loooots of fixes.
This commit is contained in:
parent
b8926f9a5f
commit
de42e16510
12 changed files with 1579 additions and 116 deletions
|
|
@ -147,3 +147,87 @@ def test_openssh_paths_are_jinjaturtle_supported_and_forced_to_ssh() -> None:
|
|||
|
||||
assert can_jinjify_path("/etc/ssh/sshd_config")
|
||||
assert can_jinjify_path("/etc/ssh/ssh_config")
|
||||
|
||||
|
||||
def test_jinjify_managed_files_namespaces_multiple_templates(
|
||||
monkeypatch, tmp_path: Path
|
||||
):
|
||||
from enroll.jinjaturtle import jinjify_managed_files
|
||||
|
||||
bundle = tmp_path / "bundle"
|
||||
template_root = tmp_path / "templates"
|
||||
for rel in ("etc/foo/a.yaml", "etc/foo/b.yaml"):
|
||||
path = bundle / "artifacts" / "foo" / rel
|
||||
path.parent.mkdir(parents=True, exist_ok=True)
|
||||
path.write_text("ignore: []\n", encoding="utf-8")
|
||||
|
||||
calls = []
|
||||
|
||||
def fake_run_jinjaturtle(jt_exe, src_path, *, role_name, force_format=None):
|
||||
calls.append((Path(src_path).name, role_name))
|
||||
return JinjifyResult(
|
||||
template_text=f"ignore: {{{{ {role_name}_ignore }}}}\n",
|
||||
vars_text=f"{role_name}_ignore: []\n",
|
||||
)
|
||||
|
||||
monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle)
|
||||
|
||||
templated, vars_text = jinjify_managed_files(
|
||||
bundle,
|
||||
"foo",
|
||||
template_root,
|
||||
[
|
||||
{"path": "/etc/foo/a.yaml", "src_rel": "etc/foo/a.yaml"},
|
||||
{"path": "/etc/foo/b.yaml", "src_rel": "etc/foo/b.yaml"},
|
||||
],
|
||||
jt_exe="jinjaturtle",
|
||||
jt_enabled=True,
|
||||
overwrite_templates=True,
|
||||
role_name="foo",
|
||||
)
|
||||
|
||||
assert templated == {"etc/foo/a.yaml", "etc/foo/b.yaml"}
|
||||
assert calls == [
|
||||
("a.yaml", "foo_etc_foo_a_yaml"),
|
||||
("b.yaml", "foo_etc_foo_b_yaml"),
|
||||
]
|
||||
assert "foo_etc_foo_a_yaml_ignore: []" in vars_text
|
||||
assert "foo_etc_foo_b_yaml_ignore: []" in vars_text
|
||||
assert (template_root / "etc" / "foo" / "a.yaml.j2").read_text(
|
||||
encoding="utf-8"
|
||||
) == "ignore: {{ foo_etc_foo_a_yaml_ignore }}\n"
|
||||
|
||||
|
||||
def test_jinjify_managed_files_rejects_templates_with_missing_defaults(
|
||||
monkeypatch, tmp_path: Path
|
||||
):
|
||||
from enroll.jinjaturtle import jinjify_managed_files
|
||||
|
||||
bundle = tmp_path / "bundle"
|
||||
template_root = tmp_path / "templates"
|
||||
artifact = bundle / "artifacts" / "foo" / "etc" / "foo" / "pdk.yaml"
|
||||
artifact.parent.mkdir(parents=True, exist_ok=True)
|
||||
artifact.write_text("ignore: []\n", encoding="utf-8")
|
||||
|
||||
def fake_run_jinjaturtle(jt_exe, src_path, *, role_name, force_format=None):
|
||||
return JinjifyResult(
|
||||
template_text=f"ignore: {{{{ {role_name}_ignore }}}}\n",
|
||||
vars_text="--- {}\n",
|
||||
)
|
||||
|
||||
monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle)
|
||||
|
||||
templated, vars_text = jinjify_managed_files(
|
||||
bundle,
|
||||
"foo",
|
||||
template_root,
|
||||
[{"path": "/etc/foo/pdk.yaml", "src_rel": "etc/foo/pdk.yaml"}],
|
||||
jt_exe="jinjaturtle",
|
||||
jt_enabled=True,
|
||||
overwrite_templates=True,
|
||||
role_name="foo",
|
||||
)
|
||||
|
||||
assert templated == set()
|
||||
assert vars_text == ""
|
||||
assert not (template_root / "etc" / "foo" / "pdk.yaml.j2").exists()
|
||||
|
|
|
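Review bot: test_jinjify_managed_files_rejects_templates_with_missing_defaults pins only the negative outcome — empty `templated`, empty `vars_text`, no `pdk.yaml.j2` — and nothing about what happens to the rejected file afterwards, so a regression that silently drops it from the managed set would still pass. If jinjify_managed_files records a note or hands the file back for static handling, assert on that here; otherwise give the test a docstring such as `"""A template whose vars file declares no defaults is skipped so the rendered Jinja cannot reference undefined variables."""` so the intent of `vars_text="--- {}\n"` is explicit rather than inferred. The first new test likewise documents the `foo_etc_foo_a_yaml` namespacing only through its assertions and would benefit from a one-line docstring. The fake `run_jinjaturtle` closure is duplicated between the two tests and could be a single helper parameterized by the returned vars_text. The leading context lines belong to test_openssh_paths_are_jinjaturtle_supported_and_forced_to_ssh, whose body starts outside the hunk.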
|||
|
|
@ -1308,9 +1308,14 @@ def test_manifest_writes_firewall_runtime_role(tmp_path: Path):
|
|||
tasks = (out / "roles" / "firewall_runtime" / "tasks" / "main.yml").read_text(
|
||||
encoding="utf-8"
|
||||
)
|
||||
assert "ipset restore -exist" in tasks
|
||||
assert "iptables-restore /etc/enroll/firewall/iptables.v4" in tasks
|
||||
assert "ipset flush {{ item }}" in tasks
|
||||
handlers = (out / "roles" / "firewall_runtime" / "handlers" / "main.yml").read_text(
|
||||
encoding="utf-8"
|
||||
)
|
||||
assert "notify: Restore captured ipsets" in tasks
|
||||
assert "notify: Restore captured IPv4 iptables rules" in tasks
|
||||
assert "ipset restore -exist" in handlers
|
||||
assert "iptables-restore /etc/enroll/firewall/iptables.v4" in handlers
|
||||
assert "ipset flush {{ item }}" in handlers
|
||||
|
||||
defaults = (out / "roles" / "firewall_runtime" / "defaults" / "main.yml").read_text(
|
||||
encoding="utf-8"
|
||||
|
|
@ -1320,7 +1325,13 @@ def test_manifest_writes_firewall_runtime_role(tmp_path: Path):
|
|||
assert "firewall_runtime_restore_iptables: true" in defaults
|
||||
|
||||
pb = (out / "playbook.yml").read_text(encoding="utf-8")
|
||||
assert "role: enroll_runtime" in pb
|
||||
assert "role: firewall_runtime" in pb
|
||||
assert pb.index("role: enroll_runtime") < pb.index("role: firewall_runtime")
|
||||
runtime_tasks = (out / "roles" / "enroll_runtime" / "tasks" / "main.yml").read_text(
|
||||
encoding="utf-8"
|
||||
)
|
||||
assert "path: /etc/enroll" in runtime_tasks
|
||||
assert (
|
||||
out / "roles" / "firewall_runtime" / "files" / "firewall" / "ipset.save"
|
||||
).exists()
|
||||
|
|
@ -2076,6 +2087,8 @@ def test_manifest_renders_container_image_role_for_ansible(tmp_path: Path):
|
|||
assert podman_digest in defaults
|
||||
assert "community.docker.docker_image_pull" in tasks
|
||||
assert "community.docker.docker_image_tag" in tasks
|
||||
assert "selectattr('pull_ref')" in tasks
|
||||
assert "item.pull_ref | default('', true) | length > 0" in tasks
|
||||
assert "containers.podman.podman_image" in tasks
|
||||
assert "containers.podman.podman_tag" in tasks
|
||||
assert "repository:" in tasks
|
||||
|
|
|
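Review bot: The new assertions on runtime_tasks in the second hunk check only `path: /etc/enroll`, while the salt counterpart in this commit pins the directory mode (`0750`); the ansible rendering of owner and mode for the directory that holds the iptables and ipset dumps is therefore untested, and a regression to a more permissive mode would pass. If the enroll_runtime tasks render a mode for that directory, assert it next to the path check with the exact rendered value. In the first hunk the same restore commands are asserted in both `tasks` and `handlers`; if the intent is that the restore now runs only from the notified handlers, the three `in tasks` assertions that precede the handlers read pin the duplicate and should probably become `not in` checks — hedged, since the rendered hunk does not show which of those lines are new. test_manifest_writes_firewall_runtime_role begins and ends outside the hunks.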
|||
|
|
@ -712,3 +712,89 @@ def test_manifest_puppet_renders_container_images_static_and_hiera(tmp_path: Pat
|
|||
assert "podman pull" in (
|
||||
fqdn_out / "data" / "nodes" / "node.example.yaml"
|
||||
).read_text(encoding="utf-8")
|
||||
|
||||
|
||||
def test_manifest_puppet_renders_firewall_runtime_resources(tmp_path: Path):
|
||||
bundle = tmp_path / "bundle"
|
||||
out = tmp_path / "puppet"
|
||||
fw_dir = bundle / "artifacts" / "firewall_runtime" / "firewall"
|
||||
fw_dir.mkdir(parents=True, exist_ok=True)
|
||||
(fw_dir / "ipset.save").write_text(
|
||||
"create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n",
|
||||
encoding="utf-8",
|
||||
)
|
||||
(fw_dir / "iptables.v4").write_text(
|
||||
"*filter\n:INPUT DROP [0:0]\n-A INPUT -m set --match-set blocklist src -j DROP\nCOMMIT\n",
|
||||
encoding="utf-8",
|
||||
)
|
||||
state = {
|
||||
"schema_version": 3,
|
||||
"host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
|
||||
"inventory": {"packages": {}},
|
||||
"roles": {
|
||||
"firewall_runtime": {
|
||||
"role_name": "firewall_runtime",
|
||||
"packages": ["ipset", "iptables"],
|
||||
"ipset_save": "firewall/ipset.save",
|
||||
"ipset_sets": ["blocklist"],
|
||||
"iptables_v4_save": "firewall/iptables.v4",
|
||||
"iptables_v6_save": None,
|
||||
"notes": [],
|
||||
}
|
||||
},
|
||||
}
|
||||
_write_state(bundle, state)
|
||||
|
||||
manifest.manifest(str(bundle), str(out), target="puppet")
|
||||
|
||||
pp = (out / "modules" / "firewall_runtime" / "manifests" / "init.pp").read_text(
|
||||
encoding="utf-8"
|
||||
)
|
||||
runtime_pp = (
|
||||
out / "modules" / "enroll_runtime" / "manifests" / "init.pp"
|
||||
).read_text(encoding="utf-8")
|
||||
assert "file { '/etc/enroll':" in runtime_pp
|
||||
assert "file { '/etc/enroll':" not in pp
|
||||
assert "file { '/etc/enroll/firewall':" in pp
|
||||
assert "require => File['/etc/enroll']," in pp
|
||||
assert "file { '/etc/enroll/firewall/ipset.save':" in pp
|
||||
assert "ipset restore -exist" in pp
|
||||
assert "ipset flush blocklist" in pp
|
||||
assert "iptables-restore /etc/enroll/firewall/iptables.v4" in pp
|
||||
assert "refreshonly => true" in pp
|
||||
assert "subscribe => File['/etc/enroll/firewall/iptables.v4']" in pp
|
||||
assert "iptables-save >" not in pp
|
||||
assert "Live firewall runtime snapshots were detected" not in pp
|
||||
assert (
|
||||
out / "modules" / "firewall_runtime" / "files" / "firewall" / "ipset.save"
|
||||
).exists()
|
||||
|
||||
fqdn_out = tmp_path / "puppet-fqdn"
|
||||
manifest.manifest(str(bundle), str(fqdn_out), target="puppet", fqdn="node.example")
|
||||
node_data = yaml.safe_load(
|
||||
(fqdn_out / "data" / "nodes" / "node.example.yaml").read_text(encoding="utf-8")
|
||||
)
|
||||
assert "enroll_runtime" in node_data["enroll::classes"]
|
||||
assert "firewall_runtime" in node_data["enroll::classes"]
|
||||
assert node_data["enroll::classes"].index("enroll_runtime") < node_data[
|
||||
"enroll::classes"
|
||||
].index("firewall_runtime")
|
||||
assert node_data["enroll_runtime::dirs"]["/etc/enroll"]["ensure"] == "directory"
|
||||
assert node_data["firewall_runtime::firewall_runtime"]["ipset_sets"] == [
|
||||
"blocklist"
|
||||
]
|
||||
assert (
|
||||
"ipset restore -exist"
|
||||
in node_data["firewall_runtime::firewall_runtime"]["ipset_restore_cmd"]
|
||||
)
|
||||
assert (
|
||||
node_data["firewall_runtime::files"]["/etc/enroll/firewall/ipset.save"][
|
||||
"source"
|
||||
]
|
||||
== "puppet:///modules/firewall_runtime/nodes/node.example/firewall/ipset.save"
|
||||
)
|
||||
fqdn_pp = (
|
||||
fqdn_out / "modules" / "firewall_runtime" / "manifests" / "init.pp"
|
||||
).read_text(encoding="utf-8")
|
||||
assert "Hash $firewall_runtime = {}" in fqdn_pp
|
||||
assert "$firewall_runtime['ipset_restore_cmd']" in fqdn_pp
|
||||
|
|
|
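Review bot: The puppet test asserts `subscribe => File['/etc/enroll/firewall/iptables.v4']` and `refreshonly => true` but nothing ties the ipset restore to the iptables restore, even though the fixture rule `-m set --match-set blocklist src` will not load unless the `blocklist` set already exists; if the generated init.pp orders the two execs (a `require`/`before` between them), assert that relationship here so a regression to unordered execs is caught. The ipset.save counterpart of the subscribe assertion is also missing — only iptables.v4 is checked as a trigger, so an ipset exec that re-runs on every agent run would pass. In the fqdn variant `ipset_restore_cmd` comes from hiera node data and is interpolated into the class; a one-line comment above `assert "$firewall_runtime['ipset_restore_cmd']" in fqdn_pp` noting that the exec command text is sourced from node data would make that trust boundary visible to the next reader. The bundle and state fixture is duplicated verbatim in test_manifest_salt_renders_firewall_runtime_states in this commit; a shared `_firewall_runtime_bundle(tmp_path)` helper would keep the two from drifting.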
|||
|
|
@ -532,3 +532,95 @@ def test_manifest_salt_uses_jinjaturtle_templates(monkeypatch, tmp_path: Path):
|
|||
assert file_data["source"] == "salt://roles/foo/templates/etc/foo.conf.j2"
|
||||
assert file_data["template"] == "jinja"
|
||||
assert file_data["context"] == {"foo_setting": True}
|
||||
|
||||
|
||||
def test_manifest_salt_renders_firewall_runtime_states(tmp_path: Path):
|
||||
bundle = tmp_path / "bundle"
|
||||
out = tmp_path / "salt"
|
||||
fw_dir = bundle / "artifacts" / "firewall_runtime" / "firewall"
|
||||
fw_dir.mkdir(parents=True, exist_ok=True)
|
||||
(fw_dir / "ipset.save").write_text(
|
||||
"create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n",
|
||||
encoding="utf-8",
|
||||
)
|
||||
(fw_dir / "iptables.v4").write_text(
|
||||
"*filter\n:INPUT DROP [0:0]\n-A INPUT -m set --match-set blocklist src -j DROP\nCOMMIT\n",
|
||||
encoding="utf-8",
|
||||
)
|
||||
state = {
|
||||
"schema_version": 3,
|
||||
"host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
|
||||
"inventory": {"packages": {}},
|
||||
"roles": {
|
||||
"firewall_runtime": {
|
||||
"role_name": "firewall_runtime",
|
||||
"packages": ["ipset", "iptables"],
|
||||
"ipset_save": "firewall/ipset.save",
|
||||
"ipset_sets": ["blocklist"],
|
||||
"iptables_v4_save": "firewall/iptables.v4",
|
||||
"iptables_v6_save": None,
|
||||
"notes": [],
|
||||
}
|
||||
},
|
||||
}
|
||||
_write_state(bundle, state)
|
||||
|
||||
manifest.manifest(str(bundle), str(out), target="salt")
|
||||
|
||||
top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8"))
|
||||
assert "roles.enroll_runtime" in top["base"]["*"]
|
||||
assert top["base"]["*"].index("roles.enroll_runtime") < top["base"]["*"].index(
|
||||
"roles.firewall_runtime"
|
||||
)
|
||||
runtime_sls = (out / "states" / "roles" / "enroll_runtime" / "init.sls").read_text(
|
||||
encoding="utf-8"
|
||||
)
|
||||
assert '"/etc/enroll":' in runtime_sls
|
||||
sls = (out / "states" / "roles" / "firewall_runtime" / "init.sls").read_text(
|
||||
encoding="utf-8"
|
||||
)
|
||||
assert '"/etc/enroll":' not in sls
|
||||
assert '"/etc/enroll/firewall":' in sls
|
||||
assert '- file: "/etc/enroll"' in sls
|
||||
assert '"/etc/enroll/firewall/ipset.save":' in sls
|
||||
assert "ipset restore -exist" in sls
|
||||
assert "ipset flush blocklist" in sls
|
||||
assert "iptables-restore /etc/enroll/firewall/iptables.v4" in sls
|
||||
assert " - onchanges:" in sls
|
||||
assert ' - file: "/etc/enroll/firewall/iptables.v4"' in sls
|
||||
assert "iptables-save >" not in sls
|
||||
assert "Live firewall runtime snapshots were detected" not in sls
|
||||
assert (
|
||||
out
|
||||
/ "states"
|
||||
/ "roles"
|
||||
/ "firewall_runtime"
|
||||
/ "files"
|
||||
/ "firewall"
|
||||
/ "ipset.save"
|
||||
).exists()
|
||||
|
||||
fqdn_out = tmp_path / "salt-fqdn"
|
||||
manifest.manifest(str(bundle), str(fqdn_out), target="salt", fqdn="node.example")
|
||||
pillar_top = yaml.safe_load(
|
||||
(fqdn_out / "pillar" / "top.sls").read_text(encoding="utf-8")
|
||||
)
|
||||
node_sls = pillar_top["base"]["node.example"][0]
|
||||
pillar_path = fqdn_out / "pillar" / Path(*node_sls.split("."))
|
||||
pillar = yaml.safe_load(pillar_path.with_suffix(".sls").read_text(encoding="utf-8"))
|
||||
assert "roles.enroll_runtime" in pillar["enroll"]["classes"]
|
||||
assert "firewall_runtime" in pillar["enroll"]["roles"]
|
||||
assert (
|
||||
pillar["enroll"]["roles"]["enroll_runtime"]["dirs"]["/etc/enroll"]["mode"]
|
||||
== "0750"
|
||||
)
|
||||
role_data = pillar["enroll"]["roles"]["firewall_runtime"]
|
||||
assert role_data["firewall_runtime"]["ipset_sets"] == ["blocklist"]
|
||||
assert "ipset restore -exist" in role_data["firewall_runtime"]["ipset_restore_cmd"]
|
||||
assert role_data["files"]["/etc/enroll/firewall/ipset.save"]["source"] == (
|
||||
"salt://roles/firewall_runtime/files/nodes/node.example/firewall/ipset.save"
|
||||
)
|
||||
fqdn_sls = (
|
||||
fqdn_out / "states" / "roles" / "firewall_runtime" / "init.sls"
|
||||
).read_text(encoding="utf-8")
|
||||
assert "firewall_runtime.get('ipset_restore_cmd')" in fqdn_sls
|
||||
|
|
|
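Review bot: `assert " - onchanges:" in sls` does not say which state the onchanges belongs to, and the only trigger file asserted is iptables.v4, so an ipset restore that runs unconditionally on every highstate — briefly emptying the `blocklist` set that the fixture's `INPUT` DROP rule matches against — would still pass; assert the ipset.save trigger as well, `assert ' - file: "/etc/enroll/firewall/ipset.save"' in sls`, and if the rendered state orders the ipset restore before the iptables restore, pin that ordering too. The `0750` mode assertion on `/etc/enroll` is the right check and is absent from the ansible counterpart in this commit. `ipset_restore_cmd` is read from the node pillar and the fqdn state looks it up with `firewall_runtime.get('ipset_restore_cmd')`; a short comment on that assertion noting that the restore command text is pillar-controlled would document the trust boundary. test_manifest_salt_renders_firewall_runtime_states is complete within the hunk.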
|||