571 lines
16 KiB
Bash
Executable File
571 lines
16 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
working_dir="$(cd "$(dirname "$BASH_SOURCE")"; pwd -P)"
|
|
source "$working_dir"/bach/bach.sh
|
|
|
|
@setup {
|
|
set -euo pipefail
|
|
}
|
|
|
|
@setup-test {
|
|
@mocktrue ufw status
|
|
@mocktrue grep -Fq "Status: active"
|
|
|
|
@mock iptables --version
|
|
@mocktrue grep -F '(legacy)'
|
|
|
|
@mocktrue docker -v
|
|
@mock docker -v === @stdout Docker version 0.0.0, build dummy
|
|
|
|
@ignore remove_blank_lines
|
|
@ignore echo
|
|
@ignore err
|
|
|
|
DEFAULT_PROTO=tcp
|
|
GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
|
|
|
|
UFW_DOCKER_AGENT_IMAGE=chaifeng/ufw-docker-agent:090502-legacy
|
|
}
|
|
|
|
function ufw-docker() {
|
|
@source <(@sed -n '/^# __main__$/,$p' "$working_dir/../ufw-docker") "$@"
|
|
}
|
|
|
|
function load-ufw-docker-function() {
|
|
set -euo pipefail
|
|
|
|
@load_function "$working_dir/../ufw-docker" "$1"
|
|
}
|
|
|
|
test-ufw-docker-init-legacy() {
|
|
@mocktrue grep -F '(legacy)'
|
|
@source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
|
|
}
|
|
test-ufw-docker-init-legacy-assert() {
|
|
iptables --version
|
|
test -n chaifeng/ufw-docker-agent:090502-legacy
|
|
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
|
@dryrun cat
|
|
}
|
|
|
|
|
|
test-ufw-docker-init-nf_tables() {
|
|
@mockfalse grep -F '(legacy)'
|
|
@source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
|
|
}
|
|
test-ufw-docker-init-nf_tables-assert() {
|
|
iptables --version
|
|
test -n chaifeng/ufw-docker-agent:090502-nf_tables
|
|
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
|
@dryrun cat
|
|
}
|
|
|
|
|
|
test-ufw-docker-init() {
|
|
UFW_DOCKER_AGENT_IMAGE=chaifeng/ufw-docker-agent:100917
|
|
@source <(@sed '/PATH=/d' "$working_dir/../ufw-docker") help
|
|
}
|
|
test-ufw-docker-init-assert() {
|
|
test -n chaifeng/ufw-docker-agent:100917
|
|
trap on-exit EXIT INT TERM QUIT ABRT ERR
|
|
@dryrun cat
|
|
}
|
|
|
|
|
|
test-ufw-docker-help() {
|
|
ufw-docker help
|
|
}
|
|
test-ufw-docker-help-assert() {
|
|
ufw-docker--help
|
|
}
|
|
|
|
|
|
test-ufw-docker-without-parameters() {
|
|
ufw-docker
|
|
}
|
|
test-ufw-docker-without-parameters-assert() {
|
|
test-ufw-docker-help-assert
|
|
}
|
|
|
|
|
|
test-ufw-is-disabled() {
|
|
@mockfalse grep -Fq "Status: active"
|
|
@mock iptables --version === @stdout 'iptables v1.8.4 (legacy)'
|
|
|
|
ufw-docker
|
|
}
|
|
test-ufw-is-disabled-assert() {
|
|
die "UFW is disabled or you are not root user, or mismatched iptables legacy/nf_tables, current iptables v1.8.4 (legacy)"
|
|
ufw-docker--help
|
|
}
|
|
|
|
|
|
test-ufw-docker-status() {
|
|
ufw-docker status
|
|
}
|
|
test-ufw-docker-status-assert() {
|
|
ufw-docker--status
|
|
}
|
|
|
|
|
|
test-ufw-docker-install() {
|
|
ufw-docker install
|
|
}
|
|
test-ufw-docker-install-assert() {
|
|
ufw-docker--install
|
|
}
|
|
|
|
|
|
test-ufw-docker-check() {
|
|
ufw-docker check
|
|
}
|
|
test-ufw-docker-check-assert() {
|
|
ufw-docker--check
|
|
}
|
|
|
|
|
|
test-ufw-docker-service() {
|
|
ufw-docker service allow httpd
|
|
}
|
|
test-ufw-docker-service-assert() {
|
|
ufw-docker--service allow httpd
|
|
}
|
|
|
|
|
|
test-ufw-docker-raw-command() {
|
|
ufw-docker raw-command status
|
|
}
|
|
test-ufw-docker-raw-command-assert() {
|
|
ufw-docker--raw-command status
|
|
}
|
|
|
|
|
|
test-ufw-docker-add-service-rule() {
|
|
ufw-docker add-service-rule httpd 80/tcp
|
|
}
|
|
test-ufw-docker-add-service-rule-assert() {
|
|
ufw-docker--add-service-rule httpd 80/tcp
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-delete-must-have-parameters() {
|
|
ufw-docker delete
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-list-must-have-parameters() {
|
|
ufw-docker list
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-allow-must-have-parameters() {
|
|
ufw-docker allow
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-delete-httpd-but-it-doesnt-exist() {
|
|
@mockfalse ufw-docker--instance-name httpd
|
|
ufw-docker delete httpd
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-list-httpd-but-it-doesnt-exist() {
|
|
@mockfalse ufw-docker--instance-name httpd
|
|
ufw-docker list httpd
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-allow-httpd-but-it-doesnt-exist() {
|
|
@mockfalse ufw-docker--instance-name httpd
|
|
ufw-docker allow httpd
|
|
}
|
|
|
|
|
|
test-ufw-docker-list-httpd() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker list httpd
|
|
}
|
|
test-ufw-docker-list-httpd-assert() {
|
|
ufw-docker--list httpd-container-name "" tcp ""
|
|
}
|
|
|
|
|
|
test-ufw-docker-allow-httpd() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker allow httpd
|
|
}
|
|
test-ufw-docker-allow-httpd-assert() {
|
|
ufw-docker--allow httpd-container-name "" tcp ""
|
|
}
|
|
|
|
|
|
test-ufw-docker-allow-httpd-80() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker allow httpd 80
|
|
}
|
|
test-ufw-docker-allow-httpd-80-assert() {
|
|
ufw-docker--allow httpd-container-name 80 tcp ""
|
|
}
|
|
|
|
|
|
test-ufw-docker-allow-httpd-80tcp() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker allow httpd 80/tcp
|
|
}
|
|
test-ufw-docker-allow-httpd-80tcp-assert() {
|
|
ufw-docker--allow httpd-container-name 80 tcp ""
|
|
}
|
|
|
|
|
|
test-ufw-docker-allow-httpd-80udp() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker allow httpd 80/udp
|
|
}
|
|
test-ufw-docker-allow-httpd-80udp-assert() {
|
|
ufw-docker--allow httpd-container-name 80 udp ""
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-allow-httpd-INVALID-port() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
@mock die 'invalid port syntax: "invalid".' === exit 1
|
|
|
|
ufw-docker allow httpd invalid
|
|
}
|
|
|
|
|
|
test-ufw-docker-list-httpd() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker list httpd
|
|
}
|
|
test-ufw-docker-list-httpd-assert() {
|
|
ufw-docker--list httpd-container-name "" tcp ""
|
|
}
|
|
|
|
|
|
test-ufw-docker-delete-allow-httpd() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker delete allow httpd
|
|
}
|
|
test-ufw-docker-delete-allow-httpd-assert() {
|
|
ufw-docker--delete httpd-container-name "" tcp ""
|
|
}
|
|
|
|
|
|
test-ASSERT-FAIL-ufw-docker-delete-only-supports-allowed-rules() {
|
|
@mock ufw-docker--instance-name httpd === @stdout httpd-container-name
|
|
ufw-docker delete non-allow
|
|
}
|
|
test-ASSERT-FAIL-ufw-docker-delete-only-supports-allowed-rules-assert() {
|
|
die "\"delete\" command only support removing allowed rules"
|
|
}
|
|
|
|
|
|
function setup-ufw-docker--allow() {
|
|
load-ufw-docker-function ufw-docker--allow
|
|
|
|
@mocktrue docker inspect instance-name
|
|
@mock docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{"\n"}}{{end}}' instance-name === @stdout 172.18.0.3
|
|
@mock docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s\n" $k}}{{end}}' instance-name === @stdout default
|
|
@mock docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' instance-name === @stdout 5000/tcp 8080/tcp 5353/udp
|
|
}
|
|
|
|
function setup-ufw-docker--allow--multinetwork() {
|
|
load-ufw-docker-function ufw-docker--allow
|
|
|
|
@mocktrue docker inspect instance-name
|
|
@mock docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{"\n"}}{{end}}' instance-name === @stdout 172.18.0.3 172.19.0.7
|
|
@mock docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s\n" $k}}{{end}}' instance-name === @stdout default awesomenet
|
|
@mock docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' instance-name === @stdout 5000/tcp 8080/tcp 5353/udp
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-not-found() {
|
|
setup-ufw-docker--allow
|
|
|
|
@mockfalse docker inspect invalid-instance
|
|
@mockfalse die "Docker instance \"invalid-instance\" doesn't exist."
|
|
|
|
ufw-docker--allow invalid-instance 80 tcp
|
|
}
|
|
test-ufw-docker--allow-instance-not-found-assert() {
|
|
@do-nothing
|
|
@fail
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-but-the-port-not-match() {
|
|
setup-ufw-docker--allow
|
|
|
|
ufw-docker--allow instance-name 80 tcp
|
|
}
|
|
test-ufw-docker--allow-instance-but-the-port-not-match-assert() {
|
|
@do-nothing
|
|
@fail
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-but-the-proto-not-match() {
|
|
setup-ufw-docker--allow
|
|
|
|
ufw-docker--allow instance-name 5353 tcp
|
|
}
|
|
test-ufw-docker--allow-instance-but-the-proto-not-match-assert() {
|
|
@do-nothing
|
|
@fail
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-and-match-the-port() {
|
|
setup-ufw-docker--allow
|
|
|
|
ufw-docker--allow instance-name 5000 tcp
|
|
}
|
|
test-ufw-docker--allow-instance-and-match-the-port-assert() {
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-all-published-port() {
|
|
setup-ufw-docker--allow
|
|
|
|
ufw-docker--allow instance-name "" ""
|
|
}
|
|
test-ufw-docker--allow-instance-all-published-port-assert() {
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
|
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp default
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-all-published-tcp-port() {
|
|
setup-ufw-docker--allow
|
|
|
|
ufw-docker--allow instance-name "" tcp
|
|
}
|
|
test-ufw-docker--allow-instance-all-published-tcp-port-assert() {
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
|
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp default
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default # FIXME
|
|
}
|
|
|
|
|
|
test-ufw-docker--allow-instance-all-published-port-multinetwork() {
|
|
setup-ufw-docker--allow--multinetwork
|
|
|
|
ufw-docker--allow instance-name "" ""
|
|
}
|
|
test-ufw-docker--allow-instance-all-published-port-multinetwork-assert() {
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
|
ufw-docker--add-rule instance-name 172.19.0.7 5000 tcp awesomenet
|
|
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp default
|
|
ufw-docker--add-rule instance-name 172.19.0.7 8080 tcp awesomenet
|
|
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default
|
|
ufw-docker--add-rule instance-name 172.19.0.7 5353 udp awesomenet
|
|
}
|
|
|
|
test-ufw-docker--allow-instance-all-published-port-multinetwork-select-network() {
|
|
setup-ufw-docker--allow--multinetwork
|
|
|
|
ufw-docker--allow instance-name "" "" awesomenet
|
|
}
|
|
test-ufw-docker--allow-instance-all-published-port-multinetwork-select-network-assert() {
|
|
ufw-docker--add-rule instance-name 172.19.0.7 5000 tcp awesomenet
|
|
ufw-docker--add-rule instance-name 172.19.0.7 8080 tcp awesomenet
|
|
ufw-docker--add-rule instance-name 172.19.0.7 5353 udp awesomenet
|
|
}
|
|
|
|
test-ufw-docker--add-rule-a-non-existing-rule() {
|
|
@mockfalse ufw-docker--list webapp 5000 tcp ""
|
|
|
|
load-ufw-docker-function ufw-docker--add-rule
|
|
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp
|
|
}
|
|
test-ufw-docker--add-rule-a-non-existing-rule-assert() {
|
|
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp"
|
|
}
|
|
|
|
test-ufw-docker--add-rule-a-non-existing-rule-with-network() {
|
|
@mockfalse ufw-docker--list webapp 5000 tcp default
|
|
|
|
load-ufw-docker-function ufw-docker--add-rule
|
|
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp default
|
|
}
|
|
test-ufw-docker--add-rule-a-non-existing-rule-with-network-assert() {
|
|
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp default"
|
|
}
|
|
|
|
|
|
test-ufw-docker--add-rule-modify-an-existing-rule() {
|
|
@mocktrue ufw-docker--list webapp 5000 tcp default
|
|
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp default"
|
|
@mockfalse grep "^Skipping"
|
|
|
|
load-ufw-docker-function ufw-docker--add-rule
|
|
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp default
|
|
}
|
|
test-ufw-docker--add-rule-modify-an-existing-rule-assert() {
|
|
ufw-docker--delete webapp 5000 tcp default
|
|
|
|
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp default"
|
|
}
|
|
|
|
|
|
test-ufw-docker--add-rule-skip-an-existing-rule() {
|
|
@mocktrue ufw-docker--list webapp 5000 tcp ""
|
|
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp"
|
|
@mocktrue grep "^Skipping"
|
|
|
|
load-ufw-docker-function ufw-docker--add-rule
|
|
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp ""
|
|
}
|
|
test-ufw-docker--add-rule-skip-an-existing-rule-assert() {
|
|
@do-nothing
|
|
}
|
|
|
|
|
|
test-ufw-docker--add-rule-modify-an-existing-rule-without-port() {
|
|
@mocktrue ufw-docker--list webapp "" tcp ""
|
|
|
|
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 comment "allow webapp"
|
|
@mockfalse grep "^Skipping"
|
|
|
|
load-ufw-docker-function ufw-docker--add-rule
|
|
|
|
ufw-docker--add-rule webapp 172.18.0.4 "" tcp ""
|
|
}
|
|
test-ufw-docker--add-rule-modify-an-existing-rule-without-port-assert() {
|
|
ufw-docker--delete webapp "" tcp ""
|
|
|
|
ufw route allow proto tcp from any to 172.18.0.4 comment "allow webapp"
|
|
}
|
|
|
|
|
|
test-ufw-docker--instance-name-found-a-name() {
|
|
@mock docker inspect --format="{{.Name}}" foo
|
|
@mock sed -e 's,^/,,'
|
|
@mockfalse grep "^$GREP_REGEXP_INSTANCE_NAME\$"
|
|
|
|
@mock echo -n foo
|
|
|
|
load-ufw-docker-function ufw-docker--instance-name
|
|
ufw-docker--instance-name foo
|
|
}
|
|
test-ufw-docker--instance-name-found-a-name-assert() {
|
|
docker inspect --format="{{.Name}}" foo
|
|
echo -n foo
|
|
}
|
|
|
|
|
|
test-ufw-docker--instance-name-found-an-id() {
|
|
@mock docker inspect --format="{{.Name}}" fooid
|
|
@mock sed -e 's,^/,,'
|
|
@mockfalse grep "^$GREP_REGEXP_INSTANCE_NAME\$"
|
|
|
|
load-ufw-docker-function ufw-docker--instance-name
|
|
ufw-docker--instance-name fooid
|
|
}
|
|
test-ufw-docker--instance-name-found-an-id-assert() {
|
|
docker inspect --format="{{.Name}}" fooid
|
|
}
|
|
|
|
|
|
test-ufw-docker--list-name() {
|
|
@mocktrue ufw status numbered
|
|
load-ufw-docker-function ufw-docker--list
|
|
ufw-docker--list foo
|
|
}
|
|
test-ufw-docker--list-name-assert() {
|
|
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\( [[:graph:]]*\\)\$"
|
|
}
|
|
|
|
test-ufw-docker--list-name-udp() {
|
|
@mocktrue ufw status numbered
|
|
load-ufw-docker-function ufw-docker--list
|
|
ufw-docker--list foo "" udp
|
|
}
|
|
test-ufw-docker--list-name-udp-assert() {
|
|
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\( [[:graph:]]*\\)\$"
|
|
}
|
|
|
|
|
|
test-ufw-docker--list-name-80() {
|
|
@mocktrue ufw status numbered
|
|
load-ufw-docker-function ufw-docker--list
|
|
ufw-docker--list foo 80
|
|
}
|
|
test-ufw-docker--list-name-80-assert() {
|
|
grep "# allow foo\\( 80\\/tcp\\)\\( [[:graph:]]*\\)\$"
|
|
}
|
|
|
|
|
|
test-ufw-docker--list-name-80-udp() {
|
|
@mocktrue ufw status numbered
|
|
load-ufw-docker-function ufw-docker--list
|
|
ufw-docker--list foo 80 udp
|
|
}
|
|
test-ufw-docker--list-name-80-udp-assert() {
|
|
grep "# allow foo\\( 80\\/udp\\)\\( [[:graph:]]*\\)\$"
|
|
}
|
|
|
|
|
|
test-ufw-docker--list-grep-without-network() {
|
|
@mocktrue ufw status numbered
|
|
@mockfalse grep "# allow foo\\( 80\\/udp\\)\\( [[:graph:]]*\\)\$"
|
|
load-ufw-docker-function ufw-docker--list
|
|
ufw-docker--list foo 80 udp
|
|
}
|
|
test-ufw-docker--list-grep-without-network-assert() {
|
|
grep "# allow foo\\( 80\\/udp\\)\$"
|
|
}
|
|
|
|
|
|
test-ufw-docker--list-grep-without-network-and-port() {
|
|
@mocktrue ufw status numbered
|
|
@mockfalse grep "# allow foo\\( 80\\/udp\\)\\( [[:graph:]]*\\)\$"
|
|
@mockfalse grep "# allow foo\\( 80\\/udp\\)\$"
|
|
load-ufw-docker-function ufw-docker--list
|
|
ufw-docker--list foo 80 udp
|
|
}
|
|
test-ufw-docker--list-grep-without-network-and-port-assert() {
|
|
grep "# allow foo\$"
|
|
}
|
|
|
|
|
|
test-ufw-docker--list-number() {
|
|
@mocktrue ufw-docker--list foo 53 udp
|
|
|
|
load-ufw-docker-function ufw-docker--list-number
|
|
ufw-docker--list-number foo 53 udp
|
|
}
|
|
test-ufw-docker--list-number-assert() {
|
|
sed -e 's/^\[[[:blank:]]*\([[:digit:]]\+\)\].*/\1/'
|
|
}
|
|
|
|
|
|
test-ufw-docker--delete-empty-result() {
|
|
@mock ufw-docker--list-number webapp 80 tcp === @stdout ""
|
|
@mock sort -rn
|
|
|
|
load-ufw-docker-function ufw-docker--delete
|
|
ufw-docker--delete webapp 80 tcp
|
|
}
|
|
test-ufw-docker--delete-empty-result-assert() {
|
|
@do-nothing
|
|
}
|
|
|
|
|
|
test-ufw-docker--delete-all() {
|
|
@mock ufw-docker--list-number webapp 80 tcp === @stdout 5 8 9
|
|
@mock sort -rn
|
|
|
|
load-ufw-docker-function ufw-docker--delete
|
|
ufw-docker--delete webapp 80 tcp
|
|
}
|
|
test-ufw-docker--delete-all-assert() {
|
|
ufw delete 5
|
|
ufw delete 8
|
|
ufw delete 9
|
|
}
|