archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
stable-2.17
devel
stable-2.14
stable-2.15
stable-2.16
stable-2.12
milestone
stable-2.13
stable-2.9
stable-2.11
stable-2.3
stable-2.10
stable-2.8
stable-2.4
stable-2.5
stable-2.6
stable-2.7
temp-2.10-devel
mazer_role_loader
stable-2.2
threading_plus_forking
threading_instead_of_forking
stable-2.1
stable-1.9
stable-2.0
stable-2.0.0.1
stable-2.0-network
release1.8.4
release1.8.3
release1.8.2
release1.8.1
release1.8.0
release1.7.2
release1.7.1
release1.7.0
release1.6.8
release1.6.10
release1.6.9
release1.6.7
release1.6.6
release1.6.5
release1.6.4
release1.6.3
release1.6.2
release1.6.1
release1.6.0
release1.5.5
release1.5.4
release1.5.3
release1.5.2
release1.5.1
release1.5.0
v2.14.3
v2.13.8
v2.14.3rc1
v2.13.8rc1
v2.14.2
v2.14.2rc1
v2.14.1
v2.13.7
v2.13.7rc1
v2.14.1rc1
v2.13.6
v2.14.0
v2.14.0rc2
v2.13.6rc1
v2.14.0rc1
v2.14.0b3
v2.13.5
v2.12.10
v2.14.0b2
v2.13.5rc1
v2.12.10rc1
v2.14.0b1
v2.12.9
v2.13.4
v2.13.4rc1
v2.12.9rc1
v2.13.3
v2.12.8
v2.12.8rc1
v2.13.3rc1
v2.13.2
v2.13.2rc1
v2.12.7
v2.13.1
v2.12.7rc1
v2.13.1rc1
v2.12.6
v2.11.12
v2.12.6rc1
v2.11.12rc1
v2.13.0
v2.13.0rc1
v2.13.0b1
v2.12.5
v2.11.11
v2.12.5rc1
v2.11.11rc1
v2.13.0b0
v2.12.4
v2.11.10
v2.12.4rc1
v2.11.10rc1
v2.11.9
v2.12.3
v2.12.3rc1
v2.11.9rc1
v2.12.2
v2.11.8
v2.10.17
v2.12.2rc1
v2.11.8rc1
v2.10.17rc1
v2.12.1
v2.11.7
v2.10.16
v2.10.16rc1
v2.11.7rc1
v2.12.1rc1
v2.12.0
v2.12.0rc1
v2.12.0b2
v2.11.6
v2.10.15
v2.9.27
v2.9.27rc1
v2.10.15rc1
v2.11.6rc1
v2.12.0b1
v2.11.5
v2.10.14
v2.9.26
v2.11.5rc1
v2.10.14rc1
v2.9.26rc1
v2.11.4
v2.10.13
v2.9.25
v2.9.25rc1
v2.10.13rc1
v2.11.4rc1
v2.11.3
v2.10.12
v2.9.24
v2.11.3rc1
v2.10.12rc1
v2.9.24rc1
v2.9.23
v2.10.11
v2.11.2
v2.11.2rc1
v2.10.11rc1
v2.9.23rc1
v2.11.1
v2.10.10
v2.9.22
v2.9.22rc1
v2.10.10rc1
v2.11.1rc1
v2.10.9
v2.9.21
v2.10.9rc1
v2.9.21rc1
v2.11.0
v2.8.20
v2.9.20
v2.10.8
v2.11.0rc2
v2.8.20rc1
v2.9.20rc1
v2.10.8rc1
v2.11.0rc1
stable-2.11-branchpoint
v2.11.0b4
v2.11.0b3
v2.11.0b2
v2.10.7
v2.9.19
v2.10.7rc1
v2.9.19rc1
v2.11.0b1
v2.8.19
v2.9.18
v2.10.6
v2.8.19rc1
v2.9.18rc1
v2.10.6rc1
v2.9.17
v2.10.5
v2.10.5rc1
v2.9.17rc1
v2.8.18
v2.9.16
v2.10.4
v2.8.18rc1
v2.9.16rc1
v2.10.4rc1
v2.8.17
v2.9.15
v2.10.3
v2.8.17rc1
v2.9.15rc1
v2.10.3rc1
v2.10.2
v2.9.14
v2.8.16
v2.8.16rc1
v2.9.14rc1
v2.10.2rc1
v2.10.1
v2.10.1rc3
v2.10.1rc2
v2.8.15
v2.9.13
v2.10.0
v2.9.12
v2.8.14
v2.10.0rc4
v2.10.0rc3
v2.10.0rc2
v2.10.0rc1
v2.9.11
v2.8.13
v2.9.10
v2.10.0b1
stable-2.10-branchpoint
v2.9.9
v2.7.18
v2.8.12
v2.9.8
v2.9.7
v2.8.11
v2.7.17
pre-ansible-base
v2.8.10
v2.8.9
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.8.8
v2.7.16
v2.9.2
v2.9.1
v2.8.7
v2.7.15
v2.9.0
v2.9.0rc5
v2.8.6
v2.7.14
v2.9.0rc4
v2.6.20
v2.9.0rc3
v2.9.0rc2
v2.9.0rc1
v2.8.5
v2.9.0b1
stable-2.9-branchpoint
v2.6.19
v2.7.13
v2.8.4
v2.8.3
v2.6.18
v2.7.12
v2.8.2
v2.8.1
v2.7.11
v2.6.17
v2.8.0
v2.8.0rc3
v2.8.0rc2
v2.8.0rc1
v2.8.0b1
v2.8.0a1
v2.6.16
v2.7.10
v2.6.15
v2.7.9
v2.7.8
v2.6.14
v2.5.15
v2.7.7
v2.6.13
v2.6.12
v2.7.6
v2.5.14
v2.7.5
v2.6.11
v2.6.10
v2.7.4
v2.5.13
v2.7.3
v2.6.9
v2.5.12
v2.6.8
v2.7.2
v2.6.7
v2.5.11
v2.7.1
v2.6.6
v2.7.0
v2.6.5
v2.7.0rc4
v2.5.10
v2.7.0rc3
v2.7.0rc2
v2.5.9
v2.6.4
v2.7.0rc1
v2.7.0b1
v2.7.0.a1
v2.6.3
v2.5.8
v2.6.2
v2.5.7
v2.6.1
v2.5.6
v2.4.6.0-1
v2.6.0
v2.6.0rc5
v2.6.0rc4
v2.4.5.0-1
v2.6.0rc3
v2.5.5
v2.4.5.0-0.1.rc1
v2.6.0rc2
v2.6.0rc1
v2.5.4
v2.6.0a2
v2.6.0a1
v2.5.3
v2.5.2
v2.5.1
v2.4.4.0-1
v2.4.4.0-0.3.rc2
v2.5.0
v2.5.0rc3
v2.5.0rc2
v2.4.4-0.2.rc1
v2.3.4.0-0.1.rc1
v2.5.0rc1
v2.4.4-0.1.beta1
v2.5.0b1
v2.5.0a1
v2.4.3.0-1
v2.4.3.0-0.6.rc3
v2.4.3.0-0.5.rc2
v2.4.3.0-0.4.rc1
v2.4.3-0.3.beta3
v2.4.3.0-0.2.beta2
v2.3.3.0-1
v2.4.3.0-0.1.beta1
v2.4.2.0-1
v2.4.2.0-0.5.rc1
v2.4.2.0-0.4.beta4
v2.3.3.0-0.3.rc3
v2.4.2.0-0.3.beta3
v2.4.2.0-0.2.beta2
v2.4.2.0-0.1.beta1
v2.4.1.0-1
v2.4.1.0-0.4.rc2
v2.3.3.0-0.2.rc2
v2.4.1.0-0.3.rc1
v2.4.1.0-0.2.beta2
v2.3.3.0-0.1.rc1
v2.4.1.0-0.1.beta1
v2.4.0.0-1
v2.4.0.0-0.5.rc5
v2.4.0.0-0.4.rc4
v2.4.0.0-0.3.rc3
v2.4.0.0-0.2.rc2
v2.4.0.0-0.1.rc1
v2.3.2.0-1
v2.3.2.0-0.5.rc5
v2.3.2.0-0.4.rc4
v2.3.2.0-0.3.rc3
v2.3.2.0-0.2.rc2
v2.3.2.0-0.1.rc1
v2.1.6.0-1
v2.3.1.0-1
v2.3.1.0-0.2.rc2
v2.2.3.0-1
v2.1.6.0-0.1.rc1
v2.3.1.0-0.1.rc1
v2.3.0.0-1
v2.3.0.0-0.6.rc6
v2.3.0.0-0.5.rc5
v2.3.0.0-0.4.rc4
v2.2.3.0-0.1.rc1
v2.3.0.0-0.3.rc3
v2.3.0.0-0.2.rc2
v2.2.2.0-1
v2.1.5.0-1
v2.3.0.0-0.1.rc1
v2.1.5.0-0.2.rc2
v2.2.2.0-0.2.rc2
v2.1.5.0-0.1.rc1
v2.2.2.0-0.1.rc1
v2.1.4.0-1
v2.2.1.0-1
v2.1.4.0-0.3.rc3
v2.2.1.0-0.5.rc5
v2.1.4.0-0.2.rc2
v2.2.1.0-0.4.rc4
v2.1.4.0-0.1.rc1
v2.2.1.0-0.3.rc3
v2.2.1.0-0.2.rc2
v2.2.1.0-0.1.rc1
v2.1.3.0-1
v2.2.0.0-1
v2.2.0.0-0.4.rc4
v2.1.3.0-0.3.rc3
v2.1.3.0-0.2.rc2
v2.2.0.0-0.3.rc3
v2.1.3.0-0.1.rc1
v2.2.0.0-0.2.rc2
v2.2.0.0-0.1.rc1
v2.1.2.0-1
v2.1.2.0-0.5.rc5
v2.1.2.0-0.4.rc4
v2.1.2.0-0.3.rc3
v2.1.2.0-0.2.rc2
v2.1.2.0-0.1.rc1
v2.1.1.0-1
v2.1.1.0-0.5.rc5
v2.1.1.0-0.4.rc4
v2.1.1.0-0.3.rc3
v2.1.1.0-0.2.rc2
v2.1.1.0-0.1.rc1
v2.1.0.0-1
v2.1.0.0-0.4.rc4
v2.1.0.0-0.2.rc2
v2.1.0.0-0.3.rc3
v2.1.0.0-0.1.rc1
v2.0.2.0-1
v1.9.6-1
v2.0.2.0-0.4.rc4
v2.0.2.0-0.3.rc3
v1.9.6-0.1.rc1
v2.0.2.0-0.2.rc2
v2.0.2.0-0.1.rc1
v1.9.5-1
v1.9.5-0.1.rc1
v2.0.1.0-1
v2.0.1.0-0.2.rc2
v2.0.1.0-0.1.rc1
v2.0.0.2-1
v2.0.0.1-1
v2.0.0.0-1
v2.0.0-0.9.rc4
v2.0.0-0.8.rc3
v2.0.0-0.7.rc2
v2.0.0-0.6.rc1
v2.0.0-0.5.beta3
v2.0.0-0.4.beta2
v1.9.4-1
v2.0.0-0.3.beta1
v1.9.4-0.3.rc3
v1.9.4-0.2.rc2
v1.9.4-0.1.rc1
v2.0.0-0.2.alpha2
v1.9.3-1
v2.0.0-0.1.alpha1
v1.9.3-0.3.rc3
v1.9.3-0.2.rc2
v1.9.3-0.1.rc1
v1.9.2-1
v1.9.2-0.2.rc2
v1_last
v1.9.2-0.1.rc1
v1.9.1-1
v1.9.1-0.4.rc4
v1.9.1-0.3.rc3
v1.9.1-0.2.rc2
v1.9.1-0.1.rc1
v1.9.0.1-1
v1.9.0-2
v1.9.0-1
v1.9.0-0.2.rc2
v1.9.0-0.1.rc1
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.2
v1.7.1
v1.7.0
v1.6.10
v1.6.9
v1.6.8
v1.6.7
v1.6.6
v1.6.5
v1.6.4
v1.6.3
v1.6.2
v1.6.1
v1.6.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.3
v1.2.2
v1.2.1
v1.2
v1.1
v1.0
0.8
0.7.2
0.7
0.6
0.5
0.4.1
0.4
0.3.1
0.3
0.01
0.0.1
0.0.2
0.7.1
v0.9
v2.13.10
v2.13.10rc1
v2.13.11
v2.13.11rc1
v2.13.12
v2.13.12rc1
v2.13.13
v2.13.13rc1
v2.13.9
v2.13.9rc1
v2.14.10
v2.14.10rc1
v2.14.11
v2.14.11rc1
v2.14.12
v2.14.12rc1
v2.14.13
v2.14.14
v2.14.14rc1
v2.14.15
v2.14.15rc1
v2.14.16
v2.14.16rc1
v2.14.17
v2.14.17rc1
v2.14.4
v2.14.4rc1
v2.14.5
v2.14.5rc1
v2.14.6
v2.14.6rc1
v2.14.7
v2.14.7rc1
v2.14.8
v2.14.8rc1
v2.14.9
v2.14.9rc1
v2.15.0
v2.15.0b1
v2.15.0b2
v2.15.0b3
v2.15.0rc1
v2.15.0rc2
v2.15.1
v2.15.10
v2.15.10rc1
v2.15.11
v2.15.11rc1
v2.15.12
v2.15.12rc1
v2.15.1rc1
v2.15.2
v2.15.2rc1
v2.15.3
v2.15.3rc1
v2.15.4
v2.15.4rc1
v2.15.5
v2.15.5rc1
v2.15.6
v2.15.6rc1
v2.15.7
v2.15.7rc1
v2.15.8
v2.15.9
v2.15.9rc1
v2.16.0
v2.16.0b1
v2.16.0b2
v2.16.0rc1
v2.16.1
v2.16.1rc1
v2.16.2
v2.16.3
v2.16.3rc1
v2.16.4
v2.16.4rc1
v2.16.5
v2.16.5rc1
v2.16.6
v2.16.7
v2.16.7rc1
v2.17.0
v2.17.0b1
v2.17.0rc1
v2.17.0rc2
v2.5.0b2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cdd303101e'
${ noResults }
ansible/test/units/modules/test_iptables.py

1431 lines
35 KiB
Python
Raw Blame History

# Copyright: Contributors to the Ansible project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import annotations
from units.modules.utils import AnsibleExitJson, AnsibleFailJson, set_module_args, fail_json, exit_json
import pytest
from ansible.modules import iptables
IPTABLES_CMD = "/sbin/iptables"
IPTABLES_VERSION = "1.8.2"
CONST_INPUT_FILTER = [IPTABLES_CMD, "-t", "filter", "-L", "INPUT",]
@pytest.fixture
def _mock_basic_commands(mocker):
"""Mock basic commands like get_bin_path and get_iptables_version."""
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.get_bin_path",
return_value=IPTABLES_CMD,
)
mocker.patch("ansible.modules.iptables.get_iptables_version", return_value=IPTABLES_VERSION)
def test_without_required_parameters(mocker):
"""Test module without any parameters."""
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.fail_json",
side_effect=fail_json,
)
set_module_args({})
with pytest.raises(AnsibleFailJson) as exc:
iptables.main()
assert exc.value.args[0]["failed"]
assert "Failed to find required executable" in exc.value.args[0]["msg"]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_flush_table_without_chain(mocker):
"""Test flush without chain, flush the table."""
set_module_args(
{
"flush": True,
}
)
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command", return_value=(0, "", "")
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args[0][0]
assert first_cmd_args_list[0], IPTABLES_CMD
assert first_cmd_args_list[1], "-t"
assert first_cmd_args_list[2], "filter"
assert first_cmd_args_list[3], "-F"
@pytest.mark.usefixtures('_mock_basic_commands')
def test_flush_table_check_true(mocker):
"""Test flush without parameters and check == true."""
set_module_args(
{
"flush": True,
"_ansible_check_mode": True,
}
)
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command", return_value=(0, "", "")
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 0
@pytest.mark.usefixtures('_mock_basic_commands')
def test_policy_table(mocker):
"""Test change policy of a chain."""
set_module_args(
{
"policy": "ACCEPT",
"chain": "INPUT",
}
)
commands_results = [(0, "Chain INPUT (policy DROP)\n", ""), (0, "", "")]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 2
first_cmd_args_list = run_command.call_args_list[0]
second_cmd_args_list = run_command.call_args_list[1]
assert first_cmd_args_list[0][0] == CONST_INPUT_FILTER
assert second_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-P",
"INPUT",
"ACCEPT",
]
@pytest.mark.usefixtures('_mock_basic_commands')
@pytest.mark.parametrize(
("test_input", "commands_results"),
[
pytest.param(
{
"policy": "ACCEPT",
"chain": "INPUT",
"_ansible_check_mode": True,
},
[
(0, "Chain INPUT (policy DROP)\n", ""),
],
id="policy-table-no-change",
),
pytest.param(
{
"policy": "ACCEPT",
"chain": "INPUT",
},
[
(0, "Chain INPUT (policy ACCEPT)\n", ""),
(0, "", ""),
],
id="policy-table-change-false",
)
]
)
def test_policy_table_flush(mocker, test_input, commands_results):
"""Test flush without parameters and change == false."""
set_module_args(test_input)
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == CONST_INPUT_FILTER
# TODO ADD test policy without chain fail
# TODO ADD test policy with chain don't exists
# TODO ADD test policy with wrong choice fail
@pytest.mark.usefixtures('_mock_basic_commands')
def test_insert_rule_change_false(mocker):
"""Test flush without parameters."""
set_module_args(
{
"chain": "OUTPUT",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "ACCEPT",
"action": "insert",
"_ansible_check_mode": True,
}
)
commands_results = [
(1, "", ""), # check_rule_present
(0, "", ""), # check_chain_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"OUTPUT",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"ACCEPT",
]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_insert_rule(mocker):
"""Test flush without parameters."""
set_module_args(
{
"chain": "OUTPUT",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "ACCEPT",
"action": "insert",
}
)
commands_results = [
(1, "", ""), # check_rule_present
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 2
first_cmd_args_list = run_command.call_args_list[0]
second_cmd_args_list = run_command.call_args_list[1]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"OUTPUT",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"ACCEPT",
]
assert second_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-I",
"OUTPUT",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"ACCEPT",
]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_append_rule_check_mode(mocker):
"""Test append a redirection rule in check mode."""
set_module_args(
{
"chain": "PREROUTING",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "REDIRECT",
"table": "nat",
"to_destination": "5.5.5.5/32",
"protocol": "udp",
"destination_port": "22",
"to_ports": "8600",
"_ansible_check_mode": True,
}
)
commands_results = [
(1, "", ""), # check_rule_present
(0, "", ""), # check_chain_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"nat",
"-C",
"PREROUTING",
"-p",
"udp",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"REDIRECT",
"--to-destination",
"5.5.5.5/32",
"--destination-port",
"22",
"--to-ports",
"8600",
]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_append_rule(mocker):
"""Test append a redirection rule."""
set_module_args(
{
"chain": "PREROUTING",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "REDIRECT",
"table": "nat",
"to_destination": "5.5.5.5/32",
"protocol": "udp",
"destination_port": "22",
"to_ports": "8600",
}
)
commands_results = [
(1, "", ""), # check_rule_present
(0, "", ""), # check_chain_present
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 2
first_cmd_args_list = run_command.call_args_list[0]
second_cmd_args_list = run_command.call_args_list[1]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"nat",
"-C",
"PREROUTING",
"-p",
"udp",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"REDIRECT",
"--to-destination",
"5.5.5.5/32",
"--destination-port",
"22",
"--to-ports",
"8600",
]
assert second_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"nat",
"-A",
"PREROUTING",
"-p",
"udp",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"REDIRECT",
"--to-destination",
"5.5.5.5/32",
"--destination-port",
"22",
"--to-ports",
"8600",
]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_remove_rule(mocker):
"""Test flush without parameters."""
set_module_args(
{
"chain": "PREROUTING",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "SNAT",
"table": "nat",
"to_source": "5.5.5.5/32",
"protocol": "udp",
"source_port": "22",
"to_ports": "8600",
"state": "absent",
"in_interface": "eth0",
"out_interface": "eth1",
"comment": "this is a comment",
}
)
commands_results = [
(0, "", ""),
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 2
first_cmd_args_list = run_command.call_args_list[0]
second_cmd_args_list = run_command.call_args_list[1]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"nat",
"-C",
"PREROUTING",
"-p",
"udp",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"SNAT",
"--to-source",
"5.5.5.5/32",
"-i",
"eth0",
"-o",
"eth1",
"--source-port",
"22",
"--to-ports",
"8600",
"-m",
"comment",
"--comment",
"this is a comment",
]
assert second_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"nat",
"-D",
"PREROUTING",
"-p",
"udp",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"SNAT",
"--to-source",
"5.5.5.5/32",
"-i",
"eth0",
"-o",
"eth1",
"--source-port",
"22",
"--to-ports",
"8600",
"-m",
"comment",
"--comment",
"this is a comment",
]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_remove_rule_check_mode(mocker):
"""Test flush without parameters check mode."""
set_module_args(
{
"chain": "PREROUTING",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "SNAT",
"table": "nat",
"to_source": "5.5.5.5/32",
"protocol": "udp",
"source_port": "22",
"to_ports": "8600",
"state": "absent",
"in_interface": "eth0",
"out_interface": "eth1",
"comment": "this is a comment",
"_ansible_check_mode": True,
}
)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"nat",
"-C",
"PREROUTING",
"-p",
"udp",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"SNAT",
"--to-source",
"5.5.5.5/32",
"-i",
"eth0",
"-o",
"eth1",
"--source-port",
"22",
"--to-ports",
"8600",
"-m",
"comment",
"--comment",
"this is a comment",
]
@pytest.mark.usefixtures('_mock_basic_commands')
@pytest.mark.parametrize(
("test_input", "expected"),
[
pytest.param(
{
"chain": "INPUT",
"protocol": "tcp",
"reject_with": "tcp-reset",
"ip_version": "ipv4",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"tcp",
"-j",
"REJECT",
"--reject-with",
"tcp-reset",
],
id="insert-reject-with",
),
pytest.param(
{
"chain": "INPUT",
"protocol": "tcp",
"jump": "REJECT",
"reject_with": "tcp-reset",
"ip_version": "ipv4",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"tcp",
"-j",
"REJECT",
"--reject-with",
"tcp-reset",
],
id="update-reject-with",
),
]
)
def test_insert_with_reject(mocker, test_input, expected):
"""Using reject_with with a previously defined jump: REJECT results in two Jump statements #18988."""
set_module_args(test_input)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == expected
@pytest.mark.usefixtures('_mock_basic_commands')
def test_jump_tee_gateway_negative(mocker):
"""Missing gateway when JUMP is set to TEE."""
set_module_args(
{
"table": "mangle",
"chain": "PREROUTING",
"in_interface": "eth0",
"protocol": "udp",
"match": "state",
"jump": "TEE",
"ctstate": ["NEW"],
"destination_port": "9521",
"destination": "127.0.0.1",
}
)
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.fail_json",
side_effect=fail_json,
)
jump_err_msg = "jump is TEE but all of the following are missing: gateway"
with pytest.raises(AnsibleFailJson, match=jump_err_msg) as exc:
iptables.main()
assert exc.value.args[0]["failed"]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_jump_tee_gateway(mocker):
"""Using gateway when JUMP is set to TEE."""
set_module_args(
{
"table": "mangle",
"chain": "PREROUTING",
"in_interface": "eth0",
"protocol": "udp",
"match": "state",
"jump": "TEE",
"ctstate": ["NEW"],
"destination_port": "9521",
"gateway": "192.168.10.1",
"destination": "127.0.0.1",
}
)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"mangle",
"-C",
"PREROUTING",
"-p",
"udp",
"-d",
"127.0.0.1",
"-m",
"state",
"-j",
"TEE",
"--gateway",
"192.168.10.1",
"-i",
"eth0",
"--destination-port",
"9521",
"--state",
"NEW",
]
@pytest.mark.usefixtures('_mock_basic_commands')
@pytest.mark.parametrize(
("test_input"),
[
pytest.param(
'flags=ALL flags_set="ACK,RST,SYN,FIN"',
id="tcp-flags-str"
),
pytest.param(
{
"flags": "ALL", "flags_set": "ACK,RST,SYN,FIN"
},
id="tcp-flags-dict"
),
pytest.param(
{
"flags": ["ALL"], "flags_set": ["ACK", "RST", "SYN", "FIN"]
},
id="tcp-flags-list"
),
],
)
def test_tcp_flags(mocker, test_input):
"""Test various ways of inputting tcp_flags."""
rule_data = {
"chain": "OUTPUT",
"protocol": "tcp",
"jump": "DROP",
"tcp_flags": test_input,
}
set_module_args(rule_data)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"OUTPUT",
"-p",
"tcp",
"--tcp-flags",
"ALL",
"ACK,RST,SYN,FIN",
"-j",
"DROP",
]
@pytest.mark.usefixtures('_mock_basic_commands')
@pytest.mark.parametrize(
"log_level",
[
"0",
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"emerg",
"alert",
"crit",
"error",
"warning",
"notice",
"info",
"debug",
],
)
def test_log_level(mocker, log_level):
"""Test various ways of log level flag."""
set_module_args(
{
"chain": "INPUT",
"jump": "LOG",
"log_level": log_level,
"source": "1.2.3.4/32",
"log_prefix": "** DROP-this_ip **",
}
)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-s",
"1.2.3.4/32",
"-j",
"LOG",
"--log-prefix",
"** DROP-this_ip **",
"--log-level",
log_level,
]
@pytest.mark.usefixtures('_mock_basic_commands')
@pytest.mark.parametrize(
("test_input", "expected"),
[
pytest.param(
{
"chain": "INPUT",
"match": ["iprange"],
"src_range": "192.168.1.100-192.168.1.199",
"jump": "ACCEPT",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-m",
"iprange",
"-j",
"ACCEPT",
"--src-range",
"192.168.1.100-192.168.1.199",
],
id="src-range",
),
pytest.param(
{
"chain": "INPUT",
"src_range": "192.168.1.100-192.168.1.199",
"dst_range": "10.0.0.50-10.0.0.100",
"jump": "ACCEPT",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-j",
"ACCEPT",
"-m",
"iprange",
"--src-range",
"192.168.1.100-192.168.1.199",
"--dst-range",
"10.0.0.50-10.0.0.100",
],
id="src-range-dst-range",
),
pytest.param(
{
"chain": "INPUT",
"dst_range": "10.0.0.50-10.0.0.100",
"jump": "ACCEPT"
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-j",
"ACCEPT",
"-m",
"iprange",
"--dst-range",
"10.0.0.50-10.0.0.100",
],
id="dst-range"
),
],
)
def test_iprange(mocker, test_input, expected):
"""Test iprange module with its flags src_range and dst_range."""
set_module_args(test_input)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == expected
@pytest.mark.usefixtures('_mock_basic_commands')
def test_insert_rule_with_wait(mocker):
"""Test flush without parameters."""
set_module_args(
{
"chain": "OUTPUT",
"source": "1.2.3.4/32",
"destination": "7.8.9.10/42",
"jump": "ACCEPT",
"action": "insert",
"wait": "10",
}
)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"OUTPUT",
"-w",
"10",
"-s",
"1.2.3.4/32",
"-d",
"7.8.9.10/42",
"-j",
"ACCEPT",
]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_comment_position_at_end(mocker):
"""Test comment position to make sure it is at the end of command."""
set_module_args(
{
"chain": "INPUT",
"jump": "ACCEPT",
"action": "insert",
"ctstate": ["NEW"],
"comment": "this is a comment",
"_ansible_check_mode": True,
}
)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-j",
"ACCEPT",
"-m",
"conntrack",
"--ctstate",
"NEW",
"-m",
"comment",
"--comment",
"this is a comment",
]
assert run_command.call_args[0][0][14] == "this is a comment"
@pytest.mark.usefixtures('_mock_basic_commands')
def test_destination_ports(mocker):
"""Test multiport module usage with multiple ports."""
set_module_args(
{
"chain": "INPUT",
"protocol": "tcp",
"in_interface": "eth0",
"source": "192.168.0.1/32",
"destination_ports": ["80", "443", "8081:8085"],
"jump": "ACCEPT",
"comment": "this is a comment",
}
)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"tcp",
"-s",
"192.168.0.1/32",
"-j",
"ACCEPT",
"-m",
"multiport",
"--dports",
"80,443,8081:8085",
"-i",
"eth0",
"-m",
"comment",
"--comment",
"this is a comment",
]
@pytest.mark.usefixtures('_mock_basic_commands')
@pytest.mark.parametrize(
("test_input", "expected"),
[
pytest.param(
{
"chain": "INPUT",
"protocol": "tcp",
"match_set": "admin_hosts",
"match_set_flags": "src",
"destination_port": "22",
"jump": "ACCEPT",
"comment": "this is a comment",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"tcp",
"-j",
"ACCEPT",
"--destination-port",
"22",
"-m",
"set",
"--match-set",
"admin_hosts",
"src",
"-m",
"comment",
"--comment",
"this is a comment",
],
id="match-set-src",
),
pytest.param(
{
"chain": "INPUT",
"protocol": "udp",
"match_set": "banned_hosts",
"match_set_flags": "src,dst",
"jump": "REJECT",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"udp",
"-j",
"REJECT",
"-m",
"set",
"--match-set",
"banned_hosts",
"src,dst",
],
id="match-set-src-dst",
),
pytest.param(
{
"chain": "INPUT",
"protocol": "udp",
"match_set": "banned_hosts_dst",
"match_set_flags": "dst,dst",
"jump": "REJECT",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"udp",
"-j",
"REJECT",
"-m",
"set",
"--match-set",
"banned_hosts_dst",
"dst,dst",
],
id="match-set-dst-dst",
),
pytest.param(
{
"chain": "INPUT",
"protocol": "udp",
"match_set": "banned_hosts",
"match_set_flags": "src,src",
"jump": "REJECT",
},
[
IPTABLES_CMD,
"-t",
"filter",
"-C",
"INPUT",
"-p",
"udp",
"-j",
"REJECT",
"-m",
"set",
"--match-set",
"banned_hosts",
"src,src",
],
id="match-set-src-src",
),
],
)
def test_match_set(mocker, test_input, expected):
"""Test match_set together with match_set_flags."""
set_module_args(test_input)
commands_results = [
(0, "", ""),
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(SystemExit):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == expected
@pytest.mark.usefixtures('_mock_basic_commands')
def test_chain_creation(mocker):
"""Test chain creation when absent."""
set_module_args(
{
"chain": "FOOBAR",
"state": "present",
"chain_management": True,
}
)
commands_results = [
(1, "", ""), # check_chain_present
(0, "", ""), # create_chain
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.exit_json",
side_effect=exit_json,
)
with pytest.raises(AnsibleExitJson):
iptables.main()
assert run_command.call_count == 2
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-L",
"FOOBAR",
]
second_cmd_args_list = run_command.call_args_list[1]
assert second_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-N",
"FOOBAR",
]
commands_results = [
(0, "", ""), # check_rule_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(AnsibleExitJson) as exc:
iptables.main()
assert not exc.value.args[0]["changed"]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_chain_creation_check_mode(mocker):
"""Test chain creation when absent in check mode."""
set_module_args(
{
"chain": "FOOBAR",
"state": "present",
"chain_management": True,
"_ansible_check_mode": True,
}
)
commands_results = [
(1, "", ""), # check_rule_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.exit_json",
side_effect=exit_json,
)
with pytest.raises(AnsibleExitJson):
iptables.main()
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-L",
"FOOBAR",
]
commands_results = [
(0, "", ""), # check_rule_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(AnsibleExitJson) as exc:
iptables.main()
assert not exc.value.args[0]["changed"]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_chain_deletion(mocker):
"""Test chain deletion when present."""
set_module_args(
{
"chain": "FOOBAR",
"state": "absent",
"chain_management": True,
}
)
commands_results = [
(0, "", ""), # check_chain_present
(0, "", ""), # delete_chain
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.exit_json",
side_effect=exit_json,
)
with pytest.raises(AnsibleExitJson) as exc:
iptables.main()
assert exc.value.args[0]["changed"]
assert run_command.call_count == 2
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-L",
"FOOBAR",
]
second_cmd_args_list = run_command.call_args_list[1]
assert second_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-X",
"FOOBAR",
]
commands_results = [
(1, "", ""), # check_rule_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(AnsibleExitJson) as exc:
iptables.main()
assert not exc.value.args[0]["changed"]
@pytest.mark.usefixtures('_mock_basic_commands')
def test_chain_deletion_check_mode(mocker):
"""Test chain deletion when present in check mode."""
set_module_args(
{
"chain": "FOOBAR",
"state": "absent",
"chain_management": True,
"_ansible_check_mode": True,
}
)
commands_results = [
(0, "", ""), # check_chain_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
mocker.patch(
"ansible.module_utils.basic.AnsibleModule.exit_json",
side_effect=exit_json,
)
with pytest.raises(AnsibleExitJson) as exc:
iptables.main()
assert exc.value.args[0]["changed"]
assert run_command.call_count == 1
first_cmd_args_list = run_command.call_args_list[0]
assert first_cmd_args_list[0][0] == [
IPTABLES_CMD,
"-t",
"filter",
"-L",
"FOOBAR",
]
commands_results = [
(1, "", ""), # check_rule_present
]
run_command = mocker.patch(
"ansible.module_utils.basic.AnsibleModule.run_command",
side_effect=commands_results,
)
with pytest.raises(AnsibleExitJson) as exc:
iptables.main()
assert not exc.value.args[0]["changed"]
Reference in New Issue View Git Blame Copy Permalink