ipscriptables 0.0.1

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MTE1NjBhZDBmYmIxNTU5YjdiNjBkNGJmNDBhZWJkODA1ZDBmYmZiYw==
+  data.tar.gz: !binary |-
+    OGU0OTA1MzA1MDQ3ODhhYzNjZGZlYmFlZDNlMDZhOTFlZjY1NzlkZQ==
+SHA512:
+  metadata.gz: !binary |-
+    ZTIzOTU5Y2JmZDIwYWRhMzVjZDlhMDFjNDVjMjcwOGJjZjlhZTRkZjRlNGFi
+    NGMyMTI2YWNkNmU0OWU0MmZjMDJlYzEyNmYyOWY0MjAzMDNlZTQ0MGY4NmEy
+    OGJiMWE1ZmZlMDc2MjcyMDA0ZTRlYTc3MWNiZDk4NmI2MWFkNTY=
+  data.tar.gz: !binary |-
+    ZWFkOTcwOWEzNGYzMjJjYjNjYjhlYzkzMGI5MjkwZjViMjA3ODI0MjY1YTll
+    ZThhMDFhNjQwY2YxOGFkMDc2YWM0YjYwZmNlMGY0ZTU3ZDNhYzc2YWY1N2Nh
+    NzJlOTQxM2M3NWU2YjRhYWQwNmI4MTQ3ZmUxZDNkOWRhZjhkOGE=

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+*~
+.*.swp
+.DS_Store
+/.bundle
+/.config
+/.yardoc
+/Gemfile.lock
+/InstalledFiles
+/coverage
+/doc/public
+/lib/bundler/man
+/pkg
+/spec/reports
+/tmp
+/vendor/cache

data/.rubocop.yml

@@ -0,0 +1,15 @@
+AllCops:
+  Exclude:
+    - tmp/**
+
+PerlBackrefs:
+  Enabled: false
+
+SpecialGlobalVars:
+  Enabled: false
+
+Documentation:
+  Enabled: false
+
+HashSyntax:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,10 @@
+bundler_args: --without developer_workstation
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+#  - jruby-1.7.10
+#  - rbx
+notifications:
+  hipchat:
+    secure: "bds8WNPnAmnj2ommhDk2JNclAY1Ei/bGeWONRhhKNv1zwrqMvZ7B6M5UapEZ\n6K8z70vFMrdIDEJjzuf+ATYS0BVWKnXCYaofiIfJ7V2hiBm7/xNZ15m2bIrM\nQFIMR/Lrkd+wFA0O8z6SaPjvdEgZC6im4zAAuRq7LpH3NTy6qaA="

data/CHANGELOG.md

@@ -0,0 +1,6 @@
+# Changes
+
+## 0.0.1
+
+ * Initial release
+ * Created on Tuesday, 2014-02-18

data/CONTRIBUTING.md

@@ -0,0 +1,43 @@
+# Contributing
+
+## Developing
+
+1. Fork the repository on GitHub
+2. Create your feature branch (`git checkout -b feature/awesomeness`)
+3. Create your changes.
+   * Add test cases in `spec/`. It's best if you first write a failing
+     test case, commit it, and then fix it in next commit - this makes
+     the whole change easier to review.
+   * Document your changes.
+4. Commit your changes (`git commit -am 'Add more awesomeness'`)
+5. Push to the branch (`git push -u origin feature/awesomeness`)
+6. Create new Pull Request on GitHub
+
+## Testing
+
+### Install what's needed
+
+Make sure you have [http://gembundler.com/](Gem Bundler) version 1.3
+or greater installed.  If in doubt, just use [http://rvm.io/](RVM) or
+[http://rbenv.org/](rbenv).
+
+    $ gem install bundler
+
+Clone the project:
+
+    $ git clone git://github.com/3ofcoins/ipscriptables.git
+
+Then, run:
+
+    $ cd ipscriptables
+    $ bundle install
+    
+Bundler will install all the needed gems and their dependencies.
+
+### Running tests
+
+    $ bundle exec thor spec
+    
+To generate test coverage report, tell it to Thor
+    
+    $ bundle exec thor spec --coverage

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# Helpers used with development, but not needed in runtime, build
+# time, or for tests.
+group :developer_workstation do
+  gem 'awesome_print'
+  gem 'pry'
+  gem 'pry-debugger'
+  gem 'pry-rescue'
+  gem 'pry-stack_explorer'
+end

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (C) 2014 Maciej Pasternacki <maciej@3ofcoins.net>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+# Ipscriptables
+
+Ruby-driven IPTables
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'ipscriptables'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install ipscriptables
+
+## Usage
+
+TODO: write real instructions.
+
+Write a script a bit like this (ip6tables work too):
+
+```ruby
+family :inet do
+  table :nat do
+    inherit(:DOCKER)
+    inherit(:PREROUTING, :OUTPUT) { |rule| rule.target == 'DOCKER' }
+    inherit(:POSTROUTING) { |rule| rule.target == 'MASQUERADE' }
+  end
+
+  table :filter do
+    inherit(:INPUT) { |rule| rule.target == 'FWR' || rule.target == 'LXC' }
+    inherit(:FORWARD) { |rule| rule[:i] == 'docker0' || rule[:o] == 'docker0' }
+    inherit(:LXC)
+    chain :FWR do
+      rule :i => ['lo', 'docker0'], :j => 'ACCEPT'
+      rule '-m state --state RELATED,ESTABLISHED -j ACCEPT'
+      rule '-p icmp -j ACCEPT'
+      rule '-p tcp -m tcp --dport', [22, 80, 443], '-j ACCEPT'
+      rule '-p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable'
+      rule '-p udp -j REJECT --reject-with icmp-port-unreachable'
+    end
+  end
+end
+```
+
+Run `ipscriptables path/to/script.rb`, review diff, run `ipscriptables
+--apply path/to/script.rb`.
+
+## Contributing
+
+See the [CONTRIBUTING.md](CONTRIBUTING.md) file

data/Rakefile

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+require 'rubygems'
+require 'bundler/setup'
+require 'rake/testtask'
+require 'rubocop/rake_task'
+
+namespace(:gem) { Bundler::GemHelper.install_tasks }
+
+Rake::TestTask.new :spec do |task|
+  task.libs << 'spec'
+  task.options = '--verbose' if ENV['VERBOSE']
+  task.test_files = FileList['spec/**/*_spec.rb']
+end
+
+desc 'Run Rubocop'
+Rubocop::RakeTask.new(:rubocop) do |t|
+  t.fail_on_error = true
+  t.patterns = %w(Rakefile bin/* lib/**/*.rb spec/**/*.rb)
+end
+
+task :default => [:rubocop, :spec]

data/bin/ipscriptables

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# -*- coding: utf-8 -*-
+require 'rubygems'
+require 'ipscriptables/cli'
+
+exit IPScriptables::CLI.run

data/cookbook/.gitignore

@@ -0,0 +1,2 @@
+/.kitchen
+/Berksfile.lock

data/cookbook/.kitchen.yml

@@ -0,0 +1,28 @@
+---
+driver:
+  name: vagrant
+  pre_create_command: |
+    set -e -x
+    dir=`pwd`/test/data
+    rm -fv $dir/*.gem
+    cd ..
+    gem build ipscriptables.gemspec
+    mv -v ipscriptables-*.gem $dir
+
+provisioner:
+  name: chef_solo
+  data_path: test/data
+
+platforms:
+  - name: ubuntu-12.04
+    driver_config:
+      box: opscode_ubuntu-12.04_provisionerless
+      box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
+
+suites:
+  - name: default
+    run_list:
+      - recipe[ipscriptables-test]
+    attributes:
+      ipscriptables:
+        version: null

data/cookbook/Berksfile

@@ -0,0 +1,6 @@
+source "https://api.berkshelf.com"
+
+metadata
+
+cookbook 'ipscriptables-test',
+         path: 'test/cookbooks/ipscriptables-test'

data/cookbook/README.md

@@ -0,0 +1,53 @@
+The IPScriptables Cookbook
+==========================
+
+This cookbook installs
+[IPScriptables](https://github.com/3ofcoins/ipscriptables/) as a Chef
+gem and adds an `ipscriptables` call to recipe DSL to easily configure
+your firewall.
+
+Usage
+-----
+
+Add `ipscriptables` cookbook to your cookbook's dependencies (or
+`recipe[ipscriptables::load]`, or (currently empty)
+`recipe[ipscriptables]` to your run list). Then, in recipe code, you
+can use following call:
+
+```ruby
+ipscriptables do
+  # …IPScriptables DSL…
+end
+```
+
+If you need low-level access to an underlying resource, you can call
+it directly and add some layers of syntactic cruft:
+
+```ruby
+ipscriptables_rules "useless name" do
+  rules do
+    # …IPScriptables DSL…
+  end
+end
+```
+
+The LWRP does not execute the rules as it goes, but evaluates them at
+converge time in a single IPScriptables runtime (like one
+IPScriptables CLI call evaluating multiple files). It installs
+a report handler that, at the end of a successful Chef run, applies
+the rules (in whyrun mode it's a dry run).
+
+Attributes
+----------
+
+ - `node['ipscriptables']['gem_version']` (default: `"latest"`) --
+   version of the IPScriptables gem to install. If left as *latest*,
+   the gem is upgraded to newest available version (`:upgrade`
+   action). If set to `nil` or `false`, the gem is `:install`ed at
+   newest version, but not upgraded if it has already been installed.
+
+Outstanding Issues
+------------------
+
+ - [ ] The cookbook should install init script and save rules to be
+   applied on reboot.

data/cookbook/attributes/default.rb

@@ -0,0 +1,3 @@
+# -*- coding: utf-8 -*-
+
+default['ipscriptables']['gem_version'] = 'latest'

data/cookbook/chefignore

@@ -0,0 +1,96 @@
+# Put files/directories that should be ignored in this file when uploading
+# or sharing to the community site.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+Icon?
+nohup.out
+ehthumbs.db
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+\#*
+.#*
+*~
+*.sw[a-z]
+*.bak
+REVISION
+TAGS*
+tmtags
+*_flymake.*
+*_flymake
+*.tmproj
+.project
+.settings
+mkmf.log
+
+## COMPILED ##
+##############
+a.out
+*.o
+*.pyc
+*.so
+*.com
+*.class
+*.dll
+*.exe
+*/rdoc/
+
+# Testing #
+###########
+.watchr
+.rspec
+spec/*
+spec/fixtures/*
+test/*
+features/*
+Guardfile
+Procfile
+
+# SCM #
+#######
+.git
+*/.git
+.gitignore
+.gitmodules
+.gitconfig
+.gitattributes
+.svn
+*/.bzr/*
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Cookbooks #
+#############
+CONTRIBUTING
+CHANGELOG*
+
+# Strainer #
+############
+Colanderfile
+Strainerfile
+.colander
+.strainer
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
+
+# Travis #
+##########
+.travis.yml

data/cookbook/libraries/default.rb

@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+  class ChefHandler < Chef::Handler
+    def report
+      runtime.execute! if runtime
+    end
+
+    private
+
+    def runtime
+      node.run_state['ipscriptables_runtime']
+    end
+  end
+
+  module ChefRecipeDSL
+    def ipscriptables(name = nil, &block)
+      name ||= "#{cookbook_name}::#{recipe_name}::#{_ipscriptables_counter}"
+      ipscriptables_rules(name) { rules(&block) }
+    end
+
+    private
+
+    def _ipscriptables_counter
+      @ipscriptables_counter ||= 0
+      @ipscriptables_counter += 1
+    end
+  end
+end
+
+class Chef
+  class Recipe
+    include IPScriptables::ChefRecipeDSL
+  end
+end