test(map): verify map.jinja dump using _mapdata state

* Semi-automated using https://github.com/myii/ssf-formula/pull/286
This commit is contained in:
Imran Iqbal 2020-12-26 08:00:04 +00:00
parent a615af103e
commit 22869e0c7f
No known key found for this signature in database
GPG Key ID: 6D8629439D2B7819
12 changed files with 222 additions and 190 deletions

View File

@ -10,7 +10,6 @@
# SECTION: Owner(s) for specific directories # SECTION: Owner(s) for specific directories
# FILE PATTERN OWNER(S) # FILE PATTERN OWNER(S)
/test/ @myii
# SECTION: Owner(s) for files/directories related to `semantic-release` # SECTION: Owner(s) for files/directories related to `semantic-release`
# FILE PATTERN OWNER(S) # FILE PATTERN OWNER(S)
@ -20,8 +19,11 @@
/docs/AUTHORS.rst @saltstack-formulas/ssf /docs/AUTHORS.rst @saltstack-formulas/ssf
/docs/CHANGELOG.rst @saltstack-formulas/ssf /docs/CHANGELOG.rst @saltstack-formulas/ssf
/docs/TOFS_pattern.rst @saltstack-formulas/ssf /docs/TOFS_pattern.rst @saltstack-formulas/ssf
/*/_mapdata/ @saltstack-formulas/ssf
/*/libsaltcli.jinja @saltstack-formulas/ssf /*/libsaltcli.jinja @saltstack-formulas/ssf
/*/libtofs.jinja @saltstack-formulas/ssf /*/libtofs.jinja @saltstack-formulas/ssf
/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf
/test/integration/**/libraries/system.rb @saltstack-formulas/ssf
/test/integration/**/inspec.yml @saltstack-formulas/ssf /test/integration/**/inspec.yml @saltstack-formulas/ssf
/test/integration/**/README.md @saltstack-formulas/ssf /test/integration/**/README.md @saltstack-formulas/ssf
/.gitignore @saltstack-formulas/ssf /.gitignore @saltstack-formulas/ssf

View File

@ -0,0 +1,13 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get("osfinger", grains.os) }}
---
{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
{{ salt["slsutil.serialize"](
"yaml",
map,
default_flow_style=False,
allow_unicode=True,
)
| regex_replace("^\s+'$", "'", multiline=True)
| trim
}}

View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split("/")[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld with context %}
{%- set _mapdata = {
"values": {
"firewalld": firewalld,
}
} %}
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}
{{ tplroot }}-mapdata-dump:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
- template: jinja
- context:
map: {{ _mapdata | yaml }}

View File

@ -1,16 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
---
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}
{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}
yaml-dump-{{ tplroot }}:
file.managed:
- name: {{ output_file }}
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
- template: jinja
- context:
map: {{ map | yaml }}

View File

@ -1,4 +0,0 @@
# yamllint disable rule:indentation rule:line-length
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
---
{{ map|yaml(False)|trim }}

View File

@ -156,7 +156,7 @@ suites:
state_top: state_top:
base: base:
'*': '*':
- firewalld.yaml_dump - firewalld._mapdata
- firewalld - firewalld
pillars: pillars:
top.sls: top.sls:

View File

@ -0,0 +1,47 @@
# frozen_string_literal: true
require 'yaml'
control '`map.jinja` YAML dump' do
title 'should match the comparison file'
### Method
# The steps below for each file appear convoluted but they are both required
# and similar in nature:
# 1. The earliest method was to simply compare the files textually but this often
# led to false positives due to inconsistencies (e.g. spacing, ordering)
# 2. The next method was to load the files back into YAML structures and then
# compare but InSpec provided block diffs this way, unusable by end users
# 3. The final step was to dump the YAML structures back into a string to use
# for the comparison; this both worked and provided human-friendly diffs
### Comparison file for the specific platform
### Static, adjusted as part of code contributions, as map data is changed
# Strip the `platform[:finger]` version number down to the "OS major release"
platform_finger = system.platform[:finger].split('.').first.to_s
# Use that to set the path to the file (relative to the InSpec suite directory)
mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
# Load the mapdata from profile, into a YAML structure
# https://docs.chef.io/inspec/profiles/#profile-files
mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
# Dump the YAML back into a string for comparison
mapdata_file_dump = YAML.dump(mapdata_file_yaml)
### Output file produced by running the `_mapdata` state
### Dynamic, generated during Kitchen's `converge` phase
# Derive the location of the dumped mapdata (differs for Windows)
output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
# Use that to set the path to the file (absolute path, i.e. within the container)
output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
# Load the output into a YAML structure using InSpec's `yaml` resource
# https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
output_file_yaml = yaml(output_file_path).params
# Dump the YAML back into a string for comparison
output_file_dump = YAML.dump(output_file_yaml)
describe 'File content' do
it 'should match profile map data exactly' do
expect(output_file_dump).to eq(mapdata_file_dump)
end
end
end

View File

@ -1,168 +0,0 @@
# frozen_string_literal: true
control 'firewalld `map.jinja` YAML dump' do
title 'should contain the lines'
yaml_dump = "---\n"
yaml_dump += <<~YAML_DUMP.chomp
AllowZoneDrifting: 'no'
AutomaticHelpers: system
FirewallBackend: nftables
FlushAllOnReload: 'yes'
IndividualCalls: 'no'
LogDenied: 'off'
RFC3964_IPv4: 'yes'
arch: amd64
backend:
manage: true
pkg: nftables
config: /etc/firewalld.conf
default_zone: public
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: '0'
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-j ACCEPT
passthrough:
MYPASSTHROUGH:
ipv: ipv4
args: -t raw -A MYCHAIN -j DROP
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh ipset
type: hash:ip
options:
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 10.0.0.1
fail2ban-ssh-ipv6:
short: fail2ban-ssh-ipv6
description: fail2ban-ssh-ipv6 ipset
type: hash:ip
options:
family:
- inet6
maxelem:
- 65536
timeout:
- 300
hashsize:
- 1024
entries:
- 2a01::1
package: firewalld
service: firewalld
services:
sshcustom:
short: sshcustom
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
into and executing commands on remote machines. It provides secure encrypted
communications. If you plan on accessing your machine remotely via SSH over
a firewalled interface, enable this option. You need the openssh-server package
installed for this option to be useful.
ports:
tcp:
- 3232
- 5252
modules:
- some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations:
ipv4:
- 224.0.0.251
- 224.0.0.252
ipv6:
- ff02::fb
- ff02::fc
zabbixcustom:
short: Zabbixcustom
description: zabbix custom rule
ports:
tcp:
- '10051'
salt-minion:
short: salt-minion
description: salt-minion
ports:
tcp:
- '8000'
zones:
public:
short: Public
description: For use in public areas. You do not trust the other computers on
networks to not harm your computer. Only selected incoming connections are accepted.
services:
- http
- https
- ssh
- salt-minion
other_services:
- zabbixcustom
protocols:
- igmp
rich_rules:
- family: ipv4
source:
address: 8.8.8.8/24
accept: true
- family: ipv4
ipset:
name: fail2ban-ssh
reject:
type: icmp-port-unreachable
ports:
- comment: zabbix-agent
port: 10050
protocol: tcp
- comment: bacula-client
port: 9102
protocol: tcp
- comment: vsftpd
port: 21
protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
rich_public:
short: rich_public
description: Example
rich_rules:
ssh-csg:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
YAML_DUMP
describe file('/tmp/salt_yaml_dump.yaml') do
its('content') { should include yaml_dump }
end
end

View File

@ -6,6 +6,9 @@ title: firewalld formula
maintainer: SaltStack Formulas maintainer: SaltStack Formulas
license: Apache-2.0 license: Apache-2.0
summary: Verify that the firewalld formula is setup and configured correctly summary: Verify that the firewalld formula is setup and configured correctly
depends:
- name: share
path: test/integration/share
supports: supports:
- platform-name: debian - platform-name: debian
- platform-name: ubuntu - platform-name: ubuntu

View File

@ -0,0 +1,21 @@
# InSpec Profile: `share`
This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
Its goal is to share the libraries between all profiles.
## Libraries
### `system`
The `system` library provides easy access to system dependent information:
- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
- `system.platform[:family]` provide a family name for Arch and Gentoo
- `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
- `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
- `Arch` is always `base-latest`
- `Amazon Linux` release `2018` is resolved as `1`
- `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
- `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
- `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)

View File

@ -0,0 +1,21 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
name: share
title: InSpec shared resources
maintainer: SaltStack Formulas
license: Apache-2.0
summary: shared resources
supports:
- platform-name: debian
- platform-name: ubuntu
- platform-name: centos
- platform-name: fedora
- platform-name: opensuse
- platform-name: suse
- platform-name: freebsd
- platform-name: amazon
- platform-name: oracle
- platform-name: arch
- platform-name: gentoo
- platform: windows

View File

@ -0,0 +1,89 @@
# frozen_string_literal: true
# system.rb -- InSpec resources for system values
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
class SystemResource < Inspec.resource(1)
name 'system'
attr_reader :platform
def initialize
super
@platform = build_platform
end
private
def build_platform
{
family: build_platform_family,
name: build_platform_name,
release: build_platform_release,
finger: build_platform_finger
}
end
def build_platform_family
case inspec.platform[:name]
when 'arch', 'gentoo'
inspec.platform[:name]
else
inspec.platform[:family]
end
end
def build_platform_name
case inspec.platform[:name]
when 'amazon', 'oracle'
"#{inspec.platform[:name]}linux"
when 'windows_8.1_pro', 'windows_server_2019_datacenter'
'windows'
else
inspec.platform[:name]
end
end
# rubocop:disable Metrics/MethodLength
def build_platform_release
case inspec.platform[:name]
when 'amazon'
# `2018` relase is named `1` in kitchen.yaml
inspec.platform[:release].gsub(/2018.*/, '1')
when 'arch'
'base-latest'
when 'gentoo'
"#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
when 'windows_8.1_pro'
'8.1'
when 'windows_server_2019_datacenter'
'2019-server'
else
inspec.platform[:release]
end
end
# rubocop:enable Metrics/MethodLength
def derive_gentoo_init_system
case inspec.command('systemctl').exist?
when true
'sysd'
else
'sysv'
end
end
def build_platform_finger
"#{build_platform_name}-#{build_finger_release}"
end
def build_finger_release
case inspec.platform[:name]
when 'ubuntu'
build_platform_release.split('.').slice(0, 2).join('.')
else
build_platform_release.split('.')[0]
end
end
end