test(map): verify map.jinja dump using _mapdata state

* Semi-automated using https://github.com/myii/ssf-formula/pull/286

CODEOWNERS

@@ -10,7 +10,6 @@
 
 # SECTION: Owner(s) for specific directories
 # FILE PATTERN                              OWNER(S)
-/test/                                      @myii
 
 # SECTION: Owner(s) for files/directories related to `semantic-release`
 # FILE PATTERN                              OWNER(S)
@@ -20,8 +19,11 @@
 /docs/AUTHORS.rst                           @saltstack-formulas/ssf
 /docs/CHANGELOG.rst                         @saltstack-formulas/ssf
 /docs/TOFS_pattern.rst                      @saltstack-formulas/ssf
+/*/_mapdata/                                @saltstack-formulas/ssf
 /*/libsaltcli.jinja                         @saltstack-formulas/ssf
 /*/libtofs.jinja                            @saltstack-formulas/ssf
+/test/integration/**/_mapdata_spec.rb       @saltstack-formulas/ssf
+/test/integration/**/libraries/system.rb    @saltstack-formulas/ssf
 /test/integration/**/inspec.yml             @saltstack-formulas/ssf
 /test/integration/**/README.md              @saltstack-formulas/ssf
 /.gitignore                                 @saltstack-formulas/ssf

firewalld/_mapdata/_mapdata.jinja

@@ -0,0 +1,13 @@
+# yamllint disable rule:indentation rule:line-length
+# {{ grains.get("osfinger", grains.os) }}
+---
+{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
+{{ salt["slsutil.serialize"](
+     "yaml",
+     map,
+     default_flow_style=False,
+     allow_unicode=True,
+   )
+   | regex_replace("^\s+'$", "'", multiline=True)
+   | trim
+}}

firewalld/_mapdata/init.sls

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+---
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split("/")[0] %}
+{%- from tplroot ~ "/map.jinja" import firewalld with context %}
+
+{%- set _mapdata = {
+      "values": {
+        "firewalld": firewalld,
+      }
+    } %}
+{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
+
+{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
+{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}
+
+{{ tplroot }}-mapdata-dump:
+  file.managed:
+    - name: {{ output_file }}
+    - source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
+    - template: jinja
+    - context:
+        map: {{ _mapdata | yaml }}

firewalld/yaml_dump/init.sls

@@ -1,16 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=sls
----
-{#- Get the `tplroot` from `tpldir` #}
-{%- set tplroot = tpldir.split('/')[0] %}
-{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}
-
-{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}
-
-yaml-dump-{{ tplroot }}:
-  file.managed:
-    - name: {{ output_file }}
-    - source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
-    - template: jinja
-    - context:
-        map: {{ map | yaml }}

firewalld/yaml_dump/yaml_dump.jinja

@@ -1,4 +0,0 @@
-# yamllint disable rule:indentation rule:line-length
-# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
----
-{{ map|yaml(False)|trim }}

kitchen.yml

@@ -156,7 +156,7 @@ suites:
       state_top:
         base:
           '*':
-            - firewalld.yaml_dump
+            - firewalld._mapdata
             - firewalld
       pillars:
         top.sls:

test/integration/default/controls/_mapdata_spec.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+control '`map.jinja` YAML dump' do
+  title 'should match the comparison file'
+
+  ### Method
+  # The steps below for each file appear convoluted but they are both required
+  # and similar in nature:
+  # 1. The earliest method was to simply compare the files textually but this often
+  #    led to false positives due to inconsistencies (e.g. spacing, ordering)
+  # 2. The next method was to load the files back into YAML structures and then
+  #    compare but InSpec provided block diffs this way, unusable by end users
+  # 3. The final step was to dump the YAML structures back into a string to use
+  #    for the comparison; this both worked and provided human-friendly diffs
+
+  ### Comparison file for the specific platform
+  ### Static, adjusted as part of code contributions, as map data is changed
+  # Strip the `platform[:finger]` version number down to the "OS major release"
+  platform_finger = system.platform[:finger].split('.').first.to_s
+  # Use that to set the path to the file (relative to the InSpec suite directory)
+  mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
+  # Load the mapdata from profile, into a YAML structure
+  # https://docs.chef.io/inspec/profiles/#profile-files
+  mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
+  # Dump the YAML back into a string for comparison
+  mapdata_file_dump = YAML.dump(mapdata_file_yaml)
+
+  ### Output file produced by running the `_mapdata` state
+  ### Dynamic, generated during Kitchen's `converge` phase
+  # Derive the location of the dumped mapdata (differs for Windows)
+  output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
+  # Use that to set the path to the file (absolute path, i.e. within the container)
+  output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
+  # Load the output into a YAML structure using InSpec's `yaml` resource
+  # https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
+  output_file_yaml = yaml(output_file_path).params
+  # Dump the YAML back into a string for comparison
+  output_file_dump = YAML.dump(output_file_yaml)
+
+  describe 'File content' do
+    it 'should match profile map data exactly' do
+      expect(output_file_dump).to eq(mapdata_file_dump)
+    end
+  end
+end

test/integration/default/controls/yaml_dump_spec.rb

@@ -1,168 +0,0 @@
-# frozen_string_literal: true
-
-control 'firewalld `map.jinja` YAML dump' do
-  title 'should contain the lines'
-
-  yaml_dump = "---\n"
-  yaml_dump += <<~YAML_DUMP.chomp
-    AllowZoneDrifting: 'no'
-    AutomaticHelpers: system
-    FirewallBackend: nftables
-    FlushAllOnReload: 'yes'
-    IndividualCalls: 'no'
-    LogDenied: 'off'
-    RFC3964_IPv4: 'yes'
-    arch: amd64
-    backend:
-      manage: true
-      pkg: nftables
-    config: /etc/firewalld.conf
-    default_zone: public
-    direct:
-      chain:
-        MYCHAIN:
-          ipv: ipv4
-          table: raw
-      rule:
-        INTERNETACCESS:
-          ipv: ipv4
-          table: filter
-          chain: FORWARD
-          priority: '0'
-          args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
-            -j ACCEPT
-      passthrough:
-        MYPASSTHROUGH:
-          ipv: ipv4
-          args: -t raw -A MYCHAIN -j DROP
-    enabled: true
-    ipset:
-      manage: true
-      pkg: ipset
-    ipsets:
-      fail2ban-ssh:
-        short: fail2ban-ssh
-        description: fail2ban-ssh ipset
-        type: hash:ip
-        options:
-          maxelem:
-          - 65536
-          timeout:
-          - 300
-          hashsize:
-          - 1024
-        entries:
-        - 10.0.0.1
-      fail2ban-ssh-ipv6:
-        short: fail2ban-ssh-ipv6
-        description: fail2ban-ssh-ipv6 ipset
-        type: hash:ip
-        options:
-          family:
-          - inet6
-          maxelem:
-          - 65536
-          timeout:
-          - 300
-          hashsize:
-          - 1024
-        entries:
-        - 2a01::1
-    package: firewalld
-    service: firewalld
-    services:
-      sshcustom:
-        short: sshcustom
-        description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
-          into and executing commands on remote machines. It provides secure encrypted
-          communications. If you plan on accessing your machine remotely via SSH over
-          a firewalled interface, enable this option. You need the openssh-server package
-          installed for this option to be useful.
-        ports:
-          tcp:
-          - 3232
-          - 5252
-        modules:
-        - some_module_to_load
-        protocols:
-        - igmp
-        source_ports:
-          tcp:
-          - 21
-        destinations:
-          ipv4:
-          - 224.0.0.251
-          - 224.0.0.252
-          ipv6:
-          - ff02::fb
-          - ff02::fc
-      zabbixcustom:
-        short: Zabbixcustom
-        description: zabbix custom rule
-        ports:
-          tcp:
-          - '10051'
-      salt-minion:
-        short: salt-minion
-        description: salt-minion
-        ports:
-          tcp:
-          - '8000'
-    zones:
-      public:
-        short: Public
-        description: For use in public areas. You do not trust the other computers on
-          networks to not harm your computer. Only selected incoming connections are accepted.
-        services:
-        - http
-        - https
-        - ssh
-        - salt-minion
-        other_services:
-        - zabbixcustom
-        protocols:
-        - igmp
-        rich_rules:
-        - family: ipv4
-          source:
-            address: 8.8.8.8/24
-          accept: true
-        - family: ipv4
-          ipset:
-            name: fail2ban-ssh
-          reject:
-            type: icmp-port-unreachable
-        ports:
-        - comment: zabbix-agent
-          port: 10050
-          protocol: tcp
-        - comment: bacula-client
-          port: 9102
-          protocol: tcp
-        - comment: vsftpd
-          port: 21
-          protocol: tcp
-        source_ports:
-        - comment: something
-          port: 2222
-          protocol: tcp
-        - comment: something_else
-          port: 4444
-          protocol: tcp
-      rich_public:
-        short: rich_public
-        description: Example
-        rich_rules:
-          ssh-csg:
-            accept: true
-            ipsets:
-            - fail2ban-ssh
-            - other-ipset
-            services:
-            - ssh
-  YAML_DUMP
-
-  describe file('/tmp/salt_yaml_dump.yaml') do
-    its('content') { should include yaml_dump }
-  end
-end

test/integration/default/inspec.yml

@@ -6,6 +6,9 @@ title: firewalld formula
 maintainer: SaltStack Formulas
 license: Apache-2.0
 summary: Verify that the firewalld formula is setup and configured correctly
+depends:
+  - name: share
+    path: test/integration/share
 supports:
   - platform-name: debian
   - platform-name: ubuntu

test/integration/share/README.md

@@ -0,0 +1,21 @@
+# InSpec Profile: `share`
+
+This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
+
+Its goal is to share the libraries between all profiles.
+
+## Libraries
+
+### `system`
+
+The `system` library provides easy access to system dependent information:
+
+- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
+  - `system.platform[:family]` provide a family name for Arch and Gentoo
+  - `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
+  - `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
+    - `Arch` is always `base-latest`
+    - `Amazon Linux` release `2018` is resolved as `1`
+    - `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
+    - `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
+  - `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)

test/integration/share/inspec.yml

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: share
+title: InSpec shared resources
+maintainer: SaltStack Formulas
+license: Apache-2.0
+summary: shared resources
+supports:
+  - platform-name: debian
+  - platform-name: ubuntu
+  - platform-name: centos
+  - platform-name: fedora
+  - platform-name: opensuse
+  - platform-name: suse
+  - platform-name: freebsd
+  - platform-name: amazon
+  - platform-name: oracle
+  - platform-name: arch
+  - platform-name: gentoo
+  - platform: windows

test/integration/share/libraries/system.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+# system.rb -- InSpec resources for system values
+# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
+# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
+
+class SystemResource < Inspec.resource(1)
+  name 'system'
+
+  attr_reader :platform
+
+  def initialize
+    super
+    @platform = build_platform
+  end
+
+  private
+
+  def build_platform
+    {
+      family: build_platform_family,
+      name: build_platform_name,
+      release: build_platform_release,
+      finger: build_platform_finger
+    }
+  end
+
+  def build_platform_family
+    case inspec.platform[:name]
+    when 'arch', 'gentoo'
+      inspec.platform[:name]
+    else
+      inspec.platform[:family]
+    end
+  end
+
+  def build_platform_name
+    case inspec.platform[:name]
+    when 'amazon', 'oracle'
+      "#{inspec.platform[:name]}linux"
+    when 'windows_8.1_pro', 'windows_server_2019_datacenter'
+      'windows'
+    else
+      inspec.platform[:name]
+    end
+  end
+
+  # rubocop:disable Metrics/MethodLength
+  def build_platform_release
+    case inspec.platform[:name]
+    when 'amazon'
+      # `2018` relase is named `1` in kitchen.yaml
+      inspec.platform[:release].gsub(/2018.*/, '1')
+    when 'arch'
+      'base-latest'
+    when 'gentoo'
+      "#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
+    when 'windows_8.1_pro'
+      '8.1'
+    when 'windows_server_2019_datacenter'
+      '2019-server'
+    else
+      inspec.platform[:release]
+    end
+  end
+  # rubocop:enable Metrics/MethodLength
+
+  def derive_gentoo_init_system
+    case inspec.command('systemctl').exist?
+    when true
+      'sysd'
+    else
+      'sysv'
+    end
+  end
+
+  def build_platform_finger
+    "#{build_platform_name}-#{build_finger_release}"
+  end
+
+  def build_finger_release
+    case inspec.platform[:name]
+    when 'ubuntu'
+      build_platform_release.split('.').slice(0, 2).join('.')
+    else
+      build_platform_release.split('.')[0]
+    end
+  end
+end