add firewall kickstart tests (disabled and configured)

Summary:
these together test QA:Testcase_kickstart_firewall from the
Server matrix. I'll have to come up with some kinda way to
handle reporting that, might be tricky.

Couple of tweaks to overall test flow: tests can now specify
a POSTINSTALL variable which will load a post-install test
following a naming convention, and tests can specify USER_LOGIN
as 'false' to disable the 'log in as a user' step entirely. We
could easily adjust the kickstarts to create a user so the test
could log in as one, but it seems like an unnecessary step and
I liked the idea of allowing the user login to be skipped.

Test Plan:
Schedule 'universal' tests, check the new tests run
and pass or fail as they should, check no other test is broken
by the logic flow changes.

Reviewers: jskladan, garretraziel

Reviewed By: garretraziel

Subscribers: tflink

Differential Revision: https://phab.qadevel.cloud.fedoraproject.org/D792

VARIABLES.md

@@ -67,8 +67,8 @@ it also means that `B` conflicts `A` even if not shown in the table).
 | `DESKTOP` | boolean | `false`/not set | nothing | set to indicate that Fedora is running with GUI (so for example OpenQA should expect graphical login screen) |
 | `ROOT_PASSWORD` | string | `weakpassword` | nothing | root password is set to this value |
 | `GRUB` | string | not set | nothing | when set, append this string to kernel line in GRUB |
-| `USER_LOGIN` | string | not set | should be used with `USER_PASSWORD` | when set, user login is set to this value |
-| `USER_PASSWORD` | string | not set | should be used with `USER_LOGIN` | when set, user password is set to this value |
+| `USER_LOGIN` | string | not set | should be used with `USER_PASSWORD` (unless `false`) | when set, user login is set to this value. If not set, default value `test` is used for console installs, no login is done for graphical installs. If set to `false`, no user login will be done |
+| `USER_PASSWORD` | string | not set | should be used with `USER_LOGIN` | when set, user password is set to this value. If not set, default value `weakpassword` is used for console installs, no login is done for graphical installs |
 | `BOOT_UPDATES_IMG_URL` | boolean | `false`/not set | set to indicate that path to updates.img was appended to kernel line |
 | `UEFI` | boolean | `false`/not set | nothing | whether to use UEFI, this variable isn't usually set in test suites but in machine definition |
 

main.pm

@@ -192,6 +192,12 @@ else
     if (get_var("UEFI")) {
         autotest::loadtest "tests/uefi_postinstall.pm";
     }
+
+    # generic post-install test load
+    if (get_var("POSTINSTALL")) {
+        autotest::loadtest "tests/".get_var('POSTINSTALL')."_postinstall.pm";
+    }
+
     # we should shut down before uploading disk images
     if (get_var("STORE_HDD_1") || get_var("PUBLISH_HDD_1")) {
         autotest::loadtest "tests/_console_shutdown.pm";

templates

@@ -721,6 +721,28 @@
                                     },
                       test_suite => { name => "install_european_language" },
                     },
+                    {
+                      machine    => { name => "64bit" },
+                      prio       => 40,
+                      product    => {
+                                      arch    => "x86_64",
+                                      distri  => "fedora",
+                                      flavor  => "universal",
+                                      version => "*",
+                                    },
+                      test_suite => { name => "install_kickstart_firewall_disabled" },
+                    },
+{
+                      machine    => { name => "64bit" },
+                      prio       => 40,
+                      product    => {
+                                      arch    => "x86_64",
+                                      distri  => "fedora",
+                                      flavor  => "universal",
+                                      version => "*",
+                                    },
+                      test_suite => { name => "install_kickstart_firewall_configured" },
+                    },
                     {
                       machine    => { name => "64bit" },
                       prio       => 11,
@@ -1361,5 +1383,25 @@
                         { key => "HDD_1", value => "disk_%FLAVOR%_%MACHINE%.qcow2" },
                       ],
                     },
+                    {
+                      name => "install_kickstart_firewall_disabled",
+                      settings => [
+                        { key => "KICKSTART", value => "1" },
+                        { key => "GRUB", value => "inst.ks=http://fedorapeople.org/groups/qa/kickstarts/firewall-disabled-net.ks" },
+                        { key => "POSTINSTALL", value => "firewall_disabled" },
+                        { key => "ROOT_PASSWORD", value => "anaconda" },
+                        { key => "USER_LOGIN", value => "false" },
+                      ],
+                    },
+                    {
+                      name => "install_kickstart_firewall_configured",
+                      settings => [
+                        { key => "KICKSTART", value => "1" },
+                        { key => "GRUB", value => "inst.ks=http://fedorapeople.org/groups/qa/kickstarts/firewall-configured-net.ks" },
+                        { key => "POSTINSTALL", value => "firewall_configured" },
+                        { key => "ROOT_PASSWORD", value => "anaconda" },
+                        { key => "USER_LOGIN", value => "false" },
+                      ],
+                    },
                   ],
 }

tests/_console_wait_login.pm

@@ -12,7 +12,10 @@ sub run {
     # Reboot and wait for the text login
     assert_screen "text_console_login", $wait_time;
 
-    $self->console_login(user=>get_var("USER_LOGIN", "test"), password=>get_var("USER_PASSWORD", "weakpassword"));
+    # do user login unless USER_LOGIN is set to string 'false'
+    unless (get_var("USER_LOGIN") eq "false") {
+        $self->console_login(user=>get_var("USER_LOGIN", "test"), password=>get_var("USER_PASSWORD", "weakpassword"));
+    }
     if (get_var("ROOT_PASSWORD")) {
         $self->console_login(user=>"root", password=>get_var("ROOT_PASSWORD"));
     }

tests/firewall_configured_postinstall.pm

@@ -0,0 +1,29 @@
+use base "installedtest";
+use strict;
+use testapi;
+
+sub run {
+    my $self=shift;
+    if (not( check_screen "root_console", 0)) {
+        $self->root_console(tty=>3);
+    }
+    # this only succeeds if the firewall is running
+    assert_script_run 'firewall-cmd --state';
+    # these succeed if the specified service/port is allowed
+    assert_script_run 'firewall-cmd --query-service ftp';
+    assert_script_run 'firewall-cmd --query-port imap/tcp';
+    assert_script_run 'firewall-cmd --query-port 1234/udp';
+    assert_script_run 'firewall-cmd --query-port 47/tcp';
+}
+
+sub test_flags {
+    # without anything - rollback to 'lastgood' snapshot if failed
+    # 'fatal' - whole test suite is in danger if this fails
+    # 'milestone' - after this test succeeds, update 'lastgood'
+    # 'important' - if this fails, set the overall state to 'fail'
+    return { fatal => 1 };
+}
+
+1;
+
+# vim: set sw=4 et:

tests/firewall_disabled_postinstall.pm

@@ -0,0 +1,26 @@
+use base "installedtest";
+use strict;
+use testapi;
+
+sub run {
+    my $self=shift;
+    if (not( check_screen "root_console", 0)) {
+        $self->root_console(tty=>3);
+    }
+    # this asserts that the command fails (which it does when fw is not running)
+    assert_script_run '! firewall-cmd --state';
+    # check there are no 'REJECT' rules in iptables
+    validate_script_output 'iptables -L -v', sub { $_ !~ m/.*REJECT.*/s };
+}
+
+sub test_flags {
+    # without anything - rollback to 'lastgood' snapshot if failed
+    # 'fatal' - whole test suite is in danger if this fails
+    # 'milestone' - after this test succeeds, update 'lastgood'
+    # 'important' - if this fails, set the overall state to 'fail'
+    return { fatal => 1 };
+}
+
+1;
+
+# vim: set sw=4 et: