Firewall Integration tests (#777)

Author: vshanthe

tests/integration/firewalls/conftest.py

@@ -0,0 +1,69 @@
+import json
+
+import pytest
+
+from tests.integration.helpers import (
+    delete_target_id,
+    exec_test_command,
+    get_random_text,
+)
+
+BASE_CMD = ["linode-cli", "firewalls"]
+
+
+@pytest.fixture(scope="function")
+def _firewall_id_and_label():
+    # generate a unique label
+    label = "fw-" + get_random_text(5)
+    # create it and capture the ID
+    result = exec_test_command(
+        BASE_CMD
+        + [
+            "create",
+            "--label",
+            label,
+            "--rules.outbound_policy",
+            "ACCEPT",
+            "--rules.inbound_policy",
+            "DROP",
+            "--text",
+            "--no-headers",
+            "--format",
+            "id",
+        ]
+    )
+    fw_id = result.stdout.decode().strip()
+    yield fw_id, label
+    # cleanup
+    delete_target_id(target="firewalls", id=fw_id)
+
+
+@pytest.fixture(scope="function")
+def test_firewall_id(_firewall_id_and_label):
+    """Only the ID, so old tests keep working."""
+    return _firewall_id_and_label[0]
+
+
+@pytest.fixture(scope="function")
+def test_firewall_label(_firewall_id_and_label):
+    """Only the label, for tests that need it explicitly."""
+    return _firewall_id_and_label[1]
+
+
+@pytest.fixture
+def restore_firewall_defaults():
+    # Fetch and store current default firewall settings
+    result = exec_test_command(BASE_CMD + ["firewall-settings-list", "--json"])
+    settings = json.loads(result.stdout.decode())
+    original_defaults = settings[0]["default_firewall_ids"]
+
+    yield original_defaults
+
+    # Restore the original defaults after test
+    args = []
+    for key, val in original_defaults.items():
+        if val is not None:
+            args.extend([f"--default_firewall_ids.{key}", str(val)])
+
+    if args:
+        exec_test_command(BASE_CMD + ["firewall-settings-update"] + args)

tests/integration/firewalls/test_firewall_settings.py

@@ -0,0 +1,135 @@
+import json
+
+import pytest
+
+from tests.integration.helpers import (
+    exec_test_command,
+)
+
+BASE_CMD = ["linode-cli", "firewalls"]
+
+
+def test_firewall_settings_defaults(test_firewall_id, test_firewall_label):
+    # list all firewalls and extract the IDs
+    list_result = (
+        exec_test_command(
+            BASE_CMD + ["list", "--no-headers", "--text", "--delimiter", ","]
+        )
+        .stdout.decode()
+        .strip()
+    )
+
+    firewall_lines = list_result.splitlines()
+    firewall_ids = [
+        line.split(",")[0].strip() for line in firewall_lines if line
+    ]
+
+    assert (
+        test_firewall_id in firewall_ids
+    ), f"{test_firewall_id} not found in firewall list"
+
+    # get the default firewall settings
+    settings_result = exec_test_command(
+        BASE_CMD + ["firewall-settings-list", "--json"]
+    ).stdout.decode()
+
+    settings = json.loads(settings_result)
+    assert (
+        isinstance(settings, list) and len(settings) > 0
+    ), "Unexpected settings format"
+
+    default_ids = settings[0]["default_firewall_ids"]
+
+    # Validate all expected keys exist and map to a valid firewall ID
+    expected_keys = [
+        "linode",
+        "nodebalancer",
+        "public_interface",
+        "vpc_interface",
+    ]
+
+    for key in expected_keys:
+        assert key in default_ids, f"Missing default_firewall_ids key: {key}"
+        val = default_ids[key]
+        assert val is None or isinstance(
+            val, int
+        ), f"{key} value is not None or int: {val}"
+        if isinstance(val, int):
+            assert val > 0, f"{key} should be a non-zero firewall ID"
+            assert (
+                str(val) in firewall_ids
+            ), f"{key} ID ({val}) not found in firewall list"
+
+
+def test_update_firewall_defaults(test_firewall_id, restore_firewall_defaults):
+    # Fetch current default firewall settings
+    settings = json.loads(
+        exec_test_command(
+            BASE_CMD + ["firewall-settings-list", "--json"]
+        ).stdout.decode()
+    )
+    default_ids_before = settings[0]["default_firewall_ids"]
+
+    # Skip if no default firewall configured at all
+    if all(v is None for v in default_ids_before.values()):
+        pytest.skip("Skipping: no default firewall configured for the account.")
+
+    old_default_id = (
+        str(default_ids_before["linode"])
+        if default_ids_before["linode"]
+        else None
+    )
+
+    # List all firewalls
+    firewall_list = (
+        exec_test_command(
+            BASE_CMD + ["list", "--no-headers", "--text", "--delimiter", ","]
+        )
+        .stdout.decode()
+        .strip()
+    )
+
+    firewall_ids = [
+        line.split(",")[0].strip()
+        for line in firewall_list.splitlines()
+        if line
+    ]
+
+    assert (
+        test_firewall_id in firewall_ids
+    ), f"{test_firewall_id} not found in firewall list"
+
+    new_id = next(
+        fid
+        for fid in firewall_ids
+        if old_default_id is None or fid != old_default_id
+    )
+
+    # Update all default firewall IDs to the new one
+    exec_test_command(
+        BASE_CMD
+        + [
+            "firewall-settings-update",
+            "--default_firewall_ids.linode",
+            new_id,
+            "--default_firewall_ids.nodebalancer",
+            new_id,
+            "--default_firewall_ids.public_interface",
+            new_id,
+            "--default_firewall_ids.vpc_interface",
+            new_id,
+            "--json",
+        ]
+    )
+
+    # Verify update
+    updated_settings = json.loads(
+        exec_test_command(
+            BASE_CMD + ["firewall-settings-list", "--json"]
+        ).stdout.decode()
+    )[0]["default_firewall_ids"]
+
+    for key, val in updated_settings.items():
+        assert (
+            str(val) == new_id
+        ), f"{key} was not updated (expected {new_id}, got {val})"

tests/integration/firewalls/test_firewalls.py

@@ -10,51 +10,22 @@
     delete_target_id,
     exec_failing_test_command,
     exec_test_command,
-    get_random_text,
 )
 
 BASE_CMD = ["linode-cli", "firewalls"]
-FIREWALL_LABEL = "fw-" + get_random_text(5)
-
-
-@pytest.fixture
-def test_firewall_id():
-    firewall_id = (
-        exec_test_command(
-            BASE_CMD
-            + [
-                "create",
-                "--label",
-                FIREWALL_LABEL,
-                "--rules.outbound_policy",
-                "ACCEPT",
-                "--rules.inbound_policy",
-                "DROP",
-                "--text",
-                "--no-headers",
-                "--format",
-                "id",
-            ]
-        )
-        .stdout.decode()
-        .rstrip()
-    )
-
-    yield firewall_id
-
-    delete_target_id(target="firewalls", id=firewall_id)
 
 
 @pytest.mark.smoke
-def test_view_firewall(test_firewall_id):
-    firewall_id = test_firewall_id
+def test_view_firewall(test_firewall_id, test_firewall_label):
+    fw_id = test_firewall_id
+    fw_label = test_firewall_label
 
     result = (
         exec_test_command(
             BASE_CMD
             + [
                 "view",
-                firewall_id,
+                fw_id,
                 "--no-headers",
                 "--text",
                 "--delimiter",
@@ -65,12 +36,12 @@ def test_view_firewall(test_firewall_id):
         .rstrip()
     )
 
-    assert re.search(firewall_id + "," + FIREWALL_LABEL + ",enabled", result)
+    assert f"{fw_id},{fw_label},enabled" in result
 
 
-def test_list_firewall(test_firewall_id):
-    firewall_id = test_firewall_id
-
+def test_list_firewall(test_firewall_id, test_firewall_label):
+    fw_id = test_firewall_id
+    fw_label = test_firewall_label
     result = (
         exec_test_command(
             BASE_CMD + ["list", "--no-headers", "--text", "--delimiter", ","]
@@ -79,7 +50,7 @@ def test_list_firewall(test_firewall_id):
         .rstrip()
     )
 
-    assert re.search(firewall_id + "," + FIREWALL_LABEL + ",enabled", result)
+    assert f"{fw_id},{fw_label},enabled" in result
 
 
 @pytest.mark.smoke
@@ -166,14 +137,15 @@ def test_fails_to_create_firewall_without_outbound_policy():
     assert "outbound_policy is required" in result
 
 
-def test_firewall_label_must_be_unique_upon_creation(test_firewall_id):
+def test_firewall_label_must_be_unique_upon_creation(test_firewall_label):
+    fw_label = test_firewall_label
     result = (
         exec_failing_test_command(
             BASE_CMD
             + [
                 "create",
                 "--label",
-                FIREWALL_LABEL,
+                fw_label,
                 "--rules.outbound_policy",
                 "ACCEPT",
                 "--rules.inbound_policy",
@@ -258,39 +230,6 @@ def test_update_firewall(test_firewall_id):
     assert re.search(firewall_id + "," + updated_label + ",enabled", result)
 
 
-@pytest.mark.skip("skip until there is a way to delete default firewall")
-def test_firewall_settings_update_and_list(test_firewall_id):
-    for cmd in [
-        BASE_CMD
-        + [
-            "firewall-settings-update",
-            "--default_firewall_ids.vpc_interfac",
-            test_firewall_id,
-            "--default_firewall_ids.public_interface",
-            test_firewall_id,
-            "--default_firewall_ids.nodebalancer",
-            test_firewall_id,
-            "--default_firewall_ids.linode",
-            test_firewall_id,
-            "--json",
-        ],
-        BASE_CMD
-        + [
-            "firewall-settings-list",
-            "--json",
-        ],
-    ]:
-        data = json.loads(exec_test_command(cmd).stdout.decode().rstrip())
-        firewall_ids = data[0]["default_firewall_ids"]
-        for key in [
-            "linode",
-            "nodebalancer",
-            "public_interface",
-            "vpc_interface",
-        ]:
-            assert firewall_ids[key] == int(test_firewall_id)
-
-
 def test_firewall_templates_list(monkeypatch: MonkeyPatch):
     monkeypatch.setenv("LINODE_CLI_API_VERSION", "v4beta")
     data = json.loads(