From f1af45593d967c9ac734702fa31b922d28053d32 Mon Sep 17 00:00:00 2001
From: Imran Iqbal
Date: Fri, 26 Mar 2021 11:15:02 +0000
Subject: [PATCH 1/4] ci: enable Vagrant-based testing using GitHub Actions
* Semi-automated using https://github.com/myii/ssf-formula/pull/304
---
 .github/workflows/kitchen.vagrant.yml | 35 +++++++++++++++++++++++++++
 .yamllint | 1 +
 kitchen.vagrant.yml | 27 +++++++++++++++------
 kitchen.yml | 1 +
 4 files changed, 56 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/kitchen.vagrant.yml
diff --git a/.github/workflows/kitchen.vagrant.yml b/.github/workflows/kitchen.vagrant.yml
new file mode 100644
index 0000000..f773d39
--- /dev/null
+++ b/.github/workflows/kitchen.vagrant.yml
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: 'Kitchen Vagrant (FreeBSD & OpenBSD)'
+'on': ['push', 'pull_request']
+
+env:
+ KITCHEN_LOCAL_YAML: 'kitchen.vagrant.yml'
+
+jobs:
+ test:
+ runs-on: 'macos-10.15'
+ strategy:
+ fail-fast: false
+ matrix:
+ instance:
+ - default-freebsd-122-latest-py3
+ - default-freebsd-114-latest-py3
+ - default-openbsd-68-latest-py3
+ steps:
+ - name: 'Check out code'
+ uses: 'actions/checkout@v2'
+ - name: 'Set up Bundler cache'
+ uses: 'actions/cache@v1'
+ with:
+ path: 'vendor/bundle'
+ key: "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}"
+ restore-keys: "${{ runner.os }}-gems-"
+ - name: 'Run Bundler'
+ run: |
+ ruby --version
+ bundle config path vendor/bundle
+ bundle install --jobs 4 --retry 3
+ - name: 'Run Test Kitchen'
+ run: 'bundle exec kitchen verify ${{ matrix.instance }}'
diff --git a/.yamllint b/.yamllint
index 5a060ef..63bc250 100644
--- a/.yamllint
+++ b/.yamllint
@@ -16,6 +16,7 @@ ignore: |
 node_modules/
 test/**/states/**/*.sls
 .kitchen/
+ test/salt/pillar/default.sls
 yaml-files:
 # Default settings
diff --git a/kitchen.vagrant.yml b/kitchen.vagrant.yml
index 2dcd6f3..7d26508 100644
--- a/kitchen.vagrant.yml
+++ b/kitchen.vagrant.yml
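Review bot: The `uses:` references in the new workflow (`actions/checkout@v2`, `actions/cache@v1`) are mutable tags, so the code this job executes changes whenever the tag is moved by the action's publisher; pinning each one to a full commit SHA and keeping the tag in a trailing comment, e.g. `uses: 'actions/checkout@<full-commit-sha>'  # v2`, makes the CI supply chain reproducible and makes updates reviewable. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository's default scope although the steps shown only check out code and run Test Kitchen; a top-level `permissions:` with `contents: read` covers everything visible here. Minor: the two actions sit on different major versions (`cache@v1` beside `checkout@v2`), which is worth aligning when the pins are added.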
@@ -3,15 +3,26 @@
 ---
 driver:
 name: vagrant
+ cache_directory: false
+ customize:
+ usbxhci: 'off'
+ gui: false
+ linked_clone: true
+ ssh:
+ shell: /bin/sh
 platforms:
- - name: freebsd-120-2019-2-py3
+ - name: freebsd-122-latest-py3
 driver:
- box_url: https://freebsd.z.vstack.com/FreeBSD-12.0.box
- cache_directory: false
- customize:
- usbxhci: 'off'
- gui: false
- linked_clone: true
+ box: bento/freebsd-12.2
+ - name: freebsd-114-latest-py3
+ driver:
+ box: bento/freebsd-11.4
+ - name: openbsd-68-latest-py3
+ driver:
+ box: generic/openbsd6
 ssh:
- shell: '/bin/sh'
+ shell: /bin/ksh
+
+provisioner:
+ salt_install: bootstrap
diff --git a/kitchen.yml b/kitchen.yml
index 1fcd3e5..8405d65 100644
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -310,6 +310,7 @@ suites:
 - name: default
 driver:
 hostname: example.net
+ vm_hostname: example.net
 provisioner:
 state_top:
 base:
From 4c857fe07156260a206c9d33c7a87ce60a324803 Mon Sep 17 00:00:00 2001
From: Imran Iqbal
Date: Thu, 25 Mar 2021 01:17:01 +0000
Subject: [PATCH 2/4] test(freebsd): add `map.jinja` verification files (for 11.4 & 12.2)
---
 .../default/files/_mapdata/freebsd-11.yaml | 183 ++++++++++++++++++
 .../default/files/_mapdata/freebsd-12.yaml | 183 ++++++++++++++++++
 2 files changed, 366 insertions(+)
 create mode 100644 test/integration/default/files/_mapdata/freebsd-11.yaml
 create mode 100644 test/integration/default/files/_mapdata/freebsd-12.yaml
diff --git a/test/integration/default/files/_mapdata/freebsd-11.yaml b/test/integration/default/files/_mapdata/freebsd-11.yaml
new file mode 100644
index 0000000..25bd766
--- /dev/null
+++ b/test/integration/default/files/_mapdata/freebsd-11.yaml
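Review bot: The three platforms added in the `kitchen.vagrant.yml` hunk pull `bento/freebsd-12.2`, `bento/freebsd-11.4` and `generic/openbsd6` from Vagrant Cloud with no version constraint, so each `kitchen create` takes whichever box version the publisher most recently uploaded and a passing or failing run cannot be tied to a fixed image. kitchen-vagrant's `box_version` key under each platform's `driver:` pins it, e.g. `box: bento/freebsd-12.2` followed by `box_version: '<pinned-box-version>'` (placeholder), and the same key belongs under the other two platforms. The `salt_install: bootstrap` setting at the end of the hunk fetches the Salt bootstrap script at run time as well, which is the same reproducibility consideration, though it lies outside the platform change itself.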
@@ -0,0 +1,183 @@ +# yamllint disable rule:indentation rule:line-length +# FreeBSD-12 +--- +values: + map_jinja: + sources: + - Y:G@osarch + - Y:G@os_family + - Y:G@os + - Y:G@osfinger + - C:SUB@openssh:lookup + - C:SUB@openssh + - C:SUB@sshd_config:lookup + - C:SUB@sshd_config + - C:SUB@ssh_config:lookup + - C:SUB@ssh_config + - Y:G@id + openssh: + absent_dsa_keys: false + absent_ecdsa_keys: false + absent_ed25519_keys: false + absent_rsa_keys: false + auth: + joe-non-valid-ssh-key: + - comment: obsolete key - removed + enc: ssh-rsa + present: false + source: salt://ssh_keys/joe.no-valid.pub + user: joe + joe-valid-ssh-key-desktop: + - comment: main key - desktop + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.desktop.pub + user: joe + joe-valid-ssh-key-notebook: + - comment: main key - notebook + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.netbook.pub + user: joe + auth_map: + personal_keys: + source: salt://ssh_keys + users: + joe: + joe.desktop: {} + joe.netbook: + options: [] + joe.no-valid: + present: false + banner: /etc/ssh/banner + banner_src: banner + banner_string: 'Welcome to example.net! 
+ ' + client_version: latest + dig_pkg: bind-tools + dsa: + private_key: '-----BEGIN DSA PRIVATE KEY----- + + NOT_DEFINED + + -----END DSA PRIVATE KEY----- + ' + public_key: 'ssh-dss NOT_DEFINED + ' + ecdsa: + private_key: '-----BEGIN EC PRIVATE KEY----- + + NOT_DEFINED + + -----END EC PRIVATE KEY----- + ' + public_key: 'ecdsa-sha2-nistp256 NOT_DEFINED + ' + ed25519: + private_key: '-----BEGIN OPENSSH PRIVATE KEY----- + + NOT_DEFINED + + -----END OPENSSH PRIVATE KEY----- + ' + public_key: 'ssh-ed25519 NOT_DEFINED + ' + enforce_rsa_size: false + generate_dsa_keys: false + generate_ecdsa_keys: false + generate_ed25519_keys: false + generate_rsa_keys: false + generate_rsa_size: 4096 + host_key_algos: ecdsa,ed25519,rsa + known_hosts: + aliases: + - cname-to-minion.example.org + - alias.example.org + hostnames: false + include_localhost: false + mine_hostname_function: public_ssh_hostname + mine_keys_function: public_ssh_host_keys + omit_ip_address: + - github.com + salt_ssh: + public_ssh_host_keys: + minion.id: 'ssh-rsa [...] + + ssh-ed25519 [...] + ' + public_ssh_host_names: + minion.id: + - minion.id + - alias.of.minion.id + user: salt-master + static: + github.com: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...] + gitlab.com: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...] 
+ target: '*' + tgt_type: glob + moduli: '# Time Type Tests Tries Size Generator Modulus + + 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63 + + 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB + + 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 + + 20120821050054 2 6 100 2047 5 
DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F + ' + provide_dsa_keys: false + provide_ecdsa_keys: false + provide_ed25519_keys: false + provide_rsa_keys: false + root_group: root + rsa: + private_key: '-----BEGIN RSA PRIVATE KEY----- + + NOT_DEFINED + + -----END RSA PRIVATE KEY----- + ' + public_key: 'ssh-rsa NOT_DEFINED + ' + server_version: latest + service: sshd + ssh_config: /etc/ssh/ssh_config + ssh_config_backup: true + ssh_config_group: wheel + ssh_config_mode: '644' + ssh_config_src: ssh_config + ssh_config_user: root + ssh_known_hosts: /etc/ssh/ssh_known_hosts + ssh_known_hosts_src: ssh_known_hosts + ssh_moduli: /etc/ssh/moduli + sshd_binary: /usr/sbin/sshd + sshd_config: /etc/ssh/sshd_config + sshd_config_backup: true + sshd_config_group: wheel + sshd_config_mode: '644' + sshd_config_src: sshd_config + sshd_config_user: root + sshd_enable: true + tofs: + source_files: + manage ssh_known_hosts file: + - alt_ssh_known_hosts + ssh_config: + - alt_ssh_config + sshd_banner: + - fire_banner + sshd_config: + - alt_sshd_config + ssh_config: + Hosts: + '*': + GSSAPIAuthentication: 'yes' + HashKnownHosts: 'yes' + SendEnv: LANG LC_* + sshd_config: + AcceptEnv: LANG LC_* + ChallengeResponseAuthentication: 'no' + PrintMotd: 'no' + Subsystem: sftp /usr/lib/openssh/sftp-server + UsePAM: 'yes' + X11Forwarding: 'yes' diff --git a/test/integration/default/files/_mapdata/freebsd-12.yaml b/test/integration/default/files/_mapdata/freebsd-12.yaml new file mode 100644 index 0000000..25bd766 --- /dev/null 
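Review bot: The header comment of the new `test/integration/default/files/_mapdata/freebsd-11.yaml` reads `# FreeBSD-12`, which is the label of the sibling `freebsd-12.yaml`; it should be `# FreeBSD-11` so the fixture names the platform it verifies. Both files carry blob id 25bd766, i.e. identical content, which is plausible if `map.jinja` yields the same values on 11.4 and 12.2, but it is worth confirming that the 11.4 fixture was captured from its own run rather than copied. Separately, the fixture records `root_group: root` (as do `freebsd-12.yaml` and, in the next commit, `openbsd-6.yaml`); on these BSDs gid 0 is `wheel`, so if any state consumes `root_group` on them the OS-family parameter files should override it — the OpenBSD parameters hunk later in this series sets only the two `*_config_group` keys, so this cannot be confirmed from here.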
+++ b/test/integration/default/files/_mapdata/freebsd-12.yaml 
@@ -0,0 +1,183 @@ +# yamllint disable rule:indentation rule:line-length +# FreeBSD-12 +--- +values: + map_jinja: + sources: + - Y:G@osarch + - Y:G@os_family + - Y:G@os + - Y:G@osfinger + - C:SUB@openssh:lookup + - C:SUB@openssh + - C:SUB@sshd_config:lookup + - C:SUB@sshd_config + - C:SUB@ssh_config:lookup + - C:SUB@ssh_config + - Y:G@id + openssh: + absent_dsa_keys: false + absent_ecdsa_keys: false + absent_ed25519_keys: false + absent_rsa_keys: false + auth: + joe-non-valid-ssh-key: + - comment: obsolete key - removed + enc: ssh-rsa + present: false + source: salt://ssh_keys/joe.no-valid.pub + user: joe + joe-valid-ssh-key-desktop: + - comment: main key - desktop + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.desktop.pub + user: joe + joe-valid-ssh-key-notebook: + - comment: main key - notebook + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.netbook.pub + user: joe + auth_map: + personal_keys: + source: salt://ssh_keys + users: + joe: + joe.desktop: {} + joe.netbook: + options: [] + joe.no-valid: + present: false + banner: /etc/ssh/banner + banner_src: banner + banner_string: 'Welcome to example.net! 
+ ' + client_version: latest + dig_pkg: bind-tools + dsa: + private_key: '-----BEGIN DSA PRIVATE KEY----- + + NOT_DEFINED + + -----END DSA PRIVATE KEY----- + ' + public_key: 'ssh-dss NOT_DEFINED + ' + ecdsa: + private_key: '-----BEGIN EC PRIVATE KEY----- + + NOT_DEFINED + + -----END EC PRIVATE KEY----- + ' + public_key: 'ecdsa-sha2-nistp256 NOT_DEFINED + ' + ed25519: + private_key: '-----BEGIN OPENSSH PRIVATE KEY----- + + NOT_DEFINED + + -----END OPENSSH PRIVATE KEY----- + ' + public_key: 'ssh-ed25519 NOT_DEFINED + ' + enforce_rsa_size: false + generate_dsa_keys: false + generate_ecdsa_keys: false + generate_ed25519_keys: false + generate_rsa_keys: false + generate_rsa_size: 4096 + host_key_algos: ecdsa,ed25519,rsa + known_hosts: + aliases: + - cname-to-minion.example.org + - alias.example.org + hostnames: false + include_localhost: false + mine_hostname_function: public_ssh_hostname + mine_keys_function: public_ssh_host_keys + omit_ip_address: + - github.com + salt_ssh: + public_ssh_host_keys: + minion.id: 'ssh-rsa [...] + + ssh-ed25519 [...] + ' + public_ssh_host_names: + minion.id: + - minion.id + - alias.of.minion.id + user: salt-master + static: + github.com: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...] + gitlab.com: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...] 
+ target: '*' + tgt_type: glob + moduli: '# Time Type Tests Tries Size Generator Modulus + + 20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63 + + 20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB + + 20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53 + + 20120821050054 2 6 100 2047 5 
DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F + ' + provide_dsa_keys: false + provide_ecdsa_keys: false + provide_ed25519_keys: false + provide_rsa_keys: false + root_group: root + rsa: + private_key: '-----BEGIN RSA PRIVATE KEY----- + + NOT_DEFINED + + -----END RSA PRIVATE KEY----- + ' + public_key: 'ssh-rsa NOT_DEFINED + ' + server_version: latest + service: sshd + ssh_config: /etc/ssh/ssh_config + ssh_config_backup: true + ssh_config_group: wheel + ssh_config_mode: '644' + ssh_config_src: ssh_config + ssh_config_user: root + ssh_known_hosts: /etc/ssh/ssh_known_hosts + ssh_known_hosts_src: ssh_known_hosts + ssh_moduli: /etc/ssh/moduli + sshd_binary: /usr/sbin/sshd + sshd_config: /etc/ssh/sshd_config + sshd_config_backup: true + sshd_config_group: wheel + sshd_config_mode: '644' + sshd_config_src: sshd_config + sshd_config_user: root + sshd_enable: true + tofs: + source_files: + manage ssh_known_hosts file: + - alt_ssh_known_hosts + ssh_config: + - alt_ssh_config + sshd_banner: + - fire_banner + sshd_config: + - alt_sshd_config + ssh_config: + Hosts: + '*': + GSSAPIAuthentication: 'yes' + HashKnownHosts: 'yes' + SendEnv: LANG LC_* + sshd_config: + AcceptEnv: LANG LC_* + ChallengeResponseAuthentication: 'no' + PrintMotd: 'no' + Subsystem: sftp /usr/lib/openssh/sftp-server + UsePAM: 'yes' + X11Forwarding: 'yes' From 286856058ac1b7231cbd3455826a751963c3ca45 Mon Sep 17 00:00:00 2001 
From: Imran Iqbal
Date: Thu, 25 Mar 2021 01:13:00 +0000
Subject: [PATCH 3/4] fix(openbsd): fix `dig_pkg`, avoid `UsePAM` & add verification file
---
 openssh/known_hosts.sls | 6 +-
 openssh/parameters/os_family/OpenBSD.yaml | 2 +
 .../default/controls/config_spec.rb | 6 +-
 .../default/files/_mapdata/openbsd-6.yaml | 182 ++++++++++++++++++
 test/salt/pillar/default.sls | 2 +
 5 files changed, 194 insertions(+), 4 deletions(-)
 create mode 100644 test/integration/default/files/_mapdata/openbsd-6.yaml
diff --git a/openssh/known_hosts.sls b/openssh/known_hosts.sls
index 96338fb..0d729df 100644
--- a/openssh/known_hosts.sls
+++ b/openssh/known_hosts.sls
@@ -3,9 +3,13 @@
 {%- from tplroot ~ "/libtofs.jinja" import files_switch %}
 {%- set openssh = mapdata.openssh %}
+{%- if openssh.dig_pkg %}
 ensure dig is available:
 pkg.installed:
 - name: {{ openssh.dig_pkg }}
+ - require_in:
+ - file: manage ssh_known_hosts file
+{%- endif %}
 manage ssh_known_hosts file:
 file.managed:
@@ -19,5 +23,3 @@ manage ssh_known_hosts file:
 - user: root
 - group: {{ openssh.ssh_config_group }}
 - mode: 644
- - require:
- - pkg: ensure dig is available
diff --git a/openssh/parameters/os_family/OpenBSD.yaml b/openssh/parameters/os_family/OpenBSD.yaml
index b0b381c..d1d8bb1 100644
--- a/openssh/parameters/os_family/OpenBSD.yaml
+++ b/openssh/parameters/os_family/OpenBSD.yaml
@@ -12,6 +12,8 @@ values:
 openssh:
 service: sshd
+ # Already installed: `base68:/usr/bin/dig`
+ dig_pkg: ~
 sshd_config_group: wheel
 ssh_config_group: wheel
 sshd_config:
diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb
index 5a9ac25..b6b0260 100644
--- a/test/integration/default/controls/config_spec.rb
+++ b/test/integration/default/controls/config_spec.rb
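Review bot: In the `openssh/parameters/os_family/OpenBSD.yaml` hunk, `dig_pkg: ~` uses the tilde null form, which many readers take for a typo; `dig_pkg: null` carries the same value explicitly and is the value the new `{%- if openssh.dig_pkg %}` guard in `openssh/known_hosts.sls` switches on. The comment above it names the `base68` set, which ties the explanation to release 6.8 and will go stale on every OpenBSD release; `# dig ships in the OpenBSD base set, so no package needs to be installed` gives the reason without the version. The guarded `ensure dig is available` state, when skipped, leaves nothing asserting that `dig` is present, which is acceptable given the base-set rationale but worth stating in that comment too.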
@@ -27,7 +27,9 @@ control 'openssh configuration' do
 its('content') { should include 'PrintMotd no' }
 its('content') { should include 'AcceptEnv LANG LC_*' }
 its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
- its('content') { should include 'UsePAM yes' }
+ unless %w[openbsd].include?(platform[:name])
+ its('content') { should include 'UsePAM yes' }
+ end
 end
 describe file('/etc/ssh/ssh_config') do
@@ -45,7 +47,7 @@ control 'openssh configuration' do
 it { should be_file }
 its('mode') { should cmp '0644' }
 it { should be_owned_by 'root' }
- it { should be_grouped_into 'root' }
+ it { should be_grouped_into root_group }
 its('content') { should include github_known_host }
 its('content') { should match(gitlab_known_host_re) }
 its('content') { should include minion_rsa_known_host }
diff --git a/test/integration/default/files/_mapdata/openbsd-6.yaml b/test/integration/default/files/_mapdata/openbsd-6.yaml
new file mode 100644
index 0000000..ca634ba
--- /dev/null
+++ b/test/integration/default/files/_mapdata/openbsd-6.yaml
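Review bot: The OpenBSD branch in the first hunk only skips the `UsePAM yes` assertion; nothing checks that the directive is actually absent on OpenBSD, so if the Jinja gating added to `test/salt/pillar/default.sls` in this same commit regressed and emitted `UsePAM` there, this control would still pass even though the commit message says the option must be avoided on that platform. Asserting both sides makes the test pin the behaviour rather than merely tolerate it. `root_group` in the second hunk is not defined within the hunk; it presumably comes from the control's preamble outside it, as does the enclosing `describe file(...)` block, so that definition should be checked. Style: a one-element `%w[openbsd].include?(platform[:name])` is just `platform[:name] == 'openbsd'`.
```ruby
# … unchanged: PrintMotd / AcceptEnv / Subsystem assertions …
if platform[:name] == 'openbsd'
  its('content') { should_not include 'UsePAM' }
else
  its('content') { should include 'UsePAM yes' }
end
```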
@@ -0,0 +1,182 @@ +# yamllint disable rule:indentation rule:line-length +# OpenBSD-6 +--- +values: + map_jinja: + sources: + - Y:G@osarch + - Y:G@os_family + - Y:G@os + - Y:G@osfinger + - C:SUB@openssh:lookup + - C:SUB@openssh + - C:SUB@sshd_config:lookup + - C:SUB@sshd_config + - C:SUB@ssh_config:lookup + - C:SUB@ssh_config + - Y:G@id + openssh: + absent_dsa_keys: false + absent_ecdsa_keys: false + absent_ed25519_keys: false + absent_rsa_keys: false + auth: + joe-non-valid-ssh-key: + - comment: obsolete key - removed + enc: ssh-rsa + present: false + source: salt://ssh_keys/joe.no-valid.pub + user: joe + joe-valid-ssh-key-desktop: + - comment: main key - desktop + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.desktop.pub + user: joe + joe-valid-ssh-key-notebook: + - comment: main key - notebook + enc: ssh-rsa + present: true + source: salt://ssh_keys/joe.netbook.pub + user: joe + auth_map: + personal_keys: + source: salt://ssh_keys + users: + joe: + joe.desktop: {} + joe.netbook: + options: [] + joe.no-valid: + present: false + banner: /etc/ssh/banner + banner_src: banner + banner_string: 'Welcome to example.net! 
+ ' + client_version: latest + dig_pkg: ~ + dsa: + private_key: '-----BEGIN DSA PRIVATE KEY----- + + NOT_DEFINED + + -----END DSA PRIVATE KEY----- + ' + public_key: 'ssh-dss NOT_DEFINED + ' + ecdsa: + private_key: '-----BEGIN EC PRIVATE KEY----- + + NOT_DEFINED + + -----END EC PRIVATE KEY----- + ' + public_key: 'ecdsa-sha2-nistp256 NOT_DEFINED + ' + ed25519: + private_key: '-----BEGIN OPENSSH PRIVATE KEY----- + + NOT_DEFINED + + -----END OPENSSH PRIVATE KEY----- + ' + public_key: 'ssh-ed25519 NOT_DEFINED + ' + enforce_rsa_size: false + generate_dsa_keys: false + generate_ecdsa_keys: false + generate_ed25519_keys: false + generate_rsa_keys: false + generate_rsa_size: 4096 + host_key_algos: ecdsa,ed25519,rsa + known_hosts: + aliases: + - cname-to-minion.example.org + - alias.example.org + hostnames: false + include_localhost: false + mine_hostname_function: public_ssh_hostname + mine_keys_function: public_ssh_host_keys + omit_ip_address: + - github.com + salt_ssh: + public_ssh_host_keys: + minion.id: 'ssh-rsa [...] + + ssh-ed25519 [...] + ' + public_ssh_host_names: + minion.id: + - minion.id + - alias.of.minion.id + user: salt-master + static: + github.com: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...] + gitlab.com: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...] 
+ target: '*' + tgt_type: glob + moduli: '# Time Type Tests Tries Size Generator Modulus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provide_dsa_keys: false + provide_ecdsa_keys: false + provide_ed25519_keys: false + provide_rsa_keys: false + root_group: root + rsa: + private_key: '-----BEGIN RSA PRIVATE KEY----- + + NOT_DEFINED + + -----END RSA PRIVATE KEY----- + ' + public_key: 'ssh-rsa NOT_DEFINED + ' + server_version: latest + service: sshd + ssh_config: /etc/ssh/ssh_config + ssh_config_backup: true + ssh_config_group: wheel + ssh_config_mode: '644' + ssh_config_src: ssh_config + ssh_config_user: root + ssh_known_hosts: /etc/ssh/ssh_known_hosts + ssh_known_hosts_src: ssh_known_hosts + ssh_moduli: /etc/ssh/moduli + sshd_binary: /usr/sbin/sshd + sshd_config: /etc/ssh/sshd_config + sshd_config_backup: true + sshd_config_group: wheel + sshd_config_mode: '644' + sshd_config_src: sshd_config + sshd_config_user: root + sshd_enable: true + tofs: + source_files: + manage ssh_known_hosts file: + - alt_ssh_known_hosts + ssh_config: + - alt_ssh_config + sshd_banner: + - fire_banner + sshd_config: + - alt_sshd_config + ssh_config: + Hosts: + '*': + GSSAPIAuthentication: 'yes' + HashKnownHosts: 'yes' + SendEnv: LANG LC_* + sshd_config: + AcceptEnv: LANG LC_* + ChallengeResponseAuthentication: 'no' + PrintMotd: 'no' + Subsystem: sftp /usr/lib/openssh/sftp-server + X11Forwarding: 'yes' diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls index 664b4cd..3551607 100644 --- a/test/salt/pillar/default.sls +++ b/test/salt/pillar/default.sls @@ -22,7 +22,9 @@ sshd_config: PrintMotd: 'no' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" + {%- if grains.os != "OpenBSD" %} UsePAM: 'yes' + {%- endif %} ssh_config: Hosts: From 2f8c31c66c56d7c7626c5193d7386cc280e16322 Mon Sep 17 00:00:00 2001 
From: Imran Iqbal
Date: Fri, 26 Mar 2021 14:26:34 +0000
Subject: [PATCH 4/4] docs(readme): add `Testing with Vagrant` section
---
 docs/README.rst | 63 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 1 deletion(-)
diff --git a/docs/README.rst b/docs/README.rst
index 5f65482..6acccf1 100644
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -266,7 +266,7 @@ e.g. ``debian-9-2019-2-py3``.
 ``bin/kitchen converge``
 ^^^^^^^^^^^^^^^^^^^^^^^^
-Creates the docker instance and runs the ``template`` main state, ready for testing.
+Creates the docker instance and runs the ``openssh`` main states, ready for testing.
 ``bin/kitchen verify``
 ^^^^^^^^^^^^^^^^^^^^^^
@@ -288,3 +288,64 @@ Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``veri
 Gives you SSH access to the instance for manual testing.
+Testing with Vagrant
+--------------------
+
+Windows/FreeBSD/OpenBSD testing is done with ``kitchen-salt``.
+
+Requirements
+^^^^^^^^^^^^
+
+* Ruby
+* Virtualbox
+* Vagrant
+
+Setup
+^^^^^
+
+.. code-block:: bash
+
+ $ gem install bundler
+ $ bundle install --with=vagrant
+ $ bin/kitchen test [platform]
+
+Where ``[platform]`` is the platform name defined in ``kitchen.vagrant.yml``,
+e.g. ``windows-81-latest-py3``.
+
+Note
+^^^^
+
+When testing using Vagrant you must set the environment variable ``KITCHEN_LOCAL_YAML`` to ``kitchen.vagrant.yml``. For example:
+
+.. code-block:: bash
+
+ $ KITCHEN_LOCAL_YAML=kitchen.vagrant.yml bin/kitchen test # Alternatively,
+ $ export KITCHEN_LOCAL_YAML=kitchen.vagrant.yml
+ $ bin/kitchen test
+
+Then run the following commands as needed.
+
+``bin/kitchen converge``
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Creates the Vagrant instance and runs the ``openssh`` main states, ready for testing.
+
+``bin/kitchen verify``
+^^^^^^^^^^^^^^^^^^^^^^
+
+Runs the ``inspec`` tests on the actual instance.
+
+``bin/kitchen destroy``
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Removes the Vagrant instance.
+
+``bin/kitchen test``
+^^^^^^^^^^^^^^^^^^^^
+
+Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.
+
+``bin/kitchen login``
+^^^^^^^^^^^^^^^^^^^^^
+
+Gives you RDP/SSH access to the instance for manual testing.