diff --git a/.editorconfig b/.editorconfig index d77700e3..ecb10a80 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,6 +1,7 @@ # editorconfig.org -# MANAGED BY MODULESYNC +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ root = true diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index cace33e6..6aaa603f 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -25,7 +25,7 @@ By participating in this project you agree to abide by its terms. * Fork the repo. * Create a separate branch for your change. -* We only take pull requests with passing tests, and documentation. [travis-ci](http://travis-ci.org) runs the tests for us. You can also execute them locally. This is explained [in a later section](#the-test-matrix). +* We only take pull requests with passing tests, and documentation. [GitHub Actions](https://docs.github.com/en/actions) run the tests for us. You can also execute them locally. This is explained [in a later section](#the-test-matrix). * Checkout [our docs](https://voxpupuli.org/docs/reviewing_pr/) we use to review a module and the [official styleguide](https://puppet.com/docs/puppet/6.0/style_guide.html). They provide some guidance for new code that might help you before you submit a pull request. * Add a test for your change. Only refactoring and documentation changes require no new tests. If you are adding functionality or fixing a bug, please add a test. * Squash your commits down into logical components. Make sure to rebase against our current master. @@ -124,7 +124,7 @@ If you have Ruby 2.x or want a specific version of Puppet, you must set an environment variable such as: ```sh -export PUPPET_VERSION="~> 5.5.6" +export PUPPET_GEM_VERSION="~> 6.1.0" ``` You can install all needed gems for spec tests into the modules directory by @@ -232,52 +232,23 @@ simple tests against it after applying the module. You can run this with: ```sh -bundle exec rake acceptance +BEAKER_PUPPET_COLLECTION=puppet7 BEAKER_setfile=debian11-64 bundle exec rake beaker ``` -This will run the tests on the module's default nodeset. You can override the -nodeset used, e.g., - -```sh -BEAKER_set=centos-7-x64 bundle exec rake acceptance -``` - -There are default rake tasks for the various acceptance test modules, e.g., - -```sh -bundle exec rake beaker:centos-7-x64 -bundle exec rake beaker:ssh:centos-7-x64 -``` - -If you don't want to have to recreate the virtual machine every time you can -use `BEAKER_destroy=no` and `BEAKER_provision=no`. On the first run you will at -least need `BEAKER_provision` set to yes (the default). The Vagrantfile for the -created virtual machines will be in `.vagrant/beaker_vagrant_files`. - -Beaker also supports docker containers. We also use that in our automated CI -pipeline at [travis-ci](http://travis-ci.org). To use that instead of Vagrant: - -```sh -PUPPET_INSTALL_TYPE=agent BEAKER_IS_PE=no BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_debug=true BEAKER_setfile=debian10-64{hypervisor=docker} BEAKER_destroy=yes bundle exec rake beaker -``` - -You can replace the string `debian10` with any common operating system. +You can replace the string `debian11` with any common operating system. The following strings are known to work: -* ubuntu1604 -* ubuntu1804 * ubuntu2004 -* debian9 -* debian10 -* centos6 +* ubuntu2204 +* debian11 * centos7 * centos8 +* centos9 +* almalinux8 +* almalinux9 +* fedora36 -The easiest way to debug in a docker container is to open a shell: - -```sh -docker exec -it -u root ${container_id_or_name} bash -``` +For more information and tips & tricks, see [voxpupuli-acceptance's documentation](https://github.com/voxpupuli/voxpupuli-acceptance#running-tests). The source of this file is in our [modulesync_config](https://github.com/voxpupuli/modulesync_config/blob/master/moduleroot/.github/CONTRIBUTING.md.erb) repository. diff --git a/.github/SECURITY.md b/.github/SECURITY.md deleted file mode 100644 index cacadf22..00000000 --- a/.github/SECURITY.md +++ /dev/null @@ -1,3 +0,0 @@ -# Vox Pupuli Security Policy - -Our vulnerabilities reporting process is at https://voxpupuli.org/security/ diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..8a077911 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,18 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +name: CI + +on: pull_request + +concurrency: + group: ${{ github.ref_name }} + cancel-in-progress: true + +jobs: + puppet: + name: Puppet + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1 + with: + pidfile_workaround: 'false' diff --git a/.gitignore b/.gitignore index e9b3cf4b..84fd904c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,20 +1,23 @@ -pkg/ -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/fixtures/manifests/ -spec/fixtures/modules/ -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.librarian/ -Puppetfile.lock +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +/pkg/ +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.librarian/ +/Puppetfile.lock *.iml .*.sw? -.yardoc/ -Guardfile +/.yardoc/ +/Guardfile diff --git a/.msync.yml b/.msync.yml index 5758aced..dd3e9572 100644 --- a/.msync.yml +++ b/.msync.yml @@ -1,2 +1,5 @@ --- -modulesync_config_version: '3.1.0' +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +modulesync_config_version: '7.0.0' diff --git a/.overcommit.yml b/.overcommit.yml index 0af0fdc0..d367adae 100644 --- a/.overcommit.yml +++ b/.overcommit.yml @@ -1,4 +1,5 @@ -# Managed by https://github.com/voxpupuli/modulesync_configs +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ # # Hooks are only enabled if you take action. # diff --git a/.pmtignore b/.pmtignore index 4e6d54b8..58a04088 100644 --- a/.pmtignore +++ b/.pmtignore @@ -1,21 +1,37 @@ -docs/ -pkg/ -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/fixtures/manifests/ -spec/fixtures/modules/ -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.librarian/ -Puppetfile.lock +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +/docs/ +/pkg/ +/Gemfile +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/ +/Rakefile +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.github/ +/.librarian/ +/Puppetfile.lock *.iml +/.editorconfig +/.fixtures.yml +/.gitignore +/.msync.yml +/.overcommit.yml +/.pmtignore +/.rspec +/.rspec_parallel +/.rubocop.yml +/.sync.yml .*.sw? -.yardoc/ -Dockerfile +/.yardoc/ +/.yardopts +/Dockerfile diff --git a/.puppet-lint.rc b/.puppet-lint.rc new file mode 100644 index 00000000..dd8272c7 --- /dev/null +++ b/.puppet-lint.rc @@ -0,0 +1,3 @@ +--fail-on-warnings +--no-parameter_documentation-check +--no-parameter_types-check diff --git a/.rspec b/.rspec index 8c18f1ab..f634583d 100644 --- a/.rspec +++ b/.rspec @@ -1,2 +1,5 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --format documentation --color diff --git a/.rspec_parallel b/.rspec_parallel index e4d136b7..a9a84f85 100644 --- a/.rspec_parallel +++ b/.rspec_parallel @@ -1 +1,4 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --format progress diff --git a/.rubocop.yml b/.rubocop.yml index 198a3599..53ac1898 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,3 +1,6 @@ --- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + inherit_gem: voxpupuli-test: rubocop.yml diff --git a/.sync.yml b/.sync.yml index ecfaf514..a79557a9 100644 --- a/.sync.yml +++ b/.sync.yml @@ -3,28 +3,15 @@ secure: "S+FbvY0fDhzg5uPJZm/mkJCGTUuA2ps2Yay9pPrkjTuCqYcbhjm/NOhXPRWJDONo/3Zo7vQZey9PKcsdK3hznwlfkvB1Ghb/829655lZ2lwHZCoZfGURV/FB+ztjyVT2B/xOwisjz8OGQ8AECOX7l6SjUHzLZWZxpSUWYKTLOAyD+b08jR9eiQBshxjmhxzXl+shHXXRVnGo9TEjPMLXqKpwirNucKjHYdWcYcD+Z1Yfacu3O6Ry4PqCZ0VfRf+ahIbUcnriEke1IF6NU0VquyyaSw1nYrTAUW3bHeRTyAU3Uruh2O+lXRkt8UuxDhFs17JLbrb+0a8odr0mg6kdVowEuPYJSCMEUciyoi6ztHJiVceXK2rge5Yi0jw120wRK/cWxDImc8hUh9atGgE5VzMIzu3DJOcpslVSc+iffCPg3/EVol/Ekg9WVb4s1Vj7XFwjczXVaG7mJVF5HSg0JrP+xz1rTvVLvNaNVtZDvEYphscBBUt8ujqqmz4oICWSNa7wo1JLEd1qBwPk+tgmGr1EB3wvcU12KjKotswSjkG2uqNwKO7b9ETUMOzaIxo5dLOr5pUrV9LCDIBAzkeD8HqX6pNHJE1qhZJxLUWOVaDrQNBbJp6yY5xmkg5oNwykPAGKJXAuzTYlBjYBs7ss9RO/Wpn73ExnHEI9DX43rfo=" spec/spec_helper.rb: mock_with: ':mocha' -spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml: - delete: true -spec/acceptance/nodesets/ec2/image_templates.yaml: - delete: true -spec/acceptance/nodesets/ec2/rhel-73-x64.yml: - delete: true -spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml: - delete: true -spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml: - delete: true -spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml: - delete: true -spec/acceptance/nodesets/archlinux-2-x64.yml: - delete: true + +spec/spec_helper_acceptance.rb: + unmanaged: false Gemfile: optional: ':test': - gem: 'mocha' version: '~> 1.10.0' - ':system_tests': - - gem: 'simp-beaker-helpers' .rubocop.yml: default_configs: diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 5ed3feaf..00000000 --- a/.travis.yml +++ /dev/null @@ -1,49 +0,0 @@ ---- -# yamllint disable rule:line-length rule:truthy -os: linux -dist: focal -language: ruby -cache: bundler -before_install: - - yes | gem update --system - - bundle --version -script: - - 'bundle exec rake $CHECK' -jobs: - fast_finish: true - include: - - rvm: 2.4.4 - bundler_args: --without system_tests development release - env: PUPPET_VERSION="~> 5.0" CHECK=test - - rvm: 2.5.3 - bundler_args: --without system_tests development release - env: PUPPET_VERSION="~> 6.0" CHECK=test_with_coveralls - - rvm: 2.5.3 - bundler_args: --without system_tests development release - env: PUPPET_VERSION="~> 6.0" CHECK=rubocop - - rvm: 2.4.4 - bundler_args: --without system_tests development release - env: PUPPET_VERSION="~> 5.0" CHECK=build DEPLOY_TO_FORGE=yes -branches: - only: - - master - - /^v\d/ -notifications: - email: false - webhooks: https://voxpupu.li/incoming/travis - irc: - on_success: always - on_failure: always - channels: - - "chat.freenode.org#voxpupuli-notifications" -deploy: - provider: puppetforge - username: puppet - password: - secure: "S+FbvY0fDhzg5uPJZm/mkJCGTUuA2ps2Yay9pPrkjTuCqYcbhjm/NOhXPRWJDONo/3Zo7vQZey9PKcsdK3hznwlfkvB1Ghb/829655lZ2lwHZCoZfGURV/FB+ztjyVT2B/xOwisjz8OGQ8AECOX7l6SjUHzLZWZxpSUWYKTLOAyD+b08jR9eiQBshxjmhxzXl+shHXXRVnGo9TEjPMLXqKpwirNucKjHYdWcYcD+Z1Yfacu3O6Ry4PqCZ0VfRf+ahIbUcnriEke1IF6NU0VquyyaSw1nYrTAUW3bHeRTyAU3Uruh2O+lXRkt8UuxDhFs17JLbrb+0a8odr0mg6kdVowEuPYJSCMEUciyoi6ztHJiVceXK2rge5Yi0jw120wRK/cWxDImc8hUh9atGgE5VzMIzu3DJOcpslVSc+iffCPg3/EVol/Ekg9WVb4s1Vj7XFwjczXVaG7mJVF5HSg0JrP+xz1rTvVLvNaNVtZDvEYphscBBUt8ujqqmz4oICWSNa7wo1JLEd1qBwPk+tgmGr1EB3wvcU12KjKotswSjkG2uqNwKO7b9ETUMOzaIxo5dLOr5pUrV9LCDIBAzkeD8HqX6pNHJE1qhZJxLUWOVaDrQNBbJp6yY5xmkg5oNwykPAGKJXAuzTYlBjYBs7ss9RO/Wpn73ExnHEI9DX43rfo=" - on: - tags: true - # all_branches is required to use tags - all_branches: true - # Only publish the build marked with "DEPLOY_TO_FORGE" - condition: "$DEPLOY_TO_FORGE = yes" diff --git a/.yardopts b/.yardopts deleted file mode 100644 index 3687f518..00000000 --- a/.yardopts +++ /dev/null @@ -1,2 +0,0 @@ ---markup markdown ---output-dir docs/ diff --git a/Gemfile b/Gemfile index 2936879e..096575c4 100644 --- a/Gemfile +++ b/Gemfile @@ -4,10 +4,10 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 5.4', :require => false + gem 'voxpupuli-test', '~> 7.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 1.0', :require => false + gem 'puppet_metadata', '~> 3.0', :require => false gem 'mocha', '~> 1.10.0', :require => false end @@ -17,20 +17,19 @@ group :development do end group :system_tests do - gem 'voxpupuli-acceptance', '~> 1.0', :require => false - gem 'simp-beaker-helpers', :require => false + gem 'voxpupuli-acceptance', '~> 2.0', :require => false end group :release do - gem 'github_changelog_generator', '>= 1.16.1', :require => false if RUBY_VERSION >= '2.5' - gem 'voxpupuli-release', '>= 1.2.0', :require => false - gem 'puppet-strings', '>= 2.2', :require => false + gem 'github_changelog_generator', '>= 1.16.1', :require => false + gem 'voxpupuli-release', '~> 3.0', :require => false + gem 'faraday-retry', '~> 2.1', :require => false end gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_GEM_VERSION'] || '>= 6.0' +puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/README.md b/README.md index e4e6094d..1c2e2716 100644 --- a/README.md +++ b/README.md @@ -17,11 +17,8 @@ policies, ports, and rich rules. ## Compatibility -Latest versions of this module (3.0+) are only supported on Puppet -4.0+. 2.2.0 is the latest version to run on Puppet 3.x, important -patches (security bugs..etc) will be accepted in the 2.x until Puppet -3.x is offically end-of-life, but new features will only be accepted -in 3.x. +Latest versions of this module are only supported on Puppet +7.0+. ## Usage diff --git a/Rakefile b/Rakefile index f92f0516..0e599eb9 100644 --- a/Rakefile +++ b/Rakefile @@ -24,6 +24,10 @@ end begin require 'voxpupuli/release/rake_tasks' rescue LoadError + # voxpupuli-release not present +else + GCGConfig.user = 'voxpupuli' + GCGConfig.project = 'puppet-firewalld' end desc "Run main 'test' task and report merged results to coveralls" @@ -37,36 +41,4 @@ task test_with_coveralls: [:test] do end end -desc 'Generate REFERENCE.md' -task :reference, [:debug, :backtrace] do |t, args| - patterns = '' - Rake::Task['strings:generate:reference'].invoke(patterns, args[:debug], args[:backtrace]) -end - -begin - require 'github_changelog_generator/task' - require 'puppet_blacksmith' - GitHubChangelogGenerator::RakeTask.new :changelog do |config| - metadata = Blacksmith::Modulefile.new - config.future_release = "v#{metadata.version}" if metadata.version =~ /^\d+\.\d+.\d+$/ - config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." - config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} - config.user = 'voxpupuli' - config.project = metadata.metadata['name'] - end - - # Workaround for https://github.com/github-changelog-generator/github-changelog-generator/issues/715 - require 'rbconfig' - if RbConfig::CONFIG['host_os'] =~ /linux/ - task :changelog do - puts 'Fixing line endings...' - changelog_file = File.join(__dir__, 'CHANGELOG.md') - changelog_txt = File.read(changelog_file) - new_contents = changelog_txt.gsub(%r{\r\n}, "\n") - File.open(changelog_file, "w") {|file| file.puts new_contents } - end - end - -rescue LoadError -end # vim: syntax=ruby diff --git a/lib/puppet/provider/firewalld_custom_service/firewall_cmd.rb b/lib/puppet/provider/firewalld_custom_service/firewall_cmd.rb index f2ea1a9b..77bea5f3 100644 --- a/lib/puppet/provider/firewalld_custom_service/firewall_cmd.rb +++ b/lib/puppet/provider/firewalld_custom_service/firewall_cmd.rb @@ -218,7 +218,7 @@ def destinations return @destinations if @destinations @destinations = execute_firewall_cmd(['--service', @resource[:name], '--get-destinations'], nil).strip.split(%r{\s+}) - @destinations = @destinations.map { |x| x.split(':', 2) }.to_h + @destinations = @destinations.to_h { |x| x.split(':', 2) } @destinations end diff --git a/lib/puppet/provider/firewalld_policy/firewall_cmd.rb b/lib/puppet/provider/firewalld_policy/firewall_cmd.rb index 7d488701..3a8bb53f 100644 --- a/lib/puppet/provider/firewalld_policy/firewall_cmd.rb +++ b/lib/puppet/provider/firewalld_policy/firewall_cmd.rb @@ -43,7 +43,7 @@ def target policy_target end - def target=(_t) + def target=(__target) debug("Setting target for policy #{@resource[:name]} to #{@resource[:target]}") execute_firewall_cmd_policy(['--set-target', @resource[:target]]) end diff --git a/lib/puppet/provider/firewalld_zone/firewall_cmd.rb b/lib/puppet/provider/firewalld_zone/firewall_cmd.rb index ac871c6b..a9548cf6 100644 --- a/lib/puppet/provider/firewalld_zone/firewall_cmd.rb +++ b/lib/puppet/provider/firewalld_zone/firewall_cmd.rb @@ -23,6 +23,7 @@ def create self.sources = (@resource[:sources]) if @resource[:sources] self.interfaces = @resource[:interfaces] self.icmp_blocks = (@resource[:icmp_blocks]) if @resource[:icmp_blocks] + self.icmp_block_inversion = (@resource[:icmp_block_inversion]) if @resource[:icmp_block_inversion] self.description = (@resource[:description]) if @resource[:description] self.short = (@resource[:short]) if @resource[:short] end @@ -42,7 +43,7 @@ def target zone_target end - def target=(_t) + def target=(__target) debug("Setting target for zone #{@resource[:name]} to #{@resource[:target]}") execute_firewall_cmd(['--set-target', @resource[:target]]) end @@ -143,7 +144,7 @@ def icmp_blocks=(new_icmp_blocks) else raise Puppet::Error, 'parameter icmp_blocks must be a string or array of strings!' end - unless remove_blocks.empty? + unless remove_blocks.empty? # should this list the zone explicitly remove_blocks.each do |block| execute_firewall_cmd(['--remove-icmp-block', block]) end @@ -156,7 +157,7 @@ def icmp_blocks=(new_icmp_blocks) end def icmp_block_inversion - if execute_firewall_cmd(['--query-icmp-block-inversion'], @resource[:name], true, false).chomp == 'no' + if execute_firewall_cmd(['--query-icmp-block-inversion'], @resource[:name]).chomp == 'no' :false else :true @@ -166,9 +167,11 @@ def icmp_block_inversion def icmp_block_inversion=(bool) case bool when :true - execute_firewall_cmd(['--add-icmp-block-inversion'], @resource[:name], true, false) + debug("adding icmp block inversion for zone #{@resource[:name]}") + execute_firewall_cmd(['--add-icmp-block-inversion'], @resource[:name]) when :false - execute_firewall_cmd(['--remove-icmp-block-inversion'], @resource[:name], true, false) + debug("removing icmp block inversion for zone #{@resource[:name]}") + execute_firewall_cmd(['--remove-icmp-block-inversion'], @resource[:name]) end end diff --git a/lib/puppet/type/firewalld_direct_purge.rb b/lib/puppet/type/firewalld_direct_purge.rb index e47f4219..ba5781a1 100644 --- a/lib/puppet/type/firewalld_direct_purge.rb +++ b/lib/puppet/type/firewalld_direct_purge.rb @@ -22,8 +22,7 @@ ensurable do defaultto(:purged) - newvalue(:purgable) do - end + newvalue(:purgable) newvalue(:purged) do true end diff --git a/lib/puppet/type/firewalld_ipset.rb b/lib/puppet/type/firewalld_ipset.rb index 71fa63fb..ee0c972b 100644 --- a/lib/puppet/type/firewalld_ipset.rb +++ b/lib/puppet/type/firewalld_ipset.rb @@ -13,10 +13,10 @@ } " - def po2?(n) + def po2?(num) # A power of two value in binary representation only has one "1" in it. # ie. 01 10, 100 etc. are all power of 2. - n.to_s(2).count('1') == 1 + num.to_s(2).count('1') == 1 end ensurable do diff --git a/lib/puppet/type/firewalld_policy.rb b/lib/puppet/type/firewalld_policy.rb index e09568c6..0ef7defa 100644 --- a/lib/puppet/type/firewalld_policy.rb +++ b/lib/puppet/type/firewalld_policy.rb @@ -204,7 +204,7 @@ def validate_zone_list(attr) raise Puppet::Error, "parameter #{attr} must be an array of strings!" unless self[attr].is_a?(Array) - raise Puppet::Error, "parameter #{attr} must contain at least one zone!" if self[attr].length.zero? + raise Puppet::Error, "parameter #{attr} must contain at least one zone!" if self[attr].empty? self[attr].each do |element| case element diff --git a/manifests/init.pp b/manifests/init.pp index 6dcd4b74..38ad5a3c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -175,20 +175,45 @@ if $default_zone { exec { 'firewalld::set_default_zone': - command => "firewall-cmd --set-default-zone ${default_zone} || firewall-offline-cmd --set-default-zone ${default_zone}", - unless => "[ $(firewall-cmd --get-default-zone || firewall-offline-cmd --get-default-zone) = ${default_zone} ]", + command => 'true', + unless => 'true', + require => [Exec['firewalld::set_default_zone_active'], Exec['firewalld::set_default_zone_offline'], Service['firewalld']], + } + + exec { 'firewalld::set_default_zone_active': + command => ['firewall-cmd', '--set-default-zone', $default_zone], + unless => "[ $(firewall-cmd --get-default-zone) = ${default_zone} ]", + onlyif => 'firewall-cmd --state', require => Service['firewalld'], } + exec { 'firewalld::set_default_zone_offline': + command => ['firewall-offline-cmd', '--set-default-zone', $default_zone], + unless => ["[ $(firewall-offline-cmd --get-default-zone) = ${default_zone} ]", 'firewall-cmd --state',], + } + Firewalld_zone <||> -> Exec['firewalld::set_default_zone'] + Firewalld_zone <||> -> Exec['firewalld::set_default_zone_active'] + Firewalld_zone <||> -> Exec['firewalld::set_default_zone_offline'] } if $log_denied { exec { 'firewalld::set_log_denied': - command => "firewall-cmd --set-log-denied ${log_denied} || firewall-offline-cmd --set-log-denied ${log_denied}", - unless => "[ $(firewall-cmd --get-log-denied || firewall-offline-cmd --get-log-denied) = ${log_denied} ]", + command => 'true', + unless => 'true', + require => [Exec['firewalld::set_log_denied_active'], Exec['firewalld::set_log_denied_offline'], Service['firewalld']], + } + + exec { 'firewalld::set_log_denied_active': + command => ['firewall-cmd', '--set-log-denied', $log_denied], + unless => "[ $(firewall-cmd --get-log-denied) = ${log_denied} ]", + onlyif => 'firewall-cmd --state', require => Service['firewalld'], } + exec { 'firewalld::set_log_denied_offline': + command => ['firewall-offline-cmd', '--set-log-denied', $log_denied], + unless => ["[ $(firewall-offline-cmd --get-log-denied) = ${log_denied} ]", 'firewall-cmd --state'], + } } Augeas { diff --git a/metadata.json b/metadata.json index a94d2b62..03d827a7 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppet-firewalld", - "version": "4.5.2-rc0", + "version": "5.0.0-rc0", "author": "Vox Pupuli", "summary": "Configure firewalld zones, services, and rich rules and direct config", "license": "Apache-2.0", @@ -23,21 +23,30 @@ "operatingsystem": "RedHat", "operatingsystemrelease": [ "7", - "8" + "8", + "9" + ] + }, + { + "operatingsystem": "AlmaLinux", + "operatingsystemrelease": [ + "8", + "9" ] }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ "7", - "8" + "8", + "9" ] }, { - "operatingsystem": "OracleLinux", + "operatingsystem": "Rocky", "operatingsystemrelease": [ - "7", - "8" + "8", + "9" ] }, { diff --git a/rakelib/simp.rake b/rakelib/simp.rake deleted file mode 100644 index c1c667c2..00000000 --- a/rakelib/simp.rake +++ /dev/null @@ -1,7 +0,0 @@ -begin - require 'simp/rake/beaker' - - Simp::Rake::Beaker.new(File.join(File.dirname(__FILE__), '..')) -rescue LoadError - $stderr.puts('simp-beaker-helpers not loaded, some acceptance test functionality may be missing') -end diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/00_default_spec.rb similarity index 89% rename from spec/acceptance/suites/default/00_default_spec.rb rename to spec/acceptance/00_default_spec.rb index 39aff73e..47106468 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/00_default_spec.rb @@ -2,6 +2,8 @@ require 'spec_helper_acceptance' +UNSUPPORTED_PLATFORMS = %w[windows Darwin].freeze + describe 'firewalld', unless: UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do # This is a VERY MINIMAL test # @@ -20,19 +22,19 @@ class { 'firewalld': class ssh_test { firewalld_service{ 'test_sshd': zone => 'test' } - # TODO: Switch this when the defined type gets deprecated - firewalld::custom_service{ 'test_sshd': + firewalld_custom_service{ 'test_sshd': description => 'Test SSH Access', - port => [{ 'port' => '22', 'protocol' => 'tcp' }] + ports => [{ 'port' => '22', 'protocol' => 'tcp' }] } } firewalld_zone{ 'test': - ensure => 'present', - purge_rich_rules => true, - purge_services => true, - purge_ports => true, - target => 'DROP' + ensure => 'present', + purge_rich_rules => true, + purge_services => true, + purge_ports => true, + target => 'DROP', + icmp_block_inversion => true, } class other_service { @@ -54,7 +56,7 @@ class other_service { <<-EOM firewalld_custom_service{ 'test_thing': description => 'Random service test', - ports => ['1234/tcp', { 'port' => '1234', 'protocol' => 'udp' }], + ports => [{ 'port' => '1234', 'protocol' => 'tcp' }, { 'port' => '1234', 'protocol' => 'udp' }], protocols => ['ip', 'smp'], modules => ['nf_conntrack_tftp', 'nf_conntrack_snmp'], ipv4_destination => '1.2.3.4/23', @@ -122,7 +124,7 @@ class other_service { <<-EOM firewalld_custom_service{ 'test_thing': short => 'Short test', - ports => ['1235/tcp', { 'port' => '1236', 'protocol' => 'tcp' }], + ports => [{ 'port' => '1236', 'protocol' => 'tcp' }], } EOM end @@ -149,7 +151,7 @@ class other_service { end it 'has the proper ports' do - expect(on(host, 'firewall-cmd --permanent --service=test_thing --get-ports').output.strip).to eq('1235/tcp 1236/tcp') + expect(on(host, 'firewall-cmd --permanent --service=test_thing --get-ports').output.strip).to eq('1236/tcp') end it 'has no protocols' do @@ -173,7 +175,7 @@ class other_service { firewalld_custom_service{ 'dhcp': short => 'DHCP Override', description => 'The DHCP Defaults are Silly', - ports => ['1234/tcp', { 'port' => '1234', 'protocol' => 'udp' }], + ports => [{ 'port' => '1234', 'protocol' => 'udp' }], protocols => ['ip', 'smp'], modules => ['nf_conntrack_tftp', 'nf_conntrack_snmp'], ipv4_destination => '1.2.3.4/23', @@ -190,6 +192,7 @@ class other_service { end it 'is idempotent' do + apply_manifest_on(host, manifest, catch_failures: true) apply_manifest_on(host, manifest, catch_changes: true) end @@ -199,6 +202,7 @@ class other_service { end it 'is idempotent' do + apply_manifest_on(host, cleanup_manifest, catch_failures: true) apply_manifest_on(host, cleanup_manifest, catch_changes: true) end end @@ -243,12 +247,5 @@ class other_service { end end end - - context 'disable firewalld' do - it 'returns a fact when firewalld is not running' do - on(host, 'puppet resource service firewalld ensure=stopped') - expect(pfact_on(host, 'firewalld_version')).to match(%r{^\d}) - end - end end end diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml deleted file mode 100644 index 1eb8ecb8..00000000 --- a/spec/acceptance/nodesets/default.yml +++ /dev/null @@ -1,19 +0,0 @@ -HOSTS: - centos-7-x64: - roles: - - default - platform: el-7-x86_64 - box: centos/7 - hypervisor: vagrant - - centos-8-x64: - platform: el-8-x86_64 - box: centos/8 - hypervisor: vagrant - -CONFIG: - type: aio - vagrant_memsize: 256 - log_level: verbose - synced_folder: disabled - puppet_collection: puppet6 diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 57b81911..72af323c 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -17,21 +17,29 @@ # it { pp catalogue.resources } context 'with defaults for all parameters' do - it { is_expected.to contain_class('firewalld') } + context 'supported operating systems' do + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) { facts.merge({ firewalld_version: '0.5.0' }) } - it { - is_expected.to contain_package('firewalld'). - with_ensure('installed'). - that_notifies('Service[firewalld]') - } + it { is_expected.to contain_class('firewalld') } - it { - is_expected.to contain_service('firewalld'). - with_ensure('running'). - with_enable(true) - } + it { + is_expected.to contain_package('firewalld'). + with_ensure('installed'). + that_notifies('Service[firewalld]') + } + + it { + is_expected.to contain_service('firewalld'). + with_ensure('running'). + with_enable(true) + } - it { is_expected.not_to contain_augeas('firewalld::firewallbackend') } + it { is_expected.not_to contain_augeas('firewalld::firewallbackend') } + end + end + end end context 'when defining a default zone' do @@ -42,10 +50,16 @@ end it do - is_expected.to contain_exec('firewalld::set_default_zone').with( - command: 'firewall-cmd --set-default-zone restricted || firewall-offline-cmd --set-default-zone restricted', - unless: '[ $(firewall-cmd --get-default-zone || firewall-offline-cmd --get-default-zone) = restricted ]' + is_expected.to contain_exec('firewalld::set_default_zone').that_requires('Service[firewalld]') + is_expected.to contain_exec('firewalld::set_default_zone_active').with( + command: ['firewall-cmd', '--set-default-zone', 'restricted'], + unless: '[ $(firewall-cmd --get-default-zone) = restricted ]', + onlyif: 'firewall-cmd --state' ).that_requires('Service[firewalld]') + is_expected.to contain_exec('firewalld::set_default_zone_offline').with( + command: ['firewall-offline-cmd', '--set-default-zone', 'restricted'], + unless: ['[ $(firewall-offline-cmd --get-default-zone) = restricted ]', 'firewall-cmd --state'] + ) end end @@ -242,10 +256,16 @@ end it do - is_expected.to contain_exec('firewalld::set_default_zone').with( - command: 'firewall-cmd --set-default-zone public || firewall-offline-cmd --set-default-zone public', - unless: '[ $(firewall-cmd --get-default-zone || firewall-offline-cmd --get-default-zone) = public ]' + is_expected.to contain_exec('firewalld::set_default_zone').that_requires('Service[firewalld]') + is_expected.to contain_exec('firewalld::set_default_zone_active').with( + command: ['firewall-cmd', '--set-default-zone', 'public'], + unless: '[ $(firewall-cmd --get-default-zone) = public ]', + onlyif: 'firewall-cmd --state' ).that_requires('Service[firewalld]') + is_expected.to contain_exec('firewalld::set_default_zone_offline').with( + command: ['firewall-offline-cmd', '--set-default-zone', 'public'], + unless: ['[ $(firewall-offline-cmd --get-default-zone) = public ]', 'firewall-cmd --state'] + ) end end @@ -258,10 +278,16 @@ end it do - is_expected.to contain_exec('firewalld::set_log_denied').with( - command: "firewall-cmd --set-log-denied #{cond} || firewall-offline-cmd --set-log-denied #{cond}", - unless: "[ \$\(firewall-cmd --get-log-denied || firewall-offline-cmd --get-log-denied) = #{cond} ]" + is_expected.to contain_exec('firewalld::set_log_denied').that_requires('Service[firewalld]') + is_expected.to contain_exec('firewalld::set_log_denied_active').with( + command: ['firewall-cmd', '--set-log-denied', cond], + unless: "[ $(firewall-cmd --get-log-denied) = #{cond} ]", + onlyif: 'firewall-cmd --state' ).that_requires('Service[firewalld]') + is_expected.to contain_exec('firewalld::set_log_denied_offline').with( + command: ['firewall-offline-cmd', '--set-log-denied', cond], + unless: ["[ $(firewall-offline-cmd --get-log-denied) = #{cond} ]", 'firewall-cmd --state'] + ) end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index e911dbef..3b8712f9 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,8 +1,7 @@ # frozen_string_literal: true -# This file is managed via modulesync -# https://github.com/voxpupuli/modulesync -# https://github.com/voxpupuli/modulesync_config +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ RSpec.configure do |c| c.mock_with :mocha @@ -14,9 +13,12 @@ require 'voxpupuli/test/spec_helper' +add_mocked_facts! + if File.exist?(File.join(__dir__, 'default_module_facts.yml')) facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml'))) facts&.each do |name, value| add_custom_fact name.to_sym, value end end +Dir['./spec/support/spec/**/*.rb'].sort.each { |f| require f } diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 09bdbdf9..2681792e 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -1,34 +1,10 @@ # frozen_string_literal: true -require 'beaker-rspec' -require 'tmpdir' -require 'yaml' -require 'simp/beaker_helpers' -include Simp::BeakerHelpers +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -UNSUPPORTED_PLATFORMS = %w[windows Darwin].freeze +require 'voxpupuli/acceptance/spec_helper_acceptance' -unless ENV['BEAKER_provision'] == 'no' - hosts.each do |host| - # Install Puppet - if host.is_pe? - install_pe - else - install_puppet - end - end -end +configure_beaker(modules: :metadata) -RSpec.configure do |c| - # ensure that environment OS is ready on each host - fix_errata_on hosts - - # Readable test descriptions - c.formatter = :documentation - - # Configure all nodes in nodeset - c.before :suite do - # Install modules and dependencies from spec/fixtures/modules - copy_fixture_modules_to(hosts) - end -end +Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } diff --git a/spec/unit/facter/firewalld_version_spec.rb b/spec/unit/facter/firewalld_version_spec.rb index bb943e13..4deea93a 100644 --- a/spec/unit/facter/firewalld_version_spec.rb +++ b/spec/unit/facter/firewalld_version_spec.rb @@ -9,7 +9,7 @@ Process.stubs(:uid).returns(0) Facter::Core::Execution.stubs(:exec).with('uname -s').returns('Linux') Facter::Util::Resolution.stubs(:which).with('firewall-offline-cmd').returns('/usr/bin/firewall-offline-cmd') - Facter::Core::Execution.stubs(:execute).with('/usr/bin/firewall-offline-cmd --version', on_fail: :failed).returns(firewalld_version) + Facter::Core::Execution.stubs(:execute).with('/usr/bin/firewall-offline-cmd --version', on_fail: :failed).returns(firewalld_version.dup) end let(:python_args) do diff --git a/spec/unit/puppet/provider/firewalld_custom_service_spec.rb b/spec/unit/puppet/provider/firewalld_custom_service_spec.rb index 98576d95..cbd389d8 100644 --- a/spec/unit/puppet/provider/firewalld_custom_service_spec.rb +++ b/spec/unit/puppet/provider/firewalld_custom_service_spec.rb @@ -55,13 +55,13 @@ provider.expects(:execute_firewall_cmd).with(['--get-services'], nil).returns("#{resource[:name]} foo bar baz") provider.expects(:execute_firewall_cmd).with(['--path-service', resource[:name]], nil).returns('/etc/foo_bar_baz.xml') - expect(provider.exists?).to eq true + expect(provider.exists?).to be true end it 'does not exist when not returned by the system' do provider.expects(:execute_firewall_cmd).with(['--get-services'], nil).returns('foo bar baz') - expect(provider.exists?).to eq false + expect(provider.exists?).to be false end end diff --git a/spec/unit/puppet/provider/firewalld_zone_spec.rb b/spec/unit/puppet/provider/firewalld_zone_spec.rb index 4bf2bac6..6fa7850f 100644 --- a/spec/unit/puppet/provider/firewalld_zone_spec.rb +++ b/spec/unit/puppet/provider/firewalld_zone_spec.rb @@ -31,6 +31,7 @@ resource.expects(:[]).with(:sources).returns(nil).at_least_once resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once + resource.expects(:[]).with(:icmp_block_inversion).returns(false).at_least_once resource.expects(:[]).with(:description).returns(nil).at_least_once resource.expects(:[]).with(:short).returns('little description').at_least_once provider.expects(:execute_firewall_cmd).with(['--list-interfaces']) @@ -50,6 +51,7 @@ resource.expects(:[]).with(:sources).returns(nil).at_least_once resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once + resource.expects(:[]).with(:icmp_block_inversion).returns(false).at_least_once resource.expects(:[]).with(:description).returns(nil).at_least_once resource.expects(:[]).with(:short).returns('little description').at_least_once provider.expects(:execute_firewall_cmd).with(['--list-interfaces']) diff --git a/spec/unit/puppet/type/firewalld_policy_spec.rb b/spec/unit/puppet/type/firewalld_policy_spec.rb index 56a1f461..8fb7cddd 100644 --- a/spec/unit/puppet/type/firewalld_policy_spec.rb +++ b/spec/unit/puppet/type/firewalld_policy_spec.rb @@ -78,8 +78,8 @@ described_class.new(name: 'bad ingress_zones', ingress_zones: [symbolic_zone, 'public'], egress_zones: ['restricted']) - end.to raise_error(%r{parameter ingress_zones must contain a single symbolic zone or one or more regular zones}) - end + end + end.to raise_error(%r{parameter ingress_zones must contain a single symbolic zone or one or more regular zones}) end it 'rejects bad egress_zones combinations' do @@ -88,8 +88,8 @@ described_class.new(name: 'bad egress_zones', ingress_zones: ['public'], egress_zones: [symbolic_zone, 'restricted']) - end.to raise_error(%r{parameter egress_zones must contain a single symbolic zone or one or more regular zones}) - end + end + end.to raise_error(%r{parameter egress_zones must contain a single symbolic zone or one or more regular zones}) end it 'accepts lone symbolic ingress_zones' do diff --git a/spec/unit/puppet/type/firewalld_zone_spec.rb b/spec/unit/puppet/type/firewalld_zone_spec.rb index dd6dd0b2..0d895abd 100644 --- a/spec/unit/puppet/type/firewalld_zone_spec.rb +++ b/spec/unit/puppet/type/firewalld_zone_spec.rb @@ -70,6 +70,7 @@ provider.expects(:execute_firewall_cmd).with(['--set-target', '%%REJECT%%']) provider.expects(:icmp_blocks=).with(%w[redirect router-advertisment]) + provider.expects(:icmp_block_inversion=).with(:true) provider.expects(:sources).returns([]) provider.expects(:execute_firewall_cmd).with(['--add-source', '192.168.2.2']) @@ -120,16 +121,21 @@ end it 'sets icmp_block_inversion' do - provider.expects(:execute_firewall_cmd).with(['--query-icmp-block-inversion'], 'restricted', true, false).returns('no') - provider.expects(:execute_firewall_cmd).with(['--add-icmp-block-inversion'], 'restricted', true, false) - expect(provider.icmp_block_inversion).to eq(:false) + provider.expects(:execute_firewall_cmd).with(['--query-icmp-block-inversion'], 'restricted').returns('no') + provider.expects(:execute_firewall_cmd).with(['--add-icmp-block-inversion'], 'restricted') end it 'gets icmp_blocks' do + # shouldn't this list the zone? provider.expects(:execute_firewall_cmd).with(['--list-icmp-blocks']).returns('val') expect(provider.icmp_blocks).to eq(['val']) end + it 'sets icmp_blocks' do + # shouldn't this list the zone? + provider.expects(:execute_firewall_cmd).with(['--add-icmp-blocks', 'redirect,router-advertisment']) + end + it 'lists icmp types' do provider.expects(:execute_firewall_cmd).with(['--get-icmptypes'], nil).returns('echo-reply echo-request') expect(provider.get_icmp_types).to eq(%w[echo-reply echo-request])