From d6371ccccdc03e0c67c470799c7960f26d4e0469 Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Fri, 19 Jun 2026 20:18:19 +1000
Subject: [PATCH] Fixes for ensuring /etc/enroll exists if /etc/enroll/firewall is to be created
---
 enroll/puppet.py | 17 +++++++-------
 enroll/salt.py | 17 +++++++-------
 tests/test_manifest_puppet.py | 43 +++++++++++++++++++++++++++++++++++
 tests/test_manifest_salt.py | 41 +++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 18 deletions(-)
diff --git a/enroll/puppet.py b/enroll/puppet.py
index 55a8288..d8a1179 100644
--- a/enroll/puppet.py
+++ b/enroll/puppet.py
@@ -832,15 +832,14 @@ def _collect_puppet_roles(
 str(p).strip() for p in (fw.get("packages") or []) if str(p).strip()
 ]
 if has_fw or packages or fw.get("notes"):
- if has_fw:
- runtime_role = ensure_role("enroll_runtime")
- runtime_role.add_managed_dir(
- "/etc/enroll",
- owner="root",
- group="root",
- mode="0750",
- reason="enroll_runtime",
- )
+ runtime_role = ensure_role("enroll_runtime")
+ runtime_role.add_managed_dir(
+ "/etc/enroll",
+ owner="root",
+ group="root",
+ mode="0750",
+ reason="enroll_runtime",
+ )
 role_name = str(fw.get("role_name") or "firewall_runtime")
 prole = ensure_role(role_name)
 prole.add_firewall_runtime_snapshot(
diff --git a/enroll/salt.py b/enroll/salt.py
index 97fbe97..e407b78 100644
--- a/enroll/salt.py
+++ b/enroll/salt.py
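Review bot: The reason the `if has_fw:` guard was dropped is not recorded at the site, so a later reader may well reinstate it; a short comment above `runtime_role = ensure_role("enroll_runtime")` would pin the invariant, e.g. `# The firewall role's snapshot resources always require File['/etc/enroll'] (even for a packages/notes-only snapshot), so the enroll_runtime role must be emitted whenever the firewall role is.` The same applies to the matching hunk in enroll/salt.py. Beyond that, the `/etc/enroll` ownership and `0750` mode are now declared twice, here and in salt.py, with the same literals; hoisting them into one shared constant would keep the two backends from drifting, which matters because the snapshot written under `/etc/enroll/firewall` presumably contains the host's live firewall rules and should stay root-only readable. `_collect_puppet_roles` starts and ends outside the hunk.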
@@ -888,15 +888,14 @@ def _collect_salt_roles(
 str(p).strip() for p in (fw.get("packages") or []) if str(p).strip()
 ]
 if has_fw or packages or fw.get("notes"):
- if has_fw:
- runtime_role = ensure_role("enroll_runtime")
- runtime_role.add_managed_dir(
- "/etc/enroll",
- user="root",
- group="root",
- mode="0750",
- reason="enroll_runtime",
- )
+ runtime_role = ensure_role("enroll_runtime")
+ runtime_role.add_managed_dir(
+ "/etc/enroll",
+ user="root",
+ group="root",
+ mode="0750",
+ reason="enroll_runtime",
+ )
 role_name = str(fw.get("role_name") or "firewall_runtime")
 srole = ensure_role(role_name)
 srole.add_firewall_runtime_snapshot(
diff --git a/tests/test_manifest_puppet.py b/tests/test_manifest_puppet.py
index fd2fa7e..467dfb0 100644
--- a/tests/test_manifest_puppet.py
+++ b/tests/test_manifest_puppet.py
@@ -798,3 +798,46 @@ def test_manifest_puppet_renders_firewall_runtime_resources(tmp_path: Path):
 ).read_text(encoding="utf-8")
 assert "Hash $firewall_runtime = {}" in fqdn_pp
 assert "$firewall_runtime['ipset_restore_cmd']" in fqdn_pp
+
+
+def test_manifest_puppet_includes_enroll_runtime_for_firewall_notes_only(
+ tmp_path: Path,
+):
+ bundle = tmp_path / "bundle"
+ out = tmp_path / "puppet"
+ state = {
+ "schema_version": 3,
+ "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
+ "inventory": {"packages": {}},
+ "roles": {
+ "firewall_runtime": {
+ "role_name": "firewall_runtime",
+ "packages": [],
+ "ipset_save": None,
+ "ipset_sets": [],
+ "iptables_v4_save": None,
+ "iptables_v6_save": None,
+ "notes": [
+ "not running as root; live firewall runtime was not captured"
+ ],
+ }
+ },
+ }
+ _write_state(bundle, state)
+
+ manifest.manifest(str(bundle), str(out), target="puppet")
+
+ site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8")
+ assert "include enroll_runtime" in site_pp
+ assert "include firewall_runtime" in site_pp
+ assert site_pp.index("include enroll_runtime") < site_pp.index(
+ "include firewall_runtime"
+ )
+ runtime_pp = (
+ out / "modules" / "enroll_runtime" / "manifests" / "init.pp"
+ ).read_text(encoding="utf-8")
+ firewall_pp = (
+ out / "modules" / "firewall_runtime" / "manifests" / "init.pp"
+ ).read_text(encoding="utf-8")
+ assert "file { '/etc/enroll':" in runtime_pp
+ assert "require => File['/etc/enroll']," in firewall_pp
diff --git a/tests/test_manifest_salt.py b/tests/test_manifest_salt.py
index 1fa6804..75b6942 100644
--- a/tests/test_manifest_salt.py
+++ b/tests/test_manifest_salt.py
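Review bot: The new test proves `/etc/enroll` is declared and ordered before the firewall role, but not that it is declared with the restrictive `owner`/`group`/`mode` the collector passes (`root`, `root`, `0750`), which is the security-relevant half of the fix; a regression that drops the mode would still pass this test. If the rendered `init.pp` carries those attributes in a form the existing managed-dir tests already match, add that assertion on `runtime_pp` alongside `assert "file { '/etc/enroll':" in runtime_pp`. The same gap exists in the salt test hunk in tests/test_manifest_salt.py. The notes-only `state` dict is also byte-identical to the one in the salt test; a shared helper that builds it would keep the two in step.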
@@ -624,3 +624,44 @@ def test_manifest_salt_renders_firewall_runtime_states(tmp_path: Path):
 fqdn_out / "states" / "roles" / "firewall_runtime" / "init.sls"
 ).read_text(encoding="utf-8")
 assert "firewall_runtime.get('ipset_restore_cmd')" in fqdn_sls
+
+
+def test_manifest_salt_includes_enroll_runtime_for_firewall_notes_only(tmp_path: Path):
+ bundle = tmp_path / "bundle"
+ out = tmp_path / "salt"
+ state = {
+ "schema_version": 3,
+ "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
+ "inventory": {"packages": {}},
+ "roles": {
+ "firewall_runtime": {
+ "role_name": "firewall_runtime",
+ "packages": [],
+ "ipset_save": None,
+ "ipset_sets": [],
+ "iptables_v4_save": None,
+ "iptables_v6_save": None,
+ "notes": [
+ "not running as root; live firewall runtime was not captured"
+ ],
+ }
+ },
+ }
+ _write_state(bundle, state)
+
+ manifest.manifest(str(bundle), str(out), target="salt")
+
+ top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8"))
+ assert "roles.enroll_runtime" in top["base"]["*"]
+ assert "roles.firewall_runtime" in top["base"]["*"]
+ assert top["base"]["*"].index("roles.enroll_runtime") < top["base"]["*"].index(
+ "roles.firewall_runtime"
+ )
+ runtime_sls = (out / "states" / "roles" / "enroll_runtime" / "init.sls").read_text(
+ encoding="utf-8"
+ )
+ firewall_sls = (
+ out / "states" / "roles" / "firewall_runtime" / "init.sls"
+ ).read_text(encoding="utf-8")
+ assert '"/etc/enroll":' in runtime_sls
+ assert '- file: "/etc/enroll"' in firewall_sls
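Review bot: `runtime_sls` is checked only by the substring `'"/etc/enroll":'`, whereas `top.sls` a few lines above is parsed with `yaml.safe_load` and inspected structurally. If the rendered `enroll_runtime/init.sls` contains no Jinja (the firewall state evidently does, given the `firewall_runtime.get(...)` assertion in the preceding test), loading it the same way and asserting on the directory state's arguments would be less brittle to formatting changes and would let the test also pin the `user`/`mode` values the collector passes. The test function is complete within the hunk.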