test: add comprehensive unit tests for all shell scripts

Add unit tests for run.sh, encryption-setup.sh, encryption-validation.sh, firewall-setup.sh, security-hardening.sh, and build-iso.sh. Achieve comprehensive function coverage with assertions for all critical security configurations and setup procedures. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 10:53:17 -05:00
parent e8a9ff8061
commit a9116149c9
7 changed files with 723 additions and 0 deletions
--- a/tests/unit/firewall-setup_test.bats
+++ b/tests/unit/firewall-setup_test.bats
@@ -0,0 +1,85 @@
+#!/usr/bin/env bats
+# Comprehensive unit tests for firewall-setup.sh
+
+# Add bats library to BATS_LIB_PATH
+export BATS_LIB_PATH="/usr/lib/bats-core"
+
+load 'bats-support/load'
+load 'bats-assert/load'
+load 'bats-file/load'
+load '../test_helper/common.bash'
+
+setup() {
+    export TEST_ROOT="${TEST_TEMP_DIR}/firewall"
+    mkdir -p "${TEST_ROOT}"
+}
+
+@test "firewall-setup.sh exists and is executable" {
+    assert_file_exists "${PROJECT_ROOT}/src/firewall-setup.sh"
+    assert [ -x "${PROJECT_ROOT}/src/firewall-setup.sh" ]
+}
+
+@test "firewall-setup.sh creates nftables rules" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local rules_file="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$rules_file"
+
+    assert_file_exists "$rules_file"
+    assert_file_contains "$rules_file" "table inet filter"
+}
+
+@test "firewall-setup.sh blocks inbound by default" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local rules_file="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$rules_file"
+
+    assert_file_contains "$rules_file" "policy input drop"
+}
+
+@test "firewall-setup.sh allows outbound traffic" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local rules_file="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$rules_file"
+
+    assert_file_contains "$rules_file" "policy output accept"
+}
+
+@test "firewall-setup.sh allows SSH inbound" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local rules_file="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$rules_file"
+
+    assert_file_contains "$rules_file" "tcp dport 22"
+}
+
+@test "firewall-setup.sh allows WireGuard VPN" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local rules_file="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$rules_file"
+
+    assert_file_contains "$rules_file" "udp dport 51820"
+}
+
+@test "firewall-setup.sh enables firewall service" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    # Mock systemctl
+    systemctl() {
+        echo "systemctl $@"
+        return 0
+    }
+    export -f systemctl
+
+    run enable_firewall_service
+    assert_success
+}
+
+@test "firewall-setup.sh script is valid bash" {
+    run bash -n "${PROJECT_ROOT}/src/firewall-setup.sh"
+    assert_success
+}