diff --git a/lib/resources/iptables.rb b/lib/resources/iptables.rb
index 8ee8201ef..494e8ed09 100644
--- a/lib/resources/iptables.rb
+++ b/lib/resources/iptables.rb
@@ -31,8 +31,8 @@ class IpTables < Inspec.resource(1)
 "
 def initialize(params = {})
- @table = params[:table] || nil
- @chain = params[:chain] || nil
+ @table = params[:table]
+ @chain = params[:chain]
 # we're done if we are on linux
 return if inspec.os.linux?
@@ -43,29 +43,26 @@ class IpTables < Inspec.resource(1)
 end
 def has_rule?(rule = nil, _table = nil, _chain = nil)
- found = false
- retrieve_rules.each { |line|
- # checks if the rule is part of the ruleset
- # for now, we expect an excact match
- found = true if line.casecmp(rule) == 0
- }
- found
+ # checks if the rule is part of the ruleset
+ # for now, we expect an exact match
+ retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
 end
 def retrieve_rules
 return @iptables_cache if defined?(@iptables_cache)
 # construct iptables command to read all rules
- @table.nil? ? table_cmd = '' : table_cmd = " -t #{@table} "
- @chain.nil? ? chain_cmd = '' : chain_cmd = " #{@chain}"
- cmd = inspec.command(format('iptables %s -S %s', table_cmd, chain_cmd).strip)
+ table_cmd = "-t #{@table}" if @table
+ iptables_cmd = format('iptables %s -S %s', table_cmd, @chain).strip
+
+ cmd = inspec.command(iptables_cmd)
 return [] if cmd.exit_status.to_i != 0
 # split rules, returns array or rules
- @iptables_cache = cmd.stdout.chomp.split("\n")
+ @iptables_cache = cmd.stdout.split("\n").map(&:strip)
 end
 def to_s
- format('Iptables %s %s', @table.nil? ? '' : "table: #{@table}", @chain.nil? ? '' : "chain: #{@chain}").strip
+ format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
 end
 end
diff --git a/test/integration/cookbooks/os_prepare/recipes/default.rb b/test/integration/cookbooks/os_prepare/recipes/default.rb
index a4296ad68..e214fae37 100644
--- a/test/integration/cookbooks/os_prepare/recipes/default.rb
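Review bot: In retrieve_rules, `@table` and `@chain` are interpolated unquoted into the `iptables` command string, so a table or chain value containing whitespace or shell metacharacters changes the command that actually runs; these values come from the resource's params in profile code, so this is a robustness issue rather than an exposed attack surface, but the resource should still constrain them, e.g. `raise ArgumentError, 'invalid iptables table/chain name' unless [@table, @chain].compact.all? { |v| v =~ /\A[\w.-]+\z/ }` at the top of retrieve_rules, or escape them with `Shellwords.escape`. has_rule? keeps the `rule = nil` default, but `line.casecmp(nil)` can never match (it raises TypeError on older Rubies and returns nil on newer ones), so either drop the default or add `return false if rule.nil?` before the `any?`. Also note that casecmp makes the comparison case-insensitive while iptables chain names and `--comment` values are case-sensitive, so a control can pass against a rule that differs only in case; document this on has_rule? or switch to `==` if the "exact match" the comment promises is intended.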
+++ b/test/integration/cookbooks/os_prepare/recipes/default.rb
@@ -11,6 +11,7 @@ include_recipe('os_prepare::mount')
 include_recipe('os_prepare::service')
 include_recipe('os_prepare::package')
 include_recipe('os_prepare::registry_key')
+include_recipe('os_prepare::iptables')
 # configure repos, eg. nginx
 include_recipe('os_prepare::apt')
diff --git a/test/integration/cookbooks/os_prepare/recipes/iptables.rb b/test/integration/cookbooks/os_prepare/recipes/iptables.rb
new file mode 100644
index 000000000..c9121d72d
--- /dev/null
+++ b/test/integration/cookbooks/os_prepare/recipes/iptables.rb
@@ -0,0 +1,13 @@
+# encoding: utf-8
+# author: Stephan Renatus
+
+case node['platform']
+when 'ubuntu', 'rhel', 'centos', 'fedora'
+ execute 'iptables -A INPUT -i eth0 -p tcp -m tcp '\ '--dport 80 -m state --state NEW -m comment '\ '--comment "http on 80" -j ACCEPT'
+ execute 'iptables -N derby-cognos-web'
+ execute 'iptables -A INPUT -j derby-cognos-web'
+ execute 'iptables -A derby-cognos-web -p tcp -m tcp --dport 80 '\ '-m comment --comment "derby-cognos-web" -j ACCEPT'
+end
diff --git a/test/integration/test/integration/default/iptables_spec.rb b/test/integration/test/integration/default/iptables_spec.rb
new file mode 100644
index 000000000..1bf0008da
--- /dev/null
+++ b/test/integration/test/integration/default/iptables_spec.rb
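Review bot: The new iptables recipe is not idempotent: `execute 'iptables -N derby-cognos-web'` exits non-zero with "Chain already exists" on a second converge and fails the run, and each `-A` execute appends a duplicate rule every time it runs. Guard the chain creation with `not_if 'iptables -L derby-cognos-web -n'` and guard the appends with an `iptables -C ...` check where the installed iptables supports `-C` (older CentOS 6 builds may not), or have the recipe flush its own chain before repopulating it. For a throwaway test box this only shows up on re-converge, but it makes the fixture fragile for local iteration.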
@@ -0,0 +1,25 @@
+# encoding: utf-8
+
+case os[:family]
+when 'ubuntu', 'fedora'
+ describe iptables do
+ it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+ it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+
+ # single-word comments have their quotes dropped
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+ end
+when 'rhel', 'centos'
+ describe iptables do
+ it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+ it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+ end
+
+ describe iptables do
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
+ end if os[:release] == 6
+
+ describe iptables do
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+ end if os[:release] == 7
+end
diff --git a/test/unit/mock/cmd/iptables-s b/test/unit/mock/cmd/iptables-s
index 57a642322..c86c36d30 100644
--- a/test/unit/mock/cmd/iptables-s
+++ b/test/unit/mock/cmd/iptables-s
@@ -3,4 +3,4 @@
 -P OUTPUT ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
--A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT
diff --git a/test/unit/resources/iptables_test.rb b/test/unit/resources/iptables_test.rb
index 64bb8bf54..2bcc5428b 100644
--- a/test/unit/resources/iptables_test.rb
+++ b/test/unit/resources/iptables_test.rb
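Review bot: The two release-gated describe blocks at the end of the rhel/centos branch compare `os[:release]` with the Integers 6 and 7; if InSpec reports the release as a String (e.g. '6.8' or '7.2.1511'), neither `== 6` nor `== 7` is ever true and the derby-cognos-web rule is silently never checked on those platforms. Compare on the major version explicitly, e.g. `end if os[:release].to_i == 6` and `end if os[:release].to_i == 7`, or use `os[:release].start_with?('6')`. The same `have_rule` strings are repeated in both branches; pulling them into frozen constants at the top of the file would keep the ubuntu/fedora and rhel/centos expectations from drifting apart.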
@@ -14,6 +14,11 @@ describe 'Inspec::Resources::Iptables' do
 _(resource.has_rule?('-P OUTPUT DROP')).must_equal false
 end
+ it 'verify iptables with comments on ubuntu' do
+ resource = MockLoader.new(:ubuntu1404).load_resource('iptables')
+ _(resource.has_rule?('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT')).must_equal true
+ end
+
 it 'verify iptables on windows' do
 resource = MockLoader.new(:windows).load_resource('iptables')
 _(resource.has_rule?('-P OUTPUT ACCEPT')).must_equal false