From 0f3df72f23d2c6fc90727f554df9daae4d7ea1fc Mon Sep 17 00:00:00 2001 From: David Schmitt Date: Mon, 18 Apr 2016 19:10:21 +0100 Subject: [PATCH] (maint) remove UNSUPPORTED_PLATFORMS filter and improve spec description --- spec/acceptance/change_source_spec.rb | 9 ++++----- spec/acceptance/class_spec.rb | 2 +- spec/acceptance/connlimit_spec.rb | 13 ++++--------- spec/acceptance/connmark_spec.rb | 4 ++-- spec/acceptance/firewall_bridging_spec.rb | 14 ++++---------- spec/acceptance/firewall_dscp_spec.rb | 9 ++++----- spec/acceptance/firewall_iptmodules_spec.rb | 13 ++++--------- spec/acceptance/firewall_mss_spec.rb | 9 ++++----- spec/acceptance/firewall_spec.rb | 10 ++++------ spec/acceptance/firewall_tee_spec.rb | 13 ++++++------- spec/acceptance/firewall_time_spec.rb | 10 ++++------ spec/acceptance/firewall_uid_spec.rb | 13 ++++--------- spec/acceptance/firewallchain_spec.rb | 4 +++- spec/acceptance/invert_spec.rb | 5 +++-- spec/acceptance/ip6_fragment_spec.rb | 6 ++++-- spec/acceptance/isfragment_spec.rb | 3 ++- spec/acceptance/match_mark_spec.rb | 9 ++++----- spec/acceptance/params_spec.rb | 11 +++++------ spec/acceptance/purge_spec.rb | 7 ++++++- spec/acceptance/resource_cmd_spec.rb | 2 +- spec/acceptance/rules_spec.rb | 5 +++-- spec/acceptance/socket_spec.rb | 3 ++- spec/acceptance/standard_usage_spec.rb | 2 +- spec/acceptance/unsupported_spec.rb | 10 ---------- spec/spec_helper_acceptance.rb | 9 ++------- 25 files changed, 81 insertions(+), 114 deletions(-) delete mode 100644 spec/acceptance/unsupported_spec.rb diff --git a/spec/acceptance/change_source_spec.rb b/spec/acceptance/change_source_spec.rb index f591108..3a5dbeb 100644 --- a/spec/acceptance/change_source_spec.rb +++ b/spec/acceptance/change_source_spec.rb 
@@ -1,10 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - describe 'reset' do - it 'deletes all rules' do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - end +describe 'changing the source' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe 'when unmanaged rules exist' do diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 0c74f97..1a516ab 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -1,6 +1,6 @@ require 'spec_helper_acceptance' -describe "firewall class:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe "firewall class" do it 'should run successfully' do pp = "class { 'firewall': }" diff --git a/spec/acceptance/connlimit_spec.rb b/spec/acceptance/connlimit_spec.rb index 1dfbf1c..9ec4615 100644 --- a/spec/acceptance/connlimit_spec.rb +++ b/spec/acceptance/connlimit_spec.rb @@ -1,14 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - describe 'reset' do - it 'deletes all iptables rules' do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - end - it 'deletes all ip6tables rules' do - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') - end +describe 'connlimit property' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end if default['platform'] !~ /sles-10/ diff --git a/spec/acceptance/connmark_spec.rb b/spec/acceptance/connmark_spec.rb index b3409ab..ab3b764 100644 --- a/spec/acceptance/connmark_spec.rb +++ b/spec/acceptance/connmark_spec.rb @@ -1,6 +1,6 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'connmark property' do describe 'connmark' do context '50' do 
@@ -9,7 +9,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami class { '::firewall': } firewall { '502 - test': proto => 'all', - connmark => '0x1', + connmark => '0x1', action => reject, } EOS diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb index 487f151..568d64c 100644 --- a/spec/acceptance/firewall_bridging_spec.rb +++ b/spec/acceptance/firewall_bridging_spec.rb @@ -1,14 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - describe 'reset' do - it 'deletes all iptables rules' do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - end - it 'deletes all ip6tables rules' do - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') - end +describe 'firewall bridging' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe 'iptables physdev tests' do @@ -371,5 +366,4 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami end end end - end diff --git a/spec/acceptance/firewall_dscp_spec.rb b/spec/acceptance/firewall_dscp_spec.rb index a85100a..581f117 100644 --- a/spec/acceptance/firewall_dscp_spec.rb +++ b/spec/acceptance/firewall_dscp_spec.rb @@ -1,10 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +describe 'firewall DSCP' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe 'dscp ipv4 tests' do diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb index 259a472..24234c0 100644 --- a/spec/acceptance/firewall_iptmodules_spec.rb 
+++ b/spec/acceptance/firewall_iptmodules_spec.rb @@ -1,14 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - describe 'reset' do - it 'deletes all iptables rules' do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - end - it 'deletes all ip6tables rules' do - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') - end +describe 'firewall iptmodules' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe 'iptables ipt_modules tests' do diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb index 4a2125b..06390fb 100644 --- a/spec/acceptance/firewall_mss_spec.rb +++ b/spec/acceptance/firewall_mss_spec.rb @@ -1,10 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +describe 'firewall MSS' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe 'mss ipv4 tests' do diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index def7d17..9f39c7e 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb @@ -1,11 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - describe 'reset' do - it 'deletes all rules' do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - end +describe 'firewall basics' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe 'name' do diff --git a/spec/acceptance/firewall_tee_spec.rb b/spec/acceptance/firewall_tee_spec.rb index c64c80c..da07a28 100644 
--- a/spec/acceptance/firewall_tee_spec.rb +++ b/spec/acceptance/firewall_tee_spec.rb @@ -1,10 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +describe 'firewall tee' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /ubuntu-1204/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/ @@ -13,7 +12,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami it 'applies' do pp = <<-EOS class { '::firewall': } - firewall { + firewall { '810 - tee_gateway': chain => 'PREROUTING', table => 'mangle', @@ -39,7 +38,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami it 'applies' do pp = <<-EOS class { '::firewall': } - firewall { + firewall { '811 - tee_gateway6': chain => 'PREROUTING', table => 'mangle', diff --git a/spec/acceptance/firewall_time_spec.rb b/spec/acceptance/firewall_time_spec.rb index e6ea34e..2569770 100644 --- a/spec/acceptance/firewall_time_spec.rb +++ b/spec/acceptance/firewall_time_spec.rb @@ -1,11 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +describe 'firewall time' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/ 
diff --git a/spec/acceptance/firewall_uid_spec.rb b/spec/acceptance/firewall_uid_spec.rb index ce45333..e4df7f8 100644 --- a/spec/acceptance/firewall_uid_spec.rb +++ b/spec/acceptance/firewall_uid_spec.rb @@ -1,14 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - describe 'reset' do - it 'deletes all rules' do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - end - it 'deletes all ip6tables rules' do - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') - end +describe 'firewall uid' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end describe "uid tests" do diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb index eaf71cc..ffc4e22 100644 --- a/spec/acceptance/firewallchain_spec.rb +++ b/spec/acceptance/firewallchain_spec.rb @@ -1,9 +1,11 @@ require 'spec_helper_acceptance' -describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'puppet resource firewallchain command' do before :all do iptables_flush_all_tables + ip6tables_flush_all_tables end + describe 'ensure' do context 'present' do it 'applies cleanly' do diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb index 07d698a..5eba941 100644 --- a/spec/acceptance/invert_spec.rb +++ b/spec/acceptance/invert_spec.rb @@ -1,8 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - before(:all) do +describe 'firewall inverting' do + before :all do iptables_flush_all_tables + ip6tables_flush_all_tables end context "inverting rules" do diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb index 64728ed..ed2256f 100644 --- a/spec/acceptance/ip6_fragment_spec.rb +++ b/spec/acceptance/ip6_fragment_spec.rb 
@@ -1,8 +1,9 @@ require 'spec_helper_acceptance' if default['platform'] =~ /el-5/ or default['platform'] =~ /sles-10/ - describe "firewall ip6tables doesn't work on 1.3.5 because --comment is missing", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do + describe "firewall ip6tables doesn't work on 1.3.5 because --comment is missing" do before :all do + iptables_flush_all_tables ip6tables_flush_all_tables end @@ -19,8 +20,9 @@ if default['platform'] =~ /el-5/ or default['platform'] =~ /sles-10/ end end else - describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do + describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do before :all do + iptables_flush_all_tables ip6tables_flush_all_tables end diff --git a/spec/acceptance/isfragment_spec.rb b/spec/acceptance/isfragment_spec.rb index f48f272..8e879b2 100644 --- a/spec/acceptance/isfragment_spec.rb +++ b/spec/acceptance/isfragment_spec.rb @@ -1,8 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall isfragment property', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'firewall isfragment property' do before :all do iptables_flush_all_tables + ip6tables_flush_all_tables end shared_examples "is idempotent" do |value, line_match| diff --git a/spec/acceptance/match_mark_spec.rb b/spec/acceptance/match_mark_spec.rb index cf5858d..17b80b4 100644 --- a/spec/acceptance/match_mark_spec.rb +++ b/spec/acceptance/match_mark_spec.rb 
@@ -1,10 +1,9 @@ require 'spec_helper_acceptance' -describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +describe 'firewall match marks' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/ diff --git a/spec/acceptance/params_spec.rb b/spec/acceptance/params_spec.rb index ca6652e..cac685a 100644 --- a/spec/acceptance/params_spec.rb +++ b/spec/acceptance/params_spec.rb @@ -1,17 +1,16 @@ require 'spec_helper_acceptance' -describe "param based tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - - before(:all) do - shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush') - shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush') +describe 'param based tests' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables end it 'test various params', :unless => (default['platform'].match(/el-5/) || fact('operatingsystem') == 'SLES') do iptables_flush_all_tables ppm = <<-EOS - firewall { '100 test': + firewall { '100 test': table => 'raw', socket => 'true', chain => 'PREROUTING', diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb index e191c12..4e052ba 100644 --- a/spec/acceptance/purge_spec.rb +++ b/spec/acceptance/purge_spec.rb @@ -1,6 +1,11 @@ require 'spec_helper_acceptance' -describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'purge tests' do + before :all do + iptables_flush_all_tables + ip6tables_flush_all_tables + end + context('resources purge') do before(:all) do iptables_flush_all_tables 
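Review bot: In spec/acceptance/params_spec.rb the new `before :all` flushes both address families, yet the `it 'test various params'` example still opens with its own `iptables_flush_all_tables`, so the IPv4 tables are flushed twice back to back. The purge_spec.rb hunk has the same overlap: the added outer `before :all` runs ahead of the `before(:all)` that `context('resources purge')` already carries. Either drop the inner call where it is now redundant, or mark it as deliberate with a comment such as `# re-flush: this example must start from an empty ruleset`. Both the `it` body and the purge context continue outside their hunks, so later contexts may still depend on the inner flush.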
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb index 19fd3af..39845fb 100644 --- a/spec/acceptance/resource_cmd_spec.rb +++ b/spec/acceptance/resource_cmd_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper_acceptance' # Here we want to test the the resource commands ability to work with different # existing ruleset scenarios. This will give the parsing capabilities of the # code a good work out. -describe 'puppet resource firewall command:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'puppet resource firewall command' do before(:all) do # In order to properly check stderr for anomalies we need to fix the deprecation warnings from puppet.conf. config = shell('puppet config print config').stdout diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb index fee12dd..3b27bd5 100644 --- a/spec/acceptance/rules_spec.rb +++ b/spec/acceptance/rules_spec.rb @@ -1,8 +1,9 @@ require 'spec_helper_acceptance' -describe 'complex ruleset 1', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'complex ruleset 1' do before :all do iptables_flush_all_tables + ip6tables_flush_all_tables end after :all do @@ -127,7 +128,7 @@ describe 'complex ruleset 2' do it 'applies cleanly' do pp = <<-EOS class { '::firewall': } - + Firewall { proto => 'all', stage => 'pre', diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb index 5503a9a..84a5361 100644 --- a/spec/acceptance/socket_spec.rb +++ b/spec/acceptance/socket_spec.rb 
@@ -1,9 +1,10 @@ require 'spec_helper_acceptance' # RHEL5 does not support -m socket -describe 'firewall socket property', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) || default['platform'] =~ /el-5/ || fact('operatingsystem') == 'SLES') do +describe 'firewall socket property', :unless => default['platform'] =~ /el-5/ || fact('operatingsystem') == 'SLES' do before :all do iptables_flush_all_tables + ip6tables_flush_all_tables end shared_examples "is idempotent" do |value, line_match| diff --git a/spec/acceptance/standard_usage_spec.rb b/spec/acceptance/standard_usage_spec.rb index afc0c42..6c54f8c 100644 --- a/spec/acceptance/standard_usage_spec.rb +++ b/spec/acceptance/standard_usage_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper_acceptance' # Some tests for the standard recommended usage -describe 'standard usage tests:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do +describe 'standard usage tests' do it 'applies twice' do pp = <<-EOS class my_fw::pre { diff --git a/spec/acceptance/unsupported_spec.rb b/spec/acceptance/unsupported_spec.rb deleted file mode 100644 index dfb75e2..0000000 --- a/spec/acceptance/unsupported_spec.rb +++ /dev/null @@ -1,10 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'unsupported distributions and OSes', :if => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do - it 'should fail' do - pp = <<-EOS - class { 'firewall': } - EOS - expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/not currently supported/i) - end -end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 44b5f8d..a200bc8 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -8,7 +8,7 @@ def iptables_flush_all_tables end def ip6tables_flush_all_tables - ['filter'].each do |t| + ['filter', 'nat', 'mangle'].each do |t| expect(shell("ip6tables -t #{t} -F").stderr).to eq("") end end 
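Review bot: In spec/spec_helper_acceptance.rb, `ip6tables_flush_all_tables` now runs `ip6tables -t nat -F` and asserts `stderr` is empty, which I would expect to fail on hosts whose kernel has no IPv6 `nat` table. The inline `shell('ip6tables --flush; ip6tables -t nat --flush; ...')` calls this commit removes never inspected stderr, so a missing table went unnoticed there. The helper is now called from `before :all` in nearly every spec, including the el-5/sles-10 branch of ip6_fragment_spec.rb, where one failure would take down the whole group. One option is to keep `['filter', 'mangle'].each do |t|` under the strict check and flush `nat` in a separate `shell` call that passes a wider `:acceptable_exit_codes`. The body of `iptables_flush_all_tables` lies outside the hunk, so whether it also clears `raw` (which params_spec.rb writes to) cannot be confirmed from here.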
@@ -23,21 +23,16 @@ end run_puppet_install_helper -UNSUPPORTED_PLATFORMS = ['windows','Solaris','Darwin'] - RSpec.configure do |c| # Project root proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) - # Readable test descriptions - c.formatter = :documentation - # Configure all nodes in nodeset c.before :suite do # Install module and dependencies hosts.each do |host| copy_module_to(host, :source => proj_root, :module_name => 'firewall') - on host, puppet('module install puppetlabs-stdlib --version 3.2.0'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module install puppetlabs-stdlib --version 3.2.0') end end end -- 2.45.2
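Review bot: Dropping `{ :acceptable_exit_codes => [0,1] }` from the `puppet('module install puppetlabs-stdlib --version 3.2.0')` call makes `c.before :suite` abort on any non-zero exit. That is a sound tightening, but it may break runs against hosts that are reused rather than freshly provisioned, if the old allowance existed because the install reports an error when stdlib is already present. If so, make the step idempotent rather than tolerant, or state the assumption with a comment such as `# hosts are freshly provisioned; a failed install must stop the suite`. The same hunk deletes `UNSUPPORTED_PLATFORMS`, so any spec not touched by this patch that still references it would raise a `NameError` at load time; a quick grep before merging would confirm none remain.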