feat(tofs): switch to tofs

saltstack-formulas · May 20, 2019 · c05019a · c05019a
1 parent 7d4a642
commit c05019a
Show file tree

Hide file tree

Showing 26 changed files with 589 additions and 300 deletions.
diff --git a/test/integration/ufw/controls/config_spec.rb b/test/integration/ufw/controls/config_spec.rb
@@ -0,0 +1,68 @@
+control 'UFW configuration' do
+
+  title 'Test UFW configuration'
+
+  describe directory('/etc/ufw') do
+    it { should exist }
+  end
+
+  describe file('/etc/ufw/ufw.conf') do
+    its('content') { should include 'ENABLED=' }
+    its('content') { should include 'LOGLEVEL=' }
+  end
+
+  describe command('ufw status verbose | grep Status') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /active/ }
+  end
+
+  describe command('ufw status verbose | grep Logging') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /low/ }
+  end
+
+  describe command('ufw status | grep MySQL') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /ALLOW/ }
+  end
+
+  describe command('ufw status | grep Postgresql') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /LIMIT/ }
+  end
+
+  describe command('ufw status | grep SSH223') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 10.0.0.0') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 22/tcp') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /LIMIT/ }
+  end
+
+  describe command('ufw status | grep 80/tcp') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 443/tcp') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /ALLOW/ }
+  end
+
+  describe command('ufw status | grep 10.0.0.1') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 10.0.0.2') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+end
diff --git a/test/integration/ufw/controls/package_spec.rb b/test/integration/ufw/controls/package_spec.rb
@@ -0,0 +1,7 @@
+control 'UFW package' do
+  title 'should be installed'
+
+  describe package('ufw') do
+    it { should be_installed }
+  end
+end
diff --git a/test/integration/ufw/controls/ufw.rb b/test/integration/ufw/controls/ufw.rb
diff --git a/ufw/config/applications.sls b/ufw/config/applications.sls
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_enable_service  = tplroot ~ '.service.enable' %}
+{%- set sls_reload_service  = tplroot ~ '.service.reload' %}
+{%- from tplroot ~ "/map.jinja" import ufw with context %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_enable_service }}
+  - {{ sls_reload_service }}
+
+# Applications
+{%- for app_name, app_details in ufw.get('applications', {}).items() %}
+
+  {%- set from_addr_raw = app_details.get('from_addr', [None]) %}
+  {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}
+
+  {%- for from_addr in from_addrs %}
+    {%- set deny    = app_details.get('deny', None) %}
+    {%- set limit   = app_details.get('limit', None) %}
+    {%- set method  = 'deny' if deny else ('limit' if limit else 'allow') %}
+    {%- set to_addr = app_details.get('to_addr', None) %}
+    {%- set comment = app_details.get('comment', None) %}
+
+{%- if from_addr is not none %}
+ufw-app-{{method}}-{{app_name}}-{{from_addr}}:
+{%- else %}
+ufw-app-{{method}}-{{app_name}}:
+{%- endif %}
+  ufw.{{method}}:
+    - app: '"{{app_name}}"'
+    {%- if from_addr is not none %}
+    - from_addr: {{from_addr}}
+    {%- endif %}
+    {%- if to_addr is not none %}
+    - to_addr: {{to_addr}}
+    {%- endif %}
+    {%- if comment is not none %}
+    - comment: '"{{comment}}"'
+    {%- endif %}
+    - listen_in:
+      - cmd: reload-ufw
+
+  {%- endfor %}
+{%- endfor %}
diff --git a/ufw/config/file.sls b/ufw/config/file.sls
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import ufw with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
+include:
+  - {{ sls_package_install }}
+
+ufw-default-file-file-managed:
+  file.managed:
+    - name:     {{ ufw.default_file }}
+    - user:     root
+    - group:    root
+    - template: jinja
+    - source: {{ files_switch(['ufw.default.tmpl', 'ufw.default.tmpl.jinja'],
+                              lookup='ufw-default-file-file-managed'
+                 )
+              }}
+    - require:
+      - sls: {{ sls_package_install }}
+    - context:
+        ufw_settings: {{ ufw.settings | json }}
+
+ufw-sysctl-file-file-managed:
+  file.managed:
+    - name:     {{ ufw.sysctl_file }}
+    - user:     root
+    - group:    root
+    - template: jinja
+    - source: {{ files_switch(['ufw.sysctl.tmpl', 'ufw.sysctl.tmpl.jinja'],
+                              lookup='ufw-sysctl-file-file-managed'
+                 )
+              }}
+    - require:
+      - sls: {{ sls_package_install }}
+    - context:
+        ufw_sysctl: {{ ufw.sysctl | json }}
+
+/etc/ufw/applications.d:
+  file.recurse:
+    - user: root
+    - group: root
+    - file_mode: 644
+    - clean: False
+    - source: salt://ufw/files/applications.d
diff --git a/ufw/config/init.sls b/ufw/config/init.sls
@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .file
+  - .services
+  - .applications
+  - .interfaces
+  - .open
diff --git a/ufw/config/interfaces.sls b/ufw/config/interfaces.sls
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_enable_service  = tplroot ~ '.service.enable' %}
+{%- set sls_reload_service  = tplroot ~ '.service.reload' %}
+{%- from tplroot ~ "/map.jinja" import ufw with context %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_enable_service }}
+  - {{ sls_reload_service }}
+
+# Interfaces
+{%- for interface_name, interface_details in ufw.get('interfaces', {}).items() %}
+  {%- set comment = interface_details.get('comment', None) %}
+
+ufw-interface-{{interface_name}}:
+  ufw.allowed:
+    - interface: {{interface_name}}
+    {%- if comment is not none %}
+    - comment: '"{{comment}}"'
+    {%- endif %}
+    - listen_in:
+      - cmd: reload-ufw
+
+{%- endfor %}
diff --git a/ufw/config/open.sls b/ufw/config/open.sls
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_enable_service  = tplroot ~ '.service.enable' %}
+{%- set sls_reload_service  = tplroot ~ '.service.reload' %}
+{%- from tplroot ~ "/map.jinja" import ufw with context %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_enable_service }}
+  - {{ sls_reload_service }}
+
+# Open
+{%- for open_addr, open_details in ufw.get('open', {}).items() %}
+  {%- set comment = open_details.get('comment', None) %}
+
+ufw-open-{{open_addr}}:
+  ufw.allowed:
+    - from_addr: {{open_addr}}
+    {%- if comment is not none %}
+    - comment: '"{{comment}}"'
+    {%- endif %}
+    - listen_in:
+      - cmd: reload-ufw
+
+{%- endfor %}
diff --git a/ufw/config/services.sls b/ufw/config/services.sls
@@ -0,0 +1,54 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_enable_service  = tplroot ~ '.service.enable' %}
+{%- set sls_reload_service  = tplroot ~ '.service.reload' %}
+{%- from tplroot ~ "/map.jinja" import ufw with context %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_enable_service }}
+  - {{ sls_reload_service }}
+
+# Services
+{%- for service_name, service_details in ufw.get('services', {}).items() %}
+
+  {%- set from_addr_raw = service_details.get('from_addr', [None]) %}
+  {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}
+
+  {%- for from_addr in from_addrs %}
+    {%- set protocol  = service_details.get('protocol', None) %}
+    {%- set deny      = service_details.get('deny', None) %}
+    {%- set limit     = service_details.get('limit', None) %}
+    {%- set method    = 'deny' if deny else ('limit' if limit else 'allow') %}
+    {%- set from_port = service_details.get('from_port', None) %}
+    {%- set to_addr   = service_details.get('to_addr', None) %}
+    {%- set to_port   = service_details.get('to_port', service_name) %}
+    {%- set comment   = service_details.get('comment', None) %}
+
+ufw-svc-{{method}}-{{service_name}}-{{from_addr}}:
+  ufw.{{method}}:
+    {%- if protocol is not none %}
+    - protocol: {{protocol}}
+    {%- endif %}
+    {%- if from_addr is not none %}
+    - from_addr: {{from_addr}}
+    {%- endif %}
+    {%- if from_port is not none %}
+    - from_port: "{{from_port}}"
+    {%- endif %}
+    {%- if to_addr is not none %}
+    - to_addr: {{to_addr}}
+    {%- endif %}
+    {%- if comment is not none %}
+    - comment: '"{{comment}}"'
+    {%- endif %}
+    - to_port: "{{to_port}}"
+    - listen_in:
+      - cmd: reload-ufw
+
+  {%- endfor %}
+{%- endfor %}
diff --git a/ufw/defaults.yaml b/ufw/defaults.yaml
@@ -1,2 +1,17 @@
-ufwmap:
-  pkg: ufw
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+ufw:
+  package: ufw
+  packages: []
+  service:
+    name: ufw
+  default_file: /etc/default/ufw
+  sysctl_file: /etc/ufw/sysctl.conf
+  enabled: false
+  settings: {}
+  sysctl: {}
+  services: {}
+  applications: {}
+  interfaces: {}
+  open: {}