From: Patrick Hemmer Date: Sun, 5 Jan 2014 19:55:33 +0000 (-0500) Subject: add specs for chain purge X-Git-Tag: 0.5.0~12^2~1 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=9392187530cac9240b2e5f14a6f20cb31c6dab04;p=puppet-modules%2Fpuppetlabs-firewall.git add specs for chain purge
---
diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
index e1c29e8..3c4df3f 100644
--- a/spec/acceptance/purge_spec.rb
+++ b/spec/acceptance/purge_spec.rb
@@ -1,30 +1,84 @@
 require 'spec_helper_acceptance'
 describe "purge tests:" do
- before(:all) do
- iptables_flush_all_tables
+ context('resources purge') do
+ before(:all) do
+ iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -s 1.2.1.2')
- shell('/sbin/iptables -A INPUT -s 1.2.1.2')
- end
+ shell('/sbin/iptables -A INPUT -s 1.2.1.2')
+ shell('/sbin/iptables -A INPUT -s 1.2.1.2')
+ end
- it 'make sure duplicate existing rules get purged' do
+ it 'make sure duplicate existing rules get purged' do
- pp = <<-EOS
- class { 'firewall': }
- resources { 'firewall':
- purge => true,
- }
- EOS
+ pp = <<-EOS
+ class { 'firewall': }
+ resources { 'firewall':
+ purge => true,
+ }
+ EOS
- expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(2)
- end
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(2)
+ end
- it 'saves' do
- shell('/sbin/iptables-save') do |r|
- r.stdout.should_not =~ /1\.2\.1\.2/
- r.stderr.should be_empty
+ it 'saves' do
+ shell('/sbin/iptables-save') do |r|
+ r.stdout.should_not =~ /1\.2\.1\.2/
+ r.stderr.should be_empty
+ end
 end
 end
+ context('chain purge') do
+ before(:each) do
+ iptables_flush_all_tables
+
+ shell('/sbin/iptables -A INPUT -s 1.2.1.1')
+ shell('/sbin/iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
+ end
+
+ it 'purges only the specified chain' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ }
+ EOS
+
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(2)
+
+ shell('/sbin/iptables-save') do |r|
+ r.stdout.should =~ /010 output-1\.2\.1\.2/
+ r.stderr.should be_empty
+ end
+ end
+
+ it 'ignores managed rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'OUTPUT:filter:IPv4':
+ purge => true,
+ }
+ firewall { '010 output-1.2.1.2':
+ source => '1.2.1.2',
+ }
+ EOS
+
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(0)
+ end
+
+ it 'ignores specified rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ ignore => [
+ '-s 1\.2\.1\.1',
+ ],
+ }
+ EOS
+
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(0)
+ end
+ end
 end
diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb
index e3efda0..88ca99d 100755
--- a/spec/unit/puppet/type/firewallchain_spec.rb
+++ b/spec/unit/puppet/type/firewallchain_spec.rb
@@ -138,4 +138,48 @@ describe firewallchain do
 end
 end
 end
+
+ describe 'purge iptables rules' do
+ before(:each) do
+ allow(Puppet::Type.type(:firewall).provider(:iptables)).to receive(:iptables_save).and_return(< 'INPUT:filter:IPv4', :purge => true)
+
+ expect(resource.generate.size).to eq(3)
+ end
+
+ it 'should not generate ignored iptables rules' do
+ resource = Puppet::Type::Firewallchain.new(:name => 'INPUT:filter:IPv4', :purge => true, :ignore => ['-j fail2ban-ssh'])
+
+ expect(resource.generate.size).to eq(2)
+ end
+
+ it 'should not generate iptables resources when not enabled' do
+ resource = Puppet::Type::Firewallchain.new(:name => 'INPUT:filter:IPv4')
+
+ expect(resource.generate.size).to eq(0)
+ end
+ end
 end
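Review bot: In 'ignores managed rules' the catalog's `firewall { '010 output-1.2.1.2': source => '1.2.1.2' }` pins neither `chain` nor `proto`, while the rule seeded in `before(:each)` is appended to OUTPUT with no `-p`; if the firewall type's defaults for those two properties differ from what is on the box (upstream's type defaults chain to INPUT and proto to tcp as far as I recall — worth confirming), Puppet will rewrite the rule, the run exits 2, and the `eq(0)` expectation fails for a reason unrelated to purge. Declare the resource exactly as the seeded rule exists, adding `chain  => 'OUTPUT',` and `proto  => 'all',` next to `source`. Separately, 'ignores specified rules' only shows that Puppet reported no change; it never looks at the ruleset afterwards. Add `shell('/sbin/iptables-save') { |r| r.stdout.should =~ /1\.2\.1\.1/ }` after the apply so the example also proves the ignored INPUT rule actually survived the chain purge, mirroring what 'purges only the specified chain' does for the OUTPUT rule.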
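Review bot: The `before(:each)` stub replaces `iptables_save` on the `:iptables` provider only; if `generate` enumerates rules through `Puppet::Type.type(:firewall).instances` (its body is not in this hunk, so this is inferred), the `:ip6tables` provider's `instances` will still shell out to the real `ip6tables-save` on any test host where that command exists, making the example host-dependent and possibly root-requiring. Stub the IPv6 side alongside the IPv4 one, e.g. `allow(Puppet::Type.type(:firewall).provider(:ip6tables)).to receive(:ip6tables_save).and_return('')`. The heredoc handed to `and_return` is missing from this rendering of the patch (only `(<` survives before the first example), so the expected counts of 3 and 2 — and whether `'-j fail2ban-ssh'` is meant as a regexp or a literal substring of a fixture rule line — cannot be checked here. A one-line comment above the stub naming the fixture rules, e.g. `# three INPUT rules, one of them '-j fail2ban-ssh'`, would make the counts self-explaining.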