infrataster-plugin-firewall 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 36a35d83702e05bc1eb186299fd7007e1f9fa27d
+  data.tar.gz: cdb6310a44878446dd3d72e2888f6eb37f6fb7de
+SHA512:
+  metadata.gz: 536be10b3c0f5b31b36731083402785f3371cc6a5b09ce07053a6545dbc1edf5cbcd350bfa83fafbf9e4574d6655229e6833bb85fb8e80f68f187fb241ca1e05
+  data.tar.gz: 5c45ad6042cd4429bf2ba4766587f9a56c36edd978e9455ad08264e8fad8e89fce07e5262ba4a3e1da360ba149397547980bf07d81b3b642a02261b727b415d0

data/.gitignore

@@ -0,0 +1,16 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/vendor/
+.vagrant/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.rubocop.yml

@@ -0,0 +1,19 @@
+# Avoid methods longer than 10 lines of code
+MethodLength:
+  Enabled: false
+
+# Avoid classes longer than 100 lines of code
+ClassLength:
+  Enabled: false
+
+# allow is_a? or have_* method_name
+Style/PredicateName:
+  Enabled: false
+
+# allow lib/infrataster-plugin-dns.rb
+Style/FileName:
+  Enabled: false
+
+# allow 5 digit not separated
+NumericLiterals:
+  MinDigits: 6

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+cache: bundler
+sudo: false
+
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in infrataster-plugin-firewall.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Hiroshi Ota
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,67 @@
+# Infrataster::Plugin::Firewall
+[![Gem Version](https://badge.fury.io/rb/infrataster-plugin-firewall.svg)](http://badge.fury.io/rb/infrataster-plugin-firewall)
+[![Build Status](https://travis-ci.org/otahi/infrataster-plugin-firewall.svg)](https://travis-ci.org/otahi/infrataster-plugin-firewall)
+[![Coverage Status](https://coveralls.io/repos/otahi/infrataster-plugin-firewall/badge.png)](https://coveralls.io/r/otahi/infrataster-plugin-firewall)
+
+Firewall plugin for Infrataster.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'infrataster-plugin-firewall'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install infrataster-plugin-firewall
+
+## Usage
+
+The usage is as same as [Infrataster](https://github.com/ryotarai/infrataster).
+
+```ruby
+require 'infrataster-plugin-firewall'
+
+describe server(:src) do
+  describe firewall(server(:dst)) do
+    it { is_expected.to be_reachable } #ICMP ping
+    it { is_expected.to be_reachable.dest_port(80) } #TCP:80
+    it { is_expected.to be_reachable.tcp.dest_port(80) }
+    it { is_expected.to be_reachable.udp.dest_port(53) }
+    it { is_expected.to be_reachable.tcp.dest_port(80).source_port(30123) }
+  end
+end
+```
+
+You can get following result:
+
+```
+$ bundle exec rspec
+
+server 'src'
+  via firewall
+    should reach to server 'dst'
+    should reach to server 'dst' dest_port: 80
+    should reach to server 'dst' tcp dest_port: 80
+    should reach to server 'dst' udp dest_port: 53
+    should reach to server 'dst' tcp dest_port: 80 source_port: 30123
+
+Finished in 15.87 seconds (files took 0.58711 seconds to load)
+5 examples, 0 failures
+$
+```
+
+
+## Contributing
+
+1. Fork it ( https://github.com/otahi/infrataster-plugin-firewall/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,58 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'open-uri'
+require 'coveralls/rake/task'
+require 'rubocop/rake_task'
+
+task :default => ['spec:unit', :quality]
+
+def yellow(str)
+  "\e[33m#{str}\e[m"
+end
+
+ENV['VAGRANT_CWD'] = File.expand_path('spec/integration/vm')
+
+desc 'Run unit and integration tests'
+task :spec => ['spec:unit', 'spec:integration']
+
+namespace :spec do
+  RSpec::Core::RakeTask.new('unit') do |task|
+    task.pattern = './spec/unit{,/*/**}/*_spec.rb'
+  end
+
+  RSpec::Core::RakeTask.new('integration') do |task|
+    task.pattern = './spec/integration{,/*/**}/*_spec.rb'
+  end
+
+  namespace :integration do
+    integration_dir = 'spec/integration'
+
+    desc 'Clean'
+    task :clean => ['destroy_vm'] do
+    end
+
+    desc 'Prepare'
+    task :prepare => ['start_vm'] do
+    end
+
+    task :start_vm do
+      puts yellow('Starting VM...')
+      system 'vagrant reload --provision | grep "not created" && vagrant up'
+    end
+
+    task :destroy_vm do
+      puts yellow('Destroying VM...')
+      system 'vagrant', 'destroy', '-f'
+    end
+  end
+end
+
+
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.patterns = %w(lib/**/*.rb spec/unit/**/*.rb)
+end
+
+task :quality => :rubocop do
+  Coveralls::RakeTask.new
+end
+

data/infrataster-plugin-firewall.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'infrataster/plugin/firewall/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'infrataster-plugin-firewall'
+  spec.version       = Infrataster::Plugin::Firewall::VERSION
+  spec.authors       = ['Hiroshi Ota']
+  spec.email         = ['otahi.pub@gmail.com']
+  spec.summary       = 'Firewall plugin for Infrataster.'
+  spec.description   = 'Firewall plugin for Infrataster.'
+  spec.homepage      = 'https://github.com/otahi/infrataster-plugin-firewall'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'infrataster', '~> 0.2.0'
+
+  spec.add_development_dependency 'bundler', '~> 1.7'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '0.28.0'
+  spec.add_development_dependency 'coveralls', '~> 0.7'
+  spec.add_development_dependency 'byebug' if RUBY_VERSION >= '2.0'
+end

data/lib/infrataster-plugin-firewall.rb

@@ -0,0 +1,10 @@
+require 'infrataster'
+
+require 'infrataster/plugin/firewall/version'
+require 'infrataster/plugin/firewall/util'
+require 'infrataster/plugin/firewall/capture'
+require 'infrataster/plugin/firewall/transfer'
+
+require 'infrataster/resources/firewall_resource'
+require 'infrataster/helpers/firewall_resource_helper'
+require 'infrataster/contexts/firewall_context'

data/lib/infrataster/contexts/firewall_context.rb

@@ -0,0 +1,71 @@
+require 'infrataster'
+require 'infrataster-plugin-firewall'
+
+module Infrataster
+  module Contexts
+    # Infrataster Firewall context
+    class FirewallContext < BaseContext
+      extend RSpec::Matchers::DSL
+
+      matcher(:be_reachable) do
+        match do
+          @options ||= {}
+          transfer =
+            Plugin::Firewall::Transfer.new(resource.src_node,
+                                           resource.dest_node,
+                                           @options)
+          transfer.reachable?
+        end
+
+        chain :icmp do
+          @options ||= {}
+          @options.merge!(protocol: :ICMP) unless @options[:protocol]
+        end
+
+        chain :tcp do
+          @options ||= {}
+          @options.merge!(protocol: :TCP) unless @options[:protocol]
+          @chain_string ||= ''
+          @chain_string += ' tcp'
+        end
+
+        chain :udp do
+          @options ||= {}
+          @options.merge!(protocol: :UDP) unless @options[:protocol]
+          @chain_string ||= ''
+          @chain_string += ' udp'
+        end
+
+        chain :dest_port do |port|
+          @options ||= {}
+          @options.merge!(dest_port: port)
+          @options.merge!(protocol: :TCP) unless @options[:protocol]
+          @chain_string ||= ''
+          @chain_string += " dest_port: #{port}"
+        end
+
+        chain :source_port do |port|
+          @options ||= {}
+          @options.merge!(source_port: port)
+          @options.merge!(protocol: :TCP) unless @options[:protocol]
+          @chain_string ||= ''
+          @chain_string += " source_port: #{port}"
+        end
+
+        failure_message do
+          s = "expected to reach to #{resource.dest_node}"
+          s + "#{@chain_string}, but did not."
+        end
+
+        failure_message_when_negated do
+          s = "expected not to reach to #{resource.dest_node}"
+          s + "#{@chain_string}, but did."
+        end
+
+        description do
+          "reach to #{resource.dest_node}#{@chain_string}"
+        end
+      end
+    end
+  end
+end

data/lib/infrataster/helpers/firewall_resource_helper.rb

@@ -0,0 +1,13 @@
+require 'rspec'
+require 'infrataster/resources'
+
+module Infrataster
+  module Helpers
+    # Firewall resouce helper
+    module ResourceHelper
+      def firewall(*args)
+        Resources::FirewallResource.new(described_class, *args)
+      end
+    end
+  end
+end

data/lib/infrataster/plugin/firewall.rb

@@ -0,0 +1,10 @@
+require 'infrataster/plugin/firewall/version'
+
+module Infrataster
+  module Plugin
+    # Infrataster plugin for firewall
+    module Firewall
+      # Your code goes here...
+    end
+  end
+end

data/lib/infrataster/plugin/firewall/capture.rb

@@ -0,0 +1,102 @@
+module Infrataster
+  module Plugin
+    # Infrataster plugin for firewall
+    module Firewall
+      # Reqresent capture
+      class Capture
+        attr_reader :result, :output
+
+        def initialize(node, bpf = nil, term_sec = nil)
+          @node = node.respond_to?(:server) ? node.server :
+            Net::SSH.start(node, config: true)
+          @bpf = bpf ? bpf : ''
+          @connected = false
+          @term_sec = term_sec ? term_sec : 5
+          @thread = nil
+          @ssh = nil
+          @result = false
+          @output = ''
+        end
+
+        def open(&block)
+          open_node
+          wait_connected
+          return unless block
+
+          block.call
+          close
+        end
+
+        def close
+          sleep 0.5 until capture_done?
+          @thread.kill
+          @ssh.close unless @ssh.closed?
+        end
+
+        def self.bpf(options = {})
+          is_first = true
+          filter = ''
+
+          options.each do |k, v|
+            filter << ' and ' unless is_first
+            filter << "#{k} #{v}"
+            is_first = false
+          end
+          filter
+        end
+
+        private
+
+        def open_node
+          @thread = Thread.new do
+            @node.ssh do |ssh|
+              @ssh = ssh
+              ssh.open_channel do |channel|
+                output = run_check(channel)
+                @output << output.to_s
+              end
+            end
+          end
+        end
+
+        def wait_connected
+          sleep 0.5 until @connected
+          sleep 1 # after connected wait for tcpdump ready
+        end
+
+        def run_check(channel)
+          channel.request_pty do |chan, success|
+            fail 'Could not obtain pty' unless success
+            exec_capture(chan)
+          end
+        end
+
+        def exec_capture(channel)
+          @start_sec = Time.now.to_i + 1
+          channel.exec(capture_command) do |ch, _stream, _data|
+            receive_data(ch)
+            break if capture_done?
+          end
+        end
+
+        def receive_data(channel)
+          data = ''
+          channel.on_data do |_c, d|
+            @connected = true
+            data << d
+            @result = data.include?('RECEIVED')
+          end
+        end
+
+        def capture_done?
+          now_sec = Time.now.to_i
+          (@term_sec > 0 && now_sec - @start_sec > @term_sec) ? true : @result
+        end
+
+        def capture_command
+          "sudo tcpdump -c1 -nnn -i any #{@bpf} > /dev/null && echo RECEIVED"
+        end
+      end
+    end
+  end
+end

data/lib/infrataster/plugin/firewall/transfer.rb

@@ -0,0 +1,52 @@
+module Infrataster
+  module Plugin
+    # Infrataster plugin for firewall
+    module Firewall
+      # Represent transfer
+      class Transfer
+        def initialize(src_node, dest_node, options = {})
+          @src_node = src_node
+          @dest_node = dest_node
+          @protocol = options[:protocol] ? options[:protocol] : :ICMP
+          @dest_port = options[:dest_port] ? options[:dest_port] : 80
+          @source_port = options[:source_port] ? options[:source_port] : nil
+        end
+
+        def reachable?
+          case @protocol
+          when :ICMP
+            icmp_reachable?
+          when :TCP, :UDP
+            transport_reachable?
+          end
+        end
+
+        private
+
+        def icmp_reachable?
+          dest_addr = Util.address(@dest_node)
+          @src_node.server
+            .ssh_exec("ping -c1 -W3 #{dest_addr} && echo PING_OK")
+            .include?('PING_OK')
+        end
+
+        def transport_reachable?
+          dest_addr = Util.address(@dest_node)
+          bpf_options = { :'dst host' => dest_addr,
+                          :'dst port' => @dest_port,
+                          @protocol.downcase => nil }
+          bpf_options.merge!(:'src port' => @source_port) if @source_port
+          bpf = Capture.bpf(bpf_options)
+          capture = Capture.new(@dest_node, bpf)
+          capture.open do
+            nc_option = @protocol == :UDP ? '-u' : '-t'
+            nc_option += @source_port ? " -p #{@source_port}" : ''
+            @src_node.server
+              .ssh_exec("echo test|nc #{dest_addr} #{@dest_port} #{nc_option}")
+          end
+          capture.result
+        end
+      end
+    end
+  end
+end

data/lib/infrataster/plugin/firewall/util.rb

@@ -0,0 +1,17 @@
+module Infrataster
+  module Plugin
+    # Infrataster plugin for firewall
+    module Firewall
+      # Util
+      class Util
+        def self.address(node)
+          if node.respond_to?(:server)
+            node.server.address
+          else
+            node.to_s
+          end
+        end
+      end
+    end
+  end
+end

data/lib/infrataster/plugin/firewall/version.rb

@@ -0,0 +1,8 @@
+module Infrataster
+  module Plugin
+    # Infrataster plugin for firewall
+    module Firewall
+      VERSION = '0.1.0'
+    end
+  end
+end

data/lib/infrataster/resources/firewall_resource.rb

@@ -0,0 +1,22 @@
+require 'infrataster'
+
+module Infrataster
+  module Resources
+    # Infrataster Firewall resource
+    class FirewallResource < BaseResource
+      Error = Class.new(StandardError)
+
+      attr_reader :src_node
+      attr_reader :dest_node
+
+      def initialize(src_node, dest_node)
+        @src_node = src_node
+        @dest_node = dest_node
+      end
+
+      def to_s
+        'via firewall'
+      end
+    end
+  end
+end

data/spec/integration/firewall_spec.rb

@@ -0,0 +1,11 @@
+require 'spec_helper'
+
+describe server(:src) do
+  describe firewall(server(:dst)) do
+    it { is_expected.to be_reachable }
+    it { is_expected.to be_reachable.dest_port(80) }
+    it { is_expected.to be_reachable.tcp.dest_port(80) }
+    it { is_expected.to be_reachable.udp.dest_port(53) }
+    it { is_expected.to be_reachable.tcp.dest_port(80).source_port(30123) }
+  end
+end

data/spec/integration/vm/Vagrantfile

@@ -0,0 +1,18 @@
+# Vagrantfile
+Vagrant.configure('2') do |config|
+  config.vm.box = 'hfm4/centos7'
+
+  config.vm.define :src do |c|
+    c.vm.network 'private_network', ip: '192.168.33.10'
+    c.vm.synced_folder '.', '/vagrant', disabled: true
+  end
+  config.vm.define :dst do |c|
+    c.vm.network 'private_network', ip: '192.168.33.11'
+    c.vm.synced_folder '.', '/vagrant', disabled: true
+  end
+  config.vm.provider 'virtualbox' do |v|
+    v.customize ['modifyvm', :id, '--memory', '256']
+  end
+
+  config.vm.provision :shell, inline: 'yum install tcpdump nc -y'
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+require 'infrataster/rspec'
+require 'infrataster-plugin-firewall'
+
+Infrataster::Server.define(:src) do |server|
+  server.address = '192.168.33.10/32'
+  server.vagrant = true
+end
+Infrataster::Server.define(:dst) do |server|
+  server.address = '192.168.33.11/32'
+  server.vagrant = true
+end

metadata

@@ -0,0 +1,165 @@
+--- !ruby/object:Gem::Specification
+name: infrataster-plugin-firewall
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Hiroshi Ota
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-04-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: infrataster
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.28.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.28.0
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Firewall plugin for Infrataster.
+email:
+- otahi.pub@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- infrataster-plugin-firewall.gemspec
+- lib/infrataster-plugin-firewall.rb
+- lib/infrataster/contexts/firewall_context.rb
+- lib/infrataster/helpers/firewall_resource_helper.rb
+- lib/infrataster/plugin/firewall.rb
+- lib/infrataster/plugin/firewall/capture.rb
+- lib/infrataster/plugin/firewall/transfer.rb
+- lib/infrataster/plugin/firewall/util.rb
+- lib/infrataster/plugin/firewall/version.rb
+- lib/infrataster/resources/firewall_resource.rb
+- spec/integration/firewall_spec.rb
+- spec/integration/vm/Vagrantfile
+- spec/spec_helper.rb
+homepage: https://github.com/otahi/infrataster-plugin-firewall
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Firewall plugin for Infrataster.
+test_files:
+- spec/integration/firewall_spec.rb
+- spec/integration/vm/Vagrantfile
+- spec/spec_helper.rb