Diffstat (limited to 'node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java')
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java92
1 files changed, 16 insertions, 76 deletions
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 17e5637c0eb..9ce48dac55b 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -116,83 +116,23 @@ public class AclMaintainerTest {
private void assertAclsApplied(ContainerName containerName, List<ContainerAclSpec> containerAclSpecs,
VerificationMode verificationMode) {
+ StringBuilder expectedCommand = new StringBuilder()
+ .append("ip6tables -F INPUT; ")
+ .append("ip6tables -P INPUT DROP; ")
+ .append("ip6tables -P FORWARD DROP; ")
+ .append("ip6tables -P OUTPUT ACCEPT; ")
+ .append("ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; ")
+ .append("ip6tables -A INPUT -i lo -j ACCEPT; ")
+ .append("ip6tables -A INPUT -p ipv6-icmp -j ACCEPT; ");
+
+ containerAclSpecs.forEach(aclSpec ->
+ expectedCommand.append("ip6tables -A INPUT -s " + aclSpec.ipAddress() + "/128 -j ACCEPT; "));
+
+ expectedCommand.append("ip6tables -A INPUT -j REJECT");
+
+
verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-F"),
- eq("INPUT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-P"),
- eq("INPUT"),
- eq("DROP")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-P"),
- eq("FORWARD"),
- eq("DROP")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-P"),
- eq("OUTPUT"),
- eq("ACCEPT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-m"),
- eq("state"),
- eq("--state"),
- eq("RELATED,ESTABLISHED"),
- eq("-j"),
- eq("ACCEPT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-i"),
- eq("lo"),
- eq("-j"),
- eq("ACCEPT")
- );
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-p"),
- eq("ipv6-icmp"),
- eq("-j"),
- eq("ACCEPT")
- );
- containerAclSpecs.forEach(aclSpec -> verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-s"),
- eq(aclSpec.ipAddress() + "/128"),
- eq("-j"),
- eq("ACCEPT")
- ));
- verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
- eq(containerName),
- eq("ip6tables"),
- eq("-A"),
- eq("INPUT"),
- eq("-j"),
- eq("REJECT")
- );
+ eq(containerName), eq("/bin/sh"), eq("-c"), eq(expectedCommand.toString()));
}
private Container makeContainer(String hostname) {
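Review bot: `aclSpec.ipAddress()` is now concatenated into a string that `/bin/sh -c` parses (the `expectedCommand.append("ip6tables -A INPUT -s " + aclSpec.ipAddress() + "/128 -j ACCEPT; ")` line), whereas the removed assertions passed every ip6tables argument as its own argv element with no shell involved. The maintainer code is not in this hunk, but if it builds the command the same way, the address should be checked to be an IPv6 literal before it is appended, and a test case with a malformed address would pin that check. Joining the commands with `; ` also means the shell's exit status reflects only the final `ip6tables -A INPUT -j REJECT`, so an ACCEPT rule that fails in the middle goes unnoticed; expecting ` && ` as the separator, or a leading `set -e; `, would surface a partially applied ruleset as an error. `assertAclsApplied` is complete in this hunk; `makeContainer` continues outside it.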