chore(tests): test rich rules

gsanchietti · gsanchietti · commit 39f7dce73bee · 2025-12-03T11:33:48.000+01:00
diff --git a/core/tests/10__cluster_sanity/55__rich_rules.robot b/core/tests/10__cluster_sanity/55__rich_rules.robot
@@ -0,0 +1,65 @@
+*** Settings ***
+Library           SSHLibrary
+
+*** Test Cases ***
+Ensure role mapping exists for traefik1
+    ${rc} =    Execute Command    redis-cli HSET roles/module/traefik1 node/1 fwadm    return_rc=True    return_stdout=False
+    Should Be Equal As Integers    ${rc}    0
+
+Add rich rules via Python script
+    ${output} =    Execute Command    cat > /usr/local/bin/add_rich_rules <<'PY'
+    ...    #!/usr/local/bin/runagent python3
+    ...    import agent
+    ...    rules = [
+    ...        'rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 source address=192.168.1.1',
+    ...        'rule family=ipv4 source address=2.4.5.6 accept'
+    ...    ]
+    ...    result = agent.add_rich_rules(rules)
+    ...    print('SUCCESS' if result else 'FAILED')
+    ...    PY
+    Execute Command    chmod +x /usr/local/bin/add_rich_rules
+    ${output} =    Execute Command    runagent -m traefik1 add_rich_rules
+    Should Contain    ${output}    SUCCESS
+    Execute Command    rm -f /usr/local/bin/add_rich_rules
+
+Verify rich rules are present in firewall
+    ${output} =    Execute Command    firewall-cmd --list-rich-rules
+    Should Contain    ${output}    rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 source address=192.168.1.1
+    Should Contain    ${output}    rule family=ipv4 source address=2.4.5.6 accept
+
+Query individual rich rules
+    ${rc1} =    Execute Command    firewall-cmd --query-rich-rule='rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 source address=192.168.1.1'    return_rc=True    return_stdout=False
+    Should Be Equal As Integers    ${rc1}    0
+    ${rc2} =    Execute Command    firewall-cmd --query-rich-rule='rule family=ipv4 source address=2.4.5.6 accept'    return_rc=True    return_stdout=False
+    Should Be Equal As Integers    ${rc2}    0
+
+Remove rich rules via Python script
+    ${output} =    Execute Command    cat > /usr/local/bin/remove_rich_rules <<'PY'
+    ...    import sys
+    ...    import agent
+    ...    rules = [
+    ...        'rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 source address=192.168.1.1',
+    ...        'rule family=ipv4 source address=2.4.5.6 accept'
+    ...    ]
+    ...    result = agent.remove_rich_rules(rules)
+    ...    print('SUCCESS' if result else 'FAILED')
+    ...    PY
+    Execute Command    chmod +x /usr/local/bin/remove_rich_rules
+    ${output} =    Execute Command    runagent -m traefik1 remove_rich_rules
+    Should Contain    ${output}    SUCCESS
+    Execute Command    rm -f /usr/local/bin/remove_rich_rules
+
+Verify rich rules have been removed
+    ${output} =    Execute Command    firewall-cmd --list-rich-rules
+    Should Not Contain    ${output}    rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 source address=192.168.1.1
+    Should Not Contain    ${output}    rule family=ipv4 source address=2.4.5.6 accept
+
+Query removed rich rules return failure
+    ${rc1} =    Execute Command    firewall-cmd --query-rich-rule='rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 source address=192.168.1.1'    return_rc=True    return_stdout=False
+    Should Not Be Equal As Integers    ${rc1}    0
+    ${rc2} =    Execute Command    firewall-cmd --query-rich-rule='rule family=ipv4 source address=2.4.5.6 accept'    return_rc=True    return_stdout=False
+    Should Not Be Equal As Integers    ${rc2}    0
+
+Remove role mapping for traefik1
+    ${rc} =    Execute Command    redis-cli HDEL roles/module/traefik1 node/1    return_rc=True    return_stdout=False
+    Should Be Equal As Integers    ${rc}    0
