# frozen_string_literal: true
require 'spec_helper'
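describe 'nftables' do
  # Puppet's Exec type needs a search path to resolve bare commands; a
  # minimal one keeps the examples independent of the host running them.
  let(:pre_condition) { 'Exec{path => "/bin"}' }

  on_supported_os.each do |os, os_facts|
    context "on #{os}" do
      let(:facts) { os_facts }

      # OS-family specific locations: Arch Linux installs nft under /usr/bin,
      # and the RedHat family keeps the unit's ruleset file in /etc/sysconfig.
      nft_path = case os_facts[:os]['family']
                 when 'Archlinux'
                   '/usr/bin/nft'
                 else
                   '/usr/sbin/nft'
                 end
      nft_config = case os_facts[:os]['family']
                   when 'RedHat'
                     '/etc/sysconfig/nftables.conf'
                   else
                     '/etc/nftables.conf'
                   end

      # Baseline ownership/permissions every managed path must carry: rule
      # files are 0640 and directories 0750, all root-owned, so the ruleset is
      # neither readable nor writable by unprivileged users. Shared here so
      # each example asserts the same baseline.
      root_file = { ensure: 'file', owner: 'root', group: 'root', mode: '0640' }.freeze
      root_dir = { ensure: 'directory', owner: 'root', group: 'root', mode: '0750' }.freeze
      # The two rule directories are fully owned by Puppet: unmanaged entries
      # are purged recursively (force covers directories), so stray fragments
      # cannot end up in the loaded ruleset.
      managed_dir = root_dir.merge(purge: true, force: true, recurse: true).freeze

      it { is_expected.to compile.with_all_deps }

      it { is_expected.to contain_package('nftables') }

      it { is_expected.to contain_file('/etc/nftables').with(root_dir) }

      # Live rules: /etc/nftables/puppet.nft plus the fragments directory.
      # Both entry files start by flushing the ruleset.
      it {
        expect(subject).to contain_file('/etc/nftables/puppet.nft').with(
          root_file.merge(content: %r{flush ruleset})
        )
      }

      it { is_expected.to contain_file('/etc/nftables/puppet').with(managed_dir) }

      # Staging copy: the same layout under puppet-preflight, which is what
      # the `nft validate` exec below checks.
      it {
        expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').with(
          root_file.merge(content: %r{flush ruleset})
        )
      }

      it { is_expected.to contain_file('/etc/nftables/puppet-preflight').with(managed_dir) }

      # `nft -c` only parses and checks the staged ruleset without applying
      # it, and the exec is refreshonly so it runs only when notified.
      # Whether validation is ordered before the service reload is not
      # asserted in this spec.
      it {
        expect(subject).to contain_exec('nft validate').with(
          refreshonly: true,
          command: %r{^#{nft_path} -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*}
        )
      }

      # New rules are picked up with a reload rather than a restart; the
      # drop-in below points ExecReload at Puppet's own rules directory.
      it {
        expect(subject).to contain_service('nftables').with(
          ensure: 'running',
          enable: true,
          hasrestart: true,
          restart: %r{PATH=/usr/bin:/bin systemctl reload nft.*}
        )
      }

      it {
        expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
          content: %r{^ExecReload=#{nft_path} -I /etc/nftables/puppet -f #{nft_config}$}
        )
      }

      # firewalld must not manage the ruleset alongside this module. Arch and
      # Debian only stop and disable it; every other family additionally masks
      # the unit so nothing can start it again.
      case os_facts[:os]['family']
      when 'Archlinux', 'Debian'
        it {
          expect(subject).to contain_service('firewalld').with(
            ensure: 'stopped',
            enable: false
          )
        }
      else
        it {
          expect(subject).to contain_service('firewalld').with(
            ensure: 'stopped',
            enable: 'mask'
          )
        }
      end

      # Default policy: the inet filter and ip nat tables are set up, and
      # outbound traffic is limited to an explicit allow-list (http, https,
      # dns, chrony) rather than an "allow all" rule.
      it { is_expected.to contain_class('nftables::inet_filter') }
      it { is_expected.to contain_class('nftables::ip_nat') }
      it { is_expected.to contain_class('nftables::rules::out::http') }
      it { is_expected.to contain_class('nftables::rules::out::https') }
      it { is_expected.to contain_class('nftables::rules::out::dns') }
      it { is_expected.to contain_class('nftables::rules::out::chrony') }
      it { is_expected.not_to contain_class('nftables::rules::out::all') }
      it { is_expected.not_to contain_nftables__rule('default_out-all') }

      # Opting into out_all replaces the per-service outbound rules with a
      # single accept rule at order 90.
      context 'with out_all set true' do
        let(:params) do
          {
            out_all: true,
          }
        end

        it { is_expected.to contain_class('nftables::rules::out::all') }
        it { is_expected.not_to contain_class('nftables::rules::out::http') }
        it { is_expected.not_to contain_class('nftables::rules::out::https') }
        it { is_expected.not_to contain_class('nftables::rules::out::dns') }
        it { is_expected.not_to contain_class('nftables::rules::out::chrony') }
        it { is_expected.to contain_nftables__rule('default_out-all').with_content('accept') }
        it { is_expected.to contain_nftables__rule('default_out-all').with_order('90') }
      end

      # Rules given via the `rules` hash land as concat fragments in the
      # matching chain; the 'CHAIN-name' key is split into target and rule
      # name, and the rule body is indented inside the chain.
      context 'with custom rules' do
        let(:params) do
          {
            rules: {
              'INPUT-web_accept' => {
                order: '50',
                content: 'iifname eth0 tcp dport { 80, 443 } accept',
              },
            },
          }
        end

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
            target: 'nftables-inet-filter-chain-INPUT',
            content: %r{^  iifname eth0 tcp dport \{ 80, 443 \} accept$},
            order: '50-nftables-inet-filter-chain-INPUT-rule-web_accept-b'
          )
        }
      end

      # Sets default to the inet-filter table and pass their options through.
      context 'with custom sets' do
        let(:params) do
          {
            sets: {
              'testset1' => {
                type: 'ipv4_addr',
                gc_interval: 2,
              },
              'testset2' => {
                type: 'ipv6_addr',
                elements: ['2a02:62:c601::dead:beef'],
              },
            },
          }
        end

        it {
          expect(subject).to contain_nftables__set('testset1').with(
            type: 'ipv4_addr',
            gc_interval: 2,
            table: 'inet-filter'
          )
        }

        it {
          expect(subject).to contain_nftables__set('testset2').with(
            type: 'ipv6_addr',
            elements: ['2a02:62:c601::dead:beef'],
            table: 'inet-filter'
          )
        }
      end

      # firewalld_enable => false keeps firewalld stopped and disabled but
      # never masked, regardless of OS family.
      context 'without masking firewalld' do
        let(:params) do
          {
            'firewalld_enable' => false,
          }
        end

        it {
          expect(subject).to contain_service('firewalld').with(
            ensure: 'stopped',
            enable: false
          )
        }
      end

      context 'with no default filtering rules' do
        let(:params) do
          {
            'inet_filter' => false,
          }
        end

        it { is_expected.to contain_class('nftables::ip_nat') }
        it { is_expected.not_to contain_class('nftables::inet_filter') }
      end

      # With both defaults off the module must declare no nftables resources
      # at all.
      context 'with no default tables, chains or rules' do
        let(:params) do
          {
            'inet_filter' => false,
            'nat' => false,
          }
        end

        it { is_expected.not_to contain_class('nftables::ip_nat') }
        it { is_expected.not_to contain_class('nftables::inet_filter') }
        it { is_expected.to have_nftables__config_resource_count(0) }
        it { is_expected.to have_nftables__chain_resource_count(0) }
        it { is_expected.to have_nftables__rule_resource_count(0) }
        it { is_expected.to have_nftables__set_resource_count(0) }
      end

      # noflush_tables: tables listed here are spared from the global flush.
      # Without a fact listing the existing tables the preflight file falls
      # back to `flush ruleset`; with one, each table not in the list is
      # declared and then flushed individually instead.
      context 'with noflush_tables parameter' do
        let(:params) do
          {
            noflush_tables: ['inet-f2b-table'],
          }
        end

        context 'with no nftables fact' do
          it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
        end

        # NOTE(review): nothing here asserts that inet-f2b-table is actually
        # left out of the flush; a negative expectation on the preflight
        # content would pin that behaviour down.
        context 'with nftables fact matching' do
          let(:facts) do
            super().merge(nftables: { tables: %w[inet-abc inet-f2b-table] })
          end

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^table inet abc \{\}$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^flush table inet abc$})
          }
        end

        context 'with nftables fact not matching' do
          let(:facts) do
            super().merge(nftables: { tables: %w[inet-abc inet-ijk] })
          end

          # Neither table is in noflush_tables, so both get declared and flushed.
          %w[abc ijk].each do |table|
            it {
              expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
                with_content(%r{^table inet #{table} \{\}$})
            }

            it {
              expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
                with_content(%r{^flush table inet #{table}$})
            }
          end
        end
      end
    end
  end
end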