add integration tests (kitchen)

policy_create
rule_create

.kitchen.yml

@@ -0,0 +1,46 @@
+---
+driver_plugin: vagrant
+driver_config:
+  require_chef_omnibus: true
+
+platforms:
+- name: ubuntu-13.04
+  driver_config:
+    box: opscode-ubuntu-13.04
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_ubuntu-13.04_provisionerless.box
+
+- name: ubuntu-12.10
+  driver_config:
+    box: opscode-ubuntu-12.10
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_ubuntu-12.10_provisionerless.box
+
+- name: ubuntu-12.04
+  driver_config:
+    box: opscode-ubuntu-12.04
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_ubuntu-12.04_provisionerless.box
+
+- name: debian-7.1.0
+  driver_config:
+    box: opscode-debian-7.1.0
+    box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_debian-7.1.0_provisionerless.box
+
+- name: centos-6.4
+  driver_config:
+    box: opscode-centos-6.4
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
+
+- name: centos-5.9
+  driver_config:
+    box: opscode-centos-5.9
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_centos-5.9_provisionerless.box
+
+suites:
+- name: policy_create
+  run_list:
+  - recipe[minitest-handler]
+  - recipe[iptables_ng_test::policy_create]
+
+- name: rule_create
+  run_list:
+  - recipe[minitest-handler]
+  - recipe[iptables_ng_test::rule_create]

Berksfile

@@ -0,0 +1,8 @@
+site :opscode
+
+metadata
+
+group :integration do
+  cookbook 'minitest-handler'
+  cookbook 'iptables_ng_test', path: 'test/cookbooks/iptables_ng_test'
+end

test/cookbooks/iptables_ng_test/files/default/tests/minitest/policy_create_test.rb

@@ -0,0 +1,22 @@
+require File.expand_path('../support/helpers', __FILE__)
+
+describe 'iptables-ng::policy-create' do
+  include Helpers::TestHelpers
+
+  it 'should set default FORWARD policy to DROP' do
+    file('/etc/iptables.d/filter/FORWARD/default').must_include('DROP [0:0]')
+  end
+
+  it 'should enable iptables serices' do
+    service(node['iptables-ng']['service_ipv4']).must_be_enabled if node['iptables-ng']['service_ipv4']
+    service(node['iptables-ng']['service_ipv6']).must_be_enabled if node['iptables-ng']['service_ipv6']
+  end
+
+  it 'should apply the specified iptables rules' do
+    ipv4 = shell_out('iptables -L -n')
+    ipv4.stdout.must_include('Chain FORWARD (policy DROP)')
+
+    ipv6 = shell_out('ip6tables -L -n')
+    ipv6.stdout.must_include('Chain FORWARD (policy DROP)')
+  end
+end

test/cookbooks/iptables_ng_test/files/default/tests/minitest/rule_create_test.rb

@@ -0,0 +1,26 @@
+require File.expand_path('../support/helpers', __FILE__)
+
+describe 'iptables-ng::policy-create' do
+  include Helpers::TestHelpers
+
+  it 'should set SSH iptables rule' do
+    file('/etc/iptables.d/filter/INPUT/ssh.rule_v4').must_include('--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT')
+  end
+
+  it 'should set SSH ip6tables rule' do
+    file('/etc/iptables.d/filter/INPUT/ssh.rule_v6').must_include('--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT')
+  end
+
+  it 'should enable iptables serices' do
+    service(node['iptables-ng']['service_ipv4']).must_be_enabled if node['iptables-ng']['service_ipv4']
+    service(node['iptables-ng']['service_ipv6']).must_be_enabled if node['iptables-ng']['service_ipv6']
+  end
+
+  it 'should apply the specified iptables rules' do
+    ipv4 = shell_out('iptables -L -n')
+    ipv4.stdout.must_include('tcp dpt:22 state NEW')
+
+    ipv6 = shell_out('ip6tables -L -n')
+    ipv6.stdout.must_include('tcp dpt:22 state NEW')
+  end
+end

test/cookbooks/iptables_ng_test/files/default/tests/minitest/support/helpers.rb

@@ -0,0 +1,29 @@
+#
+# Cookbook Name:: iptables-ng
+# Recipe:: default
+#
+# Copyright 2012, Chris Aumann
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+module Helpers
+  module TestHelpers
+    require 'chef/mixin/shell_out'
+    include Chef::Mixin::ShellOut
+    include MiniTest::Chef::Assertions
+    include MiniTest::Chef::Context
+    include MiniTest::Chef::Resources
+  end
+end

test/cookbooks/iptables_ng_test/metadata.rb

@@ -0,0 +1,7 @@
+name             'iptables_ng_test'
+maintainer       'Chris Aumann'
+maintainer_email 'me@chr4.org'
+license          'GNU Public License 3.0'
+description       "This cookbook is used with test-kitchen to test the parent, iptables cookbook"
+version          '0.1.0'
+depends          'iptables-ng'

test/cookbooks/iptables_ng_test/recipes/policy_create.rb

@@ -0,0 +1,4 @@
+iptables_ng_policy 'FORWARD' do
+  policy 'DROP [0:0]'
+  action :create
+end

test/cookbooks/iptables_ng_test/recipes/rule_create.rb

@@ -0,0 +1,4 @@
+iptables_ng_rule 'ssh' do
+  rule   '--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT'
+  action :create
+end