(SEC-944) Add test cases

chelnak · chelnak · commit 30db99bee6b4 · 2022-02-28T13:37:09.000Z
Prior to this commit there we no test cases to validate our
changes to the module.

This commit adds test cases for each of the configurations for
onduplicaterulebehaviour.
diff --git a/spec/acceptance/firewall_duplicate_comment_spec.rb b/spec/acceptance/firewall_duplicate_comment_spec.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+def make_manifest(behaviour)
+  pp = <<-PUPPETCODE
+    class { 'firewall': }
+    resources { 'firewall':
+      purge => true,
+    }
+
+    firewall { '550 destination':
+      proto  => tcp,
+      dport   => '550',
+      action => accept,
+      destination => '192.168.2.0/24',
+      onduplicaterulebehaviour => #{behaviour}
+    }
+    PUPPETCODE
+
+  pp
+end
+
+describe 'firewall - duplicate comments' do
+  before(:all) do
+    if os[:family] == 'ubuntu' || os[:family] == 'debian'
+      update_profile_file
+    end
+  end
+
+  before(:each) do
+    run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+  end
+
+  after(:each) do
+    iptables_flush_all_tables
+  end
+
+  context 'when onduplicateerrorhevent is set to error' do
+    it 'raises an error' do
+      run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+      pp = make_manifest('error')
+
+      apply_manifest(pp) do |r|
+        expect(r.stderr).to include('Error: /Stage[main]/Main/Firewall[550 destination]: Could not evaluate: Duplicate rule found for 550 destination. Skipping update.')
+      end
+    end
+  end
+
+  context 'when onduplicateerrorhevent is set to warn' do
+    run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+
+    it 'warns and continues' do
+      run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+      pp = make_manifest('warn')
+
+      apply_manifest(pp) do |r|
+        expect(r.stderr).to include('Warning: Firewall[550 destination](provider=iptables): Duplicate rule found for 550 destination.. This may add an additional rule to the system.')
+      end
+    end
+  end
+
+  context 'when onduplicateerrorhevent is set to ignore' do
+    run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+
+    it 'continues silently' do
+      run_shell('iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 551 -j ACCEPT -m comment --comment "550 destination"')
+      pp = make_manifest('ignore')
+
+      apply_manifest(pp) do |r|
+        expect(r.stderr).to be_empty
+      end
+    end
+  end
+end
diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
@@ -111,5 +111,12 @@ def fetch_os_name
       }
     PUPPETCODE
     LitmusHelper.instance.apply_manifest(pp)
+
+    # Ensure that policycoreutils is present. In the future we could probably refactor
+    # this so that policycoreutils is installed on platform where the os.family fact
+    # is set to 'redhat'
+    if ['almalinux-8', 'rocky-8'].include?("#{fetch_os_name}-#{os[:release].to_i}")
+      LitmusHelper.instance.run_shell('yum install policycoreutils -y')
+    end
   end
 end
