Просмотр исходного кода

Merge pull request #42 from myii/test/verify-yaml_dump

test: verify map output using `yaml_dump`
tags/v0.10.1
Imran Iqbal 4 лет назад
Родитель
Сommit
51873948c2
Аккаунт пользователя с таким Email не найден
4 измененных файлов: 187 добавлений и 0 удалений
  1. +16
    -0
      firewalld/yaml_dump/init.sls
  2. +4
    -0
      firewalld/yaml_dump/yaml_dump.jinja
  3. +1
    -0
      kitchen.yml
  4. +166
    -0
      test/integration/default/controls/yaml_dump_spec.rb

+ 16
- 0
firewalld/yaml_dump/init.sls Просмотреть файл

@@ -0,0 +1,16 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}

{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}

yaml-dump-{{ tplroot }}:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
- template: jinja
- context:
map: {{ map | yaml }}

+ 4
- 0
firewalld/yaml_dump/yaml_dump.jinja Просмотреть файл

@@ -0,0 +1,4 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
---
{{ map|yaml(False)|trim }}

+ 1
- 0
kitchen.yml Просмотреть файл

@@ -160,6 +160,7 @@ suites:
state_top:
base:
'*':
- firewalld.yaml_dump
- firewalld
pillars:
top.sls:

+ 166
- 0
test/integration/default/controls/yaml_dump_spec.rb Просмотреть файл

@@ -0,0 +1,166 @@
# frozen_string_literal: true

control 'firewalld `map.jinja` YAML dump' do
title 'should contain the lines'

yaml_dump = "---\n"
yaml_dump += <<~YAML_DUMP.chomp
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: '0'
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
passthrough:
MYPASSTHROUGH:
ipv: ipv4
args: -t raw -A MYCHAIN -j DROP
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: hash:ip
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
fail2ban-ssh-ipv6:
short: fail2ban-ssh-ipv6
description: fail2ban-ssh-ipv6 ipset
type: hash:ip
options:
family:
- inet6
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 2a01::1
package: firewalld
service: firewalld
services:
sshcustom:
short: sshcustom
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
into and executing commands on remote machines. It provides secure encrypted
communications. If you plan on accessing your machine remotely via SSH over
a firewalled interface, enable this option. You need the openssh-server package
installed for this option to be useful.
ports:
tcp:
- 3232
- 5252
modules:
- some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: zabbix custom rule
ports:
tcp:
- '10051'
salt-minion:
short: salt-minion
description: salt-minion
ports:
tcp:
- '8000'
zones:
public:
short: Public
description: For use in public areas. You do not trust the other computers on
networks to not harm your computer. Only selected incoming connections are accepted.
services:
- http
- https
- ssh
- salt-minion
other_services:
- zabbixcustom
protocols:
- igmp
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
short: rich_public
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
YAML_DUMP

describe file('/tmp/salt_yaml_dump.yaml') do
its('content') { should include yaml_dump }
end
end

Загрузка…
Отмена
Сохранить