Fix Python linting issues in iptables test file

Fixed all ruff linting issues:
- Removed unused yaml import
- Fixed import sorting (pathlib before third-party imports)
- Removed trailing whitespace from blank lines
- Added newline at end of file

All tests still pass after formatting fixes.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Dan Guido 2025-08-17 16:29:54 -04:00
parent c81665d422
commit 18c41da6ad


@ -6,9 +6,9 @@ These tests verify that the iptables rules templates generate correct
NAT rules for both WireGuard and IPsec VPN traffic. NAT rules for both WireGuard and IPsec VPN traffic.
""" """
import pytest
import yaml
from pathlib import Path from pathlib import Path
import pytest
from jinja2 import Environment, FileSystemLoader from jinja2 import Environment, FileSystemLoader
@ -22,7 +22,7 @@ def load_template(template_name):
def test_wireguard_nat_rules_ipv4(): def test_wireguard_nat_rules_ipv4():
"""Test that WireGuard traffic gets proper NAT rules without policy matching.""" """Test that WireGuard traffic gets proper NAT rules without policy matching."""
template = load_template('rules.v4.j2') template = load_template('rules.v4.j2')
# Test with WireGuard enabled # Test with WireGuard enabled
result = template.render( result = template.render(
ipsec_enabled=False, ipsec_enabled=False,
@ -40,7 +40,7 @@ def test_wireguard_nat_rules_ipv4():
ansible_ssh_port=22, ansible_ssh_port=22,
reduce_mtu=0 reduce_mtu=0
) )
# Verify NAT rule exists without policy matching # Verify NAT rule exists without policy matching
assert '-A POSTROUTING -s 10.49.0.0/16 -j MASQUERADE' in result assert '-A POSTROUTING -s 10.49.0.0/16 -j MASQUERADE' in result
# Verify no policy matching in WireGuard NAT rules # Verify no policy matching in WireGuard NAT rules
@ -50,7 +50,7 @@ def test_wireguard_nat_rules_ipv4():
def test_ipsec_nat_rules_ipv4(): def test_ipsec_nat_rules_ipv4():
"""Test that IPsec traffic gets proper NAT rules without policy matching.""" """Test that IPsec traffic gets proper NAT rules without policy matching."""
template = load_template('rules.v4.j2') template = load_template('rules.v4.j2')
# Test with IPsec enabled # Test with IPsec enabled
result = template.render( result = template.render(
ipsec_enabled=True, ipsec_enabled=True,
@ -66,7 +66,7 @@ def test_ipsec_nat_rules_ipv4():
ansible_ssh_port=22, ansible_ssh_port=22,
reduce_mtu=0 reduce_mtu=0
) )
# Verify NAT rule exists without policy matching # Verify NAT rule exists without policy matching
assert '-A POSTROUTING -s 10.48.0.0/16 -j MASQUERADE' in result assert '-A POSTROUTING -s 10.48.0.0/16 -j MASQUERADE' in result
# Verify no policy matching in IPsec NAT rules (this was the bug) # Verify no policy matching in IPsec NAT rules (this was the bug)
@ -76,7 +76,7 @@ def test_ipsec_nat_rules_ipv4():
def test_both_vpns_nat_rules_ipv4(): def test_both_vpns_nat_rules_ipv4():
"""Test NAT rules when both VPN types are enabled.""" """Test NAT rules when both VPN types are enabled."""
template = load_template('rules.v4.j2') template = load_template('rules.v4.j2')
result = template.render( result = template.render(
ipsec_enabled=True, ipsec_enabled=True,
wireguard_enabled=True, wireguard_enabled=True,
@ -96,11 +96,11 @@ def test_both_vpns_nat_rules_ipv4():
ansible_ssh_port=22, ansible_ssh_port=22,
reduce_mtu=0 reduce_mtu=0
) )
# Both should have NAT rules # Both should have NAT rules
assert '-A POSTROUTING -s 10.48.0.0/16 -j MASQUERADE' in result assert '-A POSTROUTING -s 10.48.0.0/16 -j MASQUERADE' in result
assert '-A POSTROUTING -s 10.49.0.0/16 -j MASQUERADE' in result assert '-A POSTROUTING -s 10.49.0.0/16 -j MASQUERADE' in result
# Neither should have policy matching # Neither should have policy matching
assert '-m policy --pol none' not in result assert '-m policy --pol none' not in result
@ -108,7 +108,7 @@ def test_both_vpns_nat_rules_ipv4():
def test_alternative_ingress_snat(): def test_alternative_ingress_snat():
"""Test that alternative ingress IP uses SNAT instead of MASQUERADE.""" """Test that alternative ingress IP uses SNAT instead of MASQUERADE."""
template = load_template('rules.v4.j2') template = load_template('rules.v4.j2')
result = template.render( result = template.render(
ipsec_enabled=True, ipsec_enabled=True,
wireguard_enabled=True, wireguard_enabled=True,
@ -128,7 +128,7 @@ def test_alternative_ingress_snat():
ansible_ssh_port=22, ansible_ssh_port=22,
reduce_mtu=0 reduce_mtu=0
) )
# Should use SNAT with specific IP instead of MASQUERADE # Should use SNAT with specific IP instead of MASQUERADE
assert '-A POSTROUTING -s 10.48.0.0/16 -j SNAT --to 192.168.1.100' in result assert '-A POSTROUTING -s 10.48.0.0/16 -j SNAT --to 192.168.1.100' in result
assert '-A POSTROUTING -s 10.49.0.0/16 -j SNAT --to 192.168.1.100' in result assert '-A POSTROUTING -s 10.49.0.0/16 -j SNAT --to 192.168.1.100' in result
@ -138,7 +138,7 @@ def test_alternative_ingress_snat():
def test_ipsec_forward_rule_has_policy_match(): def test_ipsec_forward_rule_has_policy_match():
"""Test that IPsec FORWARD rules still use policy matching (this is correct).""" """Test that IPsec FORWARD rules still use policy matching (this is correct)."""
template = load_template('rules.v4.j2') template = load_template('rules.v4.j2')
result = template.render( result = template.render(
ipsec_enabled=True, ipsec_enabled=True,
wireguard_enabled=False, wireguard_enabled=False,
@ -153,7 +153,7 @@ def test_ipsec_forward_rule_has_policy_match():
ansible_ssh_port=22, ansible_ssh_port=22,
reduce_mtu=0 reduce_mtu=0
) )
# FORWARD rule should have policy match (this is correct and should stay) # FORWARD rule should have policy match (this is correct and should stay)
assert '-A FORWARD -m conntrack --ctstate NEW -s 10.48.0.0/16 -m policy --pol ipsec --dir in -j ACCEPT' in result assert '-A FORWARD -m conntrack --ctstate NEW -s 10.48.0.0/16 -m policy --pol ipsec --dir in -j ACCEPT' in result
@ -161,7 +161,7 @@ def test_ipsec_forward_rule_has_policy_match():
def test_wireguard_forward_rule_no_policy_match(): def test_wireguard_forward_rule_no_policy_match():
"""Test that WireGuard FORWARD rules don't use policy matching.""" """Test that WireGuard FORWARD rules don't use policy matching."""
template = load_template('rules.v4.j2') template = load_template('rules.v4.j2')
result = template.render( result = template.render(
ipsec_enabled=False, ipsec_enabled=False,
wireguard_enabled=True, wireguard_enabled=True,
@ -178,11 +178,11 @@ def test_wireguard_forward_rule_no_policy_match():
ansible_ssh_port=22, ansible_ssh_port=22,
reduce_mtu=0 reduce_mtu=0
) )
# WireGuard FORWARD rule should NOT have any policy match # WireGuard FORWARD rule should NOT have any policy match
assert '-A FORWARD -m conntrack --ctstate NEW -s 10.49.0.0/16 -j ACCEPT' in result assert '-A FORWARD -m conntrack --ctstate NEW -s 10.49.0.0/16 -j ACCEPT' in result
assert '-A FORWARD -m conntrack --ctstate NEW -s 10.49.0.0/16 -m policy' not in result assert '-A FORWARD -m conntrack --ctstate NEW -s 10.49.0.0/16 -m policy' not in result
if __name__ == '__main__': if __name__ == '__main__':
pytest.main([__file__, '-v']) pytest.main([__file__, '-v'])