From 856eca997158141e084b9e8c2002d7491a4720a1 Mon Sep 17 00:00:00 2001 From: Thore Bödecker Date: Thu, 25 Jun 2020 17:07:07 +0200 Subject: use proper types and validations for port handling - implement validations for port ranges - add test cases for these scenarios --- spec/defines/rule_spec.rb | 79 ++++++++++++++++++++++++++++++++++++++++++ spec/type_aliases/port_spec.rb | 43 +++++++++++++++++++++++ 2 files changed, 122 insertions(+) create mode 100644 spec/type_aliases/port_spec.rb (limited to 'spec') diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb index b2a2abd..f2601c6 100644 --- a/spec/defines/rule_spec.rb +++ b/spec/defines/rule_spec.rb @@ -133,6 +133,85 @@ describe 'ferm::rule', type: :define do it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') } end + context 'with a valid destination-port range' do + let(:title) { 'filter-portrange' } + let :params do + { + chain: 'INPUT', + action: 'ACCEPT', + proto: 'tcp', + dport: '20000:25000', + saddr: '127.0.0.1' + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('INPUT-filter-portrange').with_content("mod comment comment 'filter-portrange' proto tcp dport 20000:25000 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") } + it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') } + it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') } + it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') } + end + + context 'with a malformed source-port range' do + let(:title) { 'filter-malformed-portrange' } + let :params do + { + chain: 'INPUT', + action: 'ACCEPT', + proto: 'tcp', + sport: '25000:20000', + saddr: '127.0.0.1' + } + end + + it { is_expected.to compile.and_raise_error(%r{Lower port number of the port range is larger than upper. 25000:20000}) } + end + + context 'with an invalid destination-port range' do + let(:title) { 'filter-invalid-portrange' } + let :params do + { + chain: 'INPUT', + action: 'ACCEPT', + proto: 'tcp', + dport: '50000:65538', + saddr: '127.0.0.1' + } + end + + it { is_expected.to compile.and_raise_error(%r{The data type should be 'Tuple\[Stdlib::Port, Stdlib::Port\]', not 'Tuple\[Integer\[50000, 50000\], Integer\[65538, 65538\]\]'. The data is \[50000, 65538\]}) } + end + + context 'with an invalid destination-port string' do + let(:title) { 'filter-invalid-portnumber' } + let :params do + { + chain: 'INPUT', + action: 'ACCEPT', + proto: 'tcp', + dport: '65538', + saddr: '127.0.0.1' + } + end + + it { is_expected.to compile.and_raise_error(%r{parameter 'dport' expects a Ferm::Port .* value, got String}) } + end + + context 'with an invalid source-port number' do + let(:title) { 'filter-invalid-portnumber' } + let :params do + { + chain: 'INPUT', + action: 'ACCEPT', + proto: 'tcp', + sport: 65_538, + saddr: '127.0.0.1' + } + end + + it { is_expected.to compile.and_raise_error(%r{parameter 'sport' expects a Ferm::Port .* value, got Integer}) } + end + context 'with jumping to custom chains' do # create custom chain let(:pre_condition) do diff --git a/spec/type_aliases/port_spec.rb b/spec/type_aliases/port_spec.rb new file mode 100644 index 0000000..e2b0d43 --- /dev/null +++ b/spec/type_aliases/port_spec.rb @@ -0,0 +1,43 @@ +# rubocop:disable Style/WordArray, Style/TrailingCommaInLiteral +require 'spec_helper' + +describe 'Ferm::Port' do + describe 'valid values' do + [ + 17, + 65_535, + '25:30', + ':22', + [80, 443, 8080, 8443], + ].each do |value| + describe value.inspect do + it { is_expected.to allow_value(value) } + end + end + end + + describe 'invalid values' do + context 'with garbage inputs' do + [ + 'asdf', + true, + false, + :symbol, + ['meep', 'meep'], + 65_538, + [95_000, 67_000], + '12345', + '20:22:23', + '1024:', + 'ネット', + nil, + {}, + { 'foo' => 'bar' }, + ].each do |value| + describe value.inspect do + it { is_expected.not_to allow_value(value) } + end + end + end + end +end -- cgit v1.2.3