ufw: extend integration tests (#50400)
* Improve cleanup. * Add check mode tests. Failing tests commented out; will be fixed in #49948. * Add reload and reset tests. * Add tests for other global state. * Work around ufw bugs.
parent
1400d161c0
commit
fe4fa519d7
4 changed files with 322 additions and 12 deletions
|
@ -12,12 +12,15 @@
|
|||
- name: Install ufw
|
||||
package:
|
||||
name: ufw
|
||||
# Make sure ufw is not enabled
|
||||
- name: Disable ufw in case it is running
|
||||
ufw:
|
||||
state: disabled
|
||||
|
||||
# Run the tests
|
||||
- block:
|
||||
- include_tasks: run-test.yml
|
||||
with_fileglob:
|
||||
- "tests/*.yml"
|
||||
|
||||
# Cleanup
|
||||
always:
|
||||
- name: Reset ufw to factory defaults and disable
|
||||
ufw:
|
||||
state: reset
|
||||
|
|
|
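Review bot: The cleanup task under `always:` is named "Reset ufw to factory defaults and disable" but only sets `state: reset`. The per-test include changed in this same commit notes that some ufw versions do not disable on reset (launchpad bug 1810082), so on those versions the target host could be left with the firewall enabled after the test run. Following the reset with an explicit task, `- name: Disable ufw` with `ufw:` / `state: disabled`, would make the cleanup match its name. The `always:` list may continue outside this hunk, in which case this may already be covered.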
@ -1,3 +1,12 @@
|
|||
---
|
||||
- name: Reset ufw to factory defaults
|
||||
ufw:
|
||||
state: reset
|
||||
- name: Disable ufw
|
||||
ufw:
|
||||
# Some versions of ufw have a bug which won't disable on reset.
|
||||
# That's why we explicitly deactivate here. See
|
||||
# https://bugs.launchpad.net/ufw/+bug/1810082
|
||||
state: disabled
|
||||
- name: "Loading tasks from {{ item }}"
|
||||
include_tasks: "{{ item }}"
|
||||
|
|
|
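Review bot: The new `Reset ufw to factory defaults` task can run within the same second as a reset issued at the end of the previously included test file. The test file in this commit documents that a second reset in the same second fails, because ufw's timestamped rule backups already exist, and that a check-mode reset really resets. A `- pause:` with `seconds: 1` ahead of this reset, carrying the same explanatory comment, would keep the per-file reset from failing intermittently. Whether an earlier test file actually ends on a reset depends on the include order, which this hunk does not show.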
@ -1,5 +1,10 @@
|
|||
---
|
||||
# ############################################
|
||||
- name: Enable (check mode)
|
||||
ufw:
|
||||
state: enabled
|
||||
check_mode: yes
|
||||
register: enable_check
|
||||
- name: Enable
|
||||
ufw:
|
||||
state: enabled
|
||||
|
@ -8,12 +13,26 @@
|
|||
ufw:
|
||||
state: enabled
|
||||
register: enable_idem
|
||||
- name: Enable (idempotency, check mode)
|
||||
ufw:
|
||||
state: enabled
|
||||
check_mode: yes
|
||||
register: enable_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - enable_check is changed
|
||||
- enable is changed
|
||||
- enable_idem is not changed
|
||||
- enable_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: ipv4 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
check_mode: yes
|
||||
register: ipv4_allow_check
|
||||
- name: ipv4 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -25,14 +44,30 @@
|
|||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
become: yes
|
||||
register: ipv4_allow_idem
|
||||
- name: ipv4 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
check_mode: yes
|
||||
register: ipv4_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - ipv4_allow_check is changed
|
||||
- ipv4_allow is changed
|
||||
- ipv4_allow_idem is not changed
|
||||
- ipv4_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: delete ipv4 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv4_allow_check
|
||||
- name: delete ipv4 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -46,14 +81,30 @@
|
|||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
delete: yes
|
||||
become: yes
|
||||
register: delete_ipv4_allow_idem
|
||||
- name: delete ipv4 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv4_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - delete_ipv4_allow_check is changed
|
||||
- delete_ipv4_allow is changed
|
||||
- delete_ipv4_allow_idem is not changed
|
||||
- delete_ipv4_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: ipv6 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
check_mode: yes
|
||||
register: ipv6_allow_check
|
||||
- name: ipv6 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -65,14 +116,30 @@
|
|||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
become: yes
|
||||
register: ipv6_allow_idem
|
||||
- name: ipv6 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
check_mode: yes
|
||||
register: ipv6_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - ipv6_allow_check is changed
|
||||
- ipv6_allow is changed
|
||||
- ipv6_allow_idem is not changed
|
||||
- ipv6_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: delete ipv6 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv6_allow_check
|
||||
- name: delete ipv6 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -86,15 +153,31 @@
|
|||
port: 23
|
||||
to_ip: "::"
|
||||
delete: yes
|
||||
become: yes
|
||||
register: delete_ipv6_allow_idem
|
||||
- name: delete ipv6 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv6_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - delete_ipv6_allow_check is changed
|
||||
- delete_ipv6_allow is changed
|
||||
- delete_ipv6_allow_idem is not changed
|
||||
- delete_ipv6_allow_idem_check is not changed
|
||||
|
||||
|
||||
# ############################################
|
||||
- name: ipv4 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
check_mode: yes
|
||||
register: ipv4_allow_check
|
||||
- name: ipv4 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -106,14 +189,30 @@
|
|||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
become: yes
|
||||
register: ipv4_allow_idem
|
||||
- name: ipv4 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
check_mode: yes
|
||||
register: ipv4_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - ipv4_allow_check is changed
|
||||
- ipv4_allow is changed
|
||||
- ipv4_allow_idem is not changed
|
||||
- ipv4_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: delete ipv4 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv4_allow_check
|
||||
- name: delete ipv4 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -127,14 +226,30 @@
|
|||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
delete: yes
|
||||
become: yes
|
||||
register: delete_ipv4_allow_idem
|
||||
- name: delete ipv4 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: 0.0.0.0
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv4_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - delete_ipv4_allow_check is changed
|
||||
- delete_ipv4_allow is changed
|
||||
- delete_ipv4_allow_idem is not changed
|
||||
- delete_ipv4_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: ipv6 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
check_mode: yes
|
||||
register: ipv6_allow_check
|
||||
- name: ipv6 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -146,14 +261,30 @@
|
|||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
become: yes
|
||||
register: ipv6_allow_idem
|
||||
- name: ipv6 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
check_mode: yes
|
||||
register: ipv6_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - ipv6_allow is_check changed
|
||||
- ipv6_allow is changed
|
||||
- ipv6_allow_idem is not changed
|
||||
- ipv6_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: delete ipv6 allow (check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv6_allow_check
|
||||
- name: delete ipv6 allow
|
||||
ufw:
|
||||
rule: allow
|
||||
|
@ -167,14 +298,43 @@
|
|||
port: 23
|
||||
to_ip: "::"
|
||||
delete: yes
|
||||
become: yes
|
||||
register: delete_ipv6_allow_idem
|
||||
- name: delete ipv6 allow (idempotency, check mode)
|
||||
ufw:
|
||||
rule: allow
|
||||
port: 23
|
||||
to_ip: "::"
|
||||
delete: yes
|
||||
check_mode: yes
|
||||
register: delete_ipv6_allow_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - delete_ipv6_allow_check is changed
|
||||
- delete_ipv6_allow is changed
|
||||
- delete_ipv6_allow_idem is not changed
|
||||
- delete_ipv6_allow_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: Reload ufw
|
||||
ufw:
|
||||
state: reloaded
|
||||
register: reload
|
||||
- name: Reload ufw (check mode)
|
||||
ufw:
|
||||
state: reloaded
|
||||
check_mode: yes
|
||||
register: reload_check
|
||||
- assert:
|
||||
that:
|
||||
- reload is not changed # NOT as expected!
|
||||
- reload_check is not changed # NOT as expected!
|
||||
|
||||
# ############################################
|
||||
- name: Disable (check mode)
|
||||
ufw:
|
||||
state: disabled
|
||||
check_mode: yes
|
||||
register: disable_check
|
||||
- name: Disable
|
||||
ufw:
|
||||
state: disabled
|
||||
|
@ -183,7 +343,57 @@
|
|||
ufw:
|
||||
state: disabled
|
||||
register: disable_idem
|
||||
- name: Disable (idempotency, check mode)
|
||||
ufw:
|
||||
state: disabled
|
||||
check_mode: yes
|
||||
register: disable_idem_check
|
||||
- assert:
|
||||
that:
|
||||
# FIXME - disable_check is changed
|
||||
- disable is changed
|
||||
- disable_idem is not changed
|
||||
- disable_idem_check is not changed
|
||||
|
||||
# ############################################
|
||||
- name: Re-enable
|
||||
ufw:
|
||||
state: enabled
|
||||
- name: Reset (check mode)
|
||||
ufw:
|
||||
state: reset
|
||||
check_mode: yes
|
||||
register: reset_check
|
||||
- pause:
|
||||
# Should not be needed, but since ufw is ignoring --dry-run for reset
|
||||
# (https://bugs.launchpad.net/ufw/+bug/1810082) we have to wait here as well.
|
||||
seconds: 1
|
||||
- name: Reset
|
||||
ufw:
|
||||
state: reset
|
||||
register: reset
|
||||
- pause:
|
||||
# ufw creates backups of the rule files with a timestamp; if reset is called
|
||||
# twice in a row fast enough (so that both timestamps are taken in the same second),
|
||||
# the second call will notice that the backup files are already there and fail.
|
||||
# Waiting one second fixes this problem.
|
||||
seconds: 1
|
||||
- name: Reset (idempotency)
|
||||
ufw:
|
||||
state: reset
|
||||
register: reset_idem
|
||||
- pause:
|
||||
# Should not be needed, but since ufw is ignoring --dry-run for reset
|
||||
# (https://bugs.launchpad.net/ufw/+bug/1810082) we have to wait here as well.
|
||||
seconds: 1
|
||||
- name: Reset (idempotency, check mode)
|
||||
ufw:
|
||||
state: reset
|
||||
check_mode: yes
|
||||
register: reset_idem_check
|
||||
- assert:
|
||||
that:
|
||||
- reset_check is not changed # NOT as expected!
|
||||
- reset is not changed # NOT as expected!
|
||||
- reset_idem is not changed
|
||||
- reset_idem_check is not changed
|
||||
|
|
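Review bot: The commented-out assertion in the second `ipv6 allow` block reads `# FIXME - ipv6_allow is_check changed`, which does not name the registered variable `ipv6_allow_check`. When the FIXME lines are re-enabled, that line would not test the check-mode result; it should read `# FIXME - ipv6_allow_check is changed` like its siblings. Separately, the `# NOT as expected!` assertions for `reload`, `reload_check`, `reset_check` and `reset` pin the currently wrong result with no issue reference. A short comment naming the tracking issue (placeholder: `<issue-id>`) would tell the next maintainer that a failure there is the intended fix arriving.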
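--- a/test/integration/targets/ufw/tasks/tests/global-state.yml
+++ b/test/integration/targets/ufw/tasks/tests/global-state.yml
@@ -0,0 +1,88 @@
+---
+- name: Enable ufw
+ufw:
+state: enabled
+
+# ############################################
+- name: Logging (check mode)
+ufw:
+logging: yes
+check_mode: yes
+register: logging_check
+- name: Logging
+ufw:
+logging: yes
+register: logging
+- name: Get logging
+shell: |
+ufw status verbose | grep "^Logging:"
+register: ufw_logging
+- name: Logging (idempotency)
+ufw:
+logging: yes
+register: logging_idem
+- name: Logging (idempotency, check mode)
+ufw:
+logging: yes
+check_mode: yes
+register: logging_idem_check
+- assert:
+that:
+- logging_check is not changed # NOT as expected!
+- logging is not changed # NOT as expected!
+- "ufw_logging.stdout == 'Logging: on (low)'"
+- logging_idem is not changed
+- logging_idem_check is not changed
+
+# ############################################
+- name: Default (check mode)
+ufw:
+default: reject
+direction: incoming
+check_mode: yes
+register: default_check
+- name: Default
+ufw:
+default: reject
+direction: incoming
+register: default
+- name: Get defaults
+shell: |
+ufw status verbose | grep "^Default:"
+register: ufw_defaults
+- name: Default (idempotency)
+ufw:
+default: reject
+direction: incoming
+register: default_idem
+- name: Default (idempotency, check mode)
+ufw:
+default: reject
+direction: incoming
+check_mode: yes
+register: default_idem_check
+- name: Default (change, check mode)
+ufw:
+default: allow
+direction: incoming
+check_mode: yes
+register: default_change_check
+- name: Default (change)
+ufw:
+default: allow
+direction: incoming
+register: default_change
+- name: Get defaults
+shell: |
+ufw status verbose | grep "^Default:"
+register: ufw_defaults_change
+- assert:
+that:
+# FIXME - default_check is changed
+- default is changed
+- "'reject (incoming)' in ufw_defaults.stdout"
+- default_idem is not changed
+- default_idem_check is not changed
+# FIXME - default_change_check is changed
+- default_change is changed
+- "'allow (incoming)' in ufw_defaults_change.stdout"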
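Review bot: The logging block appears never to exercise a real state transition. It asserts `logging is not changed # NOT as expected!` alongside an exact match on `Logging: on (low)`, which suggests logging is already on at the low level when the test starts. If that is the post-reset default, "not changed" is the correct answer rather than a module bug, and the test cannot catch a module that fails to turn logging on. Starting the block with a task that sets `logging: 'off'` (quoted so YAML keeps it a string) would let `logging is changed` be asserted meaningfully. The second `Get defaults` task could also be renamed, for example to `Get defaults (after change)`, so the two are distinguishable in test output.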