test(map): verify map.jinja
dump using _mapdata
state
* Semi-automated using https://github.com/myii/ssf-formula/pull/286
This commit is contained in:
parent
a615af103e
commit
22869e0c7f
@ -10,7 +10,6 @@
|
||||
|
||||
# SECTION: Owner(s) for specific directories
|
||||
# FILE PATTERN OWNER(S)
|
||||
/test/ @myii
|
||||
|
||||
# SECTION: Owner(s) for files/directories related to `semantic-release`
|
||||
# FILE PATTERN OWNER(S)
|
||||
@ -20,8 +19,11 @@
|
||||
/docs/AUTHORS.rst @saltstack-formulas/ssf
|
||||
/docs/CHANGELOG.rst @saltstack-formulas/ssf
|
||||
/docs/TOFS_pattern.rst @saltstack-formulas/ssf
|
||||
/*/_mapdata/ @saltstack-formulas/ssf
|
||||
/*/libsaltcli.jinja @saltstack-formulas/ssf
|
||||
/*/libtofs.jinja @saltstack-formulas/ssf
|
||||
/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf
|
||||
/test/integration/**/libraries/system.rb @saltstack-formulas/ssf
|
||||
/test/integration/**/inspec.yml @saltstack-formulas/ssf
|
||||
/test/integration/**/README.md @saltstack-formulas/ssf
|
||||
/.gitignore @saltstack-formulas/ssf
|
||||
|
13
firewalld/_mapdata/_mapdata.jinja
Normal file
13
firewalld/_mapdata/_mapdata.jinja
Normal file
@ -0,0 +1,13 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# {{ grains.get("osfinger", grains.os) }}
|
||||
---
|
||||
{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
|
||||
{{ salt["slsutil.serialize"](
|
||||
"yaml",
|
||||
map,
|
||||
default_flow_style=False,
|
||||
allow_unicode=True,
|
||||
)
|
||||
| regex_replace("^\s+'$", "'", multiline=True)
|
||||
| trim
|
||||
}}
|
24
firewalld/_mapdata/init.sls
Normal file
24
firewalld/_mapdata/init.sls
Normal file
@ -0,0 +1,24 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
---
|
||||
{#- Get the `tplroot` from `tpldir` #}
|
||||
{%- set tplroot = tpldir.split("/")[0] %}
|
||||
{%- from tplroot ~ "/map.jinja" import firewalld with context %}
|
||||
|
||||
{%- set _mapdata = {
|
||||
"values": {
|
||||
"firewalld": firewalld,
|
||||
}
|
||||
} %}
|
||||
{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
|
||||
|
||||
{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
|
||||
{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}
|
||||
|
||||
{{ tplroot }}-mapdata-dump:
|
||||
file.managed:
|
||||
- name: {{ output_file }}
|
||||
- source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
|
||||
- template: jinja
|
||||
- context:
|
||||
map: {{ _mapdata | yaml }}
|
@ -1,16 +0,0 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=sls
|
||||
---
|
||||
{#- Get the `tplroot` from `tpldir` #}
|
||||
{%- set tplroot = tpldir.split('/')[0] %}
|
||||
{%- from tplroot ~ "/map.jinja" import firewalld as map with context %}
|
||||
|
||||
{%- set output_file = '/tmp/salt_yaml_dump.yaml' %}
|
||||
|
||||
yaml-dump-{{ tplroot }}:
|
||||
file.managed:
|
||||
- name: {{ output_file }}
|
||||
- source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
|
||||
- template: jinja
|
||||
- context:
|
||||
map: {{ map | yaml }}
|
@ -1,4 +0,0 @@
|
||||
# yamllint disable rule:indentation rule:line-length
|
||||
# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
|
||||
---
|
||||
{{ map|yaml(False)|trim }}
|
@ -156,7 +156,7 @@ suites:
|
||||
state_top:
|
||||
base:
|
||||
'*':
|
||||
- firewalld.yaml_dump
|
||||
- firewalld._mapdata
|
||||
- firewalld
|
||||
pillars:
|
||||
top.sls:
|
||||
|
47
test/integration/default/controls/_mapdata_spec.rb
Normal file
47
test/integration/default/controls/_mapdata_spec.rb
Normal file
@ -0,0 +1,47 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require 'yaml'
|
||||
|
||||
control '`map.jinja` YAML dump' do
|
||||
title 'should match the comparison file'
|
||||
|
||||
### Method
|
||||
# The steps below for each file appear convoluted but they are both required
|
||||
# and similar in nature:
|
||||
# 1. The earliest method was to simply compare the files textually but this often
|
||||
# led to false positives due to inconsistencies (e.g. spacing, ordering)
|
||||
# 2. The next method was to load the files back into YAML structures and then
|
||||
# compare but InSpec provided block diffs this way, unusable by end users
|
||||
# 3. The final step was to dump the YAML structures back into a string to use
|
||||
# for the comparison; this both worked and provided human-friendly diffs
|
||||
|
||||
### Comparison file for the specific platform
|
||||
### Static, adjusted as part of code contributions, as map data is changed
|
||||
# Strip the `platform[:finger]` version number down to the "OS major release"
|
||||
platform_finger = system.platform[:finger].split('.').first.to_s
|
||||
# Use that to set the path to the file (relative to the InSpec suite directory)
|
||||
mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
|
||||
# Load the mapdata from profile, into a YAML structure
|
||||
# https://docs.chef.io/inspec/profiles/#profile-files
|
||||
mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
|
||||
# Dump the YAML back into a string for comparison
|
||||
mapdata_file_dump = YAML.dump(mapdata_file_yaml)
|
||||
|
||||
### Output file produced by running the `_mapdata` state
|
||||
### Dynamic, generated during Kitchen's `converge` phase
|
||||
# Derive the location of the dumped mapdata (differs for Windows)
|
||||
output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
|
||||
# Use that to set the path to the file (absolute path, i.e. within the container)
|
||||
output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
|
||||
# Load the output into a YAML structure using InSpec's `yaml` resource
|
||||
# https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
|
||||
output_file_yaml = yaml(output_file_path).params
|
||||
# Dump the YAML back into a string for comparison
|
||||
output_file_dump = YAML.dump(output_file_yaml)
|
||||
|
||||
describe 'File content' do
|
||||
it 'should match profile map data exactly' do
|
||||
expect(output_file_dump).to eq(mapdata_file_dump)
|
||||
end
|
||||
end
|
||||
end
|
@ -1,168 +0,0 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
control 'firewalld `map.jinja` YAML dump' do
|
||||
title 'should contain the lines'
|
||||
|
||||
yaml_dump = "---\n"
|
||||
yaml_dump += <<~YAML_DUMP.chomp
|
||||
AllowZoneDrifting: 'no'
|
||||
AutomaticHelpers: system
|
||||
FirewallBackend: nftables
|
||||
FlushAllOnReload: 'yes'
|
||||
IndividualCalls: 'no'
|
||||
LogDenied: 'off'
|
||||
RFC3964_IPv4: 'yes'
|
||||
arch: amd64
|
||||
backend:
|
||||
manage: true
|
||||
pkg: nftables
|
||||
config: /etc/firewalld.conf
|
||||
default_zone: public
|
||||
direct:
|
||||
chain:
|
||||
MYCHAIN:
|
||||
ipv: ipv4
|
||||
table: raw
|
||||
rule:
|
||||
INTERNETACCESS:
|
||||
ipv: ipv4
|
||||
table: filter
|
||||
chain: FORWARD
|
||||
priority: '0'
|
||||
args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
|
||||
-j ACCEPT
|
||||
passthrough:
|
||||
MYPASSTHROUGH:
|
||||
ipv: ipv4
|
||||
args: -t raw -A MYCHAIN -j DROP
|
||||
enabled: true
|
||||
ipset:
|
||||
manage: true
|
||||
pkg: ipset
|
||||
ipsets:
|
||||
fail2ban-ssh:
|
||||
short: fail2ban-ssh
|
||||
description: fail2ban-ssh ipset
|
||||
type: hash:ip
|
||||
options:
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
hashsize:
|
||||
- 1024
|
||||
entries:
|
||||
- 10.0.0.1
|
||||
fail2ban-ssh-ipv6:
|
||||
short: fail2ban-ssh-ipv6
|
||||
description: fail2ban-ssh-ipv6 ipset
|
||||
type: hash:ip
|
||||
options:
|
||||
family:
|
||||
- inet6
|
||||
maxelem:
|
||||
- 65536
|
||||
timeout:
|
||||
- 300
|
||||
hashsize:
|
||||
- 1024
|
||||
entries:
|
||||
- 2a01::1
|
||||
package: firewalld
|
||||
service: firewalld
|
||||
services:
|
||||
sshcustom:
|
||||
short: sshcustom
|
||||
description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
|
||||
into and executing commands on remote machines. It provides secure encrypted
|
||||
communications. If you plan on accessing your machine remotely via SSH over
|
||||
a firewalled interface, enable this option. You need the openssh-server package
|
||||
installed for this option to be useful.
|
||||
ports:
|
||||
tcp:
|
||||
- 3232
|
||||
- 5252
|
||||
modules:
|
||||
- some_module_to_load
|
||||
protocols:
|
||||
- igmp
|
||||
source_ports:
|
||||
tcp:
|
||||
- 21
|
||||
destinations:
|
||||
ipv4:
|
||||
- 224.0.0.251
|
||||
- 224.0.0.252
|
||||
ipv6:
|
||||
- ff02::fb
|
||||
- ff02::fc
|
||||
zabbixcustom:
|
||||
short: Zabbixcustom
|
||||
description: zabbix custom rule
|
||||
ports:
|
||||
tcp:
|
||||
- '10051'
|
||||
salt-minion:
|
||||
short: salt-minion
|
||||
description: salt-minion
|
||||
ports:
|
||||
tcp:
|
||||
- '8000'
|
||||
zones:
|
||||
public:
|
||||
short: Public
|
||||
description: For use in public areas. You do not trust the other computers on
|
||||
networks to not harm your computer. Only selected incoming connections are accepted.
|
||||
services:
|
||||
- http
|
||||
- https
|
||||
- ssh
|
||||
- salt-minion
|
||||
other_services:
|
||||
- zabbixcustom
|
||||
protocols:
|
||||
- igmp
|
||||
rich_rules:
|
||||
- family: ipv4
|
||||
source:
|
||||
address: 8.8.8.8/24
|
||||
accept: true
|
||||
- family: ipv4
|
||||
ipset:
|
||||
name: fail2ban-ssh
|
||||
reject:
|
||||
type: icmp-port-unreachable
|
||||
ports:
|
||||
- comment: zabbix-agent
|
||||
port: 10050
|
||||
protocol: tcp
|
||||
- comment: bacula-client
|
||||
port: 9102
|
||||
protocol: tcp
|
||||
- comment: vsftpd
|
||||
port: 21
|
||||
protocol: tcp
|
||||
source_ports:
|
||||
- comment: something
|
||||
port: 2222
|
||||
protocol: tcp
|
||||
- comment: something_else
|
||||
port: 4444
|
||||
protocol: tcp
|
||||
rich_public:
|
||||
short: rich_public
|
||||
description: Example
|
||||
rich_rules:
|
||||
ssh-csg:
|
||||
accept: true
|
||||
ipsets:
|
||||
- fail2ban-ssh
|
||||
- other-ipset
|
||||
services:
|
||||
- ssh
|
||||
YAML_DUMP
|
||||
|
||||
describe file('/tmp/salt_yaml_dump.yaml') do
|
||||
its('content') { should include yaml_dump }
|
||||
end
|
||||
end
|
@ -6,6 +6,9 @@ title: firewalld formula
|
||||
maintainer: SaltStack Formulas
|
||||
license: Apache-2.0
|
||||
summary: Verify that the firewalld formula is setup and configured correctly
|
||||
depends:
|
||||
- name: share
|
||||
path: test/integration/share
|
||||
supports:
|
||||
- platform-name: debian
|
||||
- platform-name: ubuntu
|
||||
|
21
test/integration/share/README.md
Normal file
21
test/integration/share/README.md
Normal file
@ -0,0 +1,21 @@
|
||||
# InSpec Profile: `share`
|
||||
|
||||
This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
|
||||
|
||||
Its goal is to share the libraries between all profiles.
|
||||
|
||||
## Libraries
|
||||
|
||||
### `system`
|
||||
|
||||
The `system` library provides easy access to system dependent information:
|
||||
|
||||
- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
|
||||
- `system.platform[:family]` provide a family name for Arch and Gentoo
|
||||
- `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
|
||||
- `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
|
||||
- `Arch` is always `base-latest`
|
||||
- `Amazon Linux` release `2018` is resolved as `1`
|
||||
- `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
|
||||
- `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
|
||||
- `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)
|
21
test/integration/share/inspec.yml
Normal file
21
test/integration/share/inspec.yml
Normal file
@ -0,0 +1,21 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=yaml
|
||||
---
|
||||
name: share
|
||||
title: InSpec shared resources
|
||||
maintainer: SaltStack Formulas
|
||||
license: Apache-2.0
|
||||
summary: shared resources
|
||||
supports:
|
||||
- platform-name: debian
|
||||
- platform-name: ubuntu
|
||||
- platform-name: centos
|
||||
- platform-name: fedora
|
||||
- platform-name: opensuse
|
||||
- platform-name: suse
|
||||
- platform-name: freebsd
|
||||
- platform-name: amazon
|
||||
- platform-name: oracle
|
||||
- platform-name: arch
|
||||
- platform-name: gentoo
|
||||
- platform: windows
|
89
test/integration/share/libraries/system.rb
Normal file
89
test/integration/share/libraries/system.rb
Normal file
@ -0,0 +1,89 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
# system.rb -- InSpec resources for system values
|
||||
# Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
|
||||
# Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
|
||||
|
||||
class SystemResource < Inspec.resource(1)
|
||||
name 'system'
|
||||
|
||||
attr_reader :platform
|
||||
|
||||
def initialize
|
||||
super
|
||||
@platform = build_platform
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def build_platform
|
||||
{
|
||||
family: build_platform_family,
|
||||
name: build_platform_name,
|
||||
release: build_platform_release,
|
||||
finger: build_platform_finger
|
||||
}
|
||||
end
|
||||
|
||||
def build_platform_family
|
||||
case inspec.platform[:name]
|
||||
when 'arch', 'gentoo'
|
||||
inspec.platform[:name]
|
||||
else
|
||||
inspec.platform[:family]
|
||||
end
|
||||
end
|
||||
|
||||
def build_platform_name
|
||||
case inspec.platform[:name]
|
||||
when 'amazon', 'oracle'
|
||||
"#{inspec.platform[:name]}linux"
|
||||
when 'windows_8.1_pro', 'windows_server_2019_datacenter'
|
||||
'windows'
|
||||
else
|
||||
inspec.platform[:name]
|
||||
end
|
||||
end
|
||||
|
||||
# rubocop:disable Metrics/MethodLength
|
||||
def build_platform_release
|
||||
case inspec.platform[:name]
|
||||
when 'amazon'
|
||||
# `2018` relase is named `1` in kitchen.yaml
|
||||
inspec.platform[:release].gsub(/2018.*/, '1')
|
||||
when 'arch'
|
||||
'base-latest'
|
||||
when 'gentoo'
|
||||
"#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
|
||||
when 'windows_8.1_pro'
|
||||
'8.1'
|
||||
when 'windows_server_2019_datacenter'
|
||||
'2019-server'
|
||||
else
|
||||
inspec.platform[:release]
|
||||
end
|
||||
end
|
||||
# rubocop:enable Metrics/MethodLength
|
||||
|
||||
def derive_gentoo_init_system
|
||||
case inspec.command('systemctl').exist?
|
||||
when true
|
||||
'sysd'
|
||||
else
|
||||
'sysv'
|
||||
end
|
||||
end
|
||||
|
||||
def build_platform_finger
|
||||
"#{build_platform_name}-#{build_finger_release}"
|
||||
end
|
||||
|
||||
def build_finger_release
|
||||
case inspec.platform[:name]
|
||||
when 'ubuntu'
|
||||
build_platform_release.split('.').slice(0, 2).join('.')
|
||||
else
|
||||
build_platform_release.split('.')[0]
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue
Block a user