infrataster-plugin-firewall 0.1.3 → 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +0 -0
- data/.rubocop.yml +0 -0
- data/.travis.yml +0 -0
- data/Gemfile +0 -0
- data/LICENSE.txt +0 -0
- data/README.md +5 -1
- data/RELEASE_NOTES.md +5 -0
- data/Rakefile +9 -0
- data/infrataster-plugin-firewall.gemspec +1 -1
- data/lib/infrataster-plugin-firewall.rb +0 -0
- data/lib/infrataster/contexts/firewall_context.rb +5 -0
- data/lib/infrataster/helpers/firewall_resource_helper.rb +0 -0
- data/lib/infrataster/plugin/firewall.rb +0 -0
- data/lib/infrataster/plugin/firewall/capture.rb +0 -0
- data/lib/infrataster/plugin/firewall/transfer.rb +51 -12
- data/lib/infrataster/plugin/firewall/util.rb +0 -0
- data/lib/infrataster/plugin/firewall/version.rb +1 -1
- data/lib/infrataster/resources/firewall_resource.rb +0 -0
- data/spec/integration/firewall_spec.rb +5 -1
- data/spec/integration/vm/Vagrantfile +0 -0
- data/spec/spec_helper.rb +0 -0
- data/spec/unit/lib/infrataster/contexts/firewall_context_spec.rb +3 -0
- data/spec/unit/lib/infrataster/helpers/firewall_resource_helper_spec.rb +0 -0
- data/spec/unit/lib/infrataster/plugin/firewall/capture_spec.rb +1 -1
- data/spec/unit/lib/infrataster/plugin/firewall/transfer_spec.rb +1 -1
- data/spec/unit/lib/infrataster/plugin/firewall/util_spec.rb +0 -0
- data/spec/unit/lib/infrataster/plugin/firewall/version_spec.rb +0 -0
- data/spec/unit/lib/infrataster/resources/firewall_resource_spec.rb +0 -0
- data/spec/unit/spec_helper.rb +0 -0
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: dab37701a4a6c138072f1e492afeba8a10a72858
|
4
|
+
data.tar.gz: d8ff612f64c33a1caaae7505e4abdede09525b3b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1e8c0a5497bab4cf8b0862784ad5ecbe2350a9d6710ca7a7b9150ace55b767f669d512a212f3ebadc2f697735ac2ced29ca749b8960dd336ecbaddca2f4d6ead
|
7
|
+
data.tar.gz: 098f89b3e1da836f3bf3b10c5847c0921bcd332d9a4cd908dc6294f650f46fdea20aeebdbdca7c9556f800467e3b2593fc531b47959664a01ff4ec07033258bd
|
data/.gitignore
CHANGED
File without changes
|
data/.rubocop.yml
CHANGED
File without changes
|
data/.travis.yml
CHANGED
File without changes
|
data/Gemfile
CHANGED
File without changes
|
data/LICENSE.txt
CHANGED
File without changes
|
data/README.md
CHANGED
@@ -24,6 +24,8 @@ describe server(:src) do
|
|
24
24
|
it { is_expected.to be_reachable } #ICMP ping
|
25
25
|
it { is_expected.to be_reachable.dest_port(80) } #TCP:80
|
26
26
|
it { is_expected.to be_reachable.tcp.dest_port(80) }
|
27
|
+
it { is_expected.to be_reachable.tcp.dest_port(22).ack } # judge with both ACK and captured SYN
|
28
|
+
it { is_expected.to be_reachable.tcp.dest_port(22).ack(:only) } # judge with only ACK
|
27
29
|
it { is_expected.to be_reachable.udp.dest_port(53) }
|
28
30
|
it { is_expected.to be_reachable.dest_port('80/tcp') }
|
29
31
|
it { is_expected.to be_reachable.dest_port('53/udp') }
|
@@ -42,13 +44,15 @@ server 'src'
|
|
42
44
|
should reach to server 'dst'
|
43
45
|
should reach to server 'dst' dest_port: 80
|
44
46
|
should reach to server 'dst' tcp dest_port: 80
|
47
|
+
should reach to server 'dst' tcp dest_port: 22
|
48
|
+
should reach to server 'dst' tcp dest_port: 22
|
45
49
|
should reach to server 'dst' udp dest_port: 53
|
46
50
|
should reach to server 'dst' dest_port: 80/tcp
|
47
51
|
should reach to server 'dst' dest_port: 53/udp
|
48
52
|
should reach to server 'dst' tcp dest_port: 80 source_port: 30123
|
49
53
|
|
50
54
|
Finished in 21.35 seconds (files took 0.7851 seconds to load)
|
51
|
-
|
55
|
+
9 examples, 0 failures
|
52
56
|
$
|
53
57
|
```
|
54
58
|
|
data/RELEASE_NOTES.md
CHANGED
data/Rakefile
CHANGED
@@ -31,6 +31,10 @@ namespace :spec do
|
|
31
31
|
task :clean => ['destroy_vm'] do
|
32
32
|
end
|
33
33
|
|
34
|
+
desc 'Stop'
|
35
|
+
task :stop => ['stop_vm'] do
|
36
|
+
end
|
37
|
+
|
34
38
|
desc 'Prepare'
|
35
39
|
task :prepare => ['start_vm'] do
|
36
40
|
end
|
@@ -40,6 +44,11 @@ namespace :spec do
|
|
40
44
|
system 'vagrant reload --provision | grep "not created" && vagrant up'
|
41
45
|
end
|
42
46
|
|
47
|
+
task :stop_vm do
|
48
|
+
puts yellow('Stopping VM...')
|
49
|
+
system 'vagrant halt'
|
50
|
+
end
|
51
|
+
|
43
52
|
task :destroy_vm do
|
44
53
|
puts yellow('Destroying VM...')
|
45
54
|
system 'vagrant', 'destroy', '-f'
|
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
|
|
18
18
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
19
19
|
spec.require_paths = ['lib']
|
20
20
|
|
21
|
-
spec.add_runtime_dependency 'infrataster', '~> 0.
|
21
|
+
spec.add_runtime_dependency 'infrataster', '~> 0.3.0'
|
22
22
|
|
23
23
|
spec.add_development_dependency 'bundler', '~> 1.7'
|
24
24
|
spec.add_development_dependency 'rake', '~> 10.0'
|
File without changes
|
@@ -56,6 +56,11 @@ module Infrataster
|
|
56
56
|
@chain_string += " source_port: #{port}"
|
57
57
|
end
|
58
58
|
|
59
|
+
chain :ack do |mode = :both|
|
60
|
+
@options ||= {}
|
61
|
+
@options.merge!(ack: mode)
|
62
|
+
end
|
63
|
+
|
59
64
|
failure_message do
|
60
65
|
s = "expected to reach to #{resource.dest_node}"
|
61
66
|
s + "#{@chain_string}, but did not."
|
File without changes
|
File without changes
|
File without changes
|
@@ -10,6 +10,7 @@ module Infrataster
|
|
10
10
|
@protocol = options[:protocol] ? options[:protocol] : :icmp
|
11
11
|
@dest_port = options[:dest_port] ? options[:dest_port] : 80
|
12
12
|
@source_port = options[:source_port] ? options[:source_port] : nil
|
13
|
+
@ack = options[:ack] ? options[:ack] : nil
|
13
14
|
end
|
14
15
|
|
15
16
|
def reachable?
|
@@ -31,23 +32,61 @@ module Infrataster
|
|
31
32
|
end
|
32
33
|
|
33
34
|
def transport_reachable?
|
34
|
-
|
35
|
+
if @protocol == :tcp && @ack == :only
|
36
|
+
jugde_with_only_ack
|
37
|
+
else
|
38
|
+
jugde_with_capture
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
def jugde_with_only_ack
|
35
43
|
dest_addr = Util.address(@dest_node)
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
44
|
+
|
45
|
+
nc_result =
|
46
|
+
@src_node.server
|
47
|
+
.ssh_exec('echo test_with_infrataster | ' \
|
48
|
+
+ "nc #{dest_addr} #{@dest_port} #{nc_options}" \
|
49
|
+
'&& echo NC_OK')
|
50
|
+
nc_result.to_s.include?('NC_OK')
|
51
|
+
end
|
52
|
+
|
53
|
+
def jugde_with_capture
|
54
|
+
src_addr = Util.address(@src_node)
|
55
|
+
dest_addr = Util.address(@dest_node)
|
56
|
+
|
57
|
+
bpf = Capture.bpf(bpf_options(src_addr, dest_addr))
|
42
58
|
capture = Capture.new(@dest_node, bpf)
|
59
|
+
nc_result = nil
|
43
60
|
capture.open do
|
44
|
-
|
45
|
-
|
46
|
-
@src_node.server
|
61
|
+
nc_result =
|
62
|
+
@src_node.server
|
47
63
|
.ssh_exec('echo test_with_infrataster | ' \
|
48
|
-
+ "nc #{dest_addr} #{@dest_port} #{
|
64
|
+
+ "nc #{dest_addr} #{@dest_port} #{nc_options}" \
|
65
|
+
'&& echo NC_OK')
|
66
|
+
end
|
67
|
+
capture_succedded?(capture.result, nc_result)
|
68
|
+
end
|
69
|
+
|
70
|
+
def capture_succedded?(capture_result, nc_result)
|
71
|
+
if @protocol == :tcp && @ack == :both
|
72
|
+
capture_result && nc_result.to_s.include?('NC_OK')
|
73
|
+
else
|
74
|
+
capture_result
|
49
75
|
end
|
50
|
-
|
76
|
+
end
|
77
|
+
|
78
|
+
def nc_options
|
79
|
+
nc_option = @protocol == :udp ? '-w1 -u' : '-w1 -t'
|
80
|
+
nc_option + (@source_port ? " -p #{@source_port}" : '')
|
81
|
+
end
|
82
|
+
|
83
|
+
def bpf_options(src_addr, dest_addr)
|
84
|
+
options = { :'src host' => src_addr,
|
85
|
+
:'dst host' => dest_addr,
|
86
|
+
:'dst port' => @dest_port,
|
87
|
+
@protocol.downcase => nil }
|
88
|
+
options.merge!(:'src port' => @source_port) if @source_port
|
89
|
+
options
|
51
90
|
end
|
52
91
|
end
|
53
92
|
end
|
File without changes
|
File without changes
|
@@ -2,9 +2,13 @@ require 'spec_helper'
|
|
2
2
|
|
3
3
|
describe server(:src) do
|
4
4
|
describe firewall(server(:dst)) do
|
5
|
-
it {
|
5
|
+
it {
|
6
|
+
is_expected.to be_reachable
|
7
|
+
}
|
6
8
|
it { is_expected.to be_reachable.dest_port(80) }
|
7
9
|
it { is_expected.to be_reachable.tcp.dest_port(80) }
|
10
|
+
it { is_expected.to be_reachable.tcp.dest_port(22).ack }
|
11
|
+
it { is_expected.to be_reachable.tcp.dest_port(22).ack(:only) }
|
8
12
|
it { is_expected.to be_reachable.udp.dest_port(53) }
|
9
13
|
it { is_expected.to be_reachable.dest_port('80/tcp') }
|
10
14
|
it { is_expected.to be_reachable.dest_port('53/udp') }
|
File without changes
|
data/spec/spec_helper.rb
CHANGED
File without changes
|
@@ -25,6 +25,9 @@ module Infrataster
|
|
25
25
|
it 'should have chain `source_port`' do
|
26
26
|
expect(context.be_reachable).to respond_to(:source_port)
|
27
27
|
end
|
28
|
+
it 'should have chain `ack`' do
|
29
|
+
expect(context.be_reachable).to respond_to(:ack)
|
30
|
+
end
|
28
31
|
it 'should have failure_message' do
|
29
32
|
expect(context.be_reachable)
|
30
33
|
.to respond_to(:failure_message)
|
File without changes
|
@@ -9,7 +9,7 @@ module Infrataster
|
|
9
9
|
Infrataster::Server.define(:src, '192.168.33.10')
|
10
10
|
Infrataster::Server.define(:dst, '192.168.33.11')
|
11
11
|
end
|
12
|
-
after(:all) { Infrataster::Server.
|
12
|
+
after(:all) { Infrataster::Server.clear_defined_servers }
|
13
13
|
describe '#open' do
|
14
14
|
let(:capture) do
|
15
15
|
ssh = double('ssh')
|
@@ -9,7 +9,7 @@ module Infrataster
|
|
9
9
|
Infrataster::Server.define(:src, '192.168.33.10')
|
10
10
|
Infrataster::Server.define(:dst, '192.168.33.11')
|
11
11
|
end
|
12
|
-
after(:all) { Infrataster::Server.
|
12
|
+
after(:all) { Infrataster::Server.clear_defined_servers }
|
13
13
|
describe '#reachable?' do
|
14
14
|
context 'if @protocol == :icmp' do
|
15
15
|
let(:transfer) do
|
File without changes
|
File without changes
|
File without changes
|
data/spec/unit/spec_helper.rb
CHANGED
File without changes
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: infrataster-plugin-firewall
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Hiroshi Ota
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-
|
11
|
+
date: 2015-06-24 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: infrataster
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.3.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.3.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: bundler
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|