freighthop 0.3.3 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/Puppetfile +1 -1
- data/Puppetfile.lock +4 -5
- data/README.md +18 -7
- data/Vagrantfile +4 -0
- data/lib/freighthop/cli/help.rb +1 -0
- data/lib/freighthop/cli/init.rb +10 -10
- data/lib/freighthop/cli/version.rb +17 -0
- data/lib/freighthop/cli.rb +3 -1
- data/lib/freighthop/version.rb +1 -1
- data/lib/freighthop.rb +4 -0
- data/modules/apt/CHANGELOG +2 -36
- data/modules/apt/Gemfile +5 -6
- data/modules/apt/Gemfile.lock +7 -40
- data/modules/apt/Modulefile +1 -1
- data/modules/apt/README.md +1 -2
- data/modules/apt/Rakefile +0 -1
- data/modules/apt/manifests/init.pp +2 -5
- data/modules/apt/manifests/params.pp +1 -4
- data/modules/apt/manifests/pin.pp +1 -1
- data/modules/apt/manifests/ppa.pp +10 -24
- data/modules/apt/manifests/update.pp +0 -1
- data/modules/apt/metadata.json +19 -32
- data/modules/apt/spec/defines/ppa_spec.rb +2 -53
- data/modules/apt/spec/defines/source_spec.rb +2 -2
- data/modules/apt/templates/source.list.erb +2 -2
- data/modules/apt/tests/key.pp +3 -3
- data/modules/concat/CHANGELOG +73 -0
- data/modules/concat/Gemfile +20 -0
- data/modules/concat/Gemfile.lock +104 -0
- data/modules/concat/Modulefile +7 -6
- data/modules/concat/README.md +440 -0
- data/modules/concat/Rakefile +5 -1
- data/modules/concat/files/concatfragments.rb +137 -0
- data/modules/concat/files/concatfragments.sh +15 -4
- data/modules/concat/lib/facter/concat_basedir.rb +9 -3
- data/modules/concat/manifests/fragment.pp +108 -48
- data/modules/concat/manifests/init.pp +191 -210
- data/modules/concat/manifests/setup.pp +31 -31
- data/modules/concat/metadata.json +40 -21
- data/modules/{apt → concat}/spec/spec_helper_system.rb +11 -6
- data/modules/{firewall → concat}/spec/system/basic_spec.rb +1 -1
- data/modules/concat/spec/system/concat_spec.rb +154 -0
- data/modules/concat/spec/system/deprecation_warnings_spec.rb +247 -0
- data/modules/concat/spec/system/empty_spec.rb +27 -0
- data/modules/concat/spec/system/fragment_source_spec.rb +142 -0
- data/modules/concat/spec/system/replace_spec.rb +257 -0
- data/modules/concat/spec/system/symbolic_name_spec.rb +35 -0
- data/modules/concat/spec/system/warn_spec.rb +106 -0
- data/modules/concat/spec/unit/classes/concat_setup_spec.rb +42 -0
- data/modules/concat/spec/unit/defines/concat_fragment_spec.rb +267 -0
- data/modules/concat/spec/unit/defines/concat_spec.rb +380 -0
- data/modules/concat/spec/unit/facts/concat_basedir_spec.rb +18 -0
- data/modules/concat/tests/fragment.pp +19 -0
- data/modules/concat/tests/init.pp +7 -0
- data/modules/firewall/Changelog +38 -0
- data/modules/firewall/Gemfile +5 -2
- data/modules/firewall/Gemfile.lock +76 -26
- data/modules/firewall/Modulefile +1 -1
- data/modules/firewall/README.markdown +47 -15
- data/modules/firewall/Rakefile +0 -7
- data/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb +50 -7
- data/modules/firewall/lib/puppet/provider/firewall/iptables.rb +147 -31
- data/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb +19 -8
- data/modules/firewall/lib/puppet/type/firewall.rb +207 -3
- data/modules/firewall/lib/puppet/type/firewallchain.rb +73 -2
- data/modules/firewall/lib/puppet/util/firewall.rb +14 -0
- data/modules/firewall/metadata.json +181 -76
- data/modules/firewall/spec/acceptance/basic_spec.rb +8 -0
- data/modules/firewall/spec/acceptance/change_source_spec.rb +77 -0
- data/modules/firewall/spec/acceptance/class_spec.rb +27 -0
- data/modules/firewall/spec/acceptance/firewall_spec.rb +1608 -0
- data/modules/firewall/spec/acceptance/firewallchain_spec.rb +125 -0
- data/modules/firewall/spec/acceptance/ip6_fragment_spec.rb +94 -0
- data/modules/firewall/spec/acceptance/isfragment_spec.rb +92 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-fusion.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-70rc1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/fedora-18-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/sles-11sp1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/firewall/spec/{system → acceptance}/params_spec.rb +44 -52
- data/modules/firewall/spec/acceptance/purge_spec.rb +124 -0
- data/modules/firewall/spec/acceptance/resource_cmd_spec.rb +93 -0
- data/modules/firewall/spec/acceptance/rules_spec.rb +248 -0
- data/modules/firewall/spec/acceptance/socket_spec.rb +96 -0
- data/modules/firewall/spec/{system → acceptance}/standard_usage_spec.rb +6 -10
- data/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb +107 -0
- data/modules/firewall/spec/fixtures/iptables/conversion_hash.rb +56 -2
- data/modules/firewall/spec/spec_helper_acceptance.rb +38 -0
- data/modules/firewall/spec/unit/classes/firewall_spec.rb +2 -2
- data/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb +8 -5
- data/modules/firewall/spec/unit/facter/iptables_spec.rb +6 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb +14 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb +246 -5
- data/modules/firewall/spec/unit/puppet/type/firewall_spec.rb +99 -8
- data/modules/firewall/spec/unit/puppet/type/firewallchain_spec.rb +50 -6
- data/modules/firewall/spec/unit/puppet/util/firewall_spec.rb +21 -0
- data/modules/mysql/CHANGELOG +0 -30
- data/modules/mysql/Gemfile +0 -1
- data/modules/mysql/Gemfile.lock +30 -31
- data/modules/mysql/Modulefile +1 -1
- data/modules/mysql/README.md +2 -49
- data/modules/mysql/files/mysqltuner.pl +1 -1
- data/modules/mysql/lib/puppet/provider/database/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_grant/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_user/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/mysql.rb +1 -2
- data/modules/mysql/lib/puppet/provider/mysql_database/mysql.rb +13 -2
- data/modules/mysql/lib/puppet/provider/mysql_user/mysql.rb +12 -0
- data/modules/mysql/lib/puppet/type/database_user.rb +1 -1
- data/modules/mysql/lib/puppet/type/mysql_grant.rb +3 -5
- data/modules/mysql/manifests/client.pp +0 -7
- data/modules/mysql/manifests/server/root_password.pp +0 -2
- data/modules/mysql/manifests/server.pp +0 -6
- data/modules/mysql/metadata.json +79 -81
- data/modules/mysql/spec/classes/mysql_server_spec.rb +0 -74
- data/modules/mysql/spec/system/mysql_server_root_password_spec.rb +1 -7
- data/modules/mysql/spec/system/mysql_server_spec.rb +3 -6
- data/modules/mysql/spec/system/types/mysql_grant_spec.rb +0 -27
- data/modules/mysql/spec/unit/puppet/functions/mysql_deepmerge_spec.rb +1 -1
- data/modules/mysql/spec/unit/puppet/provider/database/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/database_grant/mysql_spec.rb +15 -15
- data/modules/mysql/spec/unit/puppet/provider/database_user/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/mysql_database/mysql_spec.rb +3 -3
- data/modules/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb +3 -3
- data/modules/mysql/templates/my.cnf.erb +2 -4
- data/modules/mysql/tests/mysql_grant.pp +1 -1
- data/modules/postgresql/Changelog +31 -0
- data/modules/postgresql/Gemfile +4 -2
- data/modules/postgresql/Modulefile +1 -1
- data/modules/postgresql/README.md +10 -4
- data/modules/postgresql/Rakefile +0 -1
- data/modules/postgresql/lib/puppet/provider/postgresql_psql/ruby.rb +25 -3
- data/modules/postgresql/manifests/globals.pp +2 -0
- data/modules/postgresql/manifests/params.pp +21 -0
- data/modules/postgresql/manifests/server/config.pp +0 -5
- data/modules/postgresql/manifests/server/config_entry.pp +1 -1
- data/modules/postgresql/manifests/server/database.pp +2 -1
- data/modules/postgresql/manifests/server/db.pp +2 -0
- data/modules/postgresql/manifests/server/grant.pp +20 -16
- data/modules/postgresql/manifests/server/initdb.pp +27 -3
- data/modules/postgresql/manifests/server/pg_hba_rule.pp +2 -4
- data/modules/postgresql/manifests/server/role.pp +8 -2
- data/modules/postgresql/manifests/server/service.pp +5 -0
- data/modules/postgresql/manifests/server.pp +2 -0
- data/modules/postgresql/metadata.json +88 -65
- data/modules/postgresql/spec/acceptance/client_spec.rb +18 -0
- data/modules/postgresql/spec/{system → acceptance}/common_patterns_spec.rb +8 -14
- data/modules/postgresql/spec/{system → acceptance}/contrib_spec.rb +4 -9
- data/modules/postgresql/spec/acceptance/lib/devel_spec.rb +17 -0
- data/modules/postgresql/spec/acceptance/lib/java_spec.rb +20 -0
- data/modules/postgresql/spec/acceptance/lib/python_spec.rb +19 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-510-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-73-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/postgresql/spec/{system → acceptance}/postgresql_psql_spec.rb +6 -14
- data/modules/postgresql/spec/{system → acceptance}/server/config_entry_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/db_spec.rb +47 -42
- data/modules/postgresql/spec/{system → acceptance}/server/grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/pg_hba_rule_spec.rb +10 -23
- data/modules/postgresql/spec/{system → acceptance}/server/plperl_spec.rb +6 -10
- data/modules/postgresql/spec/{system → acceptance}/server/role_spec.rb +13 -28
- data/modules/postgresql/spec/acceptance/server/table_grant_spec.rb +124 -0
- data/modules/postgresql/spec/{system → acceptance}/server/tablespace_spec.rb +8 -22
- data/modules/postgresql/spec/{system → acceptance}/server_spec.rb +38 -61
- data/modules/postgresql/spec/{system → acceptance}/validate_db_connection_spec.rb +8 -20
- data/modules/postgresql/spec/spec_helper_acceptance.rb +70 -0
- data/modules/postgresql/spec/unit/classes/globals_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/lib/devel_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/params_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/repo_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/server/initdb_spec.rb +2 -1
- data/modules/postgresql/spec/unit/classes/server/plperl_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/server_spec.rb +9 -2
- data/modules/postgresql/spec/unit/puppet/provider/postgresql_psql/ruby_spec.rb +15 -17
- data/modules/rbenv/bin/autospec +0 -0
- data/modules/rbenv/bin/facter +0 -0
- data/modules/rbenv/bin/filebucket +0 -0
- data/modules/rbenv/bin/hiera +0 -0
- data/modules/rbenv/bin/htmldiff +0 -0
- data/modules/rbenv/bin/ldiff +0 -0
- data/modules/rbenv/bin/pi +0 -0
- data/modules/rbenv/bin/puppet +0 -0
- data/modules/rbenv/bin/puppet-lint +0 -0
- data/modules/rbenv/bin/puppet-module +0 -0
- data/modules/rbenv/bin/puppetca +0 -0
- data/modules/rbenv/bin/puppetd +0 -0
- data/modules/rbenv/bin/puppetdoc +0 -0
- data/modules/rbenv/bin/puppetmasterd +0 -0
- data/modules/rbenv/bin/puppetqd +0 -0
- data/modules/rbenv/bin/puppetrun +0 -0
- data/modules/rbenv/bin/rake +0 -0
- data/modules/rbenv/bin/ralsh +0 -0
- data/modules/rbenv/bin/rspec +0 -0
- data/modules/rbenv/bin/rspec-puppet-init +0 -0
- data/modules/stdlib/spec/monkey_patches/alias_should_to_must.rb +0 -0
- data/modules/stdlib/spec/monkey_patches/publicize_methods.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/abs_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/bool2num_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/capitalize_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chomp_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chop_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_at_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/dirname_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/downcase_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/empty_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/flatten_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/grep_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_interface_with_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_address_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_network_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/max_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/min_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/reject_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/to_bytes_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/validate_slength_spec.rb +0 -0
- metadata +92 -77
- data/modules/apt/manifests/unattended_upgrades.pp +0 -68
- data/modules/apt/spec/classes/unattended_upgrades_spec.rb +0 -204
- data/modules/apt/spec/system/apt_builddep_spec.rb +0 -38
- data/modules/apt/spec/system/apt_key_spec.rb +0 -53
- data/modules/apt/spec/system/apt_ppa_spec.rb +0 -59
- data/modules/apt/spec/system/apt_source_spec.rb +0 -51
- data/modules/apt/spec/system/basic_spec.rb +0 -10
- data/modules/apt/spec/system/class_spec.rb +0 -20
- data/modules/apt/templates/10periodic.erb +0 -12
- data/modules/apt/templates/50unattended-upgrades.erb +0 -53
- data/modules/apt/tests/unattended-upgrades.pp +0 -1
- data/modules/concat/README.markdown +0 -150
- data/modules/concat/spec/defines/init_spec.rb +0 -115
- data/modules/concat/spec/fixtures/manifests/site.pp +0 -0
- data/modules/firewall/spec/spec_helper_system.rb +0 -49
- data/modules/firewall/spec/system/class_spec.rb +0 -39
- data/modules/firewall/spec/system/purge_spec.rb +0 -29
- data/modules/firewall/spec/system/resource_cmd_spec.rb +0 -53
- data/modules/mysql/manifests/server/providers.pp +0 -8
- data/modules/mysql/tests/bindings.pp +0 -3
- data/modules/postgresql/Gemfile.lock +0 -74
- data/modules/postgresql/spec/spec_helper_system.rb +0 -66
- data/modules/postgresql/spec/system/client_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/devel_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/java_spec.rb +0 -25
- data/modules/postgresql/spec/system/lib/python_spec.rb +0 -24
- data/modules/postgresql/spec/system/server/table_grant_spec.rb +0 -72
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
require 'spec_helper_acceptance'
|
|
2
|
+
|
|
3
|
+
describe 'puppet resource firewallchain command:' do
|
|
4
|
+
before :all do
|
|
5
|
+
iptables_flush_all_tables
|
|
6
|
+
end
|
|
7
|
+
describe 'ensure' do
|
|
8
|
+
context 'present' do
|
|
9
|
+
it 'applies cleanly' do
|
|
10
|
+
pp = <<-EOS
|
|
11
|
+
firewallchain { 'MY_CHAIN:filter:IPv4':
|
|
12
|
+
ensure => present,
|
|
13
|
+
}
|
|
14
|
+
EOS
|
|
15
|
+
# Run it twice and test for idempotency
|
|
16
|
+
apply_manifest(pp, :catch_failures => true)
|
|
17
|
+
apply_manifest(pp, :catch_changes => true)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
it 'finds the chain' do
|
|
21
|
+
shell('iptables -S') do |r|
|
|
22
|
+
expect(r.stdout).to match(/-N MY_CHAIN/)
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
context 'absent' do
|
|
28
|
+
it 'applies cleanly' do
|
|
29
|
+
pp = <<-EOS
|
|
30
|
+
firewallchain { 'MY_CHAIN:filter:IPv4':
|
|
31
|
+
ensure => absent,
|
|
32
|
+
}
|
|
33
|
+
EOS
|
|
34
|
+
# Run it twice and test for idempotency
|
|
35
|
+
apply_manifest(pp, :catch_failures => true)
|
|
36
|
+
apply_manifest(pp, :catch_changes => true)
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
it 'fails to find the chain' do
|
|
40
|
+
shell('iptables -S') do |r|
|
|
41
|
+
expect(r.stdout).to_not match(/-N MY_CHAIN/)
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
# XXX purge => false is not yet implemented
|
|
48
|
+
#context 'adding a firewall rule to a chain:' do
|
|
49
|
+
# it 'applies cleanly' do
|
|
50
|
+
# pp = <<-EOS
|
|
51
|
+
# firewallchain { 'MY_CHAIN:filter:IPv4':
|
|
52
|
+
# ensure => present,
|
|
53
|
+
# }
|
|
54
|
+
# firewall { '100 my rule':
|
|
55
|
+
# chain => 'MY_CHAIN',
|
|
56
|
+
# action => 'accept',
|
|
57
|
+
# proto => 'tcp',
|
|
58
|
+
# dport => 5000,
|
|
59
|
+
# }
|
|
60
|
+
# EOS
|
|
61
|
+
# # Run it twice and test for idempotency
|
|
62
|
+
# apply_manifest(pp, :catch_failures => true)
|
|
63
|
+
# apply_manifest(pp, :catch_changes => true)
|
|
64
|
+
# end
|
|
65
|
+
#end
|
|
66
|
+
|
|
67
|
+
#context 'not purge firewallchain chains:' do
|
|
68
|
+
# it 'does not purge the rule' do
|
|
69
|
+
# pp = <<-EOS
|
|
70
|
+
# firewallchain { 'MY_CHAIN:filter:IPv4':
|
|
71
|
+
# ensure => present,
|
|
72
|
+
# purge => false,
|
|
73
|
+
# before => Resources['firewall'],
|
|
74
|
+
# }
|
|
75
|
+
# resources { 'firewall':
|
|
76
|
+
# purge => true,
|
|
77
|
+
# }
|
|
78
|
+
# EOS
|
|
79
|
+
# # Run it twice and test for idempotency
|
|
80
|
+
# apply_manifest(pp, :catch_failures => true) do |r|
|
|
81
|
+
# expect(r.stdout).to_not match(/removed/)
|
|
82
|
+
# expect(r.stderr).to eq('')
|
|
83
|
+
# end
|
|
84
|
+
# apply_manifest(pp, :catch_changes => true)
|
|
85
|
+
# end
|
|
86
|
+
|
|
87
|
+
# it 'still has the rule' do
|
|
88
|
+
# pp = <<-EOS
|
|
89
|
+
# firewall { '100 my rule':
|
|
90
|
+
# chain => 'MY_CHAIN',
|
|
91
|
+
# action => 'accept',
|
|
92
|
+
# proto => 'tcp',
|
|
93
|
+
# dport => 5000,
|
|
94
|
+
# }
|
|
95
|
+
# EOS
|
|
96
|
+
# # Run it twice and test for idempotency
|
|
97
|
+
# apply_manifest(pp, :catch_changes => true)
|
|
98
|
+
# end
|
|
99
|
+
#end
|
|
100
|
+
|
|
101
|
+
describe 'policy' do
|
|
102
|
+
after :all do
|
|
103
|
+
shell('iptables -t filter -P FORWARD ACCEPT')
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
context 'DROP' do
|
|
107
|
+
it 'applies cleanly' do
|
|
108
|
+
pp = <<-EOS
|
|
109
|
+
firewallchain { 'FORWARD:filter:IPv4':
|
|
110
|
+
policy => 'drop',
|
|
111
|
+
}
|
|
112
|
+
EOS
|
|
113
|
+
# Run it twice and test for idempotency
|
|
114
|
+
apply_manifest(pp, :catch_failures => true)
|
|
115
|
+
apply_manifest(pp, :catch_changes => true)
|
|
116
|
+
end
|
|
117
|
+
|
|
118
|
+
it 'finds the chain' do
|
|
119
|
+
shell('iptables -S') do |r|
|
|
120
|
+
expect(r.stdout).to match(/-P FORWARD DROP/)
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
end
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
require 'spec_helper_acceptance'
|
|
2
|
+
|
|
3
|
+
describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do
|
|
4
|
+
before :all do
|
|
5
|
+
ip6tables_flush_all_tables
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
shared_examples "is idempotent" do |values, line_match|
|
|
9
|
+
it "changes the values to #{values}" do
|
|
10
|
+
pp = <<-EOS
|
|
11
|
+
class { '::firewall': }
|
|
12
|
+
firewall { '599 - test':
|
|
13
|
+
ensure => present,
|
|
14
|
+
proto => 'tcp',
|
|
15
|
+
provider => 'ip6tables',
|
|
16
|
+
#{values}
|
|
17
|
+
}
|
|
18
|
+
EOS
|
|
19
|
+
|
|
20
|
+
apply_manifest(pp, :catch_failures => true)
|
|
21
|
+
apply_manifest(pp, :catch_changes => true)
|
|
22
|
+
|
|
23
|
+
shell('ip6tables -S') do |r|
|
|
24
|
+
expect(r.stdout).to match(/#{line_match}/)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
shared_examples "doesn't change" do |values, line_match|
|
|
29
|
+
it "doesn't change the values to #{values}" do
|
|
30
|
+
pp = <<-EOS
|
|
31
|
+
class { '::firewall': }
|
|
32
|
+
firewall { '599 - test':
|
|
33
|
+
ensure => present,
|
|
34
|
+
proto => 'tcp',
|
|
35
|
+
provider => 'ip6tables',
|
|
36
|
+
#{values}
|
|
37
|
+
}
|
|
38
|
+
EOS
|
|
39
|
+
|
|
40
|
+
apply_manifest(pp, :catch_changes => true)
|
|
41
|
+
|
|
42
|
+
shell('ip6tables -S') do |r|
|
|
43
|
+
expect(r.stdout).to match(/#{line_match}/)
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
describe 'adding a rule' do
|
|
49
|
+
context 'when unset' do
|
|
50
|
+
before :all do
|
|
51
|
+
ip6tables_flush_all_tables
|
|
52
|
+
end
|
|
53
|
+
it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/
|
|
54
|
+
end
|
|
55
|
+
context 'when set to true' do
|
|
56
|
+
before :all do
|
|
57
|
+
ip6tables_flush_all_tables
|
|
58
|
+
end
|
|
59
|
+
it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
|
|
60
|
+
end
|
|
61
|
+
context 'when set to false' do
|
|
62
|
+
before :all do
|
|
63
|
+
ip6tables_flush_all_tables
|
|
64
|
+
end
|
|
65
|
+
it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
describe 'editing a rule' do
|
|
69
|
+
context 'when unset or false' do
|
|
70
|
+
before :each do
|
|
71
|
+
ip6tables_flush_all_tables
|
|
72
|
+
shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
|
|
73
|
+
end
|
|
74
|
+
context 'and current value is false' do
|
|
75
|
+
it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
|
|
76
|
+
end
|
|
77
|
+
context 'and current value is true' do
|
|
78
|
+
it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
context 'when set to true' do
|
|
82
|
+
before :each do
|
|
83
|
+
ip6tables_flush_all_tables
|
|
84
|
+
shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
|
|
85
|
+
end
|
|
86
|
+
context 'and current value is false' do
|
|
87
|
+
it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
|
|
88
|
+
end
|
|
89
|
+
context 'and current value is true' do
|
|
90
|
+
it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
|
|
91
|
+
end
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
end
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
require 'spec_helper_acceptance'
|
|
2
|
+
|
|
3
|
+
describe 'firewall isfragment property' do
|
|
4
|
+
before :all do
|
|
5
|
+
iptables_flush_all_tables
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
shared_examples "is idempotent" do |value, line_match|
|
|
9
|
+
it "changes the value to #{value}" do
|
|
10
|
+
pp = <<-EOS
|
|
11
|
+
class { '::firewall': }
|
|
12
|
+
firewall { '597 - test':
|
|
13
|
+
ensure => present,
|
|
14
|
+
proto => 'tcp',
|
|
15
|
+
#{value}
|
|
16
|
+
}
|
|
17
|
+
EOS
|
|
18
|
+
|
|
19
|
+
apply_manifest(pp, :catch_failures => true)
|
|
20
|
+
apply_manifest(pp, :catch_changes => true)
|
|
21
|
+
|
|
22
|
+
shell('iptables -S') do |r|
|
|
23
|
+
expect(r.stdout).to match(/#{line_match}/)
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
shared_examples "doesn't change" do |value, line_match|
|
|
28
|
+
it "doesn't change the value to #{value}" do
|
|
29
|
+
pp = <<-EOS
|
|
30
|
+
class { '::firewall': }
|
|
31
|
+
firewall { '597 - test':
|
|
32
|
+
ensure => present,
|
|
33
|
+
proto => 'tcp',
|
|
34
|
+
#{value}
|
|
35
|
+
}
|
|
36
|
+
EOS
|
|
37
|
+
|
|
38
|
+
apply_manifest(pp, :catch_changes => true)
|
|
39
|
+
|
|
40
|
+
shell('iptables -S') do |r|
|
|
41
|
+
expect(r.stdout).to match(/#{line_match}/)
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
describe 'adding a rule' do
|
|
47
|
+
context 'when unset' do
|
|
48
|
+
before :all do
|
|
49
|
+
iptables_flush_all_tables
|
|
50
|
+
end
|
|
51
|
+
it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "597 - test"/
|
|
52
|
+
end
|
|
53
|
+
context 'when set to true' do
|
|
54
|
+
before :all do
|
|
55
|
+
iptables_flush_all_tables
|
|
56
|
+
end
|
|
57
|
+
it_behaves_like 'is idempotent', 'isfragment => true,', /-A INPUT -p tcp -f -m comment --comment "597 - test"/
|
|
58
|
+
end
|
|
59
|
+
context 'when set to false' do
|
|
60
|
+
before :all do
|
|
61
|
+
iptables_flush_all_tables
|
|
62
|
+
end
|
|
63
|
+
it_behaves_like "is idempotent", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
describe 'editing a rule' do
|
|
67
|
+
context 'when unset or false' do
|
|
68
|
+
before :each do
|
|
69
|
+
iptables_flush_all_tables
|
|
70
|
+
shell('/sbin/iptables -A INPUT -p tcp -m comment --comment "597 - test"')
|
|
71
|
+
end
|
|
72
|
+
context 'and current value is false' do
|
|
73
|
+
it_behaves_like "doesn't change", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/
|
|
74
|
+
end
|
|
75
|
+
context 'and current value is true' do
|
|
76
|
+
it_behaves_like "is idempotent", 'isfragment => true,', /-A INPUT -p tcp -f -m comment --comment "597 - test"/
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
context 'when set to true' do
|
|
80
|
+
before :each do
|
|
81
|
+
iptables_flush_all_tables
|
|
82
|
+
shell('/sbin/iptables -A INPUT -p tcp -f -m comment --comment "597 - test"')
|
|
83
|
+
end
|
|
84
|
+
context 'and current value is false' do
|
|
85
|
+
it_behaves_like "is idempotent", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/
|
|
86
|
+
end
|
|
87
|
+
context 'and current value is true' do
|
|
88
|
+
it_behaves_like "doesn't change", 'isfragment => true,', /-A INPUT -p tcp -f -m comment --comment "597 - test"/
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
end
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
HOSTS:
|
|
2
|
+
centos-64-x64:
|
|
3
|
+
roles:
|
|
4
|
+
- master
|
|
5
|
+
- database
|
|
6
|
+
- dashboard
|
|
7
|
+
platform: el-6-x86_64
|
|
8
|
+
box : centos-64-x64-vbox4210-nocm
|
|
9
|
+
box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box
|
|
10
|
+
hypervisor : vagrant
|
|
11
|
+
CONFIG:
|
|
12
|
+
type: pe
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
HOSTS:
|
|
2
|
+
ubuntu-server-10044-x64:
|
|
3
|
+
roles:
|
|
4
|
+
- master
|
|
5
|
+
platform: ubuntu-10.04-amd64
|
|
6
|
+
box : ubuntu-server-10044-x64-vbox4210-nocm
|
|
7
|
+
box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-10044-x64-vbox4210-nocm.box
|
|
8
|
+
hypervisor : vagrant
|
|
9
|
+
CONFIG:
|
|
10
|
+
type: git
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
HOSTS:
|
|
2
|
+
ubuntu-server-12042-x64:
|
|
3
|
+
roles:
|
|
4
|
+
- master
|
|
5
|
+
platform: ubuntu-12.04-amd64
|
|
6
|
+
box : ubuntu-server-12042-x64-vbox4210-nocm
|
|
7
|
+
box_url : http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box
|
|
8
|
+
hypervisor : vagrant
|
|
9
|
+
CONFIG:
|
|
10
|
+
type: foss
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require '
|
|
1
|
+
require 'spec_helper_acceptance'
|
|
2
2
|
|
|
3
3
|
describe "param based tests:" do
|
|
4
4
|
# Takes a hash and converts it into a firewall resource
|
|
@@ -8,7 +8,7 @@ describe "param based tests:" do
|
|
|
8
8
|
firewall { '#{name}':
|
|
9
9
|
EOS
|
|
10
10
|
|
|
11
|
-
params.each do |k,v|
|
|
11
|
+
params.each do |k,v|
|
|
12
12
|
pm += <<-EOS
|
|
13
13
|
#{k} => #{v},
|
|
14
14
|
EOS
|
|
@@ -23,10 +23,8 @@ firewall { '#{name}':
|
|
|
23
23
|
it 'test various params' do
|
|
24
24
|
iptables_flush_all_tables
|
|
25
25
|
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
unless (facts['operatingsystem'] == 'CentOS') && \
|
|
29
|
-
facts['operatingsystemrelease'] =~ /^5\./ then
|
|
26
|
+
unless (fact('operatingsystem') == 'CentOS') && \
|
|
27
|
+
fact('operatingsystemrelease') =~ /^5\./ then
|
|
30
28
|
|
|
31
29
|
ppm = pp({
|
|
32
30
|
'table' => "'raw'",
|
|
@@ -36,13 +34,8 @@ firewall { '#{name}':
|
|
|
36
34
|
'log_level' => 'debug',
|
|
37
35
|
})
|
|
38
36
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
r.stderr.should be_empty
|
|
42
|
-
r.refresh
|
|
43
|
-
r.stderr.should be_empty
|
|
44
|
-
r.exit_code.should be_zero
|
|
45
|
-
end
|
|
37
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
|
|
38
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to be_zero
|
|
46
39
|
end
|
|
47
40
|
end
|
|
48
41
|
|
|
@@ -55,13 +48,8 @@ firewall { '#{name}':
|
|
|
55
48
|
'jump' => 'LOG',
|
|
56
49
|
'log_level' => 'debug',
|
|
57
50
|
})
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
r.stderr.should be_empty
|
|
61
|
-
r.refresh
|
|
62
|
-
r.stderr.should be_empty
|
|
63
|
-
r.exit_code.should be_zero
|
|
64
|
-
end
|
|
51
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
|
|
52
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to be_zero
|
|
65
53
|
end
|
|
66
54
|
|
|
67
55
|
it 'test log rule - changing names' do
|
|
@@ -71,7 +59,7 @@ firewall { '#{name}':
|
|
|
71
59
|
'name' => '004 log all INVALID packets',
|
|
72
60
|
'chain' => 'INPUT',
|
|
73
61
|
'proto' => 'all',
|
|
74
|
-
'
|
|
62
|
+
'ctstate' => 'INVALID',
|
|
75
63
|
'jump' => 'LOG',
|
|
76
64
|
'log_level' => '3',
|
|
77
65
|
'log_prefix' => '"IPTABLES dropped invalid: "',
|
|
@@ -81,26 +69,45 @@ firewall { '#{name}':
|
|
|
81
69
|
'name' => '003 log all INVALID packets',
|
|
82
70
|
'chain' => 'INPUT',
|
|
83
71
|
'proto' => 'all',
|
|
84
|
-
'
|
|
72
|
+
'ctstate' => 'INVALID',
|
|
85
73
|
'jump' => 'LOG',
|
|
86
74
|
'log_level' => '3',
|
|
87
75
|
'log_prefix' => '"IPTABLES dropped invalid: "',
|
|
88
76
|
})
|
|
89
77
|
|
|
90
|
-
|
|
91
|
-
r.stderr.should be_empty
|
|
92
|
-
r.exit_code.should == 2
|
|
93
|
-
end
|
|
78
|
+
expect(apply_manifest(ppm1, :catch_failures => true).exit_code).to eq(2)
|
|
94
79
|
|
|
95
80
|
ppm = <<-EOS + "\n" + ppm2
|
|
96
81
|
resources { 'firewall':
|
|
97
82
|
purge => true,
|
|
98
83
|
}
|
|
99
84
|
EOS
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
85
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
it 'test chain - changing names' do
|
|
89
|
+
iptables_flush_all_tables
|
|
90
|
+
|
|
91
|
+
ppm1 = pp({
|
|
92
|
+
'name' => '004 with a chain',
|
|
93
|
+
'chain' => 'INPUT',
|
|
94
|
+
'proto' => 'all',
|
|
95
|
+
})
|
|
96
|
+
|
|
97
|
+
ppm2 = pp({
|
|
98
|
+
'name' => '004 with a chain',
|
|
99
|
+
'chain' => 'OUTPUT',
|
|
100
|
+
'proto' => 'all',
|
|
101
|
+
})
|
|
102
|
+
|
|
103
|
+
apply_manifest(ppm1, :expect_changes => true)
|
|
104
|
+
|
|
105
|
+
ppm = <<-EOS + "\n" + ppm2
|
|
106
|
+
resources { 'firewall':
|
|
107
|
+
purge => true,
|
|
108
|
+
}
|
|
109
|
+
EOS
|
|
110
|
+
expect(apply_manifest(ppm2, :expect_failures => true).stderr).to match(/is not supported/)
|
|
104
111
|
end
|
|
105
112
|
|
|
106
113
|
it 'test log rule - idempotent' do
|
|
@@ -110,19 +117,14 @@ firewall { '#{name}':
|
|
|
110
117
|
'name' => '004 log all INVALID packets',
|
|
111
118
|
'chain' => 'INPUT',
|
|
112
119
|
'proto' => 'all',
|
|
113
|
-
'
|
|
120
|
+
'ctstate' => 'INVALID',
|
|
114
121
|
'jump' => 'LOG',
|
|
115
122
|
'log_level' => '3',
|
|
116
123
|
'log_prefix' => '"IPTABLES dropped invalid: "',
|
|
117
124
|
})
|
|
118
125
|
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
r.stderr.should be_empty
|
|
122
|
-
r.refresh
|
|
123
|
-
r.stderr.should be_empty
|
|
124
|
-
r.exit_code.should be_zero
|
|
125
|
-
end
|
|
126
|
+
expect(apply_manifest(ppm1, :catch_failures => true).exit_code).to eq(2)
|
|
127
|
+
expect(apply_manifest(ppm1, :catch_failures => true).exit_code).to be_zero
|
|
126
128
|
end
|
|
127
129
|
|
|
128
130
|
it 'test src_range rule' do
|
|
@@ -135,13 +137,8 @@ firewall { '#{name}':
|
|
|
135
137
|
'action' => 'drop',
|
|
136
138
|
'src_range' => '"10.0.0.1-10.0.0.10"',
|
|
137
139
|
})
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
r.stderr.should be_empty
|
|
141
|
-
r.refresh
|
|
142
|
-
r.stderr.should be_empty
|
|
143
|
-
r.exit_code.should be_zero
|
|
144
|
-
end
|
|
140
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
|
|
141
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to be_zero
|
|
145
142
|
end
|
|
146
143
|
|
|
147
144
|
it 'test dst_range rule' do
|
|
@@ -154,13 +151,8 @@ firewall { '#{name}':
|
|
|
154
151
|
'action' => 'drop',
|
|
155
152
|
'dst_range' => '"10.0.0.2-10.0.0.20"',
|
|
156
153
|
})
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
r.stderr.should be_empty
|
|
160
|
-
r.refresh
|
|
161
|
-
r.stderr.should be_empty
|
|
162
|
-
r.exit_code.should be_zero
|
|
163
|
-
end
|
|
154
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to eq(2)
|
|
155
|
+
expect(apply_manifest(ppm, :catch_failures => true).exit_code).to be_zero
|
|
164
156
|
end
|
|
165
157
|
|
|
166
158
|
end
|