diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index c5797dc3..b1077c84 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb 
@@ -21,272 +21,242 @@ shell("touch #{ssh_log_file}") describe 'fail2ban' do - it 'is_expected.to work with no errors' do + context 'with defaults' do pp = <<-EOS class { 'fail2ban': } EOS - apply_manifest(pp, catch_failures: true) - apply_manifest(pp, catch_changes: true) - end - - describe 'fail2ban::install' do - context 'defaults' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': } - EOS + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) + end - apply_manifest(pp, catch_failures: true) - end + describe package(package_name) do + it { is_expected.to be_installed } + end - describe package(package_name) do - it { is_expected.to be_installed } - end + describe file(config_file_path) do + it { is_expected.to be_file } end - context 'when package latest' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': - package_ensure => 'latest', - } - EOS + describe service(service_name) do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + it 'is expected.to have sshd and sshd-ddos enabled by default' do + fail2ban_status = shell('fail2ban-client status') + expect(fail2ban_status.output).to contain ssh_jail + end + end - apply_manifest(pp, catch_failures: true) - end + context 'when package absent' do + pp = <<-EOS + class { 'fail2ban': + package_ensure => 'absent', + service_ensure => 'stopped', + service_enable => false, + } + EOS - describe package(package_name) do - it { is_expected.to be_installed } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) end - context 'when package absent' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': - package_ensure => 'absent', - service_ensure => 'stopped', - service_enable => false, - } - EOS + 
describe package(package_name) do + it { is_expected.not_to be_installed } + end - apply_manifest(pp, catch_failures: true) - end + describe file(config_file_path) do + it { is_expected.to be_file } + end - describe package(package_name) do - it { is_expected.not_to be_installed } - end + describe service(service_name) do + it { is_expected.not_to be_running } + it { is_expected.not_to be_enabled } + end + end - describe file(config_file_path) do - it { is_expected.to be_file } - end + context 'when package purged' do + pp = <<-EOS + class { 'fail2ban': + package_ensure => 'purged', + service_ensure => 'stopped', + service_enable => false, + } + EOS - describe service(service_name) do - it { is_expected.not_to be_running } - # The docker images of Debian do not use systemd, the following test - # cannot be performed on these images. + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) + end - it { is_expected.not_to be_enabled } if fact('osfamily') != 'Debian' - end + describe package(package_name) do + it { is_expected.not_to be_installed } end - context 'when package purged' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': - package_ensure => 'purged', - service_ensure => 'stopped', - service_enable => false, - } - EOS + describe file(config_file_path) do + it { is_expected.not_to be_file } + end - apply_manifest(pp, expect_failures: false) - end + describe service(service_name) do + it { is_expected.not_to be_running } + it { is_expected.not_to be_enabled } + end + end - describe package(package_name) do - it { is_expected.not_to be_installed } - end + context 'when content template' do + pp = <<-EOS + $_config_file_template = $facts['os']['family'] ? 
{ + 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", + default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", + } + class { 'fail2ban': + config_file_template => $_config_file_template, + } + EOS - describe file(config_file_path) do - it { is_expected.not_to be_file } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) + end - describe service(service_name) do - it { is_expected.not_to be_running } - it { is_expected.not_to be_enabled } - end + describe file(config_file_path) do + it { is_expected.to be_file } + it { is_expected.to contain 'THIS FILE IS MANAGED BY PUPPET' } + it { is_expected.to contain %r{^chain = INPUT$} } end end - describe 'fail2ban::config' do - context 'defaults' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': } - EOS - - apply_manifest(pp, catch_failures: true) - end + context 'when content template and custom chain' do + pp = <<-EOS + $_config_file_template = $facts['os']['family'] ? { + 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", + default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", + } + class { 'fail2ban': + config_file_template => $_config_file_template, + iptables_chain => 'TEST', + } + EOS - describe file(config_file_path) do - it { is_expected.to be_file } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) end - context 'when content template' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - $_config_file_template = $facts['os']['family'] ? 
{ - 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", - default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", - } - class { 'fail2ban': - config_file_template => $_config_file_template, - } - EOS + describe file(config_file_path) do + it { is_expected.to be_file } + it { is_expected.to contain 'THIS FILE IS MANAGED BY PUPPET' } + it { is_expected.to contain %r{^chain = TEST$} } + end + end - apply_manifest(pp, catch_failures: true) - end + context 'when content template and custom banaction' do + pp = <<-EOS + $_config_file_template = $facts['os']['family'] ? { + 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", + default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", + } + class { 'fail2ban': + config_file_template => $_config_file_template, + banaction => 'iptables' + } + EOS - describe file(config_file_path) do - it { is_expected.to be_file } - it { is_expected.to contain 'THIS FILE IS MANAGED BY PUPPET' } - it { is_expected.to contain %r{^chain = INPUT$} } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) end - context 'when content template and custom chain' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - $_config_file_template = $facts['os']['family'] ? 
{ - 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", - default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", - } - class { 'fail2ban': - config_file_template => $_config_file_template, - iptables_chain => 'TEST', - } - EOS - - apply_manifest(pp, catch_failures: true) - end - - describe file(config_file_path) do - it { is_expected.to be_file } - it { is_expected.to contain 'THIS FILE IS MANAGED BY PUPPET' } - it { is_expected.to contain %r{^chain = TEST$} } - end + describe file(config_file_path) do + it { is_expected.to be_file } + it { is_expected.to contain %r{^banaction = iptables$} } end + end - context 'when content template and custom banaction' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - $_config_file_template = $facts['os']['family'] ? { - 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", - default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", - } - class { 'fail2ban': - config_file_template => $_config_file_template, - banaction => 'iptables' - } - EOS - - apply_manifest(pp, catch_failures: true) - end + context 'when content template and custom sender' do + pp = <<-EOS + $_config_file_template = $facts['os']['family'] ? 
{ + 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", + default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", + } + class { 'fail2ban': + config_file_template => $_config_file_template, + sender => 'custom-sender@example.com', + } + EOS - describe file(config_file_path) do - it { is_expected.to be_file } - it { is_expected.to contain %r{^banaction = iptables$} } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) end - context 'when content template and custom sender' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - $_config_file_template = $facts['os']['family'] ? { - 'RedHat' => "fail2ban/RedHat/#{fact('os.release.major')}/#{config_file_path}.epp", - default => "fail2ban/#{fact('os.name')}/#{fact('os.release.major')}/#{config_file_path}.epp", - } - class { 'fail2ban': - config_file_template => $_config_file_template, - sender => 'custom-sender@example.com', - } - EOS - - apply_manifest(pp, catch_failures: true) - end - - describe file(config_file_path) do - it { is_expected.to contain %r{^sender = custom-sender@example\.com$} } - end + describe file(config_file_path) do + it { is_expected.to contain %r{^sender = custom-sender@example\.com$} } end end - describe 'fail2ban::service' do - context 'defaults' do - it 'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': } - EOS - - apply_manifest(pp, catch_failures: true) - end + context 'when service stopped' do + pp = <<-EOS + class { 'fail2ban': + service_ensure => 'stopped', + } + EOS - describe service(service_name) do - it { is_expected.to be_running } - it { is_expected.to be_enabled } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) + end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) end - context 'when service stopped' do - it 
'is_expected.to work with no errors' do - pp = <<-EOS - class { 'fail2ban': - service_ensure => 'stopped', - } - EOS + describe service(service_name) do + it { is_expected.not_to be_running } + it { is_expected.to be_enabled } + end + end - apply_manifest(pp, catch_failures: true) - end + context 'when service start/stop notification are disabled' do + pp = <<-EOS + class { 'fail2ban': + sendmail_actions => { + actionstart => '', + actionstop => '', + } + } + EOS - describe service(service_name) do - it { is_expected.not_to be_running } - it { is_expected.to be_enabled } - end + it 'applies without error' do + apply_manifest(pp, catch_failures: true) end - - context 'when checking default running services' do - it 'is expected.to have sshd and sshd-ddos enabled by default' do - pp = <<-EOS - class { 'fail2ban': } - EOS - apply_manifest(pp, catch_failures: true) - fail2ban_status = shell('fail2ban-client status') - expect(fail2ban_status.output).to contain ssh_jail - end + it 'applies idempotently' do + apply_manifest(pp, catch_changes: true) end - context 'when service start/stop notification are disabled' do - it 'is expected.to have empty sshd actions' do - pp = <<-EOS - class { 'fail2ban': - sendmail_actions => { - actionstart => '', - actionstop => '', - } - } - EOS - apply_manifest(pp, catch_failures: true) - # fail2ban-client supports fetching config since version 0.9 - fail2ban_version = shell('fail2ban-server --version | head -n1 | awk \'{print $2}\' | cut -c 2- | tail -n1') - if Gem::Version.new(fail2ban_version.stdout) >= Gem::Version.new('0.9.0') - fail2ban_status = shell('fail2ban-client get sshd action sendmail-buffered actionstart') - expect(fail2ban_status.output).to contain %r{^\n$} - else - fail2ban_status = shell('cat /etc/fail2ban/action.d/sendmail-buffered.conf | grep "after ="') - expect(fail2ban_status.output).to contain %r{sendmail-common\.local$} - end + it 'is expected.to have empty sshd actions' do + # fail2ban-client supports fetching 
config since version 0.9 + fail2ban_version = shell('fail2ban-server --version | head -n1 | awk \'{print $2}\' | cut -c 2- | tail -n1') + if Gem::Version.new(fail2ban_version.stdout) >= Gem::Version.new('0.9.0') + fail2ban_status = shell('fail2ban-client get sshd action sendmail-buffered actionstart') + expect(fail2ban_status.output).to contain %r{^\n$} + else + fail2ban_status = shell('cat /etc/fail2ban/action.d/sendmail-buffered.conf | grep "after ="') + expect(fail2ban_status.output).to contain %r{sendmail-common\.local$} end end end
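Review bot: In the 'when package absent' context the service check `it { is_expected.not_to be_enabled }` now runs unconditionally, whereas the removed version skipped it with `if fact('osfamily') != 'Debian'` and a comment that the Debian docker images do not use systemd. If those images are still in the acceptance matrix, the assertion may fail or report misleading state there, so either keep the guard or record in the commit message why it is no longer needed. Separately, the example titled 'is expected.to have sshd and sshd-ddos enabled by default' only asserts that the `fail2ban-client status` output contains `ssh_jail` (defined outside this hunk), so the title appears to promise more than is checked; a title such as `'lists the default ssh jail in fail2ban-client status'` would match the assertion. The 'when package latest' context is also dropped without a replacement, which, as far as this hunk shows, leaves `package_ensure => 'latest'` without acceptance coverage.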