Diffstat (limited to 'node-admin/src/test')
-rw-r--r-- | node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java | 92 |
1 files changed, 16 insertions, 76 deletions
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 17e5637c0eb..9ce48dac55b 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -116,83 +116,23 @@ public class AclMaintainerTest { private void assertAclsApplied(ContainerName containerName, List<ContainerAclSpec> containerAclSpecs, VerificationMode verificationMode) { + StringBuilder expectedCommand = new StringBuilder() + .append("ip6tables -F INPUT; ") + .append("ip6tables -P INPUT DROP; ") + .append("ip6tables -P FORWARD DROP; ") + .append("ip6tables -P OUTPUT ACCEPT; ") + .append("ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; ") + .append("ip6tables -A INPUT -i lo -j ACCEPT; ") + .append("ip6tables -A INPUT -p ipv6-icmp -j ACCEPT; "); + + containerAclSpecs.forEach(aclSpec -> + expectedCommand.append("ip6tables -A INPUT -s " + aclSpec.ipAddress() + "/128 -j ACCEPT; ")); + + expectedCommand.append("ip6tables -A INPUT -j REJECT"); + + verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-F"), - eq("INPUT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-P"), - eq("INPUT"), - eq("DROP") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-P"), - eq("FORWARD"), - eq("DROP") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-P"), - eq("OUTPUT"), - eq("ACCEPT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-m"), - eq("state"), - eq("--state"), - eq("RELATED,ESTABLISHED"), - eq("-j"), - eq("ACCEPT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-i"), - eq("lo"), - eq("-j"), - eq("ACCEPT") - ); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - 
eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-p"), - eq("ipv6-icmp"), - eq("-j"), - eq("ACCEPT") - ); - containerAclSpecs.forEach(aclSpec -> verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-s"), - eq(aclSpec.ipAddress() + "/128"), - eq("-j"), - eq("ACCEPT") - )); - verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace( - eq(containerName), - eq("ip6tables"), - eq("-A"), - eq("INPUT"), - eq("-j"), - eq("REJECT") - ); + eq(containerName), eq("/bin/sh"), eq("-c"), eq(expectedCommand.toString())); } private Container makeContainer(String hostname) { |
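Review bot: The expected command built in `assertAclsApplied` now pins a single `/bin/sh -c` string in which `aclSpec.ipAddress()` is concatenated directly and the rules are separated by `; `, where the removed assertions passed every token as its own argv element. Two things follow that this test does not cover: the address is now subject to shell parsing, so it is worth asserting (here or where `ContainerAclSpec` is constructed, which is not visible in this hunk) that only a validated IPv6 literal can reach the string; and with `;` the shell's exit status is that of the last `ip6tables` call, so a failed `-P INPUT DROP` in the middle would presumably go unnoticed by the caller. If the production side allows it, joining with ` && ` would make a partially applied rule set surface as a non-zero exit, and the expectation here would change accordingly, e.g. `.append("ip6tables -P INPUT DROP && ")`. A short comment above the builder, such as `// Order matters: flush, default policies, allow-list, then the final REJECT`, would also record why the exact string is pinned.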