From bee4a8914b69aa2ffe219384c4afc5f55551acab Mon Sep 17 00:00:00 2001 From: tphoney Date: Wed, 20 Feb 2019 11:39:10 +0000 Subject: [PATCH] clean dst_type src_type tcp_flags chain source tests --- .../firewall_attributes_exceptions_spec.rb | 109 ------------------ .../firewall_attributes_happy_path_spec.rb | 42 +++++++ 2 files changed, 42 insertions(+), 109 deletions(-) diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb index 6aa4f13..336367a 100644 --- a/spec/acceptance/firewall_attributes_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb @@ -243,47 +243,6 @@ describe 'firewall basics', docker: true do ['dst_type', 'src_type'].each do |type| describe type.to_s do - context 'when MULTICAST' do - pp26 = <<-PUPPETCODE - class { '::firewall': } - firewall { '563 - test': - proto => tcp, - action => accept, - #{type} => 'MULTICAST', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp26, catch_failures: true) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "563 - test" -j ACCEPT}) - end - end - end - - context 'when ! MULTICAST' do - pp27 = <<-PUPPETCODE - class { '::firewall': } - firewall { '563 - test inversion': - proto => tcp, - action => accept, - #{type} => '! MULTICAST', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp27, catch_failures: true) - apply_manifest(pp27, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "563 - test inversion" -j ACCEPT}) - end - end - end - context 'when BROKEN' do pp28 = <<-PUPPETCODE class { '::firewall': } 
@@ -414,50 +373,6 @@ describe 'firewall basics', docker: true do end end - describe 'tcp_flags' do - context 'when FIN,SYN ACK' do - pp29 = <<-PUPPETCODE - class { '::firewall': } - firewall { '564 - test': - proto => tcp, - action => accept, - tcp_flags => 'FIN,SYN ACK', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp29, catch_failures: true) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN ACK -m comment --comment "564 - test" -j ACCEPT}) - end - end - end - end - - describe 'chain' do - context 'when INPUT' do - pp30 = <<-PUPPETCODE - class { '::firewall': } - firewall { '565 - test': - proto => tcp, - action => accept, - chain => 'FORWARD', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp30, catch_failures: true) - end - - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m comment --comment "565 - test" -j ACCEPT}) - end - end - end - end - describe 'table' do context 'when mangle' do pp31 = <<-PUPPETCODE @@ -529,30 +444,6 @@ describe 'firewall basics', docker: true do end end - describe 'tosource' do - context 'when 192.168.1.1' do - pp35 = <<-PUPPETCODE - class { '::firewall': } - firewall { '568 - test': - proto => tcp, - table => 'nat', - chain => 'POSTROUTING', - jump => 'SNAT', - tosource => '192.168.1.1', - } - PUPPETCODE - it 'applies' do - apply_manifest(pp35, catch_failures: true) - end - - it 'contains the rule' do - shell('iptables-save -t nat') do |r| - expect(r.stdout).to match(%r{A POSTROUTING -p tcp -m comment --comment "568 - test" -j SNAT --to-source 192.168.1.1}) - end - end - end - end - describe 'todest' do context 'when 192.168.1.1' do pp36 = <<-PUPPETCODE diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index ca25dda..0f29650 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb 
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -73,6 +73,33 @@ describe 'firewall attribute testing, happy path' do port => '562-563', action => accept, } + firewall { '563 - dst_type': + proto => tcp, + action => accept, + dst_type => 'MULTICAST', + } + firewall { '564 - src_type negated': + proto => tcp, + action => accept, + src_type => '! MULTICAST', + } + firewall { '565 - tcp_flags': + proto => tcp, + action => accept, + tcp_flags => 'FIN,SYN ACK', + } + firewall { '566 - chain': + proto => tcp, + action => accept, + chain => 'FORWARD', + } + firewall { '568 - tosource': + proto => tcp, + table => 'nat', + chain => 'POSTROUTING', + jump => 'SNAT', + tosource => '192.168.1.1', + } firewall { '801 - gid root': chain => 'OUTPUT', action => accept, @@ -138,6 +165,21 @@ describe 'firewall attribute testing, happy path' do it 'port range is set' do expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - port range" -j ACCEPT}) end + it 'dst_type is set' do + expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --dst-type MULTICAST -m comment --comment "563 - dst_type" -j ACCEPT}) + end + it 'src_type is negated' do + expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype ! --src-type MULTICAST -m comment --comment "564 - src_type negated" -j ACCEPT}) + end + it 'tcp_flags is set' do + expect(result.stdout).to match(%r{-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN ACK -m comment --comment "565 - tcp_flags" -j ACCEPT}) + end + it 'chain is set' do + expect(result.stdout).to match(%r{-A FORWARD -p tcp -m comment --comment "566 - chain" -j ACCEPT}) + end + it 'tosource is set' do + expect(result.stdout).to match(%r{A POSTROUTING -p tcp -m comment --comment "568 - tosource" -j SNAT --to-source 192.168.1.1}) + end it 'gid set to root' do expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT}) end -- 2.45.2
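Review bot: The negated `src_type => '! MULTICAST'` resource added here is the one case the removed exceptions spec applied a second time with `catch_changes: do_catch_changes`, and nothing in this hunk carries that idempotency check over to the consolidated manifest. Unless the happy-path spec re-applies its manifest somewhere outside the hunk, an inversion that iptables-save reports in a different form from how it was written would now pass as long as the first apply succeeds. Consider adding `apply_manifest(pp, catch_changes: do_catch_changes)` next to the existing apply, or a comment on the `'564 - src_type negated'` resource noting that idempotency of the negation is no longer asserted. The manifest heredoc and the enclosing `describe` both start before this hunk.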
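Review bot: The `src_type is negated` expectation pins `-m addrtype ! --src-type MULTICAST`, whereas the test it replaces accepted either `! --src-type MULTICAST` or `--src-type ! MULTICAST` through an alternation, presumably because iptables-save prints the inversion differently across versions; if that variance is real this stricter regex will fail on the other form, so either keep the alternation or state in a comment which iptables output form the suite now requires. The `tosource is set` regex also starts at `A POSTROUTING` without the leading `-` and relies on `result` coming from an unfiltered `iptables-save` that includes the nat table, which is not visible here (the removed test ran `iptables-save -t nat`). `expect(result.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "568 - tosource" -j SNAT --to-source 192.168.1.1})` tightens the anchor; the `result` definition and the enclosing `describe` start before this hunk.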