migrated firewall resource to new interface

Author: krimdomu

lib/Rex/Resource/firewall.pm

@@ -75,76 +75,56 @@ my $__provider = { default => "Rex::Resource::firewall::Provider::iptables", };
 
 =cut
 
-resource "firewall", { export => 1 }, sub {
-  my $rule_name = resource_name;
-
-  my $rule_config = {
-    action      => param_lookup("action"),
-    ensure      => param_lookup( "ensure", "present" ),
-    proto       => param_lookup( "proto", undef ),
-    source      => param_lookup( "source", undef ),
-    destination => param_lookup( "destination", undef ),
-    port        => param_lookup( "port", undef ),
-    app         => param_lookup( "app", undef ),
-    sport       => param_lookup( "sport", undef ),
-    sapp        => param_lookup( "sapp", undef ),
-    dport       => param_lookup( "dport", undef ),
-    dapp        => param_lookup( "dapp", undef ),
-    tcp_flags   => param_lookup( "tcp_falgs", undef ),
-    chain       => param_lookup( "chain", "input" ),
-    table       => param_lookup( "table", "filter" ),
-    iniface     => param_lookup( "iniface", undef ),
-    outiface    => param_lookup( "outiface", undef ),
-    reject_with => param_lookup( "reject_with", undef ),
-    logging     => param_lookup( "logging", undef ),    # overall logging
-    log         => param_lookup( "log", undef ),        # logging for rule
-    log_level   => param_lookup( "log_level", undef ),  # logging for rule
-    log_prefix  => param_lookup( "log_prefix", undef ),
-    state       => param_lookup( "state", undef ),
-    ip_version  => param_lookup( "ip_version", -4 ),
-  };
-
-  my $provider =
-    param_lookup( "provider", case ( lc(operating_system), $__provider ) );
-
-  if ( $provider !~ m/::/ ) {
-    $provider = "Rex::Resource::firewall::Provider::$provider";
-  }
-
+resource "firewall", {
+  export      => 1,
+  params_list => [
+    name => {
+      isa     => 'Str',
+      default => sub { shift }
+    },
+    ensure => {
+      isa     => 'Str',
+      default => sub { "present" }
+    },
+    action      => { isa => 'Str | Undef', default => undef },
+    proto       => { isa => 'Str | Undef', default => "tcp" },
+    source      => { isa => 'Str | Undef', default => undef },
+    destination => { isa => 'Str | Undef', default => undef },
+    port        => { isa => 'Int | Undef', default => undef },
+    source      => { isa => 'Str | Undef', default => undef },
+    app         => { isa => 'Str | Undef', default => undef },
+    sport       => { isa => 'Int | Undef', default => undef },
+    dport       => {
+      isa     => 'Int | Undef',
+      default => sub { my ( $name, %p ) = @_; return $p{port}; },
+    },
+    dapp        => { isa => 'Str | Undef',      default => undef },
+    tcp_flags   => { isa => 'ArrayRef | Undef', default => undef },
+    chain       => { isa => 'Str | Undef',      default => "INPUT" },
+    table       => { isa => 'Str | Undef',      default => undef },
+    iniface     => { isa => 'Str | Undef',      default => undef },
+    outiface    => { isa => 'Str | Undef',      default => undef },
+    reject_with => { isa => 'Str | Undef',      default => undef },
+    logging     => { isa => 'Str | Undef',      default => undef },
+    log         => { isa => 'Str | Undef',      default => undef },
+    log_level   => { isa => 'Str | Undef',      default => undef },
+    log_prefix  => { isa => 'Str | Undef',      default => undef },
+    state       => { isa => 'Str | Undef',      default => undef },
+    ip_version  => { isa => 'Str | Undef',      default => "-4" },
+  ],
+  },
+  sub {
+  my ( $name, %args ) = @_;
+
+  my $provider = resolve_resource_provider( $args{provider}
+      || case ( lc(operating_system), $__provider ) );
+
+  # TODO define provider type automatically.
   $provider->require;
-  my $provider_o = $provider->new();
-
-  my $changed = 0;
-  if ( my $logging = $rule_config->{logging} ) {
-    if ( $provider_o->logging($logging) ) {
-      emit changed, "Firewall logging updated.";
-    }
-  }
-  elsif ( $rule_config->{ensure} eq "present" ) {
-    if ( $provider_o->present($rule_config) ) {
-      emit created, "Firewall rule created.";
-    }
-  }
-  elsif ( $rule_config->{ensure} eq "absent" ) {
-    if ( $provider_o->absent($rule_config) ) {
-      emit removed, "Firewall rule removed.";
-    }
-  }
-  elsif ( $rule_config->{ensure} eq "disabled" ) {
-    if ( $provider_o->disable($rule_config) ) {
-      emit changed, "Firewall disabled.";
-    }
-  }
-  elsif ( $rule_config->{ensure} eq "enabled" ) {
-    if ( $provider_o->enable($rule_config) ) {
-      emit changed, "Firewall enabled.";
-    }
-  }
-  else {
-    die "Error: $rule_config->{ensure} not a valid option for 'ensure'.";
-  }
-
-};
+  my $provider_o =
+    $provider->new( type => "firewall", name => $name, config => \%args );
+  $provider_o->process;
+  };
 
 =back
 

lib/Rex/Resource/firewall/Provider/base.pm

@@ -13,39 +13,8 @@ use warnings;
 
 use Data::Dumper;
 
-sub new {
-  my $that  = shift;
-  my $proto = ref($that) || $that;
-  my $self  = {@_};
+use Moose;
 
-  bless( $self, $proto );
-
-  return $self;
-}
-
-sub present {
-  my ( $self, $rule_config ) = @_;
-  die "Must be implemented by provider.";
-}
-
-sub absent {
-  my ( $self, $rule_config ) = @_;
-  die "Must be implemented by provider.";
-}
-
-sub enable {
-  my ( $self, $rule_config ) = @_;
-  Rex::Logger::debug("enable: Not implemented by provider.");
-}
-
-sub disable {
-  my ( $self, $rule_config ) = @_;
-  Rex::Logger::debug("disable: Not implemented by provider.");
-}
-
-sub logging {
-  my ( $self, $rule_config ) = @_;
-  Rex::Logger::debug("logging: Not implemented by provider.");
-}
+extends qw(Rex::Resource::Provider);
 
 1;

lib/Rex/Resource/firewall/Provider/iptables.pm

@@ -11,96 +11,97 @@ use warnings;
 
 # VERSION
 
+use Moose;
+
+extends qw(Rex::Resource::firewall::Provider::base);
+with qw(Rex::Resource::Role::Ensureable);
+
 use Rex::Commands::Iptables;
 use Rex::Helper::Run;
+use Rex::Resource::Common;
+
 use Data::Dumper;
-use base qw(Rex::Resource::firewall::Provider::base);
 
-sub new {
-  my $that  = shift;
-  my $proto = ref($that) || $that;
-  my $self  = $proto->SUPER::new(@_);
+sub test {
+  my ($self) = @_;
+
+  my $rule_config   = $self->config;
+  my @iptables_rule = $self->_build_iptables_array("A");
 
-  bless( $self, $proto );
+  my $exists =
+    Rex::Commands::Iptables::_rule_exists( $rule_config->{ip_version},
+    @iptables_rule );
 
-  return $self;
+  if ( $self->config->{ensure} eq "absent" && $exists ) {
+    return 0;
+  }
+  elsif ( $self->config->{ensure} eq "present" && !$exists ) {
+    return 0;
+  }
+
+  return 1;
 }
 
 sub present {
-  my ( $self, $rule_config ) = @_;
+  my ($self) = @_;
 
-  my @iptables_rule = ();
+  my @iptables_rule = $self->_build_iptables_array("A");
+  my $exit_code     = 0;
+  eval {
+    iptables( $self->config->{ip_version}, @iptables_rule );
+    1;
+  } or do {
+    $exit_code = 1;
+  };
+
+  return {
+    value     => "",
+    exit_code => $exit_code,
+    changed   => 1,
+    status    => ( $exit_code == 0 ? state_changed : state_failed ),
+  };
+}
 
-  $rule_config->{dport}      ||= $rule_config->{port};
-  $rule_config->{proto}      ||= 'tcp';
-  $rule_config->{chain}      ||= 'INPUT';
-  $rule_config->{ip_version} ||= -4;
+sub absent {
+  my ($self) = @_;
 
-  if ( $rule_config->{source}
-    && $rule_config->{source} !~ m/\/(\d+)$/
-    && $self->_version()->[0] >= 1
-    && $self->_version()->[1] >= 4 )
-  {
-    $rule_config->{source} .= "/32";
-  }
+  my @iptables_rule = $self->_build_iptables_array("D");
+  my $exit_code     = 0;
+  eval {
+    iptables( $self->config->{ip_version}, @iptables_rule );
+    1;
+  } or do {
+    $exit_code = 1;
+  };
+
+  return {
+    value     => "",
+    exit_code => $exit_code,
+    changed   => 1,
+    status    => ( $exit_code == 0 ? state_changed : state_failed ),
+  };
+}
 
-  push( @iptables_rule, t => $rule_config->{table} )
-    if ( defined $rule_config->{table} );
-  push( @iptables_rule, A => uc( $rule_config->{chain} ) )
-    if ( defined $rule_config->{chain} );
-  push( @iptables_rule, p => $rule_config->{proto} )
-    if ( defined $rule_config->{proto} );
-  push( @iptables_rule, m => $rule_config->{proto} )
-    if ( defined $rule_config->{proto} );
-  push( @iptables_rule, s => $rule_config->{source} )
-    if ( defined $rule_config->{source} );
-  push( @iptables_rule, d => $rule_config->{destination} )
-    if ( defined $rule_config->{destination} );
-  push( @iptables_rule, sport => $rule_config->{sport} )
-    if ( defined $rule_config->{sport} );
-  push( @iptables_rule, dport => $rule_config->{dport} )
-    if ( defined $rule_config->{dport} );
-  push( @iptables_rule, "tcp-flags" => $rule_config->{tcp_flags} )
-    if ( defined $rule_config->{tcp_flags} );
-  push( @iptables_rule, "i" => $rule_config->{iniface} )
-    if ( defined $rule_config->{iniface} );
-  push( @iptables_rule, "o" => $rule_config->{outiface} )
-    if ( defined $rule_config->{outiface} );
-  push( @iptables_rule, "reject-with" => $rule_config->{reject_with} )
-    if ( defined $rule_config->{reject_with} );
-  push( @iptables_rule, "log-level" => $rule_config->{log_level} )
-    if ( defined $rule_config->{log_level} );
-  push( @iptables_rule, "log-prefix" => $rule_config->{log_prefix} )
-    if ( defined $rule_config->{log_prefix} );
-  push( @iptables_rule, "state" => $rule_config->{state} )
-    if ( defined $rule_config->{state} );
-  push( @iptables_rule, j => uc( $rule_config->{action} ) )
-    if ( defined $rule_config->{action} );
+sub _version {
+  my ($self) = @_;
+  if ( exists $self->{__version__} ) { return $self->{__version__} }
 
-  if (
-    !Rex::Commands::Iptables::_rule_exists(
-      $rule_config->{ip_version},
-      @iptables_rule
-    )
-    )
-  {
-    iptables( $rule_config->{ip_version}, @iptables_rule );
-    return 1;
-  }
+  my $version = i_run "iptables --version";
+  $version =~ s/^.*\sv(\d+\.\d+\.\d+)/$1/;
 
-  return 0;
-}
+  $self->{__version__} = [ split( /\./, $version ) ];
 
-sub absent {
-  my ( $self, $rule_config ) = @_;
+  Rex::Logger::debug(
+    "Got iptables version: " . join( ", ", @{ $self->{__version__} } ) );
 
-  my @iptables_rule = ();
+  return $self->{__version__};
+}
 
-  $rule_config->{dport} ||= $rule_config->{port};
-  $rule_config->{proto} ||= 'tcp';
-  $rule_config->{chain} ||= 'INPUT';
+sub _build_iptables_array {
+  my ( $self, $type ) = @_;
+  my $rule_config = $self->config;
 
-  $rule_config->{ip_version} ||= -4;
+  my @iptables_rule = ();
 
   if ( $rule_config->{source}
     && $rule_config->{source} !~ m/\/(\d+)$/
@@ -112,14 +113,14 @@ sub absent {
 
   push( @iptables_rule, t => $rule_config->{table} )
     if ( defined $rule_config->{table} );
-  push( @iptables_rule, D => uc( $rule_config->{chain} ) )
+  push( @iptables_rule, $type => uc( $rule_config->{chain} ) )
     if ( defined $rule_config->{chain} );
-  push( @iptables_rule, s => $rule_config->{source} )
-    if ( defined $rule_config->{source} );
   push( @iptables_rule, p => $rule_config->{proto} )
     if ( defined $rule_config->{proto} );
   push( @iptables_rule, m => $rule_config->{proto} )
     if ( defined $rule_config->{proto} );
+  push( @iptables_rule, s => $rule_config->{source} )
+    if ( defined $rule_config->{source} );
   push( @iptables_rule, d => $rule_config->{destination} )
     if ( defined $rule_config->{destination} );
   push( @iptables_rule, sport => $rule_config->{sport} )
@@ -143,33 +144,7 @@ sub absent {
   push( @iptables_rule, j => uc( $rule_config->{action} ) )
     if ( defined $rule_config->{action} );
 
-  if (
-    Rex::Commands::Iptables::_rule_exists(
-      $rule_config->{ip_version},
-      @iptables_rule
-    )
-    )
-  {
-    iptables( $rule_config->{ip_version}, @iptables_rule );
-    return 1;
-  }
-
-  return 0;
-}
-
-sub _version {
-  my ($self) = @_;
-  if ( exists $self->{__version__} ) { return $self->{__version__} }
-
-  my $version = i_run "iptables --version", fail_ok => 1;
-  $version =~ s/^.*\sv(\d+\.\d+\.\d+)/$1/;
-
-  $self->{__version__} = [ split( /\./, $version ) ];
-
-  Rex::Logger::debug(
-    "Got iptables version: " . join( ", ", @{ $self->{__version__} } ) );
-
-  return $self->{__version__};
+  return @iptables_rule;
 }
 
 1;