From 84bdfade0a14e0bc7056a598ecc4f61a81ad045f Mon Sep 17 00:00:00 2001 From: tphoney Date: Thu, 21 Feb 2019 15:45:07 +0000 Subject: [PATCH] (maint) continued acceptance test cleaning --- .../firewall_attributes_happy_path_spec.rb | 32 ++ spec/acceptance/firewall_bridging_spec.rb | 353 +++++------------- 2 files changed, 125 insertions(+), 260 deletions(-) diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index e42478d..a95b5f8 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -175,6 +175,29 @@ describe 'firewall attribute testing, happy path' do jump => 'LOG', log_uid => true, } + firewall { '711 - physdev_in': + chain => 'FORWARD', + proto => tcp, + port => '711', + action => accept, + physdev_in => 'eth0', + } + firewall { '712 - physdev_out': + chain => 'FORWARD', + proto => tcp, + port => '712', + action => accept, + physdev_out => 'eth1', + } + firewall { '713 - physdev_in physdev_out physdev_is_bridged': + chain => 'FORWARD', + proto => tcp, + port => '713', + action => accept, + physdev_in => 'eth0', + physdev_out => 'eth1', + physdev_is_bridged => true, + } firewall { '801 - gid root': chain => 'OUTPUT', action => accept, 
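Review bot: The three new resources 711–713 only carry over the physdev_in, physdev_out and all-three-flags cases of the iptables physdev tests this commit deletes from spec/acceptance/firewall_bridging_spec.rb; the deleted iptables cases 704 (physdev_is_bridged alone), 705 (physdev_in with physdev_is_bridged) and 706 (physdev_out with physdev_is_bridged) get no counterpart here, so IPv4 coverage of `--physdev-is-bridged` without both interfaces set is lost while the ip6tables variants keep it. If dropping them is intended, a one-line comment above `firewall { '711 - physdev_in':` saying so would stop the next reader from re-adding them; otherwise add resources mirroring the deleted ones (numbered 714–716 below, following the hunk's sequence) together with matching `it` expectations in the iptables-save block of the second hunk. The manifest heredoc and the `describe` block that enclose these lines start and end outside the hunk.
```ruby
# … unchanged: 711–713 resources above …
firewall { '714 - physdev_is_bridged':
  chain              => 'FORWARD',
  proto              => tcp,
  port               => '714',
  action             => accept,
  physdev_is_bridged => true,
}
firewall { '715 - physdev_in physdev_is_bridged':
  chain              => 'FORWARD',
  proto              => tcp,
  port               => '715',
  action             => accept,
  physdev_in         => 'eth0',
  physdev_is_bridged => true,
}
firewall { '716 - physdev_out physdev_is_bridged':
  chain              => 'FORWARD',
  proto              => tcp,
  port               => '716',
  action             => accept,
  physdev_out        => 'eth1',
  physdev_is_bridged => true,
}
# … unchanged: 801 - gid root resource …
```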
@@ -285,6 +308,15 @@ describe 'firewall attribute testing, happy path' do it 'set log_uid' do expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid}) end + it 'set physdev_in' do + expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 711 -m comment --comment "711 - physdev_in" -j ACCEPT}) + end + it 'set physdev_out' do + expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 712 -m comment --comment "712 - physdev_out" -j ACCEPT}) + end + it 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do + expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength + end it 'gid set to root' do expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT}) end diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb index 813386c..6f68dea 100644 --- a/spec/acceptance/firewall_bridging_spec.rb +++ b/spec/acceptance/firewall_bridging_spec.rb 
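Review bot: The third example's description `it 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do` breaks the `set <attribute>` naming that the neighbouring examples use (`set log_uid`, `set physdev_in`, `set physdev_out`), which makes the RSpec output harder to scan; rename it to `it 'set physdev_in, physdev_out and physdev_is_bridged' do`. The trailing `# rubocop:disable Metrics/LineLength` on that expectation is a single-line disable and needs no matching enable, but it is the only one in the hunk although the 711 and 712 expectations are nearly as long, so the configured limit presumably falls between them; worth confirming rather than assuming. `result` and the `it` examples' enclosing block are defined outside the hunk.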
@@ -5,180 +5,12 @@ describe 'firewall bridging' do iptables_flush_all_tables ip6tables_flush_all_tables end - describe 'iptables physdev tests' do - context 'when physdev_in eth0' do - pp1 = <<-PUPPETCODE - class { '::firewall': } - firewall { '701 - test': - chain => 'FORWARD', - proto => tcp, - port => '701', - action => accept, - physdev_in => 'eth0', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp1, catch_failures: true) - apply_manifest(pp1, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT}) - end - end - end - - context 'when physdev_out eth1' do - pp2 = <<-PUPPETCODE - class { '::firewall': } - firewall { '702 - test': - chain => 'FORWARD', - proto => tcp, - port => '702', - action => accept, - physdev_out => 'eth1', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp2, catch_failures: true) - apply_manifest(pp2, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT}) - end - end - end - - context 'when physdev_in eth0 and physdev_out eth1' do - pp3 = <<-PUPPETCODE - class { '::firewall': } - firewall { '703 - test': - chain => 'FORWARD', - proto => tcp, - port => '703', - action => accept, - physdev_in => 'eth0', - physdev_out => 'eth1', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp3, catch_failures: true) - apply_manifest(pp3, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT}) - end - end - end - - context 'when physdev_is_bridged' 
do - pp4 = <<-PUPPETCODE - class { '::firewall': } - firewall { '704 - test': - chain => 'FORWARD', - proto => tcp, - port => '704', - action => accept, - physdev_is_bridged => true, - } - PUPPETCODE - it 'applies' do - apply_manifest(pp4, catch_failures: true) - apply_manifest(pp4, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT}) - end - end - end - - context 'when physdev_in eth0 and physdev_is_bridged' do - pp5 = <<-PUPPETCODE - class { '::firewall': } - firewall { '705 - test': - chain => 'FORWARD', - proto => tcp, - port => '705', - action => accept, - physdev_in => 'eth0', - physdev_is_bridged => true, - } - PUPPETCODE - it 'applies' do - apply_manifest(pp5, catch_failures: true) - apply_manifest(pp5, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT}) - end - end - end - - context 'when physdev_out eth1 and physdev_is_bridged' do - pp6 = <<-PUPPETCODE - class { '::firewall': } - firewall { '706 - test': - chain => 'FORWARD', - proto => tcp, - port => '706', - action => accept, - physdev_out => 'eth1', - physdev_is_bridged => true, - } - PUPPETCODE - it 'applies' do - apply_manifest(pp6, catch_failures: true) - apply_manifest(pp6, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT}) - end - end - end - - context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do - pp7 = <<-PUPPETCODE - class { 
'::firewall': } - firewall { '707 - test': - chain => 'FORWARD', - proto => tcp, - port => '707', - action => accept, - physdev_in => 'eth0', - physdev_out => 'eth1', - physdev_is_bridged => true, - } - PUPPETCODE - it 'applies' do - apply_manifest(pp7, catch_failures: true) - apply_manifest(pp7, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT}) - end - end - end - end - - # iptables version 1.3.5 is not suppored by the ip6tables provider - if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} - describe 'ip6tables physdev tests' do - context 'when physdev_in eth0' do - pp8 = <<-PUPPETCODE + # iptables version 1.3.5 is not suppored by the ip6tables provider + if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} + describe 'ip6tables physdev tests' do + context 'when physdev_in eth0' do + pp8 = <<-PUPPETCODE class { '::firewall': } firewall { '701 - test': provider => 'ip6tables', 
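Review bot: The re-indented line `+ # iptables version 1.3.5 is not suppored by the ip6tables provider` keeps the typo of the removed line; since the line is already being rewritten, make it `# iptables version 1.3.5 is not supported by the ip6tables provider`. With the iptables `describe` block deleted, everything that remains in this file sits under the `default['platform']` guard, so on el-5 and sles-10 hosts the spec presumably runs its flush hook and then no examples at all; a short comment above the `if` stating that the file is now ip6tables-only, or a `skip` with a reason, would make that visible in the test output instead of silent. The `describe 'firewall bridging'` block and the hook that ends at the top of the hunk start before it, and the pp8 heredoc continues past its last line.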
@@ -189,20 +21,20 @@ describe 'firewall bridging' do physdev_in => 'eth0', } PUPPETCODE - it 'applies' do - apply_manifest(pp8, catch_failures: true) - apply_manifest(pp8, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp8, catch_failures: true) + apply_manifest(pp8, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT}) + end end end - end - context 'when physdev_out eth1' do - pp9 = <<-PUPPETCODE + context 'when physdev_out eth1' do + pp9 = <<-PUPPETCODE class { '::firewall': } firewall { '702 - test': provider => 'ip6tables', @@ -213,20 +45,20 @@ describe 'firewall bridging' do physdev_out => 'eth1', } PUPPETCODE - it 'applies' do - apply_manifest(pp9, catch_failures: true) - apply_manifest(pp9, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp9, catch_failures: true) + apply_manifest(pp9, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT}) + end end end - end - context 'when physdev_in eth0 and physdev_out eth1' do - pp10 = <<-PUPPETCODE + context 'when physdev_in eth0 and physdev_out eth1' do + pp10 = <<-PUPPETCODE class { '::firewall': } firewall { '703 - test': provider => 'ip6tables', 
@@ -238,20 +70,20 @@ describe 'firewall bridging' do physdev_out => 'eth1', } PUPPETCODE - it 'applies' do - apply_manifest(pp10, catch_failures: true) - apply_manifest(pp10, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp10, catch_failures: true) + apply_manifest(pp10, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT}) + end end end - end - context 'when physdev_is_bridged' do - pp11 = <<-PUPPETCODE + context 'when physdev_is_bridged' do + pp11 = <<-PUPPETCODE class { '::firewall': } firewall { '704 - test': provider => 'ip6tables', 
@@ -262,20 +94,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp11, catch_failures: true) - apply_manifest(pp11, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp11, catch_failures: true) + apply_manifest(pp11, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT}) + end end end - end - context 'when physdev_in eth0 and physdev_is_bridged' do - pp12 = <<-PUPPETCODE + context 'when physdev_in eth0 and physdev_is_bridged' do + pp12 = <<-PUPPETCODE class { '::firewall': } firewall { '705 - test': provider => 'ip6tables', 
@@ -287,20 +119,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp12, catch_failures: true) - apply_manifest(pp12, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp12, catch_failures: true) + apply_manifest(pp12, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT}) + end end end - end - context 'when physdev_out eth1 and physdev_is_bridged' do - pp13 = <<-PUPPETCODE + context 'when physdev_out eth1 and physdev_is_bridged' do + pp13 = <<-PUPPETCODE class { '::firewall': } firewall { '706 - test': provider => 'ip6tables', 
@@ -312,20 +144,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp13, catch_failures: true) - apply_manifest(pp13, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp13, catch_failures: true) + apply_manifest(pp13, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT}) + end end end - end - context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do - pp14 = <<-PUPPETCODE + context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do + pp14 = <<-PUPPETCODE class { '::firewall': } firewall { '707 - test': provider => 'ip6tables', 
@@ -338,20 +170,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp14, catch_failures: true) - apply_manifest(pp14, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp14, catch_failures: true) + apply_manifest(pp14, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT}) # rubocop:disable Metrics/LineLength + end end end - end - context 'when physdev_is_in' do - pp15 = <<-PUPPETCODE + context 'when physdev_is_in' do + pp15 = <<-PUPPETCODE class { '::firewall': } firewall { '708 - test': provider => 'ip6tables', 
@@ -362,20 +194,20 @@ describe 'firewall bridging' do physdev_is_in => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp15, catch_failures: true) - apply_manifest(pp15, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp15, catch_failures: true) + apply_manifest(pp15, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT}) + end end end - end - context 'when physdev_is_out' do - pp16 = <<-PUPPETCODE + context 'when physdev_is_out' do + pp16 = <<-PUPPETCODE class { '::firewall': } firewall { '709 - test': provider => 'ip6tables', @@ -386,14 +218,15 @@ describe 'firewall bridging' do physdev_is_out => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp16, catch_failures: true) - apply_manifest(pp16, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp16, catch_failures: true) + apply_manifest(pp16, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT}) + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT}) + end end end end -- 2.45.2