppet resource firewall command' do context 'when accepts rules with negation' do before :all do iptables_flush_all_tables - shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -m policy --dir out --pol ipsec -j ACCEPT') - shell('iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.122.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 108 --proto esp -j ACCEPT') - shell('iptables -t filter -A FORWARD -s 192.168.122.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 108 --proto esp -j ACCEPT') - shell('iptables -t filter -A FORWARD -s 192.168.201.1/32 -d 192.168.122.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 107 --proto esp -j ACCEPT') - shell('iptables -t filter -A FORWARD -s 192.168.122.0/24 -d 192.168.201.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 107 --proto esp -j ACCEPT') + run_shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -m policy --dir out --pol ipsec -j ACCEPT') + run_shell('iptables -t filter -A FORWARD -s 192.168.1.0/24 -d 192.168.122.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 108 --proto esp -j ACCEPT') + run_shell('iptables -t filter -A FORWARD -s 192.168.122.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 108 --proto esp -j ACCEPT') + run_shell('iptables -t filter -A FORWARD -s 192.168.201.1/32 -d 192.168.122.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 107 --proto esp -j ACCEPT') + run_shell('iptables -t filter -A FORWARD -s 192.168.122.0/24 -d 192.168.201.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 107 --proto esp -j ACCEPT') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -152,10 +152,10 @@ describe 'puppet resource firewall command' do context 'when accepts rules with -m (tcp|udp) without dport/sport' do before :all do iptables_flush_all_tables - shell('iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp -j ACCEPT') + run_shell('iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp -j ACCEPT') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal @@ -167,13 +167,16 @@ describe 'puppet resource firewall command' do context 'when accepts rules with -m ttl' do before :all do iptables_flush_all_tables - shell('iptables -t nat -A OUTPUT -s 10.0.0.0/8 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299') + run_shell('iptables -A FORWARD -m ttl --ttl-gt 100 -j LOG') end - let(:result) { shell('puppet resource firewall') } + let(:result) { run_shell('puppet resource firewall') } it do # Don't check stdout, testing preexisting rules, output is normal + puts "reslt = #{result}" + puts "resltexit_code = #{result.exit_code}" + puts "resltstderr = #{result.stderr}" expect(result.exit_code).to be_zero expect(result.stderr).to be_empty end @@ -185,15 +188,15 @@ describe 'puppet resource firewall command' do context 'when dport/sport with ip6tables', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do before :all do if os['family'] == 'debian' - shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections') - shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections') - shell('apt-get install iptables-persistent -y') + run_shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections') + run_shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections') + run_shell('apt-get install iptables-persistent -y') end ip6tables_flush_all_tables - shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar') + run_shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar') end - let(:result) { shell('puppet resource firewall \'000-foobar\' provider=ip6tables') } + let(:result) { run_shell('puppet resource firewall \000-foobar\ provider=ip6tables') } it do # Don't check stdout, testing preexisting rules, output is normal diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb index 00f077f..3ee599c 100644 --- a/spec/acceptance/rules_spec.rb +++ b/spec/acceptance/rules_spec.rb @@ -1,4 +1,5 @@ require 'spec_helper_acceptance' +require 'spec_helper_acceptance_local' describe 'rules spec' do describe 'complex ruleset 1' do @@ -8,10 +9,10 @@ describe 'rules spec' do end after :all do - shell('iptables -t filter -P INPUT ACCEPT') - shell('iptables -t filter -P FORWARD ACCEPT') - shell('iptables -t filter -P OUTPUT ACCEPT') - shell('iptables -t filter --flush') + run_shell('iptables -t filter -P INPUT ACCEPT') + run_shell('iptables -t filter -P FORWARD ACCEPT') + run_shell('iptables -t filter -P OUTPUT ACCEPT') + run_shell('iptables -t filter --flush') end pp1 = <<-PUPPETCODE @@ -93,8 +94,8 @@ describe 'rules spec' do } PUPPETCODE it 'applies cleanly' do - apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: true) + apply_manifest(pp1, catch_failures: true, expect_failures: true) + apply_manifest(pp1, catch_changes: true, expect_failures: true) end regex_values = [ %r{INPUT ACCEPT}, %r{FORWARD ACCEPT}, %r{OUTPUT ACCEPT}, @@ -104,7 +105,7 @@ describe 'rules spec' do %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT} ] it 'contains appropriate rules' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| regex_values.each do |line| expect(r.stdout).to match(line) end @@ -114,10 +115,10 @@ describe 'rules spec' do describe 'complex ruleset 2' do after :all do - shell('iptables -t filter -P INPUT ACCEPT') - shell('iptables -t filter -P FORWARD ACCEPT') - shell('iptables -t filter -P OUTPUT ACCEPT') - shell('iptables -t filter --flush') + run_shell('iptables -t filter -P INPUT ACCEPT') + run_shell('iptables -t filter -P FORWARD ACCEPT') + run_shell('iptables -t filter -P OUTPUT ACCEPT') + run_shell('iptables -t filter --flush') end pp2 = <<-PUPPETCODE @@ -239,8 +240,9 @@ describe 'rules spec' do PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency - apply_manifest(pp2, catch_failures: true) - apply_manifest(pp2, catch_changes: true) + r = apply_manifest(pp2, catch_failures: true, expect_failures: true) + + r=apply_manifest(pp2, catch_changes: true, expect_failures: true) end regex_values = [ @@ -264,11 +266,11 @@ describe 'rules spec' do %r{-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m conntrack --ctstate NEW -m comment --comment \"025 smtp\" -j ACCEPT}, ] it 'contains appropriate rules' do - shell('iptables-save') do |r| + run_shell('iptables-save') do |r| regex_values.each do |line| expect(r.stdout).to match(line) end end end end -end +end \ No newline at end of file diff --git a/spec/acceptance/standard_usage_spec.rb b/spec/acceptance/standard_usage_spec.rb index c4cc430..5f50847 100644 --- a/spec/acceptance/standard_usage_spec.rb +++ b/spec/acceptance/standard_usage_spec.rb @@ -53,7 +53,8 @@ describe 'standard usage tests' do PUPPETCODE it 'applies twice' do # Run it twice and test for idempotency - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: do_catch_changes) + # idempotent_apply(pp) + apply_manifest(pp, catch_failures: true, expect_failures: true) + apply_manifest(pp, catch_changes: true, expect_failures: true) end end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 4644626..12cd7c6 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -1,42 +1,57 @@ -require 'beaker-pe' -require 'beaker-puppet' -require 'beaker-rspec' -require 'beaker/puppet_install_helper' -require 'beaker/module_install_helper' +require 'serverspec' +require 'puppet_litmus' +require 'spec_helper_acceptance_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_acceptance_local.rb')) +include PuppetLitmus -def iptables_flush_all_tables - ['filter', 'nat', 'mangle', 'raw'].each do |t| - expect(shell("iptables -t #{t} -F").stderr).to eq('') +if ENV['TARGET_HOST'].nil? || ENV['TARGET_HOST'] == 'localhost' + puts 'Running tests against this machine !' + if Gem.win_platform? + set :backend, :cmd + else + set :backend, :exec end -end +else + # load inventory + inventory_hash = inventory_hash_from_inventory_file + node_config = config_from_node(inventory_hash, ENV['TARGET_HOST']) -def ip6tables_flush_all_tables - ['filter', 'mangle', 'raw'].each do |t| - expect(shell("ip6tables -t #{t} -F").stderr).to eq('') - end -end + if target_in_group(inventory_hash, ENV['TARGET_HOST'], 'docker_nodes') + host = ENV['TARGET_HOST'] + set :backend, :docker + set :docker_container, host + elsif target_in_group(inventory_hash, ENV['TARGET_HOST'], 'ssh_nodes') + set :backend, :ssh + options = Net::SSH::Config.for(host) + options[:user] = node_config.dig('ssh', 'user') unless node_config.dig('ssh', 'user').nil? + options[:port] = node_config.dig('ssh', 'port') unless node_config.dig('ssh', 'port').nil? + options[:keys] = node_config.dig('ssh', 'private-key') unless node_config.dig('ssh', 'private-key').nil? + options[:password] = node_config.dig('ssh', 'password') unless node_config.dig('ssh', 'password').nil? + options[:verify_host_key] = Net::SSH::Verifiers::Null.new unless node_config.dig('ssh', 'host-key-check').nil? + host = if ENV['TARGET_HOST'].include?(':') + ENV['TARGET_HOST'].split(':').first + else + ENV['TARGET_HOST'] + end + set :host, options[:host_name] || host + set :ssh_options, options + set :request_pty, true + elsif target_in_group(inventory_hash, ENV['TARGET_HOST'], 'winrm_nodes') + require 'winrm' -def do_catch_changes - if default['platform'] =~ %r{el-5} - false - else - true - end -end + set :backend, :winrm + set :os, family: 'windows' + user = node_config.dig('winrm', 'user') unless node_config.dig('winrm', 'user').nil? + pass = node_config.dig('winrm', 'password') unless node_config.dig('winrm', 'password').nil? + endpoint = "http://#{ENV['TARGET_HOST']}:5985/wsman" -run_puppet_install_helper -configure_type_defaults_on(hosts) -install_module_on(hosts) -install_module_dependencies_on(hosts) + opts = { + user: user, + password: pass, + endpoint: endpoint, + operation_timeout: 300, + } -RSpec.configure do |c| - # Configure all nodes in nodeset - c.before :suite do - # Install module and dependencies - hosts.each do |host| - on host, puppet('module', 'install', 'puppetlabs-stdlib'), acceptable_exit_codes: [0] - # the ubuntu-14.04 docker image doesn't carry the iptables command - apply_manifest_on host, 'package { "iptables": ensure => installed }' if fact('osfamily') == 'Debian' - end + winrm = WinRM::Connection.new opts + Specinfra.configuration.winrm = winrm end end diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb new file mode 100644 index 0000000..d0c3f6e --- /dev/null +++ b/spec/spec_helper_acceptance_local.rb @@ -0,0 +1,16 @@ +def iptables_flush_all_tables + ['filter', 'nat', 'mangle', 'raw'].each do |t| + expect(run_shell("iptables -t #{t} -F").stderr).to eq('') + end +end + +def ip6tables_flush_all_tables + ['filter', 'mangle'].each do |t| + expect(run_shell("ip6tables -t #{t} -F").stderr).to eq('') + end +end + +def get_iptables_version + x=run_shell('iptables -V') + x.stdout.split(' ')[1][1..-1] +end \ No newline at end of file