test(map): verify map.jinja
dump using _mapdata
state
* Semi-automated using https://github.com/myii/ssf-formula/pull/286
This commit is contained in:
parent
a615af103e
commit
22869e0c7f
@ -10,7 +10,6 @@
|
|||||||
|
|
||||||
# SECTION: Owner(s) for specific directories
|
# SECTION: Owner(s) for specific directories
|
||||||
# FILE PATTERN OWNER(S)
|
# FILE PATTERN OWNER(S)
|
||||||
/test/ @myii
|
|
||||||
|
|
||||||
# SECTION: Owner(s) for files/directories related to `semantic-release`
|
# SECTION: Owner(s) for files/directories related to `semantic-release`
|
||||||
# FILE PATTERN OWNER(S)
|
# FILE PATTERN OWNER(S)
|
||||||
@ -20,8 +19,11 @@
|
|||||||
/docs/AUTHORS.rst @saltstack-formulas/ssf
|
/docs/AUTHORS.rst @saltstack-formulas/ssf
|
||||||
/docs/CHANGELOG.rst @saltstack-formulas/ssf
|
/docs/CHANGELOG.rst @saltstack-formulas/ssf
|
||||||
/docs/TOFS_pattern.rst @saltstack-formulas/ssf
|
/docs/TOFS_pattern.rst @saltstack-formulas/ssf
|
||||||
|
/*/_mapdata/ @saltstack-formulas/ssf
|
||||||
/*/libsaltcli.jinja @saltstack-formulas/ssf
|
/*/libsaltcli.jinja @saltstack-formulas/ssf
|
||||||
/*/libtofs.jinja @saltstack-formulas/ssf
|
/*/libtofs.jinja @saltstack-formulas/ssf
|
||||||
|
/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf
|
||||||
|
/test/integration/**/libraries/system.rb @saltstack-formulas/ssf
|
||||||
/test/integration/**/inspec.yml @saltstack-formulas/ssf
|
/test/integration/**/inspec.yml @saltstack-formulas/ssf
|
||||||
/test/integration/**/README.md @saltstack-formulas/ssf
|
/test/integration/**/README.md @saltstack-formulas/ssf
|
||||||
/.gitignore @saltstack-formulas/ssf
|
/.gitignore @saltstack-formulas/ssf
|
||||||
|
13
firewalld/_mapdata/_mapdata.jinja
Normal file
13
firewalld/_mapdata/_mapdata.jinja
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
# yamllint disable rule:indentation rule:line-length
|
||||||
|
# {{ grains.get("osfinger", grains.os) }}
|
||||||
|
---
|
||||||
|
{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
|
||||||
|
{{ salt["slsutil.serialize"](
|
||||||
|
"yaml",
|
||||||
|
map,
|
||||||
|
default_flow_style=False,
|
||||||
|
allow_unicode=True,
|
||||||
|
)
|
||||||
|
| regex_replace("^\s+'$", "'", multiline=True)
|
||||||
|
| trim
|
||||||
|
}}
|
24
firewalld/_mapdata/init.sls
Normal file
24
firewalld/_mapdata/init.sls
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# vim: ft=sls
|
||||||
|
---
|
||||||
|
{#- Get the `tplroot` from `tpldir` #}
|
||||||
|
{%- set tplroot = tpldir.split("/")[0] %}
|
||||||
|
{%- from tplroot ~ "/map.jinja" import firewalld with context %}
|
||||||
|
|
||||||
|
{%- set _mapdata = {
|
||||||
|
"values": {
|
||||||
|
"firewalld": firewalld,
|
||||||
|
}
|
||||||
|
} %}
|
||||||
|
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
|
||||||
|
|
||||||
|
{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
|
||||||
|
{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}
|
||||||
|
|
||||||
|
{{ tplroot }}-mapdata-dump:
|
||||||
|
file.managed:
|
||||||
|
- name: {{ output_file }}
|
||||||
|
- source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
|
||||||
|
- template: jinja
|
||||||
|
- context:
|
||||||
|
map: {{ _mapdata | yaml }}
|
@ -1,16 +0,0 @@
|
|||||||
# -*- coding: utf-8 -*-
|
|
||||||
# vim: ft=sls
|
|
||||||
---
|
|
||||||
{#- Get the `tplroot` from `tpldir` #}
|
|
||||||
{%- set tplroot = tpldir.split('/')[0] %}
|
|
||||||
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}
|
|
||||||
|
|
||||||
{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}
|
|
||||||
|
|
||||||
yaml-dump-{{ tplroot }}:
|
|
||||||
file.managed:
|
|
||||||
- name: {{ output_file }}
|
|
||||||
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
|
|
||||||
- template: jinja
|
|
||||||
- context:
|
|
||||||
map: {{ map | yaml }}
|
|
@ -1,4 +0,0 @@
|
|||||||
# yamllint disable rule:indentation rule:line-length
|
|
||||||
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
|
|
||||||
---
|
|
||||||
{{ map|yaml(False)|trim }}
|
|
@ -156,7 +156,7 @@ suites:
|
|||||||
state_top:
|
state_top:
|
||||||
base:
|
base:
|
||||||
'*':
|
'*':
|
||||||
- firewalld.yaml_dump
|
- firewalld._mapdata
|
||||||
- firewalld
|
- firewalld
|
||||||
pillars:
|
pillars:
|
||||||
top.sls:
|
top.sls:
|
||||||
|
47
test/integration/default/controls/_mapdata_spec.rb
Normal file
47
test/integration/default/controls/_mapdata_spec.rb
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'yaml'
|
||||||
|
|
||||||
|
control '`map.jinja` YAML dump' do
|
||||||
|
title 'should match the comparison file'
|
||||||
|
|
||||||
|
### Method
|
||||||
|
# The steps below for each file appear convoluted but they are both required
|
||||||
|
# and similar in nature:
|
||||||
|
# 1. The earliest method was to simply compare the files textually but this often
|
||||||
|
# led to false positives due to inconsistencies (e.g. spacing, ordering)
|
||||||
|
# 2. The next method was to load the files back into YAML structures and then
|
||||||
|
# compare but InSpec provided block diffs this way, unusable by end users
|
||||||
|
# 3. The final step was to dump the YAML structures back into a string to use
|
||||||
|
# for the comparison; this both worked and provided human-friendly diffs
|
||||||
|
|
||||||
|
### Comparison file for the specific platform
|
||||||
|
### Static, adjusted as part of code contributions, as map data is changed
|
||||||
|
# Strip the `platform[:finger]` version number down to the "OS major release"
|
||||||
|
platform_finger = system.platform[:finger].split('.').first.to_s
|
||||||
|
# Use that to set the path to the file (relative to the InSpec suite directory)
|
||||||
|
mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
|
||||||
|
# Load the mapdata from profile, into a YAML structure
|
||||||
|
# https://docs.chef.io/inspec/profiles/#profile-files
|
||||||
|
mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
|
||||||
|
# Dump the YAML back into a string for comparison
|
||||||
|
mapdata_file_dump = YAML.dump(mapdata_file_yaml)
|
||||||
|
|
||||||
|
### Output file produced by running the `_mapdata` state
|
||||||
|
### Dynamic, generated during Kitchen's `converge` phase
|
||||||
|
# Derive the location of the dumped mapdata (differs for Windows)
|
||||||
|
output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
|
||||||
|
# Use that to set the path to the file (absolute path, i.e. within the container)
|
||||||
|
output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
|
||||||
|
# Load the output into a YAML structure using InSpec's `yaml` resource
|
||||||
|
# https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
|
||||||
|
output_file_yaml = yaml(output_file_path).params
|
||||||
|
# Dump the YAML back into a string for comparison
|
||||||
|
output_file_dump = YAML.dump(output_file_yaml)
|
||||||
|
|
||||||
|
describe 'File content' do
|
||||||
|
it 'should match profile map data exactly' do
|
||||||
|
expect(output_file_dump).to eq(mapdata_file_dump)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
@ -1,168 +0,0 @@
|
|||||||
# frozen_string_literal: true
|
|
||||||
|
|
||||||
control 'firewalld `map.jinja` YAML dump' do
|
|
||||||
title 'should contain the lines'
|
|
||||||
|
|
||||||
yaml_dump = "---\n"
|
|
||||||
yaml_dump += <<~YAML_DUMP.chomp
|
|
||||||
AllowZoneDrifting: 'no'
|
|
||||||
AutomaticHelpers: system
|
|
||||||
FirewallBackend: nftables
|
|
||||||
FlushAllOnReload: 'yes'
|
|
||||||
IndividualCalls: 'no'
|
|
||||||
LogDenied: 'off'
|
|
||||||
RFC3964_IPv4: 'yes'
|
|
||||||
arch: amd64
|
|
||||||
backend:
|
|
||||||
manage: true
|
|
||||||
pkg: nftables
|
|
||||||
config: /etc/firewalld.conf
|
|
||||||
default_zone: public
|
|
||||||
direct:
|
|
||||||
chain:
|
|
||||||
MYCHAIN:
|
|
||||||
ipv: ipv4
|
|
||||||
table: raw
|
|
||||||
rule:
|
|
||||||
INTERNETACCESS:
|
|
||||||
ipv: ipv4
|
|
||||||
table: filter
|
|
||||||
chain: FORWARD
|
|
||||||
priority: '0'
|
|
||||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
|
||||||
-j ACCEPT
|
|
||||||
passthrough:
|
|
||||||
MYPASSTHROUGH:
|
|
||||||
ipv: ipv4
|
|
||||||
args: -t raw -A MYCHAIN -j DROP
|
|
||||||
enabled: true
|
|
||||||
ipset:
|
|
||||||
manage: true
|
|
||||||
pkg: ipset
|
|
||||||
ipsets:
|
|
||||||
fail2ban-ssh:
|
|
||||||
short: fail2ban-ssh
|
|
||||||
description: fail2ban-ssh ipset
|
|
||||||
type: hash:ip
|
|
||||||
options:
|
|
||||||
maxelem:
|
|
||||||
- 65536
|
|
||||||
timeout:
|
|
||||||
- 300
|
|
||||||
hashsize:
|
|
||||||
- 1024
|
|
||||||
entries:
|
|
||||||
- 10.0.0.1
|
|
||||||
fail2ban-ssh-ipv6:
|
|
||||||
short: fail2ban-ssh-ipv6
|
|
||||||
description: fail2ban-ssh-ipv6 ipset
|
|
||||||
type: hash:ip
|
|
||||||
options:
|
|
||||||
family:
|
|
||||||
- inet6
|
|
||||||
maxelem:
|
|
||||||
- 65536
|
|
||||||
timeout:
|
|
||||||
- 300
|
|
||||||
hashsize:
|
|
||||||
- 1024
|
|
||||||
entries:
|
|
||||||
- 2a01::1
|
|
||||||
package: firewalld
|
|
||||||
service: firewalld
|
|
||||||
services:
|
|
||||||
sshcustom:
|
|
||||||
short: sshcustom
|
|
||||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
|
|
||||||
into and executing commands on remote machines. It provides secure encrypted
|
|
||||||
communications. If you plan on accessing your machine remotely via SSH over
|
|
||||||
a firewalled interface, enable this option. You need the openssh-server package
|
|
||||||
installed for this option to be useful.
|
|
||||||
ports:
|
|
||||||
tcp:
|
|
||||||
- 3232
|
|
||||||
- 5252
|
|
||||||
modules:
|
|
||||||
- some_module_to_load
|
|
||||||
protocols:
|
|
||||||
- igmp
|
|
||||||
source_ports:
|
|
||||||
tcp:
|
|
||||||
- 21
|
|
||||||
destinations:
|
|
||||||
ipv4:
|
|
||||||
- 224.0.0.251
|
|
||||||
- 224.0.0.252
|
|
||||||
ipv6:
|
|
||||||
- ff02::fb
|
|
||||||
- ff02::fc
|
|
||||||
zabbixcustom:
|
|
||||||
short: Zabbixcustom
|
|
||||||
description: zabbix custom rule
|
|
||||||
ports:
|
|
||||||
tcp:
|
|
||||||
- '10051'
|
|
||||||
salt-minion:
|
|
||||||
short: salt-minion
|
|
||||||
description: salt-minion
|
|
||||||
ports:
|
|
||||||
tcp:
|
|
||||||
- '8000'
|
|
||||||
zones:
|
|
||||||
public:
|
|
||||||
short: Public
|
|
||||||
description: For use in public areas. You do not trust the other computers on
|
|
||||||
networks to not harm your computer. Only selected incoming connections are accepted.
|
|
||||||
services:
|
|
||||||
- http
|
|
||||||
- https
|
|
||||||
- ssh
|
|
||||||
- salt-minion
|
|
||||||
other_services:
|
|
||||||
- zabbixcustom
|
|
||||||
protocols:
|
|
||||||
- igmp
|
|
||||||
rich_rules:
|
|
||||||
- family: ipv4
|
|
||||||
source:
|
|
||||||
address: 8.8.8.8/24
|
|
||||||
accept: true
|
|
||||||
- family: ipv4
|
|
||||||
ipset:
|
|
||||||
name: fail2ban-ssh
|
|
||||||
reject:
|
|
||||||
type: icmp-port-unreachable
|
|
||||||
ports:
|
|
||||||
- comment: zabbix-agent
|
|
||||||
port: 10050
|
|
||||||
protocol: tcp
|
|
||||||
- comment: bacula-client
|
|
||||||
port: 9102
|
|
||||||
protocol: tcp
|
|
||||||
- comment: vsftpd
|
|
||||||
port: 21
|
|
||||||
protocol: tcp
|
|
||||||
source_ports:
|
|
||||||
- comment: something
|
|
||||||
port: 2222
|
|
||||||
protocol: tcp
|
|
||||||
- comment: something_else
|
|
||||||
port: 4444
|
|
||||||
protocol: tcp
|
|
||||||
rich_public:
|
|
||||||
short: rich_public
|
|
||||||
description: Example
|
|
||||||
rich_rules:
|
|
||||||
ssh-csg:
|
|
||||||
accept: true
|
|
||||||
ipsets:
|
|
||||||
- fail2ban-ssh
|
|
||||||
- other-ipset
|
|
||||||
services:
|
|
||||||
- ssh
|
|
||||||
YAML_DUMP
|
|
||||||
|
|
||||||
describe file('/tmp/salt_yaml_dump.yaml') do
|
|
||||||
its('content') { should include yaml_dump }
|
|
||||||
end
|
|
||||||
end
|
|
@ -6,6 +6,9 @@ title: firewalld formula
|
|||||||
maintainer: SaltStack Formulas
|
maintainer: SaltStack Formulas
|
||||||
license: Apache-2.0
|
license: Apache-2.0
|
||||||
summary: Verify that the firewalld formula is setup and configured correctly
|
summary: Verify that the firewalld formula is setup and configured correctly
|
||||||
|
depends:
|
||||||
|
- name: share
|
||||||
|
path: test/integration/share
|
||||||
supports:
|
supports:
|
||||||
- platform-name: debian
|
- platform-name: debian
|
||||||
- platform-name: ubuntu
|
- platform-name: ubuntu
|
||||||
|
21
test/integration/share/README.md
Normal file
21
test/integration/share/README.md
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
# InSpec Profile: `share`
|
||||||
|
|
||||||
|
This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
|
||||||
|
|
||||||
|
Its goal is to share the libraries between all profiles.
|
||||||
|
|
||||||
|
## Libraries
|
||||||
|
|
||||||
|
### `system`
|
||||||
|
|
||||||
|
The `system` library provides easy access to system dependent information:
|
||||||
|
|
||||||
|
- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
|
||||||
|
- `system.platform[:family]` provide a family name for Arch and Gentoo
|
||||||
|
- `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
|
||||||
|
- `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
|
||||||
|
- `Arch` is always `base-latest`
|
||||||
|
- `Amazon Linux` release `2018` is resolved as `1`
|
||||||
|
- `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
|
||||||
|
- `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
|
||||||
|
- `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)
|
21
test/integration/share/inspec.yml
Normal file
21
test/integration/share/inspec.yml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# vim: ft=yaml
|
||||||
|
---
|
||||||
|
name: share
|
||||||
|
title: InSpec shared resources
|
||||||
|
maintainer: SaltStack Formulas
|
||||||
|
license: Apache-2.0
|
||||||
|
summary: shared resources
|
||||||
|
supports:
|
||||||
|
- platform-name: debian
|
||||||
|
- platform-name: ubuntu
|
||||||
|
- platform-name: centos
|
||||||
|
- platform-name: fedora
|
||||||
|
- platform-name: opensuse
|
||||||
|
- platform-name: suse
|
||||||
|
- platform-name: freebsd
|
||||||
|
- platform-name: amazon
|
||||||
|
- platform-name: oracle
|
||||||
|
- platform-name: arch
|
||||||
|
- platform-name: gentoo
|
||||||
|
- platform: windows
|
89
test/integration/share/libraries/system.rb
Normal file
89
test/integration/share/libraries/system.rb
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
# system.rb -- InSpec resources for system values
|
||||||
|
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
|
||||||
|
# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
|
||||||
|
|
||||||
|
class SystemResource < Inspec.resource(1)
|
||||||
|
name 'system'
|
||||||
|
|
||||||
|
attr_reader :platform
|
||||||
|
|
||||||
|
def initialize
|
||||||
|
super
|
||||||
|
@platform = build_platform
|
||||||
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
|
def build_platform
|
||||||
|
{
|
||||||
|
family: build_platform_family,
|
||||||
|
name: build_platform_name,
|
||||||
|
release: build_platform_release,
|
||||||
|
finger: build_platform_finger
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
def build_platform_family
|
||||||
|
case inspec.platform[:name]
|
||||||
|
when 'arch', 'gentoo'
|
||||||
|
inspec.platform[:name]
|
||||||
|
else
|
||||||
|
inspec.platform[:family]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def build_platform_name
|
||||||
|
case inspec.platform[:name]
|
||||||
|
when 'amazon', 'oracle'
|
||||||
|
"#{inspec.platform[:name]}linux"
|
||||||
|
when 'windows_8.1_pro', 'windows_server_2019_datacenter'
|
||||||
|
'windows'
|
||||||
|
else
|
||||||
|
inspec.platform[:name]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# rubocop:disable Metrics/MethodLength
|
||||||
|
def build_platform_release
|
||||||
|
case inspec.platform[:name]
|
||||||
|
when 'amazon'
|
||||||
|
# `2018` relase is named `1` in kitchen.yaml
|
||||||
|
inspec.platform[:release].gsub(/2018.*/, '1')
|
||||||
|
when 'arch'
|
||||||
|
'base-latest'
|
||||||
|
when 'gentoo'
|
||||||
|
"#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
|
||||||
|
when 'windows_8.1_pro'
|
||||||
|
'8.1'
|
||||||
|
when 'windows_server_2019_datacenter'
|
||||||
|
'2019-server'
|
||||||
|
else
|
||||||
|
inspec.platform[:release]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
# rubocop:enable Metrics/MethodLength
|
||||||
|
|
||||||
|
def derive_gentoo_init_system
|
||||||
|
case inspec.command('systemctl').exist?
|
||||||
|
when true
|
||||||
|
'sysd'
|
||||||
|
else
|
||||||
|
'sysv'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def build_platform_finger
|
||||||
|
"#{build_platform_name}-#{build_finger_release}"
|
||||||
|
end
|
||||||
|
|
||||||
|
def build_finger_release
|
||||||
|
case inspec.platform[:name]
|
||||||
|
when 'ubuntu'
|
||||||
|
build_platform_release.split('.').slice(0, 2).join('.')
|
||||||
|
else
|
||||||
|
build_platform_release.split('.')[0]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user