Improve test coverage of the firewall command

Refactor and update the existing firewall command test.

Add new tests to validate:
--disable
-- use-system-defaults

Validate how additional options are processed with --disable and
--use-system-defaults.

Also extend function.sh with a utility function for checking if
the installation journal contains a given regexp.

firewall-disable-with-options.ks.in

@@ -0,0 +1,57 @@
+#version=DEVEL
+#test name: firewall-disable-with-options
+#
+# Test that firewall can be properly disabled & all the
+# firewall options are still set correctly on the target system.
+%ksappend repos/default.ks
+
+%ksappend common/common_no_payload.ks
+%ksappend payload/default_packages.ks
+
+# TEST: firewall
+firewall --disable --port=22001:tcp,6400:udp --service=tftp,smtp
+
+%post
+# The firewall --disable kickstart command gets translated into firewall-offline-cmd --disable,
+# which simply disables the firewalld systemd unit. So by checking if the unit is disabled,
+# we can check if the kickstart command works correctly.
+systemctl is-enabled firewalld
+if [[ $? -eq 0 ]]; then
+    echo "*** firewalld.service should be disabled" >> /root/RESULT
+fi
+
+# Even though we disable the firewall, we still forward the options
+# to firewall-offline-cmd & they should be set properly.
+
+# Test for 22001/TCP
+firewall-offline-cmd --list-ports | grep 22001/tcp
+if [[ $? -ne 0 ]]; then
+    echo "*** Port 22001/tcp not allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for 6400/UDP
+firewall-offline-cmd --list-ports | grep 6400/udp
+if [[ $? -ne 0 ]]; then
+    echo "*** Port 6400/udp not allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for service tftp
+firewall-offline-cmd --list-services | grep tftp
+if [[ $? -ne 0 ]]; then
+    echo "*** Service tftp not allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for service smtp
+firewall-offline-cmd --list-services | grep smtp
+if [[ $? -ne 0 ]]; then
+    echo "*** Service smtp not allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for service sane (disabled)
+firewall-offline-cmd --list-services | grep sane
+if [[ $? -ne 1 ]]; then
+    echo "*** Service sane is allowed through the firewall enabled, should be disabled" >> /root/RESULT
+fi
+
+%ksappend validation/success_if_result_empty.ks
+%end

firewall-disable-with-options.sh

@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2019  Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.  You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.  Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): Martin Kolman <mkolman@redhat.com>
+
+TESTTYPE="network firewall"
+
+. ${KSTESTDIR}/functions.sh

firewall-disable.ks.in

@@ -0,0 +1,23 @@
+#version=DEVEL
+#test name: firewall-disable
+#
+# Test that firewall can be properly disabled.
+%ksappend repos/default.ks
+
+%ksappend common/common_no_payload.ks
+%ksappend payload/default_packages.ks
+
+# disable firewall
+firewall --disable
+
+%post
+# The firewall --disable kickstart command gets translated into firewall-offline-cmd --disable,
+# which simply disables the firewalld systemd unit. So by checking if the unit is disabled,
+# we can check if the kickstart command works correctly.
+systemctl is-enabled firewalld
+if [[ $? -eq 0 ]]; then
+    echo "*** firewalld.service should be disabled" >> /root/RESULT
+fi
+
+%ksappend validation/success_if_result_empty.ks
+%end

firewall-disable.sh

@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2019  Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.  You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.  Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): Martin Kolman <mkolman@redhat.com>
+
+TESTTYPE="network firewall"
+
+. ${KSTESTDIR}/functions.sh

firewall-use-system-defaults-ignore-options.ks.in

@@ -0,0 +1,57 @@
+
+#version=DEVEL
+#test name: firewall-use-system-defaults-ignore-options
+#
+# Test that firewall can be properly configured to use
+# system defaults. This basically means avoiding any
+# firewall-offline-cmd --enable/--disable calls and
+# simply leaving default distro provided firewall
+# configuration in place.
+%ksappend repos/default.ks
+
+%ksappend common/common_no_payload.ks
+%ksappend payload/default_packages.ks
+
+
+# Check no options are set to the target system when the
+# --use-system-defaults option is in place.
+firewall --use-system-defaults --port=22001:tcp,6400:udp --service=tftp,smtp
+
+%packages
+%end
+
+%post
+
+## TEST PROCEDURE
+# Test for 22001/TCP
+firewall-offline-cmd --list-ports | grep 22001/tcp
+if [[ $? -eq 0 ]]; then
+    echo "*** Port 22001/tcp should not be allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for 6400/UDP
+firewall-offline-cmd --list-ports | grep 6400/udp
+if [[ $? -eq 0 ]]; then
+    echo "*** Port 6400/udp should not be allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for service tftp
+firewall-offline-cmd --list-services | grep tftp
+if [[ $? -eq 0 ]]; then
+    echo "*** Service tftp should not be allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for service smtp
+firewall-offline-cmd --list-services | grep smtp
+if [[ $? -eq 0 ]]; then
+    echo "*** Service smtp should not be allowed through the firewall" >> /root/RESULT
+fi
+
+# Test for service sane (disabled)
+firewall-offline-cmd --list-services | grep sane
+if [[ $? -eq 0 ]]; then
+    echo "*** Service sane is allowed through the firewall, which is different from the default (disabled)" >> /root/RESULT
+fi
+
+%ksappend validation/success_if_result_empty.ks
+%end

firewall-use-system-defaults-ignore-options.sh

@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2019  Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.  You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.  Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): Martin Kolman <mkolman@redhat.com>
+
+TESTTYPE="network firewall"
+
+. ${KSTESTDIR}/functions.sh
+
+validate() {
+    # check if installation journal contains the expected
+    # "using system defaults" log message
+    regexp="ks file instructs to use system defaults for firewall, skipping configuration"
+    error="*** expected skipping-configuration message not found in installation journal"
+    validate_journal_contains $1 "${regexp}" "${error}"
+    if [[ $? != 0 ]]; then
+        cat ${1}/RESULT
+        return 1
+    fi
+
+    return $(validate_RESULT ${disksdir})
+}

firewall-use-system-defaults.ks.in

@@ -0,0 +1,25 @@
+#version=DEVEL
+#test name: firewall-use-system-defaults
+#
+# Test that firewall can be properly configured to use
+# system defaults. This basically means avoiding any
+# firewall-offline-cmd --enable/--disable calls and
+# simply leaving default distro provided firewall
+# configuration in place.
+%ksappend repos/default.ks
+
+%ksappend common/common_no_payload.ks
+%ksappend payload/default_packages.ks
+
+# disable firewall
+firewall --use-system-defaults
+
+%post
+# On Fedora firewall is enabled by default.
+systemctl is-enabled firewalld
+if [[ $? -eq 0 ]]; then
+    echo "*** firewall should be enabled" >> /root/RESULT
+fi
+
+%ksappend validation/success_if_result_empty.ks
+%end

firewall-use-system-defaults.sh

@@ -0,0 +1,36 @@
+#
+# Copyright (C) 2019  Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.  You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.  Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): Martin Kolman <mkolman@redhat.com>
+
+TESTTYPE="network firewall"
+
+. ${KSTESTDIR}/functions.sh
+
+validate() {
+    # check if installation journal contains the expected
+    # "using system defaults" log message
+    regexp="ks file instructs to use system defaults for firewall, skipping configuration"
+    error="*** expected skipping-configuration message not found in installation journal"
+    validate_journal_contains $1 "${regexp}" "${error}"
+    if [[ $? != 0 ]]; then
+        cat ${1}/RESULT
+        return 1
+    fi
+
+    return $(validate_RESULT ${disksdir})
+}

firewall.ks.in

@@ -1,60 +1,45 @@
 #version=DEVEL
 #test name: firewall
 %ksappend repos/default.ks
-install
-network --bootproto=dhcp
 
-bootloader --timeout=1
-zerombr
-clearpart --all --initlabel
-autopart
+%ksappend common/common_no_payload.ks
+%ksappend payload/default_packages.ks
 
-keyboard us
-lang en
-timezone America/New_York --utc
-rootpw testcase
-shutdown
-
-# TEST: firewall
+# test the firewall command
 firewall --enable --port=22001:tcp,6400:udp --service=tftp,smtp
 
-%packages
-%end
-
 %post
 
 ## TEST PROCEDURE
 # Test for 22001/TCP
 firewall-offline-cmd --list-ports | grep 22001/tcp
 if [[ $? -ne 0 ]]; then
-    echo "*** Firewall config for 22001/tcp" >> /root/RESULT
+    echo "*** Port 22001/tcp not allowed through the firewall" >> /root/RESULT
 fi
 
 # Test for 6400/UDP
 firewall-offline-cmd --list-ports | grep 6400/udp
 if [[ $? -ne 0 ]]; then
-    echo "*** Firewall config for 6400/udp failed" >> /root/RESULT
+    echo "*** Port 6400/udp not allowed through the firewall" >> /root/RESULT
 fi
 
 # Test for service tftp
 firewall-offline-cmd --list-services | grep tftp
 if [[ $? -ne 0 ]]; then
-    echo "*** Firewall service tftp not assigned" >> /root/RESULT
+    echo "*** Service tftp not allowed through the firewall" >> /root/RESULT
 fi
 
 # Test for service smtp
 firewall-offline-cmd --list-services | grep smtp
 if [[ $? -ne 0 ]]; then
-    echo "*** Firewall service smtp not assigned" >> /root/RESULT
+    echo "*** Service smtp not allowed through the firewall" >> /root/RESULT
 fi
 
 # Test for service sane (disabled)
 firewall-offline-cmd --list-services | grep sane
 if [[ $? -ne 1 ]]; then
-    echo "*** Firewall service sane enabled, should be disabled" >> /root/RESULT
+    echo "*** Service sane allowed through the firewall, should be disabled" >> /root/RESULT
 fi
 
-if [[ ! -e /root/RESULT ]]; then
-    echo SUCCESS > /root/RESULT
-fi
+%ksappend validation/success_if_result_empty.ks
 %end

firewall.sh

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2015  Red Hat, Inc.
+# Copyright (C) 2019  Red Hat, Inc.
 #
 # This copyrighted material is made available to anyone wishing to use,
 # modify, copy, or redistribute it subject to the terms and conditions of
@@ -16,7 +16,8 @@
 # Red Hat, Inc.
 #
 # Red Hat Author(s): Chris Lumens <clumens@redhat.com>
+#                    Martin Kolman <mkolman@redhat.com>
 
-TESTTYPE="network"
+TESTTYPE="network firewall"
 
 . ${KSTESTDIR}/functions.sh

functions.sh

@@ -128,6 +128,23 @@ validate() {
     return $?
 }
 
+validate_journal_contains() {
+    # Check if journal from the installation contains a regexp,
+    # write error message and return with 1 if the message has
+    # not been found.
+    disksdir=$1
+    regexp=$2
+    error=$3
+    args=$(for d in ${disksdir}/disk-*img; do echo -a ${d}; done)
+    # Copy the journal.log file
+    run_with_timeout 1000s "virt-copy-out ${args} /var/log/anaconda/journal.log ${disksdir}"
+    egrep -i "${regexp}" ${disksdir}/journal.log
+    if [[ $? != 0 ]]; then
+        echo "${error}" >> ${disksdir}/RESULT
+        return 1
+    fi
+}
+
 cleanup() {
     tmpdir=$1
 }