# frozen_string_literal: true
require 'spec_helper'
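# Catalog-level tests for the top-level `nftables` class.
#
# The properties pinned here are the security-relevant ones of the module:
#  * ruleset files and include directories are root-owned and not readable
#    by other users (0640 / 0750),
#  * a candidate ruleset is syntax-checked (`nft -c`) against a separate
#    preflight copy before the running service is asked to reload,
#  * firewalld is stopped (and by default masked) so two firewall managers
#    never compete for the same netfilter tables,
#  * the default egress policy is an allowlist; a blanket outbound accept
#    has to be opted into with `out_all`,
#  * `noflush_tables` keeps tables owned by other tools (e.g. fail2ban)
#    from being flushed when Puppet reloads its own ruleset.
describe 'nftables' do
  # rspec-puppet pre-condition: give Exec resources a default search path
  # so the catalog compiles in the test harness.
  let(:pre_condition) { 'Exec{path => "/bin"}' }

  on_supported_os.each do |os, os_facts|
    context "on #{os}" do
      let(:facts) { os_facts }

      it { is_expected.to compile }

      it { is_expected.to contain_package('nftables') }

      # Live ruleset entry point: root-only and containing a `flush ruleset`
      # so rules left over from a previous run do not linger.
      it {
        expect(subject).to contain_file('/etc/nftables/puppet.nft').with(
          ensure: 'file',
          owner: 'root',
          group: 'root',
          mode: '0640',
          content: %r{flush ruleset}
        )
      }

      # Live include directory. purge/force/recurse means anything Puppet
      # does not manage in here is removed, so an unmanaged include file
      # cannot be slipped into the ruleset.
      it {
        expect(subject).to contain_file('/etc/nftables/puppet').with(
          ensure: 'directory',
          owner: 'root',
          group: 'root',
          mode: '0750',
          purge: true,
          force: true,
          recurse: true
        )
      }

      # Preflight copy of the entry point, used only for the dry-run
      # validation below; same ownership and mode as the live file.
      it {
        expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').with(
          ensure: 'file',
          owner: 'root',
          group: 'root',
          mode: '0640',
          content: %r{flush ruleset}
        )
      }

      # Preflight include directory, managed exactly like the live one.
      it {
        expect(subject).to contain_file('/etc/nftables/puppet-preflight').with(
          ensure: 'directory',
          owner: 'root',
          group: 'root',
          mode: '0750',
          purge: true,
          force: true,
          recurse: true
        )
      }

      # Dry-run validation: `-c` checks the syntax without loading anything,
      # and `-I` points at the preflight include tree, so a broken include
      # is caught before the live ruleset is touched.
      it {
        expect(subject).to contain_exec('nft validate').with(
          refreshonly: true,
          command: %r{^/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*}
        )
      }

      # The service is reloaded, not restarted, when rules change.
      it {
        expect(subject).to contain_service('nftables').with(
          ensure: 'running',
          enable: true,
          hasrestart: true,
          restart: %r{/usr/bin/systemctl reload nft.*}
        )
      }

      # systemd drop-in routing the reload through the Puppet-managed
      # include directory.
      # NOTE(review): the binary path here (/sbin/nft) differs from the one
      # the validate exec uses (/usr/sbin/nft); equivalent on usr-merged
      # systems, worth confirming for any other supported OS.
      it {
        expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
          content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$}
        )
      }

      # firewalld is stopped and masked by default, so it cannot be started
      # (even by hand) and overwrite the nftables-managed tables.
      it {
        expect(subject).to contain_service('firewalld').with(
          ensure: 'stopped',
          enable: 'mask'
        )
      }

      # Default policy: filtering and NAT tables are present, and outbound
      # traffic is an allowlist (http, https, dns, chrony). The blanket
      # outbound accept is absent unless explicitly requested.
      it { is_expected.to contain_class('nftables::inet_filter') }
      it { is_expected.to contain_class('nftables::ip_nat') }
      it { is_expected.to contain_class('nftables::rules::out::http') }
      it { is_expected.to contain_class('nftables::rules::out::https') }
      it { is_expected.to contain_class('nftables::rules::out::dns') }
      it { is_expected.to contain_class('nftables::rules::out::chrony') }
      it { is_expected.not_to contain_class('nftables::rules::out::all') }
      it { is_expected.not_to contain_nftables__rule('default_out-all') }

      # Opting into out_all replaces the egress allowlist with a single
      # `accept` rule (order 90) and drops the per-service classes.
      context 'with out_all set true' do
        let(:params) do
          {
            out_all: true,
          }
        end

        it { is_expected.to contain_class('nftables::rules::out::all') }
        it { is_expected.not_to contain_class('nftables::rules::out::http') }
        it { is_expected.not_to contain_class('nftables::rules::out::https') }
        it { is_expected.not_to contain_class('nftables::rules::out::dns') }
        it { is_expected.not_to contain_class('nftables::rules::out::chrony') }
        it { is_expected.to contain_nftables__rule('default_out-all').with_content('accept') }
        it { is_expected.to contain_nftables__rule('default_out-all').with_order('90') }
      end

      # A rule given via the `rules` hash lands as a concat fragment in the
      # named chain; the `CHAIN-name` key is split into target chain and
      # fragment name, and the order is prefixed onto the fragment order.
      context 'with custom rules' do
        let(:params) do
          {
            rules: {
              'INPUT-web_accept' => {
                order: '50',
                content: 'iifname eth0 tcp dport { 80, 443 } accept',
              },
            },
          }
        end

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
            target: 'nftables-inet-filter-chain-INPUT',
            content: %r{^  iifname eth0 tcp dport \{ 80, 443 \} accept$},
            order: '50-nftables-inet-filter-chain-INPUT-rule-web_accept-b'
          )
        }
      end

      # Sets given via the `sets` hash default to the inet-filter table and
      # pass their type / elements / gc_interval through unchanged.
      context 'with custom sets' do
        let(:params) do
          {
            sets: {
              'testset1' => {
                type: 'ipv4_addr',
                gc_interval: 2,
              },
              'testset2' => {
                type: 'ipv6_addr',
                elements: ['2a02:62:c601::dead:beef'],
              },
            },
          }
        end

        it {
          expect(subject).to contain_nftables__set('testset1').with(
            type: 'ipv4_addr',
            gc_interval: 2,
            table: 'inet-filter'
          )
        }

        it {
          expect(subject).to contain_nftables__set('testset2').with(
            type: 'ipv6_addr',
            elements: ['2a02:62:c601::dead:beef'],
            table: 'inet-filter'
          )
        }
      end

      # firewalld_enable => false: the service is still stopped but only
      # disabled, not masked.
      context 'without masking firewalld' do
        let(:params) do
          {
            'firewalld_enable' => false,
          }
        end

        it {
          expect(subject).to contain_service('firewalld').with(
            ensure: 'stopped',
            enable: false
          )
        }
      end

      # Turning off inet_filter removes the filtering table but keeps NAT.
      context 'with no default filtering rules' do
        let(:params) do
          {
            'inet_filter' => false,
          }
        end

        it { is_expected.to contain_class('nftables::ip_nat') }
        it { is_expected.not_to contain_class('nftables::inet_filter') }
      end

      # With both defaults off the class must contribute no tables, chains,
      # rules or sets of its own.
      context 'with no default tables, chains or rules' do
        let(:params) do
          {
            'inet_filter' => false,
            'nat' => false,
          }
        end

        it { is_expected.not_to contain_class('nftables::ip_nat') }
        it { is_expected.not_to contain_class('nftables::inet_filter') }
        it { is_expected.to have_nftables__config_resource_count(0) }
        it { is_expected.to have_nftables__chain_resource_count(0) }
        it { is_expected.to have_nftables__rule_resource_count(0) }
        it { is_expected.to have_nftables__set_resource_count(0) }
      end

      # noflush_tables: tables named here (family-name, e.g. the fail2ban
      # table) must survive a Puppet reload. The preflight file is checked
      # because it is what `nft validate` runs against.
      context 'with noflush_tables parameter' do
        let(:params) do
          {
            noflush_tables: ['inet-f2b-table'],
          }
        end

        # Without the `nftables` fact the current tables are unknown, so the
        # module falls back to a full `flush ruleset`.
        context 'with no nftables fact' do
          it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
        end

        # Fact lists the protected table: every other table is declared and
        # flushed individually, the protected one is left alone and no
        # global flush is emitted (a `flush ruleset` would wipe it anyway).
        context 'with nftables fact matching' do
          let(:facts) do
            super().merge(nftables: { tables: %w[inet-abc inet-f2b-table] })
          end

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^table inet abc \{\}$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^flush table inet abc$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              without_content(%r{^flush table inet f2b-table$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              without_content(%r{^flush ruleset$})
          }
        end

        # Fact lists only unprotected tables: all of them are declared and
        # flushed individually.
        context 'with nftables fact not matching' do
          let(:facts) do
            super().merge(nftables: { tables: %w[inet-abc inet-ijk] })
          end

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^table inet abc \{\}$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^flush table inet abc$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^table inet ijk \{\}$})
          }

          it {
            expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
              with_content(%r{^flush table inet ijk$})
          }
        end
      end
    end
  end
end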