require 'spec_helper_acceptance'

# Acceptance spec for the `firewallchain` type: creates and removes a custom
# chain, then changes the built-in FORWARD chain's policy, verifying each step
# against the live `iptables-save` output.
describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
  # Every group below starts from empty tables, so a chain left behind by an
  # earlier spec can neither satisfy nor break an assertion here.
  before :all do
    iptables_flush_all_tables
  end

  # Apply +manifest+ once for effect, then once more to assert idempotency.
  # The second run is skipped when the host reports SELinux as enabled,
  # mirroring the per-example guard this spec used before the helper existed.
  def apply_idempotently(manifest)
    apply_manifest(manifest, :catch_failures => true)
    return if fact('selinux') == 'true'

    apply_manifest(manifest, :catch_changes => true)
  end

  describe 'ensure' do
    context 'present' do
      let(:manifest) do
        <<-EOS
          firewallchain { 'MY_CHAIN:filter:IPv4':
            ensure => present,
          }
        EOS
      end

      it 'applies cleanly' do
        apply_idempotently(manifest)
      end

      it 'finds the chain' do
        shell('iptables-save') do |result|
          expect(result.stdout).to match(/MY_CHAIN/)
        end
      end
    end

    context 'absent' do
      let(:manifest) do
        <<-EOS
          firewallchain { 'MY_CHAIN:filter:IPv4':
            ensure => absent,
          }
        EOS
      end

      it 'applies cleanly' do
        apply_idempotently(manifest)
      end

      it 'fails to find the chain' do
        shell('iptables-save') do |result|
          expect(result.stdout).not_to match(/MY_CHAIN/)
        end
      end
    end
  end

  # XXX purge => false is not yet implemented
  #context 'adding a firewall rule to a chain:' do
  #  it 'applies cleanly' do
  #    pp = <<-EOS
  #      firewallchain { 'MY_CHAIN:filter:IPv4':
  #        ensure => present,
  #      }
  #      firewall { '100 my rule':
  #        chain  => 'MY_CHAIN',
  #        action => 'accept',
  #        proto  => 'tcp',
  #        dport  => 5000,
  #      }
  #    EOS
  #    # Run it twice and test for idempotency
  #    apply_manifest(pp, :catch_failures => true)
  #    apply_manifest(pp, :catch_changes => true)
  #  end
  #end
  #context 'not purge firewallchain chains:' do
  #  it 'does not purge the rule' do
  #    pp = <<-EOS
  #      firewallchain { 'MY_CHAIN:filter:IPv4':
  #        ensure => present,
  #        purge  => false,
  #        before => Resources['firewall'],
  #      }
  #      resources { 'firewall':
  #        purge => true,
  #      }
  #    EOS
  #    # Run it twice and test for idempotency
  #    apply_manifest(pp, :catch_failures => true) do |r|
  #      expect(r.stdout).to_not match(/removed/)
  #      expect(r.stderr).to eq('')
  #    end
  #    apply_manifest(pp, :catch_changes => true)
  #  end
  #  it 'still has the rule' do
  #    pp = <<-EOS
  #      firewall { '100 my rule':
  #        chain  => 'MY_CHAIN',
  #        action => 'accept',
  #        proto  => 'tcp',
  #        dport  => 5000,
  #      }
  #    EOS
  #    # Run it twice and test for idempotency
  #    apply_manifest(pp, :catch_changes => true)
  #  end
  #end

  describe 'policy' do
    # The DROP example changes the live filter table's FORWARD policy; this
    # hook puts it back to ACCEPT once the group finishes, pass or fail.
    after :all do
      shell('iptables -t filter -P FORWARD ACCEPT')
    end

    context 'DROP' do
      let(:manifest) do
        <<-EOS
          firewallchain { 'FORWARD:filter:IPv4':
            policy => 'drop',
          }
        EOS
      end

      it 'applies cleanly' do
        apply_idempotently(manifest)
      end

      it 'finds the chain' do
        shell('iptables-save') do |result|
          expect(result.stdout).to match(/FORWARD DROP/)
        end
      end
    end
  end
end