From 2e560f229794a2b6eb74ce8faaa43edcc0ed85bc Mon Sep 17 00:00:00 2001
From: tphoney
Date: Wed, 20 Feb 2019 11:03:47 +0000
Subject: [PATCH] port dport sport destination tests cleaned
---
 .../firewall_attributes_exceptions_spec.rb | 208 ------------------
 .../firewall_attributes_happy_path_spec.rb | 60 +++++
 2 files changed, 60 insertions(+), 208 deletions(-)
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
index 9517de2..6aa4f13 100644
--- a/spec/acceptance/firewall_attributes_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -92,28 +92,6 @@ describe 'firewall basics', docker: true do
 end
 describe 'src_range' do
- context 'when 192.168.1.1-192.168.1.10' do
- pp10 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '557 - test':
- proto => tcp,
- port => '557',
- action => accept,
- src_range => '192.168.1.1-192.168.1.10',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp10, catch_failures: true)
- apply_manifest(pp10, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --ports 557 -m comment --comment "557 - test" -j ACCEPT})
- end
- end
- end
-
 # Invalid IP
 context 'when 392.168.1.1-192.168.1.10' do
 pp11 = <<-PUPPETCODE
@@ -140,50 +118,6 @@ describe 'firewall basics', docker: true do
 end
 describe 'destination' do
- context 'when 192.168.2.0/24' do
- pp12 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '558 - test':
- proto => tcp,
- port => '558',
- action => accept,
- destination => '192.168.2.0/24',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp12, catch_failures: true)
- apply_manifest(pp12, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when ! 192.168.2.0/24' do
- pp13 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '558 - test':
- proto => tcp,
- port => '558',
- action => accept,
- destination => '! 192.168.2.0/24',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp13, catch_failures: true)
- apply_manifest(pp13, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT})
- end
- end
- end
-
 # Invalid address
 context 'when 256.168.2.0/24' do
 pp14 = <<-PUPPETCODE
@@ -210,28 +144,6 @@ describe 'firewall basics', docker: true do
 end
 describe 'dst_range' do
- context 'when 192.168.1.1-192.168.1.10' do
- pp15 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '559 - test':
- proto => tcp,
- port => '559',
- action => accept,
- dst_range => '192.168.1.1-192.168.1.10',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp15, catch_failures: true)
- apply_manifest(pp15, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - test" -j ACCEPT})
- end
- end
- end
-
 # Invalid IP
 context 'when 392.168.1.1-192.168.1.10' do
 pp16 = <<-PUPPETCODE
@@ -258,46 +170,6 @@ describe 'firewall basics', docker: true do
 end
 describe 'sport' do
- context 'when single port' do
- pp17 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '560 - test':
- proto => tcp,
- sport => '560',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp17, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560 -m comment --comment "560 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when multiple ports' do
- pp18 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '560 - test':
- proto => tcp,
- sport => '560-561',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp18, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560:561 -m comment --comment "560 - test" -j ACCEPT})
- end
- end
- end
-
 context 'when invalid ports' do
 pp19 = <<-PUPPETCODE
 class { '::firewall': }
@@ -322,46 +194,6 @@ describe 'firewall basics', docker: true do
 end
 describe 'dport' do
- context 'when single port' do
- pp20 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '561 - test':
- proto => tcp,
- dport => '561',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp20, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561 -m comment --comment "561 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when multiple ports' do
- pp21 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '561 - test':
- proto => tcp,
- dport => '561-562',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp21, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561:562 -m comment --comment "561 - test" -j ACCEPT})
- end
- end
- end
-
 context 'when invalid ports' do
 pp22 = <<-PUPPETCODE
 class { '::firewall': }
@@ -386,46 +218,6 @@ describe 'firewall basics', docker: true do
 end
 describe 'port' do
- context 'when single port' do
- pp23 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '562 - test':
- proto => tcp,
- port => '562',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp23, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562 -m comment --comment "562 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when multiple ports' do
- pp24 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '562 - test':
- proto => tcp,
- port => '562-563',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp24, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - test" -j ACCEPT})
- end
- end
- end
-
 context 'when invalid ports' do
 pp25 = <<-PUPPETCODE
 class { '::firewall': }
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index bfb65ec..ca25dda 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -22,6 +22,18 @@ describe 'firewall attribute testing, happy path' do
 connmark => '0x1',
 action => reject,
 }
+ firewall { '550 - destination':
+ proto => tcp,
+ port => '550',
+ action => accept,
+ destination => '192.168.2.0/24',
+ }
+ firewall { '551 - destination negated':
+ proto => tcp,
+ port => '551',
+ action => accept,
+ destination => '! 192.168.2.0/24',
+ }
 firewall { '556 - source':
 proto => tcp,
 port => '556',
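Review bot: The second-run check that the removed `destination`, `src_range` and `dst_range` contexts performed (`apply_manifest(pp, catch_changes: do_catch_changes)` after the first apply) is not reproduced for the rules moved into this manifest, here and in the following `src_range`/`dst_range` hunk. How the happy-path manifest is applied lies outside these hunks, so this may already be covered in that spec's setup; if it is applied only once, the test that would catch one of these rules being rewritten on every Puppet run is lost for exactly the attributes that had it before. Keeping a second `apply_manifest(pp, catch_changes: do_catch_changes)` in the happy-path setup would preserve that coverage for all rules in the manifest at once. The manifest heredoc these resources are added to begins before the hunk.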
@@ -34,6 +46,33 @@ describe 'firewall attribute testing, happy path' do
 action => accept,
 source => '! 192.168.2.0/24',
 }
+ firewall { '558 - src_range':
+ proto => tcp,
+ port => '558',
+ action => accept,
+ src_range => '192.168.1.1-192.168.1.10',
+ }
+ firewall { '559 - dst_range':
+ proto => tcp,
+ port => '559',
+ action => accept,
+ dst_range => '192.168.1.1-192.168.1.10',
+ }
+ firewall { '560 - sport range':
+ proto => tcp,
+ sport => '560-561',
+ action => accept,
+ }
+ firewall { '561 - dport range':
+ proto => tcp,
+ dport => '561-562',
+ action => accept,
+ }
+ firewall { '562 - port range':
+ proto => tcp,
+ port => '562-563',
+ action => accept,
+ }
 firewall { '801 - gid root':
 chain => 'OUTPUT',
 action => accept,
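Review bot: The single-port forms of `sport` and `dport` lose their acceptance coverage in this hunk: only the range forms are added (`sport => '560-561'`, `dport => '561-562'`), while the deleted `when single port` contexts for sport (560) and dport (561) in the exceptions spec have no counterpart in the happy-path manifest. Single `port` is still exercised indirectly by the destination/source/range rules (`port => '550'` and so on), but the removed expectations show the two forms render differently — `--sports 560` verbatim versus `560-561` rewritten to `--sports 560:561` — so a single `--sports`/`--dports` value deserves its own rule and a matching `it '... is set'` expectation in the later expectations hunk. Two resources along the lines below would restore it; the comment names and port numbers are placeholders to be replaced with numbers unused elsewhere in this manifest. The manifest heredoc these resources belong to begins before the hunk.
```ruby
      # … unchanged: '562 - port range' and earlier resources …
      firewall { '<N> - sport single':
        proto  => tcp,
        sport  => '<PORT_A>',
        action => accept,
      }
      firewall { '<M> - dport single':
        proto  => tcp,
        dport  => '<PORT_B>',
        action => accept,
      }
      # … unchanged: '801 - gid root' and following resources …
```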
@@ -72,12 +111,33 @@ describe 'firewall attribute testing, happy path' do
 it 'contains connmark' do
 expect(result.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - connmark" -j REJECT --reject-with icmp-port-unreachable})
 end
+ it 'destination is set' do
+ expect(result.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 550 -m comment --comment "550 - destination" -j ACCEPT})
+ end
+ it 'destination is negated' do
+ expect(result.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 551 -m comment --comment "551 - destination negated" -j ACCEPT})
+ end
 it 'source is set' do
 expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - source" -j ACCEPT})
 end
 it 'source is negated' do
 expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 557 -m comment --comment "557 - source negated" -j ACCEPT})
 end
+ it 'src_range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --ports 558 -m comment --comment "558 - src_range" -j ACCEPT})
+ end
+ it 'dst_range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - dst_range" -j ACCEPT})
+ end
+ it 'sport range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560:561 -m comment --comment "560 - sport range" -j ACCEPT})
+ end
+ it 'dport range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561:562 -m comment --comment "561 - dport range" -j ACCEPT})
+ end
+ it 'port range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - port range" -j ACCEPT})
+ end
 it 'gid set to root' do
 expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
 end
-- 2.45.2