From 6ebfcbd0c4c700759d6942a129dd8a943be66f77 Mon Sep 17 00:00:00 2001
From: Paul Smith
Date: Fri, 5 Jan 2024 17:13:18 +0000
Subject: [PATCH] Add correct prepare, converge, and verify playbook for testing firewalld

---
 .../firewalld/molecule/resources/converge.yml | 5 +-
 .../firewalld/molecule/resources/prepare.yml | 15 ++++
 roles/firewalld/molecule/resources/verify.yml | 88 +++++++++++++++++++
 3 files changed, 105 insertions(+), 3 deletions(-)
 create mode 100644 roles/firewalld/molecule/resources/prepare.yml
 create mode 100644 roles/firewalld/molecule/resources/verify.yml

diff --git a/roles/firewalld/molecule/resources/converge.yml b/roles/firewalld/molecule/resources/converge.yml
index 806d5414..48d22ed6 100644
--- a/roles/firewalld/molecule/resources/converge.yml
+++ b/roles/firewalld/molecule/resources/converge.yml
@@ -1,8 +1,7 @@
 ---
-- name: Provision infrastructure
+- name: Setup firewall
   hosts: all
   become: true
   gather_facts: true
   roles:
-    - role: mirsg.infrastructure.provision
-      tags: provision
+    - role: mirsg.infrastructure.firewalld
diff --git a/roles/firewalld/molecule/resources/prepare.yml b/roles/firewalld/molecule/resources/prepare.yml
new file mode 100644
index 00000000..99e9a3a7
--- /dev/null
+++ b/roles/firewalld/molecule/resources/prepare.yml
@@ -0,0 +1,15 @@
+---
+- name: Setup for firewalld role
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Install firewalld
+      ansible.builtin.package:
+        name: firewalld
+        state: present
+
+    - name: Change firewalld backend to iptables
+      ansible.builtin.lineinfile:
+        path: /etc/firewalld/firewalld.conf
+        regexp: "^FirewallBackend="
+        line: FirewallBackend=iptables
diff --git a/roles/firewalld/molecule/resources/verify.yml b/roles/firewalld/molecule/resources/verify.yml
new file mode 100644
index 00000000..e739937a
--- /dev/null
+++ b/roles/firewalld/molecule/resources/verify.yml
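Review bot: The prepare.yml play has no `become: true`, while the converge.yml play in the same commit sets it; installing the firewalld package and editing /etc/firewalld/firewalld.conf need root, so this play only works where the Molecule connection already logs in as root. Adding `become: true` next to `gather_facts: true` removes that dependence on the driver's login user. The reason for forcing `FirewallBackend=iptables` in the test instance is not recorded anywhere in the hunk; a one-line comment above the "Change firewalld backend to iptables" task stating why the default backend cannot be used in this environment would save the next reader from guessing. The regexp/line pair only rewrites an existing `FirewallBackend=` entry, which is fine as long as the package ships one, but worth stating in that same comment.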
@@ -0,0 +1,88 @@
+---
+- name: Get services in internal zone
+  become: true
+  ansible.builtin.shell: |
+    set -o pipefail
+    firewall-cmd --list-services --zone=internal
+  register: internal_zone_services
+  changed_when: false
+  failed_when: false
+
+- name: Get services in public zone
+  become: true
+  ansible.builtin.shell: |
+    set -o pipefail
+    firewall-cmd --list-services --zone=public
+  register: public_zone_services
+  changed_when: false
+  failed_when: false
+
+- name: Get services in work zone
+  become: true
+  ansible.builtin.shell: |
+    set -o pipefail
+    firewall-cmd --list-services --zone=work
+  register: work_zone_services
+  changed_when: false
+  failed_when: false
+
+- name: Test that correct services are in internal zone
+  ansible.builtin.assert:
+    that:
+      - "'{{ item }}' in internal_zone_services.stdout"
+  loop: "{{ firewalld_internal_zone_open_services }}"
+  when: firewalld_internal_zone_open_services is defined
+
+- name: Test that correct services are in public zone
+  ansible.builtin.assert:
+    that:
+      - "'{{ item }}' in public_zone_services.stdout"
+  loop: "{{ firewalld_public_zone_open_services }}"
+  when: firewalld_public_zone_open_services is defined
+
+- name: Test that correct services are in work zone
+  ansible.builtin.assert:
+    that:
+      - "'{{ item }}' in work_zone_services.stdout"
+  loop: "{{ firewalld_work_zone_open_services }}"
+  when: firewalld_work_zone_open_services is defined
+
+- name: Test that internal zone is closed to the correct services
+  ansible.builtin.assert:
+    that:
+      - "'{{ item }}' not in internal_zone_services.stdout"
+  loop: "{{ firewalld_internal_zone_closed_services }}"
+  when: firewalld_internal_zone_closed_services is defined
+
+- name: Test that public zone is closed to the correct services
+  ansible.builtin.assert:
+    that:
+      - "'{{ item }}' not in public_zone_services.stdout"
+  loop: "{{ firewalld_public_zone_closed_services }}"
+  when: public_zone_closed_services is defined
+
+- name: Test that work zone is closed to the correct services
+  ansible.builtin.assert:
+    that:
+      - "'{{ item }}' not in work_zone_services.stdout"
+  loop: "{{ firewalld_work_zone_closed_services }}"
+  when: firewalld_work_zone_closed_services is defined
+
+- name: Get firewall default zone
+  become: true
+  ansible.builtin.shell: |
+    set -o pipefail
+    firewall-cmd --get-default-zone
+  register: firewall_default_zone
+  changed_when: false
+  failed_when: false
+
+- name: Assert that public is the default zone
+  ansible.builtin.assert:
+    that: "'public' in firewall_default_zone.stdout"
+  when: firewalld_allow_public_access
+
+- name: Assert that drop is the default zone
+  ansible.builtin.assert:
+    that: "'drop' in firewall_default_zone.stdout"
+  when: not firewalld_allow_public_access
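Review bot: The `when:` on "Test that public zone is closed to the correct services" tests `public_zone_closed_services is defined`, but the loop reads `firewalld_public_zone_closed_services`; since the unprefixed name is never set, that task is always skipped and the public zone's closed services are never actually verified — it should read `when: firewalld_public_zone_closed_services is defined`. The `'{{ item }}' in ….stdout` conditions are substring matches, so `http` counts as open when only `https` is listed and a closed-service check for `http` fails whenever `https` is open; comparing against the word list, `- item in public_zone_services.stdout.split()` (and likewise in the other five assertions), removes that ambiguity. With `failed_when: false` on the four firewall-cmd tasks, a firewalld that is not running returns empty stdout and every `not in` assertion passes vacuously; dropping `failed_when: false`, or asserting `internal_zone_services.rc == 0` before the zone checks, turns that into a visible failure. The file is a bare task list with no `hosts:` play header and no role include to supply the `firewalld_*` variables; unless Molecule pulls it in from a play elsewhere, which I cannot tell from this hunk, the verify stage will reject it.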