From e184347c6d3bd6344b4db1376dda09c484b7d74f Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Tue, 9 Feb 2016 16:53:25 +0100
Subject: [PATCH 1/6] iptables unit test: add comment examples
this is not broken; but it should stay not broken ;)
---
 test/unit/mock/cmd/iptables-s | 2 +-
 test/unit/resources/iptables_test.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/test/unit/mock/cmd/iptables-s b/test/unit/mock/cmd/iptables-s
index 57a642322..c86c36d30 100644
--- a/test/unit/mock/cmd/iptables-s
+++ b/test/unit/mock/cmd/iptables-s
@@ -3,4 +3,4 @@
 -P OUTPUT ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
--A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT
diff --git a/test/unit/resources/iptables_test.rb b/test/unit/resources/iptables_test.rb
index 64bb8bf54..2bcc5428b 100644
--- a/test/unit/resources/iptables_test.rb
+++ b/test/unit/resources/iptables_test.rb
@@ -14,6 +14,11 @@ describe 'Inspec::Resources::Iptables' do
 _(resource.has_rule?('-P OUTPUT DROP')).must_equal false
 end
+ it 'verify iptables with comments on ubuntu' do
+ resource = MockLoader.new(:ubuntu1404).load_resource('iptables')
+ _(resource.has_rule?('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT')).must_equal true
+ end
+
 it 'verify iptables on windows' do
 resource = MockLoader.new(:windows).load_resource('iptables')
 _(resource.has_rule?('-P OUTPUT ACCEPT')).must_equal false
From 81f149fd14e253150c95921bfabc8f87a39ac1f7 Mon Sep 17 00:00:00 2001
From: Stephan Renatus Date: Tue, 9 Feb 2016 17:10:23 +0100 Subject: [PATCH 2/6] iptables: add integration theses --- .../cookbooks/os_prepare/recipes/default.rb | 1 + .../cookbooks/os_prepare/recipes/iptables.rb | 13 +++++++++++++ .../test/integration/default/iptables_spec.rb | 12 ++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 test/integration/cookbooks/os_prepare/recipes/iptables.rb create mode 100644 test/integration/test/integration/default/iptables_spec.rb diff --git a/test/integration/cookbooks/os_prepare/recipes/default.rb b/test/integration/cookbooks/os_prepare/recipes/default.rb index a4296ad68..e214fae37 100644 --- a/test/integration/cookbooks/os_prepare/recipes/default.rb +++ b/test/integration/cookbooks/os_prepare/recipes/default.rb @@ -11,6 +11,7 @@ include_recipe('os_prepare::mount') include_recipe('os_prepare::service') include_recipe('os_prepare::package') include_recipe('os_prepare::registry_key') +include_recipe('os_prepare::iptables') # configure repos, eg. nginx include_recipe('os_prepare::apt') diff --git a/test/integration/cookbooks/os_prepare/recipes/iptables.rb b/test/integration/cookbooks/os_prepare/recipes/iptables.rb new file mode 100644 index 000000000..c9121d72d --- /dev/null +++ b/test/integration/cookbooks/os_prepare/recipes/iptables.rb @@ -0,0 +1,13 @@ +# encoding: utf-8 +# author: Stephan Renatus + +case node['platform'] +when 'ubuntu', 'rhel', 'centos', 'fedora' + execute 'iptables -A INPUT -i eth0 -p tcp -m tcp '\ + '--dport 80 -m state --state NEW -m comment '\ + '--comment "http on 80" -j ACCEPT' + execute 'iptables -N derby-cognos-web' + execute 'iptables -A INPUT -j derby-cognos-web' + execute 'iptables -A derby-cognos-web -p tcp -m tcp --dport 80 '\ + '-m comment --comment "derby-cognos-web" -j ACCEPT' +end diff --git a/test/integration/test/integration/default/iptables_spec.rb b/test/integration/test/integration/default/iptables_spec.rb new file mode 100644 index 000000000..32c3b8a8e --- /dev/null 
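Review bot: The four `execute` resources in the new `iptables.rb` recipe are not idempotent: a second converge appends duplicate `-A INPUT` rules, and `iptables -N derby-cognos-web` exits non-zero once the chain exists, which fails the Chef run instead of leaving the fixture in place. Each `execute` should carry a guard, e.g. `not_if 'iptables -S derby-cognos-web'` on the `-N` line (it exits 1 while the chain is absent) and `not_if "iptables -S INPUT | grep -q -- '-j derby-cognos-web'"` on the jump rule; `iptables -C` would be neater but is not available on the CentOS 6 iptables this series also targets, as far as I recall. The ACCEPT rules on port 80 are harmless on a throwaway kitchen VM, but `-i eth0` is an assumption about the box images, so a one-line comment such as `# kitchen images expose their single NIC as eth0` would make the dependency explicit. The recipe body is entirely inside the hunk.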
+++ b/test/integration/test/integration/default/iptables_spec.rb
@@ -0,0 +1,12 @@
+# encoding: utf-8
+
+case os[:family]
+when 'ubuntu', 'rhel', 'centos', 'fedora'
+ describe iptables do
+ it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+ it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+
+ # single-word comments have their quotes dropped
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+ end
+end
From cdad6e63c3782c769b02ac576fa28bda03a8a5bd Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Tue, 9 Feb 2016 17:27:43 +0100
Subject: [PATCH 3/6] iptables: some simplifications
---
 lib/resources/iptables.rb | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/lib/resources/iptables.rb b/lib/resources/iptables.rb
index 8ee8201ef..f3937232c 100644
--- a/lib/resources/iptables.rb
+++ b/lib/resources/iptables.rb
@@ -31,8 +31,8 @@ class IpTables < Inspec.resource(1)
 "
 def initialize(params = {})
- @table = params[:table] || nil
- @chain = params[:chain] || nil
+ @table = params[:table]
+ @chain = params[:chain]
 # we're done if we are on linux
 return if inspec.os.linux?
@@ -43,22 +43,19 @@ class IpTables < Inspec.resource(1)
 end
 def has_rule?(rule = nil, _table = nil, _chain = nil)
- found = false
- retrieve_rules.each { |line|
- # checks if the rule is part of the ruleset
- # for now, we expect an excact match
- found = true if line.casecmp(rule) == 0
- }
- found
+ # checks if the rule is part of the ruleset
+ # for now, we expect an exact match
+ retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
 end
 def retrieve_rules
 return @iptables_cache if defined?(@iptables_cache)
 # construct iptables command to read all rules
- @table.nil? ? table_cmd = '' : table_cmd = " -t #{@table} "
- @chain.nil? ? chain_cmd = '' : chain_cmd = " #{@chain}"
- cmd = inspec.command(format('iptables %s -S %s', table_cmd, chain_cmd).strip)
+ table_cmd = "-t #{@table}" if @table
+ iptables_cmd = format('iptables %s -S %s', table_cmd, @chain).strip
+
+ cmd = inspec.command(iptables_cmd)
 return [] if cmd.exit_status.to_i != 0
 # split rules, returns array or rules
@@ -66,6 +63,6 @@ class IpTables < Inspec.resource(1)
 end
 def to_s
- format('Iptables %s %s', @table.nil? ? '' : "table: #{@table}", @chain.nil? ? '' : "chain: #{@chain}").strip
+ format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
 end
 end
From 4ffc72bf93521a38da6cf3b37b89bf10cba2d3a6 Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Tue, 9 Feb 2016 19:02:39 +0100
Subject: [PATCH 4/6] iptables integration test: split according to platform
centos puts quotes where ubuntu drops them
---
 .../integration/test/integration/default/iptables_spec.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/test/integration/test/integration/default/iptables_spec.rb b/test/integration/test/integration/default/iptables_spec.rb
index 32c3b8a8e..741061844 100644
--- a/test/integration/test/integration/default/iptables_spec.rb
+++ b/test/integration/test/integration/default/iptables_spec.rb
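Review bot: `retrieve_rules` still splices `@table` and `@chain` into the command string unescaped (`table_cmd = "-t #{@table}" if @table` and `format('iptables %s -S %s', table_cmd, @chain)`), so a value containing whitespace or shell metacharacters changes what `inspec.command` runs; the old code had the same shape, but this rewrite is the place to tighten it. The values come from the profile author and are trusted today, yet the resource should either escape them (`require 'shellwords'` at the top of the file, then `Shellwords.escape(@chain)`) or reject anything that does not look like an iptables name with a conservative allow-list such as `raise ArgumentError, "invalid chain name: #{@chain}" unless @chain.nil? || @chain =~ /\A[\w.-]+\z/`. In `has_rule?`, the `rule = nil` default is misleading because `casecmp` cannot compare against nil (a TypeError on the Rubies of this era), and the `_table`/`_chain` parameters are accepted but silently ignored; a docstring stating `# rule must be the exact text iptables -S prints for it; table/chain are taken from the resource, not from these arguments` would save callers a surprise. Both methods close inside the hunk; the class body continues past it.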
@@ -1,7 +1,7 @@
 # encoding: utf-8
 case os[:family]
-when 'ubuntu', 'rhel', 'centos', 'fedora'
+when 'ubuntu', 'fedora'
 describe iptables do
 it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
 it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
@@ -9,4 +9,10 @@ when 'ubuntu', 'rhel', 'centos', 'fedora'
 # single-word comments have their quotes dropped
 it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
 end
+when 'rhel', 'centos'
+ describe iptables do
+ it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+ it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
+ end
 end
From ac2584f51d651e3dbb052f728c030258ac944716 Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Tue, 9 Feb 2016 19:03:31 +0100
Subject: [PATCH 5/6] iptables: strip lines if `iptables -S` output
As it turns out, some of the lines on CentOS 6 had a trailing space in it. Fixes #420.
---
 lib/resources/iptables.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/resources/iptables.rb b/lib/resources/iptables.rb
index f3937232c..494e8ed09 100644
--- a/lib/resources/iptables.rb
+++ b/lib/resources/iptables.rb
@@ -59,7 +59,7 @@ class IpTables < Inspec.resource(1)
 return [] if cmd.exit_status.to_i != 0
 # split rules, returns array or rules
- @iptables_cache = cmd.stdout.chomp.split("\n")
+ @iptables_cache = cmd.stdout.split("\n").map(&:strip)
 end
 def to_s
From 7815cefdedf79185be9bb3ae060130a4bf122478 Mon Sep 17 00:00:00 2001
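Review bot: Stripping only the `iptables -S` output leaves the comparison asymmetric: entries in `@iptables_cache` are now trimmed, but the `rule` argument that `has_rule?` (outside this hunk) hands to `casecmp` is not, so a profile rule with a stray trailing space still misses. Apply the same normalization on the expected side, `line.casecmp(rule.strip) == 0`, or strip once at the top of `has_rule?`. Since the strip exists for a specific platform quirk, the comment above the changed line should say so instead of the generic `# split rules, returns array or rules`, e.g. `# one rule per line; strip because CentOS 6 prints trailing spaces on some rules (#420)`. `retrieve_rules` ends inside the hunk; `to_s` continues past it.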
From: Stephan Renatus
Date: Tue, 9 Feb 2016 19:18:48 +0100
Subject: [PATCH 6/6] iptables: adapt integration tests
_Only_ CentOS 6 does not strip the quotes from comments.
---
 .../test/integration/default/iptables_spec.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/test/integration/test/integration/default/iptables_spec.rb b/test/integration/test/integration/default/iptables_spec.rb
index 741061844..1bf0008da 100644
--- a/test/integration/test/integration/default/iptables_spec.rb
+++ b/test/integration/test/integration/default/iptables_spec.rb
@@ -13,6 +13,13 @@ when 'rhel', 'centos'
 describe iptables do
 it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
 it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
 end
+
+ describe iptables do
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
+ end if os[:release] == 6
+
+ describe iptables do
+ it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+ end if os[:release] == 7
 end
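Review bot: The guards `end if os[:release] == 6` and `end if os[:release] == 7` compare against Integers, but `os[:release]` is, as far as I know, a version string such as "6.7" or "7.2.1511" (worth confirming against the InSpec platform data), so both comparisons are always false and neither `describe iptables` block is ever evaluated; the quoted-versus-unquoted split this commit introduces would then be untested on every RHEL-family box. Use `end if os[:release].to_i == 6` and `end if os[:release].to_i == 7`, or `os[:release].start_with?('6.')`, so the blocks actually run. A short comment above the pair carrying the commit message's point, `# iptables on CentOS 6 keeps the quotes around single-word comments; 7 drops them`, would spare the next reader a bisect.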