File: task.yaml

summary: Ensure that the firewall-control interface works.

details: |
    The firewall-control interface allows a snap to configure the firewall.

    A snap which defines the firewall-control plug must be shown in the
    interfaces list. The plug must not be auto-connected on install and, as
    usual, must be able to be reconnected.

    For this test we use a snap that declares a plug on this interface and that
    adds and removes iptables entries. With the plug connected the test checks
    that a rule to map localhost to a given IP can be added by the snap,
    ensuring that a generic client can access a generic service listening on
    localhost through the IP set up in the firewall rule.

# Systems excluded from this task (each entry carries a leading "-").
# ubuntu-14.04: systemd-run not supported
# The reason for excluding fedora, opensuse and arch is not recorded here.
systems:
    - "-fedora-*"
    - "-opensuse-*"
    - "-arch-*"
    - "-ubuntu-14.04*"

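# Values exported to the prepare/restore/execute scripts below.
environment:
    # Quoted like the other entries so the value is a string for every
    # YAML parser instead of an implicitly typed integer.
    PORT: "8081"
    # Name of the service that prepare starts and restore stops.
    SERVICE_NAME: "test-service"
    # File holding the HTTP request that execute feeds to nc.
    REQUEST_FILE: "./request.txt"
    # RFC 1918 private address through which the local service must become
    # reachable once the snap has created its rule.
    # NOTE(review): the rule itself is created inside the
    # firewall-control-consumer snap, which is not shown here - confirm it
    # uses this same address and port.
    DESTINATION_IP: "172.26.0.15"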

# Set-up: install the consumer snap, start a local service on $PORT and
# write the request that execute will send to it.
prepare: |
    echo "Given a snap declaring a plug on the firewall-control interface is installed"
    "$TESTSTOOLS"/snaps-state install-local firewall-control-consumer

    echo "And a service is listening"
    # make_network_service is presumably defined in network.sh (not shown here).
    # shellcheck source=tests/lib/network.sh
    . "$TESTSLIB"/network.sh
    make_network_service "$SERVICE_NAME" "$PORT"

    echo "And we store a basic HTTP request"
    # The empty line after the request line ends the HTTP header section.
    cat > "$REQUEST_FILE" <<EOF
    GET / HTTP/1.0

    EOF

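# Clean-up: drop the firewall rule if it is still present, stop the service
# and delete the files the task wrote.
restore: |
    # If execute aborts between the snap's create and delete commands the
    # rule would otherwise be left on the host. Best effort only: a failure
    # (rule already gone, plug disconnected, snap missing) is ignored.
    firewall-control-consumer.delete || true

    # Stop the service only when it is active; stopping an inactive service
    # would make the restore step fail.
    if systemctl is-active "$SERVICE_NAME"; then
        systemctl stop "$SERVICE_NAME"
    fi
    # firewall-create.error is written by the disconnected-plug check in
    # execute.
    rm -f "$REQUEST_FILE" firewall-create.error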

# Test body. Positive path: with the plug connected the snap can add and
# remove the rule. Negative path: with the plug disconnected the snap must be
# denied. The negative path is the check that exercises confinement and it is
# skipped when confinement is only partial.
execute: |
    echo "Then the plug is disconnected by default"
    # A "-" in the first column means the plug is attached to no slot.
    snap interfaces -i firewall-control | MATCH '^- +firewall-control-consumer:firewall-control'

    echo "When the plug is connected"
    snap connect firewall-control-consumer:firewall-control

    echo "And the snap creates a firewall rule"
    firewall-control-consumer.create

    echo "Then the service listening on localhost is accessible through the destination IP in the rule"
    # -w 2 bounds the wait so a missing rule fails the check instead of hanging.
    nc -w 2 "$DESTINATION_IP" "$PORT" < "$REQUEST_FILE" | MATCH 'ok$'

    echo "When the snap deletes the firewall rule"
    firewall-control-consumer.delete

    echo "Then the service listening on localhost is no longer accessible through the destination IP in the rule"
    not nc -w 2 "$DESTINATION_IP" "$PORT" < "$REQUEST_FILE"

    # Under partial confinement the task ends here, so the denial check
    # below does not run on those systems.
    if [ "$(snap debug confinement)" = partial ] ; then
        exit 0
    fi

    echo "When the plug is disconnected"
    snap disconnect firewall-control-consumer:firewall-control

    echo "Then the snap is not able to configure the firewall"
    # The command must fail, and it must fail with a permission error rather
    # than for an unrelated reason; stderr is captured to verify that.
    if firewall-control-consumer.create 2>firewall-create.error; then
        echo "Expected permission error creating firewall rules with disconnected plug"
        exit 1
    fi
    MATCH "Permission denied" < firewall-create.error