itamae-plugin-resource-firewalld 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c1cdfebfa66e315a7929c7db7c3d9399c78d5644
-  data.tar.gz: cf94da496215a5308a406299728ae21d56b9f533
+  metadata.gz: 9148fc06b7117db587f794bebaf7b9999273753f
+  data.tar.gz: 909b1ce328e9f8f441bd5cc5597a7aee93164a0a
 SHA512:
-  metadata.gz: e67bd2557effbdf6467ac7d06e723881d3cdbfab429a15c87d0eed3901eee8806a30b097e895c1fbf1919db53898ce8169d93d212494b9ae0574b63bd81a4838
-  data.tar.gz: aea44043417f0b12d525c3ebad4062dcdce8b8b08a263b49508c90f739e7ef6b8566ce7bfe0d3b68d06bc6a39c7d6d05f69440ec6d476b90c2fe200c95af3bc2
+  metadata.gz: 87a0bc3bc89069dc0a46d074e4ffadb1513d8a25f42c5784acd5268759d30d909a41bc00271e8c8fb13093dff67c54f76ab38e34b69d929b4cd5d46547151b83
+  data.tar.gz: a12d69af2f8119a41f8e65093e0b1ef023234a30164f8952dc89c42fb8b329904597f6cdadc738e7c60608f4becc06b2d8250d8837177463de1b4247ff32f2b3

data/README.md

@@ -82,6 +82,8 @@ Or install it yourself as:
 
 ## Features
 
+### firewalld_zone
+
 Provides a `firewalld_zone` resource that operation of `Zone`:
 
 ```ruby
@@ -101,15 +103,35 @@ firewalld_zone 'zone_name' do
 end
 ```
 
-**IMPORTANT**
+### firewalld_service
+
+Provides a `firewalld_service` resource that can create or delete of `Service`:
+
+```ruby
+firewalld_service 'my-service' do
+  action      # [:create or :delete]
+
+  short       # [String]
+  description # [String]
+  port        # [String]
+  protocol    # [String]
+  module_name # [String]
+  to_ipv4     # [String]
+  to_ipv6     # [String]
+end
+```
+
+After `itamae` execute, `/etc/firewalld/service/my-service.xml` is created.
+
+## IMPORTANT
 
-`firewalld_zone` resource performs the processing `firewall-cmd` with [--permanent](http://fedoraproject.org/wiki/FirewallD#Permanent_zone_handling) .
+`itamae-plugin-resource-firewalld`'s resource performs the processing `firewall-cmd` with [--permanent](http://fedoraproject.org/wiki/FirewallD#Permanent_zone_handling) .
 
 ## TODO
 
 Unimplemented:
 
-- Add a new `zone`, `icmptype` and `service`
+- Add a new `zone` and `icmptype` resource
 - Operation of `Direct`, `Lockdown`
 - Etc...
 

data/examples/README.md

@@ -23,6 +23,11 @@ $ bundle exec itamae ssh -h default --vagrant recipe.rb
  INFO :          running will change from 'false' to 'true'
  INFO :       action: enable
  INFO :          enabled will change from 'false' to 'true'
+ INFO :    firewalld_service[my-ssh]
+ INFO :       action: create
+ INFO :       Notifying restart to service resource 'firewalld-add-service' (delayed)
+ INFO :    service[firewalld-add-service]
+ INFO :       action: restart
  INFO :    firewalld_zone[home]
  INFO :       action: update
  INFO :          services will change from '["dhcpv6-client", "ipp-client", "mdns", "samba-client", "ssh"]' to '["samba", "ssh", "vnc-server"]'
@@ -30,11 +35,12 @@ $ bundle exec itamae ssh -h default --vagrant recipe.rb
  INFO :       Notifying restart to service resource 'firewalld' (delayed)
  INFO :    firewalld_zone[public]
  INFO :       action: update
- INFO :          services will change from '["dhcpv6-client", "ssh"]' to '["https", "mysql", "ssh"]'
+ INFO :          services will change from '["dhcpv6-client", "ssh"]' to '["https", "my-ssh", "mysql", "ssh"]'
  INFO :       Notifying restart to service resource 'firewalld' (delayed)
- INFO :    service[firewalld]
+ INFO :    service[firewalld-add-service]
  INFO :       action: restart
-```
+ INFO :    service[firewalld]
+ INFO :       action: restart```
 
 ### Confirmation
 
@@ -58,10 +64,18 @@ home
 public (default, active)
   interfaces: enp0s3
   sources:
-  services: https mysql ssh
+  services: https my-ssh mysql ssh
   ports:
   masquerade: no
   forward-ports:
   icmp-blocks:
   rich rules:
+
+[vagrant@localhost ~]$ sudo cat /etc/firewalld/services/my-ssh.xml # formatting
+<?xml version='1.0' encoding='UTF-8'?>
+<service>
+  <short>my-ssh</short>
+  <description>My perfect ssh!!</description>
+  <port port='2222' protocol='tcp'/>
+</service>
 ```

data/examples/recipe.rb

@@ -4,6 +4,26 @@ service 'firewalld' do
   action [:start, :enable]
 end
 
+firewalld_service 'my-ssh' do
+  short       'my-ssh'
+  description 'My perfect ssh!!'
+  port        '2222'
+  protocol    'tcp'
+
+  #
+  # Necessary to restart before use added service.
+  # Because `firewald_serivce` is permanent configuration.
+  #
+  notifies :restart, 'service[firewalld-add-service]'
+end
+
+service 'firewalld-add-service' do
+  name   'firewalld'
+  action :restart
+
+  notifies :update, 'firewalld_zone[public]'
+end
+
 firewalld_zone 'home' do
   services  %w(samba ssh vnc-server)
   ports     %w(1900/udp 5353/udp 32469/tcp)
@@ -12,7 +32,7 @@ firewalld_zone 'home' do
 end
 
 firewalld_zone 'public' do
-  services     %w(ssh https mysql)
+  services     %w(ssh https mysql my-ssh)
   default_zone true
 
   notifies :restart, 'service[firewalld]'

data/lib/itamae/plugin/resource/firewalld.rb

@@ -1,4 +1,5 @@
 require 'itamae/plugin/resource/firewalld/version'
+require 'itamae/plugin/resource/firewalld_service'
 require 'itamae/plugin/resource/firewalld_zone'
 
 module Itamae

data/lib/itamae/plugin/resource/firewalld/version.rb

@@ -2,7 +2,7 @@ module Itamae
   module Plugin
     module Resource
       module Firewalld
-        VERSION = "0.0.1"
+        VERSION = "0.0.2"
       end
     end
   end

data/lib/itamae/plugin/resource/firewalld_service.rb

@@ -0,0 +1,141 @@
+require 'itamae/resource/base'
+require 'rexml/document'
+
+module Itamae
+  module Plugin
+    module Resource
+      class FirewalldService < ::Itamae::Resource::Base
+
+        define_attribute :action, default: :create
+        define_attribute :name, type: String, default_name: true
+
+        define_attribute :short,       type: String, default: ''
+        define_attribute :description, type: String, default: ''
+        define_attribute :protocol,    type: String, default: ''
+        define_attribute :port,        type: String, default: ''
+        define_attribute :module_name, type: String, default: ''
+        define_attribute :to_ipv4,     type: String, default: ''
+        define_attribute :to_ipv6,     type: String, default: ''
+
+        def pre_action
+          current.status = current_status
+
+          return if (@current_action != :create) || (current.status == :undefined)
+
+          xml = run_specinfra(:get_file_content, service_xmlfile_path).stdout
+          return if xml.empty?
+
+          service = REXML::Document.new(xml).elements['/service'].elements
+
+          if service['short']
+            current.short = service['short'].text
+          end
+
+          if service['description']
+            current.description = service['description'].text
+          end
+
+          if service['port']
+            current.protocol = service['port'].attributes['protocol']
+            current.port = service['port'].attributes['port']
+          end
+
+          if service['module']
+            current.module_name = service['module'].attributes['name']
+          end
+
+          if service['destination']
+            current.to_ipv4 = service['destination'].attributes['ipv4']
+            current.to_ipv6 = service['destination'].attributes['ipv6']
+          end
+        end
+
+        def action_create(options)
+          run_specinfra(:move_file, build_xmlfile_on_remote, service_xmlfile_path)
+          attributes.status = :defined
+        end
+
+        def action_delete(options)
+          return if current.status == :undefined
+
+          run_command(['firewall-cmd', '--permanent', '--delete-service', attributes.name])
+          attributes.status = :undefined
+        end
+
+        private
+
+        def build_xmlfile_on_remote
+          local_path  = build_xmlfile_on_local
+          remote_path = ::File.join(runner.tmpdir, Time.now.to_f.to_s)
+
+          send_file(local_path, remote_path)
+          remote_path
+        end
+
+        def build_xmlfile_on_local
+          root_document  = ::REXML::Document.new
+          root_document << ::REXML::XMLDecl.new('1.0', 'utf-8')
+          @service_document = root_document.add_element('service')
+
+          add_short_tag
+          add_description_tag
+          add_port_tag
+          add_module_tag
+          add_destination_tag
+
+          f = Tempfile.open('itamae_firewalld_service')
+          root_document.write(f)
+          f.close
+          f.path
+        end
+
+        def add_short_tag
+          return if attributes.short.empty?
+
+          short = @service_document.add_element('short')
+          short.text = attributes.short unless attributes.short.empty?
+        end
+
+        def add_description_tag
+          return if attributes.description.empty?
+
+          description = @service_document.add_element('description')
+          description.text = attributes.description unless attributes.description.empty?
+        end
+
+        def add_port_tag
+          return if (attributes.protocol.empty? && attributes.port.empty?)
+
+          node = @service_document.add_element('port')
+          node.add_attribute('protocol', attributes.protocol) unless attributes.protocol.empty?
+          node.add_attribute('port', attributes.port) unless attributes.port.empty?
+        end
+
+        def add_module_tag
+          return if attributes.module_name.empty?
+
+          node = @service_document.add_element('module')
+          node.add_attribute('name', attributes.module_name) unless attributes.module_name.empty?
+        end
+
+        def add_destination_tag
+          return if (attributes.to_ipv4.empty? && attributes.to_ipv6.empty?)
+
+          node = @service_document.add_element('destination')
+          node.add_attribute('ipv4', attributes.to_ipv4) unless attributes.to_ipv4.empty?
+          node.add_attribute('ipv6', attributes.to_ipv6) unless attributes.to_ipv6.empty?
+        end
+
+        def service_xmlfile_path
+          "/etc/firewalld/services/#{attributes.name}.xml"
+        end
+
+        def current_status
+          command  = ['firewall-cmd', '--permanent', '--list-services']
+          services = run_command(command).stdout.strip.split
+          services.include?(attributes.name) ? :defined : :undefined
+        end
+      end
+    end
+  end
+end

data/test/itamae/plugin/resource/test_firewalld_service.rb

@@ -0,0 +1,121 @@
+require 'helper'
+require 'itamae/plugin/resource/firewalld_service'
+
+module Itamae
+  module Plugin
+    module Resource
+      # Stub
+      class FirewalldService
+        def send_file(from, to)
+          @local_path = from
+        end
+
+        def local_path
+          @local_path
+        end
+      end
+
+      class TestFirewalldService < Test::Unit::TestCase
+        setup do
+          @resource = FirewalldService.new(stub, 'test-service')
+        end
+
+        sub_test_case '#action_delete' do
+          setup do
+            @resource.attributes.action = :delete
+          end
+
+          sub_test_case 'predefined service' do
+            setup do
+              @resource.expects(:run_command)
+                .with(['firewall-cmd', '--permanent', '--list-services'])
+                .returns(stub(stdout: 'service1 service2 test-service'))
+            end
+
+            test 'delete service' do
+              @resource.expects(:run_command).with(['firewall-cmd', '--permanent', '--delete-service', 'test-service'])
+              @resource.expects(:notify)
+              @resource.run
+            end
+          end
+
+          sub_test_case 'undefined service' do
+            setup do
+              @resource.expects(:run_command)
+                .with(['firewall-cmd', '--permanent', '--list-services'])
+                .returns(stub(stdout: 'service1 service2'))
+            end
+
+            test 'delete service (noop)' do
+              @resource.expects(:notify).never
+              @resource.run
+            end
+          end
+        end
+
+        sub_test_case '#action_create' do
+          setup do
+            @resource.attributes.action = :create
+            @resource.stubs(:runner).returns(stub(tmpdir: ::Dir.tmpdir))
+            @resource.stubs(:move_file)
+            @resource.stubs(:run_specinfra).with(:move_file, is_a(String), is_a(String))
+
+            @resource.expects(:notify)
+          end
+
+          sub_test_case 'undefined service' do
+            setup do
+              @resource.stubs(:current_status).returns(:undefined)
+            end
+
+            test 'create service' do
+              @resource.run
+
+              assert ::File.exists?(@resource.local_path )
+            end
+          end
+
+          sub_test_case 'predefined service' do
+            setup do
+              @resource.stubs(:current_status).returns(:defined)
+              @resource.stubs(:run_specinfra)
+                .with(:get_file_content, '/etc/firewalld/services/test-service.xml')
+                .returns(stub(stdout: <<-EOS))
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>test-service</short>
+  <description>test-service description</description>
+  <port protocol="tcp" port="2222"/>
+  <module name="test-module"/>
+  <destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
+</service>
+                 EOS
+            end
+
+            test 'update service' do
+              @resource.attributes.short       = 'test-service!!'
+              @resource.attributes.description = 'test-service update description'
+              @resource.attributes.protocol    = 'udp'
+              @resource.attributes.port        = '2222-2224'
+              @resource.attributes.module_name = 'new-test-module'
+              @resource.attributes.to_ipv4     = '172.17.0.1'
+              @resource.attributes.to_ipv6     = 'ffff::fc'
+              @resource.run
+
+              root = REXML::Document.new(File.read(@resource.local_path))
+              service = root.elements['/service'].elements
+
+              assert_equal @resource.attributes.short,       service['short'].text
+              assert_equal @resource.attributes.description, service['description'].text
+              assert_equal @resource.attributes.protocol,    service['port'].attributes['protocol']
+              assert_equal @resource.attributes.port,        service['port'].attributes['port']
+              assert_equal @resource.attributes.module_name, service['module'].attributes['name']
+              assert_equal @resource.attributes.to_ipv4,     service['destination'].attributes['ipv4']
+              assert_equal @resource.attributes.to_ipv6,     service['destination'].attributes['ipv6']
+            end
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: itamae-plugin-resource-firewalld
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Wataru MIYAGUNI
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-20 00:00:00.000000000 Z
+date: 2014-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -113,8 +113,10 @@ files:
 - itamae-plugin-resource-firewalld.gemspec
 - lib/itamae/plugin/resource/firewalld.rb
 - lib/itamae/plugin/resource/firewalld/version.rb
+- lib/itamae/plugin/resource/firewalld_service.rb
 - lib/itamae/plugin/resource/firewalld_zone.rb
 - test/helper.rb
+- test/itamae/plugin/resource/test_firewalld_service.rb
 - test/itamae/plugin/resource/test_firewalld_zone.rb
 homepage: https://github.com/gongo/itamae-plugin-resource-firewalld
 licenses:
@@ -142,4 +144,5 @@ specification_version: 4
 summary: Itamae resource plugin to manage firewalld.
 test_files:
 - test/helper.rb
+- test/itamae/plugin/resource/test_firewalld_service.rb
 - test/itamae/plugin/resource/test_firewalld_zone.rb