From 482046c5a265a9073c5cf26fe04a51c505849472 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Fri, 10 Nov 2023 09:36:47 -0700 Subject: [PATCH] (profile::core::firewall) include ipset As `ipset` won't be used unless profile::core::firewall is included, it makes sense to include `ipset` from the profile instead of forcing roles to directly include it. --- hieradata/role/perfsonar.yaml | 1 - site/profile/manifests/core/firewall.pp | 1 + spec/classes/core/firewall_spec.rb | 43 +++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 spec/classes/core/firewall_spec.rb
diff --git a/hieradata/role/perfsonar.yaml b/hieradata/role/perfsonar.yaml
index 2531d3e8a1..71d7938947 100644
--- a/hieradata/role/perfsonar.yaml
+++ b/hieradata/role/perfsonar.yaml
@@ -1,6 +1,5 @@
 ---
 classes:
- - "ipset"
 - "ntp"
 - "profile::core::common"
 - "profile::core::debugutils"
diff --git a/site/profile/manifests/core/firewall.pp b/site/profile/manifests/core/firewall.pp
index 0c4e1b8e81..306dc0b47c 100644
--- a/site/profile/manifests/core/firewall.pp
+++ b/site/profile/manifests/core/firewall.pp
@@ -12,6 +12,7 @@ Boolean $purge_firewall = false, ) { include firewall + include ipset if $purge_firewall { resources { 'firewall': purge => true }
diff --git a/spec/classes/core/firewall_spec.rb b/spec/classes/core/firewall_spec.rb
new file mode 100644
index 0000000000..1cf9c79696
--- /dev/null
+++ b/spec/classes/core/firewall_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'profile::core::firewall' do
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) { facts }
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('firewall') }
+ it { is_expected.to contain_class('ipset') }
+ it { is_expected.to have_resources_resource_count(0) }
+ it { is_expected.to have_firewall_resource_count(0) }
+
+ context 'with purge_firewall param' do
+ let(:params) { { purge_firewall: true } }
+
+ it { is_expected.to contain_resources('firewall').with_purge(true) }
+ end
+
+ context 'with firewall param' do
+ let(:params) do
+ {
+ firewall: {
+ '001 accept all icmp' => {
+ 'proto' => 'icmp',
+ 'action' => 'accept',
+ },
+ },
+ }
+ end
+
+ it do
+ is_expected.to contain_firewall('001 accept all icmp').with(
+ 'proto' => 'icmp',
+ 'action' => 'accept',
+ )
+ end
+ end
+ end
+ end
+end
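Review bot: The 'with firewall param' context only asserts that the `001 accept all icmp` rule is present, so a regression in which the profile emits extra, unrequested firewall rules next to it would still pass. Pin the exact rule set there by adding `it { is_expected.to have_firewall_resource_count(1) }`, mirroring the zero-count assertions in the default case. The 'with purge_firewall param' context could likewise assert `it { is_expected.to have_firewall_resource_count(0) }`, to show that enabling purge does not create rules of its own.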