diff --git a/CODEOWNERS b/CODEOWNERS index 093bb85..91d6155 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -10,7 +10,6 @@ # SECTION: Owner(s) for specific directories # FILE PATTERN OWNER(S) -/test/ @myii # SECTION: Owner(s) for files/directories related to `semantic-release` # FILE PATTERN OWNER(S) @@ -20,8 +19,11 @@ /docs/AUTHORS.rst @saltstack-formulas/ssf /docs/CHANGELOG.rst @saltstack-formulas/ssf /docs/TOFS_pattern.rst @saltstack-formulas/ssf +/*/_mapdata/ @saltstack-formulas/ssf /*/libsaltcli.jinja @saltstack-formulas/ssf /*/libtofs.jinja @saltstack-formulas/ssf +/test/integration/**/_mapdata_spec.rb @saltstack-formulas/ssf +/test/integration/**/libraries/system.rb @saltstack-formulas/ssf /test/integration/**/inspec.yml @saltstack-formulas/ssf /test/integration/**/README.md @saltstack-formulas/ssf /.gitignore @saltstack-formulas/ssf diff --git a/firewalld/_mapdata/_mapdata.jinja b/firewalld/_mapdata/_mapdata.jinja new file mode 100644 index 0000000..aa9649c --- /dev/null +++ b/firewalld/_mapdata/_mapdata.jinja @@ -0,0 +1,13 @@ +# yamllint disable rule:indentation rule:line-length +# {{ grains.get("osfinger", grains.os) }} +--- +{#- use salt.slsutil.serialize to avoid encoding errors on some platforms #} +{{ salt["slsutil.serialize"]( + "yaml", + map, + default_flow_style=False, + allow_unicode=True, + ) + | regex_replace("^\s+'$", "'", multiline=True) + | trim +}} diff --git a/firewalld/_mapdata/init.sls b/firewalld/_mapdata/init.sls new file mode 100644 index 0000000..08931e7 --- /dev/null +++ b/firewalld/_mapdata/init.sls @@ -0,0 +1,24 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls +--- +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split("/")[0] %} +{%- from tplroot ~ "/map.jinja" import firewalld with context %} + +{%- set _mapdata = { + "values": { + "firewalld": firewalld, + } + } %} +{%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %} + +{%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %} +{%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %} + +{{ tplroot }}-mapdata-dump: + file.managed: + - name: {{ output_file }} + - source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja + - template: jinja + - context: + map: {{ _mapdata | yaml }} diff --git a/firewalld/yaml_dump/init.sls b/firewalld/yaml_dump/init.sls deleted file mode 100644 index dfa69a2..0000000 --- a/firewalld/yaml_dump/init.sls +++ /dev/null @@ -1,16 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=sls ---- -{#- Get the `tplroot` from `tpldir` #} -{%- set tplroot = tpldir.split('/')[0] %} -{%- from tplroot ~ "/map.jinja" import firewalld as map with context %} - -{%- set output_file = '/tmp/salt_yaml_dump.yaml' %} - -yaml-dump-{{ tplroot }}: - file.managed: - - name: {{ output_file }} - - source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja - - template: jinja - - context: - map: {{ map | yaml }} diff --git a/firewalld/yaml_dump/yaml_dump.jinja b/firewalld/yaml_dump/yaml_dump.jinja deleted file mode 100644 index 300b464..0000000 --- a/firewalld/yaml_dump/yaml_dump.jinja +++ /dev/null @@ -1,4 +0,0 @@ -# yamllint disable rule:indentation rule:line-length -# {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }} ---- -{{ map|yaml(False)|trim }} diff --git a/kitchen.yml b/kitchen.yml index 42ec749..0a3efe7 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -156,7 +156,7 @@ suites: state_top: base: '*': - - firewalld.yaml_dump + - firewalld._mapdata - firewalld pillars: top.sls: diff --git a/test/integration/default/controls/_mapdata_spec.rb b/test/integration/default/controls/_mapdata_spec.rb new file mode 100644 index 0000000..6463532 --- /dev/null +++ b/test/integration/default/controls/_mapdata_spec.rb @@ -0,0 +1,47 @@ +# frozen_string_literal: true + +require 'yaml' + +control '`map.jinja` YAML dump' do + title 'should match the comparison file' + + ### Method + # The steps below for each file appear convoluted but they are both required + # and similar in nature: + # 1. The earliest method was to simply compare the files textually but this often + # led to false positives due to inconsistencies (e.g. spacing, ordering) + # 2. The next method was to load the files back into YAML structures and then + # compare but InSpec provided block diffs this way, unusable by end users + # 3. The final step was to dump the YAML structures back into a string to use + # for the comparison; this both worked and provided human-friendly diffs + + ### Comparison file for the specific platform + ### Static, adjusted as part of code contributions, as map data is changed + # Strip the `platform[:finger]` version number down to the "OS major release" + platform_finger = system.platform[:finger].split('.').first.to_s + # Use that to set the path to the file (relative to the InSpec suite directory) + mapdata_file_path = "_mapdata/#{platform_finger}.yaml" + # Load the mapdata from profile, into a YAML structure + # https://docs.chef.io/inspec/profiles/#profile-files + mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path)) + # Dump the YAML back into a string for comparison + mapdata_file_dump = YAML.dump(mapdata_file_yaml) + + ### Output file produced by running the `_mapdata` state + ### Dynamic, generated during Kitchen's `converge` phase + # Derive the location of the dumped mapdata (differs for Windows) + output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp' + # Use that to set the path to the file (absolute path, i.e. within the container) + output_file_path = "#{output_dir}/salt_mapdata_dump.yaml" + # Load the output into a YAML structure using InSpec's `yaml` resource + # https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29 + output_file_yaml = yaml(output_file_path).params + # Dump the YAML back into a string for comparison + output_file_dump = YAML.dump(output_file_yaml) + + describe 'File content' do + it 'should match profile map data exactly' do + expect(output_file_dump).to eq(mapdata_file_dump) + end + end +end diff --git a/test/integration/default/controls/yaml_dump_spec.rb b/test/integration/default/controls/yaml_dump_spec.rb deleted file mode 100644 index 5c4b391..0000000 --- a/test/integration/default/controls/yaml_dump_spec.rb +++ /dev/null @@ -1,168 +0,0 @@ -# frozen_string_literal: true - -control 'firewalld `map.jinja` YAML dump' do - title 'should contain the lines' - - yaml_dump = "---\n" - yaml_dump += <<~YAML_DUMP.chomp - AllowZoneDrifting: 'no' - AutomaticHelpers: system - FirewallBackend: nftables - FlushAllOnReload: 'yes' - IndividualCalls: 'no' - LogDenied: 'off' - RFC3964_IPv4: 'yes' - arch: amd64 - backend: - manage: true - pkg: nftables - config: /etc/firewalld.conf - default_zone: public - direct: - chain: - MYCHAIN: - ipv: ipv4 - table: raw - rule: - INTERNETACCESS: - ipv: ipv4 - table: filter - chain: FORWARD - priority: '0' - args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED - -j ACCEPT - passthrough: - MYPASSTHROUGH: - ipv: ipv4 - args: -t raw -A MYCHAIN -j DROP - enabled: true - ipset: - manage: true - pkg: ipset - ipsets: - fail2ban-ssh: - short: fail2ban-ssh - description: fail2ban-ssh ipset - type: hash:ip - options: - maxelem: - - 65536 - timeout: - - 300 - hashsize: - - 1024 - entries: - - 10.0.0.1 - fail2ban-ssh-ipv6: - short: fail2ban-ssh-ipv6 - description: fail2ban-ssh-ipv6 ipset - type: hash:ip - options: - family: - - inet6 - maxelem: - - 65536 - timeout: - - 300 - hashsize: - - 1024 - entries: - - 2a01::1 - package: firewalld - service: firewalld - services: - sshcustom: - short: sshcustom - description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging - into and executing commands on remote machines. It provides secure encrypted - communications. If you plan on accessing your machine remotely via SSH over - a firewalled interface, enable this option. You need the openssh-server package - installed for this option to be useful. - ports: - tcp: - - 3232 - - 5252 - modules: - - some_module_to_load - protocols: - - igmp - source_ports: - tcp: - - 21 - destinations: - ipv4: - - 224.0.0.251 - - 224.0.0.252 - ipv6: - - ff02::fb - - ff02::fc - zabbixcustom: - short: Zabbixcustom - description: zabbix custom rule - ports: - tcp: - - '10051' - salt-minion: - short: salt-minion - description: salt-minion - ports: - tcp: - - '8000' - zones: - public: - short: Public - description: For use in public areas. You do not trust the other computers on - networks to not harm your computer. Only selected incoming connections are accepted. - services: - - http - - https - - ssh - - salt-minion - other_services: - - zabbixcustom - protocols: - - igmp - rich_rules: - - family: ipv4 - source: - address: 8.8.8.8/24 - accept: true - - family: ipv4 - ipset: - name: fail2ban-ssh - reject: - type: icmp-port-unreachable - ports: - - comment: zabbix-agent - port: 10050 - protocol: tcp - - comment: bacula-client - port: 9102 - protocol: tcp - - comment: vsftpd - port: 21 - protocol: tcp - source_ports: - - comment: something - port: 2222 - protocol: tcp - - comment: something_else - port: 4444 - protocol: tcp - rich_public: - short: rich_public - description: Example - rich_rules: - ssh-csg: - accept: true - ipsets: - - fail2ban-ssh - - other-ipset - services: - - ssh - YAML_DUMP - - describe file('/tmp/salt_yaml_dump.yaml') do - its('content') { should include yaml_dump } - end -end diff --git a/test/integration/default/inspec.yml b/test/integration/default/inspec.yml index 70dafa1..d22aff9 100644 --- a/test/integration/default/inspec.yml +++ b/test/integration/default/inspec.yml @@ -6,6 +6,9 @@ title: firewalld formula maintainer: SaltStack Formulas license: Apache-2.0 summary: Verify that the firewalld formula is setup and configured correctly +depends: + - name: share + path: test/integration/share supports: - platform-name: debian - platform-name: ubuntu diff --git a/test/integration/share/README.md b/test/integration/share/README.md new file mode 100644 index 0000000..5bc510c --- /dev/null +++ b/test/integration/share/README.md @@ -0,0 +1,21 @@ +# InSpec Profile: `share` + +This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md). + +Its goal is to share the libraries between all profiles. + +## Libraries + +### `system` + +The `system` library provides easy access to system dependent information: + +- `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective + - `system.platform[:family]` provide a family name for Arch and Gentoo + - `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows` + - `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows: + - `Arch` is always `base-latest` + - `Amazon Linux` release `2018` is resolved as `1` + - `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`) + - `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version + - `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example) diff --git a/test/integration/share/inspec.yml b/test/integration/share/inspec.yml new file mode 100644 index 0000000..697417a --- /dev/null +++ b/test/integration/share/inspec.yml @@ -0,0 +1,21 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +name: share +title: InSpec shared resources +maintainer: SaltStack Formulas +license: Apache-2.0 +summary: shared resources +supports: + - platform-name: debian + - platform-name: ubuntu + - platform-name: centos + - platform-name: fedora + - platform-name: opensuse + - platform-name: suse + - platform-name: freebsd + - platform-name: amazon + - platform-name: oracle + - platform-name: arch + - platform-name: gentoo + - platform: windows diff --git a/test/integration/share/libraries/system.rb b/test/integration/share/libraries/system.rb new file mode 100644 index 0000000..ef23499 --- /dev/null +++ b/test/integration/share/libraries/system.rb @@ -0,0 +1,89 @@ +# frozen_string_literal: true + +# system.rb -- InSpec resources for system values +# Author: Daniel Dehennin +# Copyright (C) 2020 Daniel Dehennin + +class SystemResource < Inspec.resource(1) + name 'system' + + attr_reader :platform + + def initialize + super + @platform = build_platform + end + + private + + def build_platform + { + family: build_platform_family, + name: build_platform_name, + release: build_platform_release, + finger: build_platform_finger + } + end + + def build_platform_family + case inspec.platform[:name] + when 'arch', 'gentoo' + inspec.platform[:name] + else + inspec.platform[:family] + end + end + + def build_platform_name + case inspec.platform[:name] + when 'amazon', 'oracle' + "#{inspec.platform[:name]}linux" + when 'windows_8.1_pro', 'windows_server_2019_datacenter' + 'windows' + else + inspec.platform[:name] + end + end + + # rubocop:disable Metrics/MethodLength + def build_platform_release + case inspec.platform[:name] + when 'amazon' + # `2018` relase is named `1` in kitchen.yaml + inspec.platform[:release].gsub(/2018.*/, '1') + when 'arch' + 'base-latest' + when 'gentoo' + "#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}" + when 'windows_8.1_pro' + '8.1' + when 'windows_server_2019_datacenter' + '2019-server' + else + inspec.platform[:release] + end + end + # rubocop:enable Metrics/MethodLength + + def derive_gentoo_init_system + case inspec.command('systemctl').exist? + when true + 'sysd' + else + 'sysv' + end + end + + def build_platform_finger + "#{build_platform_name}-#{build_finger_release}" + end + + def build_finger_release + case inspec.platform[:name] + when 'ubuntu' + build_platform_release.split('.').slice(0, 2).join('.') + else + build_platform_release.split('.')[0] + end + end +end