From 1b87851b1b14e889a935444ec4ba85d6f401796a Mon Sep 17 00:00:00 2001
From: Steven Pritchard
Date: Tue, 17 Dec 2024 12:57:43 -0600
Subject: [PATCH] Additional cleanup
---
 spec/defines/rule/ah_esp_spec.rb | 56 ++++++++--------
 spec/defines/rule/all_spec.rb | 89 ++++++++++++--------------
 spec/defines/rule/icmp_spec.rb | 34 +++++-----
 spec/defines/rule/tcp_stateful_spec.rb | 34 +++++-----
 spec/defines/rule/udp_spec.rb | 34 +++++-----
 5 files changed, 111 insertions(+), 136 deletions(-)
diff --git a/spec/defines/rule/ah_esp_spec.rb b/spec/defines/rule/ah_esp_spec.rb
index 26dc406..3e849e7 100644
--- a/spec/defines/rule/ah_esp_spec.rb
+++ b/spec/defines/rule/ah_esp_spec.rb
@@ -5,9 +5,7 @@
 on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) do
- os_facts.merge({
- simplib__firewalls: ['iptables', 'firewalld']
- })
+ os_facts.merge(simplib__firewalls: ['iptables', 'firewalld'])
 end
 let(:ipv4_nets) do
@@ -33,38 +31,36 @@
 let(:params) do
 {
 protocol: 'ah',
- trusted_nets: ipv4_nets + ipv6_nets,
- order: 15
+ trusted_nets: ipv4_nets + ipv6_nets,
+ order: 15,
 }
 end
 it { is_expected.to create_simp_firewalld__rule(title) }
- it {
- is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 source: { 'ipset' => 'simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS' },
 action: 'accept',
 zone: '99_simp',
 protocol: 'ah',
- },
- )
- }
+ )
+ end
- it {
- is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 source: { 'ipset' => 'simp-07jxibAQvZRtfJna9ZG6dLvz2e' },
 action: 'accept',
 zone: '99_simp',
 protocol: 'ah',
- },
- )
- }
+ )
+ end
 end
 context 'esp with trusted_nets in CIDR format' do
@@ -72,38 +68,36 @@
 let(:params) do
 {
 protocol: 'esp',
- trusted_nets: ipv4_nets + ipv6_nets,
- order: 15
+ trusted_nets: ipv4_nets + ipv6_nets,
+ order: 15,
 }
 end
 it { is_expected.to create_simp_firewalld__rule(title) }
- it {
- is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 source: { 'ipset' => 'simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS' },
 action: 'accept',
 zone: '99_simp',
 protocol: 'esp',
- },
- )
- }
+ )
+ end
- it {
- is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_15_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 source: { 'ipset' => 'simp-07jxibAQvZRtfJna9ZG6dLvz2e' },
 action: 'accept',
 zone: '99_simp',
 protocol: 'esp',
- },
- )
- }
+ )
+ end
 end
 end
 end
diff --git a/spec/defines/rule/all_spec.rb b/spec/defines/rule/all_spec.rb
index 901eb5b..85d9f30 100644
--- a/spec/defines/rule/all_spec.rb
+++ b/spec/defines/rule/all_spec.rb
@@ -15,9 +15,7 @@
 on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) do
- os_facts.merge({
- simplib__firewalls: ['iptables', 'firewalld']
- })
+ os_facts.merge(simplib__firewalls: ['iptables', 'firewalld'])
 end
 let(:ipv4_nets) do
@@ -51,20 +49,19 @@
 let(:params) do
 {
 protocol: 'all',
- trusted_nets: ipv4_nets + hostnames + ipv6_nets
+ trusted_nets: ipv4_nets + hostnames + ipv6_nets,
 }
 end
 it { is_expected.to compile.with_all_deps }
- it {
- is_expected.to create_notify("simp_firewalld::rule[#{title}] - hostname warning").with(
- {
+ it do
+ is_expected.to create_notify("simp_firewalld::rule[#{title}] - hostname warning")
+ .with(
 message: %r{foo\.bar\.baz, i\.like\.cheese},
 withpath: true,
- loglevel: 'warning'
- },
- )
- }
+ loglevel: 'warning',
+ )
+ end
 end
 context "with '0.0.0.0/0' in the address list" do
@@ -74,7 +71,7 @@
 let(:params) do
 {
 protocol: 'all',
- trusted_nets: ipv4_nets + ['0.0.0.0/0']
+ trusted_nets: ipv4_nets + ['0.0.0.0/0'],
 }
 end
@@ -84,32 +81,30 @@
 it { is_expected.not_to create_firewalld_service("simp_all_#{title}") }
 it { is_expected.not_to create_firewalld_ipset('simp-JLn9X7BmpTacRGDKNCKSeIJhbZ') }
 it { is_expected.not_to create_firewalld_ipset('simp-siFVMk3fjxaKSgTnYmVONaUP7g') }
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-JLn9X7BmpTacRGDKNCKSeIJhbZ").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-JLn9X7BmpTacRGDKNCKSeIJhbZ")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 source: '0.0.0.0/0',
 service: nil,
 action: 'accept',
 zone: '99_simp',
- require: 'Service[firewalld]'
- },
- )
- }
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-siFVMk3fjxaKSgTnYmVONaUP7g").with(
- {
+ require: 'Service[firewalld]',
+ )
+ end
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-siFVMk3fjxaKSgTnYmVONaUP7g")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 source: '::/0',
 service: nil,
 action: 'accept',
 zone: '99_simp',
- require: 'Service[firewalld]'
- },
- )
- }
+ require: 'Service[firewalld]',
+ )
+ end
 end
 context 'IPv4 only' do
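Review bot: The two positive expectations in the `@@ -84,32 +81,30 @@` hunk are undocumented: they require an IPv6 accept rule with `source: '::/0'`, while the params in the preceding hunk list only `'0.0.0.0/0'` and set no `apply_to`. If that widening from "any IPv4" to "any IPv6" is the intended contract of the define, the spec should say so, because it is the only place a reader learns that one IPv4 wildcard opens the rule to every IPv6 source as well. A one-line comment above the second `it do` would do, for example `# '0.0.0.0/0' is treated as "any address": the rule is expected for both families`. I am assuming both hunks sit in the same `context "with '0.0.0.0/0' in the address list"`; its opening lines are outside this hunk.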
@@ -118,24 +113,23 @@
 let(:params) do
 {
 protocol: 'all',
- trusted_nets: ipv4_nets + ['0.0.0.0/0'],
- apply_to: 'ipv4'
+ trusted_nets: ipv4_nets + ['0.0.0.0/0'],
+ apply_to: 'ipv4',
 }
 end
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-JLn9X7BmpTacRGDKNCKSeIJhbZ").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-JLn9X7BmpTacRGDKNCKSeIJhbZ")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 source: '0.0.0.0/0',
 service: nil,
 action: 'accept',
 zone: '99_simp',
- require: 'Service[firewalld]'
- },
- )
- }
+ require: 'Service[firewalld]',
+ )
+ end
 it { is_expected.not_to create_firewalld_rich_rule("simp_11_#{title}_simp-siFVMk3fjxaKSgTnYmVONaUP7g") }
 end
@@ -146,24 +140,23 @@
 let(:params) do
 {
 protocol: 'all',
- trusted_nets: ipv4_nets + ['::/0'],
- apply_to: 'ipv6'
+ trusted_nets: ipv4_nets + ['::/0'],
+ apply_to: 'ipv6',
 }
 end
- it {
- is_expected.not_to create_firewalld_rich_rule("simp_11_#{title}_simp-siFVMk3fjxaKSgTnYmVONaUP7g").with(
- {
+ it do
+ is_expected.not_to create_firewalld_rich_rule("simp_11_#{title}_simp-siFVMk3fjxaKSgTnYmVONaUP7g")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 source: '[::]/0',
 service: nil,
 action: 'accept',
 zone: 'simp',
- require: 'Service[firewalld]'
- },
- )
- }
+ require: 'Service[firewalld]',
+ )
+ end
 it { is_expected.not_to create_firewalld_rich_rule("simp_11_#{title}_simp-JLn9X7BmpTacRGDKNCKSeIJhbZ") }
 end
@@ -174,8 +167,8 @@
 let(:params) do
 {
 protocol: 'all',
- trusted_nets: ipv4_nets,
- apply_to: 'ipv6'
+ trusted_nets: ipv4_nets,
+ apply_to: 'ipv6',
 }
 end
@@ -190,8 +183,8 @@
 let(:params) do
 {
 protocol: 'all',
- trusted_nets: ipv6_nets,
- apply_to: 'ipv4'
+ trusted_nets: ipv6_nets,
+ apply_to: 'ipv4',
 }
 end
diff --git a/spec/defines/rule/icmp_spec.rb b/spec/defines/rule/icmp_spec.rb
index fd31eb5..60acb92 100644
--- a/spec/defines/rule/icmp_spec.rb
+++ b/spec/defines/rule/icmp_spec.rb
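Review bot: The negated expectation carried over in the `@@ -146,24 +140,23 @@` hunk (`is_expected.not_to create_firewalld_rich_rule(...siFVMk3fjxaKSgTnYmVONaUP7g") .with(...)`) does not pin whether the wildcard IPv6 accept rule exists. As far as I can tell, a negated rspec-puppet matcher with `.with` is satisfied when the resource is absent and also when any one listed attribute differs, and this one lists `source: '[::]/0'` and `zone: 'simp'` where every other expectation in the file uses `'::/0'` and `'99_simp'`. The example therefore passes whether or not an accept rule for all IPv6 sources lands in the catalogue with `apply_to: 'ipv6'`. Assert the intended outcome directly: either drop the `.with(...)` so the line reads `is_expected.not_to create_firewalld_rich_rule("simp_11_#{title}_simp-siFVMk3fjxaKSgTnYmVONaUP7g")`, or make it a positive `is_expected.to` with `source: '::/0'` and `zone: '99_simp'`. The enclosing context opens outside the hunk, so the intent has to be confirmed against the define.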
@@ -5,9 +5,7 @@
 on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) do
- os_facts.merge({
- simplib__firewalls: ['iptables', 'firewalld']
- })
+ os_facts.merge(simplib__firewalls: ['iptables', 'firewalld'])
 end
 let(:ipv4_nets) do
@@ -33,38 +31,36 @@
 let(:params) do
 {
 protocol: 'icmp',
- icmp_blocks: '8',
- trusted_nets: ipv4_nets + ipv6_nets
+ icmp_blocks: '8',
+ trusted_nets: ipv4_nets + ipv6_nets,
 }
 end
 it { is_expected.to create_simp_firewalld__rule(title) }
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 icmp_block: ['8'],
 source: { 'ipset' => 'simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS' },
 action: 'accept',
- zone: '99_simp'
- },
- )
- }
+ zone: '99_simp',
+ )
+ end
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 icmp_block: ['8'],
 source: { 'ipset' => 'simp-07jxibAQvZRtfJna9ZG6dLvz2e' },
 action: 'accept',
- zone: '99_simp'
- },
- )
- }
+ zone: '99_simp',
+ )
+ end
 end
 end
 end
diff --git a/spec/defines/rule/tcp_stateful_spec.rb b/spec/defines/rule/tcp_stateful_spec.rb
index f3abb80..403104e 100644
--- a/spec/defines/rule/tcp_stateful_spec.rb
+++ b/spec/defines/rule/tcp_stateful_spec.rb
@@ -5,9 +5,7 @@
 on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) do
- os_facts.merge({
- simplib__firewalls: ['iptables', 'firewalld']
- })
+ os_facts.merge(simplib__firewalls: ['iptables', 'firewalld'])
 end
 let(:ipv4_nets) do
@@ -34,38 +32,36 @@
 let(:params) do
 {
 protocol: 'tcp',
- trusted_nets: ipv4_nets + ipv6_nets,
- dports: [1234, '234:567']
+ trusted_nets: ipv4_nets + ipv6_nets,
+ dports: [1234, '234:567'],
 }
 end
 it { is_expected.to create_simp_firewalld__rule(title).with_dports(params[:dports]) }
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 source: { 'ipset' => 'simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS' },
 service: "simp_#{title}",
 action: 'accept',
- zone: '99_simp'
- },
- )
- }
+ zone: '99_simp',
+ )
+ end
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 source: { 'ipset' => 'simp-07jxibAQvZRtfJna9ZG6dLvz2e' },
 service: "simp_#{title}",
 action: 'accept',
- zone: '99_simp'
- },
- )
- }
+ zone: '99_simp',
+ )
+ end
 end
 end
 end
diff --git a/spec/defines/rule/udp_spec.rb b/spec/defines/rule/udp_spec.rb
index 0044aac..64b5128 100644
--- a/spec/defines/rule/udp_spec.rb
+++ b/spec/defines/rule/udp_spec.rb
@@ -5,9 +5,7 @@
 on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) do
- os_facts.merge({
- simplib__firewalls: ['iptables', 'firewalld']
- })
+ os_facts.merge(simplib__firewalls: ['iptables', 'firewalld'])
 end
 let(:ipv4_nets) do
@@ -34,38 +32,36 @@
 let(:params) do
 {
 protocol: 'udp',
- trusted_nets: ipv4_nets + ipv6_nets,
- dports: [1234, '234:567']
+ trusted_nets: ipv4_nets + ipv6_nets,
+ dports: [1234, '234:567'],
 }
 end
 it { is_expected.to create_simp_firewalld__rule(title).with_dports(params[:dports]) }
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS")
+ .with(
 ensure: 'present',
 family: 'ipv4',
 source: { 'ipset' => 'simp-CmxLn8c8yuIQ2VyzgvzR4yi8TS' },
 service: "simp_#{title}",
 action: 'accept',
- zone: '99_simp'
- },
- )
- }
+ zone: '99_simp',
+ )
+ end
- it {
- is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e").with(
- {
+ it do
+ is_expected.to create_firewalld_rich_rule("simp_11_#{title}_simp-07jxibAQvZRtfJna9ZG6dLvz2e")
+ .with(
 ensure: 'present',
 family: 'ipv6',
 source: { 'ipset' => 'simp-07jxibAQvZRtfJna9ZG6dLvz2e' },
 service: "simp_#{title}",
 action: 'accept',
- zone: '99_simp'
- },
- )
- }
+ zone: '99_simp',
+ )
+ end
 end
 end
 end