From d213d8408ce97463bec0073abbe19d0135fdb9cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?=
Date: Mon, 29 Apr 2013 13:41:22 -0300
Subject: [PATCH] Rewrite jail.local handling through source/content. Add tests
---
.fixtures.yml | 6 +--
manifests/file.pp | 29 -----------
manifests/init.pp | 69 ++++++++++++++++---------
manifests/jail.pp | 14 +++--
manifests/{concat.pp => jailsconcat.pp} | 2 +-
manifests/params.pp | 4 +-
spec/classes/fail2ban_spec.rb | 25 +++++++++
templates/jail.local.erb | 5 +-
8 files changed, 86 insertions(+), 68 deletions(-)
delete mode 100644 manifests/file.pp
rename manifests/{concat.pp => jailsconcat.pp} (97%)
diff --git a/.fixtures.yml b/.fixtures.yml
index daca73c..c4fb849 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,9 +1,9 @@
 fixtures:
 repositories:
- "puppi": "git://github.com/example42/puppi.git"
- "monitor": "git://github.com/example42/puppet-monitor.git"
+ "puppi": "git://github.com/example42/puppi.git"
+ "monitor": "git://github.com/example42/puppet-monitor.git"
 "iptables": "git://github.com/example42/puppet-iptables.git"
- "concat": "git://github.com/example42/puppet-concat.git"
+ "concat": "https://github.com/ripienaar/puppet-concat.git"
 symlinks:
 "fail2ban": "#{source_dir}"
diff --git a/manifests/file.pp b/manifests/file.pp
deleted file mode 100644
index 0c383b1..0000000
--- a/manifests/file.pp
+++ /dev/null
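Review bot: `puppi` and `monitor` are still fetched over the unauthenticated `git://` transport and none of the four repositories is pinned to a ref, so each spec run clones whatever sits on a third-party default branch at that moment; only `concat` moved to `https://`, and it now points at a different upstream (ripienaar) than the other example42 fixtures. Prefer `https://` for all four and, if the puppetlabs_spec_helper in use supports the hash form, pin each one, e.g. `"concat": { "repo": "https://github.com/ripienaar/puppet-concat.git", "ref": "<tag-or-sha>" }`. The `puppi`/`monitor` pairs read identically on both sides of the hunk, so presumably that part is a whitespace-only re-indent.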
@@ -1,29 +0,0 @@
-#
-# Class fail2ban::file
-#
-# This class configures fail2ban via a base rule file
-# The file itselt is not provided. Use this class (or, better,
-# your custom $my_project class that inherits this) to
-# manage the fail2ban file in the way you want
-#
-# It's used if $fail2ban_config = "file"
-#
-class fail2ban::file inherits fail2ban {
-
- if $fail2ban::manage_file_jails_source or $fail2ban::manage_file_jails_template {
- file { 'jail.local':
- ensure => $fail2ban::manage_file,
- path => $fail2ban::jails_file,
- mode => $fail2ban::jails_file_mode,
- owner => $fail2ban::jails_file_owner,
- group => $fail2ban::jails_file_group,
- require => Package[$fail2ban::package],
- notify => $fail2ban::manage_service_autorestart,
- source => $fail2ban::manage_file_jails_source,
- content => $fail2ban::manage_file_jails_content,
- replace => $fail2ban::manage_file_replace,
- audit => $fail2ban::manage_audit,
- noop => $fail2ban::bool_noops,
- }
- }
-}
diff --git a/manifests/init.pp b/manifests/init.pp
index dbc9a6d..b5c7763 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,29 +77,24 @@
 # to conventional 'mail'.
 # Default: sendmail
 #
-# [*jails_protocol*]
-# Default: tcp
-#
-# [*jails_chain*]
-# Specify chain where jumps would need to be added in iptables-* actions
-# Default: INPUT
+# [*jails_file*]
+# Path to 'jail.local' file
 #
 # [*jails_config*]
 # Define how you want to manage jails configuration:
-# "file" - To provide jails.local as a normal file
+# "file" - To provide jail.local as a normal file. If you choose this option,
+# set ONE of [*jails_source*] or [*jails_template*]
 # "concat" - To build it up using different fragments
 # - This option, set as default, permits the use of the fail2ban::jail define
 #
 # [*jails_source*]
-# Sets the content of source parameter for the jails.local configuration file
-# Note that single stanzas of jails.local file can be managed also (and alternatively)
-# by fail2ban::jails
+# Sets the content of source parameter for the jail.local configuration file
+# Note that single stanzas of jail.local can be managed by fail2ban::jails
 #
 # [*jails_template*]
-# Sets the path to the template to use as content for the jails.local configuration file
+# Sets the path to the template to use as content for the jail.local configuration file
 # If defined, fail2ban jails config file has: content => content("$jails_template")
 # Note source and template parameters are mutually exclusive: don't use both
-# Can be defined also by the (top scope) variable $fail2ban_jails_template
 #
 # [*jails_template_header*]
 # Path to the template to use as header with concat
@@ -109,6 +104,13 @@
 # Path to the template to use as footer with concat
 # Used by fail2ban::jails
 #
+# [*jails_protocol*]
+# Default: tcp
+#
+# [*jails_chain*]
+# Specify chain where jumps would need to be added in iptables-* actions
+# Default: INPUT
+#
 # [*options*]
 # An hash of custom options to be used in templates for arbitrary settings.
 # Can be defined also by the (top scope) variable $fail2ban_options
@@ -386,16 +388,6 @@ class fail2ban (
 default => template($fail2ban::template),
 }
- $manage_file_jails_source = $fail2ban::jails_source ? {
- '' => undef,
- default => $fail2ban::jails_source,
- }
-
- $manage_file_jails_content = $fail2ban::jails_template ? {
- '' => undef,
- default => template($fail2ban::jails_template),
- }
-
 ### Managed resources
 package { $fail2ban::package:
 ensure => $fail2ban::manage_package,
@@ -427,10 +419,37 @@ class fail2ban (
 noop => $fail2ban::bool_noops,
 }
- # How to manage fail2ban configuration
+ # How to manage fail2ban jail.local configuration
 case $fail2ban::jails_config {
- 'file': { include fail2ban::file }
- 'concat': { include fail2ban::concat }
+ 'file': {
+ $manage_file_jails_source = $fail2ban::jails_source ? {
+ '' => undef,
+ default => $fail2ban::jails_source,
+ }
+
+ $manage_file_jails_content = $fail2ban::jails_template ? {
+ '' => undef,
+ default => template($fail2ban::jails_template),
+ }
+
+ file { 'jail.local':
+ ensure => $fail2ban::manage_file,
+ path => $fail2ban::jails_file,
+ mode => $fail2ban::jails_file_mode,
+ owner => $fail2ban::jails_file_owner,
+ group => $fail2ban::jails_file_group,
+ require => Package[$fail2ban::package],
+ notify => $fail2ban::manage_service_autorestart,
+ source => $fail2ban::manage_file_jails_source,
+ content => $fail2ban::manage_file_jails_content,
+ replace => $fail2ban::manage_file_replace,
+ audit => $fail2ban::manage_audit,
+ noop => $fail2ban::bool_noops,
+ }
+ }
+ 'concat': { include fail2ban::jailsconcat
+
+ }
 default: { }
 }
diff --git a/manifests/jail.pp b/manifests/jail.pp
index 8ef697e..f61087f 100644
--- a/manifests/jail.pp
+++ b/manifests/jail.pp
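Review bot: The new `'file'` arm drops the guard the deleted `fail2ban::file` had (`if $fail2ban::manage_file_jails_source or $fail2ban::manage_file_jails_template`), so with `jails_config => 'file'` and neither `jails_source` nor `jails_template` set, `file { 'jail.local': ensure => $fail2ban::manage_file, ... }` is still declared with no `source` and no `content`, and with both set the resource receives both, which I believe Puppet's file type rejects at compile time with a generic message rather than the module's own. The parameter doc added in this file's first hunk says to set ONE of them, so enforce it here: `if $manage_file_jails_source and $manage_file_jails_content { fail('fail2ban: jails_source and jails_template are mutually exclusive') }` before the resource, and the old `if $manage_file_jails_source or $manage_file_jails_content {` guard (or a second `fail()`) around it, so a misconfiguration surfaces at catalog compile instead of as an empty or untouched jail.local on the host. As a style point, `'concat': { include fail2ban::jailsconcat` with its closing brace two lines later reads as unfinished; `'concat': { include fail2ban::jailsconcat }` on one line matches the arm it replaces. The enclosing `class fail2ban (` starts and ends outside the hunk.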
@@ -2,16 +2,22 @@
 #
 # Adds a custom fail2ban jail
 # Supported arguments:
-# $jailname - The name you want to give the jail. If not set, defaults to == $title
-# $order - The order in the jail.local file. Default 50. Generally you don't need to change it
+# $jailname - The name you want to give the jail.
+# If not set, defaults to == $title
+# $order - The order in the jail.local file.
+# Default 50. Generally you don't need to change it
 # $status - enabled / disabled. If disabled, the rule _IS ADDED_ to the jail.local file
 # but it will not be active. Compare with the next one.
+# Defaults to enabled
 # $enable - true / false. If false, the rule _IS NOT ADDED_ to the jail.local file
-# $filter - The filter rule to use. If empty, defaults to == $jailname.
+# Defaults to true
+# $filter - The filter rule to use.
+# If empty, defaults to == $jailname.
 # $port - The port to filter. It can be an array of ports.
-# $action - The action to take when
 # $logpath - The log file to monitor
 # $maxretry - How many fails are acceptable
+# $action - The action to take when fail2ban finds $maxretry $filter-matching records in
+# $logpath
 # $bantime - How much time to apply the ban, in seconds
 define fail2ban::jail (
diff --git a/manifests/concat.pp b/manifests/jailsconcat.pp
similarity index 97%
rename from manifests/concat.pp
rename to manifests/jailsconcat.pp
index 59af864..59ed874 100644
--- a/manifests/concat.pp
+++ b/manifests/jailsconcat.pp
@@ -8,7 +8,7 @@
 # Note that the fail2ban::jail define
 # inserts (by default) its rules with priority 50.
 #
-class fail2ban::concat {
+class fail2ban::jailsconcat {
 include fail2ban
 include concat::setup
diff --git a/manifests/params.pp b/manifests/params.pp
index fbf1a08..dc426a3 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
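Review bot: The wrapped `$action` description leaves a continuation line `+# $logpath` that is indistinguishable from a new entry in the `Supported arguments:` list, two lines below the real `# $logpath - The log file to monitor` entry. Keep that line whole, `# $action - The action to take when fail2ban finds $maxretry $filter-matching records in $logpath`, or indent every continuation (`# If not set, ...`, `# Default 50. ...`, `# Defaults to enabled`, `# Defaults to true`, `# If empty, ...`) past the dash so each argument still starts at the margin and the list stays scannable. The stated defaults cannot be checked from here because the `define fail2ban::jail (` parameter list starts on the hunk's last line and continues outside it.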
@@ -63,8 +63,8 @@ class fail2ban::params {
 # Define how you want to manage jails configuration:
 # "file" - To provide jails stanzas as a normal file
 # "concat" - To build them up using different fragments
- # - This option, set as default, permits the use of the fail2ban::jail define
- $jails_config = 'concat'
+ # - This option, preferred, permits the use of the fail2ban::jail define
+ $jails_config = ''
 $jails_file = $::operatingsystem ? {
 default => '/etc/fail2ban/jail.local',
diff --git a/spec/classes/fail2ban_spec.rb b/spec/classes/fail2ban_spec.rb
index 5d0afd7..01be081 100644
--- a/spec/classes/fail2ban_spec.rb
+++ b/spec/classes/fail2ban_spec.rb
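Review bot: Changing `$jails_config` from `'concat'` to `''` sends a default install into the `default: { }` arm of the `case` in init.pp, so jail.local is no longer managed unless the user opts in; that is a silent behaviour change for existing callers and, presumably, leaves fragments written by `fail2ban::jail` with no target file unless `jails_config => 'concat'` is also set. The comment here now says "preferred", but the corresponding parameter doc in init.pp (`# - This option, set as default, permits the use of the fail2ban::jail define`, an unchanged context line in that file's first hunk) still says "set as default"; update it and document the empty value, e.g. `# '' - Do not manage jail.local at all (default)`. The enclosing `class fail2ban::params` starts and ends outside the hunk.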
@@ -13,6 +13,31 @@ describe 'fail2ban' do
 it { should contain_file('fail2ban.conf').with_ensure('present') }
 end
+ describe 'Test jails config undefined' do
+ let(:params) { {:jails_config => '' } }
+ it { should_not contain_file('jail.local') }
+ end
+
+ describe 'Test jails managed throuh file - source' do
+ let(:params) { {:jails_config => 'file', :jails_source => 'puppet:///modules/fail2ban/spec' } }
+ it { should contain_file('jail.local').with_source('puppet:///modules/fail2ban/spec') }
+ it { should contain_file('jail.local').without_content }
+ end
+
+ describe 'Test jails managed throuh file - template' do
+ let(:params) { {:jails_config => 'file', :jails_template => 'fail2ban/spec.erb', :options => { 'opt_a' => 'value_a' } } }
+ it { should contain_file('jail.local').with_content(/fqdn: rspec.example42.com/) }
+ it { should contain_file('jail.local').without_source }
+ it { should contain_file('jail.local').with_content(/value_a/) }
+ end
+
+# describe 'Test jails managed throuh concat' do # let(:params) { {:jails_config => 'concat' } } # it { should include_class('fail2ban::jailsconcat') } # it { should contain_fail2ban__jailsconcat() } # # end
+
 describe 'Test installation of a specific version' do
 let(:params) { {:version => '1.0.42' } }
 it { should contain_package('fail2ban').with_ensure('1.0.42') }
diff --git a/templates/jail.local.erb b/templates/jail.local.erb
index 4bd6a92..30f5a6e 100644
--- a/templates/jail.local.erb
+++ b/templates/jail.local.erb
@@ -1,7 +1,4 @@
-##################
-# Puppet Managed #
-##################
-
+# This file is managed by Puppet. DO NOT EDIT.
 [DEFAULT]
 ignoreip = 127.0.0.1
 bantime = 600
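Review bot: The `concat` describe block is added commented out, so the `'concat'` arm and the `fail2ban::jailsconcat` rename made by this same commit have no spec coverage while the `'file'` arm gains three; if `include_class`/`contain_fail2ban__jailsconcat` do not work with the fixture setup, a one-line comment saying why would help the next person. There is also no example for `jails_config => 'file'` with neither `jails_source` nor `jails_template`, nor with both set, which is the mutual-exclusion rule the init.pp docs now state; a spec pinning the intended outcome (no `jail.local`, or a compile failure) would have caught the guard that init.pp's `'file'` arm dropped, so I suggest adding the block below with whichever expectation is intended. Also `throuh` → `through` in the three describe titles. The enclosing `describe 'fail2ban' do` block starts and ends outside the hunk.
```ruby
  describe 'Test jails managed through file - neither source nor template' do
    let(:params) { {:jails_config => 'file' } }
    it { should_not contain_file('jail.local') }
  end
```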