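#!/usr/bin/env bats
# KNEL-Football Unit Tests - Firewall Setup
# Reference: PRD.md FR-004 (Network Isolation)
# Copyright © 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only
#
# These are static checks: every test greps the source text of
# firewall-setup.sh for an expected construct. They prove the script
# *contains* a rule or message, not that nftables accepts the generated
# ruleset or that the kernel enforces it.

# Script under test. Overridable through the environment so the suite can
# run against a checkout that is not mounted at /workspace; the default is
# the path the tests always used.
FIREWALL_SCRIPT="${FIREWALL_SCRIPT:-/workspace/src/firewall-setup.sh}"

# script_has PATTERN
# Succeeds when PATTERN occurs verbatim in the script under test.
# Fixed-string matching (-F) keeps patterns such as "/etc/nftables.conf"
# or "BASH_SOURCE[0]" from being interpreted as regular expressions.
script_has() {
  grep -q -F -- "$1" "$FIREWALL_SCRIPT"
}

# chain_has_drop_policy CHAIN LINES
# Succeeds when "policy drop" appears within LINES lines after a
# "chain CHAIN" line, i.e. the drop policy is attached to that chain's
# header rather than appearing somewhere else in the file.
chain_has_drop_policy() {
  grep -A "$2" -F -- "chain $1" "$FIREWALL_SCRIPT" | grep -q -F -- "policy drop"
}

# =============================================================================
# File Existence and Properties
# =============================================================================

@test "firewall-setup.sh exists" {
  [ -f "$FIREWALL_SCRIPT" ]
}

@test "firewall-setup.sh is executable" {
  [ -x "$FIREWALL_SCRIPT" ]
}

@test "firewall-setup.sh is a valid bash script" {
  # bash -n parses without executing; catches syntax errors only.
  run bash -n "$FIREWALL_SCRIPT"
  [ "$status" -eq 0 ]
}

@test "firewall-setup.sh uses strict mode" {
  script_has "set -euo pipefail"
}

# =============================================================================
# WireGuard Endpoint Parsing
# =============================================================================

@test "firewall-setup.sh has parse_wg_endpoint function" {
  script_has "parse_wg_endpoint()"
}

@test "firewall-setup.sh parses Endpoint from WireGuard config" {
  # Coarse: only asserts the key name is referenced somewhere.
  script_has "Endpoint"
}

@test "firewall-setup.sh handles missing WireGuard config" {
  # Pins the user-facing error message emitted on a missing config.
  script_has "WireGuard config not found"
}

# =============================================================================
# nftables Rule Generation
# =============================================================================

@test "firewall-setup.sh has generate_nftables_rules function" {
  script_has "generate_nftables_rules()"
}

@test "firewall-setup.sh generates nftables rules" {
  # Weak by construction: "nft" is also a substring of "nftables.conf",
  # so this passes whenever the config path test below passes.
  script_has "nft"
}

@test "firewall-setup.sh creates inet filter table" {
  script_has "table inet filter"
}

# Default-drop on all three base chains is the core of FR-004. The window
# after the chain header is 5 lines for input/output and 3 for forward,
# matching the layout the original assertions were written against.
@test "firewall-setup.sh sets default drop policy on input" {
  chain_has_drop_policy input 5
}

@test "firewall-setup.sh sets default drop policy on forward" {
  chain_has_drop_policy forward 3
}

@test "firewall-setup.sh sets default drop policy on output" {
  chain_has_drop_policy output 5
}

@test "firewall-setup.sh accepts loopback traffic" {
  script_has "iif lo accept"
  script_has "oif lo accept"
}

@test "firewall-setup.sh accepts ICMP ping" {
  # Explicit exception to the default-drop policy: inbound echo-request.
  script_has "icmp type echo-request accept"
}

@test "firewall-setup.sh allows WireGuard traffic" {
  # Checks the two fragments independently; it does not verify that the
  # dport rule is the one carrying the WireGuard endpoint.
  script_has "udp dport"
  script_has "WireGuard"
}

# =============================================================================
# Apply Firewall Function
# =============================================================================

@test "firewall-setup.sh has apply_firewall function" {
  script_has "apply_firewall()"
}

@test "firewall-setup.sh writes to /etc/nftables.conf" {
  script_has "/etc/nftables.conf"
}

@test "firewall-setup.sh enables nftables service" {
  script_has "systemctl enable nftables"
}

@test "firewall-setup.sh restarts nftables service" {
  script_has "systemctl restart nftables"
}

@test "firewall-setup.sh handles missing endpoint gracefully" {
  # Pins the message that signals fail-closed behaviour when no endpoint
  # could be parsed.
  script_has "default deny policy"
}

# =============================================================================
# Main Function
# =============================================================================

@test "firewall-setup.sh has main function" {
  script_has "main()"
}

@test "firewall-setup.sh calls main when executed directly" {
  # Fixed-string form of the BASH_SOURCE[0] guard; no regex escaping needed.
  script_has 'BASH_SOURCE[0]'
}

# =============================================================================
# Security Properties
# =============================================================================

@test "firewall-setup.sh flushes existing ruleset" {
  # Flushing first prevents stale permissive rules from surviving a re-run.
  script_has "flush ruleset"
}

@test "firewall-setup.sh uses WireGuard endpoint IP for allow rule" {
  # Presence check only; the daddr is not tied to the parsed endpoint here.
  script_has "ip daddr"
}

@test "firewall-setup.sh uses WireGuard endpoint port for allow rule" {
  script_has "udp dport"
}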