itamae-plugin-resource-firewalld 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c1cdfebfa66e315a7929c7db7c3d9399c78d5644
+  data.tar.gz: cf94da496215a5308a406299728ae21d56b9f533
+SHA512:
+  metadata.gz: e67bd2557effbdf6467ac7d06e723881d3cdbfab429a15c87d0eed3901eee8806a30b097e895c1fbf1919db53898ce8169d93d212494b9ae0574b63bd81a4838
+  data.tar.gz: aea44043417f0b12d525c3ebad4062dcdce8b8b08a263b49508c90f739e7ef6b8566ce7bfe0d3b68d06bc6a39c7d6d05f69440ec6d476b90c2fe200c95af3bc2

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/tmp/
+*.bundle
+/vendor
+/examples/.vagrant

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.1.4
+script: bundle exec rake test

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in itamae-plugin-resource-firewalld.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Wataru MIYAGUNI
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,124 @@
+# Itamae::Plugin::Resource::Firewalld
+
+[Itamae](https://github.com/ryotarai/itamae) resource plugin to manage [firewalld](https://fedorahosted.org/firewalld/).
+
+[![Build Status](https://travis-ci.org/gongo/itamae-plugin-resource-firewalld.svg?branch=master)](https://travis-ci.org/gongo/itamae-plugin-resource-firewalld)
+[![Coverage Status](https://coveralls.io/repos/gongo/itamae-plugin-resource-firewalld/badge.png?branch=master)](https://coveralls.io/r/gongo/itamae-plugin-resource-firewalld?branch=master)
+[![Code Climate](https://codeclimate.com/github/gongo/itamae-plugin-resource-firewalld/badges/gpa.svg)](https://codeclimate.com/github/gongo/itamae-plugin-resource-firewalld)
+
+## Usage
+
+```ruby
+service 'firewalld' do
+  action [:start, :enable]
+end
+
+firewalld_zone 'external' do
+  interfaces %w(enp0s8 enp0s9)
+  services   %w(ssh)
+
+  masquerade true
+
+  notifies  :restart, 'service[firewalld]'
+end
+
+firewalld_zone 'public' do
+  interfaces %w(enp0s3)
+  services   %w(ssh https mysql)
+  ports      %w(8080/tcp 4243/udp)
+
+  default_zone true
+
+  notifies :restart, 'service[firewalld]'
+end
+```
+
+After `itamae` execute:
+
+```
+$ sudo firewall-cmd --list-all --zone external
+external (active)
+  interfaces: enp0s8 enp0s9
+  sources:
+  services: ssh
+  ports:
+  masquerade: yes
+  forward-ports:
+  icmp-blocks:
+  rich rules:
+
+$ sudo firewall-cmd --list-all --zone public
+public (default, active)
+  interfaces: enp0s3
+  sources:
+  services: https mysql ssh
+  ports: 4243/udp 8080/tcp
+  masquerade: no
+  forward-ports:
+  icmp-blocks:
+  rich rules:
+```
+
+### See also
+
+Demonstration environment [examples](./examples)
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'itamae-plugin-resource-firewalld'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install itamae-plugin-resource-firewalld
+
+## Features
+
+Provides a `firewalld_zone` resource that operation of `Zone`:
+
+```ruby
+firewalld_zone 'zone_name' do
+  name          # [String]
+
+  interfaces    # [Array of string]
+  sources       # [Array of string]
+  services      # [Array of string]
+  ports         # [Array of string]
+  forward_ports # [Array of string]
+  icmp_blocks   # [Array of string]
+  rich_rules    # [Array of string]
+
+  masquerade    # [True / False]
+  default_zone  # [True] Ignored other
+end
+```
+
+**IMPORTANT**
+
+`firewalld_zone` resource performs the processing `firewall-cmd` with [--permanent](http://fedoraproject.org/wiki/FirewallD#Permanent_zone_handling) .
+
+## TODO
+
+Unimplemented:
+
+- Add a new `zone`, `icmptype` and `service`
+- Operation of `Direct`, `Lockdown`
+- Etc...
+
+I'll be waiting for your pull request :bow:
+
+## Contributing
+
+1. Fork it ( https://github.com/gongo/itamae-plugin-resource-firewalld/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,8 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  t.test_files = Dir['test/**/test_*.rb']
+  t.verbose = true
+end

data/examples/README.md

@@ -0,0 +1,67 @@
+`Itamae::Plugin::Resource::Firewalld` demonstration virtual machine.
+
+Usage
+--------------------
+
+### Preparation
+
+```sh
+$ cd /path/to/itamae-plugin-resource-firewalld/
+$ bundle install --path vendor/bundle
+```
+
+### Provision
+
+```sh
+$ cd ./examples/
+$ vagrant up
+$ bundle exec itamae ssh -h default --vagrant recipe.rb
+ INFO : Starting Itamae...
+ INFO : Recipe: /path/to/itamae-plugin-resource-firewalld/examples/recipe.rb
+ INFO :    service[firewalld]
+ INFO :       action: start
+ INFO :          running will change from 'false' to 'true'
+ INFO :       action: enable
+ INFO :          enabled will change from 'false' to 'true'
+ INFO :    firewalld_zone[home]
+ INFO :       action: update
+ INFO :          services will change from '["dhcpv6-client", "ipp-client", "mdns", "samba-client", "ssh"]' to '["samba", "ssh", "vnc-server"]'
+ INFO :          ports will change from '[]' to '["1900/udp", "32469/tcp", "5353/udp"]'
+ INFO :       Notifying restart to service resource 'firewalld' (delayed)
+ INFO :    firewalld_zone[public]
+ INFO :       action: update
+ INFO :          services will change from '["dhcpv6-client", "ssh"]' to '["https", "mysql", "ssh"]'
+ INFO :       Notifying restart to service resource 'firewalld' (delayed)
+ INFO :    service[firewalld]
+ INFO :       action: restart
+```
+
+### Confirmation
+
+```sh
+$ vagrant ssh
+[vagrant@localhost ~]$ sudo systemctl is-enabled firewalld
+enabled
+
+[vagrant@localhost ~]$ sudo firewall-cmd --list-all --zone home
+home
+  interfaces:
+  sources:
+  services: samba ssh vnc-server
+  ports: 5353/udp 32469/tcp 1900/udp
+  masquerade: no
+  forward-ports:
+  icmp-blocks:
+  rich rules:
+
+[vagrant@localhost ~]$ sudo firewall-cmd --list-all --zone public
+public (default, active)
+  interfaces: enp0s3
+  sources:
+  services: https mysql ssh
+  ports:
+  masquerade: no
+  forward-ports:
+  icmp-blocks:
+  rich rules:
+```

data/examples/Vagrantfile

@@ -0,0 +1,7 @@
+# -*- mode: ruby -*-
+
+VAGRANTFILE_API_VERSION = '2'
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = "chef/centos-7.0"
+end

data/examples/recipe.rb

@@ -0,0 +1,19 @@
+require 'itamae/plugin/resource/firewalld'
+
+service 'firewalld' do
+  action [:start, :enable]
+end
+
+firewalld_zone 'home' do
+  services  %w(samba ssh vnc-server)
+  ports     %w(1900/udp 5353/udp 32469/tcp)
+
+  notifies :restart, 'service[firewalld]'
+end
+
+firewalld_zone 'public' do
+  services     %w(ssh https mysql)
+  default_zone true
+
+  notifies :restart, 'service[firewalld]'
+end

data/itamae-plugin-resource-firewalld.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'itamae/plugin/resource/firewalld/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "itamae-plugin-resource-firewalld"
+  spec.version       = Itamae::Plugin::Resource::Firewalld::VERSION
+  spec.authors       = ["Wataru MIYAGUNI"]
+  spec.email         = ["gonngo@gmail.com"]
+  spec.summary       = %q{Itamae resource plugin to manage firewalld.}
+  spec.description   = %q{Itamae resource plugin to manage firewalld.}
+  spec.homepage      = "https://github.com/gongo/itamae-plugin-resource-firewalld"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency 'bundler', '~> 1.7'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'test-unit', '~> 3.0.1'
+  spec.add_development_dependency 'mocha'
+  spec.add_development_dependency 'coveralls'
+  spec.add_dependency 'itamae'
+end

data/lib/itamae/plugin/resource/firewalld.rb

@@ -0,0 +1,12 @@
+require 'itamae/plugin/resource/firewalld/version'
+require 'itamae/plugin/resource/firewalld_zone'
+
+module Itamae
+  module Plugin
+    module Resource
+      module Firewalld
+        # Your code goes here...
+      end
+    end
+  end
+end

data/lib/itamae/plugin/resource/firewalld/version.rb

@@ -0,0 +1,9 @@
+module Itamae
+  module Plugin
+    module Resource
+      module Firewalld
+        VERSION = "0.0.1"
+      end
+    end
+  end
+end

data/lib/itamae/plugin/resource/firewalld_zone.rb

@@ -0,0 +1,112 @@
+require 'itamae/resource/base'
+
+module Itamae
+  module Plugin
+    module Resource
+      class FirewalldZone < Itamae::Resource::Base
+
+        define_attribute :action, default: :update
+        define_attribute :name, type: String, default_name: true
+
+        define_attribute :masquerade,    type: [TrueClass, FalseClass]
+        define_attribute :default_zone,  type: [TrueClass, FalseClass]
+
+        ARRAYABLE_SETTINGS = [
+          :interfaces,
+          :sources,
+          :services,
+          :ports,
+          :forward_ports,
+          :icmp_blocks,
+          :rich_rules
+        ]
+
+        ARRAYABLE_SETTINGS.each do |name|
+          define_attribute name, type: Array
+        end
+
+        def pre_action
+          ARRAYABLE_SETTINGS.each do |name|
+            attributes[name].sort! if attributes[name]
+          end
+        end
+
+        def set_current_attributes
+          ARRAYABLE_SETTINGS.each do |name|
+            attributes[name].sort! if attributes[name]
+            current[name] = current_setting(name) if attributes[name]
+          end
+
+          current.masquerade    = masquerade_enabled? unless attributes.masquerade.nil?
+          current.default_zone  = default_zone?       unless attributes.default_zone.nil?
+        end
+
+        def action_update(options)
+          ARRAYABLE_SETTINGS.each do |name|
+            update_setting(name, current[name], attributes[name]) if attributes[name]
+          end
+
+          if !attributes.masquerade.nil? && (current.masquerade != attributes.masquerade)
+            update_masquerade(attributes.masquerade)
+            updated!
+          end
+
+          if attributes.default_zone && !current.default_zone
+            set_default_zone
+            updated!
+          end
+        end
+
+        private
+
+        #
+        # @param  [String]  name      setting name
+        # @param  [Array]   current   current.{property_name}
+        # @param  [Array]   updated   updated.{property_name}
+        #
+        def update_setting(name, current, updated)
+          #
+          # singularize (e.g. forward_ports -> forward-port)
+          #
+          # TODO: Not beautiful..
+          #
+          name = name.to_s.gsub('_', '-').chop
+
+          add_args = ["--add-#{name}"].product(updated - (current & updated)).flatten
+          remove_args = ["--remove-#{name}"].product(current - updated).flatten
+
+          run_zone_command(add_args) unless add_args.empty?
+          run_zone_command(remove_args) unless remove_args.empty?
+        end
+
+        def update_masquerade(enabled)
+          action = enabled ? 'add' : 'remove'
+          run_zone_command(["--#{action}-masquerade"])
+        end
+
+        def current_setting(name)
+          name = name.to_s.gsub('_', '-')
+          run_zone_command(["--list-#{name}"]).stdout.strip.split.sort
+        end
+
+        def masquerade_enabled?
+          run_zone_command(['--query-masquerade'], error: false).success?
+        end
+
+        def run_zone_command(args, options = {})
+          command = ['firewall-cmd', '--zone', attributes.name, '--permanent']
+          run_command(command + args, options)
+        end
+
+        def default_zone?
+          command = ['firewall-cmd', '--get-default-zone']
+          run_command(command).stdout.strip == attributes.name
+        end
+
+        def set_default_zone
+          run_command(['firewall-cmd', '--set-default-zone', attributes.name])
+        end
+      end
+    end
+  end
+end

data/test/helper.rb

@@ -0,0 +1,8 @@
+require 'coveralls'
+Coveralls.wear!
+
+require 'test/unit'
+require 'mocha/test_unit'
+require 'itamae'
+
+Itamae::Logger.log_device = StringIO.new

data/test/itamae/plugin/resource/test_firewalld_zone.rb

@@ -0,0 +1,127 @@
+require 'helper'
+require 'itamae/plugin/resource/firewalld_zone'
+
+module Itamae
+  module Plugin
+    module Resource
+      class TestFirewalldZone < Test::Unit::TestCase
+        setup do
+          @resource = FirewalldZone.new(stub, 'public')
+        end
+
+        sub_test_case 'settings' do
+          setup do
+            #
+            # $ firewall-cmd --zone public --list-all
+            # public (default, active)
+            #   ..
+            #   services: pop3s ssh
+            #   ..
+            #
+            @resource.stubs(:run_zone_command)
+              .with(['--list-services'])
+              .returns(stub(stdout: 'pop3s ssh'))
+          end
+
+          test 'Change the setting' do
+            @resource.attributes.services = ['ssh', 'http', 'smtp']
+            @resource.expects(:run_zone_command).with(['--add-service', 'http', '--add-service', 'smtp'])
+            @resource.expects(:run_zone_command).with(['--remove-service', 'pop3s'])
+            @resource.expects(:notify)
+            @resource.run
+          end
+
+          test 'No change the setting (noop)' do
+            @resource.attributes.services = ['ssh', 'pop3s']
+            @resource.expects(:notify).never
+            @resource.run
+          end
+        end
+
+        sub_test_case 'masquerade' do
+          sub_test_case 'enable' do
+            setup do
+              #
+              # $ firewall-cmd --zone public --query-masquerade
+              # yes
+              #
+              @resource.stubs(:masquerade_enabled?).returns(true)
+            end
+
+            test 'To enbale (noop)' do
+              @resource.attributes.masquerade = true
+              @resource.expects(:notify).never
+              @resource.run
+            end
+
+            test 'To disable' do
+              @resource.attributes.masquerade = false
+              @resource.expects(:run_zone_command).with(['--remove-masquerade'])
+              @resource.expects(:notify)
+              @resource.run
+            end
+          end
+
+          sub_test_case 'disable' do
+            setup do
+              #
+              # $ firewall-cmd --zone public --query-masquerade
+              # no
+              #
+              @resource.stubs(:masquerade_enabled?).returns(false)
+            end
+
+            test 'To enable' do
+              @resource.attributes.masquerade = true
+              @resource.expects(:run_zone_command).with(['--add-masquerade'])
+              @resource.expects(:notify)
+              @resource.run
+            end
+
+            test 'To disable (noop)' do
+              @resource.attributes.masquerade = false
+              @resource.expects(:notify).never
+              @resource.run
+            end
+          end
+        end
+
+        sub_test_case 'default_zone' do
+          setup do
+            @resource.stubs(:run_command)
+              .with(['firewall-cmd', '--get-default-zone'])
+              .returns(stub(stdout: 'home'))
+          end
+
+          test 'Set default zone' do
+            @resource.attributes.default_zone = true
+            @resource.expects(:set_default_zone)
+            @resource.expects(:notify)
+            @resource.run
+          end
+
+          sub_test_case 'already default zone' do
+            setup do
+              @resource.stubs(:run_command)
+                .with(['firewall-cmd', '--get-default-zone'])
+                .returns(stub(stdout: 'public'))
+            end
+
+            test 'Set default zone (noop)' do
+              @resource.attributes.default_zone = true
+              @resource.expects(:set_default_zone).never
+              @resource.expects(:notify).never
+              @resource.run
+            end
+
+            test 'Do not perform unset default zone (noop)' do
+              @resource.attributes.default_zone = false
+              @resource.expects(:notify).never
+              @resource.run
+            end
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,145 @@
+--- !ruby/object:Gem::Specification
+name: itamae-plugin-resource-firewalld
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Wataru MIYAGUNI
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-12-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.1
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: itamae
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Itamae resource plugin to manage firewalld.
+email:
+- gonngo@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- examples/README.md
+- examples/Vagrantfile
+- examples/recipe.rb
+- itamae-plugin-resource-firewalld.gemspec
+- lib/itamae/plugin/resource/firewalld.rb
+- lib/itamae/plugin/resource/firewalld/version.rb
+- lib/itamae/plugin/resource/firewalld_zone.rb
+- test/helper.rb
+- test/itamae/plugin/resource/test_firewalld_zone.rb
+homepage: https://github.com/gongo/itamae-plugin-resource-firewalld
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Itamae resource plugin to manage firewalld.
+test_files:
+- test/helper.rb
+- test/itamae/plugin/resource/test_firewalld_zone.rb