Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-14 17:07:09 +00:00
Code Issues Projects Releases Packages Wiki Activity
inspec/test/unit/resources/firewalld_test.rb
Will Dower 5a7f7b4b27 changed array style at chefstyle's request 
Signed-off-by: Will Dower <wdower@mitre.org>
2021-07-12 11:47:25 -04:00

111 lines
4.1 KiB
Ruby
Raw Blame History

require "helper"
require "inspec/resource"
require "inspec/resources/firewalld"
describe "Inspec::Resources::FirewallD" do
cent_resource = MockLoader.new(:centos7).load_resource("firewalld")
it "verify firewalld detects a zone" do
_(cent_resource.has_zone?("public")).must_equal true
_(cent_resource.has_zone?("zonenotinfirewalld")).must_equal false
end
it "verify firewalld is running" do
_(cent_resource.running?).must_equal true
end
it "verify firewalld detects a default_zone" do
_(cent_resource.default_zone).must_equal "public"
end
it "parses zones with multiple interfaces" do
entries = cent_resource.where { zone == "public" }
_(entries.interfaces).must_equal [%w{enp0s3 eno2}]
end
it "detects services in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.services).must_equal [%w{ssh icmp}]
end
it "detects multiple active zones" do
entries = cent_resource.where { zone == "public" }
_(entries.interfaces).must_equal [%w{enp0s3 eno2}]
entries = cent_resource.where { zone == "default" }
_(entries.interfaces).must_equal [["enp0s3"]]
end
it "detects sources in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.sources).must_equal [["192.168.1.0/24", "192.168.1.2"]]
end
it "detects target in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.target).must_equal ["default"]
end
it "detects whether ICMP block inversion is enabled in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.icmp_block_inversion?).must_equal false
end
it "detects ports in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.ports).must_equal [["80/tcp", "443/tcp"]]
end
it "detects protocols in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.protocols).must_equal [%w{icmp ipv4}]
end
it "detects whether IPv4 masquerading is enabled in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.masquerade?).must_equal false
end
it "detects IPv4 forward ports in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.forward_ports).must_equal [["port=80:proto=tcp:toport=88:toaddr=", "port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3"]]
end
it "detects source ports in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.source_ports).must_equal [["80/tcp", "8080/tcp"]]
end
it "detects ICMP blocks in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.icmp_blocks).must_equal [%w{echo-request echo-reply}]
end
it "detects rich rules in an active zone" do
entries = cent_resource.where { zone == "public" }
_(entries.rich_rules).must_equal [["rule protocol value=\"ah\" accept", "rule service name=\"ftp\" log limit value=\"1/m\" audit accept"]]
end
it "verify firewalld detects a whether or not a service is allowed in a zone" do
_(cent_resource.has_service_enabled_in_zone?("ssh", "public")).must_equal true
end
it "verify firewalld detects ports enabled for a service in a zone" do
_(cent_resource.service_ports_enabled_in_zone("ssh", "public")).must_equal ["22/tcp"]
end
it "verify firewalld detects protocols enabled for a service in a zone" do
_(cent_resource.service_protocols_enabled_in_zone("ssh", "public")).must_equal ["icmp"]
end
it "verify firewalld detects a whether or not a port is allowed in a zone" do
_(cent_resource.has_port_enabled_in_zone?("22/udp", "public")).must_equal true
end
it "verify firewalld detects a whether or not a rule is enabled in a zone included rule text" do
_(cent_resource.has_rule_enabled?("rule family=ipv4 source address=192.168.0.14 accept", "public")).must_equal true
end
it "verify firewalld detects a whether or not a rule is enabled in a zone exluding rule text" do
_(cent_resource.has_rule_enabled?("family=ipv4 source address=192.168.0.14 accept", "public")).must_equal true
end
end
Reference in a new issue View git blame Copy permalink