Update interface so that interface can only be applied to one zone.

vrindle · vrindle · commit 3d3e7261d77c · 2021-10-15T16:19:26.000-04:00
diff --git a/library/firewall_lib.py b/library/firewall_lib.py
@@ -179,6 +179,41 @@
     HAS_FIREWALLD = False
 
 
+def handle_interface_permanent(
+    zone, item, fw_zone, fw_settings, fw, fw_offline, module
+):
+    if fw_offline:
+        iface_zone_objs = []
+        for zone in fw.config.get_zones():
+            old_zone_obj = fw.config.get_zone(zone)
+            if item in old_zone_obj.interfaces:
+                iface_zone_objs.append(old_zone_obj)
+        if len(iface_zone_objs) > 1:
+            module.fail_json(
+                msg="ERROR: interface {0} is in {1} zone XML files, can only be in one".format(
+                    item, len(iface_zone_objs)
+                )
+            )
+        old_zone_obj = iface_zone_objs[0]
+        if old_zone_obj.name != zone:
+            old_zone_settings = FirewallClientZoneSettings(
+                fw.config.get_zone_config(old_zone_obj)
+            )
+            old_zone_settings.removeInterface(item)
+            fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
+            fw_settings.addInterface(item)
+            fw.config.set_zone_config(fw_zone, fw_settings.settings)
+    else:
+        old_zone_name = fw.config().getZoneOfInterface(item)
+        if old_zone_name != zone:
+            if old_zone_name:
+                old_zone_obj = fw.config().getZoneByName(old_zone_name)
+                old_zone_settings = old_zone_obj.getSettings()
+                old_zone_settings.removeInterface(item)
+                old_zone_obj.update(old_zone_settings)
+            fw_settings.addInterface(item)
+
+
 def parse_port(module, item):
     _port, _protocol = item.split("/")
     if _protocol is None:
@@ -683,7 +718,9 @@ def exception_handler(exception_message):
                 changed = True
             if permanent and not fw_settings.queryInterface(item):
                 if not module.check_mode:
-                    fw_settings.addInterface(item)
+                    handle_interface_permanent(
+                        zone, item, fw_zone, fw_settings, fw, fw_offline, module
+                    )
                 changed = True
         elif state == "disabled":
             if runtime and fw.queryInterface(zone, item):
diff --git a/tests/unit/test_firewall_lib.py b/tests/unit/test_firewall_lib.py
@@ -179,7 +179,6 @@
         "enabled": {
             "expected": {
                 "runtime": [call("default", "eth2")],
-                "permanent": [call("eth2")],
             }
         },
         "disabled": {
@@ -263,6 +262,64 @@ def __call__(self, **kwargs):
         return am
 
 
+class FirewallInterfaceTests(unittest.TestCase):
+    """class to test Firewall interface tests"""
+
+    @patch("firewall_lib.FirewallClientZoneSettings", create=True)
+    @patch("firewall_lib.FirewallClient", create=True)
+    @patch("firewall_lib.HAS_FIREWALLD", True)
+    @patch("firewall_lib.FW_VERSION", "0.3.8", create=True)
+    def test_handle_interface_offline_true(self, zone_settings, firewall_class):
+        module = Mock()
+        zone = "dmz"
+        item = "eth2"
+        fw = firewall_class.return_value
+        fw_config = Mock()
+        fw.config.return_value = fw_config
+        fw_zone = Mock()
+        fw.config.getZoneByName.return_value = fw_zone
+        fw_settings = Mock()
+        fw.config.getZoneByName.getSettings.return_value = fw_settings
+        fw_offline = True
+        fw.config.get_zones.return_value = ["dmz"]
+        fw_zone_two = Mock()
+        fw.config.get_zone.return_value = fw_zone_two
+        fw_zone_two.interfaces = ["eth2"]
+
+        firewall_lib.handle_interface_permanent(
+            zone, item, fw_zone, fw_settings, fw, fw_offline, module
+        )
+        called_mock = getattr(fw_settings, "addInterface")
+        assert [call("eth2")] == called_mock.call_args_list
+
+    @patch("firewall_lib.FirewallClientZoneSettings", create=True)
+    @patch("firewall_lib.FirewallClient", create=True)
+    @patch("firewall_lib.HAS_FIREWALLD", True)
+    @patch("firewall_lib.FW_VERSION", "0.3.8", create=True)
+    def test_handle_interface_offline_false(self, zone_settings, firewall_class):
+        module = Mock()
+        zone = "dmz"
+        item = "eth2"
+        fw = firewall_class.return_value
+        fw_config = Mock()
+        fw.config.return_value = fw_config
+        fw_zone = Mock()
+        fw.config.getZoneByName.return_value = fw_zone
+        fw_settings = Mock()
+        fw.config.getZoneByName.getSettings.return_value = fw_settings
+        fw_offline = False
+        fw.config.get_zones.return_value = ["dmz"]
+        fw_zone_two = Mock()
+        fw.config.get_zone.return_value = fw_zone_two
+        fw_zone_two.interfaces = ["eth2"]
+
+        firewall_lib.handle_interface_permanent(
+            zone, item, fw_zone, fw_settings, fw, fw_offline, module
+        )
+        called_mock = getattr(fw_settings, "addInterface")
+        assert [call("eth2")] == called_mock.call_args_list
+
+
 class FirewallLibParsers(unittest.TestCase):
     """test param to profile conversion and vice versa"""
 
