From 9b4a276e9f107be63303e9a588428e2e8b877b8c Mon Sep 17 00:00:00 2001
From: Vern Burton
Date: Tue, 16 Jan 2018 16:20:58 -0600
Subject: [PATCH] firewalld resource: prepend rule string only when necessary (#2430)
* adding control statement to add rule in front of string as long as it doesn't already contain rule. Correcting resource name in firewalld from etc_hosts_deny adding tests for both branches of the statement created in firewalld
Signed-off-by: Vern Burton
* moving to unless with a start_with
Signed-off-by: Vern Burton
* adding documentation that states that it is not needed to add `rule` string
Signed-off-by: Vern Burton
---
 docs/resources/firewalld.md.erb | 2 ++
 lib/resources/firewalld.rb | 6 +++---
 test/unit/resources/firewalld_test.rb | 6 +++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/docs/resources/firewalld.md.erb b/docs/resources/firewalld.md.erb
index 83dc7bc84..9fffec0b3 100644
--- a/docs/resources/firewalld.md.erb
+++ b/docs/resources/firewalld.md.erb
@@ -102,3 +102,5 @@ The `be_running` matcher tests if the firewalld service is running:
 `have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
 it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
+
+It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action
\ No newline at end of file
diff --git a/lib/resources/firewalld.rb b/lib/resources/firewalld.rb
index 07f7ac468..7fcab07a5 100644
--- a/lib/resources/firewalld.rb
+++ b/lib/resources/firewalld.rb
@@ -38,7 +38,7 @@ module Inspec::Resources
 filter.connect(self, :params)
 def initialize
- return skip_resource 'The `etc_hosts_deny` resource is not supported on your OS.' unless inspec.os.linux?
+ return skip_resource 'The `firewalld` resource is not supported on your OS.' unless inspec.os.linux?
 @params = parse_active_zones(active_zones)
 end
@@ -85,8 +85,8 @@ module Inspec::Resources
 end
 def has_rule_enabled?(rule, query_zone = default_zone)
- rule = 'rule ' + rule
- firewalld_command("--zone=#{query_zone} --query-rich-rule=#{rule}") == 'yes'
+ rule = "rule #{rule}" unless rule.start_with?('rule')
+ firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == 'yes'
 end
 private
diff --git a/test/unit/resources/firewalld_test.rb b/test/unit/resources/firewalld_test.rb
index c064d6f2b..9e4bf47a9 100644
--- a/test/unit/resources/firewalld_test.rb
+++ b/test/unit/resources/firewalld_test.rb
@@ -58,7 +58,11 @@ describe 'Inspec::Resources::FirewallD' do
 _(centResource.has_port_enabled_in_zone?('22/udp', 'public')).must_equal true
 end
- it 'verify firewalld detects a whether or not a rule is enabled in a zone' do
+ it 'verify firewalld detects a whether or not a rule is enabled in a zone included rule text' do
+ _(centResource.has_rule_enabled?('rule family=ipv4 source address=192.168.0.14 accept', 'public')).must_equal true
+ end
+
+ it 'verify firewalld detects a whether or not a rule is enabled in a zone exluding rule text' do
 _(centResource.has_rule_enabled?('family=ipv4 source address=192.168.0.14 accept', 'public')).must_equal true
 end
 end
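Review bot: The caller-supplied rule is still interpolated straight into the command string on the new `firewalld_command(...)` line of has_rule_enabled?, and the hand-written single quotes only hold as long as the rule itself contains no `'`; a value with a quote in it ends the quoting early and the remainder is interpreted by whatever runs the command. firewalld_command is private and defined outside this hunk, so I cannot confirm it goes through a shell, but if it does, `--query-rich-rule=#{Shellwords.escape(rule)}` (with `require 'shellwords'` at the top of the file) is the robust form and also removes the need for the manual quotes. Separately, `rule.start_with?('rule')` also fires for any rich rule whose first token merely begins with those four letters; `rule = "rule #{rule}" unless rule.start_with?('rule ')` pins the intended case.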
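Review bot: The description of the second added example misspells "excluding" as `exluding`; since example names appear in the runner output, `it 'verify firewalld detects whether or not a rule is enabled in a zone excluding rule text' do` reads better (the `detects a whether` copied from the old name is worth fixing in the first added example as well). Both examples assert only the `yes` outcome; the stub behind centResource is not in the hunk, so if it keys on the exact command string these two already exercise both branches of the new `unless`, but an example where the query returns something other than `yes` would also pin the `== 'yes'` comparison.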