CHANGELOG.md

@@ -4,6 +4,29 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v4.1.0](https://github.com/voxpupuli/puppet-firewalld/tree/v4.1.0) (2019-10-22)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-firewalld/compare/v4.0.0...v4.1.0)
+
+**Implemented enhancements:**
+
+- Make native types `autorequire` the `firewalld` service [\#234](https://github.com/voxpupuli/puppet-firewalld/pull/234) ([trevor-vaughan](https://github.com/trevor-vaughan))
+
+**Fixed bugs:**
+
+- Fix firewall commands being run on compiler [\#232](https://github.com/voxpupuli/puppet-firewalld/pull/232) ([trevor-vaughan](https://github.com/trevor-vaughan))
+
+**Closed issues:**
+
+- README has invalid `'family' =\> 'ipv6'` example for `firewalld\_ipset` `options`. [\#231](https://github.com/voxpupuli/puppet-firewalld/issues/231)
+- All native firewalld providers are attempting to access the firewall on the compiler [\#225](https://github.com/voxpupuli/puppet-firewalld/issues/225)
+- The native types should all autorequire the firewalld service [\#224](https://github.com/voxpupuli/puppet-firewalld/issues/224)
+- Adding a 'firewalld\_direct\_purge' resource to the catalog hangs rspec-puppet [\#205](https://github.com/voxpupuli/puppet-firewalld/issues/205)
+
+**Merged pull requests:**
+
+- Update README with correct ipset ipv6 example [\#233](https://github.com/voxpupuli/puppet-firewalld/pull/233) ([Phurion](https://github.com/Phurion))
+
 ## [v4.0.0](https://github.com/voxpupuli/puppet-firewalld/tree/v4.0.0) (2019-10-14)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-firewalld/compare/3.4.0...v4.0.0)

README.md

@@ -377,7 +377,7 @@ firewalld::ipsets:
 
 * `entries`: An array of entries for the IPset
 * `type`: Type of ipset (default: `hash:ip`)
-* `options`: A hash of options for the IPset (eg: `{ "family" => "ipv6"}`)
+* `options`: A hash of options for the IPset (eg: `{ "family" => "inet6"}`)
 
 Note that `type` and `options` are parameters used when creating the IPset and are not managed after creation - to change the type or options of an ipset you must delete the existing ipset first.
 

lib/puppet/provider/firewalld.rb

@@ -10,17 +10,13 @@ class << self
     attr_accessor :runstate
   end
 
-  def initialize(*args)
-    check_running_state if state.nil?
-    super
-  end
-
   def state
     self.class.state
   end
 
   def self.state
     Puppet::Provider::Firewalld.runstate
+    check_running_state
   end
 
   def check_running_state

lib/puppet/type/firewalld_direct_chain.rb

@@ -45,4 +45,8 @@ def self.title_patterns
     desc 'Name of the table type to add (e.g: filter, nat, mangle, raw)'
     isnamevar
   end
+
+  autorequire(:service) do
+    ['firewalld']
+  end
 end

lib/puppet/type/firewalld_direct_passthrough.rb

@@ -32,4 +32,8 @@
     isnamevar
     desc 'Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)'
   end
+
+  autorequire(:service) do
+    ['firewalld']
+  end
 end

lib/puppet/type/firewalld_direct_purge.rb

@@ -51,6 +51,10 @@ def generate
     newvalues('chain', 'passthrough', 'rule')
   end
 
+  autorequire(:service) do
+    ['firewalld']
+  end
+
   def purge?
     !@purge_resources.empty?
   end

lib/puppet/type/firewalld_direct_rule.rb

@@ -44,4 +44,8 @@
   newparam(:args) do
     desc '<args> can be all iptables, ip6tables and ebtables command line arguments'
   end
+
+  autorequire(:service) do
+    ['firewalld']
+  end
 end

lib/puppet/type/firewalld_ipset.rb

@@ -93,4 +93,8 @@ def change_to_s(current, desire)
       raise(Puppet::Error, "Ipset should not declare entries if it doesn't manage entries")
     end
   end
+
+  autorequire(:service) do
+    ['firewalld']
+  end
 end

lib/puppet/type/firewalld_port.rb

@@ -47,4 +47,8 @@
   autorequire(:firewalld_zone) do
     self[:zone]
   end
+
+  autorequire(:service) do
+    ['firewalld']
+  end
 end

lib/puppet/type/firewalld_rich_rule.rb

@@ -127,4 +127,8 @@ def elements
   autorequire(:ipset) do
     self[:source]['ipset'] if self[:source].is_a?(Hash)
   end
+
+  autorequire(:service) do
+    ['firewalld']
+  end
 end

lib/puppet/type/firewalld_service.rb

@@ -45,8 +45,9 @@
   end
 
   autorequire(:service) do
-    catalog.resources.select do |res|
-      res.title == "Firewalld::Custom_service[#{self[:service]}]"
-    end
+    ['firewalld'] +
+      catalog.resources.select do |res|
+        res.title == "Firewalld::Custom_service[#{self[:service]}]"
+      end
   end
 end

lib/puppet/type/firewalld_zone.rb

@@ -52,6 +52,14 @@ def generate
     desc 'Name of the zone'
   end
 
+  newparam(:description) do
+    desc 'Description of the zone to add'
+  end
+
+  newparam(:short) do
+    desc 'Short description of the zone to add'
+  end
+
   newproperty(:target) do
     desc 'Specify the target for the zone'
   end
@@ -151,6 +159,10 @@ def retrieve
     end
   end
 
+  autorequire(:service) do
+    ['firewalld']
+  end
+
   def purge_resource(res_type)
     if Puppet.settings[:noop] || self[:noop]
       Puppet.debug "Would have purged #{res_type.ref}, (noop)"
@@ -233,12 +245,4 @@ def purge_ports
       @ports_purgable = true
     end
   end
-
-  newparam(:description) do
-    desc 'Description of the zone to add'
-  end
-
-  newparam(:short) do
-    desc 'Short description of the zone to add'
-  end
 end

metadata.json

@@ -1,26 +1,37 @@
 {
   "name": "puppet-firewalld",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "author": "Vox Pupuli",
   "summary": "Configure firewalld zones, services, and rich rules and direct config",
   "license": "Apache-2.0",
-  "tags": [ "firewalld", "firewall", "rhel", "security" ],
+  "tags": [
+    "firewalld",
+    "firewall",
+    "rhel",
+    "security",
+    "iptables",
+    "nftables"
+  ],
   "requirements": [
-   {
+    {
       "name": "puppet",
       "version_requirement": ">= 5.10.0 < 7.0.0"
     }
   ],
   "operatingsystem_support": [
     {
-      "operatingsystem":"RedHat",
-      "operatingsystemrelease":[ "7" ]
+      "operatingsystem": "RedHat",
+      "operatingsystemrelease": [
+        "7"
+      ]
     },
     {
-      "operatingsystem":"CentOS",
-      "operatingsystemrelease":[ "7" ]
+      "operatingsystem": "CentOS",
+      "operatingsystemrelease": [
+        "7"
+      ]
     }
-   ],
+  ],
   "source": "https://github.com/voxpupuli/puppet-firewalld",
   "project_page": "https://github.com/voxpupuli/puppet-firewalld",
   "issues_url": "https://github.com/voxpupuli/puppet-firewalld/issues",

spec/unit/puppet/type/firewalld_direct_chain_spec.rb

@@ -48,4 +48,21 @@
       end
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(name: 'ipv4:filter:LOG_DROPS')
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end

spec/unit/puppet/type/firewalld_direct_passthrough_spec.rb

@@ -51,4 +51,21 @@
       provider.destroy
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(name: '-A OUTPUT -j OUTPUT_filter')
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end

spec/unit/puppet/type/firewalld_direct_rule_spec.rb

@@ -78,4 +78,32 @@
       end
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    let(:attrs) do
+      {
+        title: 'Allow SSH',
+        ensure: 'present',
+        table: 'filter',
+        chain: 'OUTPUT',
+        priority: 1,
+        args: '-p tcp ---dport=22 -j ACCEPT'
+      }
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(attrs)
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end

spec/unit/puppet/type/firewalld_ipset_spec.rb

@@ -155,4 +155,21 @@
       end.to raise_error(%r{Ipset should not declare entries if it doesn't manage entries})
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(name: 'test', hashsize: 128)
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end

spec/unit/puppet/type/firewalld_port_spec.rb

@@ -20,4 +20,21 @@
       end
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(name: 'test', port: 1234)
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end

spec/unit/puppet/type/firewalld_rich_rule_spec.rb

@@ -204,4 +204,33 @@
       end
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    let(:attrs) do
+      {
+        title: 'SSH from barny',
+        ensure: 'present',
+        zone: 'restricted',
+        source: '192.168.1.2/32',
+        dest: '192.168.99.2/32',
+        service: 'ssh',
+        action: 'accept'
+      }
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(attrs)
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end

spec/unit/puppet/type/firewalld_service_spec.rb

@@ -20,4 +20,21 @@
       end
     end
   end
+
+  context 'autorequires' do
+    # rubocop:disable RSpec/InstanceVariable
+    before do
+      @firewalld_service = Puppet::Type.type(:service).new(name: 'firewalld')
+      @catalog = Puppet::Resource::Catalog.new
+      @catalog.add_resource(@firewalld_service)
+    end
+
+    it 'autorequires the firewalld service' do
+      @resource = described_class.new(name: 'test', service: 'test')
+      @catalog.add_resource(@resource)
+
+      expect(@resource.autorequire.map { |rp| rp.source.to_s }).to include('Service[firewalld]')
+    end
+    # rubocop:enable RSpec/InstanceVariable
+  end
 end