Merge pull request #442 from chef/sr/fix-420

Fix iptables on CentOS6 + more tests for iptables (plus small code improvements)
Dominik Richter 2016-02-10 10:02:45 +01:00
commit 575953b00c
6 changed files with 56 additions and 15 deletions


@ -31,8 +31,8 @@ class IpTables < Inspec.resource(1)
" "
def initialize(params = {}) def initialize(params = {})
@table = params[:table] || nil @table = params[:table]
@chain = params[:chain] || nil @chain = params[:chain]
# we're done if we are on linux # we're done if we are on linux
return if inspec.os.linux? return if inspec.os.linux?
@ -43,29 +43,26 @@ class IpTables < Inspec.resource(1)
end end
def has_rule?(rule = nil, _table = nil, _chain = nil) def has_rule?(rule = nil, _table = nil, _chain = nil)
found = false # checks if the rule is part of the ruleset
retrieve_rules.each { |line| # for now, we expect an exact match
# checks if the rule is part of the ruleset retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
# for now, we expect an excact match
found = true if line.casecmp(rule) == 0
}
found
end end
def retrieve_rules def retrieve_rules
return @iptables_cache if defined?(@iptables_cache) return @iptables_cache if defined?(@iptables_cache)
# construct iptables command to read all rules # construct iptables command to read all rules
@table.nil? ? table_cmd = '' : table_cmd = " -t #{@table} " table_cmd = "-t #{@table}" if @table
@chain.nil? ? chain_cmd = '' : chain_cmd = " #{@chain}" iptables_cmd = format('iptables %s -S %s', table_cmd, @chain).strip
cmd = inspec.command(format('iptables %s -S %s', table_cmd, chain_cmd).strip)
cmd = inspec.command(iptables_cmd)
return [] if cmd.exit_status.to_i != 0 return [] if cmd.exit_status.to_i != 0
# split rules, returns array or rules # split rules, returns array or rules
@iptables_cache = cmd.stdout.chomp.split("\n") @iptables_cache = cmd.stdout.split("\n").map(&:strip)
end end
def to_s def to_s
format('Iptables %s %s', @table.nil? ? '' : "table: #{@table}", @chain.nil? ? '' : "chain: #{@chain}").strip format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
end end
end end
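Review bot: `@table` and `@chain` are interpolated unescaped into the command that `retrieve_rules` builds (`format('iptables %s -S %s', table_cmd, @chain)`), so a profile that sources `table:`/`chain:` from an attribute would let a value such as `INPUT; id` run an extra command on the target under inspec's privileges. iptables table and chain names are plain identifiers, so `initialize` could reject anything else before the values are stored: `raise ArgumentError, "invalid iptables name: #{name.inspect}" unless name.nil? || name =~ /\A[\w.-]+\z/`, applied to both params. Separately, `has_rule?` keeps the case-insensitive `casecmp` match, which accepts `-A input ...` for a rule that lives in `INPUT` even though iptables chain names are case-sensitive; if that is intentional it deserves a comment, otherwise a plain `line == rule` comparison is the safer check. The `initialize` hunk is cut at its end, so the remainder of that method is outside this view.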


@ -11,6 +11,7 @@ include_recipe('os_prepare::mount')
include_recipe('os_prepare::service') include_recipe('os_prepare::service')
include_recipe('os_prepare::package') include_recipe('os_prepare::package')
include_recipe('os_prepare::registry_key') include_recipe('os_prepare::registry_key')
include_recipe('os_prepare::iptables')
# configure repos, eg. nginx # configure repos, eg. nginx
include_recipe('os_prepare::apt') include_recipe('os_prepare::apt')


@ -0,0 +1,13 @@
# encoding: utf-8
# author: Stephan Renatus
case node['platform']
when 'ubuntu', 'rhel', 'centos', 'fedora'
execute 'iptables -A INPUT -i eth0 -p tcp -m tcp '\
'--dport 80 -m state --state NEW -m comment '\
'--comment "http on 80" -j ACCEPT'
execute 'iptables -N derby-cognos-web'
execute 'iptables -A INPUT -j derby-cognos-web'
execute 'iptables -A derby-cognos-web -p tcp -m tcp --dport 80 '\
'-m comment --comment "derby-cognos-web" -j ACCEPT'
end
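Review bot: The four `execute` resources are not idempotent: every converge appends another copy of each `-A` rule, and `iptables -N derby-cognos-web` exits non-zero once the chain already exists, which would fail a second run. Guard each one against the live ruleset, e.g. `not_if 'iptables -C INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT'` on the first resource and `not_if 'iptables -L derby-cognos-web -n'` on the chain creation. The rules are also only applied to the running kernel and never persisted, which is fine for a throw-away test box but worth a one-line comment so nobody lifts this recipe into a real cookbook.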


@ -0,0 +1,25 @@
# encoding: utf-8
case os[:family]
when 'ubuntu', 'fedora'
describe iptables do
it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
# single-word comments have their quotes dropped
it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
end
when 'rhel', 'centos'
describe iptables do
it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
end
describe iptables do
it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
end if os[:release] == 6
describe iptables do
it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
end if os[:release] == 7
end
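Review bot: The `end if os[:release] == 6` and `end if os[:release] == 7` modifiers compare against Integers; if `os[:release]` is a version string such as `"6.7"` or `"7.2"` (which I believe it is for this platform data), neither describe block ever runs and the derby-cognos-web rule goes unchecked on RHEL/CentOS without any visible failure. Matching the major version as text makes the intent explicit: `end if os[:release].to_s.start_with?('6')` and `end if os[:release].to_s.start_with?('7')`. A short comment above those two blocks explaining why CentOS 6 keeps the quotes around a single-word comment while 7 drops them would also help the next reader, since the ubuntu/fedora branch already documents the opposite case.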


@ -3,4 +3,4 @@
-P OUTPUT ACCEPT -P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT


@ -14,6 +14,11 @@ describe 'Inspec::Resources::Iptables' do
_(resource.has_rule?('-P OUTPUT DROP')).must_equal false _(resource.has_rule?('-P OUTPUT DROP')).must_equal false
end end
it 'verify iptables with comments on ubuntu' do
resource = MockLoader.new(:ubuntu1404).load_resource('iptables')
_(resource.has_rule?('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT')).must_equal true
end
it 'verify iptables on windows' do it 'verify iptables on windows' do
resource = MockLoader.new(:windows).load_resource('iptables') resource = MockLoader.new(:windows).load_resource('iptables')
_(resource.has_rule?('-P OUTPUT ACCEPT')).must_equal false _(resource.has_rule?('-P OUTPUT ACCEPT')).must_equal false
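Review bot: The new unit test only covers a comment containing spaces; the CentOS 6 fix the commit is named for, which as far as I can tell is the per-line `strip` applied to the `iptables -S` output in the resource, has no unit coverage because the `iptables-s` mock only gained a comment, not trailing whitespace. Adding a mock line with trailing spaces and asserting `has_rule?` still matches the trimmed rule, plus a `must_equal false` for the same rule with a different comment text, would pin both behaviours. As written, `'verify iptables with comments on ubuntu'` would also pass against the previous implementation, so it does not guard the regression on its own.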