Commit
Improve test coverage of the firewall command
Refactor and update the existing firewall command test.

Add new tests to validate:
--disable
--use-system-defaults

Validate how additional options are processed with --disable and --use-system-defaults.

Also extend function.sh with a utility function for checking if the installation journal contains a given regexp.
Showing 11 changed files with 307 additions and 26 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
#version=DEVEL | ||
#test name: firewall-disable-with-options | ||
# | ||
# Test that firewall can be properly disabled & all the | ||
# firewall options are still set correctly on the target system. | ||
%ksappend repos/default.ks | ||
|
||
%ksappend common/common_no_payload.ks | ||
%ksappend payload/default_packages.ks | ||
|
||
# TEST: firewall | ||
firewall --disable --port=22001:tcp,6400:udp --service=tftp,smtp | ||
|
||
%post | ||
# The firewall --disable kickstart command gets translated into firewall-offline-cmd --disable, | ||
# which simply disables the firewalld systemd unit. So by checking if the unit is disabled, | ||
# we can check if the kickstart command works correctly. | ||
systemctl is-enabled firewalld | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** firewalld.service should be disabled" >> /root/RESULT | ||
fi | ||
|
||
# Even though we disable the firewall, we still forward the options | ||
# to firewall-offline-cmd & they should be set properly. | ||
|
||
# Test for 22001/TCP | ||
firewall-offline-cmd --list-ports | grep 22001/tcp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Port 22001/tcp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for 6400/UDP | ||
firewall-offline-cmd --list-ports | grep 6400/udp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Port 6400/udp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service tftp | ||
firewall-offline-cmd --list-services | grep tftp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Service tftp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service smtp | ||
firewall-offline-cmd --list-services | grep smtp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Service smtp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service sane (disabled) | ||
firewall-offline-cmd --list-services | grep sane | ||
if [[ $? -ne 1 ]]; then | ||
echo "*** Service sane is allowed through the firewall enabled, should be disabled" >> /root/RESULT | ||
fi | ||
|
||
%ksappend validation/success_if_result_empty.ks | ||
%end |
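Review bot: the service checks in %post use an unanchored `grep`, so `grep smtp`, `grep tftp` and `grep sane` are satisfied by any listed service whose name merely contains that string, and the test can pass without the exact service being allowed. Match whole entries instead, for example `firewall-offline-cmd --list-services | tr ' ' '\n' | grep -qx smtp` (assuming the list is space separated), which also keeps the raw list out of the %post log. The failure text for `sane` ("is allowed through the firewall enabled, should be disabled") reads like two messages merged and should be reworded.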
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# | ||
# Copyright (C) 2019 Red Hat, Inc. | ||
# | ||
# This copyrighted material is made available to anyone wishing to use, | ||
# modify, copy, or redistribute it subject to the terms and conditions of | ||
# the GNU General Public License v.2, or (at your option) any later version. | ||
# This program is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY expressed or implied, including the implied warranties of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General | ||
# Public License for more details. You should have received a copy of the | ||
# GNU General Public License along with this program; if not, write to the | ||
# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||
# 02110-1301, USA. Any Red Hat trademarks that are incorporated in the | ||
# source code or documentation are not subject to the GNU General Public | ||
# License and may only be used or replicated with the express permission of | ||
# Red Hat, Inc. | ||
# | ||
# Red Hat Author(s): Martin Kolman <mkolman@redhat.com> | ||
|
||
TESTTYPE="network firewall" | ||
|
||
. ${KSTESTDIR}/functions.sh |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
#version=DEVEL | ||
#test name: firewall-disable | ||
# | ||
# Test that firewall can be properly disabled. | ||
%ksappend repos/default.ks | ||
|
||
%ksappend common/common_no_payload.ks | ||
%ksappend payload/default_packages.ks | ||
|
||
# disable firewall | ||
firewall --disable | ||
|
||
%post | ||
# The firewall --disable kickstart command gets translated into firewall-offline-cmd --disable, | ||
# which simply disables the firewalld systemd unit. So by checking if the unit is disabled, | ||
# we can check if the kickstart command works correctly. | ||
systemctl is-enabled firewalld | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** firewalld.service should be disabled" >> /root/RESULT | ||
fi | ||
|
||
%ksappend validation/success_if_result_empty.ks | ||
%end |
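Review bot: the `systemctl is-enabled firewalld` check only fails the test on exit status 0, so every non-zero status passes, including the one returned when the firewalld unit does not exist on the target at all. Compare the printed state instead, for example `[[ "$(systemctl is-enabled firewalld 2>/dev/null)" == "disabled" ]]`, so the test proves the unit is present and disabled rather than merely not enabled.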
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# | ||
# Copyright (C) 2019 Red Hat, Inc. | ||
# | ||
# This copyrighted material is made available to anyone wishing to use, | ||
# modify, copy, or redistribute it subject to the terms and conditions of | ||
# the GNU General Public License v.2, or (at your option) any later version. | ||
# This program is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY expressed or implied, including the implied warranties of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General | ||
# Public License for more details. You should have received a copy of the | ||
# GNU General Public License along with this program; if not, write to the | ||
# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||
# 02110-1301, USA. Any Red Hat trademarks that are incorporated in the | ||
# source code or documentation are not subject to the GNU General Public | ||
# License and may only be used or replicated with the express permission of | ||
# Red Hat, Inc. | ||
# | ||
# Red Hat Author(s): Martin Kolman <mkolman@redhat.com> | ||
|
||
TESTTYPE="network firewall" | ||
|
||
. ${KSTESTDIR}/functions.sh |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
|
||
#version=DEVEL | ||
#test name: firewall-use-system-defaults-ignore-options | ||
# | ||
# Test that firewall can be properly configured to use | ||
# system defaults. This basically means avoiding any | ||
# firewall-offline-cmd --enable/--disable calls and | ||
# simply leaving default distro provided firewall | ||
# configuration in place. | ||
%ksappend repos/default.ks | ||
|
||
%ksappend common/common_no_payload.ks | ||
%ksappend payload/default_packages.ks | ||
|
||
|
||
# Check no options are set to the target system when the | ||
# --use-system-defaults option is in place. | ||
firewall --use-system-defaults --port=22001:tcp,6400:udp --service=tftp,smtp | ||
|
||
%packages | ||
%end | ||
|
||
%post | ||
|
||
## TEST PROCEDURE | ||
# Test for 22001/TCP | ||
firewall-offline-cmd --list-ports | grep 22001/tcp | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** Port 22001/tcp should not be allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for 6400/UDP | ||
firewall-offline-cmd --list-ports | grep 6400/udp | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** Port 6400/udp should not be allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service tftp | ||
firewall-offline-cmd --list-services | grep tftp | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** Service tftp should not be allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service smtp | ||
firewall-offline-cmd --list-services | grep smtp | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** Service smtp should not be allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service sane (disabled) | ||
firewall-offline-cmd --list-services | grep sane | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** Service sane is allowed through the firewall, which is different from the default (disabled)" >> /root/RESULT | ||
fi | ||
|
||
%ksappend validation/success_if_result_empty.ks | ||
%end |
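Review bot: every check in %post is negative (`$? -eq 0` is the failure case), so the test passes whenever `firewall-offline-cmd` prints nothing, including when the command is missing or errors out, because `$?` only reflects `grep`. Add one positive assertion first, such as checking the exit status of `firewall-offline-cmd --list-services` on its own, so that an empty /root/RESULT means the --port and --service options were ignored and not that the query failed.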
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# | ||
# Copyright (C) 2019 Red Hat, Inc. | ||
# | ||
# This copyrighted material is made available to anyone wishing to use, | ||
# modify, copy, or redistribute it subject to the terms and conditions of | ||
# the GNU General Public License v.2, or (at your option) any later version. | ||
# This program is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY expressed or implied, including the implied warranties of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General | ||
# Public License for more details. You should have received a copy of the | ||
# GNU General Public License along with this program; if not, write to the | ||
# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||
# 02110-1301, USA. Any Red Hat trademarks that are incorporated in the | ||
# source code or documentation are not subject to the GNU General Public | ||
# License and may only be used or replicated with the express permission of | ||
# Red Hat, Inc. | ||
# | ||
# Red Hat Author(s): Martin Kolman <mkolman@redhat.com> | ||
|
||
TESTTYPE="network firewall" | ||
|
||
. ${KSTESTDIR}/functions.sh | ||
|
||
validate() { | ||
# check if installation journal contains the expected | ||
# "using system defaults" log message | ||
regexp="ks file instructs to use system defaults for firewall, skipping configuration" | ||
error="*** expected skipping-configuration message not found in installation journal" | ||
validate_journal_contains $1 "${regexp}" "${error}" | ||
if [[ $? != 0 ]]; then | ||
cat ${1}/RESULT | ||
return 1 | ||
fi | ||
|
||
return $(validate_RESULT ${disksdir}) | ||
} |
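Review bot: the last line of validate() uses `${disksdir}`, which nothing in this file sets, while the rest of the function reads the directory from `$1`; unless functions.sh provides that variable, `validate_RESULT` is called with no argument. The same line uses `return $(...)`, which returns whatever that call prints and not its exit status; if that is the helper's contract, say so in a comment. Using `$1` consistently and quoting it in the `validate_journal_contains`, `cat` and `validate_RESULT` calls would make the function safe for paths with spaces.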
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
#version=DEVEL | ||
#test name: firewall-use-system-defaults | ||
# | ||
# Test that firewall can be properly configured to use | ||
# system defaults. This basically means avoiding any | ||
# firewall-offline-cmd --enable/--disable calls and | ||
# simply leaving default distro provided firewall | ||
# configuration in place. | ||
%ksappend repos/default.ks | ||
|
||
%ksappend common/common_no_payload.ks | ||
%ksappend payload/default_packages.ks | ||
|
||
# disable firewall | ||
firewall --use-system-defaults | ||
|
||
%post | ||
# On Fedora firewall is enabled by default. | ||
systemctl is-enabled firewalld | ||
if [[ $? -eq 0 ]]; then | ||
echo "*** firewall should be enabled" >> /root/RESULT | ||
fi | ||
|
||
%ksappend validation/success_if_result_empty.ks | ||
%end |
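Review bot: the `systemctl is-enabled firewalld` check in %post is inverted: `$? -eq 0` means the unit is enabled, which is the expected state here, yet that branch writes "*** firewall should be enabled" to /root/RESULT. It should be `if [[ $? -ne 0 ]]; then`. The comment `# disable firewall` above `firewall --use-system-defaults` is also left over from the disable test and should describe using the system defaults.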
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# | ||
# Copyright (C) 2019 Red Hat, Inc. | ||
# | ||
# This copyrighted material is made available to anyone wishing to use, | ||
# modify, copy, or redistribute it subject to the terms and conditions of | ||
# the GNU General Public License v.2, or (at your option) any later version. | ||
# This program is distributed in the hope that it will be useful, but WITHOUT | ||
# ANY WARRANTY expressed or implied, including the implied warranties of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General | ||
# Public License for more details. You should have received a copy of the | ||
# GNU General Public License along with this program; if not, write to the | ||
# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | ||
# 02110-1301, USA. Any Red Hat trademarks that are incorporated in the | ||
# source code or documentation are not subject to the GNU General Public | ||
# License and may only be used or replicated with the express permission of | ||
# Red Hat, Inc. | ||
# | ||
# Red Hat Author(s): Martin Kolman <mkolman@redhat.com> | ||
|
||
TESTTYPE="network firewall" | ||
|
||
. ${KSTESTDIR}/functions.sh | ||
|
||
validate() { | ||
# check if installation journal contains the expected | ||
# "using system defaults" log message | ||
regexp="ks file instructs to use system defaults for firewall, skipping configuration" | ||
error="*** expected skipping-configuration message not found in installation journal" | ||
validate_journal_contains $1 "${regexp}" "${error}" | ||
if [[ $? != 0 ]]; then | ||
cat ${1}/RESULT | ||
return 1 | ||
fi | ||
|
||
return $(validate_RESULT ${disksdir}) | ||
} |
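Review bot: this validate() is identical, line for line, to the one in the other use-system-defaults test script in this commit, including the `regexp` and `error` strings. Since the commit already adds `validate_journal_contains` to the shared functions file, consider moving the common body into a helper there so the expected journal message is defined once and the two tests cannot drift apart.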
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,60 +1,45 @@ | ||
#version=DEVEL | ||
#test name: firewall | ||
%ksappend repos/default.ks | ||
install | ||
network --bootproto=dhcp | ||
|
||
bootloader --timeout=1 | ||
zerombr | ||
clearpart --all --initlabel | ||
autopart | ||
%ksappend common/common_no_payload.ks | ||
%ksappend payload/default_packages.ks | ||
|
||
keyboard us | ||
lang en | ||
timezone America/New_York --utc | ||
rootpw testcase | ||
shutdown | ||
|
||
# TEST: firewall | ||
# test the firewall command | ||
firewall --enable --port=22001:tcp,6400:udp --service=tftp,smtp | ||
|
||
%packages | ||
%end | ||
|
||
%post | ||
|
||
## TEST PROCEDURE | ||
# Test for 22001/TCP | ||
firewall-offline-cmd --list-ports | grep 22001/tcp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Firewall config for 22001/tcp" >> /root/RESULT | ||
echo "*** Port 22001/tcp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for 6400/UDP | ||
firewall-offline-cmd --list-ports | grep 6400/udp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Firewall config for 6400/udp failed" >> /root/RESULT | ||
echo "*** Port 6400/udp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service tftp | ||
firewall-offline-cmd --list-services | grep tftp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Firewall service tftp not assigned" >> /root/RESULT | ||
echo "*** Service tftp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service smtp | ||
firewall-offline-cmd --list-services | grep smtp | ||
if [[ $? -ne 0 ]]; then | ||
echo "*** Firewall service smtp not assigned" >> /root/RESULT | ||
echo "*** Service smtp not allowed through the firewall" >> /root/RESULT | ||
fi | ||
|
||
# Test for service sane (disabled) | ||
firewall-offline-cmd --list-services | grep sane | ||
if [[ $? -ne 1 ]]; then | ||
echo "*** Firewall service sane enabled, should be disabled" >> /root/RESULT | ||
echo "*** Service sane allowed through the firewall, should be disabled" >> /root/RESULT | ||
fi | ||
|
||
if [[ ! -e /root/RESULT ]]; then | ||
echo SUCCESS > /root/RESULT | ||
fi | ||
%ksappend validation/success_if_result_empty.ks | ||
%end |
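Review bot: the `firewall --enable` test checks ports and services in %post but never asserts that the firewalld unit is enabled, while the new --disable tests in this commit do check the unit state. Adding `systemctl is-enabled firewalld` with a failure message on non-zero status would cover the other half of what --enable is expected to do. The `sane` check (`$? -ne 1`) also passes when `firewall-offline-cmd` prints nothing, although here the positive port and service checks would catch that case.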