Merge pull request #301 from myii/ci/add-freebsd-vagrant-in-github-actions

ci: enable Vagrant-based testing using GitHub Actions
This commit is contained in:
Imran Iqbal 2021-04-03 23:29:09 +01:00 committed by GitHub
commit 0df537a2da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 425 additions and 16 deletions

36
.github/workflows/kitchen.vagrant.yml vendored Normal file
View File

@ -0,0 +1,36 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
name: 'Kitchen Vagrant (FreeBSD)'
'on': ['push', 'pull_request']
env:
KITCHEN_LOCAL_YAML: 'kitchen.vagrant.yml'
jobs:
test:
runs-on: 'macos-10.15'
strategy:
fail-fast: false
matrix:
instance:
# - default-freebsd-122-latest-py3
- freebsd-122-latest-py3
# - default-freebsd-114-latest-py3
- freebsd-114-latest-py3
steps:
- name: 'Check out code'
uses: 'actions/checkout@v2'
- name: 'Set up Bundler cache'
uses: 'actions/cache@v1'
with:
path: 'vendor/bundle'
key: "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}"
restore-keys: "${{ runner.os }}-gems-"
- name: 'Run Bundler'
run: |
ruby --version
bundle config path vendor/bundle
bundle install --jobs 4 --retry 3
- name: 'Run Test Kitchen'
run: 'bundle exec kitchen verify ${{ matrix.instance }}'

View File

@ -12,3 +12,7 @@ gem 'kitchen-docker', git: 'https://gitlab.com/saltstack-formulas/infrastructure
# rubocop:enable Layout/LineLength # rubocop:enable Layout/LineLength
gem 'kitchen-inspec', '>= 2.2.1' gem 'kitchen-inspec', '>= 2.2.1'
gem 'kitchen-salt', '>= 0.6.3' gem 'kitchen-salt', '>= 0.6.3'
group :vagrant do
gem 'kitchen-vagrant'
end

View File

@ -292,6 +292,8 @@ GEM
kitchen-salt (0.6.3) kitchen-salt (0.6.3)
hashie (>= 3.5) hashie (>= 3.5)
test-kitchen (>= 1.4) test-kitchen (>= 1.4)
kitchen-vagrant (1.7.0)
test-kitchen (>= 1.4, < 3)
libyajl2 (1.2.0) libyajl2 (1.2.0)
license-acceptance (1.0.19) license-acceptance (1.0.19)
pastel (~> 0.7) pastel (~> 0.7)
@ -525,6 +527,7 @@ DEPENDENCIES
kitchen-docker! kitchen-docker!
kitchen-inspec (>= 2.2.1) kitchen-inspec (>= 2.2.1)
kitchen-salt (>= 0.6.3) kitchen-salt (>= 0.6.3)
kitchen-vagrant
BUNDLED WITH BUNDLED WITH
2.1.2 2.1.2

View File

@ -1,3 +1,7 @@
#
# This file is managed by Salt! Do not edit by hand!
#
# #
# This is the main Apache HTTP server configuration file. It contains the # This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions. # configuration directives that give the server its instructions.

View File

@ -0,0 +1,241 @@
{%- set apache = pillar.get('apache', {}) %}
{%- set modsec = apache.get('mod_security', {}) %}
{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
#
# This file is managed by Salt! Do not edit by hand!
# Modify the salt pillar that generates this file instead
#
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
SecRuleEngine {{ sec_rule_engine }}
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess {{ sec_request_body_access }}
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit {{ sec_request_body_limit }}
SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit {{ sec_pcre_match_limit }}
SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/
# -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel {{ sec_debug_log_level }}
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
# -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127
# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On

View File

@ -23,3 +23,10 @@ Suse:
manage_config: false manage_config: false
package: apache2-mod_security2 package: apache2-mod_security2
config_file: /etc/apache2/conf.d/mod_security2.conf config_file: /etc/apache2/conf.d/mod_security2.conf
FreeBSD:
mod_security:
crs_install: false
manage_config: false
package: ap24-mod_security
config_file: /usr/local/etc/modsecurity/modsecurity.conf

View File

@ -202,7 +202,9 @@ FreeBSD:
confext: '' confext: ''
default_site: default default_site: default
default_site_ssl: default-ssl default_site_ssl: default-ssl
moddir: /usr/local/etc/apache24/modules.d
logdir: /var/log/ logdir: /var/log/
logrotatedir: /usr/local/etc/logrotate.d/apache2
wwwdir: /usr/local/www/apache24/ wwwdir: /usr/local/www/apache24/
OpenBSD: OpenBSD:

View File

@ -325,7 +325,7 @@ e.g. ``debian-9-2019-2-py3``.
``bin/kitchen converge`` ``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^
Creates the docker instance and runs the ``template`` main state, ready for testing. Creates the docker instance and runs the ``apache`` main states, ready for testing.
``bin/kitchen verify`` ``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
@ -346,3 +346,65 @@ Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``veri
^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^
Gives you SSH access to the instance for manual testing. Gives you SSH access to the instance for manual testing.
Testing with Vagrant
--------------------
Windows/FreeBSD/OpenBSD testing is done with ``kitchen-salt``.
Requirements
^^^^^^^^^^^^
* Ruby
* Virtualbox
* Vagrant
Setup
^^^^^
.. code-block:: bash
$ gem install bundler
$ bundle install --with=vagrant
$ bin/kitchen test [platform]
Where ``[platform]`` is the platform name defined in ``kitchen.vagrant.yml``,
e.g. ``windows-81-latest-py3``.
Note
^^^^
When testing using Vagrant you must set the environment variable ``KITCHEN_LOCAL_YAML`` to ``kitchen.vagrant.yml``. For example:
.. code-block:: bash
$ KITCHEN_LOCAL_YAML=kitchen.vagrant.yml bin/kitchen test # Alternatively,
$ export KITCHEN_LOCAL_YAML=kitchen.vagrant.yml
$ bin/kitchen test
Then run the following commands as needed.
``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^
Creates the Vagrant instance and runs the ``apache`` main states, ready for testing.
``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^
Runs the ``inspec`` tests on the actual instance.
``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^
Removes the Vagrant instance.
``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^
Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.
``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^
Gives you RDP/SSH access to the instance for manual testing.

23
kitchen.vagrant.yml Normal file
View File

@ -0,0 +1,23 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
driver:
name: vagrant
cache_directory: false
customize:
usbxhci: 'off'
gui: false
linked_clone: true
ssh:
shell: /bin/sh
platforms:
- name: freebsd-122-latest-py3
driver:
box: bento/freebsd-12.2
- name: freebsd-114-latest-py3
driver:
box: bento/freebsd-11.4
provisioner:
salt_install: bootstrap

View File

@ -28,9 +28,11 @@ control 'apache configuration' do
sitesdir = '/etc/httpd/sites-enabled' sitesdir = '/etc/httpd/sites-enabled'
when 'bsd' when 'bsd'
vhostdir = '/usr/local/etc/apache24/Includes' vhostdir = '/usr/local/etc/apache24/Includes'
# logrotatedir = ? logrotatedir = '/usr/local/etc/logrotate.d/apache2'
# moddir = '?' moddir = '/usr/local/etc/apache24/modules.d'
# sitesdir = '?' # https://docs.freebsd.org/en/books/handbook/network-servers/#_virtual_hosting
# All done under `/usr/local/etc/apache24/httpd.conf`
sitesdir = '/usr/local/etc/apache24'
end end
describe file(vhostdir) do describe file(vhostdir) do
it { should exist } it { should exist }
@ -56,6 +58,7 @@ end
control 'apache configuration (unique)' do control 'apache configuration (unique)' do
title 'should be valid' title 'should be valid'
config_file_group = 'root'
case platform[:family] case platform[:family]
when 'debian' when 'debian'
config_file = '/etc/apache2/apache2.conf' config_file = '/etc/apache2/apache2.conf'
@ -74,11 +77,12 @@ control 'apache configuration (unique)' do
wwwdir = '/srv/http' wwwdir = '/srv/http'
when 'bsd' when 'bsd'
config_file = '/usr/local/etc/apache24/httpd.conf' config_file = '/usr/local/etc/apache24/httpd.conf'
config_file_group = 'wheel'
wwwdir = '/usr/local/www/apache24/' wwwdir = '/usr/local/www/apache24/'
end end
describe file(config_file) do describe file(config_file) do
it { should be_file } it { should be_file }
it { should be_grouped_into 'root' } it { should be_grouped_into config_file_group }
its('mode') { should cmp '0644' } its('mode') { should cmp '0644' }
its('content') do its('content') do
should include( should include(

View File

@ -34,9 +34,11 @@ control 'apache configuration' do
when 'bsd' when 'bsd'
vhostdir = '/usr/local/etc/apache24/Includes' vhostdir = '/usr/local/etc/apache24/Includes'
logdir = '/var/log' logdir = '/var/log'
# logrotatedir = ? logrotatedir = '/usr/local/etc/logrotate.d/apache2'
# moddir = '?' moddir = '/usr/local/etc/apache24/modules.d'
# sitesdir = '?' # https://docs.freebsd.org/en/books/handbook/network-servers/#_virtual_hosting
# All done under `/usr/local/etc/apache24/httpd.conf`
sitesdir = '/usr/local/etc/apache24'
end end
describe command(apachectl) do describe command(apachectl) do
its('stdout') { should eq '' } its('stdout') { should eq '' }
@ -72,6 +74,7 @@ end
control 'apache configuration (unique)' do control 'apache configuration (unique)' do
title 'should match desired lines' title 'should match desired lines'
config_file_group = 'root'
case platform[:family] case platform[:family]
when 'debian' when 'debian'
config_file = '/etc/apache2/apache2.conf' config_file = '/etc/apache2/apache2.conf'
@ -90,11 +93,12 @@ control 'apache configuration (unique)' do
wwwdir = '/srv/http' wwwdir = '/srv/http'
when 'bsd' when 'bsd'
config_file = '/usr/local/etc/apache24/httpd.conf' config_file = '/usr/local/etc/apache24/httpd.conf'
config_file_group = 'wheel'
wwwdir = '/usr/local/www/apache24/' wwwdir = '/usr/local/www/apache24/'
end end
describe file(config_file) do describe file(config_file) do
it { should be_file } it { should be_file }
it { should be_grouped_into 'root' } it { should be_grouped_into config_file_group }
its('mode') { should cmp '0644' } its('mode') { should cmp '0644' }
its('content') do its('content') do
should include( should include(

View File

@ -8,20 +8,30 @@ control 'apache mod_security configuration' do
end end
modspec_file = modspec_file =
case platform[:family] case system.platform[:family]
when 'redhat', 'fedora' when 'redhat', 'fedora'
'/etc/httpd/conf.d/mod_security.conf' '/etc/httpd/conf.d/mod_security.conf'
when 'debian' when 'debian'
'/etc/modsecurity/modsecurity.conf-recommended' '/etc/modsecurity/modsecurity.conf-recommended'
when 'suse' when 'suse'
'/etc/apache2/conf.d/mod_security2.conf' '/etc/apache2/conf.d/mod_security2.conf'
when 'bsd'
'/usr/local/etc/modsecurity/modsecurity.conf'
end
modspec_file_group =
case system.platform[:family]
when 'bsd'
'wheel'
else
'root'
end end
describe file(modspec_file) do describe file(modspec_file) do
it { should be_file } it { should be_file }
its('mode') { should cmp '0644' } its('mode') { should cmp '0644' }
its('owner') { should eq 'root' } its('owner') { should eq 'root' }
its('group') { should eq 'root' } its('group') { should eq modspec_file_group }
its('content') { should match(/SecRuleEngine On/) } its('content') { should match(/SecRuleEngine On/) }
its('content') { should match(/SecRequestBodyAccess On/) } its('content') { should match(/SecRequestBodyAccess On/) }
its('content') { should match(/SecRequestBodyLimit 14000000/) } its('content') { should match(/SecRequestBodyLimit 14000000/) }

View File

@ -13,22 +13,31 @@ control 'apache server_status configuration' do
SS_STANZA SS_STANZA
confdir = confdir =
case platform[:family] case system.platform[:family]
when 'debian' when 'debian'
'/etc/apache2/conf-available' '/etc/apache2/conf-available'
when 'redhat', 'fedora' when 'redhat', 'fedora'
'/etc/httpd/conf.d' '/etc/httpd/conf.d'
when 'suse' when 'suse'
'/etc/apache2/conf.d' '/etc/apache2/conf.d'
# `linux` here is sufficient for `arch` when 'arch'
when 'linux'
'/etc/httpd/conf/extra' '/etc/httpd/conf/extra'
when 'bsd'
'/usr/local/etc/apache24/extra'
end end
describe file("#{confdir}/server-status.conf") do conffile, conffile_group =
case system.platform[:family]
when 'bsd'
%W[#{confdir}/server-status wheel]
else
%W[#{confdir}/server-status.conf root]
end
describe file(conffile) do
it { should be_file } it { should be_file }
it { should be_owned_by 'root' } it { should be_owned_by 'root' }
it { should be_grouped_into 'root' } it { should be_grouped_into conffile_group }
its('mode') { should cmp '0644' } its('mode') { should cmp '0644' }
its('content') { should include '# File managed by Salt' } its('content') { should include '# File managed by Salt' }
its('content') { should include server_status_stanza } its('content') { should include server_status_stanza }