From 9c62ccfa04f70d9c6eb87e58a8a1aca654a80fc9 Mon Sep 17 00:00:00 2001
From: David Swan
Date: Wed, 6 Dec 2017 15:42:27 +0000
Subject: [PATCH] FullFix
---
 .rubocop_todo.yml | 23 +-
 lib/puppet/type/firewall.rb | 500 ++++++++--------
 lib/puppet/type/firewallchain.rb | 24 +-
 spec/acceptance/change_source_spec.rb | 8 +-
 spec/acceptance/connlimit_spec.rb | 12 +-
 spec/acceptance/connmark_spec.rb | 6 +-
 spec/acceptance/firewall_bridging_spec.rb | 96 +--
 spec/acceptance/firewall_dscp_spec.rb | 24 +-
 spec/acceptance/firewall_gid_spec.rb | 24 +-
 spec/acceptance/firewall_iptmodules_spec.rb | 36 +-
 spec/acceptance/firewall_mss_spec.rb | 24 +-
 spec/acceptance/firewall_spec.rb | 560 +++++++++---------
 spec/acceptance/firewall_tee_spec.rb | 12 +-
 spec/acceptance/firewall_time_spec.rb | 12 +-
 spec/acceptance/firewall_uid_spec.rb | 24 +-
 spec/acceptance/firewallchain_spec.rb | 34 +-
 spec/acceptance/hashlimit_spec.rb | 24 +-
 spec/acceptance/invert_spec.rb | 12 +-
 spec/acceptance/ip6_fragment_spec.rb | 20 +-
 spec/acceptance/isfragment_spec.rb | 8 +-
 spec/acceptance/match_mark_spec.rb | 12 +-
 spec/acceptance/nflog_spec.rb | 24 +-
 spec/acceptance/params_spec.rb | 44 +-
 spec/acceptance/purge_spec.rb | 42 +-
 spec/acceptance/resource_cmd_spec.rb | 22 +-
 spec/acceptance/rules_spec.rb | 8 +-
 spec/acceptance/socket_spec.rb | 8 +-
 spec/acceptance/standard_usage_spec.rb | 4 +-
 .../classes/firewall_linux_archlinux_spec.rb | 4 +-
 .../classes/firewall_linux_debian_spec.rb | 12 +-
 .../classes/firewall_linux_gentoo_spec.rb | 4 +-
 .../classes/firewall_linux_redhat_spec.rb | 14 +-
 spec/unit/classes/firewall_spec.rb | 14 +-
 .../iptables_persistent_version_spec.rb | 4 +-
 spec/unit/puppet/provider/ip6tables_spec.rb | 4 +-
 spec/unit/puppet/type/firewallchain_spec.rb | 12 +-
 36 files changed, 849 insertions(+), 866 deletions(-)
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index af4b236..cab617e 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1,37 +1,20 @@ # This configuration was generated by # `rubocop --auto-gen-config` -# on 2017-12-06 15:37:07 +0000 using RuboCop version 0.51.0. +# on 2017-12-06 17:50:51 +0000 using RuboCop version 0.51.0. # The point is for the user to remove these configuration records # one by one as the offenses are removed from the code base. # Note that changes in the inspected code, or installation of new # versions of RuboCop, may require this file to be generated again. -# Offense count: 46 +# Offense count: 43 +# Causes errors Lint/BooleanSymbol: Exclude: - 'lib/puppet/provider/firewall/ip6tables.rb' - 'lib/puppet/provider/firewall/iptables.rb' - 'lib/puppet/type/firewall.rb' - - 'lib/puppet/type/firewallchain.rb' # Offense count: 2 Lint/RescueWithoutErrorClass: Exclude: - 'lib/puppet/util/firewall.rb' - -# Offense count: 320 -# Configuration parameters: Blacklist. -# Blacklist: END, (?-mix:EO[A-Z]{1}) -Naming/HeredocDelimiterNaming: - Enabled: false - -# Offense count: 192 -# Configuration parameters: Prefixes. -# Prefixes: when, with, without -RSpec/ContextWording: - Enabled: false - -# Offense count: 4 -Style/CommentedKeyword: - Exclude: - - 'spec/unit/puppet/type/firewallchain_spec.rb' diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 1307f13..a859f28 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -12,7 +12,7 @@ require 'puppet/util/firewall' Puppet::Type.newtype(:firewall) do include Puppet::Util::Firewall - @doc = <<-EOS + @doc = <<-PUPPETCODE This type provides the capability to manage firewall rules within puppet. @@ -26,7 +26,7 @@ Puppet::Type.newtype(:firewall) do and the provider is iptables or ip6tables, the firewall resource will autorequire those packages to ensure that any required binaries are installed. - EOS + PUPPETCODE feature :connection_limiting, 'Connection limiting features.' feature :hop_limiting, 'Hop limiting features.' 
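Review bot: The added `# Causes errors` line above `Lint/BooleanSymbol` does not say what breaks or why the cop stays excluded for the two providers and the firewall type, so whoever next regenerates this file cannot tell whether the exclusion is still needed. The firewall type hunks in this same commit use `newvalues(:true, :false)` throughout, which looks like exactly what that cop would rewrite, so a comment naming the reason would carry it: `# Lint/BooleanSymbol would rewrite the :true/:false newvalues the firewall types depend on; keep excluded`. Since this file is produced by `rubocop --auto-gen-config`, a hand-written comment here is likely to be lost on the next regeneration, so the reason may belong in `.rubocop.yml` instead.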
@@ -73,9 +73,9 @@ Puppet::Type.newtype(:firewall) do feature :iptables, 'The provider provides iptables features.' ensurable do - desc <<-EOS + desc <<-PUPPETCODE Manage the state of this rule. The default action is *present*. - EOS + PUPPETCODE newvalue(:present) do provider.insert @@ -89,7 +89,7 @@ Puppet::Type.newtype(:firewall) do end newparam(:name) do - desc <<-EOS + desc <<-PUPPETCODE The canonical name of the rule. This name is also used for ordering so make sure you prefix the rule with a number: @@ -98,7 +98,7 @@ Puppet::Type.newtype(:firewall) do Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. - EOS + PUPPETCODE isnamevar # Keep rule names simple - they must start with a number @@ -106,7 +106,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:action) do - desc <<-EOS + desc <<-PUPPETCODE This is the action to perform on a match. Can be one of: * accept - the packet is accepted @@ -115,13 +115,13 @@ Puppet::Type.newtype(:firewall) do If you specify no value it will simply match the rule but perform no action unless you provide a provider specific parameter (such as *jump*). - EOS + PUPPETCODE newvalues(:accept, :reject, :drop) end # Generic matching properties newproperty(:source) do - desc <<-EOS + desc <<-PUPPETCODE The source address. For example: source => '192.168.2.0/24' @@ -131,7 +131,7 @@ Puppet::Type.newtype(:firewall) do source => '! 192.168.2.0/24' The source can also be an IPv6 address if your provider supports it. - EOS + PUPPETCODE munge do |value| case @resource[:provider] @@ -153,13 +153,13 @@ Puppet::Type.newtype(:firewall) do # Source IP range newproperty(:src_range, required_features: :iprange) do - desc <<-EOS + desc <<-PUPPETCODE The source IP range. For example: src_range => '192.168.1.1-192.168.1.10' The source IP range must be in 'IP1-IP2' format. - EOS + PUPPETCODE validate do |value| matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(value) 
@@ -178,7 +178,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:destination) do - desc <<-EOS + desc <<-PUPPETCODE The destination address to match. For example: destination => '192.168.1.0/24' @@ -188,7 +188,7 @@ Puppet::Type.newtype(:firewall) do destination => '! 192.168.2.0/24' The destination can also be an IPv6 address if your provider supports it. - EOS + PUPPETCODE munge do |value| case @resource[:provider] @@ -210,13 +210,13 @@ Puppet::Type.newtype(:firewall) do # Destination IP range newproperty(:dst_range, required_features: :iprange) do - desc <<-EOS + desc <<-PUPPETCODE The destination IP range. For example: dst_range => '192.168.1.1-192.168.1.10' The destination IP range must be in 'IP1-IP2' format. - EOS + PUPPETCODE validate do |value| matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(value) @@ -235,7 +235,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:sport, array_matching: :all) do - desc <<-EOS + desc <<-PUPPETCODE The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. @@ -248,7 +248,7 @@ Puppet::Type.newtype(:firewall) do 1-1024 This would cover ports 1 to 1024. - EOS + PUPPETCODE munge do |value| @resource.string_to_port(value, :proto) @@ -265,7 +265,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:dport, array_matching: :all) do - desc <<-EOS + desc <<-PUPPETCODE The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array. @@ -278,7 +278,7 @@ Puppet::Type.newtype(:firewall) do 1-1024 This would cover ports 1 to 1024. - EOS + PUPPETCODE munge do |value| @resource.string_to_port(value, :proto) @@ -295,7 +295,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:port, array_matching: :all) do - desc <<-EOS + desc <<-PUPPETCODE DEPRECATED The destination or source port to match for this filter (if the protocol 
@@ -310,7 +310,7 @@ Puppet::Type.newtype(:firewall) do 1-1024 This would cover ports 1 to 1024. - EOS + PUPPETCODE validate do |_value| Puppet.warning('Passing port to firewall is deprecated and will be removed. Use dport and/or sport instead.') @@ -331,7 +331,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:dst_type, required_features: :address_type) do - desc <<-EOS + desc <<-PUPPETCODE The destination address type. For example: dst_type => 'LOCAL' @@ -350,7 +350,7 @@ Puppet::Type.newtype(:firewall) do * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented - EOS + PUPPETCODE newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| @@ -359,7 +359,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:src_type, required_features: :address_type) do - desc <<-EOS + desc <<-PUPPETCODE The source address type. For example: src_type => 'LOCAL' @@ -378,7 +378,7 @@ Puppet::Type.newtype(:firewall) do * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented - EOS + PUPPETCODE newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| @@ -387,10 +387,10 @@ Puppet::Type.newtype(:firewall) do end newproperty(:proto) do - desc <<-EOS + desc <<-PUPPETCODE The specific protocol to match for this rule. By default this is *tcp*. - EOS + PUPPETCODE newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| [proto, "! #{proto}".to_sym] 
@@ -400,14 +400,14 @@ Puppet::Type.newtype(:firewall) do # tcp-specific newproperty(:mss) do - desc <<-EOS + desc <<-PUPPETCODE Match a given TCP MSS value or range. - EOS + PUPPETCODE end # tcp-specific newproperty(:tcp_flags, required_features: :tcp_flags) do - desc <<-EOS + desc <<-PUPPETCODE Match when the TCP flags are as specified. Is a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. @@ -417,12 +417,12 @@ Puppet::Type.newtype(:firewall) do Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation. - EOS + PUPPETCODE end # Iptables specific newproperty(:chain, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Name of the chain to use. Can be one of the built-ins: * INPUT @@ -434,14 +434,14 @@ Puppet::Type.newtype(:firewall) do Or you can provide a user-based chain. The default value is 'INPUT'. - EOS + PUPPETCODE defaultto 'INPUT' newvalue(%r{^[a-zA-Z0-9\-_]+$}) end newproperty(:table, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Table to use. Can be one of: * nat @@ -451,14 +451,14 @@ Puppet::Type.newtype(:firewall) do * rawpost By default the setting is 'filter'. - EOS + PUPPETCODE newvalues(:nat, :mangle, :filter, :raw, :rawpost) defaultto 'filter' end newproperty(:jump, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE The value for the iptables --jump parameter. Normal values are: * QUEUE 
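Review bot: The `chain` pattern `newvalue(%r{^[a-zA-Z0-9\-_]+$})` uses `^`/`$`, which in Ruby anchor at line boundaries rather than at the ends of the string, so a value containing a newline after a valid chain name still passes validation. The same anchoring appears in the `jump` and `goto` validators in the following hunks, in `iniface`/`outiface`, in the `connlimit_above`/`connlimit_mask`/`hop_limit`/`burst` patterns, and in `mac_source`/`physdev_in`/`physdev_out` later in this file. Whether such a value reaches the iptables command line unescaped depends on the provider, which is not part of this diff, but validation of a name that ends up in a command should anchor the whole string: `newvalue(%r{\A[a-zA-Z0-9\-_]+\z})`.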
@@ -479,27 +479,27 @@ Puppet::Type.newtype(:firewall) do If you set both 'accept' and 'jump' parameters, you will get an error as only one of the options should be set. - EOS + PUPPETCODE validate do |value| unless value =~ %r{^[a-zA-Z0-9\-_]+$} - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE Jump destination must consist of alphanumeric characters, an underscore or a yphen. - EOS + PUPPETCODE end if %w[accept reject drop].include?(value.downcase) - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE Jump destination should not be one of ACCEPT, REJECT or DROP. Use the action property instead. - EOS + PUPPETCODE end end end newproperty(:goto, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE The value for the iptables --goto parameter. Normal values are: * QUEUE 
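Review bot: The error raised by the `jump` validator reads `an underscore or a yphen.`; the word should be `hyphen`, and the `goto` validator in the next hunk carries the same typo. Both messages are heredoc bodies this commit re-delimits, so this is the natural place to correct them: `an underscore or a hyphen.`.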
@@ -512,98 +512,98 @@ Puppet::Type.newtype(:firewall) do * MARK But any valid chain name is allowed. - EOS + PUPPETCODE validate do |value| unless value =~ %r{^[a-zA-Z0-9\-_]+$} - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE Goto destination must consist of alphanumeric characters, an underscore or a yphen. - EOS + PUPPETCODE end if %w[accept reject drop].include?(value.downcase) - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE Goto destination should not be one of ACCEPT, REJECT or DROP. Use the action property instead. - EOS + PUPPETCODE end end end # Interface specific matching properties newproperty(:iniface, required_features: :interface_match) do - desc <<-EOS + desc <<-PUPPETCODE Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this: iniface => '! lo', - EOS + PUPPETCODE newvalues(%r{^!?\s?[a-zA-Z0-9\-\._\+\:]+$}) end newproperty(:outiface, required_features: :interface_match) do - desc <<-EOS + desc <<-PUPPETCODE Output interface to filter on. Supports interface alias like eth0:0. To negate the match try this: outiface => '! lo', - EOS + PUPPETCODE newvalues(%r{^!?\s?[a-zA-Z0-9\-\._\+\:]+$}) end # NAT specific properties newproperty(:tosource, required_features: :snat) do - desc <<-EOS + desc <<-PUPPETCODE When using jump => "SNAT" you can specify the new source address using this parameter. - EOS + PUPPETCODE end newproperty(:todest, required_features: :dnat) do - desc <<-EOS + desc <<-PUPPETCODE When using jump => "DNAT" you can specify the new destination address using this paramter. - EOS + PUPPETCODE end newproperty(:toports, required_features: :dnat) do - desc <<-EOS + desc <<-PUPPETCODE For DNAT this is the port that will replace the destination port. 
- EOS + PUPPETCODE end newproperty(:to, required_features: :netmap) do - desc <<-EOS + desc <<-PUPPETCODE For NETMAP this will replace the destination IP - EOS + PUPPETCODE end newproperty(:random, required_features: :dnat) do - desc <<-EOS + desc <<-PUPPETCODE When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping. - EOS + PUPPETCODE newvalues(:true, :false) end # Reject ICMP type newproperty(:reject, required_features: :reject_type) do - desc <<-EOS + desc <<-PUPPETCODE When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender. - EOS + PUPPETCODE end # Logging properties newproperty(:log_level, required_features: :log_level) do - desc <<-EOS + desc <<-PUPPETCODE When combined with jump => "LOG" specifies the system log level to log to. - EOS + PUPPETCODE munge do |value| if value.is_a?(String) @@ -620,27 +620,27 @@ Puppet::Type.newtype(:firewall) do end newproperty(:log_prefix, required_features: :log_prefix) do - desc <<-EOS + desc <<-PUPPETCODE When combined with jump => "LOG" specifies the log prefix to use when logging. - EOS + PUPPETCODE end newproperty(:log_uid, required_features: :log_uid) do - desc <<-EOS + desc <<-PUPPETCODE When combined with jump => "LOG" specifies the uid of the process making the connection. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:nflog_group, required_features: :nflog_group) do - desc <<-EOS + desc <<-PUPPETCODE Used with the jump target NFLOG. The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). Defaults to 0. - EOS + PUPPETCODE validate do |value| if value.to_i > (2**16) - 1 || value.to_i < 0 
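Review bot: The `nflog_group` range check `if value.to_i > (2**16) - 1 || value.to_i < 0` never rejects a non-numeric value, because `String#to_i` returns 0 for input such as `'abc'` and 12 for `'12abc'`, so malformed values silently pass as a group number. A digits-only check ahead of the range check closes that gap: `raise ArgumentError, 'nflog_group must be an integer' unless value.to_s =~ %r{\A\d+\z}`. The validate block continues past the end of this hunk, so I cannot see whether a later line already handles this.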
@@ -658,11 +658,11 @@ Puppet::Type.newtype(:firewall) do end newproperty(:nflog_prefix, required_features: :nflog_prefix) do - desc <<-EOS + desc <<-PUPPETCODE Used with the jump target NFLOG. A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs. - EOS + PUPPETCODE validate do |value| if value.length > 64 @@ -672,20 +672,20 @@ Puppet::Type.newtype(:firewall) do end newproperty(:nflog_range, required_features: :nflog_range) do - desc <<-EOS + desc <<-PUPPETCODE Used with the jump target NFLOG. The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it. - EOS + PUPPETCODE end newproperty(:nflog_threshold, required_features: :nflog_threshold) do - desc <<-EOS + desc <<-PUPPETCODE Used with the jump target NFLOG. Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1. - EOS + PUPPETCODE munge do |value| if value.is_a?(String) && value =~ %r{^[-0-9]+$} @@ -698,14 +698,14 @@ Puppet::Type.newtype(:firewall) do # ICMP matching property newproperty(:icmp, required_features: :icmp_match) do - desc <<-EOS + desc <<-PUPPETCODE When matching ICMP packets, this is the type of ICMP packet to match. A value of "any" is not supported. To achieve this behaviour the parameter should simply be omitted or undefined. An array of values is also not supported. To match against multiple ICMP types, please use separate rules for each ICMP type. - EOS + PUPPETCODE validate do |value| if value == 'any' 
@@ -745,7 +745,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:state, array_matching: :all, required_features: :state_match) do - desc <<-EOS + desc <<-PUPPETCODE Matches a packet based on its state in the firewall stateful inspection table. Values can be: @@ -754,7 +754,7 @@ Puppet::Type.newtype(:firewall) do * NEW * RELATED * UNTRACKED - EOS + PUPPETCODE newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED) @@ -775,7 +775,7 @@ Puppet::Type.newtype(:firewall) do end newproperty(:ctstate, array_matching: :all, required_features: :state_match) do - desc <<-EOS + desc <<-PUPPETCODE Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be: @@ -784,7 +784,7 @@ Puppet::Type.newtype(:firewall) do * NEW * RELATED * UNTRACKED - EOS + PUPPETCODE newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED) @@ -806,10 +806,10 @@ Puppet::Type.newtype(:firewall) do # Connection mark newproperty(:connmark, required_features: :mark) do - desc <<-EOS + desc <<-PUPPETCODE Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already. - EOS + PUPPETCODE munge do |value| int_or_hex = '[a-fA-F0-9x]' match = value.to_s.match("(#{int_or_hex}+)(/)?(#{int_or_hex}+)?") 
@@ -833,52 +833,52 @@ Puppet::Type.newtype(:firewall) do # Connection limiting properties newproperty(:connlimit_above, required_features: :connection_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Connection limiting value for matched connections above n. - EOS + PUPPETCODE newvalue(%r{^\d+$}) end newproperty(:connlimit_mask, required_features: :connection_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Connection limiting by subnet mask for matched connections. IPv4: 0-32 IPv6: 0-128 - EOS + PUPPETCODE newvalue(%r{^\d+$}) end # Hop limiting properties newproperty(:hop_limit, required_features: :hop_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Hop limiting value for matched packets. - EOS + PUPPETCODE newvalue(%r{^\d+$}) end # Rate limiting properties newproperty(:limit, required_features: :rate_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Rate limiting value for matched packets. The format is: rate/[/second/|/minute|/hour|/day]. Example values are: '50/sec', '40/min', '30/hour', '10/day'." - EOS + PUPPETCODE end newproperty(:burst, required_features: :rate_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Rate limiting burst value (per second) before limit checks apply. - EOS + PUPPETCODE newvalue(%r{^\d+$}) end newproperty(:uid, required_features: :owner) do - desc <<-EOS + desc <<-PUPPETCODE UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. - EOS + PUPPETCODE def insync?(is) require 'etc' @@ -921,11 +921,11 @@ Puppet::Type.newtype(:firewall) do end newproperty(:gid, required_features: :owner) do - desc <<-EOS + desc <<-PUPPETCODE GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement. - EOS + PUPPETCODE def insync?(is) require 'etc' 
@@ -969,10 +969,10 @@ Puppet::Type.newtype(:firewall) do # match mark newproperty(:match_mark, required_features: :mark) do - desc <<-EOS + desc <<-PUPPETCODE Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already. - EOS + PUPPETCODE munge do |value| mark_regex = %r{\A((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i match = value.to_s.match(mark_regex) @@ -998,10 +998,10 @@ Puppet::Type.newtype(:firewall) do end newproperty(:set_mark, required_features: :mark) do - desc <<-EOS + desc <<-PUPPETCODE Set the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already. - EOS + PUPPETCODE munge do |value| int_or_hex = '[a-fA-F0-9x]' @@ -1040,23 +1040,23 @@ Puppet::Type.newtype(:firewall) do end newproperty(:clamp_mss_to_pmtu, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Sets the clamp mss to pmtu flag. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:set_dscp, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Set DSCP Markings. - EOS + PUPPETCODE end newproperty(:set_dscp_class, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE This sets the DSCP field according to a predefined DiffServ class. - EOS + PUPPETCODE # iptables uses the cisco DSCP classes as the basis for this flag. Values may be found here: # 'http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/10103-dscpvalues.html' valid_codes = %w[ 
@@ -1072,29 +1072,29 @@ Puppet::Type.newtype(:firewall) do end newproperty(:set_mss, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Sets the TCP MSS value for packets. - EOS + PUPPETCODE end newproperty(:pkttype, required_features: :pkttype) do - desc <<-EOS + desc <<-PUPPETCODE Sets the packet type to match. - EOS + PUPPETCODE newvalues(:unicast, :broadcast, :multicast) end newproperty(:isfragment, required_features: :isfragment) do - desc <<-EOS + desc <<-PUPPETCODE Set to true to match tcp fragments (requires type to be set to tcp) - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:recent, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example: @@ -1119,7 +1119,7 @@ Puppet::Type.newtype(:firewall) do action => 'DROP', chain => 'FORWARD', } - EOS + PUPPETCODE newvalues(:set, :update, :rcheck, :remove) munge do |value| 
@@ -1128,59 +1128,59 @@ Puppet::Type.newtype(:firewall) do end newproperty(:rdest, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; add the destination IP address to the list. Must be boolean true. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:rsource, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; add the source IP address to the list. Must be boolean true. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:rname, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; The name of the list. Takes a string argument. - EOS + PUPPETCODE end newproperty(:rseconds, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. - EOS + PUPPETCODE end newproperty(:reap, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; can only be used in conjunction with the `rseconds` attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:rhitcount, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; used in conjunction with `recent => 'update'` or `recent => 'rcheck'. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. - EOS + PUPPETCODE end newproperty(:rttl, required_features: :recent_limiting) do - desc <<-EOS + desc <<-PUPPETCODE Recent module; may only be used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. 
When used, this will narrow the match to only happen when the address is in the list and the TTL of the current 
@@ -1188,138 +1188,138 @@ Puppet::Type.newtype(:firewall) do This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. Must be boolean true. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:socket, required_features: :socket) do - desc <<-EOS + desc <<-PUPPETCODE If true, matches if an open socket can be found by doing a coket lookup on the packet. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:ishasmorefrags, required_features: :ishasmorefrags) do - desc <<-EOS + desc <<-PUPPETCODE If true, matches if the packet has it's 'more fragments' bit set. ipv6. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:islastfrag, required_features: :islastfrag) do - desc <<-EOS + desc <<-PUPPETCODE If true, matches if the packet is the last fragment. ipv6. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:isfirstfrag, required_features: :isfirstfrag) do - desc <<-EOS + desc <<-PUPPETCODE If true, matches if the packet is the first fragment. Sadly cannot be negated. ipv6. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:ipsec_policy, required_features: :ipsec_policy) do - desc <<-EOS + desc <<-PUPPETCODE Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. - EOS + PUPPETCODE newvalues(:none, :ipsec) end newproperty(:ipsec_dir, required_features: :ipsec_dir) do - desc <<-EOS + desc <<-PUPPETCODE Sets the ipsec policy direction - EOS + PUPPETCODE newvalues(:in, :out) end newproperty(:stat_mode) do - desc <<-EOS + desc <<-PUPPETCODE Set the matching mode for statistic matching. Supported modes are `random` and `nth`. - EOS + PUPPETCODE newvalues(:nth, :random) end newproperty(:stat_every) do - desc <<-EOS + desc <<-PUPPETCODE Match one packet every nth packet. 
Requires `stat_mode => 'nth'` - EOS + PUPPETCODE validate do |value| unless value =~ %r{^\d+$} - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE stat_every value must be a digit - EOS + PUPPETCODE end unless value.to_i > 0 - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE stat_every value must be larger than 0 - EOS + PUPPETCODE end end end newproperty(:stat_packet) do - desc <<-EOS + desc <<-PUPPETCODE Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'` - EOS + PUPPETCODE newvalues(%r{^\d+$}) end newproperty(:stat_probability) do - desc <<-EOS + desc <<-PUPPETCODE Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`. - EOS + PUPPETCODE validate do |value| unless value =~ %r{^([01])\.(\d+)$} - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE stat_probability must be between 0.0 and 1.0 - EOS + PUPPETCODE end if Regexp.last_match(1).to_i == 1 && Regexp.last_match(2).to_i != 0 - raise ArgumentError, <<-EOS + raise ArgumentError, <<-PUPPETCODE start_probability must be between 0.0 and 1.0 - EOS + PUPPETCODE end end end newproperty(:mask, required_features: :mask) do - desc <<-EOS + desc <<-PUPPETCODE Sets the mask to use when `recent` is enabled. - EOS + PUPPETCODE end newproperty(:gateway, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE The TEE target will clone a packet and redirect this clone to another machine on the local network segment. gateway is the target host's IP. - EOS + PUPPETCODE end newproperty(:ipset, required_features: :ipset, array_matching: :all) do - desc <<-EOS + desc <<-PUPPETCODE Matches against the specified ipset list. Requires ipset kernel module. Will accept a single element or an array. The value is the name of the blacklist, followed by a space, and then 'src' and/or 'dst' separated by a comma. 
For example: 'blacklist src,dst' - EOS + PUPPETCODE def to_s?(value) should_to_s(value) 
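Review bot: The second `ArgumentError` in the `stat_probability` validator says `start_probability must be between 0.0 and 1.0`, naming a property that does not exist in this type; it should match the first message, `stat_probability must be between 0.0 and 1.0`. The `socket` description in the same hunk reads `a coket lookup`, which should be `a socket lookup`. Both strings sit inside heredocs this commit re-delimits, so they can be fixed here without a separate change.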
@@ -1332,80 +1332,80 @@ Puppet::Type.newtype(:firewall) do end newproperty(:checksum_fill, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Compute and fill missing packet checksums. - EOS + PUPPETCODE newvalues(:true, :false) end newparam(:line) do - desc <<-EOS + desc <<-PUPPETCODE Read-only property for caching the rule line. - EOS + PUPPETCODE end newproperty(:mac_source) do - desc <<-EOS + desc <<-PUPPETCODE MAC Source - EOS + PUPPETCODE newvalues(%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i) end newproperty(:physdev_in, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Match if the packet is entering a bridge from the given interface. - EOS + PUPPETCODE newvalues(%r{^[a-zA-Z0-9\-\._\+]+$}) end newproperty(:physdev_out, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Match if the packet is leaving a bridge via the given interface. - EOS + PUPPETCODE newvalues(%r{^[a-zA-Z0-9\-\._\+]+$}) end newproperty(:physdev_is_bridged, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Match if the packet is transversing a bridge. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:physdev_is_in, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Matches if the packet has entered through a bridge interface. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:physdev_is_out, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Matches if the packet will leave through a bridge interface. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:date_start, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 - EOS + PUPPETCODE end newproperty(:date_stop, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Only match during the given time, which must be in ISO 8601 "T" notation. 
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 - EOS + PUPPETCODE end newproperty(:time_start, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. - EOS + PUPPETCODE munge do |value| if value =~ %r{^([0-9]):} @@ -1421,10 +1421,10 @@ Puppet::Type.newtype(:firewall) do end newproperty(:time_stop, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. - EOS + PUPPETCODE munge do |value| if value =~ %r{^([0-9]):} @@ -1440,11 +1440,11 @@ Puppet::Type.newtype(:firewall) do end newproperty(:month_days, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February. - EOS + PUPPETCODE validate do |value| month = value.to_i 
@@ -1458,85 +1458,85 @@ Puppet::Type.newtype(:firewall) do end newproperty(:week_days, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun. - EOS + PUPPETCODE newvalues(:Mon, :Tue, :Wed, :Thu, :Fri, :Sat, :Sun) end newproperty(:time_contiguous, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:kernel_timezone, required_features: :iptables) do - desc <<-EOS + desc <<-PUPPETCODE Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:clusterip_new, required_features: :clusterip) do - desc <<-EOS + desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:clusterip_hashmode, required_features: :clusterip) do - desc <<-EOS + desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the hashing mode. Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport. - EOS + PUPPETCODE newvalues(:sourceip, :'sourceip-sourceport', :'sourceip-sourceport-destport') end newproperty(:clusterip_clustermac, required_features: :clusterip) do - desc <<-EOS + desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the ClusterIP MAC address. Has to be a link-layer multicast address. - EOS + PUPPETCODE newvalues(%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i) end newproperty(:clusterip_total_nodes, required_features: :clusterip) do - desc <<-EOS + desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Number of total nodes within this cluster. 
- EOS + PUPPETCODE newvalues(%r{\d+}) end newproperty(:clusterip_local_node, required_features: :clusterip) do - desc <<-EOS + desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. - EOS + PUPPETCODE newvalues(%r{\d+}) end newproperty(:clusterip_hash_init, required_features: :clusterip) do - desc <<-EOS + desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. - EOS + PUPPETCODE end newproperty(:length, required_features: :length) do - desc <<-EOS + desc <<-PUPPETCODE Sets the length of layer-3 payload to match. - EOS + PUPPETCODE munge do |value| match = value.to_s.match('^([0-9]+)(-)?([0-9]+)?$') @@ -1563,10 +1563,10 @@ Puppet::Type.newtype(:firewall) do end newproperty(:string, required_features: :string_matching) do - desc <<-EOS + desc <<-PUPPETCODE String matching feature. Matches the packet against the pattern given as an argument. - EOS + PUPPETCODE munge do |value| _value = "'" + value + "'" @@ -1574,30 +1574,30 @@ Puppet::Type.newtype(:firewall) do end newproperty(:string_algo, required_features: :string_matching) do - desc <<-EOS + desc <<-PUPPETCODE String matching feature, pattern matching strategy. - EOS + PUPPETCODE newvalues(:bm, :kmp) end newproperty(:string_from, required_features: :string_matching) do - desc <<-EOS + desc <<-PUPPETCODE String matching feature, offset from which we start looking for any matching. - EOS + PUPPETCODE end newproperty(:string_to, required_features: :string_matching) do - desc <<-EOS + desc <<-PUPPETCODE String matching feature, offset up to which we should scan. - EOS + PUPPETCODE end newproperty(:queue_num, required_features: :queue_num) do - desc <<-EOS + desc <<-PUPPETCODE Used with NFQUEUE jump target. What queue number to send packets to - EOS + PUPPETCODE munge do |value| match = value.to_s.match('^([0-9])*$') if match.nil? 
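Review bot: The description of `clusterip_local_node` is a copy of the `clusterip_hash_init` text ("Specify the random seed used for hash initialization") and does not describe the property; this hunk only swaps the heredoc delimiter, so the wrong text is carried forward. Presumably it maps to the CLUSTERIP target's local node number, in which case `Used with the CLUSTERIP jump target. Specify the local node number within the cluster.` is the intended wording, but confirm against the provider, which is outside this hunk. Also `clusterip_total_nodes` and `clusterip_local_node` validate with the unanchored `%r{\d+}`, which accepts any string that merely contains a digit; `newvalues(%r{\A\d+\z})` on both would ensure only an integer reaches the iptables argument, and `clusterip_hash_init` currently has no validation at all.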
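Review bot: The `queue_num` munge matches against `'^([0-9])*$'`, which accepts the empty string (the group is optional because of `*`) and, since `^`/`$` are per-line anchors in Ruby, any multi-line value that has one all-digit line; the rest of the munge, including what is done when `match` is nil, is outside the hunk. Tightening it to `match = value.to_s.match(%r{\A[0-9]+\z})` keeps the nil check meaningful. `string_from` and `string_to` are documented as offsets but have no `newvalues` or `validate`, so a non-numeric value passes straight through to the provider; `newvalues(%r{\A\d+\z})` on both would close that gap at catalog time.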
@@ -1612,98 +1612,98 @@ Puppet::Type.newtype(:firewall) do end newproperty(:queue_bypass, required_features: :queue_bypass) do - desc <<-EOS + desc <<-PUPPETCODE Used with NFQUEUE jump target Allow packets to bypass :queue_num if userspace process is not listening - EOS + PUPPETCODE newvalues(:true, :false) end newproperty(:src_cc) do - desc <<-EOS + desc <<-PUPPETCODE src attribute for the module geoip - EOS + PUPPETCODE newvalues(%r{^[A-Z]{2}(,[A-Z]{2})*$}) end newproperty(:dst_cc) do - desc <<-EOS + desc <<-PUPPETCODE dst attribute for the module geoip - EOS + PUPPETCODE newvalues(%r{^[A-Z]{2}(,[A-Z]{2})*$}) end newproperty(:hashlimit_name) do - desc <<-EOS + desc <<-PUPPETCODE The name for the /proc/net/ipt_hashlimit/foo entry. This parameter is required. - EOS + PUPPETCODE end newproperty(:hashlimit_upto) do - desc <<-EOS + desc <<-PUPPETCODE Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). This parameter or hashlimit_above is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'. - EOS + PUPPETCODE end newproperty(:hashlimit_above) do - desc <<-EOS + desc <<-PUPPETCODE Match if the rate is above amount/quantum. This parameter or hashlimit_upto is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'. - EOS + PUPPETCODE end newproperty(:hashlimit_burst) do - desc <<-EOS + desc <<-PUPPETCODE Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. 
- EOS + PUPPETCODE newvalue(%r{^\d+$}) end newproperty(:hashlimit_mode) do - desc <<-EOS + desc <<-PUPPETCODE A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. Allowed values are: srcip, srcport, dstip, dstport - EOS + PUPPETCODE end newproperty(:hashlimit_srcmask) do - desc <<-EOS + desc <<-PUPPETCODE When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. - EOS + PUPPETCODE end newproperty(:hashlimit_dstmask) do - desc <<-EOS + desc <<-PUPPETCODE Like --hashlimit-srcmask, but for destination addresses. - EOS + PUPPETCODE end newproperty(:hashlimit_htable_size) do - desc <<-EOS + desc <<-PUPPETCODE The number of buckets of the hash table - EOS + PUPPETCODE end newproperty(:hashlimit_htable_max) do - desc <<-EOS + desc <<-PUPPETCODE Maximum entries in the hash. - EOS + PUPPETCODE end newproperty(:hashlimit_htable_expire) do - desc <<-EOS + desc <<-PUPPETCODE After how many milliseconds do hash entries expire. - EOS + PUPPETCODE end newproperty(:hashlimit_htable_gcinterval) do - desc <<-EOS + desc <<-PUPPETCODE How many milliseconds between garbage collection intervals. - EOS + PUPPETCODE end autorequire(:firewallchain) do diff --git a/lib/puppet/type/firewallchain.rb b/lib/puppet/type/firewallchain.rb index 13c44c1..5a1085f 100644 --- a/lib/puppet/type/firewallchain.rb +++ b/lib/puppet/type/firewallchain.rb 
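Review bot: Of the hashlimit properties in this hunk only `hashlimit_burst` constrains its value (`newvalue(%r{^\d+$})`); `hashlimit_upto`, `hashlimit_above`, `hashlimit_mode`, `hashlimit_srcmask`, `hashlimit_dstmask` and the `hashlimit_htable_*` properties each document a precise format in their desc yet accept any string, so a typo such as `40/sec` or a prefix length outside 0-32 is only rejected when iptables runs and surfaces as a provider failure rather than a catalog validation error. The descriptions already state the contract, so the checks can follow them directly, e.g. `newvalues(%r{\A\d+(/(second|minute|hour|day))?\z})` for `hashlimit_upto`/`hashlimit_above` (extended with an optional `b` if the byte-rate form the desc mentions is meant to be supported) and `newvalues(%r{\A\d+\z})` for the mask, size, max, expire and gcinterval properties. On `hashlimit_burst` itself `^`/`$` match per line in Ruby, so `\A`/`\z` is the safer anchor, and the singular `newvalue` reads as a typo for the `newvalues` used by every other property in the file even though Puppet accepts both. The `src_cc`/`dst_cc` regexes at the top of the hunk have the same anchoring issue.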
@@ -10,7 +10,7 @@ require 'puppet/util/firewall' Puppet::Type.newtype(:firewallchain) do include Puppet::Util::Firewall - @doc = <<-EOS + @doc = <<-PUPPETCODE This type provides the capability to manage rule chains for firewalls. Currently this supports only iptables, ip6tables and ebtables on Linux. And @@ -21,7 +21,7 @@ Puppet::Type.newtype(:firewallchain) do If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables_chain, the firewall resource will autorequire those packages to ensure that any required binaries are installed. - EOS + PUPPETCODE feature :iptables_chain, 'The provider provides iptables chain features.' feature :policy, 'Default policy (inbuilt chains only)' @@ -32,11 +32,11 @@ Puppet::Type.newtype(:firewallchain) do end newparam(:name) do - desc <<-EOS + desc <<-PUPPETCODE The canonical name of the chain. For iptables the format must be {chain}:{table}:{protocol}. - EOS + PUPPETCODE isnamevar validate do |value| @@ -89,7 +89,7 @@ Puppet::Type.newtype(:firewallchain) do end newproperty(:policy) do - desc <<-EOS + desc <<-PUPPETCODE This is the action to when the end of the chain is reached. It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING) and can be one of: @@ -99,7 +99,7 @@ Puppet::Type.newtype(:firewallchain) do * queue - the packet is passed userspace * return - the packet is returned to calling (jump) queue or the default of inbuilt chains - EOS + PUPPETCODE newvalues(:accept, :drop, :queue, :return) defaultto do # ethernet chain have an ACCEPT default while other haven't got an 
@@ -113,15 +113,15 @@ Puppet::Type.newtype(:firewallchain) do end newparam(:purge, boolean: true) do - desc <<-EOS + desc <<-PUPPETCODE Purge unmanaged firewall rules in this chain - EOS - newvalues(:false, :true) - defaultto :false + PUPPETCODE + newvalues(false, true) + defaultto false end newparam(:ignore) do - desc <<-EOS + desc <<-PUPPETCODE Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled). This is matched against the output of `iptables-save`. @@ -140,7 +140,7 @@ Puppet::Type.newtype(:firewallchain) do '--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule ], } - EOS + PUPPETCODE validate do |value| unless value.is_a?(Array) || value.is_a?(String) || value == false diff --git a/spec/acceptance/change_source_spec.rb b/spec/acceptance/change_source_spec.rb index adb397e..34e119c 100644 --- a/spec/acceptance/change_source_spec.rb +++ b/spec/acceptance/change_source_spec.rb @@ -7,7 +7,7 @@ describe 'changing the source' do end describe 'when unmanaged rules exist' do - pp1 = <<-EOS + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '101 test source changes': proto => tcp, @@ -21,7 +21,7 @@ describe 'changing the source' do action => accept, source => '8.0.0.2', } - EOS + PUPPETCODE it 'applies with 8.0.0.1 first' do apply_manifest(pp1, catch_failures: true) end @@ -42,7 +42,7 @@ describe 'changing the source' do end end - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '101 test source changes': proto => tcp, @@ -50,7 +50,7 @@ describe 'changing the source' do action => accept, source => '8.0.0.4', } - EOS + PUPPETCODE it 'changes to 8.0.0.4 second' do expect(apply_manifest(pp2, catch_failures: true).stdout) .to match(%r{Notice: \/Stage\[main\]\/Main\/Firewall\[101 test source changes\]\/source: source changed '8\.0\.0\.1\/32' to '8\.0\.0\.4\/32'}) 
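Review bot: Changing `purge` from `newvalues(:false, :true)`/`defaultto :false` to the bare booleans changes what `self[:purge]` may hold, and every consumer of that value is outside this hunk; `purge` decides whether unmanaged rules in a chain are deleted, so a comparison that silently stops matching either leaves unmanaged rules in place or, in the inverse case, removes rules the operator did not intend. If I remember Puppet's value collection correctly it normalises `true`/`false` passed to `newvalues` back to the `:true`/`:false` symbols on munge, so a `self[:purge] == true` check elsewhere would be just as wrong as the old `== :true`; the accessor that `boolean: true` generates, `purge?`, accepts both forms. Please confirm that the type's `generate` method and the chain provider use `purge?` rather than comparing the raw value, and add a one-line comment on the parameter to keep it that way: `# boolean: true also defines purge?, which accepts true and :true; use it instead of comparing self[:purge]`.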
diff --git a/spec/acceptance/connlimit_spec.rb b/spec/acceptance/connlimit_spec.rb index f291f7b..674e947 100644 --- a/spec/acceptance/connlimit_spec.rb +++ b/spec/acceptance/connlimit_spec.rb @@ -8,8 +8,8 @@ describe 'connlimit property' do if default['platform'] !~ %r{sles-10} describe 'connlimit_above' do - context '10' do - pp1 = <<-EOS + context 'when 10' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '500 - test': proto => tcp, @@ -17,7 +17,7 @@ describe 'connlimit property' do connlimit_above => '10', action => reject, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -33,8 +33,8 @@ describe 'connlimit property' do end describe 'connlimit_mask' do - context '24' do - pp2 = <<-EOS + context 'when 24' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '501 - test': proto => tcp, @@ -43,7 +43,7 @@ describe 'connlimit property' do connlimit_mask => '24', action => reject, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) diff --git a/spec/acceptance/connmark_spec.rb b/spec/acceptance/connmark_spec.rb index 7f8de2d..1408a23 100644 --- a/spec/acceptance/connmark_spec.rb +++ b/spec/acceptance/connmark_spec.rb @@ -2,15 +2,15 @@ require 'spec_helper_acceptance' describe 'connmark property' do describe 'connmark' do - context '50' do - pp = <<-EOS + context 'when 50' do + pp = <<-PUPPETCODE class { '::firewall': } firewall { '502 - test': proto => 'all', connmark => '0x1', action => reject, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp, catch_failures: true) end diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb index b09c31d..813386c 100644 --- a/spec/acceptance/firewall_bridging_spec.rb +++ b/spec/acceptance/firewall_bridging_spec.rb 
@@ -7,8 +7,8 @@ describe 'firewall bridging' do end describe 'iptables physdev tests' do - context 'physdev_in eth0' do - pp1 = <<-EOS + context 'when physdev_in eth0' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '701 - test': chain => 'FORWARD', @@ -17,7 +17,7 @@ describe 'firewall bridging' do action => accept, physdev_in => 'eth0', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -30,8 +30,8 @@ describe 'firewall bridging' do end end - context 'physdev_out eth1' do - pp2 = <<-EOS + context 'when physdev_out eth1' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '702 - test': chain => 'FORWARD', @@ -40,7 +40,7 @@ describe 'firewall bridging' do action => accept, physdev_out => 'eth1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) @@ -53,8 +53,8 @@ describe 'firewall bridging' do end end - context 'physdev_in eth0 and physdev_out eth1' do - pp3 = <<-EOS + context 'when physdev_in eth0 and physdev_out eth1' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '703 - test': chain => 'FORWARD', @@ -64,7 +64,7 @@ describe 'firewall bridging' do physdev_in => 'eth0', physdev_out => 'eth1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) apply_manifest(pp3, catch_changes: do_catch_changes) @@ -77,8 +77,8 @@ describe 'firewall bridging' do end end - context 'physdev_is_bridged' do - pp4 = <<-EOS + context 'when physdev_is_bridged' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '704 - test': chain => 'FORWARD', @@ -87,7 +87,7 @@ describe 'firewall bridging' do action => accept, physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) apply_manifest(pp4, catch_changes: do_catch_changes) 
@@ -100,8 +100,8 @@ describe 'firewall bridging' do end end - context 'physdev_in eth0 and physdev_is_bridged' do - pp5 = <<-EOS + context 'when physdev_in eth0 and physdev_is_bridged' do + pp5 = <<-PUPPETCODE class { '::firewall': } firewall { '705 - test': chain => 'FORWARD', @@ -111,7 +111,7 @@ describe 'firewall bridging' do physdev_in => 'eth0', physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp5, catch_failures: true) apply_manifest(pp5, catch_changes: do_catch_changes) @@ -124,8 +124,8 @@ describe 'firewall bridging' do end end - context 'physdev_out eth1 and physdev_is_bridged' do - pp6 = <<-EOS + context 'when physdev_out eth1 and physdev_is_bridged' do + pp6 = <<-PUPPETCODE class { '::firewall': } firewall { '706 - test': chain => 'FORWARD', @@ -135,7 +135,7 @@ describe 'firewall bridging' do physdev_out => 'eth1', physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp6, catch_failures: true) apply_manifest(pp6, catch_changes: do_catch_changes) @@ -148,8 +148,8 @@ describe 'firewall bridging' do end end - context 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do - pp7 = <<-EOS + context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do + pp7 = <<-PUPPETCODE class { '::firewall': } firewall { '707 - test': chain => 'FORWARD', @@ -160,7 +160,7 @@ describe 'firewall bridging' do physdev_out => 'eth1', physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp7, catch_failures: true) apply_manifest(pp7, catch_changes: do_catch_changes) @@ -177,8 +177,8 @@ describe 'firewall bridging' do # iptables version 1.3.5 is not suppored by the ip6tables provider if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'ip6tables physdev tests' do - context 'physdev_in eth0' do - pp8 = <<-EOS + context 'when physdev_in eth0' do + pp8 = <<-PUPPETCODE class { '::firewall': } firewall { '701 - test': provider => 'ip6tables', 
@@ -188,7 +188,7 @@ describe 'firewall bridging' do action => accept, physdev_in => 'eth0', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp8, catch_failures: true) apply_manifest(pp8, catch_changes: do_catch_changes) @@ -201,8 +201,8 @@ describe 'firewall bridging' do end end - context 'physdev_out eth1' do - pp9 = <<-EOS + context 'when physdev_out eth1' do + pp9 = <<-PUPPETCODE class { '::firewall': } firewall { '702 - test': provider => 'ip6tables', @@ -212,7 +212,7 @@ describe 'firewall bridging' do action => accept, physdev_out => 'eth1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp9, catch_failures: true) apply_manifest(pp9, catch_changes: do_catch_changes) @@ -225,8 +225,8 @@ describe 'firewall bridging' do end end - context 'physdev_in eth0 and physdev_out eth1' do - pp10 = <<-EOS + context 'when physdev_in eth0 and physdev_out eth1' do + pp10 = <<-PUPPETCODE class { '::firewall': } firewall { '703 - test': provider => 'ip6tables', @@ -237,7 +237,7 @@ describe 'firewall bridging' do physdev_in => 'eth0', physdev_out => 'eth1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp10, catch_failures: true) apply_manifest(pp10, catch_changes: do_catch_changes) @@ -250,8 +250,8 @@ describe 'firewall bridging' do end end - context 'physdev_is_bridged' do - pp11 = <<-EOS + context 'when physdev_is_bridged' do + pp11 = <<-PUPPETCODE class { '::firewall': } firewall { '704 - test': provider => 'ip6tables', @@ -261,7 +261,7 @@ describe 'firewall bridging' do action => accept, physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp11, catch_failures: true) apply_manifest(pp11, catch_changes: do_catch_changes) @@ -274,8 +274,8 @@ describe 'firewall bridging' do end end - context 'physdev_in eth0 and physdev_is_bridged' do - pp12 = <<-EOS + context 'when physdev_in eth0 and physdev_is_bridged' do + pp12 = <<-PUPPETCODE class { '::firewall': } firewall { '705 - test': provider => 'ip6tables', 
@@ -286,7 +286,7 @@ describe 'firewall bridging' do physdev_in => 'eth0', physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp12, catch_failures: true) apply_manifest(pp12, catch_changes: do_catch_changes) @@ -299,8 +299,8 @@ describe 'firewall bridging' do end end - context 'physdev_out eth1 and physdev_is_bridged' do - pp13 = <<-EOS + context 'when physdev_out eth1 and physdev_is_bridged' do + pp13 = <<-PUPPETCODE class { '::firewall': } firewall { '706 - test': provider => 'ip6tables', @@ -311,7 +311,7 @@ describe 'firewall bridging' do physdev_out => 'eth1', physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp13, catch_failures: true) apply_manifest(pp13, catch_changes: do_catch_changes) @@ -324,8 +324,8 @@ describe 'firewall bridging' do end end - context 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do - pp14 = <<-EOS + context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do + pp14 = <<-PUPPETCODE class { '::firewall': } firewall { '707 - test': provider => 'ip6tables', @@ -337,7 +337,7 @@ describe 'firewall bridging' do physdev_out => 'eth1', physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp14, catch_failures: true) apply_manifest(pp14, catch_changes: do_catch_changes) @@ -350,8 +350,8 @@ describe 'firewall bridging' do end end - context 'physdev_is_in' do - pp15 = <<-EOS + context 'when physdev_is_in' do + pp15 = <<-PUPPETCODE class { '::firewall': } firewall { '708 - test': provider => 'ip6tables', @@ -361,7 +361,7 @@ describe 'firewall bridging' do action => accept, physdev_is_in => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp15, catch_failures: true) apply_manifest(pp15, catch_changes: do_catch_changes) 
@@ -374,8 +374,8 @@ describe 'firewall bridging' do end end - context 'physdev_is_out' do - pp16 = <<-EOS + context 'when physdev_is_out' do + pp16 = <<-PUPPETCODE class { '::firewall': } firewall { '709 - test': provider => 'ip6tables', @@ -385,7 +385,7 @@ describe 'firewall bridging' do action => accept, physdev_is_out => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp16, catch_failures: true) apply_manifest(pp16, catch_changes: do_catch_changes) diff --git a/spec/acceptance/firewall_dscp_spec.rb b/spec/acceptance/firewall_dscp_spec.rb index 8a49de5..779411d 100644 --- a/spec/acceptance/firewall_dscp_spec.rb +++ b/spec/acceptance/firewall_dscp_spec.rb @@ -7,8 +7,8 @@ describe 'firewall DSCP' do end describe 'dscp ipv4 tests' do - context 'set_dscp 0x01' do - pp1 = <<-EOS + context 'when set_dscp 0x01' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '1000 - set_dscp': @@ -19,7 +19,7 @@ describe 'firewall DSCP' do chain => 'OUTPUT', table => 'mangle', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) end @@ -31,8 +31,8 @@ describe 'firewall DSCP' do end end - context 'set_dscp_class EF' do - pp2 = <<-EOS + context 'when set_dscp_class EF' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '1001 EF - set_dscp_class': @@ -43,7 +43,7 @@ describe 'firewall DSCP' do chain => 'OUTPUT', table => 'mangle', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) end @@ -58,8 +58,8 @@ describe 'firewall DSCP' do if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'dscp ipv6 tests' do - context 'set_dscp 0x01' do - pp3 = <<-EOS + context 'when set_dscp 0x01' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '1002 - set_dscp': @@ -71,7 +71,7 @@ describe 'firewall DSCP' do table => 'mangle', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) end 
@@ -83,8 +83,8 @@ describe 'firewall DSCP' do end end - context 'set_dscp_class EF' do - pp4 = <<-EOS + context 'when set_dscp_class EF' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '1003 EF - set_dscp_class': @@ -96,7 +96,7 @@ describe 'firewall DSCP' do table => 'mangle', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) end diff --git a/spec/acceptance/firewall_gid_spec.rb b/spec/acceptance/firewall_gid_spec.rb index 8e8a356..f5c360d 100644 --- a/spec/acceptance/firewall_gid_spec.rb +++ b/spec/acceptance/firewall_gid_spec.rb @@ -7,8 +7,8 @@ describe 'firewall gid' do end describe 'gid tests' do - context 'gid set to root' do - pp1 = <<-EOS + context 'when gid set to root' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - test': chain => 'OUTPUT', @@ -16,7 +16,7 @@ describe 'firewall gid' do gid => 'root', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -29,8 +29,8 @@ describe 'firewall gid' do end end - context 'gid set to !root' do - pp2 = <<-EOS + context 'when gid set to !root' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - test': chain => 'OUTPUT', @@ -38,7 +38,7 @@ describe 'firewall gid' do gid => '!root', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) @@ -51,8 +51,8 @@ describe 'firewall gid' do end end - context 'gid set to 0' do - pp3 = <<-EOS + context 'when gid set to 0' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '803 - test': chain => 'OUTPUT', @@ -60,7 +60,7 @@ describe 'firewall gid' do gid => '0', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) apply_manifest(pp3, catch_changes: do_catch_changes) 
@@ -73,8 +73,8 @@ describe 'firewall gid' do end end - context 'gid set to !0' do - pp4 = <<-EOS + context 'when gid set to !0' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '804 - test': chain => 'OUTPUT', @@ -82,7 +82,7 @@ describe 'firewall gid' do gid => '!0', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) apply_manifest(pp4, catch_changes: do_catch_changes) diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb index c9aa52a..e2ee32c 100644 --- a/spec/acceptance/firewall_iptmodules_spec.rb +++ b/spec/acceptance/firewall_iptmodules_spec.rb @@ -7,8 +7,8 @@ describe 'firewall iptmodules' do end describe 'iptables ipt_modules tests' do - context 'all the modules with multiple args' do - pp1 = <<-EOS + context 'when all the modules with multiple args' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - ipt_modules tests': proto => tcp, @@ -25,7 +25,7 @@ describe 'firewall iptmodules' do physdev_out => "eth1", physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -38,8 +38,8 @@ describe 'firewall iptmodules' do end end - context 'all the modules with single args' do - pp2 = <<-EOS + context 'when all the modules with single args' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - ipt_modules tests': proto => tcp, @@ -52,7 +52,7 @@ describe 'firewall iptmodules' do physdev_out => "eth1", physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) 
@@ -69,8 +69,8 @@ describe 'firewall iptmodules' do # iptables version 1.3.5 is not suppored by the ip6tables provider if default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{ubuntu-14\.04} describe 'ip6tables ipt_modules tests' do - context 'all the modules with multiple args' do - pp3 = <<-EOS + context 'when all the modules with multiple args' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - ipt_modules tests': proto => tcp, @@ -88,7 +88,7 @@ describe 'firewall iptmodules' do physdev_out => "eth1", physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) apply_manifest(pp3, catch_changes: do_catch_changes) @@ -101,8 +101,8 @@ describe 'firewall iptmodules' do end end - context 'all the modules with single args' do - pp4 = <<-EOS + context 'when all the modules with single args' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - ipt_modules tests': proto => tcp, @@ -116,7 +116,7 @@ describe 'firewall iptmodules' do physdev_out => "eth1", physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) apply_manifest(pp4, catch_changes: do_catch_changes) @@ -133,8 +133,8 @@ describe 'firewall iptmodules' do # el-5 doesn't support ipv6 by default elsif default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'ip6tables ipt_modules tests' do - context 'all the modules with multiple args' do - pp5 = <<-EOS + context 'when all the modules with multiple args' do + pp5 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - ipt_modules tests': proto => tcp, @@ -150,7 +150,7 @@ describe 'firewall iptmodules' do physdev_out => "eth1", physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp5, catch_failures: true) apply_manifest(pp5, catch_changes: do_catch_changes) 
@@ -163,8 +163,8 @@ describe 'firewall iptmodules' do end end - context 'all the modules with single args' do - pp6 = <<-EOS + context 'when all the modules with single args' do + pp6 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - ipt_modules tests': proto => tcp, @@ -177,7 +177,7 @@ describe 'firewall iptmodules' do physdev_out => "eth1", physdev_is_bridged => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp6, catch_failures: true) apply_manifest(pp6, catch_changes: do_catch_changes) diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb index f1cc391..2648fe5 100644 --- a/spec/acceptance/firewall_mss_spec.rb +++ b/spec/acceptance/firewall_mss_spec.rb @@ -7,8 +7,8 @@ describe 'firewall MSS' do end describe 'mss ipv4 tests' do - context '1360' do - pp1 = <<-EOS + context 'when 1360' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '502 - set_mss': @@ -20,7 +20,7 @@ describe 'firewall MSS' do chain => 'FORWARD', table => 'mangle', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) end @@ -32,8 +32,8 @@ describe 'firewall MSS' do end end - context 'clamp_mss_to_pmtu' do - pp2 = <<-EOS + context 'when clamp_mss_to_pmtu' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '503 - clamp_mss_to_pmtu': @@ -43,7 +43,7 @@ describe 'firewall MSS' do jump => 'TCPMSS', clamp_mss_to_pmtu => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) end @@ -58,8 +58,8 @@ describe 'firewall MSS' do if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'mss ipv6 tests' do - context '1360' do - pp3 = <<-EOS + context 'when 1360' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '502 - set_mss': @@ -72,7 +72,7 @@ describe 'firewall MSS' do table => 'mangle', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) end 
@@ -84,8 +84,8 @@ describe 'firewall MSS' do end end - context 'clamp_mss_to_pmtu' do - pp4 = <<-EOS + context 'when clamp_mss_to_pmtu' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '503 - clamp_mss_to_pmtu': @@ -96,7 +96,7 @@ describe 'firewall MSS' do clamp_mss_to_pmtu => true, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) end diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index fe409e7..5e8e68f 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb @@ -7,21 +7,21 @@ describe 'firewall basics', docker: true do end describe 'name' do - context 'valid' do - pp1 = <<-EOS + context 'when valid' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '001 - test': ensure => present } - EOS + PUPPETCODE it 'applies cleanly' do apply_manifest(pp1, catch_failures: true) end end - context 'invalid' do - pp2 = <<-EOS + context 'when invalid' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { 'test': ensure => present } - EOS + PUPPETCODE it 'fails' do apply_manifest(pp2, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid value "test".}) @@ -31,15 +31,15 @@ describe 'firewall basics', docker: true do end describe 'ensure' do - context 'default' do - pp3 = <<-EOS + context 'when default' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '555 - test': proto => tcp, port => '555', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) end @@ -51,8 +51,8 @@ describe 'firewall basics', docker: true do end end - context 'present' do - pp4 = <<-EOS + context 'when present' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '555 - test': ensure => present, @@ -60,7 +60,7 @@ describe 'firewall basics', docker: true do port => '555', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) end 
@@ -72,8 +72,8 @@ describe 'firewall basics', docker: true do end end - context 'absent' do - pp5 = <<-EOS + context 'when absent' do + pp5 = <<-PUPPETCODE class { '::firewall': } firewall { '555 - test': ensure => absent, @@ -81,7 +81,7 @@ describe 'firewall basics', docker: true do port => '555', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp5, catch_failures: true) end @@ -95,8 +95,8 @@ describe 'firewall basics', docker: true do end describe 'source' do - context '192.168.2.0/24' do - pp7 = <<-EOS + context 'when 192.168.2.0/24' do + pp7 = <<-PUPPETCODE class { '::firewall': } firewall { '556 - test': proto => tcp, @@ -104,7 +104,7 @@ describe 'firewall basics', docker: true do action => accept, source => '192.168.2.0/24', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp7, catch_failures: true) apply_manifest(pp7, catch_changes: do_catch_changes) @@ -117,8 +117,8 @@ describe 'firewall basics', docker: true do end end - context '! 192.168.2.0/24' do - pp8 = <<-EOS + context 'when ! 192.168.2.0/24' do + pp8 = <<-PUPPETCODE class { '::firewall': } firewall { '556 - test': proto => tcp, @@ -126,7 +126,7 @@ describe 'firewall basics', docker: true do action => accept, source => '! 192.168.2.0/24', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp8, catch_failures: true) apply_manifest(pp8, catch_changes: do_catch_changes) @@ -140,8 +140,8 @@ describe 'firewall basics', docker: true do end # Invalid address - context '256.168.2.0/24' do - pp9 = <<-EOS + context 'when 256.168.2.0/24' do + pp9 = <<-PUPPETCODE class { '::firewall': } firewall { '556 - test': proto => tcp, @@ -149,7 +149,7 @@ describe 'firewall basics', docker: true do action => accept, source => '256.168.2.0/24', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp9, expect_failures: true) do |r| expect(r.stderr).to match(%r{host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)}) 
@@ -165,8 +165,8 @@ describe 'firewall basics', docker: true do end describe 'src_range' do - context '192.168.1.1-192.168.1.10' do - pp10 = <<-EOS + context 'when 192.168.1.1-192.168.1.10' do + pp10 = <<-PUPPETCODE class { '::firewall': } firewall { '557 - test': proto => tcp, @@ -174,7 +174,7 @@ describe 'firewall basics', docker: true do action => accept, src_range => '192.168.1.1-192.168.1.10', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp10, catch_failures: true) apply_manifest(pp10, catch_changes: do_catch_changes) @@ -188,8 +188,8 @@ describe 'firewall basics', docker: true do end # Invalid IP - context '392.168.1.1-192.168.1.10' do - pp11 = <<-EOS + context 'when 392.168.1.1-192.168.1.10' do + pp11 = <<-PUPPETCODE class { '::firewall': } firewall { '557 - test': proto => tcp, @@ -197,7 +197,7 @@ describe 'firewall basics', docker: true do action => accept, src_range => '392.168.1.1-192.168.1.10', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp11, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid IP address "392.168.1.1" in range "392.168.1.1-192.168.1.10"}) @@ -213,8 +213,8 @@ describe 'firewall basics', docker: true do end describe 'destination' do - context '192.168.2.0/24' do - pp12 = <<-EOS + context 'when 192.168.2.0/24' do + pp12 = <<-PUPPETCODE class { '::firewall': } firewall { '558 - test': proto => tcp, @@ -222,7 +222,7 @@ describe 'firewall basics', docker: true do action => accept, destination => '192.168.2.0/24', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp12, catch_failures: true) apply_manifest(pp12, catch_changes: do_catch_changes) @@ -235,8 +235,8 @@ describe 'firewall basics', docker: true do end end - context '! 192.168.2.0/24' do - pp13 = <<-EOS + context 'when ! 192.168.2.0/24' do + pp13 = <<-PUPPETCODE class { '::firewall': } firewall { '558 - test': proto => tcp, 
@@ -244,7 +244,7 @@ describe 'firewall basics', docker: true do action => accept, destination => '! 192.168.2.0/24', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp13, catch_failures: true) apply_manifest(pp13, catch_changes: do_catch_changes) @@ -258,8 +258,8 @@ describe 'firewall basics', docker: true do end # Invalid address - context '256.168.2.0/24' do - pp14 = <<-EOS + context 'when 256.168.2.0/24' do + pp14 = <<-PUPPETCODE class { '::firewall': } firewall { '558 - test': proto => tcp, @@ -267,7 +267,7 @@ describe 'firewall basics', docker: true do action => accept, destination => '256.168.2.0/24', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp14, expect_failures: true) do |r| expect(r.stderr).to match(%r{host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)}) @@ -283,8 +283,8 @@ describe 'firewall basics', docker: true do end describe 'dst_range' do - context '192.168.1.1-192.168.1.10' do - pp15 = <<-EOS + context 'when 192.168.1.1-192.168.1.10' do + pp15 = <<-PUPPETCODE class { '::firewall': } firewall { '559 - test': proto => tcp, @@ -292,7 +292,7 @@ describe 'firewall basics', docker: true do action => accept, dst_range => '192.168.1.1-192.168.1.10', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp15, catch_failures: true) apply_manifest(pp15, catch_changes: do_catch_changes) @@ -306,8 +306,8 @@ describe 'firewall basics', docker: true do end # Invalid IP - context '392.168.1.1-192.168.1.10' do - pp16 = <<-EOS + context 'when 392.168.1.1-192.168.1.10' do + pp16 = <<-PUPPETCODE class { '::firewall': } firewall { '559 - test': proto => tcp, @@ -315,7 +315,7 @@ describe 'firewall basics', docker: true do action => accept, dst_range => '392.168.1.1-192.168.1.10', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp16, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid IP address "392.168.1.1" in range "392.168.1.1-192.168.1.10"}) 
@@ -331,15 +331,15 @@ describe 'firewall basics', docker: true do end describe 'sport' do - context 'single port' do - pp17 = <<-EOS + context 'when single port' do + pp17 = <<-PUPPETCODE class { '::firewall': } firewall { '560 - test': proto => tcp, sport => '560', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp17, catch_failures: true) end @@ -351,15 +351,15 @@ describe 'firewall basics', docker: true do end end - context 'multiple ports' do - pp18 = <<-EOS + context 'when multiple ports' do + pp18 = <<-PUPPETCODE class { '::firewall': } firewall { '560 - test': proto => tcp, sport => '560-561', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp18, catch_failures: true) end @@ -371,15 +371,15 @@ describe 'firewall basics', docker: true do end end - context 'invalid ports' do - pp19 = <<-EOS + context 'when invalid ports' do + pp19 = <<-PUPPETCODE class { '::firewall': } firewall { '560 - test': proto => tcp, sport => '9999560-561', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp19, expect_failures: true) do |r| expect(r.stderr).to match(%r{invalid port\/service `9999560' specified}) @@ -395,15 +395,15 @@ describe 'firewall basics', docker: true do end describe 'dport' do - context 'single port' do - pp20 = <<-EOS + context 'when single port' do + pp20 = <<-PUPPETCODE class { '::firewall': } firewall { '561 - test': proto => tcp, dport => '561', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp20, catch_failures: true) end @@ -415,15 +415,15 @@ describe 'firewall basics', docker: true do end end - context 'multiple ports' do - pp21 = <<-EOS + context 'when multiple ports' do + pp21 = <<-PUPPETCODE class { '::firewall': } firewall { '561 - test': proto => tcp, dport => '561-562', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp21, catch_failures: true) end 
@@ -435,15 +435,15 @@ describe 'firewall basics', docker: true do end end - context 'invalid ports' do - pp22 = <<-EOS + context 'when invalid ports' do + pp22 = <<-PUPPETCODE class { '::firewall': } firewall { '561 - test': proto => tcp, dport => '9999561-562', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp22, expect_failures: true) do |r| expect(r.stderr).to match(%r{invalid port\/service `9999561' specified}) @@ -459,15 +459,15 @@ describe 'firewall basics', docker: true do end describe 'port' do - context 'single port' do - pp23 = <<-EOS + context 'when single port' do + pp23 = <<-PUPPETCODE class { '::firewall': } firewall { '562 - test': proto => tcp, port => '562', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp23, catch_failures: true) end @@ -479,15 +479,15 @@ describe 'firewall basics', docker: true do end end - context 'multiple ports' do - pp24 = <<-EOS + context 'when multiple ports' do + pp24 = <<-PUPPETCODE class { '::firewall': } firewall { '562 - test': proto => tcp, port => '562-563', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp24, catch_failures: true) end @@ -499,15 +499,15 @@ describe 'firewall basics', docker: true do end end - context 'invalid ports' do - pp25 = <<-EOS + context 'when invalid ports' do + pp25 = <<-PUPPETCODE class { '::firewall': } firewall { '562 - test': proto => tcp, port => '9999562-563', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp25, expect_failures: true) do |r| expect(r.stderr).to match(%r{invalid port\/service `9999562' specified}) 
@@ -524,15 +524,15 @@ describe 'firewall basics', docker: true do %w[dst_type src_type].each do |type| describe type.to_s do - context 'MULTICAST' do - pp26 = <<-EOS + context 'when MULTICAST' do + pp26 = <<-PUPPETCODE class { '::firewall': } firewall { '563 - test': proto => tcp, action => accept, #{type} => 'MULTICAST', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp26, catch_failures: true) end @@ -544,15 +544,15 @@ describe 'firewall basics', docker: true do end end - context '! MULTICAST' do - pp27 = <<-EOS + context 'when ! MULTICAST' do + pp27 = <<-PUPPETCODE class { '::firewall': } firewall { '563 - test inversion': proto => tcp, action => accept, #{type} => '! MULTICAST', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp27, catch_failures: true) apply_manifest(pp27, catch_changes: do_catch_changes) @@ -565,15 +565,15 @@ describe 'firewall basics', docker: true do end end - context 'BROKEN' do - pp28 = <<-EOS + context 'when BROKEN' do + pp28 = <<-PUPPETCODE class { '::firewall': } firewall { '563 - test': proto => tcp, action => accept, #{type} => 'BROKEN', } - EOS + PUPPETCODE it 'fails' do apply_manifest(pp28, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid value "BROKEN".}) @@ -590,15 +590,15 @@ describe 'firewall basics', docker: true do end describe 'tcp_flags' do - context 'FIN,SYN ACK' do - pp29 = <<-EOS + context 'when FIN,SYN ACK' do + pp29 = <<-PUPPETCODE class { '::firewall': } firewall { '564 - test': proto => tcp, action => accept, tcp_flags => 'FIN,SYN ACK', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp29, catch_failures: true) end @@ -612,15 +612,15 @@ describe 'firewall basics', docker: true do end describe 'chain' do - context 'INPUT' do - pp30 = <<-EOS + context 'when INPUT' do + pp30 = <<-PUPPETCODE class { '::firewall': } firewall { '565 - test': proto => tcp, action => accept, chain => 'FORWARD', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp30, catch_failures: true) end 
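Review bot: The renamed description in the `chain` context still does not match the manifest it labels: the new line reads `context 'when INPUT' do` while the heredoc directly below sets `chain => 'FORWARD',`, so a failure in this example would be reported under the wrong chain name. Since the commit already rewrites that line, it should become `context 'when FORWARD' do`. The same mismatch appears in the `toports` hunk (`@@ -780,8 +780,8 @@`), where `context 'when 192.168.1.1' do` labels a manifest whose value is `toports => '2222'`; `context 'when 2222' do` would describe it. More generally, prefixing the old labels with `when` mechanically produces descriptions such as `when 5` and `when ! MULTICAST`, which satisfy the cop but do not read as sentences, so a short rewording pass over these contexts would make the spec output clearer.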
@@ -634,15 +634,15 @@ describe 'firewall basics', docker: true do end describe 'table' do - context 'mangle' do - pp31 = <<-EOS + context 'when mangle' do + pp31 = <<-PUPPETCODE class { '::firewall': } firewall { '566 - test': proto => tcp, action => accept, table => 'mangle', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp31, catch_failures: true) end @@ -653,8 +653,8 @@ describe 'firewall basics', docker: true do end end end - context 'nat' do - pp32 = <<-EOS + context 'when nat' do + pp32 = <<-PUPPETCODE class { '::firewall': } firewall { '566 - test2': proto => tcp, @@ -662,7 +662,7 @@ describe 'firewall basics', docker: true do table => 'nat', chain => 'OUTPUT', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp32, catch_failures: true) end @@ -680,8 +680,8 @@ describe 'firewall basics', docker: true do iptables_flush_all_tables end - context 'MARK' do - pp33 = <<-EOS + context 'when MARK' do + pp33 = <<-PUPPETCODE class { '::firewall': } firewallchain { 'TEST:filter:IPv4': ensure => present, @@ -691,7 +691,7 @@ describe 'firewall basics', docker: true do chain => 'INPUT', jump => 'TEST', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp33, catch_failures: true) end @@ -703,8 +703,8 @@ describe 'firewall basics', docker: true do end end - context 'jump and apply' do - pp34 = <<-EOS + context 'when jump and apply' do + pp34 = <<-PUPPETCODE class { '::firewall': } firewallchain { 'TEST:filter:IPv4': ensure => present, @@ -715,7 +715,7 @@ describe 'firewall basics', docker: true do action => 'accept', jump => 'TEST', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp34, expect_failures: true) do |r| expect(r.stderr).to match(%r{Only one of the parameters 'action' and 'jump' can be set}) @@ -731,8 +731,8 @@ describe 'firewall basics', docker: true do end describe 'tosource' do - context '192.168.1.1' do - pp35 = <<-EOS + context 'when 192.168.1.1' do + pp35 = <<-PUPPETCODE class { '::firewall': } firewall { '568 - test': proto => tcp, 
@@ -741,7 +741,7 @@ describe 'firewall basics', docker: true do jump => 'SNAT', tosource => '192.168.1.1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp35, catch_failures: true) end @@ -755,8 +755,8 @@ describe 'firewall basics', docker: true do end describe 'todest' do - context '192.168.1.1' do - pp36 = <<-EOS + context 'when 192.168.1.1' do + pp36 = <<-PUPPETCODE class { '::firewall': } firewall { '569 - test': proto => tcp, @@ -766,7 +766,7 @@ describe 'firewall basics', docker: true do source => '200.200.200.200', todest => '192.168.1.1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp36, catch_failures: true) end @@ -780,8 +780,8 @@ describe 'firewall basics', docker: true do end describe 'toports' do - context '192.168.1.1' do - pp37 = <<-EOS + context 'when 192.168.1.1' do + pp37 = <<-PUPPETCODE class { '::firewall': } firewall { '570 - test': proto => icmp, @@ -790,7 +790,7 @@ describe 'firewall basics', docker: true do jump => 'REDIRECT', toports => '2222', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp37, catch_failures: true) end @@ -805,8 +805,8 @@ describe 'firewall basics', docker: true do if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{ubuntu-10\.04} && default['platform'] !~ %r{debian-6} && default['platform'] !~ %r{sles} describe 'checksum_fill' do - context 'virbr' do - pp38 = <<-EOS + context 'when virbr' do + pp38 = <<-PUPPETCODE class { '::firewall': } firewall { '576 - test': proto => udp, @@ -818,7 +818,7 @@ describe 'firewall basics', docker: true do checksum_fill => true, provider => iptables, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp38, catch_failures: true) end @@ -832,8 +832,8 @@ describe 'firewall basics', docker: true do end describe 'checksum_fill6' do - context 'virbr' do - pp39 = <<-EOS + context 'when virbr' do + pp39 = <<-PUPPETCODE class { '::firewall': } firewall { '576 - test': proto => udp, 
@@ -845,7 +845,7 @@ describe 'firewall basics', docker: true do checksum_fill => true, provider => ip6tables, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp39, catch_failures: true) end @@ -862,8 +862,8 @@ describe 'firewall basics', docker: true do # RHEL5 does not support --random if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'random' do - context '192.168.1.1' do - pp40 = <<-EOS + context 'when 192.168.1.1' do + pp40 = <<-PUPPETCODE class { '::firewall': } firewall { '570 - test 2': proto => all, @@ -873,7 +873,7 @@ describe 'firewall basics', docker: true do source => '172.30.0.0/16', random => true } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp40, catch_failures: true) apply_manifest(pp40, catch_changes: do_catch_changes) @@ -889,14 +889,14 @@ describe 'firewall basics', docker: true do end describe 'icmp' do - context 'any' do - pp41 = <<-EOS + context 'when any' do + pp41 = <<-PUPPETCODE class { '::firewall': } firewall { '571 - test': proto => icmp, icmp => 'any', } - EOS + PUPPETCODE it 'fails' do apply_manifest(pp41, expect_failures: true) do |r| expect(r.stderr).to match(%r{This behaviour should be achieved by omitting or undefining the ICMP parameter}) @@ -915,8 +915,8 @@ describe 'firewall basics', docker: true do # iptables version 1.4.7 fails for multiple hl entries if default['platform'] !~ %r{(el-5|el-6|sles-10|sles-11)} describe 'hop_limit' do - context '5' do - pp42 = <<-EOS + context 'when 5' do + pp42 = <<-PUPPETCODE class { '::firewall': } firewall { '571 - test': ensure => present, @@ -926,7 +926,7 @@ describe 'firewall basics', docker: true do hop_limit => '5', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp42, catch_failures: true) end 
@@ -938,8 +938,8 @@ describe 'firewall basics', docker: true do end end - context 'invalid' do - pp43 = <<-EOS + context 'when invalid' do + pp43 = <<-PUPPETCODE class { '::firewall': } firewall { '571 - test': ensure => present, @@ -949,7 +949,7 @@ describe 'firewall basics', docker: true do hop_limit => 'invalid', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp43, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid value "invalid".}) @@ -965,8 +965,8 @@ describe 'firewall basics', docker: true do end describe 'ishasmorefrags' do - context 'true' do - pp44 = <<-EOS + context 'when true' do + pp44 = <<-PUPPETCODE class { '::firewall': } firewall { '587 - test': ensure => present, @@ -976,7 +976,7 @@ describe 'firewall basics', docker: true do ishasmorefrags => true, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp44, catch_failures: true) end @@ -988,8 +988,8 @@ describe 'firewall basics', docker: true do end end - context 'false' do - pp45 = <<-EOS + context 'when false' do + pp45 = <<-PUPPETCODE class { '::firewall': } firewall { '588 - test': ensure => present, @@ -999,7 +999,7 @@ describe 'firewall basics', docker: true do ishasmorefrags => false, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp45, catch_failures: true) end @@ -1013,8 +1013,8 @@ describe 'firewall basics', docker: true do end describe 'islastfrag' do - context 'true' do - pp46 = <<-EOS + context 'when true' do + pp46 = <<-PUPPETCODE class { '::firewall': } firewall { '589 - test': ensure => present, @@ -1024,7 +1024,7 @@ describe 'firewall basics', docker: true do islastfrag => true, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp46, catch_failures: true) end 
@@ -1036,8 +1036,8 @@ describe 'firewall basics', docker: true do end end - context 'false' do - pp47 = <<-EOS + context 'when false' do + pp47 = <<-PUPPETCODE class { '::firewall': } firewall { '590 - test': ensure => present, @@ -1047,7 +1047,7 @@ describe 'firewall basics', docker: true do islastfrag => false, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp47, catch_failures: true) end @@ -1061,8 +1061,8 @@ describe 'firewall basics', docker: true do end describe 'isfirstfrag' do - context 'true' do - pp48 = <<-EOS + context 'when true' do + pp48 = <<-PUPPETCODE class { '::firewall': } firewall { '591 - test': ensure => present, @@ -1072,7 +1072,7 @@ describe 'firewall basics', docker: true do isfirstfrag => true, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp48, catch_failures: true) end @@ -1084,8 +1084,8 @@ describe 'firewall basics', docker: true do end end - context 'false' do - pp49 = <<-EOS + context 'when false' do + pp49 = <<-PUPPETCODE class { '::firewall': } firewall { '592 - test': ensure => present, @@ -1095,7 +1095,7 @@ describe 'firewall basics', docker: true do isfirstfrag => false, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp49, catch_failures: true) end @@ -1109,8 +1109,8 @@ describe 'firewall basics', docker: true do end describe 'tcp_flags' do - context 'FIN,SYN ACK' do - pp50 = <<-EOS + context 'when FIN,SYN ACK' do + pp50 = <<-PUPPETCODE class { '::firewall': } firewall { '593 - test': proto => tcp, @@ -1118,7 +1118,7 @@ describe 'firewall basics', docker: true do tcp_flags => 'FIN,SYN ACK', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp50, catch_failures: true) end 
@@ -1132,8 +1132,8 @@ describe 'firewall basics', docker: true do end describe 'src_range' do - context '2001:db8::1-2001:db8::ff' do - pp51 = <<-EOS + context 'when 2001:db8::1-2001:db8::ff' do + pp51 = <<-PUPPETCODE class { '::firewall': } firewall { '601 - test': proto => tcp, @@ -1142,7 +1142,7 @@ describe 'firewall basics', docker: true do src_range => '2001:db8::1-2001:db8::ff', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp51, catch_failures: true) apply_manifest(pp51, catch_changes: do_catch_changes) @@ -1156,8 +1156,8 @@ describe 'firewall basics', docker: true do end # Invalid IP - context '2001::db8::1-2001:db8::ff' do - pp52 = <<-EOS + context 'when 2001::db8::1-2001:db8::ff' do + pp52 = <<-PUPPETCODE class { '::firewall': } firewall { '601 - test': proto => tcp, @@ -1166,7 +1166,7 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', src_range => '2001::db8::1-2001:db8::ff', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp52, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"}) @@ -1182,8 +1182,8 @@ describe 'firewall basics', docker: true do end describe 'dst_range' do - context '2001:db8::1-2001:db8::ff' do - pp53 = <<-EOS + context 'when 2001:db8::1-2001:db8::ff' do + pp53 = <<-PUPPETCODE class { '::firewall': } firewall { '602 - test': proto => tcp, @@ -1192,7 +1192,7 @@ describe 'firewall basics', docker: true do dst_range => '2001:db8::1-2001:db8::ff', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp53, catch_failures: true) apply_manifest(pp53, catch_changes: do_catch_changes) @@ -1206,8 +1206,8 @@ describe 'firewall basics', docker: true do end # Invalid IP - context '2001::db8::1-2001:db8::ff' do - pp54 = <<-EOS + context 'when 2001::db8::1-2001:db8::ff' do + pp54 = <<-PUPPETCODE class { '::firewall': } firewall { '602 - test': proto => tcp, 
@@ -1216,7 +1216,7 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', dst_range => '2001::db8::1-2001:db8::ff', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp54, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"}) @@ -1232,8 +1232,8 @@ describe 'firewall basics', docker: true do end describe 'mac_source' do - context '0A:1B:3C:4D:5E:6F' do - pp55 = <<-EOS + context 'when 0A:1B:3C:4D:5E:6F' do + pp55 = <<-PUPPETCODE class { '::firewall': } firewall { '604 - test': ensure => present, @@ -1242,7 +1242,7 @@ describe 'firewall basics', docker: true do chain => 'INPUT', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp55, catch_failures: true) end @@ -1258,8 +1258,8 @@ describe 'firewall basics', docker: true do # ip6tables has limited `-m socket` support if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{ubuntu-10\.04} && default['platform'] !~ %r{debian-6} && default['platform'] !~ %r{sles} describe 'socket' do - context 'true' do - pp56 = <<-EOS + context 'when true' do + pp56 = <<-PUPPETCODE class { '::firewall': } firewall { '605 - test': ensure => present, @@ -1270,7 +1270,7 @@ describe 'firewall basics', docker: true do socket => true, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp56, catch_failures: true) end @@ -1282,8 +1282,8 @@ describe 'firewall basics', docker: true do end end - context 'false' do - pp57 = <<-EOS + context 'when false' do + pp57 = <<-PUPPETCODE class { '::firewall': } firewall { '606 - test': ensure => present, @@ -1294,7 +1294,7 @@ describe 'firewall basics', docker: true do socket => false, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp57, catch_failures: true) end 
@@ -1309,8 +1309,8 @@ describe 'firewall basics', docker: true do end describe 'ipsec_policy' do - context 'ipsec' do - pp58 = <<-EOS + context 'when ipsec' do + pp58 = <<-PUPPETCODE class { '::firewall': } firewall { '607 - test': ensure => 'present', @@ -1324,7 +1324,7 @@ describe 'firewall basics', docker: true do table => 'filter', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp58, catch_failures: true) end @@ -1336,8 +1336,8 @@ describe 'firewall basics', docker: true do end end - context 'none' do - pp59 = <<-EOS + context 'when none' do + pp59 = <<-PUPPETCODE class { '::firewall': } firewall { '608 - test': ensure => 'present', @@ -1351,7 +1351,7 @@ describe 'firewall basics', docker: true do table => 'filter', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp59, catch_failures: true) end @@ -1365,8 +1365,8 @@ describe 'firewall basics', docker: true do end describe 'ipsec_dir' do - context 'out' do - pp60 = <<-EOS + context 'when out' do + pp60 = <<-PUPPETCODE class { '::firewall': } firewall { '609 - test': ensure => 'present', @@ -1380,7 +1380,7 @@ describe 'firewall basics', docker: true do table => 'filter', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp60, catch_failures: true) end @@ -1392,8 +1392,8 @@ describe 'firewall basics', docker: true do end end - context 'in' do - pp61 = <<-EOS + context 'when in' do + pp61 = <<-PUPPETCODE class { '::firewall': } firewall { '610 - test': ensure => 'present', @@ -1407,7 +1407,7 @@ describe 'firewall basics', docker: true do table => 'filter', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp61, catch_failures: true) end @@ -1421,8 +1421,8 @@ describe 'firewall basics', docker: true do end describe 'set_mark' do - context '0x3e8/0xffffffff' do - pp62 = <<-EOS + context 'when 0x3e8/0xffffffff' do + pp62 = <<-PUPPETCODE class { '::firewall': } firewall { '611 - test': ensure => present, 
@@ -1434,7 +1434,7 @@ describe 'firewall basics', docker: true do set_mark => '0x3e8/0xffffffff', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp62, catch_failures: true) end @@ -1452,7 +1452,7 @@ describe 'firewall basics', docker: true do # ipset is really difficult to test, just testing on one platform if default['platform'] =~ %r{ubuntu-14\.04} describe 'ipset' do - pp63 = <<-EOS + pp63 = <<-PUPPETCODE exec { 'hackery pt 1': command => 'service iptables-persistent flush', path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', @@ -1493,7 +1493,7 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', require => Exec['add honeypot'], } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp63, catch_failures: true) end @@ -1509,7 +1509,7 @@ describe 'firewall basics', docker: true do # mask isn't supported on deb7 if default['platform'] !~ %r{debian-7} describe 'mask' do - pp64 = <<-EOS + pp64 = <<-PUPPETCODE class { '::firewall': } firewall { '613 - test': recent => 'update', @@ -1521,7 +1521,7 @@ describe 'firewall basics', docker: true do mask => 'ffff::', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp64, catch_failures: true) end @@ -1536,8 +1536,8 @@ describe 'firewall basics', docker: true do %w[dst_type src_type].each do |type| describe type.to_s do - context 'MULTICAST' do - pp65 = <<-EOS + context 'when MULTICAST' do + pp65 = <<-PUPPETCODE class { '::firewall': } firewall { '603 - test': proto => tcp, @@ -1545,7 +1545,7 @@ describe 'firewall basics', docker: true do #{type} => 'MULTICAST', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp65, catch_failures: true) apply_manifest(pp65, catch_changes: do_catch_changes) 
@@ -1558,8 +1558,8 @@ describe 'firewall basics', docker: true do end end - context '! MULTICAST' do - pp66 = <<-EOS + context 'when ! MULTICAST' do + pp66 = <<-PUPPETCODE class { '::firewall': } firewall { '603 - test inversion': proto => tcp, @@ -1567,7 +1567,7 @@ describe 'firewall basics', docker: true do #{type} => '! MULTICAST', provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp66, catch_failures: true) apply_manifest(pp66, catch_changes: do_catch_changes) @@ -1580,8 +1580,8 @@ describe 'firewall basics', docker: true do end end - context 'BROKEN' do - pp67 = <<-EOS + context 'when BROKEN' do + pp67 = <<-PUPPETCODE class { '::firewall': } firewall { '603 - test': proto => tcp, @@ -1589,7 +1589,7 @@ describe 'firewall basics', docker: true do #{type} => 'BROKEN', provider => 'ip6tables', } - EOS + PUPPETCODE it 'fails' do apply_manifest(pp67, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid value "BROKEN".}) @@ -1609,8 +1609,8 @@ describe 'firewall basics', docker: true do end describe 'limit' do - context '500/sec' do - pp68 = <<-EOS + context 'when 500/sec' do + pp68 = <<-PUPPETCODE class { '::firewall': } firewall { '572 - test': ensure => present, @@ -1619,7 +1619,7 @@ describe 'firewall basics', docker: true do action => accept, limit => '500/sec', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp68, catch_failures: true) end @@ -1633,8 +1633,8 @@ describe 'firewall basics', docker: true do end describe 'burst' do - context '500' do - pp69 = <<-EOS + context 'when 500' do + pp69 = <<-PUPPETCODE class { '::firewall': } firewall { '573 - test': ensure => present, @@ -1644,7 +1644,7 @@ describe 'firewall basics', docker: true do limit => '500/sec', burst => '1500', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp69, catch_failures: true) end 
@@ -1656,8 +1656,8 @@ describe 'firewall basics', docker: true do end end - context 'invalid' do - pp70 = <<-EOS + context 'when invalid' do + pp70 = <<-PUPPETCODE class { '::firewall': } firewall { '571 - test': ensure => present, @@ -1667,7 +1667,7 @@ describe 'firewall basics', docker: true do limit => '500/sec', burst => '1500/sec', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp70, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid value "1500\/sec".}) @@ -1683,8 +1683,8 @@ describe 'firewall basics', docker: true do end describe 'uid' do - context 'nobody' do - pp71 = <<-EOS + context 'when nobody' do + pp71 = <<-PUPPETCODE class { '::firewall': } firewall { '574 - test': ensure => present, @@ -1694,7 +1694,7 @@ describe 'firewall basics', docker: true do action => accept, uid => 'nobody', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp71, catch_failures: true) end @@ -1708,8 +1708,8 @@ describe 'firewall basics', docker: true do end describe 'gid' do - context 'root' do - pp72 = <<-EOS + context 'when root' do + pp72 = <<-PUPPETCODE class { '::firewall': } firewall { '575 - test': ensure => present, @@ -1719,7 +1719,7 @@ describe 'firewall basics', docker: true do action => accept, gid => 'root', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp72, catch_failures: true) end @@ -1735,8 +1735,8 @@ describe 'firewall basics', docker: true do # iptables version 1.3.5 does not support masks on MARK rules if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'set_mark' do - context '0x3e8/0xffffffff' do - pp73 = <<-EOS + context 'when 0x3e8/0xffffffff' do + pp73 = <<-PUPPETCODE class { '::firewall': } firewall { '580 - test': ensure => present, @@ -1747,7 +1747,7 @@ describe 'firewall basics', docker: true do table => 'mangle', set_mark => '0x3e8/0xffffffff', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp73, catch_failures: true) end 
@@ -1762,8 +1762,8 @@ describe 'firewall basics', docker: true do end describe 'pkttype' do - context 'multicast' do - pp74 = <<-EOS + context 'when multicast' do + pp74 = <<-PUPPETCODE class { '::firewall': } firewall { '581 - test': ensure => present, @@ -1772,7 +1772,7 @@ describe 'firewall basics', docker: true do action => accept, pkttype => 'multicast', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp74, catch_failures: true) end @@ -1784,8 +1784,8 @@ describe 'firewall basics', docker: true do end end - context 'test' do - pp75 = <<-EOS + context 'when test' do + pp75 = <<-PUPPETCODE class { '::firewall': } firewall { '582 - test': ensure => present, @@ -1794,7 +1794,7 @@ describe 'firewall basics', docker: true do action => accept, pkttype => 'test', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp75, expect_failures: true) do |r| expect(r.stderr).to match(%r{Invalid value "test".}) @@ -1810,8 +1810,8 @@ describe 'firewall basics', docker: true do end describe 'isfragment' do - context 'true' do - pp76 = <<-EOS + context 'when true' do + pp76 = <<-PUPPETCODE class { '::firewall': } firewall { '583 - test': ensure => present, @@ -1820,7 +1820,7 @@ describe 'firewall basics', docker: true do action => accept, isfragment => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp76, catch_failures: true) end @@ -1832,8 +1832,8 @@ describe 'firewall basics', docker: true do end end - context 'false' do - pp77 = <<-EOS + context 'when false' do + pp77 = <<-PUPPETCODE class { '::firewall': } firewall { '584 - test': ensure => present, @@ -1842,7 +1842,7 @@ describe 'firewall basics', docker: true do action => accept, isfragment => false, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp77, catch_failures: true) end 
@@ -1857,8 +1857,8 @@ describe 'firewall basics', docker: true do # RHEL5/SLES does not support -m socket describe 'socket', unless: (default['platform'] =~ %r{el-5} || fact('operatingsystem') == 'SLES') do - context 'true' do - pp78 = <<-EOS + context 'when true' do + pp78 = <<-PUPPETCODE class { '::firewall': } firewall { '585 - test': ensure => present, @@ -1869,7 +1869,7 @@ describe 'firewall basics', docker: true do table => 'nat', socket => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp78, catch_failures: true) end @@ -1881,8 +1881,8 @@ describe 'firewall basics', docker: true do end end - context 'false' do - pp79 = <<-EOS + context 'when false' do + pp79 = <<-PUPPETCODE class { '::firewall': } firewall { '586 - test': ensure => present, @@ -1893,7 +1893,7 @@ describe 'firewall basics', docker: true do table => 'nat', socket => false, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp79, catch_failures: true) end @@ -1907,8 +1907,8 @@ describe 'firewall basics', docker: true do end describe 'ipsec_policy' do - context 'ipsec' do - pp80 = <<-EOS + context 'when ipsec' do + pp80 = <<-PUPPETCODE class { '::firewall': } firewall { '593 - test': ensure => 'present', @@ -1921,7 +1921,7 @@ describe 'firewall basics', docker: true do reject => 'icmp-net-unreachable', table => 'filter', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp80, catch_failures: true) end @@ -1933,8 +1933,8 @@ describe 'firewall basics', docker: true do end end - context 'none' do - pp81 = <<-EOS + context 'when none' do + pp81 = <<-PUPPETCODE class { '::firewall': } firewall { '594 - test': ensure => 'present', @@ -1947,7 +1947,7 @@ describe 'firewall basics', docker: true do reject => 'icmp-net-unreachable', table => 'filter', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp81, catch_failures: true) end 
@@ -1961,8 +1961,8 @@ describe 'firewall basics', docker: true do end describe 'ipsec_dir' do - context 'out' do - pp82 = <<-EOS + context 'when out' do + pp82 = <<-PUPPETCODE class { '::firewall': } firewall { '595 - test': ensure => 'present', @@ -1975,7 +1975,7 @@ describe 'firewall basics', docker: true do reject => 'icmp-net-unreachable', table => 'filter', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp82, catch_failures: true) end @@ -1987,8 +1987,8 @@ describe 'firewall basics', docker: true do end end - context 'in' do - pp83 = <<-EOS + context 'when in' do + pp83 = <<-PUPPETCODE class { '::firewall': } firewall { '596 - test': ensure => 'present', @@ -2001,7 +2001,7 @@ describe 'firewall basics', docker: true do reject => 'icmp-net-unreachable', table => 'filter', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp83, catch_failures: true) end @@ -2015,8 +2015,8 @@ describe 'firewall basics', docker: true do end describe 'recent' do - context 'set' do - pp84 = <<-EOS + context 'when set' do + pp84 = <<-PUPPETCODE class { '::firewall': } firewall { '597 - test': ensure => 'present', @@ -2028,7 +2028,7 @@ describe 'firewall basics', docker: true do rdest => true, rname => 'list1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp84, catch_failures: true) end @@ -2041,8 +2041,8 @@ describe 'firewall basics', docker: true do end end - context 'rcheck' do - pp85 = <<-EOS + context 'when rcheck' do + pp85 = <<-PUPPETCODE class { '::firewall': } firewall { '598 - test': ensure => 'present', @@ -2057,7 +2057,7 @@ describe 'firewall basics', docker: true do rhitcount => 5, rttl => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp85, catch_failures: true) end @@ -2069,8 +2069,8 @@ describe 'firewall basics', docker: true do end end - context 'update' do - pp86 = <<-EOS + context 'when update' do + pp86 = <<-PUPPETCODE class { '::firewall': } firewall { '599 - test': ensure => 'present', 
@@ -2080,7 +2080,7 @@ describe 'firewall basics', docker: true do table => 'filter', recent => 'update', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp86, catch_failures: true) end @@ -2092,8 +2092,8 @@ describe 'firewall basics', docker: true do end end - context 'remove' do - pp87 = <<-EOS + context 'when remove' do + pp87 = <<-PUPPETCODE class { '::firewall': } firewall { '600 - test': ensure => 'present', @@ -2103,7 +2103,7 @@ describe 'firewall basics', docker: true do table => 'filter', recent => 'remove', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp87, catch_failures: true) end @@ -2117,8 +2117,8 @@ describe 'firewall basics', docker: true do end describe 'mac_source' do - context '0A:1B:3C:4D:5E:6F' do - pp88 = <<-EOS + context 'when 0A:1B:3C:4D:5E:6F' do + pp88 = <<-PUPPETCODE class { '::firewall': } firewall { '610 - test': ensure => present, @@ -2126,7 +2126,7 @@ describe 'firewall basics', docker: true do mac_source => '0A:1B:3C:4D:5E:6F', chain => 'INPUT', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp88, catch_failures: true) end @@ -2152,8 +2152,8 @@ describe 'firewall basics', docker: true do end describe 'to' do - context 'Destination netmap 192.168.1.1' do - pp89 = <<-EOS + context 'when Destination netmap 192.168.1.1' do + pp89 = <<-PUPPETCODE class { '::firewall': } firewall { '569 - test': proto => tcp, @@ -2163,7 +2163,7 @@ describe 'firewall basics', docker: true do source => '200.200.200.200', to => '192.168.1.1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp89, catch_failures: true) end @@ -2182,8 +2182,8 @@ describe 'firewall basics', docker: true do end end - context 'Source netmap 192.168.1.1' do - pp90 = <<-EOS + context 'when Source netmap 192.168.1.1' do + pp90 = <<-PUPPETCODE class { '::firewall': } firewall { '569 - test': proto => tcp, 
@@ -2193,7 +2193,7 @@ describe 'firewall basics', docker: true do destination => '200.200.200.200', to => '192.168.1.1', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp90, catch_failures: true) end @@ -2206,14 +2206,14 @@ describe 'firewall basics', docker: true do end end - context 'log_prefix containing -A' do - pp91 = <<-EOS + context 'when log_prefix containing -A' do + pp91 = <<-PUPPETCODE class { '::firewall': } firewall { '700 - test': jump => 'LOG', log_prefix => 'FW-A-INPUT: ', } - EOS + PUPPETCODE it 'adds the rule' do apply_manifest(pp91, catch_failures: true) end @@ -2224,14 +2224,14 @@ describe 'firewall basics', docker: true do end end - pp92 = <<-EOS + pp92 = <<-PUPPETCODE class { '::firewall': } firewall { '700 - test': ensure => absent, jump => 'LOG', log_prefix => 'FW-A-INPUT: ', } - EOS + PUPPETCODE it 'removes the rule' do apply_manifest(pp92, catch_failures: true) end @@ -2243,15 +2243,15 @@ describe 'firewall basics', docker: true do end end - context 'log_uid is true' do - pp93 = <<-EOS + context 'when log_uid is true' do + pp93 = <<-PUPPETCODE class { '::firewall': } firewall { '700 - test log_uid': chain => 'OUTPUT', jump => 'LOG', log_uid => true, } - EOS + PUPPETCODE it 'adds the rule' do apply_manifest(pp93, catch_failures: true) end @@ -2262,7 +2262,7 @@ describe 'firewall basics', docker: true do end end - pp94 = <<-EOS + pp94 = <<-PUPPETCODE class { '::firewall': } firewall { '700 - test log_uid': chain => 'OUTPUT', @@ -2270,7 +2270,7 @@ describe 'firewall basics', docker: true do log_uid => false, ensure => absent, } - EOS + PUPPETCODE it 'removes the rule' do apply_manifest(pp94, catch_failures: true) end 
@@ -2282,14 +2282,14 @@ describe 'firewall basics', docker: true do end end - context 'comment containing "-A "' do - pp95 = <<-EOS + context 'when comment containing "-A "' do + pp95 = <<-PUPPETCODE class { '::firewall': } firewall { '700 - blah-A Test Rule': jump => 'LOG', log_prefix => 'FW-A-INPUT: ', } - EOS + PUPPETCODE it 'adds the rule' do apply_manifest(pp95, catch_failures: true) end @@ -2300,14 +2300,14 @@ describe 'firewall basics', docker: true do end end - pp96 = <<-EOS + pp96 = <<-PUPPETCODE class { '::firewall': } firewall { '700 - blah-A Test Rule': ensure => absent, jump => 'LOG', log_prefix => 'FW-A-INPUT: ', } - EOS + PUPPETCODE it 'removes the rule' do apply_manifest(pp96, catch_failures: true) end diff --git a/spec/acceptance/firewall_tee_spec.rb b/spec/acceptance/firewall_tee_spec.rb index 507fa1d..779f56d 100644 --- a/spec/acceptance/firewall_tee_spec.rb +++ b/spec/acceptance/firewall_tee_spec.rb @@ -8,8 +8,8 @@ describe 'firewall tee' do if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{ubuntu-1204} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7} describe 'tee_gateway' do - context '10.0.0.2' do - pp1 = <<-EOS + context 'when 10.0.0.2' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '810 - tee_gateway': @@ -19,7 +19,7 @@ describe 'firewall tee' do gateway => '10.0.0.2', proto => all, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) end @@ -33,8 +33,8 @@ describe 'firewall tee' do end describe 'tee_gateway6' do - context '2001:db8::1' do - pp2 = <<-EOS + context 'when 2001:db8::1' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '811 - tee_gateway6': @@ -45,7 +45,7 @@ describe 'firewall tee' do proto => all, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) end 
diff --git a/spec/acceptance/firewall_time_spec.rb b/spec/acceptance/firewall_time_spec.rb index 1cb0482..5d39eed 100644 --- a/spec/acceptance/firewall_time_spec.rb +++ b/spec/acceptance/firewall_time_spec.rb @@ -8,8 +8,8 @@ describe 'firewall time' do if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7} describe 'time tests ipv4' do - context 'set all time parameters' do - pp1 = <<-EOS + context 'when set all time parameters' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '805 - test': proto => tcp, @@ -24,7 +24,7 @@ describe 'firewall time' do week_days => 'Tue', kernel_timezone => true, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -39,8 +39,8 @@ describe 'firewall time' do end describe 'time tests ipv6' do - context 'set all time parameters' do - pp2 = <<-EOS + context 'when when set all time parameters' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '805 - test': proto => tcp, @@ -56,7 +56,7 @@ describe 'firewall time' do kernel_timezone => true, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) diff --git a/spec/acceptance/firewall_uid_spec.rb b/spec/acceptance/firewall_uid_spec.rb index 5d4ff45..adeb39d 100644 --- a/spec/acceptance/firewall_uid_spec.rb +++ b/spec/acceptance/firewall_uid_spec.rb @@ -7,8 +7,8 @@ describe 'firewall uid' do end describe 'uid tests' do - context 'uid set to root' do - pp1 = <<-EOS + context 'when uid set to root' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - test': chain => 'OUTPUT', @@ -16,7 +16,7 @@ describe 'firewall uid' do uid => 'root', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) 
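Review bot: The ipv6 context in the `describe 'time tests ipv6'` hunk now reads `context 'when when set all time parameters' do`, with the word "when" doubled, while the ipv4 hunk just above received the single prefix. Suggest `context 'when set all time parameters' do` so the two descriptions match and the generated example name reads cleanly. The enclosing `describe 'firewall time'` block starts and ends outside this hunk.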
@@ -29,8 +29,8 @@ describe 'firewall uid' do end end - context 'uid set to !root' do - pp2 = <<-EOS + context 'when uid set to !root' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - test': chain => 'OUTPUT', @@ -38,7 +38,7 @@ describe 'firewall uid' do uid => '!root', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) @@ -51,8 +51,8 @@ describe 'firewall uid' do end end - context 'uid set to 0' do - pp3 = <<-EOS + context 'when uid set to 0' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '803 - test': chain => 'OUTPUT', @@ -60,7 +60,7 @@ describe 'firewall uid' do uid => '0', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) apply_manifest(pp3, catch_changes: do_catch_changes) @@ -73,8 +73,8 @@ describe 'firewall uid' do end end - context 'uid set to !0' do - pp4 = <<-EOS + context 'when uid set to !0' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '804 - test': chain => 'OUTPUT', @@ -82,7 +82,7 @@ describe 'firewall uid' do uid => '!0', proto => 'all', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) apply_manifest(pp4, catch_changes: do_catch_changes) diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb index 4b618c0..7a08d92 100644 --- a/spec/acceptance/firewallchain_spec.rb +++ b/spec/acceptance/firewallchain_spec.rb @@ -7,12 +7,12 @@ describe 'puppet resource firewallchain command' do end describe 'ensure' do - context 'present' do - pp1 = <<-EOS + context 'when present' do + pp1 = <<-PUPPETCODE firewallchain { 'MY_CHAIN:filter:IPv4': ensure => present, } - EOS + PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency apply_manifest(pp1, catch_failures: true) 
@@ -26,12 +26,12 @@ describe 'puppet resource firewallchain command' do end end - context 'absent' do - pp2 = <<-EOS + context 'when absent' do + pp2 = <<-PUPPETCODE firewallchain { 'MY_CHAIN:filter:IPv4': ensure => absent, } - EOS + PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency apply_manifest(pp2, catch_failures: true) @@ -47,8 +47,8 @@ describe 'puppet resource firewallchain command' do end # XXX purge => false is not yet implemented - # context 'adding a firewall rule to a chain:' do - # pp3 = <<-EOS + # context 'when adding a firewall rule to a chain:' do + # pp3 = <<-PUPPETCODE # firewallchain { 'MY_CHAIN:filter:IPv4': # ensure => present, # } @@ -58,7 +58,7 @@ describe 'puppet resource firewallchain command' do # proto => 'tcp', # dport => 5000, # } - # EOS + # PUPPETCODE # it 'applies cleanly' do # # Run it twice and test for idempotency # apply_manifest(pp3, :catch_failures => true) @@ -66,8 +66,8 @@ describe 'puppet resource firewallchain command' do # end # end - # context 'not purge firewallchain chains:' do - # pp4 = <<-EOS + # context 'when not purge firewallchain chains:' do + # pp4 = <<-PUPPETCODE # firewallchain { 'MY_CHAIN:filter:IPv4': # ensure => present, # purge => false, @@ -76,7 +76,7 @@ describe 'puppet resource firewallchain command' do # resources { 'firewall': # purge => true, # } - # EOS + # PUPPETCODE # it 'does not purge the rule' do # # Run it twice and test for idempotency # apply_manifest(pp4, :catch_failures => true) do |r| @@ -86,14 +86,14 @@ describe 'puppet resource firewallchain command' do # apply_manifest(pp4, :catch_changes => do_catch_changes) # end - # pp5 = <<-EOS + # pp5 = <<-PUPPETCODE # firewall { '100 my rule': # chain => 'MY_CHAIN', # action => 'accept', # proto => 'tcp', # dport => 5000, # } - # EOS + # PUPPETCODE # it 'still has the rule' do # # Run it twice and test for idempotency # apply_manifest(pp5, :catch_changes => do_catch_changes) 
@@ -105,12 +105,12 @@ describe 'puppet resource firewallchain command' do shell('iptables -t filter -P FORWARD ACCEPT') end - context 'DROP' do - pp6 = <<-EOS + context 'when DROP' do + pp6 = <<-PUPPETCODE firewallchain { 'FORWARD:filter:IPv4': policy => 'drop', } - EOS + PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency apply_manifest(pp6, catch_failures: true) diff --git a/spec/acceptance/hashlimit_spec.rb b/spec/acceptance/hashlimit_spec.rb index 97c2187..cd9eca0 100644 --- a/spec/acceptance/hashlimit_spec.rb +++ b/spec/acceptance/hashlimit_spec.rb @@ -8,8 +8,8 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( end describe 'hashlimit_tests' do - context 'hashlimit_above' do - pp1 = <<-EOS + context 'when hashlimit_above' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '800 - hashlimit_above test': chain => 'INPUT', @@ -20,7 +20,7 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( hashlimit_mode => 'srcip,dstip', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -37,8 +37,8 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( end end - context 'hashlimit_above_ip6' do - pp2 = <<-EOS + context 'when hashlimit_above_ip6' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - hashlimit_above test ipv6': chain => 'INPUT', @@ -50,7 +50,7 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( hashlimit_mode => 'srcip,dstip', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) 
@@ -67,8 +67,8 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( end end - context 'hashlimit_upto' do - pp3 = <<-EOS + context 'when hashlimit_upto' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - hashlimit_upto test': chain => 'INPUT', @@ -80,7 +80,7 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( hashlimit_htable_expire => '36000000', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp3, catch_failures: true) apply_manifest(pp3, catch_changes: do_catch_changes) @@ -93,8 +93,8 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( end end - context 'hashlimit_upto_ip6' do - pp4 = <<-EOS + context 'when hashlimit_upto_ip6' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '803 - hashlimit_upto test ip6': chain => 'INPUT', @@ -107,7 +107,7 @@ describe 'hashlimit property', if: fact('operatingsystemmajrelease') != '5' && ( hashlimit_htable_expire => '36000000', action => accept, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp4, catch_failures: true) apply_manifest(pp4, catch_changes: do_catch_changes) diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb index 9469139..0969ca3 100644 --- a/spec/acceptance/invert_spec.rb +++ b/spec/acceptance/invert_spec.rb @@ -6,8 +6,8 @@ describe 'firewall inverting' do ip6tables_flush_all_tables end - context 'inverting rules' do - pp1 = <<-EOS + context 'when inverting rules' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '601 disallow esp protocol': action => 'accept', @@ -22,7 +22,7 @@ describe 'firewall inverting' do source => '! 10.0.0.0/8', tcp_flags => '! FIN,SYN,RST,ACK SYN', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) 
@@ -39,8 +39,8 @@ describe 'firewall inverting' do end end end - context 'inverting partial array rules' do - pp2 = <<-EOS + context 'when inverting partial array rules' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '603 drop 80,443 traffic': chain => 'INPUT', @@ -48,7 +48,7 @@ describe 'firewall inverting' do proto => 'tcp', sport => ['! http', '443'], } - EOS + PUPPETCODE it 'raises a failure' do apply_manifest(pp2, expect_failures: true) do |r| expect(r.stderr).to match(%r{is not prefixed}) diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb index 19642e0..a83ac71 100644 --- a/spec/acceptance/ip6_fragment_spec.rb +++ b/spec/acceptance/ip6_fragment_spec.rb @@ -7,14 +7,14 @@ if default['platform'] =~ %r{el-5} || default['platform'] =~ %r{sles-10} ip6tables_flush_all_tables end - pp1 = <<-EOS + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '599 - test': ensure => present, proto => 'tcp', provider => 'ip6tables', } - EOS + PUPPETCODE it "can't use ip6tables" do expect(apply_manifest(pp1, expect_failures: true).stderr).to match(%r{ip6tables provider is not supported}) end @@ -27,7 +27,7 @@ else end shared_examples 'is idempotent' do |values, line_match| - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '599 - test': ensure => present, @@ -35,7 +35,7 @@ else provider => 'ip6tables', #{values} } - EOS + PUPPETCODE it "changes the values to #{values}" do apply_manifest(pp2, catch_failures: true) apply_manifest(pp2, catch_changes: do_catch_changes) @@ -46,7 +46,7 @@ else end end shared_examples "doesn't change" do |values, line_match| - pp3 = <<-EOS + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '599 - test': ensure => present, @@ -54,7 +54,7 @@ else provider => 'ip6tables', #{values} } - EOS + PUPPETCODE it "doesn't change the values to #{values}" do apply_manifest(pp3, catch_changes: do_catch_changes) 
@@ -91,10 +91,10 @@ else ip6tables_flush_all_tables shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"') end - context 'and current value is false' do + context 'when current value is false' do it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} end - context 'and current value is true' do + context 'when current value is true' do it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', %r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"} end @@ -104,10 +104,10 @@ else ip6tables_flush_all_tables shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"') end - context 'and current value is false' do + context 'when current value is false' do it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} end - context 'and current value is true' do + context 'when current value is true' do it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', %r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"} end diff --git a/spec/acceptance/isfragment_spec.rb b/spec/acceptance/isfragment_spec.rb index 38afcdc..c11262f 100644 --- a/spec/acceptance/isfragment_spec.rb +++ b/spec/acceptance/isfragment_spec.rb 
@@ -7,14 +7,14 @@ describe 'firewall isfragment property' do end shared_examples 'is idempotent' do |value, line_match| - pp1 = <<-EOS + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '597 - test': ensure => present, proto => 'tcp', #{value} } - EOS + PUPPETCODE it "changes the value to #{value}" do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: do_catch_changes) @@ -26,14 +26,14 @@ describe 'firewall isfragment property' do end shared_examples "doesn't change" do |value, line_match| - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '597 - test': ensure => present, proto => 'tcp', #{value} } - EOS + PUPPETCODE it "doesn't change the value to #{value}" do apply_manifest(pp2, catch_changes: do_catch_changes) diff --git a/spec/acceptance/match_mark_spec.rb b/spec/acceptance/match_mark_spec.rb index 6cf38ec..e62a339 100644 --- a/spec/acceptance/match_mark_spec.rb +++ b/spec/acceptance/match_mark_spec.rb @@ -8,15 +8,15 @@ describe 'firewall match marks' do if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} describe 'match_mark' do - context '0x1' do - pp1 = <<-EOS + context 'when 0x1' do + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '503 match_mark - test': proto => 'all', match_mark => '0x1', action => reject, } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp1, catch_failures: true) end @@ -30,8 +30,8 @@ describe 'firewall match marks' do end describe 'match_mark_ip6' do - context '0x1' do - pp2 = <<-EOS + context 'when 0x1' do + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '503 match_mark ip6tables - test': proto => 'all', @@ -39,7 +39,7 @@ describe 'firewall match marks' do action => reject, provider => 'ip6tables', } - EOS + PUPPETCODE it 'applies' do apply_manifest(pp2, catch_failures: true) end diff --git a/spec/acceptance/nflog_spec.rb b/spec/acceptance/nflog_spec.rb index 1ec0589..f0311be 100644 --- a/spec/acceptance/nflog_spec.rb 
+++ b/spec/acceptance/nflog_spec.rb @@ -1,14 +1,14 @@ require 'spec_helper_acceptance' describe 'nflog on older OSes', if: fact('iptables_version') < '1.3.7' do # rubocop:disable RSpec/MultipleDescribes : Describes are clearly seperate - pp1 = <<-EOS + pp1 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_group => 3, } - EOS + PUPPETCODE it 'throws an error' do apply_manifest(pp1, acceptable_error_codes: [0]) end @@ -19,10 +19,10 @@ describe 'nflog', unless: fact('iptables_version') < '1.3.7' do let(:group) { 3 } it 'applies' do - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_group => #{group}} - EOS + PUPPETCODE apply_manifest(pp2, catch_failures: true) end @@ -37,10 +37,10 @@ describe 'nflog', unless: fact('iptables_version') < '1.3.7' do let(:prefix) { 'TEST PREFIX' } it 'applies' do - pp3 = <<-EOS + pp3 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_prefix => '#{prefix}'} - EOS + PUPPETCODE apply_manifest(pp3, catch_failures: true) end @@ -55,10 +55,10 @@ describe 'nflog', unless: fact('iptables_version') < '1.3.7' do let(:range) { 16 } it 'applies' do - pp4 = <<-EOS + pp4 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_range => #{range}} - EOS + PUPPETCODE apply_manifest(pp4, catch_failures: true) end @@ -73,10 +73,10 @@ describe 'nflog', unless: fact('iptables_version') < '1.3.7' do let(:threshold) { 2 } it 'applies' do - pp5 = <<-EOS + pp5 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => #{threshold}} - EOS + PUPPETCODE apply_manifest(pp5, catch_failures: true) end 
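Review bot: Both describe guards in this file compare the iptables version as strings, `fact('iptables_version') < '1.3.7'` in the first hunk and the `unless:` form visible in the later hunk headers; String `<` is lexicographic, so a release such as '1.10.0' sorts before '1.3.7' and a modern host would run the "older OSes" suite. A numeric comparison such as `Gem::Version.new(fact('iptables_version')) < Gem::Version.new('1.3.7')` fixes both guards. Separately, the example named 'throws an error' calls `apply_manifest(pp1, acceptable_error_codes: [0])`, which accepts only a successful exit and so appears to assert the opposite of its name; `expect_failures: true` would match the description. The rubocop disable comment also misspells "separate".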
@@ -92,10 +92,10 @@ describe 'nflog', unless: fact('iptables_version') < '1.3.7' do let(:group) { 3 } it 'applies' do - pp6 = <<-EOS + pp6 = <<-PUPPETCODE class {'::firewall': } firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => #{threshold}, nflog_group => #{group}} - EOS + PUPPETCODE apply_manifest(pp6, catch_failures: true) end diff --git a/spec/acceptance/params_spec.rb b/spec/acceptance/params_spec.rb index 12dffbb..725daef 100644 --- a/spec/acceptance/params_spec.rb +++ b/spec/acceptance/params_spec.rb @@ -6,7 +6,7 @@ describe 'param based tests' do ip6tables_flush_all_tables end - ppm1 = <<-EOS + ppm1 = <<-PUPPETCODE firewall { '100 test': table => 'raw', socket => 'true', @@ -14,7 +14,7 @@ describe 'param based tests' do jump => 'LOG', log_level => 'debug', } - EOS + PUPPETCODE values = [2, 0] it 'test various params', unless: (default['platform'].match(%r{el-5}) || fact('operatingsystem') == 'SLES') do iptables_flush_all_tables @@ -24,13 +24,13 @@ describe 'param based tests' do end end - ppm2 = <<-EOS + ppm2 = <<-PUPPETCODE firewall { '998 log all': proto => 'all', jump => 'LOG', log_level => 'debug', } - EOS + PUPPETCODE values = [2, 0] it 'test log rule' do iptables_flush_all_tables @@ -40,7 +40,7 @@ describe 'param based tests' do end end - ppm3 = <<-EOS + ppm3 = <<-PUPPETCODE firewall { '004 log all INVALID packets': chain => 'INPUT', proto => 'all', @@ -49,8 +49,8 @@ describe 'param based tests' do log_level => '3', log_prefix => 'IPTABLES dropped invalid: ', } - EOS - ppm4 = <<-EOS + PUPPETCODE + ppm4 = <<-PUPPETCODE firewall { '003 log all INVALID packets': chain => 'INPUT', proto => 'all', 
@@ -59,12 +59,12 @@ describe 'param based tests' do log_level => '3', log_prefix => 'IPTABLES dropped invalid: ', } - EOS - ppm5 = <<-EOS + "\n" + ppm4 + PUPPETCODE + ppm5 = <<-PUPPETCODE + "\n" + ppm4 resources { 'firewall': purge => true, } - EOS + PUPPETCODE it 'test log rule - changing names' do # rubocop:disable RSpec/MultipleExpectations iptables_flush_all_tables @@ -72,23 +72,23 @@ describe 'param based tests' do expect(apply_manifest(ppm5, catch_failures: true).exit_code).to eq(2) end - ppm6 = <<-EOS + ppm6 = <<-PUPPETCODE firewall { '004 with a chain': chain => 'INPUT', proto => 'all', } - EOS - ppm7 = <<-EOS + PUPPETCODE + ppm7 = <<-PUPPETCODE firewall { '004 with a chain': chain => 'OUTPUT', proto => 'all', } - EOS - _ppm8 = <<-EOS + "\n" + ppm7 + PUPPETCODE + _ppm8 = <<-PUPPETCODE + "\n" + ppm7 resources { 'firewall': purge => true, } - EOS + PUPPETCODE it 'test chain - changing names' do iptables_flush_all_tables @@ -96,7 +96,7 @@ describe 'param based tests' do expect(apply_manifest(ppm7, expect_failures: true).stderr).to match(%r{is not supported}) end - ppm9 = <<-EOS + ppm9 = <<-PUPPETCODE firewall { '004 log all INVALID packets': chain => 'INPUT', proto => 'all', @@ -105,7 +105,7 @@ describe 'param based tests' do log_level => '3', log_prefix => 'IPTABLES dropped invalid: ', } - EOS + PUPPETCODE values = [2, 0] it 'test log rule - idempotent' do iptables_flush_all_tables @@ -115,14 +115,14 @@ describe 'param based tests' do end end - ppm10 = <<-EOS + ppm10 = <<-PUPPETCODE firewall { '997 block src ip range': chain => 'INPUT', proto => 'all', action => 'drop', src_range => '10.0.0.1-10.0.0.10', } - EOS + PUPPETCODE values = [2, 0] it 'test src_range rule' do iptables_flush_all_tables 
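Review bot: In the `@@ -72,23 +72,23 @@` hunk `_ppm8 = <<-PUPPETCODE + "\n" + ppm7` is built but never applied; the leading underscore only silences the unused-variable lint, so the purge manifest for the chain-change case is not exercised, unlike `ppm5` just above which is applied with `catch_failures: true`. Since `ppm7` is expected to fail with 'is not supported' and `_ppm8` embeds it, applying it would fail as well, which suggests the definition is dead and would be clearer deleted than underscored. The `describe 'param based tests'` block starts and ends outside this hunk.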
@@ -132,14 +132,14 @@ describe 'param based tests' do end end - ppm11 = <<-EOS + ppm11 = <<-PUPPETCODE firewall { '998 block dst ip range': chain => 'INPUT', proto => 'all', action => 'drop', dst_range => '10.0.0.2-10.0.0.20', } - EOS + PUPPETCODE values = [2, 0] it 'test dst_range rule' do iptables_flush_all_tables diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb index 47a03ca..7d056b5 100644 --- a/spec/acceptance/purge_spec.rb +++ b/spec/acceptance/purge_spec.rb @@ -6,7 +6,7 @@ describe 'purge tests' do ip6tables_flush_all_tables end - context('resources purge') do + context('when resources purge') do before(:all) do iptables_flush_all_tables @@ -14,12 +14,12 @@ describe 'purge tests' do shell('iptables -A INPUT -s 1.2.1.2') end - pp1 = <<-EOS + pp1 = <<-PUPPETCODE class { 'firewall': } resources { 'firewall': purge => true, } - EOS + PUPPETCODE it 'make sure duplicate existing rules get purged' do apply_manifest(pp1, expect_changes: true) end @@ -32,7 +32,7 @@ describe 'purge tests' do end end - context('ipv4 chain purge') do + context('when ipv4 chain purge') do after(:all) do iptables_flush_all_tables end @@ -44,12 +44,12 @@ describe 'purge tests' do shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"') end - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'INPUT:filter:IPv4': purge => true, } - EOS + PUPPETCODE # rubocop:disable RSpec/ExampleLength it 'purges only the specified chain' do # rubocop:disable RSpec/MultipleExpectations apply_manifest(pp2, expect_changes: true) @@ -62,7 +62,7 @@ describe 'purge tests' do end # rubocop:enable RSpec/ExampleLength - pp3 = <<-EOS + pp3 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'OUTPUT:filter:IPv4': purge => true, 
@@ -72,12 +72,12 @@ describe 'purge tests' do proto => 'all', source => '1.2.1.2', } - EOS + PUPPETCODE it 'ignores managed rules' do apply_manifest(pp3, catch_changes: do_catch_changes) end - pp4 = <<-EOS + pp4 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'INPUT:filter:IPv4': purge => true, @@ -85,12 +85,12 @@ describe 'purge tests' do '-s 1\.2\.1\.1', ], } - EOS + PUPPETCODE it 'ignores specified rules' do apply_manifest(pp4, catch_changes: do_catch_changes) end - pp5 = <<-EOS + pp5 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'INPUT:filter:IPv4': purge => true, @@ -118,7 +118,7 @@ describe 'purge tests' do proto => 'all', source => '1.2.1.3', } - EOS + PUPPETCODE it 'adds managed rules with ignored rules' do apply_manifest(pp5, catch_failures: true) @@ -127,7 +127,7 @@ describe 'purge tests' do end if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} - context 'ipv6 chain purge' do + context 'when ipv6 chain purge' do after(:all) do ip6tables_flush_all_tables end @@ -139,12 +139,12 @@ describe 'purge tests' do shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"') end - pp6 = <<-EOS + pp6 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'INPUT:filter:IPv6': purge => true, } - EOS + PUPPETCODE # rubocop:disable RSpec/ExampleLength it 'purges only the specified chain' do # rubocop:disable RSpec/MultipleExpectations apply_manifest(pp6, expect_changes: true) @@ -157,7 +157,7 @@ describe 'purge tests' do end # rubocop:enable RSpec/ExampleLength - pp7 = <<-EOS + pp7 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'OUTPUT:filter:IPv6': purge => true, @@ -168,12 +168,12 @@ describe 'purge tests' do source => '1::50', provider => 'ip6tables', } - EOS + PUPPETCODE it 'ignores managed rules' do apply_manifest(pp7, catch_changes: do_catch_changes) end - pp8 = <<-EOS + pp8 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'INPUT:filter:IPv6': purge => true, 
@@ -181,12 +181,12 @@ describe 'purge tests' do '-s 1::42', ], } - EOS + PUPPETCODE it 'ignores specified rules' do apply_manifest(pp8, catch_changes: do_catch_changes) end - pp9 = <<-EOS + pp9 = <<-PUPPETCODE class { 'firewall': } firewallchain { 'INPUT:filter:IPv6': purge => true, @@ -218,7 +218,7 @@ describe 'purge tests' do source => '1::43', provider => 'ip6tables', } - EOS + PUPPETCODE it 'adds managed rules with ignored rules' do apply_manifest(pp9, catch_failures: true) diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb index df78250..6ed69eb 100644 --- a/spec/acceptance/resource_cmd_spec.rb +++ b/spec/acceptance/resource_cmd_spec.rb @@ -10,7 +10,7 @@ describe 'puppet resource firewall command' do shell("sed -i -e \'s/^templatedir.*$//\' #{config}") end - context 'make sure it returns no errors when executed on a clean machine' do + context 'when make sure it returns no errors when executed on a clean machine' do it do shell('puppet resource firewall') do |r| r.exit_code.should be_zero @@ -20,7 +20,7 @@ describe 'puppet resource firewall command' do end end - context 'flush iptables and make sure it returns nothing afterwards' do + context 'when flush iptables and make sure it returns nothing afterwards' do before(:all) do iptables_flush_all_tables end @@ -34,7 +34,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules without comments' do + context 'when accepts rules without comments' do before(:all) do iptables_flush_all_tables shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80') @@ -49,7 +49,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules with invalid comments' do + context 'when accepts rules with invalid comments' do before(:all) do iptables_flush_all_tables shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"') 
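Review bot: The mechanical "when" prefix in the `@@ -10,7 +10,7 @@` hunk yields `context 'when make sure it returns no errors when executed on a clean machine' do`, which is not a readable description and now contains two "when"s. Suggest `context 'when executed on a clean machine' do`, since the example body already expresses the no-errors expectation, and similarly `context 'when iptables has been flushed' do` for the second hunk. The 'when accepts rules …' descriptions in the following hunks are likewise ungrammatical; 'when given rules without comments' and 'when given rules with invalid comments' read naturally. The `describe 'puppet resource firewall command'` block starts before and ends after these hunks.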
@@ -64,7 +64,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules with negation' do + context 'when accepts rules with negation' do before :all do iptables_flush_all_tables shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535') @@ -81,7 +81,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules with match extension tcp flag' do + context 'when accepts rules with match extension tcp flag' do before :all do iptables_flush_all_tables shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42') @@ -97,7 +97,7 @@ describe 'puppet resource firewall command' do end if default['platform'] !~ %r{sles-10} - context 'accepts rules utilizing the statistic module' do + context 'when accepts rules utilizing the statistic module' do before :all do iptables_flush_all_tables # This command doesn't work with all versions/oses, so let it fail @@ -116,7 +116,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules with negation' do + context 'when accepts rules with negation' do before :all do iptables_flush_all_tables shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -m policy --dir out --pol ipsec -j ACCEPT') @@ -135,7 +135,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules with -m (tcp|udp) without dport/sport' do + context 'when accepts rules with -m (tcp|udp) without dport/sport' do before :all do iptables_flush_all_tables shell('iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp -j ACCEPT') @@ -150,7 +150,7 @@ describe 'puppet resource firewall command' do end end - context 'accepts rules with -m ttl' do + context 'when accepts rules with -m ttl' do before :all do iptables_flush_all_tables shell('iptables -t nat -A OUTPUT -s 10.0.0.0/8 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299') 
@@ -169,7 +169,7 @@ describe 'puppet resource firewall command' do # ip6tables provider # TODO: Test below fails if this file is run seperately. i.e. bundle exec rspec spec/acceptance/resource_cmd_spec.rb if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10} - context 'dport/sport with ip6tables' do + context 'when dport/sport with ip6tables' do before :all do if fact('osfamily') == 'Debian' shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections') diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb index d0c9e11..211f350 100644 --- a/spec/acceptance/rules_spec.rb +++ b/spec/acceptance/rules_spec.rb @@ -14,7 +14,7 @@ describe 'rules spec' do shell('iptables -t filter --flush') end - pp1 = <<-EOS + pp1 = <<-PUPPETCODE firewall { '090 forward allow local': chain => 'FORWARD', proto => 'all', @@ -91,7 +91,7 @@ describe 'rules spec' do toports => '22', jump => 'REDIRECT', } - EOS + PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency apply_manifest(pp1, catch_failures: true) @@ -121,7 +121,7 @@ describe 'rules spec' do shell('iptables -t filter --flush') end - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class { '::firewall': } Firewall { @@ -237,7 +237,7 @@ describe 'rules spec' do # and the nat table firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: } - EOS + PUPPETCODE it 'applies cleanly' do # Run it twice and test for idempotency apply_manifest(pp2, catch_failures: true) diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb index d6af304..77ee252 100644 --- a/spec/acceptance/socket_spec.rb +++ b/spec/acceptance/socket_spec.rb @@ -8,7 +8,7 @@ describe 'firewall socket property', unless: default['platform'] =~ %r{el-5} || end shared_examples 'is idempotent' do |value, line_match| - pp1 = <<-EOS + pp1 = <<-PUPPETCODE class { '::firewall': } firewall { '598 - test': ensure => present, 
@@ -17,7 +17,7 @@ describe 'firewall socket property', unless: default['platform'] =~ %r{el-5} || table => 'raw', #{value} } - EOS + PUPPETCODE it "changes the value to #{value}" do apply_manifest(pp1, catch_failures: true) apply_manifest(pp1, catch_changes: true) @@ -29,7 +29,7 @@ describe 'firewall socket property', unless: default['platform'] =~ %r{el-5} || end shared_examples "doesn't change" do |value, line_match| - pp2 = <<-EOS + pp2 = <<-PUPPETCODE class { '::firewall': } firewall { '598 - test': ensure => present, @@ -38,7 +38,7 @@ describe 'firewall socket property', unless: default['platform'] =~ %r{el-5} || table => 'raw', #{value} } - EOS + PUPPETCODE it "doesn't change the value to #{value}" do apply_manifest(pp2, catch_changes: true) diff --git a/spec/acceptance/standard_usage_spec.rb b/spec/acceptance/standard_usage_spec.rb index 69feb67..c4cc430 100644 --- a/spec/acceptance/standard_usage_spec.rb +++ b/spec/acceptance/standard_usage_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper_acceptance' # Some tests for the standard recommended usage describe 'standard usage tests' do - pp = <<-EOS + pp = <<-PUPPETCODE class my_fw::pre { Firewall { require => undef, @@ -50,7 +50,7 @@ describe 'standard usage tests' do proto => 'tcp', dport => 22, } - EOS + PUPPETCODE it 'applies twice' do # Run it twice and test for idempotency apply_manifest(pp, catch_failures: true) diff --git a/spec/unit/classes/firewall_linux_archlinux_spec.rb b/spec/unit/classes/firewall_linux_archlinux_spec.rb index b63910a..5c69ae3 100644 --- a/spec/unit/classes/firewall_linux_archlinux_spec.rb +++ b/spec/unit/classes/firewall_linux_archlinux_spec.rb @@ -21,7 +21,7 @@ describe 'firewall::linux::archlinux', type: :class do ) } - context 'ensure => stopped' do + context 'with ensure => stopped' do let(:params) { { ensure: 'stopped' } } it { 
@@ -36,7 +36,7 @@ describe 'firewall::linux::archlinux', type: :class do } end - context 'enable => false' do + context 'with enable => false' do let(:params) { { enable: 'false' } } it { diff --git a/spec/unit/classes/firewall_linux_debian_spec.rb b/spec/unit/classes/firewall_linux_debian_spec.rb index cc7d7a4..81b81a2 100644 --- a/spec/unit/classes/firewall_linux_debian_spec.rb +++ b/spec/unit/classes/firewall_linux_debian_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' describe 'firewall::linux::debian', type: :class do - context 'Debian 7' do + context 'with Debian 7' do let(:facts) do { osfamily: 'Debian', @@ -24,7 +24,7 @@ describe 'firewall::linux::debian', type: :class do } end - context 'deb7 enable => false' do + context 'with deb7 enable => false' do let(:facts) do { osfamily: 'Debian', @@ -41,7 +41,7 @@ describe 'firewall::linux::debian', type: :class do } end - context 'Debian 8' do + context 'with Debian 8' do let(:facts) do { osfamily: 'Debian', @@ -64,7 +64,7 @@ describe 'firewall::linux::debian', type: :class do } end - context 'deb8 enable => false' do + context 'with deb8 enable => false' do let(:facts) do { osfamily: 'Debian', @@ -81,7 +81,7 @@ describe 'firewall::linux::debian', type: :class do } end - context 'Debian 8, alt operatingsystem' do + context 'with Debian 8, alt operatingsystem' do let(:facts) do { osfamily: 'Debian', @@ -104,7 +104,7 @@ describe 'firewall::linux::debian', type: :class do } end - context 'deb8, alt operatingsystem, enable => false' do + context 'with deb8, alt operatingsystem, enable => false' do let(:facts) do { osfamily: 'Debian', diff --git a/spec/unit/classes/firewall_linux_gentoo_spec.rb b/spec/unit/classes/firewall_linux_gentoo_spec.rb index 75d683f..629dced 100644 --- a/spec/unit/classes/firewall_linux_gentoo_spec.rb +++ b/spec/unit/classes/firewall_linux_gentoo_spec.rb 
@@ -26,7 +26,7 @@ describe 'firewall::linux::gentoo', type: :class do ) } - context 'ensure => stopped' do + context 'with ensure => stopped' do let(:params) { { ensure: 'stopped' } } it { @@ -41,7 +41,7 @@ describe 'firewall::linux::gentoo', type: :class do } end - context 'enable => false' do + context 'with enable => false' do let(:params) { { enable: 'false' } } it { diff --git a/spec/unit/classes/firewall_linux_redhat_spec.rb b/spec/unit/classes/firewall_linux_redhat_spec.rb index b2714af..df71d43 100644 --- a/spec/unit/classes/firewall_linux_redhat_spec.rb +++ b/spec/unit/classes/firewall_linux_redhat_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' RSpec.shared_examples 'ensures iptables service' do - context 'default' do + context 'with default' do it { is_expected.to contain_service('iptables').with( ensure: 'running', @@ -10,7 +10,7 @@ RSpec.shared_examples 'ensures iptables service' do } end - context 'ensure => stopped' do + context 'with ensure => stopped' do let(:params) { { ensure: 'stopped' } } it { @@ -20,7 +20,7 @@ RSpec.shared_examples 'ensures iptables service' do } end - context 'enable => false' do + context 'with enable => false' do let(:params) { { enable: 'false' } } it { @@ -80,7 +80,7 @@ describe 'firewall::linux::redhat', type: :class do ) } - context 'ensure => stopped' do + context 'with ensure => stopped' do let(:params) { { ensure: 'stopped' } } it { @@ -90,7 +90,7 @@ describe 'firewall::linux::redhat', type: :class do } end - context 'ensure_v6 => stopped' do + context 'with ensure_v6 => stopped' do let(:params) { { ensure_v6: 'stopped' } } it { @@ -100,7 +100,7 @@ describe 'firewall::linux::redhat', type: :class do } end - context 'enable => false' do + context 'with enable => false' do let(:params) { { enable: 'false' } } it { @@ -110,7 +110,7 @@ describe 'firewall::linux::redhat', type: :class do } end - context 'enable_v6 => false' do + context 'with enable_v6 => false' do let(:params) { { enable_v6: 'false' } } it { 
diff --git a/spec/unit/classes/firewall_spec.rb b/spec/unit/classes/firewall_spec.rb index e237f20..0fe37fd 100644 --- a/spec/unit/classes/firewall_spec.rb +++ b/spec/unit/classes/firewall_spec.rb @@ -1,45 +1,45 @@ require 'spec_helper' describe 'firewall', type: :class do - context 'kernel => Linux' do + context 'with kernel => Linux' do with_debian_facts it { is_expected.to contain_class('firewall::linux').with_ensure('running') } end # rubocop:disable RSpec/MultipleExpectations - context 'kernel => Windows' do + context 'with kernel => Windows' do let(:facts) { { kernel: 'Windows' } } it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) } end - context 'kernel => SunOS' do + context 'with kernel => SunOS' do let(:facts) { { kernel: 'SunOS' } } it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) } end - context 'kernel => Darwin' do + context 'with kernel => Darwin' do let(:facts) { { kernel: 'Darwin' } } it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) } end - context 'ensure => stopped' do + context 'with ensure => stopped' do with_debian_facts let(:params) { { ensure: 'stopped' } } it { is_expected.to contain_class('firewall::linux').with_ensure('stopped') } end - context 'ensure => test' do + context 'with ensure => test' do let(:facts) { { kernel: 'Linux' } } let(:params) { { ensure: 'test' } } it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) } end - context 'ebtables_manage => true' do + context 'with ebtables_manage => true' do let(:facts) { { kernel: 'Linux' } } let(:params) { { ebtables_manage: true } } diff --git a/spec/unit/facter/iptables_persistent_version_spec.rb b/spec/unit/facter/iptables_persistent_version_spec.rb index 252089b..a0aeca1 100644 --- a/spec/unit/facter/iptables_persistent_version_spec.rb +++ b/spec/unit/facter/iptables_persistent_version_spec.rb 
@@ -1,7 +1,7 @@ require 'spec_helper' describe 'Facter::Util::Fact iptables_persistent_version' do - context 'iptables-persistent applicable' do + context 'when iptables-persistent applicable' do before(:each) { Facter.clear } let(:dpkg_cmd) { "dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null" } @@ -47,7 +47,7 @@ describe 'Facter::Util::Fact iptables_persistent_version' do end end - context 'netfilter-persistent applicable' do + context 'when netfilter-persistent applicable' do before(:each) { Facter.clear } let(:dpkg_cmd) { "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null" } diff --git a/spec/unit/puppet/provider/ip6tables_spec.rb b/spec/unit/puppet/provider/ip6tables_spec.rb index 4814f15..cf1ebfd 100644 --- a/spec/unit/puppet/provider/ip6tables_spec.rb +++ b/spec/unit/puppet/provider/ip6tables_spec.rb @@ -43,14 +43,14 @@ describe 'ip6tables' do provider.new(resource.new(params)) } end - context 'iptables 1.3' do + context 'when iptables 1.3' do let(:params) { { name: '000 test foo', action: 'accept' } } let(:error_message) { %r{The ip6tables provider is not supported on version 1\.3 of iptables} } let(:ip6tables_version) { '1.3.10' } it_behaves_like 'raise error' end - context 'ip6tables nil' do + context 'when ip6tables nil' do let(:params) { { name: '000 test foo', action: 'accept' } } let(:error_message) { %r{The ip6tables provider is not supported on version 1\.3 of iptables} } let(:ip6tables_version) { nil } diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb index ae71adf..3a0e0af 100755 --- a/spec/unit/puppet/type/firewallchain_spec.rb +++ b/spec/unit/puppet/type/firewallchain_spec.rb @@ -55,8 +55,8 @@ describe firewallchain do # rubocop:disable RSpec/MultipleDescribes expect(resource[:name]).to eql name end end - end # chainname - end # protocol + end + end %w[PREROUTING POSTROUTING BROUTING INPUT FORWARD OUTPUT].each do |internalchain| name = internalchain + ':' + table + ':' 
@@ -77,8 +77,8 @@ describe firewallchain do # rubocop:disable RSpec/MultipleDescribes expect { resource[:name] = name }.to raise_error(Puppet::Error) end end - end # internalchain - end # table, allowedinternalchainnames + end + end it 'fails with invalid table names' do expect { resource[:name] = 'wrongtablename:test:IPv4' }.to raise_error(Puppet::Error) @@ -149,7 +149,7 @@ describe firewallchain do # rubocop:disable RSpec/MultipleDescribes describe 'purge iptables rules' do # rubocop:disable Layout/IndentHeredoc before(:each) do - stub_return = <