From 53522910fbdd773b4a295ab07d91d138ef1caaa8 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Tue, 14 Dec 2021 15:28:31 -0800
Subject: [PATCH] Add firewall behavior assertions to testinfra testing

This attempts to exercise our firewall rules externally via the bridge
host in our testinfra testing. If we like this style of rule we can add
a number of tests for various firewall behaviors that we want to ensure.

Change-Id: I4ee63bc6f15af9b68fc1c690c5d92f4bf9c756c3
---
 testinfra/test_zookeeper.py | 21 +++++++++++++++++++++
 testinfra/util.py           | 13 +++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/testinfra/test_zookeeper.py b/testinfra/test_zookeeper.py
index efe1148610..4b638d2fdc 100644
--- a/testinfra/test_zookeeper.py
+++ b/testinfra/test_zookeeper.py
@@ -13,6 +13,7 @@
 # under the License.
 
 import json
+import util
 
 
 testinfra_hosts = ['zk04.opendev.org']
@@ -53,3 +54,23 @@ def test_zookeeper_statsd_running(host):
     out = json.loads(cmd.stdout)
     assert out[0]["State"]["Status"] == "running"
     assert out[0]["RestartCount"] == 0
+
+def test_zk_2181_accessibility(host):
+    # Ask the host to report its own IP addresses. This will use our test
+    # local /etc/hosts values and not DNS.
+    zk = host.addr("zk04.opendev.org")
+    # Verify it is using our local /etc/hosts values
+    print(zk.ipv4_addresses)
+    print(zk.ipv6_addresses)
+
+    for addr in zk.ipv4_addresses + zk.ipv6_addresses:
+        if addr.startswith("::ffff:"):
+            # This is an ipv4 address mapped to ipv6 and is covered by
+            # the ipv4_addresses list
+            continue
+        if addr.startswith("127.") or addr == "::1":
+            # We don't want to talk to localhost as we are connecting
+            # from our test bridge instance.
+            continue
+        util.check_unreachable(addr, 2181)
+        util.check_unreachable(addr, 2281)
diff --git a/testinfra/util.py b/testinfra/util.py
index 1bc81b0070..f5f5bb75bc 100644
--- a/testinfra/util.py
+++ b/testinfra/util.py
@@ -121,3 +121,16 @@ def verify_iptables(host):
         assert snmp in ip6rules
 
     return rules
+
+
+def check_unreachable(addr, port, errno=113):
+    # errno 113 is no route to host
+    try:
+        s = socket.create_connection((addr, port), timeout=10)
+    except OSError as e:
+        # No route to host
+        assert e.errno == errno
+    else:
+        s.close()
+        # We should always error.
+        assert False