asbestos 0.0.1

Files changed (52) hide show
  1. checksums.yaml +15 -0
  2. data/.gitignore +18 -0
  3. data/.rspec +3 -0
  4. data/Gemfile +10 -0
  5. data/Guardfile +9 -0
  6. data/LICENSE.txt +22 -0
  7. data/README.md +461 -0
  8. data/Rakefile +1 -0
  9. data/asbestos.gemspec +26 -0
  10. data/bin/asbestos +112 -0
  11. data/examples/0_simple.rb +5 -0
  12. data/examples/10_kitchen_sink.rb +72 -0
  13. data/examples/1_two_hosts.rb +18 -0
  14. data/examples/2_accept_from_many.rb +19 -0
  15. data/examples/3_groups.rb +39 -0
  16. data/examples/4_host_templates.rb +29 -0
  17. data/examples/5_static_addresses.rb +7 -0
  18. data/examples/6_interface_addresses.rb +19 -0
  19. data/examples/7_services.rb +9 -0
  20. data/examples/8_rule_sets.rb +37 -0
  21. data/examples/9_literal_commands.rb +8 -0
  22. data/lib/asbestos.rb +108 -0
  23. data/lib/asbestos/address.rb +8 -0
  24. data/lib/asbestos/dsl.rb +40 -0
  25. data/lib/asbestos/firewalls/iptables.rb +127 -0
  26. data/lib/asbestos/host.rb +244 -0
  27. data/lib/asbestos/host_template.rb +15 -0
  28. data/lib/asbestos/metadata.rb +4 -0
  29. data/lib/asbestos/rule_set.rb +131 -0
  30. data/lib/asbestos/rule_sets/accept_from_self.rb +19 -0
  31. data/lib/asbestos/rule_sets/allow_related_established.rb +5 -0
  32. data/lib/asbestos/rule_sets/icmp_protection.rb +28 -0
  33. data/lib/asbestos/rule_sets/sanity_check.rb +41 -0
  34. data/lib/asbestos/service.rb +86 -0
  35. data/lib/asbestos/services/chef.rb +4 -0
  36. data/lib/asbestos/services/cube.rb +14 -0
  37. data/lib/asbestos/services/http.rb +8 -0
  38. data/lib/asbestos/services/memcached.rb +4 -0
  39. data/lib/asbestos/services/mongodb.rb +28 -0
  40. data/lib/asbestos/services/monit.rb +4 -0
  41. data/lib/asbestos/services/mysql.rb +4 -0
  42. data/lib/asbestos/services/nfs.rb +5 -0
  43. data/lib/asbestos/services/redis.rb +4 -0
  44. data/lib/asbestos/services/ssh.rb +4 -0
  45. data/spec/asbestos/address_spec.rb +25 -0
  46. data/spec/asbestos/firewalls/iptables_spec.rb +179 -0
  47. data/spec/asbestos/host_spec.rb +173 -0
  48. data/spec/asbestos/host_template_spec.rb +32 -0
  49. data/spec/asbestos/rule_set_spec.rb +55 -0
  50. data/spec/asbestos/service_spec.rb +60 -0
  51. data/spec/spec_helper.rb +20 -0
  52. metadata +159 -0
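--- a/data/spec/asbestos/host_spec.rb
+++ b/data/spec/asbestos/host_spec.rb
@@ -0,0 +1,173 @@
+ require 'spec_helper'
+
+ describe Asbestos::Host do
+ before(:each) do
+ Asbestos.reset!
+ end
+
+ context "the 'host' DSL call" do
+
+ context "when a block is provided" do
+ it "should create a new host" do
+ Host.all.tap do |hosts|
+ hosts.should be_empty
+ host 'hostname' do
+ end
+
+ hosts.should_not be_empty
+ end
+ end
+
+ it "should evaluate the block in the context of the new host" do
+ context = nil
+
+ host 'hostname' do
+ context = self
+ end
+
+ Host['hostname'].call.should be context
+ end
+ end
+
+ context "when a block is not provided" do
+ it "should create a new host" do
+ Host.all.tap do |hosts|
+ hosts.should be_empty
+ host 'hostname'
+ hosts.should_not be_empty
+ end
+ end
+ end
+ end
+
+ context "context DSL" do
+ it "should properly add services via 'runs'" do
+ service :ssh do
+ port :ssh
+ end
+
+ host 'hostname' do
+ runs :ssh
+ end
+
+ Host['hostname'].call.rulesets.first.name.should be :ssh
+ end
+
+ it "should properly add be added to groups via 'group'" do
+ host 'hostname' do
+ group :some_group
+ end
+
+ Host.groups.should have_key(:some_group)
+ Host.groups[:some_group].should == [Host['hostname'].call]
+ end
+
+ context "the 'interface' call" do
+ it "should tag singular interfaces" do
+ host 'hostname' do
+ interface :some_tag, :eth0
+ end
+
+ Host['hostname'].call.interfaces[:some_tag].should == [:eth0]
+ end
+
+ it "should tag multiple interfaces" do
+ host 'hostname' do
+ interface :some_tag, [:eth0, :eth1]
+ end
+
+ Host['hostname'].call.interfaces[:some_tag].should == [:eth0, :eth1]
+ end
+
+ context "generating addresses" do
+ context "defaults" do
+ it "should generate defaults for singular interfaces" do
+ host 'hostname' do
+ interface :some_tag, :eth0
+ end
+
+ Host['hostname'].call.addresses[:eth0].should == 'hostname_some_tag'
+ end
+
+ it "should generate defaults for multiple interfaces" do
+ host 'hostname' do
+ interface :some_tag, [:eth0, :eth1]
+ end
+
+ Host['hostname'].call.addresses[:eth0].should == 'hostname_some_tag_eth0'
+ Host['hostname'].call.addresses[:eth1].should == 'hostname_some_tag_eth1'
+ end
+ end
+
+ context "overriding" do
+ context "singular interface" do
+ it "should allow overriding with a static address" do
+ host 'hostname' do
+ interface :some_tag, :eth0, "1.2.3.4"
+ end
+
+ Host['hostname'].call.addresses[:eth0].should == '1.2.3.4'
+ end
+
+ it "should allow overriding with a block" do
+ host 'hostname' do
+ interface :some_tag, :eth0 do |host|
+ "#{host.name}_blah"
+ end
+ end
+
+ Host['hostname'].call.addresses[:eth0].should == 'hostname_blah'
+ end
+ end
+
+ context "multiple interfaces" do
+ it "should not allow overriding with a static address" do
+ expect do
+ host 'hostname' do
+ interface :some_tag, [:eth0, :eth1], '1.2.3.4'
+ end
+ end.to raise_error
+ end
+
+ it "should allow overriding with a block" do
+ host 'hostname' do
+ interface :some_tag, [:eth0, :eth1] do |host, if_name|
+ "#{host.name}_blah_#{if_name}"
+ end
+ end
+
+ Host['hostname'].call.addresses[:eth0].should == 'hostname_blah_eth0'
+ Host['hostname'].call.addresses[:eth1].should == 'hostname_blah_eth1'
+ end
+ end
+ end
+ end
+ end
+
+ it "should turn on denial logging with 'log_denials'" do
+ host 'hostname' do
+ log_denials
+ end
+
+ Host['hostname'].call.log_denials?.should be_true
+ end
+
+ it "should add iptables chains with the 'chain' call" do
+ host 'hostname' do
+ chain :some_chain, :drop
+ end
+
+ Host['hostname'].call.chains[:some_chain].should be :drop
+ end
+
+ it "should raise an error for unknown DSL calls" do
+ expect {
+ host 'hostname' do
+ this_isnt_a_dsl_call
+ end
+ }.to raise_error
+ end
+
+ end # context DSL
+
+ end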
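Review bot: The two negative examples end in a bare `raise_error` (the static-address override on multiple interfaces, and "should raise an error for unknown DSL calls"), so they pass on any exception at all, including a `NameError` caused by a typo in the spec or an unrelated failure inside `host`. For a firewall DSL the rejection of bad input is the behaviour worth pinning, so name the class: `end.to raise_error(EXPECTED_ERROR_CLASS)` and `}.to raise_error(EXPECTED_ERROR_CLASS)`, where EXPECTED_ERROR_CLASS is a placeholder for whatever lib/asbestos/host.rb raises, which is not visible on this page. A message pattern as second argument would tighten it further if the library's messages are stable.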
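--- a/data/spec/asbestos/host_template_spec.rb
+++ b/data/spec/asbestos/host_template_spec.rb
@@ -0,0 +1,32 @@
+
+ require 'spec_helper'
+
+ describe Asbestos::HostTemplate do
+ before(:each) do
+ Asbestos.reset!
+ end
+
+ context "the 'host_template' DSL call" do
+ it "should store the block as a template" do
+
+ block = proc do;
+ end
+
+ host_template 'hosttemplatename', &block
+
+ Asbestos::HostTemplate[:hosttemplatename].template.should be block
+ end
+
+ it "should execute the template block in the context of the host" do
+ context = nil
+ host_template 'hosttemplatename' do
+ context = self
+ end
+
+ hosttemplatename 'hostname' do
+ end
+
+ Host['hostname'].call.should be context
+ end
+ end
+ end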
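Review bot: `block = proc do;` with `end` on the following line carries a stray semicolon and spreads an empty proc over two lines; `block = proc {}` states the same thing. The same construct is repeated in the "should store the block as a template" examples of rule_set_spec.rb and service_spec.rb further down this page. In the second example here, a short comment such as `# host_template defines a DSL method named after the template` above `hosttemplatename 'hostname' do` would help, since the call otherwise looks like an undefined method.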
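--- a/data/spec/asbestos/rule_set_spec.rb
+++ b/data/spec/asbestos/rule_set_spec.rb
@@ -0,0 +1,55 @@
+
+ require 'spec_helper'
+
+ describe Asbestos::RuleSet do
+ before(:each) do
+ Asbestos.reset!
+ end
+
+ context "the 'rule_set' DSL call" do
+ it "should store the block as a template" do
+
+ block = proc do;
+ end
+
+ rule_set 'rulesetname', &block
+
+ Asbestos::RuleSet[:rulesetname].should be block
+ end
+ end
+
+ context "context DSL" do
+ [:rule, :accept, :reject, :drop, :log].each do |action|
+ it "should send '#{action}' to the firewall module" do
+
+ Asbestos.firewall.should_receive action
+
+ rule_set 'rulesetname' do
+ eval "#{action} :chain => 'input', :remote_address => '224.0.0.0/4'"
+ end
+
+ host 'hostname' do
+ rulesetname
+ end
+
+ Host['hostname'].call.ruleset_rules
+ end
+ end
+
+ it "should add raw commands with 'command'" do
+ rule_set 'rulesetname' do
+ command "some raw firewall command"
+ end
+
+ host 'hostname' do
+ rulesetname
+ end
+
+ Host['hostname'].call.rules.join("\n").should match(/some raw firewall command/)
+ end
+
+ it "should generate firewall rules properly"
+ it "should handle the :from argument to from_each properly"
+ it "should handle the :from argument to from_each_address properly"
+ end
+ end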
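Review bot: `Asbestos.firewall.should_receive action` is set without `.with(...)`, so each of the five generated examples checks only that the method name was called and passes whatever chain and remote address actually reach the firewall module. If the firewall method receives the options hash as given (not visible here), `Asbestos.firewall.should_receive(action).with(hash_including(:chain => 'input', :remote_address => '224.0.0.0/4'))` would pin the arguments that decide what the rule matches. The string `eval` inside the `rule_set` block is also avoidable, because `action` is a symbol from the literal list: `send action, :chain => 'input', :remote_address => '224.0.0.0/4'`. The three pending examples at the end leave rule generation and `:from` handling untested in this file.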
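--- a/data/spec/asbestos/service_spec.rb
+++ b/data/spec/asbestos/service_spec.rb
@@ -0,0 +1,60 @@
+ require 'spec_helper'
+
+ describe Asbestos::Service do
+ before(:each) do
+ Asbestos.reset!
+ end
+
+ context "the 'service' DSL call" do
+ it "should store the block as a template" do
+
+ block = proc do;
+ end
+
+ service 'servicename', &block
+
+ Asbestos::Service[:servicename].should be block
+ end
+ end
+
+ context "context DSL" do
+ it "should store arbitrary calls as attributes" do
+ service 'servicename' do
+ some_attribute :some_value
+ end
+
+ host 'hostname' do
+ runs :servicename
+ end
+
+ Host['hostname'].call.rulesets.first.name.should be :servicename
+ Host['hostname'].call.rulesets.first.some_attribute.should be :some_value
+ end
+
+ it "should store certain attributes under their plural name" do
+ service 'servicename' do
+ port 9000
+ protocol :icmp
+ group :service_group
+ end
+
+ host 'hostname' do
+ runs :servicename
+ end
+
+ Host['hostname'].call.rulesets.first.name.should be :servicename
+
+ Host['hostname'].call.rulesets.first.port.should == [9000]
+ Host['hostname'].call.rulesets.first.ports.should == [9000]
+
+ Host['hostname'].call.rulesets.first.protocol.should == [:icmp]
+ Host['hostname'].call.rulesets.first.protocols.should == [:icmp]
+
+ Host['hostname'].call.rulesets.first.group.should == [:service_group]
+ Host['hostname'].call.rulesets.first.groups.should == [:service_group]
+ end
+ end
+
+ it "should generate firewall rules properly"
+ it "should handle the :from argument to open_port properly"
+ end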
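Review bot: The two examples that would cover rule output, `it "should generate firewall rules properly"` and `it "should handle the :from argument to open_port properly"`, are pending with no body, so nothing in this file checks what a service definition turns into once it runs on a host. Judging by its name, `:from` restricts which sources a port is opened to, which is the part of a service that decides exposure; the attribute-storage examples above never reach it. An example that defines a service with a port, runs it on a host and asserts on `Host['hostname'].call.rules`, as the 'command' example in rule_set_spec.rb does, would close the gap. Separately, "should store arbitrary calls as attributes" pins that any unknown call inside a `service` block is accepted, so a misspelt `port` or `protocol` would be stored silently instead of raising as unknown calls do in a `host` block; a comment in the example saying this is intended would help.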
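--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1,20 @@
+ # This file was generated by the `rspec --init` command. Conventionally, all
+ # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+ # Require this file using `require "spec_helper"` to ensure that it is only
+ # loaded once.
+ #
+ # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+ require 'asbestos'
+
+ RSpec.configure do |config|
+ config.treat_symbols_as_metadata_keys_with_true_values = true
+ config.run_all_when_everything_filtered = true
+ config.filter_run :focus
+
+ # Run specs in random order to surface order dependencies. If you find an
+ # order dependency and want to debug it, you can fix the order by providing
+ # the seed, which is printed after each run.
+ # --seed 1234
+ config.order = 'random'
+ end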
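--- a/metadata
+++ b/metadata
@@ -0,0 +1,159 @@
+ --- !ruby/object:Gem::Specification
+ name: asbestos
+ version: !ruby/object:Gem::Version
+ version: 0.0.1
+ platform: ruby
+ authors:
+ - Michael Shapiro
+ autorequire:
+ bindir: bin
+ cert_chain: []
+ date: 2013-06-21 00:00:00.000000000 Z
+ dependencies:
+ - !ruby/object:Gem::Dependency
+ name: bundler
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '1.3'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: '1.3'
+ - !ruby/object:Gem::Dependency
+ name: rake
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ! '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ! '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ - !ruby/object:Gem::Dependency
+ name: rspec
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ! '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ type: :development
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ! '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ - !ruby/object:Gem::Dependency
+ name: system-getifaddrs
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: 0.1.5
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - ~>
+ - !ruby/object:Gem::Version
+ version: 0.1.5
+ description: Asbestos is a declarative DSL for building firewall rules (iptables,
+ at this point)
+ email:
+ - koudelka@ryoukai.org
+ executables:
+ - asbestos
+ extensions: []
+ extra_rdoc_files: []
+ files:
+ - .gitignore
+ - .rspec
+ - Gemfile
+ - Guardfile
+ - LICENSE.txt
+ - README.md
+ - Rakefile
+ - asbestos.gemspec
+ - bin/asbestos
+ - examples/0_simple.rb
+ - examples/10_kitchen_sink.rb
+ - examples/1_two_hosts.rb
+ - examples/2_accept_from_many.rb
+ - examples/3_groups.rb
+ - examples/4_host_templates.rb
+ - examples/5_static_addresses.rb
+ - examples/6_interface_addresses.rb
+ - examples/7_services.rb
+ - examples/8_rule_sets.rb
+ - examples/9_literal_commands.rb
+ - lib/asbestos.rb
+ - lib/asbestos/address.rb
+ - lib/asbestos/dsl.rb
+ - lib/asbestos/firewalls/iptables.rb
+ - lib/asbestos/host.rb
+ - lib/asbestos/host_template.rb
+ - lib/asbestos/metadata.rb
+ - lib/asbestos/rule_set.rb
+ - lib/asbestos/rule_sets/accept_from_self.rb
+ - lib/asbestos/rule_sets/allow_related_established.rb
+ - lib/asbestos/rule_sets/icmp_protection.rb
+ - lib/asbestos/rule_sets/sanity_check.rb
+ - lib/asbestos/service.rb
+ - lib/asbestos/services/chef.rb
+ - lib/asbestos/services/cube.rb
+ - lib/asbestos/services/http.rb
+ - lib/asbestos/services/memcached.rb
+ - lib/asbestos/services/mongodb.rb
+ - lib/asbestos/services/monit.rb
+ - lib/asbestos/services/mysql.rb
+ - lib/asbestos/services/nfs.rb
+ - lib/asbestos/services/redis.rb
+ - lib/asbestos/services/ssh.rb
+ - spec/asbestos/address_spec.rb
+ - spec/asbestos/firewalls/iptables_spec.rb
+ - spec/asbestos/host_spec.rb
+ - spec/asbestos/host_template_spec.rb
+ - spec/asbestos/rule_set_spec.rb
+ - spec/asbestos/service_spec.rb
+ - spec/spec_helper.rb
+ homepage: http://www.github.com/koudelka/asbestos
+ licenses:
+ - MIT
+ metadata: {}
+ post_install_message:
+ rdoc_options: []
+ require_paths:
+ - lib
+ required_ruby_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ! '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ required_rubygems_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ! '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ requirements: []
+ rubyforge_project:
+ rubygems_version: 2.0.3
+ signing_key:
+ specification_version: 4
+ summary: Declarative firewall(iptables) DSL.
+ test_files:
+ - spec/asbestos/address_spec.rb
+ - spec/asbestos/firewalls/iptables_spec.rb
+ - spec/asbestos/host_spec.rb
+ - spec/asbestos/host_template_spec.rb
+ - spec/asbestos/rule_set_spec.rb
+ - spec/asbestos/service_spec.rb
+ - spec/spec_helper.rb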