authorYanis Guenane <yguenane@redhat.com>2015-07-15 11:58:46 +0200
committerYanis Guenane <yguenane@redhat.com>2015-07-15 11:58:46 +0200
commitc59650772c8d7d2e84a19782ef8d53cec02deb9b (patch)
treeaec45b9a2d425ee6bac3815a60a5171cc0d25d3b /spec
parent9b22f9f4ddfd511d19f3e34d7be70092a79d18d7 (diff)
Implement firewalling in tripleo::firewall
Currently firewalling is implemented in tripleo/init.pp; this commit moves it to its own scope, tripleo/firewall.pp. This is done so that in tripleo-heat-templates we can have a simple, generic and unconditional `include tripleo::firewall` in every manifest. The rest of the behavior will all be managed by hiera. If a user wants to enable firewalling: ``` tripleo::firewall::manage_firewall: true ``` If a user wants to specify firewall rules: ``` tripleo::firewall::firewall_rules: '103 mongod': port: 27017 ``` Change-Id: I144c60db2a568a94dce5b51257f1d10980173325
Diffstat (limited to 'spec')
-rw-r--r--spec/classes/tripleo_firewall_spec.rb114
-rw-r--r--spec/classes/tripleo_init_spec.rb91
2 files changed, 114 insertions, 91 deletions
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
new file mode 100644
index 0000000..c1249b9
--- /dev/null
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -0,0 +1,114 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::firewall' do
+
+ let :params do
+ { }
+ end
+
+ shared_examples_for 'tripleo node' do
+
+ context 'with firewall enabled' do
+ before :each do
+ params.merge!(
+ :manage_firewall => true,
+ )
+ end
+
+ it 'configure basic pre firewall rules' do
+ is_expected.to contain_firewall('000 accept related established rules').with(
+ :proto => 'all',
+ :state => ['RELATED', 'ESTABLISHED'],
+ :action => 'accept',
+ )
+ is_expected.to contain_firewall('001 accept all icmp').with(
+ :proto => 'icmp',
+ :action => 'accept',
+ :state => ['NEW'],
+ )
+ is_expected.to contain_firewall('002 accept all to lo interface').with(
+ :proto => 'all',
+ :iniface => 'lo',
+ :action => 'accept',
+ :state => ['NEW'],
+ )
+ is_expected.to contain_firewall('003 accept ssh').with(
+ :port => '22',
+ :proto => 'tcp',
+ :action => 'accept',
+ :state => ['NEW'],
+ )
+ end
+
+ it 'configure basic post firewall rules' do
+ is_expected.to contain_firewall('999 drop all').with(
+ :proto => 'all',
+ :action => 'drop',
+ :source => '0.0.0.0/0',
+ )
+ end
+ end
+
+ context 'with custom firewall rules' do
+ before :each do
+ params.merge!(
+ :manage_firewall => true,
+ :firewall_rules => {
+ '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
+ '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
+ }
+ )
+ end
+ it 'configure custom firewall rules' do
+ is_expected.to contain_firewall('300 add custom application 1').with(
+ :port => '999',
+ :proto => 'udp',
+ :action => 'accept',
+ :state => ['NEW'],
+ )
+ is_expected.to contain_firewall('301 add custom application 2').with(
+ :port => '8081',
+ :proto => 'tcp',
+ :action => 'accept',
+ :state => ['NEW'],
+ )
+ end
+ end
+
+ end
+
+ context 'on Debian platforms' do
+ let :facts do
+ { :osfamily => 'Debian' }
+ end
+
+ it_configures 'tripleo node'
+ end
+
+ context 'on RedHat platforms' do
+ let :facts do
+ { :osfamily => 'RedHat' }
+ end
+
+ it_configures 'tripleo node'
+ end
+
+end
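Review bot: Every context in this spec sets `:manage_firewall => true`, so the default (empty `params`) path that an unconditional `include tripleo::firewall` would take is never exercised. Since the commit message makes hiera the only switch, a context with no params should pin the default, e.g. `it { is_expected.not_to contain_firewall('999 drop all') }` if the class is meant to be off by default (the manifest is not visible here, so confirm the intended default). The 'with custom firewall rules' context could also assert that `'999 drop all'` is still declared, so a change that lets custom rules displace the default-deny rule would fail the suite. The header comment `# Unit tests for tripleo` should read `# Unit tests for tripleo::firewall`.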
diff --git a/spec/classes/tripleo_init_spec.rb b/spec/classes/tripleo_init_spec.rb
index 9f01857..57b45e2 100644
--- a/spec/classes/tripleo_init_spec.rb
+++ b/spec/classes/tripleo_init_spec.rb
@@ -20,95 +20,4 @@ require 'spec_helper'
describe 'tripleo' do
- let :params do
- { }
- end
-
- shared_examples_for 'tripleo node' do
-
- context 'with firewall enabled' do
- before :each do
- params.merge!(
- :manage_firewall => true,
- )
- end
-
- it 'configure basic pre firewall rules' do
- is_expected.to contain_firewall('000 accept related established rules').with(
- :proto => 'all',
- :state => ['RELATED', 'ESTABLISHED'],
- :action => 'accept',
- )
- is_expected.to contain_firewall('001 accept all icmp').with(
- :proto => 'icmp',
- :action => 'accept',
- :state => ['NEW'],
- )
- is_expected.to contain_firewall('002 accept all to lo interface').with(
- :proto => 'all',
- :iniface => 'lo',
- :action => 'accept',
- :state => ['NEW'],
- )
- is_expected.to contain_firewall('003 accept ssh').with(
- :port => '22',
- :proto => 'tcp',
- :action => 'accept',
- :state => ['NEW'],
- )
- end
-
- it 'configure basic post firewall rules' do
- is_expected.to contain_firewall('999 drop all').with(
- :proto => 'all',
- :action => 'drop',
- :source => '0.0.0.0/0',
- )
- end
- end
-
- context 'with custom firewall rules' do
- before :each do
- params.merge!(
- :manage_firewall => true,
- :firewall_rules => {
- '300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
- '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
- }
- )
- end
- it 'configure custom firewall rules' do
- is_expected.to contain_firewall('300 add custom application 1').with(
- :port => '999',
- :proto => 'udp',
- :action => 'accept',
- :state => ['NEW'],
- )
- is_expected.to contain_firewall('301 add custom application 2').with(
- :port => '8081',
- :proto => 'tcp',
- :action => 'accept',
- :state => ['NEW'],
- )
- end
- end
-
- end
-
- context 'on Debian platforms' do
- let :facts do
- { :osfamily => 'Debian' }
- end
-
- it_configures 'tripleo node'
- end
-
- context 'on RedHat platforms' do
- let :facts do
- { :osfamily => 'RedHat' }
- end
-
- it_configures 'tripleo node'
- end
-
end