remove redundant iptables comparison

testinfra/mon/test_network.py

@@ -1,48 +1,8 @@
 import os
-import difflib
-import pytest
-from jinja2 import Template
-
 
 securedrop_test_vars = pytest.securedrop_test_vars
 
 
-def test_mon_iptables_rules(SystemInfo, Command, Sudo):
-
-    # Build a dict of variables to pass to jinja for iptables comparison
-    kwargs = dict(
-        app_ip=os.environ.get('APP_IP', securedrop_test_vars.app_ip),
-        default_interface=Command.check_output(
-            "ip r | head -n 1 | awk '{ print $5 }'"),
-        tor_user_id=Command.check_output("id -u debian-tor"),
-        ssh_group_gid=Command.check_output("getent group ssh | cut -d: -f3"),
-        postfix_user_id=Command.check_output("id -u postfix"),
-        dns_server=securedrop_test_vars.dns_server)
-
-    # Build iptables scrape cmd, purge comments + counters
-    iptables = "iptables-save | sed 's/ \[[0-9]*\:[0-9]*\]//g' | egrep -v '^#'"
-    environment = os.environ.get("CI_SD_ENV", "staging")
-    iptables_file = "{}/iptables-mon-{}.j2".format(
-        os.path.dirname(os.path.abspath(__file__)),
-        environment)
-
-    # template out a local iptables jinja file
-    jinja_iptables = Template(open(iptables_file, 'r').read())
-    iptables_expected = jinja_iptables.render(**kwargs)
-
-    with Sudo():
-        # Actually run the iptables scrape command
-        iptables = Command.check_output(iptables)
-        # print diff comparison (only shows up in pytests if test fails or
-        # verbosity turned way up)
-        for iptablesdiff in difflib.context_diff(iptables_expected.split('\n'),
-                                                 iptables.split('\n')):
-            print(iptablesdiff)
-        # Conduct the string comparison of the expected and actual iptables
-        # ruleset
-        assert iptables_expected == iptables
-
-
 @pytest.mark.parametrize('ossec_service', [
     dict(host="0.0.0.0", proto="tcp", port=22, listening=True),
     dict(host="0.0.0.0", proto="udp", port=1514, listening=True),

testinfra/vars/app-prod.yml

@@ -40,42 +40,3 @@ allowed_apache_logfiles:
   - /var/log/apache2/journalist-access.log
   - /var/log/apache2/journalist-error.log
   - /var/log/apache2/other_vhosts_access.log
-
-iptables_complete_ruleset: |-
-  -P INPUT DROP
-  -P FORWARD DROP
-  -P OUTPUT DROP
-  -N LOGNDROP
-  -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
-  -A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT
-  -A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT
-  -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
-  -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
-  -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
-  -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
-  -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
-  -A INPUT -s 10.0.1.5/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
-  -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
-  -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
-  -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
-  -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT
-  -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP
-  -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT
-  -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT
-  -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP
-  -A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
-  -A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
-  -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
-  -A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP
-  -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
-  -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
-  -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
-  -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
-  -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
-  -A OUTPUT -d 10.0.1.5/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
-  -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
-  -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
-  -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
-  -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
-  -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
-  -A LOGNDROP -j DROP