asbestos 0.0.1
- checksums.yaml +15 -0
- data/.gitignore +18 -0
- data/.rspec +3 -0
- data/Gemfile +10 -0
- data/Guardfile +9 -0
- data/LICENSE.txt +22 -0
- data/README.md +461 -0
- data/Rakefile +1 -0
- data/asbestos.gemspec +26 -0
- data/bin/asbestos +112 -0
- data/examples/0_simple.rb +5 -0
- data/examples/10_kitchen_sink.rb +72 -0
- data/examples/1_two_hosts.rb +18 -0
- data/examples/2_accept_from_many.rb +19 -0
- data/examples/3_groups.rb +39 -0
- data/examples/4_host_templates.rb +29 -0
- data/examples/5_static_addresses.rb +7 -0
- data/examples/6_interface_addresses.rb +19 -0
- data/examples/7_services.rb +9 -0
- data/examples/8_rule_sets.rb +37 -0
- data/examples/9_literal_commands.rb +8 -0
- data/lib/asbestos.rb +108 -0
- data/lib/asbestos/address.rb +8 -0
- data/lib/asbestos/dsl.rb +40 -0
- data/lib/asbestos/firewalls/iptables.rb +127 -0
- data/lib/asbestos/host.rb +244 -0
- data/lib/asbestos/host_template.rb +15 -0
- data/lib/asbestos/metadata.rb +4 -0
- data/lib/asbestos/rule_set.rb +131 -0
- data/lib/asbestos/rule_sets/accept_from_self.rb +19 -0
- data/lib/asbestos/rule_sets/allow_related_established.rb +5 -0
- data/lib/asbestos/rule_sets/icmp_protection.rb +28 -0
- data/lib/asbestos/rule_sets/sanity_check.rb +41 -0
- data/lib/asbestos/service.rb +86 -0
- data/lib/asbestos/services/chef.rb +4 -0
- data/lib/asbestos/services/cube.rb +14 -0
- data/lib/asbestos/services/http.rb +8 -0
- data/lib/asbestos/services/memcached.rb +4 -0
- data/lib/asbestos/services/mongodb.rb +28 -0
- data/lib/asbestos/services/monit.rb +4 -0
- data/lib/asbestos/services/mysql.rb +4 -0
- data/lib/asbestos/services/nfs.rb +5 -0
- data/lib/asbestos/services/redis.rb +4 -0
- data/lib/asbestos/services/ssh.rb +4 -0
- data/spec/asbestos/address_spec.rb +25 -0
- data/spec/asbestos/firewalls/iptables_spec.rb +179 -0
- data/spec/asbestos/host_spec.rb +173 -0
- data/spec/asbestos/host_template_spec.rb +32 -0
- data/spec/asbestos/rule_set_spec.rb +55 -0
- data/spec/asbestos/service_spec.rb +60 -0
- data/spec/spec_helper.rb +20 -0
- metadata +159 -0
@@ -0,0 +1,173 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe Asbestos::Host do
|
4
|
+
before(:each) do
|
5
|
+
Asbestos.reset!
|
6
|
+
end
|
7
|
+
|
8
|
+
context "the 'host' DSL call" do
|
9
|
+
|
10
|
+
context "when a block is provided" do
|
11
|
+
it "should create a new host" do
|
12
|
+
Host.all.tap do |hosts|
|
13
|
+
hosts.should be_empty
|
14
|
+
host 'hostname' do
|
15
|
+
end
|
16
|
+
|
17
|
+
hosts.should_not be_empty
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
it "should evaluate the block in the context of the new host" do
|
22
|
+
context = nil
|
23
|
+
|
24
|
+
host 'hostname' do
|
25
|
+
context = self
|
26
|
+
end
|
27
|
+
|
28
|
+
Host['hostname'].call.should be context
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
context "when a block is not provided" do
|
33
|
+
it "should create a new host" do
|
34
|
+
Host.all.tap do |hosts|
|
35
|
+
hosts.should be_empty
|
36
|
+
host 'hostname'
|
37
|
+
hosts.should_not be_empty
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
context "context DSL" do
|
44
|
+
it "should properly add services via 'runs'" do
|
45
|
+
service :ssh do
|
46
|
+
port :ssh
|
47
|
+
end
|
48
|
+
|
49
|
+
host 'hostname' do
|
50
|
+
runs :ssh
|
51
|
+
end
|
52
|
+
|
53
|
+
Host['hostname'].call.rulesets.first.name.should be :ssh
|
54
|
+
end
|
55
|
+
|
56
|
+
it "should properly add be added to groups via 'group'" do
|
57
|
+
host 'hostname' do
|
58
|
+
group :some_group
|
59
|
+
end
|
60
|
+
|
61
|
+
Host.groups.should have_key(:some_group)
|
62
|
+
Host.groups[:some_group].should == [Host['hostname'].call]
|
63
|
+
end
|
64
|
+
|
65
|
+
context "the 'interface' call" do
|
66
|
+
it "should tag singular interfaces" do
|
67
|
+
host 'hostname' do
|
68
|
+
interface :some_tag, :eth0
|
69
|
+
end
|
70
|
+
|
71
|
+
Host['hostname'].call.interfaces[:some_tag].should == [:eth0]
|
72
|
+
end
|
73
|
+
|
74
|
+
it "should tag multiple interfaces" do
|
75
|
+
host 'hostname' do
|
76
|
+
interface :some_tag, [:eth0, :eth1]
|
77
|
+
end
|
78
|
+
|
79
|
+
Host['hostname'].call.interfaces[:some_tag].should == [:eth0, :eth1]
|
80
|
+
end
|
81
|
+
|
82
|
+
context "generating addresses" do
|
83
|
+
context "defaults" do
|
84
|
+
it "should generate defaults for singular interfaces" do
|
85
|
+
host 'hostname' do
|
86
|
+
interface :some_tag, :eth0
|
87
|
+
end
|
88
|
+
|
89
|
+
Host['hostname'].call.addresses[:eth0].should == 'hostname_some_tag'
|
90
|
+
end
|
91
|
+
|
92
|
+
it "should generate defaults for multiple interfaces" do
|
93
|
+
host 'hostname' do
|
94
|
+
interface :some_tag, [:eth0, :eth1]
|
95
|
+
end
|
96
|
+
|
97
|
+
Host['hostname'].call.addresses[:eth0].should == 'hostname_some_tag_eth0'
|
98
|
+
Host['hostname'].call.addresses[:eth1].should == 'hostname_some_tag_eth1'
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
context "overriding" do
|
103
|
+
context "singular interface" do
|
104
|
+
it "should allow overriding with a static address" do
|
105
|
+
host 'hostname' do
|
106
|
+
interface :some_tag, :eth0, "1.2.3.4"
|
107
|
+
end
|
108
|
+
|
109
|
+
Host['hostname'].call.addresses[:eth0].should == '1.2.3.4'
|
110
|
+
end
|
111
|
+
|
112
|
+
it "should allow overriding with a block" do
|
113
|
+
host 'hostname' do
|
114
|
+
interface :some_tag, :eth0 do |host|
|
115
|
+
"#{host.name}_blah"
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
Host['hostname'].call.addresses[:eth0].should == 'hostname_blah'
|
120
|
+
end
|
121
|
+
end
|
122
|
+
|
123
|
+
context "multiple interfaces" do
|
124
|
+
it "should not allow overriding with a static address" do
|
125
|
+
expect do
|
126
|
+
host 'hostname' do
|
127
|
+
interface :some_tag, [:eth0, :eth1], '1.2.3.4'
|
128
|
+
end
|
129
|
+
end.to raise_error
|
130
|
+
end
|
131
|
+
|
132
|
+
it "should allow overriding with a block" do
|
133
|
+
host 'hostname' do
|
134
|
+
interface :some_tag, [:eth0, :eth1] do |host, if_name|
|
135
|
+
"#{host.name}_blah_#{if_name}"
|
136
|
+
end
|
137
|
+
end
|
138
|
+
|
139
|
+
Host['hostname'].call.addresses[:eth0].should == 'hostname_blah_eth0'
|
140
|
+
Host['hostname'].call.addresses[:eth1].should == 'hostname_blah_eth1'
|
141
|
+
end
|
142
|
+
end
|
143
|
+
end
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
it "should turn on denial logging with 'log_denials'" do
|
148
|
+
host 'hostname' do
|
149
|
+
log_denials
|
150
|
+
end
|
151
|
+
|
152
|
+
Host['hostname'].call.log_denials?.should be_true
|
153
|
+
end
|
154
|
+
|
155
|
+
it "should add iptables chains with the 'chain' call" do
|
156
|
+
host 'hostname' do
|
157
|
+
chain :some_chain, :drop
|
158
|
+
end
|
159
|
+
|
160
|
+
Host['hostname'].call.chains[:some_chain].should be :drop
|
161
|
+
end
|
162
|
+
|
163
|
+
it "should raise an error for unknown DSL calls" do
|
164
|
+
expect {
|
165
|
+
host 'hostname' do
|
166
|
+
this_isnt_a_dsl_call
|
167
|
+
end
|
168
|
+
}.to raise_error
|
169
|
+
end
|
170
|
+
|
171
|
+
end # context DSL
|
172
|
+
|
173
|
+
end
|
@@ -0,0 +1,32 @@
|
|
1
|
+
|
2
|
+
require 'spec_helper'
|
3
|
+
|
4
|
+
describe Asbestos::HostTemplate do
|
5
|
+
before(:each) do
|
6
|
+
Asbestos.reset!
|
7
|
+
end
|
8
|
+
|
9
|
+
context "the 'host_template' DSL call" do
|
10
|
+
it "should store the block as a template" do
|
11
|
+
|
12
|
+
block = proc do;
|
13
|
+
end
|
14
|
+
|
15
|
+
host_template 'hosttemplatename', &block
|
16
|
+
|
17
|
+
Asbestos::HostTemplate[:hosttemplatename].template.should be block
|
18
|
+
end
|
19
|
+
|
20
|
+
it "should execute the template block in the context of the host" do
|
21
|
+
context = nil
|
22
|
+
host_template 'hosttemplatename' do
|
23
|
+
context = self
|
24
|
+
end
|
25
|
+
|
26
|
+
hosttemplatename 'hostname' do
|
27
|
+
end
|
28
|
+
|
29
|
+
Host['hostname'].call.should be context
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
@@ -0,0 +1,55 @@
|
|
1
|
+
|
2
|
+
require 'spec_helper'
|
3
|
+
|
4
|
+
describe Asbestos::RuleSet do
|
5
|
+
before(:each) do
|
6
|
+
Asbestos.reset!
|
7
|
+
end
|
8
|
+
|
9
|
+
context "the 'rule_set' DSL call" do
|
10
|
+
it "should store the block as a template" do
|
11
|
+
|
12
|
+
block = proc do;
|
13
|
+
end
|
14
|
+
|
15
|
+
rule_set 'rulesetname', &block
|
16
|
+
|
17
|
+
Asbestos::RuleSet[:rulesetname].should be block
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
context "context DSL" do
|
22
|
+
[:rule, :accept, :reject, :drop, :log].each do |action|
|
23
|
+
it "should send '#{action}' to the firewall module" do
|
24
|
+
|
25
|
+
Asbestos.firewall.should_receive action
|
26
|
+
|
27
|
+
rule_set 'rulesetname' do
|
28
|
+
eval "#{action} :chain => 'input', :remote_address => '224.0.0.0/4'"
|
29
|
+
end
|
30
|
+
|
31
|
+
host 'hostname' do
|
32
|
+
rulesetname
|
33
|
+
end
|
34
|
+
|
35
|
+
Host['hostname'].call.ruleset_rules
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
it "should add raw commands with 'command'" do
|
40
|
+
rule_set 'rulesetname' do
|
41
|
+
command "some raw firewall command"
|
42
|
+
end
|
43
|
+
|
44
|
+
host 'hostname' do
|
45
|
+
rulesetname
|
46
|
+
end
|
47
|
+
|
48
|
+
Host['hostname'].call.rules.join("\n").should match(/some raw firewall command/)
|
49
|
+
end
|
50
|
+
|
51
|
+
it "should generate firewall rules properly"
|
52
|
+
it "should handle the :from argument to from_each properly"
|
53
|
+
it "should handle the :from argument to from_each_address properly"
|
54
|
+
end
|
55
|
+
end
|
@@ -0,0 +1,60 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe Asbestos::Service do
|
4
|
+
before(:each) do
|
5
|
+
Asbestos.reset!
|
6
|
+
end
|
7
|
+
|
8
|
+
context "the 'service' DSL call" do
|
9
|
+
it "should store the block as a template" do
|
10
|
+
|
11
|
+
block = proc do;
|
12
|
+
end
|
13
|
+
|
14
|
+
service 'servicename', &block
|
15
|
+
|
16
|
+
Asbestos::Service[:servicename].should be block
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
context "context DSL" do
|
21
|
+
it "should store arbitrary calls as attributes" do
|
22
|
+
service 'servicename' do
|
23
|
+
some_attribute :some_value
|
24
|
+
end
|
25
|
+
|
26
|
+
host 'hostname' do
|
27
|
+
runs :servicename
|
28
|
+
end
|
29
|
+
|
30
|
+
Host['hostname'].call.rulesets.first.name.should be :servicename
|
31
|
+
Host['hostname'].call.rulesets.first.some_attribute.should be :some_value
|
32
|
+
end
|
33
|
+
|
34
|
+
it "should store certain attributes under their plural name" do
|
35
|
+
service 'servicename' do
|
36
|
+
port 9000
|
37
|
+
protocol :icmp
|
38
|
+
group :service_group
|
39
|
+
end
|
40
|
+
|
41
|
+
host 'hostname' do
|
42
|
+
runs :servicename
|
43
|
+
end
|
44
|
+
|
45
|
+
Host['hostname'].call.rulesets.first.name.should be :servicename
|
46
|
+
|
47
|
+
Host['hostname'].call.rulesets.first.port.should == [9000]
|
48
|
+
Host['hostname'].call.rulesets.first.ports.should == [9000]
|
49
|
+
|
50
|
+
Host['hostname'].call.rulesets.first.protocol.should == [:icmp]
|
51
|
+
Host['hostname'].call.rulesets.first.protocols.should == [:icmp]
|
52
|
+
|
53
|
+
Host['hostname'].call.rulesets.first.group.should == [:service_group]
|
54
|
+
Host['hostname'].call.rulesets.first.groups.should == [:service_group]
|
55
|
+
end
|
56
|
+
end
|
57
|
+
|
58
|
+
it "should generate firewall rules properly"
|
59
|
+
it "should handle the :from argument to open_port properly"
|
60
|
+
end
|
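--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1,20 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+require 'asbestos'
+
+RSpec.configure do |config|
+config.treat_symbols_as_metadata_keys_with_true_values = true
+config.run_all_when_everything_filtered = true
+config.filter_run :focus
+
+# Run specs in random order to surface order dependencies. If you find an
+# order dependency and want to debug it, you can fix the order by providing
+# the seed, which is printed after each run.
+# --seed 1234
+config.order = 'random'
+end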
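Review bot: `config.treat_symbols_as_metadata_keys_with_true_values = true` on line 11, together with the `should`-style expectations used across the spec files in this same release, ties the suite to the RSpec 2.x configuration API, yet the gem metadata in this version leaves the rspec development dependency unconstrained (`>= 0`). A fresh checkout that resolves a newer RSpec will likely get deprecation warnings for this setting and, depending on the version, may refuse the option or the old syntax before a single example runs. Either pin rspec to the 2.x series in asbestos.gemspec, or drop the option (its behaviour became the default in later RSpec) and opt into the old syntax explicitly with `config.expect_with(:rspec) { |c| c.syntax = [:should, :expect] }`. A short comment above line 11 noting which RSpec series the helper targets would save the next maintainer the archaeology.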
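--- a/metadata
+++ b/metadata
@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: asbestos
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Michael Shapiro
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2013-06-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.3'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.3'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: system-getifaddrs
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: 0.1.5
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: 0.1.5
+description: Asbestos is a declarative DSL for building firewall rules (iptables,
+at this point)
+email:
+- koudelka@ryoukai.org
+executables:
+- asbestos
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- asbestos.gemspec
+- bin/asbestos
+- examples/0_simple.rb
+- examples/10_kitchen_sink.rb
+- examples/1_two_hosts.rb
+- examples/2_accept_from_many.rb
+- examples/3_groups.rb
+- examples/4_host_templates.rb
+- examples/5_static_addresses.rb
+- examples/6_interface_addresses.rb
+- examples/7_services.rb
+- examples/8_rule_sets.rb
+- examples/9_literal_commands.rb
+- lib/asbestos.rb
+- lib/asbestos/address.rb
+- lib/asbestos/dsl.rb
+- lib/asbestos/firewalls/iptables.rb
+- lib/asbestos/host.rb
+- lib/asbestos/host_template.rb
+- lib/asbestos/metadata.rb
+- lib/asbestos/rule_set.rb
+- lib/asbestos/rule_sets/accept_from_self.rb
+- lib/asbestos/rule_sets/allow_related_established.rb
+- lib/asbestos/rule_sets/icmp_protection.rb
+- lib/asbestos/rule_sets/sanity_check.rb
+- lib/asbestos/service.rb
+- lib/asbestos/services/chef.rb
+- lib/asbestos/services/cube.rb
+- lib/asbestos/services/http.rb
+- lib/asbestos/services/memcached.rb
+- lib/asbestos/services/mongodb.rb
+- lib/asbestos/services/monit.rb
+- lib/asbestos/services/mysql.rb
+- lib/asbestos/services/nfs.rb
+- lib/asbestos/services/redis.rb
+- lib/asbestos/services/ssh.rb
+- spec/asbestos/address_spec.rb
+- spec/asbestos/firewalls/iptables_spec.rb
+- spec/asbestos/host_spec.rb
+- spec/asbestos/host_template_spec.rb
+- spec/asbestos/rule_set_spec.rb
+- spec/asbestos/service_spec.rb
+- spec/spec_helper.rb
+homepage: http://www.github.com/koudelka/asbestos
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.3
+signing_key:
+specification_version: 4
+summary: Declarative firewall(iptables) DSL.
+test_files:
+- spec/asbestos/address_spec.rb
+- spec/asbestos/firewalls/iptables_spec.rb
+- spec/asbestos/host_spec.rb
+- spec/asbestos/host_template_spec.rb
+- spec/asbestos/rule_set_spec.rb
+- spec/asbestos/service_spec.rb
+- spec/spec_helper.rb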