test: Add Linode Cloud Firewall for all test linode instances (#616)

Author: ykim-akamai

tests/integration/conftest.py

@@ -1,5 +1,6 @@
 # Use random integer as the start point here to avoid
 # id conflicts when multiple testings are running.
+import ipaddress
 import json
 import logging
 import os
@@ -13,6 +14,7 @@
 from typing import Callable, Optional
 
 import pytest
+import requests
 
 from linodecli import ENV_TOKEN_NAME
 from tests.integration.helpers import (
@@ -33,6 +35,83 @@
 NODEBALANCER_BASE_CMD = ["linode-cli", "nodebalancers"]
 
 
+@pytest.fixture(autouse=True, scope="session")
+def linode_cloud_firewall():
+    def is_valid_ipv4(address):
+        try:
+            ipaddress.IPv4Address(address)
+            return True
+        except ipaddress.AddressValueError:
+            return False
+
+    def is_valid_ipv6(address):
+        try:
+            ipaddress.IPv6Address(address)
+            return True
+        except ipaddress.AddressValueError:
+            return False
+
+    def get_public_ip(ip_version="ipv4"):
+        url = (
+            f"https://api64.ipify.org?format=json"
+            if ip_version == "ipv6"
+            else f"https://api.ipify.org?format=json"
+        )
+        response = requests.get(url)
+        return str(response.json()["ip"])
+
+    def create_inbound_rule(ipv4_address, ipv6_address):
+        rule = [
+            {
+                "protocol": "TCP",
+                "ports": "22",
+                "addresses": {},
+                "action": "ACCEPT",
+            }
+        ]
+        if is_valid_ipv4(ipv4_address):
+            rule[0]["addresses"]["ipv4"] = [f"{ipv4_address}/32"]
+
+        if is_valid_ipv6(ipv6_address):
+            rule[0]["addresses"]["ipv6"] = [f"{ipv6_address}/128"]
+
+        return json.dumps(rule, indent=4)
+
+    # Fetch the public IP addresses
+    ipv4_address = get_public_ip("ipv4")
+    ipv6_address = get_public_ip("ipv6")
+
+    inbound_rule = create_inbound_rule(ipv4_address, ipv6_address)
+
+    label = "cloud_firewall_" + str(int(time.time()))
+
+    # Base command list
+    command = [
+        "linode-cli",
+        "firewalls",
+        "create",
+        "--label",
+        label,
+        "--rules.outbound_policy",
+        "ACCEPT",
+        "--rules.inbound_policy",
+        "DROP",
+        "--text",
+        "--no-headers",
+        "--format",
+        "id",
+    ]
+
+    if is_valid_ipv4(ipv4_address) or is_valid_ipv6(ipv6_address):
+        command.extend(["--rules.inbound", inbound_rule])
+
+    firewall_id = exec_test_command(command).stdout.decode().rstrip()
+
+    yield firewall_id
+
+    delete_target_id(target="firewalls", id=firewall_id)
+
+
 @pytest.fixture(scope="session")
 def _id_generators():
     return defaultdict(lambda: count(randint(0, 1000000)))
@@ -185,7 +264,7 @@ def slave_domain():
 
 # Test helpers specific to Linodes test suite
 @pytest.fixture
-def linode_with_label():
+def linode_with_label(linode_cloud_firewall):
     timestamp = str(time.time_ns())
     label = "cli" + timestamp
     result = (
@@ -203,6 +282,8 @@ def linode_with_label():
                 label,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--text",
                 "--delimiter",
                 ",",
@@ -223,7 +304,7 @@ def linode_with_label():
 
 
 @pytest.fixture
-def linode_min_req():
+def linode_min_req(linode_cloud_firewall):
     result = (
         exec_test_command(
             LINODE_BASE_CMD
@@ -235,6 +316,8 @@ def linode_min_req():
                 "us-ord",
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--no-defaults",
                 "--text",
                 "--delimiter",
@@ -256,7 +339,7 @@ def linode_min_req():
 
 
 @pytest.fixture
-def linode_wo_image():
+def linode_wo_image(linode_cloud_firewall):
     label = "cli" + str(int(time.time()) + randint(10, 1000))
     linode_id = (
         exec_test_command(
@@ -272,6 +355,8 @@ def linode_wo_image():
                 DEFAULT_REGION,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--format",
                 "id",
                 "--no-headers",
@@ -288,7 +373,7 @@ def linode_wo_image():
 
 
 @pytest.fixture
-def linode_backup_enabled():
+def linode_backup_enabled(linode_cloud_firewall):
     # create linode with backups enabled
     linode_id = (
         exec_test_command(
@@ -306,6 +391,8 @@ def linode_backup_enabled():
                 DEFAULT_TEST_IMAGE,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--text",
                 "--no-headers",
                 "--format=id",
@@ -348,14 +435,16 @@ def snapshot_of_linode():
 
 # Test helpers specific to Nodebalancers test suite
 @pytest.fixture
-def nodebalancer_with_default_conf():
+def nodebalancer_with_default_conf(linode_cloud_firewall):
     result = (
         exec_test_command(
             NODEBALANCER_BASE_CMD
             + [
                 "create",
                 "--region",
                 "us-ord",
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--text",
                 "--delimiter",
                 ",",
@@ -452,10 +541,11 @@ def pytest_configure(config):
 
 
 @pytest.fixture
-def created_linode_id():
+def support_test_linode_id(linode_cloud_firewall):
     timestamp = str(time.time_ns())
     label = "cli" + timestamp
-    result = (
+
+    res = (
         exec_test_command(
             LINODE_BASE_CMD
             + [
@@ -470,20 +560,23 @@ def created_linode_id():
                 label,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--text",
                 "--delimiter",
                 ",",
                 "--no-headers",
                 "--format",
-                "label,region,type,image,id",
+                "id",
                 "--no-defaults",
             ]
         )
         .stdout.decode()
         .rstrip()
     )
 
-    res_arr = result.split(",")
-    linode_id = res_arr[4]
+    linode_id = res
+
     yield linode_id
+
     delete_target_id(target="linodes", id=linode_id)

tests/integration/firewalls/test_firewalls.py

@@ -15,7 +15,6 @@
 
 @pytest.fixture
 def test_firewall_id():
-    # Create one domain for some tests in this suite
     firewall_id = (
         exec_test_command(
             BASE_CMD
@@ -38,7 +37,7 @@ def test_firewall_id():
     )
 
     yield firewall_id
-    # teardown - delete all firewalls
+
     delete_target_id(target="firewalls", id=firewall_id)
 
 

tests/integration/linodes/helpers_linodes.py

@@ -71,7 +71,7 @@ def wait_until(linode_id: "str", timeout, status: "str", period=5):
     return False
 
 
-def create_linode(test_region=DEFAULT_REGION):
+def create_linode(firewall_id: "str", test_region=DEFAULT_REGION):
     # create linode
     linode_id = (
         exec_test_command(
@@ -87,6 +87,8 @@ def create_linode(test_region=DEFAULT_REGION):
                 DEFAULT_TEST_IMAGE,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                firewall_id,
                 "--format=id",
                 "--text",
                 "--no-headers",
@@ -99,7 +101,9 @@ def create_linode(test_region=DEFAULT_REGION):
     return linode_id
 
 
-def create_linode_backup_disabled(test_region=DEFAULT_REGION):
+def create_linode_backup_disabled(
+    firewall_id: "str", test_region=DEFAULT_REGION
+):
     result = set_backups_enabled_in_account_settings(toggle=False)
 
     # create linode
@@ -117,6 +121,8 @@ def create_linode_backup_disabled(test_region=DEFAULT_REGION):
                 DEFAULT_TEST_IMAGE,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                firewall_id,
                 "--format=id",
                 "--text",
                 "--no-headers",
@@ -172,9 +178,10 @@ def remove_linodes():
 
 
 def create_linode_and_wait(
+    firewall_id: "str",
+    ssh_key="",
     test_plan=DEFAULT_LINODE_TYPE,
     test_image=DEFAULT_TEST_IMAGE,
-    ssh_key="",
     test_region=DEFAULT_REGION,
 ):
     linode_type = test_plan
@@ -200,6 +207,8 @@ def create_linode_and_wait(
                     DEFAULT_RANDOM_PASS,
                     "--authorized_keys",
                     ssh_key,
+                    "--firewall_id",
+                    firewall_id,
                     "--format=id",
                     "--backups_enabled",
                     "true",
@@ -225,6 +234,8 @@ def create_linode_and_wait(
                     test_image,
                     "--root_pass",
                     DEFAULT_RANDOM_PASS,
+                    "--firewall_id",
+                    firewall_id,
                     "--format=id",
                     "--backups_enabled",
                     "true",

tests/integration/linodes/test_backups.py

@@ -20,24 +20,24 @@
 
 
 @pytest.fixture
-def create_linode_setup():
-    linode_id = create_linode()
+def create_linode_setup(linode_cloud_firewall):
+    linode_id = create_linode(firewall_id=linode_cloud_firewall)
 
     yield linode_id
 
     delete_target_id("linodes", linode_id)
 
 
 @pytest.fixture
-def create_linode_backup_disabled_setup():
+def create_linode_backup_disabled_setup(linode_cloud_firewall):
     res = set_backups_enabled_in_account_settings(toggle=False)
 
     if res == "True":
         raise ValueError(
             "Backups are unexpectedly enabled before setting up the test."
         )
 
-    linode_id = create_linode_backup_disabled()
+    linode_id = create_linode_backup_disabled(firewall_id=linode_cloud_firewall)
 
     yield linode_id
 

tests/integration/linodes/test_interfaces.py

@@ -18,7 +18,7 @@
 
 
 @pytest.fixture
-def linode_with_vpc_interface():
+def linode_with_vpc_interface(linode_cloud_firewall):
     vpc_json = create_vpc_w_subnet()
 
     vpc_region = vpc_json["region"]
@@ -38,6 +38,8 @@ def linode_with_vpc_interface():
                 DEFAULT_TEST_IMAGE,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--interfaces.purpose",
                 "vpc",
                 "--interfaces.primary",
@@ -67,7 +69,7 @@ def linode_with_vpc_interface():
 
 
 @pytest.fixture
-def linode_with_vpc_interface_as_json():
+def linode_with_vpc_interface_as_json(linode_cloud_firewall):
     vpc_json = create_vpc_w_subnet()
 
     vpc_region = vpc_json["region"]
@@ -87,6 +89,8 @@ def linode_with_vpc_interface_as_json():
                 DEFAULT_TEST_IMAGE,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--interfaces",
                 json.dumps(
                     [

tests/integration/linodes/test_linodes.py

@@ -21,7 +21,7 @@
 
 
 @pytest.fixture(scope="package", autouse=True)
-def setup_linodes():
+def setup_linodes(linode_cloud_firewall):
     linode_id = (
         exec_test_command(
             BASE_CMD
@@ -37,6 +37,8 @@ def setup_linodes():
                 linode_label,
                 "--root_pass",
                 DEFAULT_RANDOM_PASS,
+                "--firewall_id",
+                linode_cloud_firewall,
                 "--text",
                 "--delimiter",
                 ",",