require 'spec_helper_acceptance'
# Identify the system under test as "<os>-<major release>", e.g. "CentOS-6"
# or "Debian-10"; both the expected iptables output and the init-script
# handling below are keyed on this string.
os_name = fact('os.name')
os_release = fact('os.release.major')
sut_os = "#{os_name}-#{os_release}"

# CentOS 6 is the only platform on which the module is asked to manage the
# init script itself (it ships none of its own); everywhere else the
# packaged service definition is used.
manage_initfile = sut_os == 'CentOS-6'
# Rules the acceptance examples expect to find in the live ruleset:
#   [0] the tcp/22 accept rule created by the basic manifest (INPUT chain)
#   [1] the INPUT -> HTTP jump added by the custom-chains scenario
#   [2] the localhost-only tcp/80 accept inside the HTTP chain
# Debian 10 prints the `-m tcp --dport` match before the comment match and
# leaves the comment unquoted; every other platform prints the comment match
# first and may quote the comment text, hence the `["]*` wildcards. These
# strings appear to be treated as patterns by have_rule — verify against
# the serverspec/specinfra version in use before editing them.
debian10_rules = [
  '-A INPUT -p tcp -m tcp --dport 22 -m comment --comment allow_acceptance_tests -j ACCEPT',
  '-A INPUT -p tcp -m tcp --dport 80 -m comment --comment jump_http -j HTTP',
  '-A HTTP -s 127.0.0.1/32 -p tcp -m tcp --dport 80 -m comment --comment allow_http_localhost -j ACCEPT'
]
generic_rules = [
  '-A INPUT -p tcp -m comment --comment ["]*allow_acceptance_tests["]* -m tcp --dport 22 -j ACCEPT',
  '-A INPUT -p tcp -m comment --comment ["]*jump_http["]* -m tcp --dport 80 -j HTTP',
  '-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'
]
iptables_output = sut_os == 'Debian-10' ? debian10_rules : generic_rules
# Baseline manifest applied in every scenario: default policy DROP on INPUT,
# FORWARD and OUTPUT, with a single accept rule for tcp/22 (presumably so the
# acceptance harness keeps its SSH session — confirm). Only the IPv4 ruleset
# is managed because, per the inline note, CI only provides IPv4.
basic_manifest = <<~PUPPET
  class { 'ferm':
    manage_service => true,
    manage_configfile => true,
    manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script
    forward_policy => 'DROP',
    output_policy => 'DROP',
    input_policy => 'DROP',
    rules => {
      'allow_acceptance_tests' => {
        chain => 'INPUT',
        action => 'ACCEPT',
        proto => tcp,
        dport => 22,
      },
    },
    ip_versions => ['ip'], #only ipv4 available with CI
  }
PUPPET
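describe 'ferm' do
  context 'with basics settings' do
    # NOTE: RSpec runs example-group bodies at load time and the examples
    # afterwards, and a nested context's block shares this local scope. Any
    # `pp = ...` in a nested context would therefore overwrite this value
    # before the examples below ever run, so nested contexts use their own
    # variable name.
    pp = basic_manifest

    it 'works with no error' do
      apply_manifest(pp, catch_failures: true)
    end

    it 'works idempotently' do
      apply_manifest(pp, catch_changes: true)
    end

    describe package('ferm') do
      it { is_expected.to be_installed }
    end

    describe service('ferm') do
      it { is_expected.to be_running }
    end

    # All three built-in chains of the filter table must default to DROP;
    # the /m flag lets `.*` span the multi-line iptables-save output.
    describe command('iptables-save') do
      its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT DROP.*}m }
    end

    # The only inbound hole in the baseline policy is the tcp/22 accept rule.
    describe iptables do
      it do
        is_expected.to have_rule(iptables_output[0]). \
          with_table('filter'). \
          with_chain('INPUT')
      end
    end

    context 'with custom chains' do
      # Adds a user-defined HTTP chain, jumps tcp/80 traffic into it from
      # INPUT, and accepts only connections originating from 127.0.0.1.
      advanced_manifest = <<~PUPPET
        ferm::chain { 'check-http':
          chain => 'HTTP',
          disable_conntrack => true,
          log_dropped_packets => false,
        }
        ferm::rule { 'jump_http':
          chain => 'INPUT',
          action => 'HTTP',
          proto => 'tcp',
          dport => '80',
          require => Ferm::Chain['check-http'],
        }
        ferm::rule { 'allow_http_localhost':
          chain => 'HTTP',
          action => 'ACCEPT',
          proto => 'tcp',
          dport => '80',
          saddr => '127.0.0.1',
          require => Ferm::Chain['check-http'],
        }
      PUPPET

      # Deliberately not named `pp`: assigning to the outer local here would
      # make the 'with basics settings' examples apply the combined manifest
      # instead of the basic one.
      combined_pp = [basic_manifest, advanced_manifest].join("\n")

      it 'works with no error' do
        apply_manifest(combined_pp, catch_failures: true)
      end

      it 'works idempotently' do
        apply_manifest(combined_pp, catch_changes: true)
      end

      describe iptables do
        # Jump from INPUT into the custom chain for tcp/80.
        it do
          is_expected.to have_rule(iptables_output[1]). \
            with_table('filter'). \
            with_chain('INPUT')
        end

        # Inside the custom chain only 127.0.0.1/32 may reach tcp/80.
        it do
          is_expected.to have_rule(iptables_output[2]). \
            with_table('filter'). \
            with_chain('HTTP')
        end
      end
    end
  end
end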