From 6f7b91f574d490881a65abfa93c42c19c1db069b Mon Sep 17 00:00:00 2001
From: tphoney
Date: Tue, 19 Feb 2019 17:02:29 +0000
Subject: [PATCH] clean uid and gid testing

---
 spec/acceptance/firewall_attributes_spec.rb | 36 ++++++++
 spec/acceptance/firewall_gid_spec.rb | 98 ---------------------
 spec/acceptance/firewall_spec.rb | 25 ------
 spec/acceptance/firewall_uid_spec.rb | 98 ---------------------
 4 files changed, 36 insertions(+), 221 deletions(-)
 delete mode 100644 spec/acceptance/firewall_gid_spec.rb
 delete mode 100644 spec/acceptance/firewall_uid_spec.rb

diff --git a/spec/acceptance/firewall_attributes_spec.rb b/spec/acceptance/firewall_attributes_spec.rb
index 41634b2..18abccc 100644
--- a/spec/acceptance/firewall_attributes_spec.rb
+++ b/spec/acceptance/firewall_attributes_spec.rb
@@ -22,6 +22,30 @@ describe 'connlimit property' do
 connmark => '0x1',
 action => reject,
 }
+ firewall { '801 - gid root':
+ chain => 'OUTPUT',
+ action => accept,
+ gid => 'root',
+ proto => 'all',
+ }
+ firewall { '802 - gid not root':
+ chain => 'OUTPUT',
+ action => accept,
+ gid => '!root',
+ proto => 'all',
+ }
+ firewall { '803 - uid 0':
+ chain => 'OUTPUT',
+ action => accept,
+ uid => '0',
+ proto => 'all',
+ }
+ firewall { '804 - uid not 0':
+ chain => 'OUTPUT',
+ action => accept,
+ uid => '!0',
+ proto => 'all',
+ }
 PUPPETCODE
 apply_manifest(pp, catch_failures: true)
 apply_manifest(pp, catch_changes: do_catch_changes)
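Review bot: The four owner-match resources added after the `}` that closes the connmark resource all use `proto => 'all'`, so the case the deleted `describe 'gid'` block in firewall_spec.rb (the `@@ -1880,31 +1880,6 @@` hunk) covered — `gid` combined with `proto => tcp` and `port => '575'`, where `-m owner` is emitted alongside `-m multiport` — has no acceptance test left after this commit. Keeping one such resource in this manifest preserves that coverage, with a matching expectation added next to the new `it` blocks in the second hunk: `expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m owner --gid-owner (root|\d+) -m multiport --ports 575 -m comment --comment "805 - gid root tcp" -j ACCEPT})`, which is the pattern the removed test asserted. The `pp` heredoc and the enclosing `describe` start before this hunk.
```ruby
      # … unchanged: 801–804 gid/uid resources …
      firewall { '805 - gid root tcp':
        chain  => 'OUTPUT',
        proto  => 'tcp',
        port   => '575',
        action => accept,
        gid    => 'root',
      }
```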
@@ -36,5 +60,17 @@ describe 'connlimit property' do
 it 'contains the connmark' do
 expect(result.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - connmark" -j REJECT --reject-with icmp-port-unreachable})
 end
+ it 'when gid set to root' do
+ expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
+ end
+ it 'when gid set to not root' do
+ expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "802 - gid not root" -j ACCEPT})
+ end
+ it 'when uid set to 0' do
+ expect(result.stdout).to match(%r{-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "803 - uid 0" -j ACCEPT})
+ end
+ it 'when uid set to not 0' do
+ expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - uid not 0" -j ACCEPT})
+ end
 end
 end
diff --git a/spec/acceptance/firewall_gid_spec.rb b/spec/acceptance/firewall_gid_spec.rb
deleted file mode 100644
index f5c360d..0000000
--- a/spec/acceptance/firewall_gid_spec.rb
+++ /dev/null
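Review bot: The four new `it` descriptions are phrased as contexts ('when gid set to root') while the sibling `it 'contains the connmark'` in the same block states what is asserted, so the spec output reads "connlimit property when gid set to root" and no longer says what was checked. Renaming them to the sibling's form, e.g. `it 'contains the gid root rule' do`, `it 'contains the gid not root rule' do`, `it 'contains the uid 0 rule' do` and `it 'contains the uid not 0 rule' do`, keeps the file consistent now that the old per-context specs are gone. The `(0|root)` alternation accepts either spelling, which looks intentional for platform differences, but it is worth noting in a comment that these expectations do not pin how the provider renders the owner, since uid 0 and root are indistinguishable to them. The `result` these blocks read and the enclosing `describe` are defined before this hunk.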
@@ -1,98 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'firewall gid' do - before :all do - iptables_flush_all_tables - ip6tables_flush_all_tables - end - - describe 'gid tests' do - context 'when gid set to root' do - pp1 = <<-PUPPETCODE - class { '::firewall': } - firewall { '801 - test': - chain => 'OUTPUT', - action => accept, - gid => 'root', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - test" -j ACCEPT}) - end - end - end - - context 'when gid set to !root' do - pp2 = <<-PUPPETCODE - class { '::firewall': } - firewall { '802 - test': - chain => 'OUTPUT', - action => accept, - gid => '!root', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp2, catch_failures: true) - apply_manifest(pp2, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner ! 
--gid-owner (0|root) -m comment --comment "802 - test" -j ACCEPT}) - end - end - end - - context 'when gid set to 0' do - pp3 = <<-PUPPETCODE - class { '::firewall': } - firewall { '803 - test': - chain => 'OUTPUT', - action => accept, - gid => '0', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp3, catch_failures: true) - apply_manifest(pp3, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "803 - test" -j ACCEPT}) - end - end - end - - context 'when gid set to !0' do - pp4 = <<-PUPPETCODE - class { '::firewall': } - firewall { '804 - test': - chain => 'OUTPUT', - action => accept, - gid => '!0', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp4, catch_failures: true) - apply_manifest(pp4, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "804 - test" -j ACCEPT}) - end - end - end - end -end diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index 4f77048..17ebfbc 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb 
@@ -1880,31 +1880,6 @@ describe 'firewall basics', docker: true do end end - describe 'gid' do - context 'when root' do - pp72 = <<-PUPPETCODE - class { '::firewall': } - firewall { '575 - test': - ensure => present, - proto => tcp, - chain => 'OUTPUT', - port => '575', - action => accept, - gid => 'root', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp72, catch_failures: true) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m owner --gid-owner (root|\d+) -m multiport --ports 575 -m comment --comment "575 - test" -j ACCEPT}) - end - end - end - end - # iptables version 1.3.5 does not support masks on MARK rules if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'set_mark' do diff --git a/spec/acceptance/firewall_uid_spec.rb b/spec/acceptance/firewall_uid_spec.rb deleted file mode 100644 index adeb39d..0000000 --- a/spec/acceptance/firewall_uid_spec.rb +++ /dev/null 
@@ -1,98 +0,0 @@ -require 'spec_helper_acceptance' - -describe 'firewall uid' do - before :all do - iptables_flush_all_tables - ip6tables_flush_all_tables - end - - describe 'uid tests' do - context 'when uid set to root' do - pp1 = <<-PUPPETCODE - class { '::firewall': } - firewall { '801 - test': - chain => 'OUTPUT', - action => accept, - uid => 'root', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "801 - test" -j ACCEPT}) - end - end - end - - context 'when uid set to !root' do - pp2 = <<-PUPPETCODE - class { '::firewall': } - firewall { '802 - test': - chain => 'OUTPUT', - action => accept, - uid => '!root', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp2, catch_failures: true) - apply_manifest(pp2, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner ! 
--uid-owner (0|root) -m comment --comment "802 - test" -j ACCEPT}) - end - end - end - - context 'when uid set to 0' do - pp3 = <<-PUPPETCODE - class { '::firewall': } - firewall { '803 - test': - chain => 'OUTPUT', - action => accept, - uid => '0', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp3, catch_failures: true) - apply_manifest(pp3, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "803 - test" -j ACCEPT}) - end - end - end - - context 'when uid set to !0' do - pp4 = <<-PUPPETCODE - class { '::firewall': } - firewall { '804 - test': - chain => 'OUTPUT', - action => accept, - uid => '!0', - proto => 'all', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp4, catch_failures: true) - apply_manifest(pp4, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - test" -j ACCEPT}) - end - end - end - end -end -- 2.45.2