Switch icmp_type from string to array of strings (#32)

* Switch icmp_type from string to array of strings

.github/workflows/ci.yml

@@ -11,8 +11,7 @@ jobs:
     uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main"
     secrets: "inherit"
 
-# Acceptance tests to enable in the future
-#  Acceptance:
-#    needs: Spec
-#    uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main"
-#    secrets: "inherit"
+  Acceptance:
+    needs: Spec
+    uses: "puppetlabs/cat-github-actions/.github/workflows/module_acceptance.yml@main"
+    secrets: "inherit"

.github/workflows/release.yml

@@ -2,9 +2,8 @@ name: "Publish module"
 
 on:
   workflow_dispatch:
-  
+
 jobs:
-  release:
-    name: "Release"
+  release: 
     uses: "puppetlabs/cat-github-actions/.github/workflows/module_release.yml@main"
     secrets: "inherit"

.rubocop.yml

@@ -5,7 +5,7 @@ require:
 AllCops:
   NewCops: enable
   DisplayCopNames: true
-  TargetRubyVersion: '2.7'
+  TargetRubyVersion: '2.6'
   Include:
   - "**/*.rb"
   Exclude:
@@ -19,6 +19,7 @@ AllCops:
   - "**/Puppetfile"
   - "**/Vagrantfile"
   - "**/Guardfile"
+inherit_from: ".rubocop_todo.yml"
 Layout/LineLength:
   Description: People have wide screens, use them.
   Max: 200
@@ -528,6 +529,8 @@ Lint/DuplicateBranch:
   Enabled: false
 Lint/DuplicateMagicComment:
   Enabled: false
+Lint/DuplicateMatchPattern:
+  Enabled: false
 Lint/DuplicateRegexpCharacterClassElement:
   Enabled: false
 Lint/EmptyBlock:
@@ -644,6 +647,8 @@ Style/ComparableClamp:
   Enabled: false
 Style/ConcatArrayLiterals:
   Enabled: false
+Style/DataInheritance:
+  Enabled: false
 Style/DirEmpty:
   Enabled: false
 Style/DocumentDynamicEvalDefinition:
@@ -712,6 +717,8 @@ Style/RedundantHeredocDelimiterQuotes:
   Enabled: false
 Style/RedundantInitialize:
   Enabled: false
+Style/RedundantLineContinuation:
+  Enabled: false
 Style/RedundantSelfAssignmentBranch:
   Enabled: false
 Style/RedundantStringEscape:
@@ -722,6 +729,3 @@ Style/StringChars:
   Enabled: false
 Style/SwapValues:
   Enabled: false
-# Discard multi-line chains of blocks
-Style/MultilineBlockChain:
-  Enabled: false

.rubocop_todo.yml

@@ -0,0 +1,14 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2024-08-24 16:06:05 UTC using RuboCop version 1.50.2.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 12
+Style/MultilineBlockChain:
+  Exclude:
+    - 'lib/puppet/provider/windows_firewall_global/ruby.rb'
+    - 'lib/puppet_x/windows_firewall.rb'
+    - 'lib/puppet_x/windows_firewall_ipsec.rb'

.vscode/extensions.json

@@ -1,6 +1,6 @@
 {
   "recommendations": [
     "puppet.puppet-vscode",
-    "rebornix.Ruby"
+    "Shopify.ruby-lsp"
   ]
 }

CHANGELOG.md

@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file.
 
+## Release 1.5.1 (2024-08-24)
+
+[Full Changelog](https://github.com/webalexeu/puppet-windows_firewall/compare/v1.5.0...v1.5.1)
+
+**Features**
+
+**Bugfixes**
+
+- [Cannot define mutlitple icmp_type](https://github.com/webalexeu/puppet-windows_firewall/issues/31)
+
+**Known Issues**
+
 ## Release 1.5.0 (2024-06-07)
 
 [Full Changelog](https://github.com/webalexeu/puppet-windows_firewall/compare/v1.4.2...v1.5.0)
@@ -20,6 +32,8 @@ All notable changes to this project will be documented in this file.
 
 **Known Issues**
 
+- Cannot define mutliple icmp_type
+
 ## Release 1.4.2 (2023-01-22)
 
 [Full Changelog](https://github.com/webalexeu/puppet-windows_firewall/compare/v1.4.1...v1.4.2)

Gemfile

@@ -20,30 +20,29 @@ group :development do
   gem "json", '= 2.6.1',                         require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.3',                         require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "racc", '~> 1.4.0',                        require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "deep_merge", '~> 1.0',                    require: false
   gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
   gem "facterdb", '~> 1.18',                     require: false
-  gem "metadata-json-lint", '~> 3.0',            require: false
-  gem "puppetlabs_spec_helper", '~> 6.0',        require: false
-  gem "rspec-puppet-facts", '~> 2.0',            require: false
-  gem "codecov", '~> 0.2',                       require: false
+  gem "metadata-json-lint", '~> 4.0',            require: false
+  gem "rspec-puppet-facts", '~> 3.0',            require: false
   gem "dependency_checker", '~> 1.0.0',          require: false
   gem "parallel_tests", '= 3.12.1',              require: false
   gem "pry", '~> 0.10',                          require: false
-  gem "simplecov-console", '~> 0.5',             require: false
+  gem "simplecov-console", '~> 0.9',             require: false
   gem "puppet-debugger", '~> 1.0',               require: false
-  gem "rubocop", '= 1.48.1',                     require: false
+  gem "rubocop", '~> 1.50.0',                    require: false
   gem "rubocop-performance", '= 1.16.0',         require: false
   gem "rubocop-rspec", '= 2.19.0',               require: false
-  gem "puppet-strings", '~> 4.0',                require: false
   gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
 end
-group :system_tests do
-  gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw]
-  gem "serverspec", '~> 2.41',   require: false
-end
-group :release_prep do
+group :development, :release_prep do
   gem "puppet-strings", '~> 4.0',         require: false
-  gem "puppetlabs_spec_helper", '~> 6.0', require: false
+  gem "puppetlabs_spec_helper", '~> 7.0', require: false
+end
+group :system_tests do
+  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw]
+  gem "CFPropertyList", '< 3.0.7', require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "serverspec", '~> 2.41',     require: false
 end
 
 puppet_version = ENV['PUPPET_GEM_VERSION']

README.md

@@ -41,7 +41,7 @@ windows_firewall_rule { '{FCC26AEB-5C68-481A-96DA-8A404F73714C}':
   display_name          => 'Mail and Calendar',
   edge_traversal_policy => 'allow',
   enabled               => 'true',
-  icmp_type             => 'any',
+  icmp_type             => ['any'],
   interface_type        => ['any'],
   local_address         => 'any',
   local_port            => 'any',
@@ -101,15 +101,21 @@ windows_firewall_rule { "puppet - all icmpv4":
 
 You can also create a rule that only allows a specific ICMP type and code:
 ```puppet
-windows_firewall_rule { "puppet - allow icmp echo":
+windows_firewall_rule { 'puppet - allow icmp echo':
   ensure    => present,
-  direction => "inbound",
-  action    => "allow",
-  protocol  => "icmpv4",
-  icmp_type => "8:10",
+  direction => 'inbound',
+  action    => 'allow',
+  protocol  => 'icmpv4',
+  icmp_type => ['8'],
+}
+windows_firewall_rule { 'puppet - allow icmp protocol/port unreachable message':
+  ensure    => present,
+  direction => 'inbound',
+  action    => 'allow',
+  protocol  => 'icmpv4',
+  icmp_type => ['3:2','3:3'],
 }
 ```
-You need to create one rule for each `icmp_type` value (see limitations).
 
 #### Managing Ports
 
@@ -445,11 +451,8 @@ windows_firewall_profile { ['domain', 'private']:
   (obtained from: `netsh advfirewall set private`)
 
 ## Limitations
-* `netsh` is used to enumerate most rules and is very fast. In some cases 
-  `netsh` will be unable to resolve names for some rules so we fallback to
-  PowerShell instead. This is handled by the `ps-bridge.ps1`
-* Enumerate rules using PowerShell API is very slow. There's not much more that
-  can be done about this short of deleting the offending rules.
+* Enumerate rules using PowerShell API is very slow (handled by the `ps-bridge.ps1`). 
+  There's not much more that can be done about this short of deleting the offending rules.
 * Deleting (purging) rules is very slow (~5-10 minutes) This is because deleting
   these rules with PowerShell is slow. There's not much that can be done about
   this but once unwanted rules are deleted (Windows 10 ships with ~300 rules)
@@ -463,27 +466,7 @@ windows_firewall_profile { ['domain', 'private']:
 * It is not possible to edit the `grouping` for rules (netsh does not support 
   this)
 * It is not possible to edit the `localfirewallrules` or `localconsecrules` for
-  profiles (this needs corresponding group policy)
-* The Windows Advanced Firewall GUI allows multiple individual types to be set 
-  for ICMPv4 and ICMPv6 however this does not seem to be possible through the 
-  `netsh` CLI. Therefore you must create individual rules if for each type you 
-  wish to allow if you want to limit a rule in this way, eg:
-  
-  ```puppet
-  windows_firewall_rule { "allow icmp echo":
-    ensure    => present,
-    protocol  => "icmpv4",
-    icmp_type => "8",
-    action    => "allow",
-  }
-
-  windows_firewall_rule { "allow icmp time exceeded":
-    ensure    => present,
-    protocol  => "icmpv4",
-    icmp_type => "11",
-    action    => "allow",
-  }
-  ```   
+  profiles (this needs corresponding group policy)  
 
 ## Development
 

REFERENCE.md

@@ -256,7 +256,7 @@ Default value: `any`
 
 ##### `protocol`
 
-Valid values: `tcp`, `udp`, `icmpv4`, `icmpv6`, `/^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/`
+Valid values: `tcp`, `udp`, `icmpv4`, `icmpv6`, `%r{^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$}`
 
 This parameter specifies the protocol for an IPsec rule
 
@@ -499,7 +499,7 @@ Default value: `any`
 
 ##### `protocol`
 
-Valid values: `any`, `tcp`, `udp`, `icmpv4`, `icmpv6`, `/^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/`
+Valid values: `any`, `tcp`, `udp`, `icmpv4`, `icmpv6`, `%r{^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$}`
 
 the protocol the rule targets
 

Rakefile

@@ -4,85 +4,6 @@ require 'bundler'
 require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus'
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-syntax/tasks/puppet-syntax'
-require 'github_changelog_generator/task' if Gem.loaded_specs.key? 'github_changelog_generator'
 require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings'
 
-def changelog_user
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = nil || JSON.load(File.read('metadata.json'))['author']
-  raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator user:#{returnVal}"
-  returnVal
-end
-
-def changelog_project
-  return unless Rake.application.top_level_tasks.include? "changelog"
-
-  returnVal = nil
-  returnVal ||= begin
-    metadata_source = JSON.load(File.read('metadata.json'))['source']
-    metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z})
-
-    metadata_source_match && metadata_source_match[1]
-  end
-
-  raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil?
-
-  puts "GitHubChangelogGenerator project:#{returnVal}"
-  returnVal
-end
-
-def changelog_future_release
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version']
-  raise "unable to find the future_release (version) in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator future_release:#{returnVal}"
-  returnVal
-end
-
 PuppetLint.configuration.send('disable_relative')
-
-
-if Gem.loaded_specs.key? 'github_changelog_generator'
-  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?
-    config.user = "#{changelog_user}"
-    config.project = "#{changelog_project}"
-    config.future_release = "#{changelog_future_release}"
-    config.exclude_labels = ['maintenance']
-    config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
-    config.add_pr_wo_labels = true
-    config.issues = false
-    config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB"
-    config.configure_sections = {
-      "Changed" => {
-        "prefix" => "### Changed",
-        "labels" => ["backwards-incompatible"],
-      },
-      "Added" => {
-        "prefix" => "### Added",
-        "labels" => ["enhancement", "feature"],
-      },
-      "Fixed" => {
-        "prefix" => "### Fixed",
-        "labels" => ["bug", "documentation", "bugfix"],
-      },
-    }
-  end
-else
-  desc 'Generate a Changelog from GitHub'
-  task :changelog do
-    raise <<EOM
-The changelog tasks depends on recent features of the github_changelog_generator gem.
-Please manually add it to your .sync.yml for now, and run `pdk update`:
----
-Gemfile:
-  optional:
-    ':development':
-      - gem: 'github_changelog_generator'
-        version: '~> 1.15'
-        condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')"
-EOM
-  end
-end
-

lib/ps/windows_firewall/ps-bridge.ps1

@@ -97,7 +97,8 @@ function Show {
                 LocalPort           = if ($pf.LocalPort -is [object]) { $pf.LocalPort | Sort-Object } else { $pf.LocalPort.toString() }
                 RemotePort          = if ($pf.RemotePort -is [object]) { $pf.RemotePort | Sort-Object } else { $pf.RemotePort.toString() }
                 Protocol            = $pf.Protocol
-                IcmpType            = $pf.IcmpType
+                # Do not sort as sorting is already done in the object provided
+                IcmpType            = if ($pf.IcmpType -is [object]) { $pf.IcmpType } else { $pf.IcmpType.toString() }
                 # Application Filter
                 Program             = $appf.Program
                 # Interface Filter
@@ -268,7 +269,7 @@ function update {
         $params.Add("ProtocolCode", $ProtocolCode)
     }
     if ($IcmpType) {
-        $params.Add("IcmpType", $IcmpType)
+        $params.Add("IcmpType", ($IcmpType -split ','))
     }
     # `$LocalPort` and `$RemotePort` will always be strings since we were
     # invoked with `powershell -File`, rather then refactor the loader to use