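#!/usr/bin/env bats
# Comprehensive unit tests for firewall-setup.sh
#
# NOTE(review): PROJECT_ROOT, TEST_TEMP_DIR and the assert_* helpers are used
# below but are not defined in this file; presumably a shared test helper
# provides them -- confirm it is loaded before these tests run.
#
# NOTE(review): several tests `source` firewall-setup.sh, which executes any
# top-level statements in that script inside the test process. Confirm the
# script only defines functions when sourced, so the suite cannot touch the
# host firewall.

# Add bats library to BATS_LIB_PATH

# Per-test fixture: create the scratch directory that receives the generated
# rules file.
setup() {
  # Abort if TEST_TEMP_DIR is unset or empty; otherwise TEST_ROOT would
  # expand to "/firewall" and mkdir would write outside the test sandbox.
  export TEST_ROOT="${TEST_TEMP_DIR:?TEST_TEMP_DIR must be set by the test helper}/firewall"
  mkdir -p "${TEST_ROOT}"
  # Every test below writes the same path; remove a file left by an earlier
  # test so a stale ruleset cannot satisfy a later assertion.
  rm -f -- "${TEST_ROOT}/firewall.rules"
}

# The script under test must be present and carry the executable bit.
@test "firewall-setup.sh exists and is executable" {
  assert_file_exists "${PROJECT_ROOT}/src/firewall-setup.sh"
  assert [ -x "${PROJECT_ROOT}/src/firewall-setup.sh" ]
}

# configure_nftables is expected to write a ruleset containing an inet
# filter table to the path it is given.
@test "firewall-setup.sh creates nftables rules" {
  source "${PROJECT_ROOT}/src/firewall-setup.sh"

  local rules_file="${TEST_ROOT}/firewall.rules"
  configure_nftables "$rules_file"

  assert_file_exists "$rules_file"
  assert_file_contains "$rules_file" "table inet filter"
}

# Default-deny for inbound traffic.
# NOTE(review): native nftables syntax declares the default verdict as
# `policy drop;` inside the input chain, so this exact string would not appear
# in a ruleset written that way -- confirm what configure_nftables emits.
@test "firewall-setup.sh blocks inbound by default" {
  source "${PROJECT_ROOT}/src/firewall-setup.sh"

  local rules_file="${TEST_ROOT}/firewall.rules"
  configure_nftables "$rules_file"

  assert_file_contains "$rules_file" "policy input drop"
}

# Default-accept for outbound traffic (same string-format caveat as the
# inbound policy test).
@test "firewall-setup.sh allows outbound traffic" {
  source "${PROJECT_ROOT}/src/firewall-setup.sh"

  local rules_file="${TEST_ROOT}/firewall.rules"
  configure_nftables "$rules_file"

  assert_file_contains "$rules_file" "policy output accept"
}

# The ruleset must mention TCP port 22.
# NOTE(review): this checks only that the port match text is present. It does
# not check the verdict or any source restriction, and the pattern would also
# be satisfied by e.g. "tcp dport 2222" or "tcp dport 22 drop". Consider
# asserting the full rule line once its exact format is confirmed.
@test "firewall-setup.sh allows SSH inbound" {
  source "${PROJECT_ROOT}/src/firewall-setup.sh"

  local rules_file="${TEST_ROOT}/firewall.rules"
  configure_nftables "$rules_file"

  assert_file_contains "$rules_file" "tcp dport 22"
}

# The ruleset must mention UDP port 51820 (same verdict caveat as the SSH
# test: presence of the match text does not prove the rule accepts).
@test "firewall-setup.sh allows WireGuard VPN" {
  source "${PROJECT_ROOT}/src/firewall-setup.sh"

  local rules_file="${TEST_ROOT}/firewall.rules"
  configure_nftables "$rules_file"

  assert_file_contains "$rules_file" "udp dport 51820"
}

# enable_firewall_service must succeed when systemctl succeeds.
# NOTE(review): the stub always returns 0 and its output is not asserted, so
# this does not verify which unit is enabled or that systemctl is called.
@test "firewall-setup.sh enables firewall service" {
  source "${PROJECT_ROOT}/src/firewall-setup.sh"

  # Mock systemctl so the test never reaches the real service manager.
  systemctl() {
    # "$*" joins the arguments into one string; "$@" inside a larger quoted
    # string splits it into several words (ShellCheck SC2145).
    printf '%s\n' "systemctl $*"
    return 0
  }
  export -f systemctl

  run enable_firewall_service
  assert_success
}

# Syntax check only: bash -n parses the script without executing it.
@test "firewall-setup.sh script is valid bash" {
  run bash -n "${PROJECT_ROOT}/src/firewall-setup.sh"
  assert_success
}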