fix: files: overwrite firewalld.conf on previous replaced (#176)

BrennanPaciorek · web-flow · commit b96f8ed363c8 · 2023-08-17T09:48:55.000-06:00
* fix: files: overwrite firewalld.conf on reset

on previous replaced, revert firewalld.conf to fallback configuration instead of deletion

Signed-off-by: Brennan Paciorek &lt;bpaciore@redhat.com&gt;

* files: remove pipefail for rpm verify block

* tests: purge_config: evaluate firewalld.conf checksums after purge

---------

Signed-off-by: Brennan Paciorek &lt;bpaciore@redhat.com&gt;
diff --git a/files/get_files_checksums.sh b/files/get_files_checksums.sh
@@ -30,6 +30,8 @@ find "$firewall_conf_root" -name \*.xml | while read -r file; do
     fi
 done > "$listfile"
 
+set +o pipefail
+
 orig_conf="$firewall_conf_root/firewalld.conf"
 remove_firewall_conf=true
 if [ -f "$orig_conf" ]; then
@@ -48,10 +50,21 @@ fc.write()
     fi
 fi
 
+set -o pipefail
+
 if [ "${remove:-false}" = true ]; then
     find "$firewall_conf_root" -name \*.xml -exec rm -f {} \;
     if [ "$remove_firewall_conf" = true ]; then
-        rm -f "$orig_conf"
+	"$python_cmd" -c 'import sys
+from firewall.core.io.firewalld_conf import firewalld_conf
+fc = firewalld_conf(None) # open(None, "r") throws an Exception in fc.read()
+try:
+    fc.read() # should populate fallback configuration
+except Exception:
+    pass
+fc.filename=sys.argv[1] # Change target firewalld.conf write target
+fc.write() # update firewalld.conf
+' "$orig_conf" 2>/dev/null
     fi
     if [ -s "$listfile" ] ; then
         firewall-cmd --reload > /dev/null
diff --git a/tests/tests_purge_config.yml b/tests/tests_purge_config.yml
@@ -143,6 +143,58 @@
           fail:
             msg: The role reported changes
           when: firewall_lib_result.changed  # noqa no-handler
+
+        ### Test firewalld.conf reset
+
+        - name: Change default zone (Change firewalld.conf)
+          include_role:
+            name: linux-system-roles.firewall
+          vars:
+            firewall:
+              - set_default_zone: internal
+
+        - name: Get stats for firewalld.conf
+          stat:
+            path: /etc/firewalld/firewalld.conf
+          register: __stat_before
+          failed_when: not __stat_before.stat.exists
+
+        - name: Purge config
+          include_role:
+            name: linux-system-roles.firewall
+          vars:
+            firewall:
+              - previous: replaced
+
+        - name: Fail if /etc/firewalld/firewalld.conf no longer exists
+          stat:
+            path: /etc/firewalld/firewalld.conf
+          register: __stat_after_a
+          failed_when: not __stat_after_a.stat.exists
+
+        - name: Assert that collected firewalld.conf checksums do not match
+          fail:
+            msg: firewalld.conf should have changed on reset
+          when: __stat_before.stat.checksum == __stat_after_a.stat.checksum
+
+        - name: Purge config (no changes made since last purge)
+          include_role:
+            name: linux-system-roles.firewall
+          vars:
+            firewall:
+              - previous: replaced
+
+        - name: Fail if /etc/firewalld/firewalld.conf no longer exists
+          stat:
+            path: /etc/firewalld/firewalld.conf
+          register: __stat_after_b
+          failed_when: not __stat_after_b.stat.exists
+
+        - name: Assert that collected firewalld.conf checksums match
+          fail:
+            msg: firewalld.conf should have changed on reset
+          when: __stat_after_a.stat.checksum != __stat_after_b.stat.checksum
+
       always:
         - name: Cleanup
           tags:
