firewalld resource: prepend rule string only when necessary (#2430)

* adding control statement to add rule in front of string as long as it doesn't already contain rule.

Correcting resource name in firewalld from etc_hosts_deny

adding tests for both branches of the statement created in firewalld

Signed-off-by: Vern Burton <me@vernburton.com>

* moving to unless with a start_with

Signed-off-by: Vern Burton <me@vernburton.com>

* adding documentation that states that it is not needed to add `rule` string

Signed-off-by: Vern Burton <me@vernburton.com>
Vern Burton 2018-01-16 16:20:58 -06:00 committed by Christoph Hartmann
parent 9b2f9f6d4c
commit 9b4a276e9f
3 changed files with 10 additions and 4 deletions


@ -102,3 +102,5 @@ The `be_running` matcher tests if the firewalld service is running:
`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action
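Review bot: the added sentence on the last line of this hunk has no terminal punctuation and leaves the reader guessing what the resource does with the prefix; suggest ending it with a period and saying it explicitly, e.g. `It is not necessary to add the "rule" prefix: the resource prepends it when the string does not already start with it.`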


@ -38,7 +38,7 @@ module Inspec::Resources
filter.connect(self, :params)
def initialize
return skip_resource 'The `etc_hosts_deny` resource is not supported on your OS.' unless inspec.os.linux?
return skip_resource 'The `firewalld` resource is not supported on your OS.' unless inspec.os.linux?
@params = parse_active_zones(active_zones)
end
@ -85,8 +85,8 @@ module Inspec::Resources
end
def has_rule_enabled?(rule, query_zone = default_zone)
rule = 'rule ' + rule
firewalld_command("--zone=#{query_zone} --query-rich-rule=#{rule}") == 'yes'
rule = "rule #{rule}" unless rule.start_with?('rule')
firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == 'yes'
end
private
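Review bot: `rule.start_with?('rule')` on the added line is looser than the behaviour the docs describe: any rule string whose first word merely begins with `rule`, or that has leading whitespace before `rule `, is passed through unchanged, so `start_with?('rule ')` would match the intent more precisely. The same line also changes the command from `--query-rich-rule=#{rule}` to `--query-rich-rule='#{rule}'`; the quotes are needed because a rich rule contains spaces, but the change is not mentioned in the commit message, and a rule value containing a single quote would still break out of them, so consider `Shellwords.escape(rule)` (with `require 'shellwords'`) instead and call out the quoting change in the message.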


@ -58,7 +58,11 @@ describe 'Inspec::Resources::FirewallD' do
_(centResource.has_port_enabled_in_zone?('22/udp', 'public')).must_equal true
end
it 'verify firewalld detects a whether or not a rule is enabled in a zone' do
it 'verify firewalld detects a whether or not a rule is enabled in a zone included rule text' do
_(centResource.has_rule_enabled?('rule family=ipv4 source address=192.168.0.14 accept', 'public')).must_equal true
end
it 'verify firewalld detects a whether or not a rule is enabled in a zone exluding rule text' do
_(centResource.has_rule_enabled?('family=ipv4 source address=192.168.0.14 accept', 'public')).must_equal true
end
end
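Review bot: the two new test names carry typos (`detects a whether or not`, `exluding`); suggest `detects whether a rule is enabled in a zone when the rule text includes the "rule" prefix` and `... when the rule text omits the "rule" prefix`. Both cases also assert only `must_equal true`; a case where the query does not answer `yes` would exercise the false branch of `has_rule_enabled?` as well.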