infrataster-plugin-firewall 0.1.1 → 0.1.2
- checksums.yaml +4 -4
- data/README.md +27 -14
- data/RELEASE_NOTES.md +6 -0
- data/lib/infrataster/plugin/firewall/transfer.rb +4 -2
- data/lib/infrataster/plugin/firewall/util.rb +1 -1
- data/lib/infrataster/plugin/firewall/version.rb +1 -1
- data/spec/unit/lib/infrataster/contexts/firewall_context_spec.rb +38 -0
- data/spec/unit/lib/infrataster/helpers/firewall_resource_helper_spec.rb +15 -0
- data/spec/unit/lib/infrataster/plugin/firewall/capture_spec.rb +49 -0
- data/spec/unit/lib/infrataster/plugin/firewall/transfer_spec.rb +54 -0
- data/spec/unit/lib/infrataster/plugin/firewall/util_spec.rb +28 -0
- data/spec/unit/lib/infrataster/plugin/firewall/version_spec.rb +13 -0
- data/spec/unit/lib/infrataster/resources/firewall_resource_spec.rb +26 -0
- data/spec/unit/spec_helper.rb +16 -0
- metadata +18 -2
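--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c9751ed03e14bd64062a285efc92e046a2d1333a
+data.tar.gz: 32870da8afb15060171490c4b69723cc18e986fd
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f95fcddd18c769bbeee75762ba7010e1b500fcb094a32e339fd216815122bfa5a18e9fcb3c225455cffd2aa5fc9b879176310bbae4695078a5618c38a11cdd7f
+data.tar.gz: c74860305244ba8f7bfdc51364b517c3e79c26af87fca2b397174da8faeb08613c9cae47fcca6b0687c2f10ea2d3bd18691bcda063bcb531591c961ce67714d3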
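--- a/data/README.md
+++ b/data/README.md
@@ -5,21 +5,12 @@
 
 Firewall plugin for Infrataster.
 
-##
-
-Add this line to your application's Gemfile:
-
-```ruby
-gem 'infrataster-plugin-firewall'
-```
-
-And then execute:
-
-$ bundle
-
-Or install it yourself as:
+## Why Infrataster::Plugin::Firewall
 
-
+We want to test connectivity between a source server and a destination server.
+But the servers could not respond because of no service provided on the port which we want to test.
+So, this plugin tests tcp/udp with tcpdump which can get packets on destination servers.
+Tcpdump can capture packets even if iptables or firewalld drops the packets.
 
 ## Usage
 
@@ -61,6 +52,28 @@ Finished in 21.35 seconds (files took 0.7851 seconds to load)
 $
 ```
 
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'infrataster-plugin-firewall'
+```
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install infrataster-plugin-firewall
+
+## Requirement
+
+This plugin uses nc(netcat) and tcpdump.
+You need to run tcpdump on destination servers with sudo,
+and nc on source servers.
+
 ## Release Notes
 
 [Release Notes](./RELEASE_NOTES.md)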
data/RELEASE_NOTES.md
@@ -31,15 +31,17 @@ module Infrataster
|
|
31
31
|
end
|
32
32
|
|
33
33
|
def transport_reachable?
|
34
|
+
src_addr = Util.address(@src_node)
|
34
35
|
dest_addr = Util.address(@dest_node)
|
35
|
-
bpf_options = { :'
|
36
|
+
bpf_options = { :'src host' => src_addr,
|
37
|
+
:'dst host' => dest_addr,
|
36
38
|
:'dst port' => @dest_port,
|
37
39
|
@protocol.downcase => nil }
|
38
40
|
bpf_options.merge!(:'src port' => @source_port) if @source_port
|
39
41
|
bpf = Capture.bpf(bpf_options)
|
40
42
|
capture = Capture.new(@dest_node, bpf)
|
41
43
|
capture.open do
|
42
|
-
nc_option = @protocol == :udp ? '-u' : '-t'
|
44
|
+
nc_option = @protocol == :udp ? '-w1 -u' : '-w1 -t'
|
43
45
|
nc_option += @source_port ? " -p #{@source_port}" : ''
|
44
46
|
@src_node.server
|
45
47
|
.ssh_exec("echo test|nc #{dest_addr} #{@dest_port} #{nc_option}")
|
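Review bot: The nc command at the end of the hunk is still assembled by string interpolation of `dest_addr`, `@dest_port` and `@source_port` and handed to a remote shell through `ssh_exec`, and the new `-w1` options do not change that; if any of those values can originate outside the spec file (node definitions loaded from configuration, for example), a port value such as `22; rm -rf /` would execute on the source host. Coercing the ports and escaping the address is cheap: `nc_option += @source_port ? " -p #{Integer(@source_port)}" : ''` and `.ssh_exec("echo test|nc #{Shellwords.escape(dest_addr)} #{Integer(@dest_port)} #{nc_option}")`, with `require 'shellwords'` at the top of the file. The same addresses and ports also feed `Capture.bpf`, which presumably ends up in a sudo tcpdump invocation on the destination, so the validation belongs before `bpf_options` is built rather than at the nc call alone. The new `src host` filter additionally assumes that the address Infrataster uses to reach the source node is the address the destination sees the packet arrive from; behind NAT or on a multi-homed source host the capture would miss the packet and the test would report unreachable, which deserves a comment on the `src_addr` line. `transport_reachable?` continues past the end of the hunk.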
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
# Infrataster contexts
|
5
|
+
module Contexts
|
6
|
+
describe FirewallContext do
|
7
|
+
let(:context) do
|
8
|
+
Infrataster::Contexts::FirewallContext.new(nil, nil)
|
9
|
+
end
|
10
|
+
it 'should have matcher `be_reachable`' do
|
11
|
+
expect(context).to respond_to(:be_reachable)
|
12
|
+
end
|
13
|
+
it 'should have chain `icmp`' do
|
14
|
+
expect(context.be_reachable).to respond_to(:icmp)
|
15
|
+
end
|
16
|
+
it 'should have chain `tcp`' do
|
17
|
+
expect(context.be_reachable).to respond_to(:tcp)
|
18
|
+
end
|
19
|
+
it 'should have chain `udp`' do
|
20
|
+
expect(context.be_reachable).to respond_to(:udp)
|
21
|
+
end
|
22
|
+
it 'should have chain `dest_port`' do
|
23
|
+
expect(context.be_reachable).to respond_to(:dest_port)
|
24
|
+
end
|
25
|
+
it 'should have chain `source_port`' do
|
26
|
+
expect(context.be_reachable).to respond_to(:source_port)
|
27
|
+
end
|
28
|
+
it 'should have failure_message' do
|
29
|
+
expect(context.be_reachable)
|
30
|
+
.to respond_to(:failure_message)
|
31
|
+
end
|
32
|
+
it 'should have failure_message_when_negated' do
|
33
|
+
expect(context.be_reachable)
|
34
|
+
.to respond_to(:failure_message_when_negated)
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
# Infrataster Helpers
|
5
|
+
module Helpers
|
6
|
+
describe ResourceHelper do
|
7
|
+
context '#firewall' do
|
8
|
+
it 'should respond instance of Resources::FirewallResource' do
|
9
|
+
expect(firewall(:dst))
|
10
|
+
.to be_a_kind_of(Resources::FirewallResource)
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,49 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
module Plugin
|
5
|
+
# Infrataster plugin firewall
|
6
|
+
module Firewall
|
7
|
+
describe Capture do
|
8
|
+
before(:all) do
|
9
|
+
Infrataster::Server.define(:src, '192.168.33.10')
|
10
|
+
Infrataster::Server.define(:dst, '192.168.33.11')
|
11
|
+
end
|
12
|
+
after(:all) { Infrataster::Server.clear_all }
|
13
|
+
describe '#open' do
|
14
|
+
let(:capture) do
|
15
|
+
ssh = double('ssh')
|
16
|
+
allow(ssh).to receive(:open_channel)
|
17
|
+
allow(ssh).to receive(:closed?).and_return(false)
|
18
|
+
node = double('node')
|
19
|
+
allow(node).to receive(:server).and_return(ssh)
|
20
|
+
allow(node).to receive(:ssh).and_yield(ssh)
|
21
|
+
capture = Capture.new(node)
|
22
|
+
capture.instance_variable_set(:@ssh, ssh)
|
23
|
+
capture
|
24
|
+
end
|
25
|
+
context 'block given' do
|
26
|
+
it 'should call block with closing' do
|
27
|
+
capture.instance_variable_set(:@connected, true)
|
28
|
+
capture.instance_variable_set(:@start_sec, 0)
|
29
|
+
allow(capture).to receive(:run_check).and_return(true)
|
30
|
+
result = nil
|
31
|
+
expect(capture).to receive(:close).once
|
32
|
+
capture.open { result = true }
|
33
|
+
expect(result).to be true
|
34
|
+
end
|
35
|
+
end
|
36
|
+
context 'no block given' do
|
37
|
+
it 'should call block without closing' do
|
38
|
+
capture.instance_variable_set(:@connected, true)
|
39
|
+
capture.instance_variable_set(:@start_sec, 0)
|
40
|
+
allow(capture).to receive(:run_check).and_return(true)
|
41
|
+
expect(capture).not_to receive(:close)
|
42
|
+
capture.open
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
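Review bot: The `let(:capture)` block and both examples reach into `Capture`'s private state with `instance_variable_set` for `@ssh`, `@connected` and `@start_sec`, so the spec breaks on any rename of those ivars and never exercises the code path that sets them. Stubbing the method that establishes the session instead (`allow(capture).to receive(:connect)`, or whatever `open` calls first — that name is not visible in this hunk) would drive `open` through its public surface only. The 'no block given' example asserts merely that `close` is not called; a one-line comment such as `# without a block the caller owns the capture and must call close itself` would state the intended contract, since an unclosed capture presumably leaves a sudo tcpdump running on the destination host.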
@@ -0,0 +1,54 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
module Plugin
|
5
|
+
# Infrataster plugin firewall
|
6
|
+
module Firewall
|
7
|
+
describe Transfer do
|
8
|
+
before(:all) do
|
9
|
+
Infrataster::Server.define(:src, '192.168.33.10')
|
10
|
+
Infrataster::Server.define(:dst, '192.168.33.11')
|
11
|
+
end
|
12
|
+
after(:all) { Infrataster::Server.clear_all }
|
13
|
+
describe '#reachable?' do
|
14
|
+
context 'if @protocol == :icmp' do
|
15
|
+
let(:transfer) do
|
16
|
+
Transfer.new(server(:src), server(:dst), protocol: :icmp)
|
17
|
+
end
|
18
|
+
it 'should be true if PING_OK' do
|
19
|
+
allow(server(:src).server)
|
20
|
+
.to receive(:ssh_exec).and_return('PING_OK')
|
21
|
+
expect(transfer.reachable?).to be true
|
22
|
+
end
|
23
|
+
end
|
24
|
+
context 'if @protocol == :tcp' do
|
25
|
+
let(:transfer) do
|
26
|
+
Transfer.new(server(:src), server(:dst), protocol: :tcp)
|
27
|
+
end
|
28
|
+
it 'should be true if capture result is OK' do
|
29
|
+
allow(server(:src).server).to receive(:ssh_exec).and_return(true)
|
30
|
+
allow_any_instance_of(Capture)
|
31
|
+
.to receive(:open) { |&block| block.call }
|
32
|
+
allow_any_instance_of(Capture)
|
33
|
+
.to receive(:result).and_return(true)
|
34
|
+
expect(transfer.reachable?).to be true
|
35
|
+
end
|
36
|
+
end
|
37
|
+
context 'if @protocol == :udp' do
|
38
|
+
let(:transfer) do
|
39
|
+
Transfer.new(server(:src), server(:dst), protocol: :udp)
|
40
|
+
end
|
41
|
+
it 'should be true if capture result is OK' do
|
42
|
+
allow(server(:src).server).to receive(:ssh_exec).and_return(true)
|
43
|
+
allow_any_instance_of(Capture)
|
44
|
+
.to receive(:open) { |&block| block.call }
|
45
|
+
allow_any_instance_of(Capture)
|
46
|
+
.to receive(:result).and_return(true)
|
47
|
+
expect(transfer.reachable?).to be true
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
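Review bot: The tcp and udp examples stub `ssh_exec` to return true and `Capture#result` to return true, so they pass regardless of what command `Transfer` builds; the `-w1` flags and the `-p` source port that this release adds to `transfer.rb` are therefore untested. Replacing the bare stub with an argument expectation pins the command, e.g. `expect(server(:src).server).to receive(:ssh_exec).with(/\bnc 192\.168\.33\.11\b.*-w1 -u/)` in the udp context and the matching `-w1 -t` pattern in the tcp one (the address comes from `Util.address`, which per util_spec returns `node.server.address`). A negative example in which `Capture#result` returns false and `reachable?` is expected to be false would also catch an inverted condition, which the current examples cannot.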
@@ -0,0 +1,28 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
module Plugin
|
5
|
+
# Infrataster plugin firewall
|
6
|
+
module Firewall
|
7
|
+
describe Util do
|
8
|
+
describe 'address' do
|
9
|
+
before(:all) { Infrataster::Server.define(:src, '192.168.33.10') }
|
10
|
+
after(:all) { Infrataster::Server.clear_all }
|
11
|
+
|
12
|
+
context 'if node.server is given' do
|
13
|
+
let(:node) { server(:src) }
|
14
|
+
it 'should respond node.server.addrress' do
|
15
|
+
expect(Util.address(node)).to eql(node.server.address)
|
16
|
+
end
|
17
|
+
end
|
18
|
+
context 'if node.server is String' do
|
19
|
+
let(:node) { '192.168.33.11' }
|
20
|
+
it 'should respond node.to_s' do
|
21
|
+
expect(Util.address(node)).to eql(node.to_s)
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
@@ -0,0 +1,13 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
# Infrataster plugin
|
5
|
+
module Plugin
|
6
|
+
describe Firewall do
|
7
|
+
it 'should have VERSION like 0.1.1' do
|
8
|
+
expect(Infrataster::Plugin::Firewall::VERSION)
|
9
|
+
.to match(/^\d+\.\d+\.\d+$/)
|
10
|
+
end
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
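Review bot: The example description 'should have VERSION like 0.1.1' is already stale in the release that bumps the gem to 0.1.2; phrase it without a concrete version, e.g. `it 'should have a VERSION of the form MAJOR.MINOR.PATCH' do`. The regex on the following line uses `^` and `$`, which in Ruby anchor at line boundaries rather than string boundaries, so a constant such as `"0.1.2\ngarbage"` would still match; `.to match(/\A\d+\.\d+\.\d+\z/)` anchors the whole string.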
@@ -0,0 +1,26 @@
|
|
1
|
+
require 'unit/spec_helper'
|
2
|
+
|
3
|
+
module Infrataster
|
4
|
+
# Infrataster Resources
|
5
|
+
module Resources
|
6
|
+
describe FirewallResource do
|
7
|
+
let(:resource) { FirewallResource.new(:src, :dst) }
|
8
|
+
|
9
|
+
describe '#to_s' do
|
10
|
+
it 'should respond "via firewall"' do
|
11
|
+
expect(resource.to_s).to eql('via firewall')
|
12
|
+
end
|
13
|
+
end
|
14
|
+
describe '#src_node' do
|
15
|
+
it 'should respond first argument for initializing' do
|
16
|
+
expect(resource.src_node).to eql(:src)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
describe '#dest_node' do
|
20
|
+
it 'should respond second argument for initializing' do
|
21
|
+
expect(resource.dest_node).to eql(:dst)
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
require 'coveralls'
|
2
|
+
Coveralls.wear!
|
3
|
+
|
4
|
+
require 'simplecov'
|
5
|
+
|
6
|
+
SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
|
7
|
+
SimpleCov::Formatter::HTMLFormatter,
|
8
|
+
Coveralls::SimpleCov::Formatter
|
9
|
+
]
|
10
|
+
SimpleCov.start do
|
11
|
+
add_filter '.bundle/'
|
12
|
+
end
|
13
|
+
|
14
|
+
require 'rspec'
|
15
|
+
require 'infrataster/rspec'
|
16
|
+
require 'infrataster-plugin-firewall'
|
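Review bot: `Coveralls.wear!` on line 2 already starts SimpleCov with the Coveralls formatter, and the explicit `SimpleCov.formatter =` / `SimpleCov.start` block that follows starts it again with a MultiFormatter; the coveralls documentation presents the two as alternatives, so keep one — `SimpleCov.start` with the MultiFormatter and `Coveralls::SimpleCov::Formatter`, dropping `wear!` — unless the double start is deliberate, in which case a comment should say why. Guarding the whole coverage setup behind an environment flag (`if ENV['COVERAGE']`) would also let the unit suite run without the coveralls gem installed, which matters because the metadata hunk below ships this spec_helper in the gem's `test_files` and the gem's dependency list is not visible here to confirm coveralls is declared.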
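--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: infrataster-plugin-firewall
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.2
 platform: ruby
 authors:
 - Hiroshi Ota
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-
+date: 2015-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: infrataster
@@ -136,6 +136,14 @@ files:
 - spec/integration/firewall_spec.rb
 - spec/integration/vm/Vagrantfile
 - spec/spec_helper.rb
+- spec/unit/lib/infrataster/contexts/firewall_context_spec.rb
+- spec/unit/lib/infrataster/helpers/firewall_resource_helper_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/capture_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/transfer_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/util_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/version_spec.rb
+- spec/unit/lib/infrataster/resources/firewall_resource_spec.rb
+- spec/unit/spec_helper.rb
 homepage: https://github.com/otahi/infrataster-plugin-firewall
 licenses:
 - MIT
@@ -164,3 +172,11 @@ test_files:
 - spec/integration/firewall_spec.rb
 - spec/integration/vm/Vagrantfile
 - spec/spec_helper.rb
+- spec/unit/lib/infrataster/contexts/firewall_context_spec.rb
+- spec/unit/lib/infrataster/helpers/firewall_resource_helper_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/capture_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/transfer_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/util_spec.rb
+- spec/unit/lib/infrataster/plugin/firewall/version_spec.rb
+- spec/unit/lib/infrataster/resources/firewall_resource_spec.rb
+- spec/unit/spec_helper.rb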