ipscriptables 0.0.1

data/spec/ipscriptables/runtime_spec.rb

@@ -0,0 +1,227 @@
+# -*- coding: utf-8 -*-
+# rubocop:disable LineLength
+require 'spec_helper'
+
+require 'stringio'
+
+module IPScriptables
+  describe Runtime do
+    let(:fixture_text) { File.read(fixture('only-docker-c.txt')) }
+    let(:fixture6_text) { File.read(fixture('ip6tables-empty.txt')) }
+    let(:runtime) { Runtime.new }
+
+    before do
+      IO.expects(:popen).never  # just to be safe
+      Helpers.expects(:run_command).with('ip6tables-save', '-c').never
+        .at_most_once
+        .returns(fixture6_text)
+      Helpers.expects(:run_command).with('iptables-save', '-c').never
+        .at_most_once
+        .returns(fixture_text)
+    end
+
+    it 'does not run undefined rulesets' do
+      out, err = capture_io { runtime.execute! }
+      expect { out == '' }
+      deny   { err =~ /Would restore inet/ }
+      deny   { err =~ /Would restore inet6/ }
+    end
+
+    it 'can load rulesets from file' do
+      out, err = capture_io do
+        runtime.load_file(fixture('runtime.rb'))
+        runtime.execute!
+      end
+
+      expect { err =~ /Loading configuration from #{fixture('runtime.rb')}/ }
+      deny   { err =~ /Loading configuration from #{fixture('runtime2.rb')}/ }
+      expect { out.lines.grep(/^\S/).length == 4 }
+      expect { err =~ /Would restore inet/ }
+      deny   { err =~ /Would restore inet6/ }
+    end
+
+    it 'can load multiple files & won\'t run if rules are unchanged' do
+      out, err = capture_io do
+        runtime.load_file(fixture('runtime.rb'))
+        runtime.load_file(fixture('runtime2.rb'))
+        runtime.execute!
+      end
+
+      expect { err =~ /Loading configuration from #{fixture('runtime.rb')}/ }
+      expect { err =~ /Loading configuration from #{fixture('runtime2.rb')}/ }
+      expect { out.lines.grep(/^\S/).empty? }
+      expect { err =~ /No changes for inet, moving along./ }
+    end
+
+    it 'accepts blocks as well as files' do
+      out, err = capture_io do
+        runtime.load_file(fixture('runtime.rb'))
+        runtime.dsl_eval do
+          iptables do
+            table :nat do
+              chain :PREROUTING do
+                rule '-m addrtype --dst-type LOCAL -j DOCKER'
+              end
+              chain :OUTPUT do
+                rule '! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER'
+              end
+              chain :POSTROUTING do
+                rule '-s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'
+                rule '-s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE'
+              end
+            end
+          end
+        end
+        runtime.execute!
+      end
+
+      expect { err =~ /Loading configuration from #{fixture('runtime.rb')}/ }
+      expect { out.lines.grep(/^\S/).empty? }
+      expect { err =~ /No changes for inet, moving along./ }
+    end
+
+    it 'configures ipv6' do
+      out, err = capture_io do
+        runtime.dsl_eval do
+          ip6tables do
+            table :filter do
+              chain :INPUT do
+                rule :m => :tcp, :p => :tcp, :dport => 22, :j => :ACCEPT
+              end
+            end
+          end
+        end
+        runtime.execute!
+      end
+
+      expect { out =~ /^\+\[0:0\] -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT$/ }
+      expect { err =~ /Would restore inet6/ }
+    end
+
+    it 'doesn\'t allow triggering execution from within DSL' do
+      expect do
+        rescuing { runtime.dsl_eval { execute! } }.to_s =~
+          /I can't let you do that/
+      end
+    end
+
+    describe 'options' do
+      before do
+        $CHILD_STATUS.expects(:success?).at_least(0).returns(true)
+
+        @out, @err = capture_io do
+          runtime.load_file(fixture('runtime.rb'))
+          runtime.dsl_eval do
+            ip6tables do
+              table :filter do
+                chain :FORWARD, :DROP
+                chain :INPUT, :DROP do
+                  rule :m => :tcp, :p => :tcp, :dport => 22, :j => :ACCEPT
+                end
+              end
+            end
+          end
+        end
+      end
+
+      it 'behaves normally without options' do
+        out, _err = capture_io { runtime.execute! }
+        expect { out.lines.grep(/^\S/).length == 9 }
+        expect { @err =~ /Would restore inet/ }
+        expect { @err =~ /Would restore inet6/ }
+      end
+
+      it 'can be instructed to skip a ruleset' do
+        runtime.opts[:inet6] = false
+        out, _err = capture_io { runtime.execute! }
+        expect { out.lines.grep(/^\S/).length == 4 }
+        expect { @err =~ /Would restore inet/ }
+        expect { @err =~ /Skipping inet6 as requested/ }
+      end
+
+      it 'applies rules only when specifically told' do
+        runtime.opts[:apply] = true
+
+        iptables_restore_io = mock('IO')
+        iptables_restore_io.expects(:write).once.with <<EOF
+*filter
+:INPUT ACCEPT [211:14626]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [122:11280]
+[1:2] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+[1:2] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+[1:2] -A FORWARD -i docker0 -o docker0 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [5:1208]
+:INPUT ACCEPT [5:1208]
+:OUTPUT ACCEPT [42:3215]
+:POSTROUTING ACCEPT [42:3215]
+:DOCKER - [0:0]
+COMMIT
+EOF
+
+        ip6tables_restore_io = mock('IO')
+        ip6tables_restore_io.expects(:write).once.with <<EOF
+*filter
+:INPUT DROP [128:11760]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [75:12168]
+[0:0] -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
+COMMIT
+EOF
+
+        IO.expects(:popen).with(%w(iptables-restore -c), 'w').once.yields(iptables_restore_io)
+        IO.expects(:popen).with(%w(ip6tables-restore -c), 'w').once.yields(ip6tables_restore_io)
+
+        begin
+          capture_io { @rv = runtime.execute! }
+        rescue Exception => e
+          STDERR.puts <<EOF
+ERR
+#{@err}
+
+OUT
+#{@out}
+EOF
+          raise e
+        end
+        expect { @err =~ /Restoring inet/ }
+        expect { @err =~ /Restoring inet6/ }
+        deny   { @err =~ /There were errors/ }
+        expect { @rv == true }
+      end
+
+      it 'logs error and proceeds, but returns false, when restore command fails' do
+        runtime.opts[:apply] = true
+
+        iptables_restore_io = mock('IO')
+        iptables_restore_io.expects(:write).once
+        ip6tables_restore_io = mock('IO')
+        ip6tables_restore_io.expects(:write).once
+        $CHILD_STATUS.expects(:success?)
+          .once.returns(false).then.returns(true)
+
+        IO.expects(:popen).with(%w(iptables-restore -c), 'w').once.yields(iptables_restore_io)
+        IO.expects(:popen).with(%w(ip6tables-restore -c), 'w').once.yields(ip6tables_restore_io)
+
+        out, _err = capture_io { @rv = runtime.execute! }
+        expect { out.lines.grep(/^\S/).length == 9 }
+        expect { @err =~ /Restoring inet/ }
+        expect { @err =~ /Restoring inet6/ }
+        expect { @err =~ /ERROR.* Failure restoring inet:/ }
+        expect { @err =~ /There were errors/ }
+        expect { @rv == false }
+      end
+
+      it 'does not output diff when quiet flag is specified' do
+        runtime.opts[:quiet] = true
+
+        out, _err = capture_io { @rv = runtime.execute! }
+        expect { out == '' }
+        expect { @err =~ /Would restore inet/ }
+        expect { @err =~ /Would restore inet6/ }
+      end
+    end
+  end
+end

data/spec/ipscriptables/table_spec.rb

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+module IPScriptables
+  describe Table do
+    let(:ruleset) do
+      rs = mock('ruleset')
+      rs.expects(:opts).at_least_once.returns({})
+      rs
+    end
+
+    it 'creates built-in chains by default' do
+      {
+        filter:   [:INPUT, :FORWARD, :OUTPUT],
+        nat:      [:PREROUTING, :INPUT, :OUTPUT, :POSTROUTING],
+        mangle:   [:PREROUTING, :INPUT, :OUTPUT, :FORWARD, :POSTROUTING],
+        raw:      [:PREROUTING, :OUTPUT],
+        security: [:INPUT, :FORWARD, :OUTPUT]
+      }.each do |table_name, expected_chains|
+        created_chains = Table.new(table_name, ruleset).map(&:name)
+        expect { Set[*created_chains] == Set[*expected_chains] }
+      end
+    end
+
+    it 'warns about unrecognized table' do
+      out, err = capture_io { @table = Table.new(:whatever, ruleset) }
+      expect { out == '' }      # sanity
+      expect { err =~ /Unrecognized table whatever/ }
+      expect { @table.empty? }
+    end
+  end
+end

data/spec/ipscriptables/version_spec.rb

@@ -0,0 +1,12 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+# A smoke test spec to make sure tests actually work
+
+module IPScriptables
+  describe VERSION do
+    it 'is equal to itself' do
+      expect { VERSION == IPScriptables::VERSION }
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+
+require 'rubygems'
+require 'bundler/setup'
+
+if ENV['COVERAGE']
+  require 'simplecov'
+  SimpleCov.start do
+    add_filter '/spec/' unless ENV['SPEC_COVERAGE']
+    add_filter '/lib/ipscriptables/pretty_print.rb'
+  end
+  SimpleCov.command_name 'spec'
+end
+
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'minitest/pride' if $stderr.tty?
+require 'mocha/setup'
+require 'wrong'
+require 'fauxhai'
+require 'ohai'
+
+Wrong.config.alias_assert :expect, override: true
+include Wrong
+
+# Prepare testing environment
+class Minitest::Spec            # rubocop:disable ClassAndModuleChildren
+  include ::Wrong::Assert
+  include ::Wrong::Helpers
+
+  def fauxhai!(args = nil)
+    args ||= { platform: 'ubuntu', version: '12.04' }
+    fauxhai = Hashie::Mash[Fauxhai.mock(args).data]
+    fauxhai.expects(:require_plugin).at_least(0)
+    Ohai::System.expects(:new).at_most_once.returns(fauxhai)
+  end
+
+  def slow_case
+    skip if !ENV['CI'] && ENV['FASTER']
+  end
+
+  def self.fixture(*path)
+    File.join(File.realpath(File.dirname(__FILE__)), 'fixtures', *path)
+  end
+
+  def fixture(*path)
+    # Why the hell can't I have module_function in a class, huh?
+    self.class.fixture(*path)
+  end
+
+  def increment_assertion_count
+    self.assertions += 1
+  end
+
+  def failure_class
+    Minitest::Assertion
+  end
+end
+
+require 'ipscriptables'

metadata

@@ -0,0 +1,350 @@
+--- !ruby/object:Gem::Specification
+name: ipscriptables
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Maciej Pasternacki
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-05-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: docile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: hashie
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: systemu
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ohai
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sigar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ipaddr_extensions
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: diffy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: clamp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.1'
+- !ruby/object:Gem::Dependency
+  name: wrong
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: fauxhai
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Ruby-driven IPTables
+email:
+- maciej@3ofcoins.net
+executables:
+- ipscriptables
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rubocop.yml
+- .travis.yml
+- CHANGELOG.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/ipscriptables
+- cookbook/.gitignore
+- cookbook/.kitchen.yml
+- cookbook/Berksfile
+- cookbook/README.md
+- cookbook/attributes/default.rb
+- cookbook/chefignore
+- cookbook/libraries/default.rb
+- cookbook/metadata.rb
+- cookbook/providers/rules.rb
+- cookbook/recipes/default.rb
+- cookbook/recipes/load.rb
+- cookbook/resources/rules.rb
+- cookbook/test/cookbooks/ipscriptables-test/#metadata.rb#
+- cookbook/test/cookbooks/ipscriptables-test/metadata.rb
+- cookbook/test/cookbooks/ipscriptables-test/recipes/default.rb
+- cookbook/test/cookbooks/ipscriptables-test/recipes/prepare.rb
+- cookbook/test/data/.gitignore
+- cookbook/test/integration/default/bats/default.bats
+- doc/iptables-switches.txt
+- ipscriptables.gemspec
+- lib/ipscriptables.rb
+- lib/ipscriptables/chain.rb
+- lib/ipscriptables/cli.rb
+- lib/ipscriptables/helpers.rb
+- lib/ipscriptables/pretty_print.rb
+- lib/ipscriptables/rule.rb
+- lib/ipscriptables/ruleset.rb
+- lib/ipscriptables/ruleset/class_methods.rb
+- lib/ipscriptables/runtime.rb
+- lib/ipscriptables/table.rb
+- lib/ipscriptables/version.rb
+- spec/fixtures/clyhq.txt
+- spec/fixtures/docker-plus.txt
+- spec/fixtures/drumknott.txt
+- spec/fixtures/falcor.txt
+- spec/fixtures/ghq.txt
+- spec/fixtures/ip6tables-empty.txt
+- spec/fixtures/only-docker-c.txt
+- spec/fixtures/only-docker.txt
+- spec/fixtures/only_docker.rb
+- spec/fixtures/runtime.rb
+- spec/fixtures/runtime2.rb
+- spec/ipscriptables/dsl_spec.rb
+- spec/ipscriptables/helpers_spec.rb
+- spec/ipscriptables/rule_spec.rb
+- spec/ipscriptables/ruleset/class_methods_spec.rb
+- spec/ipscriptables/ruleset_spec.rb
+- spec/ipscriptables/runtime_spec.rb
+- spec/ipscriptables/table_spec.rb
+- spec/ipscriptables/version_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/3ofcoins/ipscriptables/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Ruby-driven IPTables
+test_files:
+- spec/fixtures/clyhq.txt
+- spec/fixtures/docker-plus.txt
+- spec/fixtures/drumknott.txt
+- spec/fixtures/falcor.txt
+- spec/fixtures/ghq.txt
+- spec/fixtures/ip6tables-empty.txt
+- spec/fixtures/only-docker-c.txt
+- spec/fixtures/only-docker.txt
+- spec/fixtures/only_docker.rb
+- spec/fixtures/runtime.rb
+- spec/fixtures/runtime2.rb
+- spec/ipscriptables/dsl_spec.rb
+- spec/ipscriptables/helpers_spec.rb
+- spec/ipscriptables/rule_spec.rb
+- spec/ipscriptables/ruleset/class_methods_spec.rb
+- spec/ipscriptables/ruleset_spec.rb
+- spec/ipscriptables/runtime_spec.rb
+- spec/ipscriptables/table_spec.rb
+- spec/ipscriptables/version_spec.rb
+- spec/spec_helper.rb