puppet-lint-infrasecure 1.1.0

data/lib/puppet-lint-infrasecure/regex.rb

@@ -0,0 +1,18 @@
+module Regex  
+  class FromConfig
+    attr_accessor :whitelist, :dependencies
+
+    def initialize()
+      @whitelist = nil
+      @dependencies = nil
+    end
+
+    def load_whitelist(path)
+      @whitelist = Regexp.new File.open(path).read.gsub("\n",'|')
+    end
+
+    def load_dependencies(path)
+      @dependencies =  Regexp.new YAML.load_file(path).join('|')
+    end
+  end
+end

data/lib/puppet-lint-infrasecure/rules.rb

@@ -0,0 +1,51 @@
+module Rules
+    class << self
+        attr_accessor :password
+        attr_accessor :credentials
+        attr_accessor :cyrillic
+        attr_accessor :secret
+        attr_accessor :nonsecret
+        attr_accessor :ip_addr_bind
+        attr_accessor :susp_comment
+        attr_accessor :http
+        attr_accessor :poor_crypto
+        attr_accessor :whitelist
+        attr_accessor :dependencies
+    end
+  
+    def self.password
+      @password ||= /pass(word|_|$)|pwd/
+    end
+
+    def self.credentials
+        @credentials ||= /user|usr|pass(word|_|$)|pwd/
+    end
+
+    def self.cyrillic
+        @cyrillic ||= /^(http(s)?:\/\/)?.*\p{Cyrillic}+/
+    end
+
+    def self.secret
+        @secret ||= /user|usr|pass(word|_|$)|pwd|key|secret/
+    end
+
+    def self.nonsecret
+        @nonsecret ||= /gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid/
+    end
+
+    def self.ip_addr_bind
+        @ip_addr_bind ||= /^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$/
+    end
+
+    def self.susp_comment
+        @susp_comment ||= /hack|fixme|ticket|bug|hack|checkme|secur|debug|defect|weak/
+    end
+
+    def self.http
+        @http ||=  /^http:\/\/.+/
+    end
+
+    def self.poor_crypto
+        @poor_crypto ||=  /^(sha1|md5)/
+    end
+end

data/lib/puppet-lint-infrasecure/version.rb

@@ -0,0 +1,3 @@
+class InfraSecure
+    VERSION = '1.1.0'
+end

data/lib/puppet-lint-infrasecure.rb

@@ -0,0 +1,62 @@
+require 'puppet-lint'
+require 'puppet-lint/linter'
+require 'puppet-lint-infrasecure/regex'
+require 'puppet-lint-infrasecure/rules'
+require 'dotenv/load'
+require 'json'
+require 'yaml'
+
+
+def get_root()
+  return File.dirname(File.expand_path(__FILE__))
+end 
+
+def get_config(root)
+  return File.join(root, 'puppet-lint-infrasecure/config/')
+end
+
+def get_depen(root)
+  return File.join(root, 'puppet-lint-infrasecure/dependencies/')
+end
+
+def load_regex(cpath)
+  regex = Regex::FromConfig.new()
+  # load dependencies list
+  dpath = "#{cpath}dependencies.yml"
+  regex.load_dependencies(dpath)
+
+  # if a .env files exists
+  if File.exist?('.env')
+    # loads .env file
+    Dotenv.load('.env')
+    # if config for WHITELIST exists
+    if ENV.has_key?('WHITELIST')
+      # loads whitelist urls
+      if ENV['WHITELIST'] != '' and File.exist?(ENV['WHITELIST'])
+        regex.load_whitelist(ENV['WHITELIST'])
+        return regex
+      end
+    end
+  end
+  # config default list
+  wpath = "#{cpath}whitelist"
+  regex.load_whitelist(wpath)
+  return regex
+end
+
+module Config
+  class << self
+    attr_accessor :regex
+    attr_accessor :path
+  end
+
+  def self.regex
+    @regex ||= regex.new
+  end
+
+  def self.dpath
+    @path ||= get_depen(get_root())
+  end
+end
+
+Config.regex = load_regex(get_config(get_root()))

data/spec/puppet-lint/plugins/check_admin_by_default_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+describe 'admin_by_default' do
+    let(:msg) { '[SECURITY] Admin by default (line=6, col=24) | Do not make user/password as admin as for $user in line 6. This can be easily exploited.' }
+    
+    context 'with fix disabled' do
+        context 'user configuration as admin' do
+            let(:code) { "
+    class swift::test_file (
+        $password,
+        $auth_server = '127.0.0.1',
+        $tenant      = 'openstack',
+        $user        = 'admin'
+
+    ) {
+        include swift::deps
+          
+        file { '/tmp/swift_test_file.rb':
+            mode    => '0755',
+            content => template('swift/swift_keystone_test.erb'),
+            tag     => 'swift-file',
+        }
+    }     
+    " }
+            it 'should detect one problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning for svnwc user config' do
+                expect(problems).to contain_warning(msg).on_line(6).in_column(24)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb

@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe 'cyrillic_homograph_attack' do
+    let(:msg) {'[SECURITY] Homograph Attack (line=2, col=35). This link (https://www.аpple.com/phish) has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.' }
+    
+    context 'with fix disabled' do
+        context 'homograph attack using cyrillic chars not rendered by normal browsers' do
+            let(:code) { "
+                $apple_phishing = 'https://www.аpple.com/phish'
+                $apple_ok = 'https://www.apple.com/ok'
+            " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(2).in_column(35)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_empty_password_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'empty_password' do
+    let(:msg) { '[SECURITY] Empty Password (line=12, col=32) | Do not keep the password field empty as for $password in line 12. Use kms/heira/vault instead.' }
+    
+    context 'with fix disabled' do
+        context 'code configuration using empty passwords' do
+            let(:code) { "
+    define znc::user (
+        $ensure          = 'present',
+        $realname        = undef,
+        $admin           = false,
+        $buffer          = 500,
+        $keepbuffer      = true,
+        $server          = 'irc.freenode.net',
+        $port            = 6667,
+        $ssl             = false,
+        $quitmsg         = 'quit',
+        $password            = '',
+        $channels        = undef,
+        $network         = undef,
+        $maxnetworks     = 1,
+        $loadmodules     = undef,) {
+        if ! defined(Class['znc']) {
+            fail('You must include znc base class before using any user defined resources')
+        }
+        include znc::params
+          
+        File {
+            owner => $::znc::params::zc_user,
+            group => $::znc::params::zc_group,
+            mode  => '0600',
+        }
+        
+
+        $real_htpasswd_file = $htpasswd_file ? {
+            ''      => '${apache::params::config_dir}/htpasswd'
+}
+
+        Exec {
+            path => '/bin:/sbin:/usr/bin:/usr/sbin', 
+        }
+    }      
+    " }
+  
+            it 'should detect one problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning for svnwc user config' do
+                expect(problems).to contain_warning(msg).on_line(12).in_column(32)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'hardcoded_secret' do
+    let(:msg) { '[SECURITY] Hard Coded Secret (line=10, col=27) | Do not keep secrets on your scripts as for $username = apmirror in 10. Use kms/heira/vault instead.' }
+    
+    context 'with fix disabled' do
+        context 'code contains hard coded usernames' do
+            let(:code) { "
+    class apmirror (
+        $uid            = 508,
+        $gid            = 508,
+        $group_present  = 'present',
+        $groupname      = 'apmirror',
+        $groups         = [],
+        $service_ensure = 'running',
+        $shell          = '/bin/bash',
+        $username       = 'apmirror',
+        $packages       = ['libwww-perl', 'libnet-dns-perl'],
+    ){
+        package { $packages:
+            ensure => present,
+        }
+
+        $cert_generation_class      = '::puppet::puppetserver::generate_cert'
+
+        $pwd = 'unset'
+        $pwd = $cert
+        $pwd = 'pe-puppet'
+          
+        user { $username:
+            ensure     => $user_present,
+            name       => $username,
+            home       => '/home/${username}',
+            shell      => $shell,
+            uid        => $uid,
+            gid        => $groupname,
+            groups     => $groups,
+            managehome => true,
+            require    => [ Group[$groupname], Group[$apbackup::username] ],
+        }
+    }
+    " }
+  
+            it 'should detect one problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning for username hard coded config' do
+                expect(problems).to contain_warning(msg).on_line(10).in_column(27)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe 'invalid_ip_addr_binding' do
+    let(:msg) {'[SECURITY] Invalid IP Address Binding (line=4, col=30) | Don\'t bind your host to 0.0.0.0. This config allows connections from every possible network. Restrict your available IPs.' }
+    
+    context 'with fix disabled' do
+        context 'invalid ip adress binding configuration' do
+            let(:code) { "
+    class centos_cloud::controller::nova (
+        $allowed_hosts     = '172.22.6.%',
+        $bind_host         = '0.0.0.0',
+        $controller        = 'controller.openstack.ci.centos.org',
+        $memcached_servers = ['127.0.0.1:11211'],
+        $password          = 'nova',
+        $password_api      = 'nova_api',
+        $rabbit_port       = '5672',
+        $user              = 'nova',
+        $user_api          = 'nova_api',
+        $neutron_password  = 'neutron',
+        $workers           = '8',
+        $threads           = '1'
+    ) { 
+        rabbitmq_user { $user:
+            admin    => true,
+            provider => 'rabbitmqctl',
+            require  => Class['::rabbitmq']
+        }
+
+        if $bind_ip == '0.0.0.0' {
+            $bind_ip_real = '127.0.0.1'
+          } else {
+            $bind_ip_real = $bind_ip
+          }        
+    }
+    " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(4).in_column(30)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_malicious_dependency_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'malicious_dependency' do
+    let(:msg) {'[SECURITY] Malicious Dependency (line=10, col=40) | This software is using a third-party library/software (postgresql v9.4) affected by known CVEs (CVE-2017-12172, CVE-2017-15098, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, CVE-2016-0766, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424).'}
+    
+    context 'with fix disabled' do
+        context 'software uses malicious dependencies' do
+            let(:code) { "
+                postgresql::server::pg_hba_rule { 'allow application network to access app database':
+                    description        => 'Open up postgresql for access from 200.1.2.0/24',
+                    type               => 'host',
+                    database           => 'app',
+                    user               => 'app',
+                    address            => '200.1.2.0/24',
+                    auth_method        => 'md5',
+                    target             => '/path/to/pg_hba.conf',
+                    postgresql_version => '9.4',
+                  }
+                  
+                class { 'test':
+                    openstack_version => '10'
+                }
+
+                class { 'postgresql::globals':
+                    manage_package_repo => true,
+                    version             => '9.2',
+                }
+            " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(3).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(10).in_column(40)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_suspicious_comment_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe 'suspicious_comment' do
+    let(:msg) { '[SECURITY] Suspicious Comment (line=8, col=9) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.' }
+    
+    context 'with fix disabled' do
+        context 'code with suspicious comment' do
+            let(:code) { "
+    if $::realm == 'labs' {
+        # The 'ssh-key-ldap-lookup' tool is called during login ssh via AuthorizedKeysCommand.  It
+        #  returns public keys from ldap for the specified username.
+        # It is in /usr/sbin and not /usr/local/sbin because on Debian /usr/local is 0775
+        # and sshd refuses to use anything under /usr/local because of the permissive group
+        # permission there (and group is set to 'staff', slightly different from root).
+        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
+        if os_version('debian == jessie') {
+            file { '/usr/sbin/ssh-key-ldap-lookup':
+                owner  => 'root',
+                group  => 'root',
+                mode   => '0555',
+                source => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup-python2.py',
+            }
+        } else {
+            file { '/usr/sbin/ssh-key-ldap-lookup':
+                owner  => 'root',
+                group  => 'root',
+                mode   => '0555',
+                source => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup.py',
+            }
+        }
+        # sshd will only run ssh-key-ldap-lookup as the 'ssh-key-ldap-lookup' user.
+        user { 'ssh-key-ldap-lookup':
+            ensure => present,
+            system => true,
+            home   => '/nonexistent', # Since things seem to check for $HOME/.whatever unconditionally...
+            shell  => '/bin/false',
+        }
+    }
+    " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(8).in_column(9)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_use_http_without_tls_spec.rb

@@ -0,0 +1,100 @@
+require 'spec_helper'
+
+describe 'use_http_without_tls' do
+    let(:msg) { '[SECURITY] HTTP without TLS (line=2, col=23) | Do not use HTTP without TLS as in http://localhost:2021. This may cause a MITM attack.' }
+  
+    context 'with fix disabled' do
+        context 'configuration using http' do
+            let(:code) { "
+            $server = 'http://localhost:2021'
+
+    apt::source { 'deb-updates':
+    location          => 'http://ftp.nl.debian.org/debian/',
+    release           => 'jessie-updates',
+    repos             => 'main',
+    include_src       => true
+        }
+    
+    wget::fetch { 'deb-updates':
+    location          => 'http://ftp.nl.debian.org/debian/',
+    release           => 'jessie-updates',
+    repos             => 'main',
+    include_src       => true
+        }
+
+        aptly::mirror {
+            'aptly':
+              location => 'http://repo.aptly.info',
+              release  => 'squeeze',
+              key      => 'ED75B5A4483DA07C';
+            'duplicity':
+              location => 'http://ppa.launchpad.net/duplicity-team/ppa/ubuntu',
+              release  => 'trusty',
+              key      => 'AF953139C1DF9EF3476DE1D58F571BB27A86F4A2';
+            'docker':
+              location => 'https://download.docker.com/linux/ubuntu',
+              release  => 'trusty',
+              repos    => ['stable'],
+              key      => '9DC858229FC7DD38854AE2D88D81803C0EBFCD88';
+            'govuk-ppa-trusty':
+              location => 'http://ppa.launchpad.net/gds/govuk/ubuntu',
+              release  => 'trusty',
+              key      => '914D5813';
+            'grafana':
+              location => 'https://packagecloud.io/grafana/stable/debian',
+              release  => 'jessie',
+              key      => '418A7F2FB0E1E6E7EABF6FE8C2E73424D59097AB';
+        }
+
+        apt::source {
+      'debian':
+        location => 'http://mirrors/debian/',
+        release  => $::lsbdistcodename,
+        repos    => $repos,
+        include  => {
+          src => true
+        };
+
+      'debian-updates':
+        location => 'http://mirrors/debian/',
+        release  => 'updates',
+        repos    => $repos,
+        include  => {
+          src => true
+        };
+    }
+        $package_gpg_key            = 'http://www.rabbitmq.com/rabbitmq-signing-key-public.asc'
+        $elasticsearch_uri = 'http://elasticsearch6'
+
+        $check = $puppet_metrics_dashboard::use_dashboard_ssl ? {
+            true    => 'https',
+            default => 'http',
+          }
+        
+        mirrorlist     => 'http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates'
+
+
+        $fedora = 'http://archives.fedoraproject.org/pub/archive/fedora/linux/releases'
+        $fedora_2 = 'http://archives.fedoraproject.org/pub/archive/fedora/linux/releases'
+
+        yumrepo{'contrib':
+        descr          => 'CentOS-$releasever - Contrib',
+        baseurl    => 'http://pulp.inuits.eu/pulp/repos/centos/$releasever/contrib/$basearch'
+    }
+
+        $backports_location = 'http://hello.com'
+
+        $pwd = root
+        changes => 'set exist/xquery/builtin-modules/module[#attribute/uri = \"http://exist-db.org/xquery/xmldiff\"]/#attribute/class org.exist.xquery.modules.xmldiff.XmlDiffModule'
+    " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(2).in_column(23)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_use_of_weak_crypto_algorithm_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'use_of_weak_crypto_algorithm' do
+    let(:msg) { '[SECURITY] Weak Crypto Algorithm (line=22, col=21) | Do not use sha1, as they have security weakness. Use SHA-512 instead.' }
+    
+    context 'with fix disabled' do
+        context 'code using unsecure algorithms' do
+            let(:code) { "
+    notice(artifactory_sha1('http://bit.ly/1Tfk4vQ'))
+    define tomcat::instance (
+        $catalina_home          = undef,
+        $catalina_base          = undef,
+        $user                   = undef,
+        $group                  = undef,
+        $manage_user            = undef,
+        $manage_group           = undef,
+        $manage_service         = undef,
+        $manage_base            = undef,
+        $java_home              = undef,
+        $use_jsvc               = undef,
+        $use_init               = undef,
+        $install_from_source    = undef,
+        $source_url             = undef,
+        $source_strip_first_dir = undef,
+        $package_ensure         = undef,
+        $package_name           = undef,
+        $package_options        = undef,
+    ) {
+        $home_sha = sha1($_catalina_home)
+    }
+    " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(22).in_column(21)
+            end
+        end
+    end
+end

data/spec/puppet-lint/plugins/check_weak_password_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+describe 'weak_password' do
+    let(:msg) { '[SECURITY] Weak Password (line=9, col=20) | Passwords should be strong to be hard to uncover by hackers (weak_password=12345678). In any case, you should use kms/heira/vault to store secrets instead.' }
+    
+    context 'with fix disabled' do
+        context 'code using weak password' do
+            let(:code) { "
+            $sievedir      = '/var/imap/sieve'
+            $statedir      = '/var/imap'
+            $spooldir      = '/var/spool/imap'
+            $lmtp_external   = get_var('imap_lmtp_external', false)
+          
+            $dashboard_password = '!$jNb#khug679!'
+            $template_imapd = template_version($version_imapd, '2.3.12_p2@2.3.13@:2.3.12_p2,', '2.3.12_p2')
+            $pwd = '12345678'
+
+            " }
+  
+            it 'should detect a single problem' do
+                expect(problems).to have(1).problem
+            end
+  
+            it 'should create a warning' do
+                expect(problems).to contain_warning(msg).on_line(9).in_column(20)
+            end
+        end
+    end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+require 'puppet-lint'
+
+PuppetLint::Plugins.load_spec_helper