infrataster-plugin-firewall 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1a9d0058206c52c806c0506af6c3c3e525f43a0e
-  data.tar.gz: 52a5e832e03721db499b672ea3e2cd4d2ee704b6
+  metadata.gz: dab37701a4a6c138072f1e492afeba8a10a72858
+  data.tar.gz: d8ff612f64c33a1caaae7505e4abdede09525b3b
 SHA512:
-  metadata.gz: 0eaa89edf8d58059eb89236b83c07cc1c0d98c58ac0962338c88730b1c505fce2e01f4b073307032cb53c0829da6f4ade5009b606e13a4d1a8a71dbf7a0e1225
-  data.tar.gz: 88866ecd302ee50988c3225e31658ee45142882021282cd38c49a24441bd91590ae8a53d37bccf1350fd35f5e9368a6d14e126239b639c4437e690ca95cb3095
+  metadata.gz: 1e8c0a5497bab4cf8b0862784ad5ecbe2350a9d6710ca7a7b9150ace55b767f669d512a212f3ebadc2f697735ac2ced29ca749b8960dd336ecbaddca2f4d6ead
+  data.tar.gz: 098f89b3e1da836f3bf3b10c5847c0921bcd332d9a4cd908dc6294f650f46fdea20aeebdbdca7c9556f800467e3b2593fc531b47959664a01ff4ec07033258bd

data/README.md

@@ -24,6 +24,8 @@ describe server(:src) do
     it { is_expected.to be_reachable } #ICMP ping
     it { is_expected.to be_reachable.dest_port(80) } #TCP:80
     it { is_expected.to be_reachable.tcp.dest_port(80) }
+    it { is_expected.to be_reachable.tcp.dest_port(22).ack } # judge with both ACK and captured SYN
+    it { is_expected.to be_reachable.tcp.dest_port(22).ack(:only) } # judge with only ACK
     it { is_expected.to be_reachable.udp.dest_port(53) }
     it { is_expected.to be_reachable.dest_port('80/tcp') }
     it { is_expected.to be_reachable.dest_port('53/udp') }
@@ -42,13 +44,15 @@ server 'src'
     should reach to server 'dst'
     should reach to server 'dst' dest_port: 80
     should reach to server 'dst' tcp dest_port: 80
+    should reach to server 'dst' tcp dest_port: 22
+    should reach to server 'dst' tcp dest_port: 22
     should reach to server 'dst' udp dest_port: 53
     should reach to server 'dst' dest_port: 80/tcp
     should reach to server 'dst' dest_port: 53/udp
     should reach to server 'dst' tcp dest_port: 80 source_port: 30123
 
 Finished in 21.35 seconds (files took 0.7851 seconds to load)
-7 examples, 0 failures
+9 examples, 0 failures
 $
 ```
 

data/RELEASE_NOTES.md

@@ -1,5 +1,10 @@
 # Release Notes
 
+## v0.1.4
+
+* Add feature to judge with ACK #2
+* Change dependency infrataster version 0.2.0 -> 0.3.0 
+
 ## v0.1.3
 
 * Fix to netcat send tiny string on udp #1

data/Rakefile

@@ -31,6 +31,10 @@ namespace :spec do
     task :clean => ['destroy_vm'] do
     end
 
+    desc 'Stop'
+    task :stop => ['stop_vm'] do
+    end
+
     desc 'Prepare'
     task :prepare => ['start_vm'] do
     end
@@ -40,6 +44,11 @@ namespace :spec do
       system 'vagrant reload --provision | grep "not created" && vagrant up'
     end
 
+    task :stop_vm do
+      puts yellow('Stopping VM...')
+      system 'vagrant halt'
+    end
+
     task :destroy_vm do
       puts yellow('Destroying VM...')
       system 'vagrant', 'destroy', '-f'

data/infrataster-plugin-firewall.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'infrataster', '~> 0.2.0'
+  spec.add_runtime_dependency 'infrataster', '~> 0.3.0'
 
   spec.add_development_dependency 'bundler', '~> 1.7'
   spec.add_development_dependency 'rake', '~> 10.0'

data/lib/infrataster/contexts/firewall_context.rb

@@ -56,6 +56,11 @@ module Infrataster
           @chain_string += " source_port: #{port}"
         end
 
+        chain :ack do |mode = :both|
+          @options ||= {}
+          @options.merge!(ack: mode)
+        end
+
         failure_message do
           s = "expected to reach to #{resource.dest_node}"
           s + "#{@chain_string}, but did not."

data/lib/infrataster/plugin/firewall/transfer.rb

@@ -10,6 +10,7 @@ module Infrataster
           @protocol = options[:protocol] ? options[:protocol] : :icmp
           @dest_port = options[:dest_port] ? options[:dest_port] : 80
           @source_port = options[:source_port] ? options[:source_port] : nil
+          @ack = options[:ack] ? options[:ack] : nil
         end
 
         def reachable?
@@ -31,23 +32,61 @@ module Infrataster
         end
 
         def transport_reachable?
-          src_addr  = Util.address(@src_node)
+          if @protocol == :tcp && @ack == :only
+            jugde_with_only_ack
+          else
+            jugde_with_capture
+          end
+        end
+
+        def jugde_with_only_ack
           dest_addr = Util.address(@dest_node)
-          bpf_options = { :'src host' => src_addr,
-                          :'dst host' => dest_addr,
-                          :'dst port' => @dest_port,
-                          @protocol.downcase => nil }
-          bpf_options.merge!(:'src port' => @source_port) if @source_port
-          bpf = Capture.bpf(bpf_options)
+
+          nc_result =
+            @src_node.server
+            .ssh_exec('echo test_with_infrataster | ' \
+                      + "nc #{dest_addr} #{@dest_port} #{nc_options}" \
+                      '&& echo NC_OK')
+          nc_result.to_s.include?('NC_OK')
+        end
+
+        def jugde_with_capture
+          src_addr = Util.address(@src_node)
+          dest_addr = Util.address(@dest_node)
+
+          bpf = Capture.bpf(bpf_options(src_addr, dest_addr))
           capture = Capture.new(@dest_node, bpf)
+          nc_result = nil
           capture.open do
-            nc_option = @protocol == :udp ? '-w1 -u' : '-w1 -t'
-            nc_option += @source_port ? " -p #{@source_port}" : ''
-            @src_node.server
+            nc_result =
+              @src_node.server
               .ssh_exec('echo test_with_infrataster | ' \
-                        + "nc #{dest_addr} #{@dest_port} #{nc_option}")
+                        + "nc #{dest_addr} #{@dest_port} #{nc_options}" \
+                        '&& echo NC_OK')
+          end
+          capture_succedded?(capture.result, nc_result)
+        end
+
+        def capture_succedded?(capture_result, nc_result)
+          if @protocol == :tcp && @ack == :both
+            capture_result && nc_result.to_s.include?('NC_OK')
+          else
+            capture_result
           end
-          capture.result
+        end
+
+        def nc_options
+          nc_option = @protocol == :udp ? '-w1 -u' : '-w1 -t'
+          nc_option + (@source_port ? " -p #{@source_port}" : '')
+        end
+
+        def bpf_options(src_addr, dest_addr)
+          options = { :'src host' => src_addr,
+                      :'dst host' => dest_addr,
+                      :'dst port' => @dest_port,
+                      @protocol.downcase => nil }
+          options.merge!(:'src port' => @source_port) if @source_port
+          options
         end
       end
     end

data/lib/infrataster/plugin/firewall/version.rb

@@ -2,7 +2,7 @@ module Infrataster
   module Plugin
     # Infrataster plugin for firewall
     module Firewall
-      VERSION = '0.1.3'
+      VERSION = '0.1.4'
     end
   end
 end

data/spec/integration/firewall_spec.rb

@@ -2,9 +2,13 @@ require 'spec_helper'
 
 describe server(:src) do
   describe firewall(server(:dst)) do
-    it { is_expected.to be_reachable }
+    it {
+      is_expected.to be_reachable
+    }
     it { is_expected.to be_reachable.dest_port(80) }
     it { is_expected.to be_reachable.tcp.dest_port(80) }
+    it { is_expected.to be_reachable.tcp.dest_port(22).ack }
+    it { is_expected.to be_reachable.tcp.dest_port(22).ack(:only) }
     it { is_expected.to be_reachable.udp.dest_port(53) }
     it { is_expected.to be_reachable.dest_port('80/tcp') }
     it { is_expected.to be_reachable.dest_port('53/udp') }

data/spec/unit/lib/infrataster/contexts/firewall_context_spec.rb

@@ -25,6 +25,9 @@ module Infrataster
       it 'should have chain `source_port`' do
         expect(context.be_reachable).to respond_to(:source_port)
       end
+      it 'should have chain `ack`' do
+        expect(context.be_reachable).to respond_to(:ack)
+      end
       it 'should have failure_message' do
         expect(context.be_reachable)
           .to respond_to(:failure_message)

data/spec/unit/lib/infrataster/plugin/firewall/capture_spec.rb

@@ -9,7 +9,7 @@ module Infrataster
           Infrataster::Server.define(:src, '192.168.33.10')
           Infrataster::Server.define(:dst, '192.168.33.11')
         end
-        after(:all)  { Infrataster::Server.clear_all }
+        after(:all)  { Infrataster::Server.clear_defined_servers }
         describe '#open' do
           let(:capture) do
             ssh  = double('ssh')

data/spec/unit/lib/infrataster/plugin/firewall/transfer_spec.rb

@@ -9,7 +9,7 @@ module Infrataster
           Infrataster::Server.define(:src, '192.168.33.10')
           Infrataster::Server.define(:dst, '192.168.33.11')
         end
-        after(:all)  { Infrataster::Server.clear_all }
+        after(:all)  { Infrataster::Server.clear_defined_servers }
         describe '#reachable?' do
           context 'if @protocol == :icmp' do
             let(:transfer) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: infrataster-plugin-firewall
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Hiroshi Ota
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-30 00:00:00.000000000 Z
+date: 2015-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: infrataster
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement