Merge pull request #115 from voxpupuli/release-v5.0.0

Release v5.0.0
author: Thore Bödecker <me@foxxx0.de> 2020-07-02 15:34:54 +0200
committer: GitHub <noreply@github.com> 2020-07-02 15:34:54 +0200
commit: 5929f907fd3e74150f1b84640a80d6fd5472419a (patch)
tree: 99d83798d646d6eabb901ad72e1e0d6d731cc9b2 /spec
parent: 8d967c7b915fec97846b1d6b567489646b3096a3 (diff)
parent: 3d1a935519f01a7c5ad23d54d0b997876967dbf3 (diff)
download: puppet-ferm-5929f907fd3e74150f1b84640a80d6fd5472419a.tar.gz
puppet-ferm-5929f907fd3e74150f1b84640a80d6fd5472419a.tar.bz2
7 files changed, 304 insertions, 12 deletions
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index f8f0ef4..eee01fa 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -126,14 +126,14 @@ describe 'ferm' do
           chain             => 'INPUT',
           action            => 'HTTP',
           proto             => 'tcp',
-          dport             => '80',
+          dport             => 80,
           require           => Ferm::Chain['check-http'],
         }
         ferm::rule { 'allow_http_localhost':
           chain             => 'HTTP',
           action            => 'ACCEPT',
           proto             => 'tcp',
-          dport             => '80',
+          dport             => 80,
           saddr             => '127.0.0.1',
           require           => Ferm::Chain['check-http'],
         }
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index 5e4ad69..f2601c6 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -17,7 +17,7 @@ describe 'ferm::rule', type: :define do
           {
             chain: 'INPUT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             saddr: '127.0.0.1'
           }
         end
@@ -33,7 +33,7 @@ describe 'ferm::rule', type: :define do
             policy: 'ACCEPT',
             action: 'ACCEPT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             saddr: '127.0.0.1'
           }
         end
@@ -48,7 +48,7 @@ describe 'ferm::rule', type: :define do
             chain: 'INPUT',
             policy: 'ACCEPT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             saddr: '127.0.0.1'
           }
         end
@@ -64,7 +64,7 @@ describe 'ferm::rule', type: :define do
             chain: 'INPUT',
             action: 'ACCEPT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             saddr: '127.0.0.1'
           }
         end
@@ -83,7 +83,7 @@ describe 'ferm::rule', type: :define do
             chain: 'INPUT',
             action: 'ACCEPT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             saddr: '127.0.0.1',
             interface: 'eth0'
           }
@@ -102,7 +102,7 @@ describe 'ferm::rule', type: :define do
             chain: 'INPUT',
             action: 'ACCEPT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             daddr: ['127.0.0.1', '123.123.123.123', ['10.0.0.1', '10.0.0.2']],
             interface: 'eth0'
           }
@@ -121,18 +121,97 @@ describe 'ferm::rule', type: :define do
             chain: 'INPUT',
             action: 'ACCEPT',
             proto: %w[tcp udp],
-            dport: '(8301 8302)',
+            dport: [8301, 8302],
             saddr: '127.0.0.1'
           }
         end
 
         it { is_expected.to compile.with_all_deps }
-        it { is_expected.to contain_concat__fragment('INPUT-filter-consul').with_content("mod comment comment 'filter-consul' proto (tcp udp) dport (8301 8302) saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+        it { is_expected.to contain_concat__fragment('INPUT-filter-consul').with_content("mod comment comment 'filter-consul' proto (tcp udp) mod multiport destination-ports (8301 8302) saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
         it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
         it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') }
         it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') }
       end
 
+      context 'with a valid destination-port range' do
+        let(:title) { 'filter-portrange' }
+        let :params do
+          {
+            chain: 'INPUT',
+            action: 'ACCEPT',
+            proto: 'tcp',
+            dport: '20000:25000',
+            saddr: '127.0.0.1'
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_concat__fragment('INPUT-filter-portrange').with_content("mod comment comment 'filter-portrange' proto tcp dport 20000:25000 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+        it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
+        it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') }
+        it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') }
+      end
+
+      context 'with a malformed source-port range' do
+        let(:title) { 'filter-malformed-portrange' }
+        let :params do
+          {
+            chain: 'INPUT',
+            action: 'ACCEPT',
+            proto: 'tcp',
+            sport: '25000:20000',
+            saddr: '127.0.0.1'
+          }
+        end
+
+        it { is_expected.to compile.and_raise_error(%r{Lower port number of the port range is larger than upper. 25000:20000}) }
+      end
+
+      context 'with an invalid destination-port range' do
+        let(:title) { 'filter-invalid-portrange' }
+        let :params do
+          {
+            chain: 'INPUT',
+            action: 'ACCEPT',
+            proto: 'tcp',
+            dport: '50000:65538',
+            saddr: '127.0.0.1'
+          }
+        end
+
+        it { is_expected.to compile.and_raise_error(%r{The data type should be 'Tuple\[Stdlib::Port, Stdlib::Port\]', not 'Tuple\[Integer\[50000, 50000\], Integer\[65538, 65538\]\]'. The data is \[50000, 65538\]}) }
+      end
+
+      context 'with an invalid destination-port string' do
+        let(:title) { 'filter-invalid-portnumber' }
+        let :params do
+          {
+            chain: 'INPUT',
+            action: 'ACCEPT',
+            proto: 'tcp',
+            dport: '65538',
+            saddr: '127.0.0.1'
+          }
+        end
+
+        it { is_expected.to compile.and_raise_error(%r{parameter 'dport' expects a Ferm::Port .* value, got String}) }
+      end
+
+      context 'with an invalid source-port number' do
+        let(:title) { 'filter-invalid-portnumber' }
+        let :params do
+          {
+            chain: 'INPUT',
+            action: 'ACCEPT',
+            proto: 'tcp',
+            sport: 65_538,
+            saddr: '127.0.0.1'
+          }
+        end
+
+        it { is_expected.to compile.and_raise_error(%r{parameter 'sport' expects a Ferm::Port .* value, got Integer}) }
+      end
+
       context 'with jumping to custom chains' do
         # create custom chain
         let(:pre_condition) do
@@ -149,7 +228,7 @@ describe 'ferm::rule', type: :define do
             chain: 'INPUT',
             action: 'SSH',
             proto: 'tcp',
-            dport: '22'
+            dport: 22
           }
         end
 
@@ -184,7 +263,7 @@ describe 'ferm::rule', type: :define do
             chain: 'SSH',
             action: 'ACCEPT',
             proto: 'tcp',
-            dport: '22',
+            dport: 22,
             saddr: '127.0.0.1'
           }
         end
diff --git a/spec/type_aliases/actions_spec.rb b/spec/type_aliases/actions_spec.rb
new file mode 100644
index 0000000..9c42e12
--- /dev/null
+++ b/spec/type_aliases/actions_spec.rb
@@ -0,0 +1,46 @@
+# rubocop:disable Style/WordArray, Style/TrailingCommaInLiteral
+require 'spec_helper'
+
+describe 'Ferm::Actions' do
+  describe 'valid values' do
+    [
+      'RETURN',
+      'ACCEPT',
+      'DROP',
+      'REJECT',
+      'NOTRACK',
+      'LOG',
+      'MARK',
+      'DNAT',
+      'SNAT',
+      'MASQUERADE',
+      'REDIRECT',
+      'MYFANCYCUSTOMCHAINNAMEISALSOVALID',
+    ].each do |value|
+      describe value.inspect do
+        it { is_expected.to allow_value(value) }
+      end
+    end
+  end
+
+  describe 'invalid values' do
+    context 'with garbage inputs' do
+      [
+        # :symbol, # this should not match but seems liks String[1] allows it?
+        # nil,     # this should not match but seems liks String[1] allows it?
+        '',
+        true,
+        false,
+        ['meep', 'meep'],
+        65_538,
+        [95_000, 67_000],
+        {},
+        { 'foo' => 'bar' },
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.not_to allow_value(value) }
+        end
+      end
+    end
+  end
+end
diff --git a/spec/type_aliases/policies_spec.rb b/spec/type_aliases/policies_spec.rb
new file mode 100644
index 0000000..bc45423
--- /dev/null
+++ b/spec/type_aliases/policies_spec.rb
@@ -0,0 +1,39 @@
+# rubocop:disable Style/WordArray, Style/TrailingCommaInLiteral
+require 'spec_helper'
+
+describe 'Ferm::Policies' do
+  describe 'valid values' do
+    [
+      'ACCEPT',
+      'DROP',
+    ].each do |value|
+      describe value.inspect do
+        it { is_expected.to allow_value(value) }
+      end
+    end
+  end
+
+  describe 'invalid values' do
+    context 'with garbage inputs' do
+      [
+        'RETURN',
+        'REJECT',
+        'foobar',
+        :symbol,
+        nil,
+        '',
+        true,
+        false,
+        ['meep', 'meep'],
+        65_538,
+        [95_000, 67_000],
+        {},
+        { 'foo' => 'bar' },
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.not_to allow_value(value) }
+        end
+      end
+    end
+  end
+end
diff --git a/spec/type_aliases/port_spec.rb b/spec/type_aliases/port_spec.rb
new file mode 100644
index 0000000..e2b0d43
--- /dev/null
+++ b/spec/type_aliases/port_spec.rb
@@ -0,0 +1,43 @@
+# rubocop:disable Style/WordArray, Style/TrailingCommaInLiteral
+require 'spec_helper'
+
+describe 'Ferm::Port' do
+  describe 'valid values' do
+    [
+      17,
+      65_535,
+      '25:30',
+      ':22',
+      [80, 443, 8080, 8443],
+    ].each do |value|
+      describe value.inspect do
+        it { is_expected.to allow_value(value) }
+      end
+    end
+  end
+
+  describe 'invalid values' do
+    context 'with garbage inputs' do
+      [
+        'asdf',
+        true,
+        false,
+        :symbol,
+        ['meep', 'meep'],
+        65_538,
+        [95_000, 67_000],
+        '12345',
+        '20:22:23',
+        '1024:',
+        'ネット',
+        nil,
+        {},
+        { 'foo' => 'bar' },
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.not_to allow_value(value) }
+        end
+      end
+    end
+  end
+end
diff --git a/spec/type_aliases/protocols_spec.rb b/spec/type_aliases/protocols_spec.rb
new file mode 100644
index 0000000..a067b69
--- /dev/null
+++ b/spec/type_aliases/protocols_spec.rb
@@ -0,0 +1,46 @@
+# rubocop:disable Style/WordArray, Style/TrailingCommaInLiteral
+require 'spec_helper'
+
+describe 'Ferm::Protocols' do
+  describe 'valid values' do
+    [
+      'icmp',
+      'tcp',
+      'udp',
+      'udplite',
+      'icmpv6',
+      'esp',
+      'ah',
+      'sctp',
+      'mh',
+      'all',
+      ['icmp', 'tcp', 'udp'],
+    ].each do |value|
+      describe value.inspect do
+        it { is_expected.to allow_value(value) }
+      end
+    end
+  end
+
+  describe 'invalid values' do
+    context 'with garbage inputs' do
+      [
+        :symbol,
+        nil,
+        'foobar',
+        '',
+        true,
+        false,
+        ['meep', 'meep'],
+        65_538,
+        [95_000, 67_000],
+        {},
+        { 'foo' => 'bar' },
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.not_to allow_value(value) }
+        end
+      end
+    end
+  end
+end
diff --git a/spec/type_aliases/tables_spec.rb b/spec/type_aliases/tables_spec.rb
new file mode 100644
index 0000000..eb02877
--- /dev/null
+++ b/spec/type_aliases/tables_spec.rb
@@ -0,0 +1,39 @@
+# rubocop:disable Style/WordArray, Style/TrailingCommaInLiteral
+require 'spec_helper'
+
+describe 'Ferm::Tables' do
+  describe 'valid values' do
+    [
+      'raw',
+      'mangle',
+      'nat',
+      'filter',
+    ].each do |value|
+      describe value.inspect do
+        it { is_expected.to allow_value(value) }
+      end
+    end
+  end
+
+  describe 'invalid values' do
+    context 'with garbage inputs' do
+      [
+        :symbol,
+        nil,
+        'foobar',
+        '',
+        true,
+        false,
+        ['meep', 'meep'],
+        65_538,
+        [95_000, 67_000],
+        {},
+        { 'foo' => 'bar' },
+      ].each do |value|
+        describe value.inspect do
+          it { is_expected.not_to allow_value(value) }
+        end
+      end
+    end
+  end
+end
author	Thore Bödecker <me@foxxx0.de>	2020-07-02 15:34:54 +0200
committer	GitHub <noreply@github.com>	2020-07-02 15:34:54 +0200
commit	5929f907fd3e74150f1b84640a80d6fd5472419a (patch)
tree	99d83798d646d6eabb901ad72e1e0d6d731cc9b2 /spec
parent	8d967c7b915fec97846b1d6b567489646b3096a3 (diff)
parent	3d1a935519f01a7c5ad23d54d0b997876967dbf3 (diff)
download	puppet-ferm-5929f907fd3e74150f1b84640a80d6fd5472419a.tar.gz puppet-ferm-5929f907fd3e74150f1b84640a80d6fd5472419a.tar.bz2