puppet-lint-nine-check 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7bd04cd6c797fc8dfcfa90947cf9fa8464765f17da05128333b5d60ef24d7bd5
+  data.tar.gz: ebbb400e531834f99523e76881e0b874c0d0b341323714ed20d6555bcca2c981
+SHA512:
+  metadata.gz: a195b46f95951a594d854b5301e5093734d044f1d24fc1d4c3fd1f1c72bfa2c482e6feefd625df9cd331255c10724135aa8da5f43a610d2d06e270b263b13f9a
+  data.tar.gz: 632e08c48a1a0a1549c14c4b7738a7a77390c4d09d80e55a95d0b517b8c68186fe030587d1244faf613eb61cf5cf50cc319180586f9ba7c7fb97a57516d06e98

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Nine Internet Solutions AG
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,45 @@
+## Overview
+
+This linter will convert from legacy facts like `$::nine_location` or legacy hashed facts like `$facts['nine_location']` to the new structured facts like
+`$facts['nine_metadata']['location']`.
+
+## Installing
+
+### From the command line
+
+```shell
+$ gem install puppet-lint-nine-check
+```
+
+### In a Gemfile
+
+```ruby
+gem 'puppet-lint-nine-check', :require => false
+```
+
+#### Disabling the check
+
+To disable this check, you can add `--no-nine` to your puppet-lint
+command line.
+
+```shell
+$ puppet-lint --no-nine path/to/file.pp
+```
+
+Alternatively, if you’re calling puppet-lint via the Rake task, you should
+insert the following line to your `Rakefile`.
+
+```ruby
+PuppetLint.configuration.send('disable_nine')
+```
+
+Alternatively, you can disable it directly in your puppet manifest.
+
+```puppet
+# lint:ignore:nine
+$package_name = $facts['operatingsystem'] {
+  'CentOS' => 'httpd',
+  'Debian' => 'apache2',
+}
+# lint:endignore
+```

data/lib/puppet-lint/plugins/concatenated_template_files.rb

@@ -0,0 +1,59 @@
+# https://github.com/deanwilson/puppet-lint-concatenated_template_files-check/blob/4591aca68f0c30ffb52012db7e31a94b42830f0e/lib/puppet-lint/plugins/concatenated_template_files.rb
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Dean Wilson
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+PuppetLint.new_check(:concatenated_template_files) do
+  def check
+    resource_indexes.each do |resource|
+      next unless resource[:type].value == "file"
+
+      content_tokens = resource[:param_tokens].select { |pt| pt.value == "content" }
+
+      content_tokens.each do |content_token|
+        value_token = content_token.next_code_token.next_code_token
+
+        next unless value_token.value == "template"
+
+        file_names = []
+
+        current_token = value_token.next_token
+        until current_token.type == :RPAREN
+          current_token = current_token.next_code_token
+          file_names << current_token.value if current_token.type == :SSTRING
+        end
+
+        next unless file_names.length > 1
+
+        warning = 'calling "template" with multiple files concatenates them into a single string'
+
+        notify :warning, {
+          message: warning,
+          line: value_token.line,
+          column: value_token.column,
+          param_token: content_token,
+          value_token: value_token
+        }
+      end
+    end
+  end
+end

data/lib/puppet-lint/plugins/explicit_hiera_class_param_lookup.rb

@@ -0,0 +1,47 @@
+# https://github.com/deanwilson/puppet-lint-explicit_hiera_class_param_lookup-check/blob/c2c23f4635017172dee1896c8e81c4d150586759/lib/puppet-lint/plugins/explicit_hiera_class_param_lookup.rb
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Dean Wilson
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+PuppetLint.new_check(:explicit_hiera_class_param_lookup) do
+  def check
+    class_indexes.each do |class_idx|
+      next unless class_idx[:param_tokens].is_a? Array
+
+      tokens = class_idx[:param_tokens].select do |t|
+        (t.type == :NAME or t.type == :FUNCTION_NAME) and t.value == "hiera"
+      end
+
+      tokens.each do |token|
+        next unless token.next_code_token.type == :LPAREN
+
+        hiera_key = token.next_code_token.next_code_token
+
+        notify :error, {
+          message: "explicit hiera() lookup of #{hiera_key.value}",
+          line: hiera_key.line,
+          column: hiera_key.column
+        }
+      end
+    end
+  end
+end

data/lib/puppet-lint/plugins/nine_legacy_facts.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+PuppetLint.new_check(:nine_legacy_facts) do
+  def legacy_fact_tokens
+    tokens.select { |x| [:VARIABLE, :UNENC_VARIABLE].include?(x.type) }
+  end
+
+  # These facts have a one to one correlation between a legacy fact and a new
+  # structured fact.
+  def fixable_facts
+    {
+      "nine_customer" => "facts['nine_metadata']['customer']",
+      "nine_location" => "facts['nine_metadata']['location']"
+    }
+  end
+
+  # A list of valid hash key token types
+  def hash_key_type?(type)
+    [
+      :STRING,  # Double quoted string
+      :SSTRING, # Single quoted string
+      :NAME    # Unquoted single word
+    ].include?(type)
+  end
+
+  def check
+    legacy_fact_tokens.each do |token|
+      fact_name = ""
+
+      # Get rid of the top scope before we do our work. We don't need to
+      # preserve it because it won't work with the new structured facts.
+      if token.value.start_with?("::")
+        fact_name = token.value.sub(/^::/, "")
+
+      # This matches using legacy facts in a the new structured fact. For
+      # example this would match 'uuid' in $facts['uuid'] so it can be converted
+      # to facts['dmi']['product']['uuid']"
+      elsif token.value == "facts"
+        fact_name = hash_key_for(token)
+
+      elsif token.value.start_with?("facts['")
+        fact_name = token.value.match(/facts\['(.*)'\]/)[1]
+      end
+
+      unless fixable_facts.include?(fact_name)
+        next
+      end
+
+      notify :warning,
+        message: "legacy fact",
+        line: token.line,
+        column: token.column,
+        token: token,
+        fact_name: fact_name
+    end
+  end
+
+  # If the variable is using the $facts hash represented internally by multiple
+  # tokens, this helper simplifies accessing the hash key.
+  def hash_key_for(token)
+    lbrack_token = token.next_code_token
+    return "" unless lbrack_token && lbrack_token.type == :LBRACK
+
+    key_token = lbrack_token.next_code_token
+    return "" unless key_token && hash_key_type?(key_token.type)
+
+    key_token.value
+  end
+
+  def fix(problem)
+    fact_name = problem[:fact_name]
+
+    # Check if the variable is using the $facts hash represented internally by
+    # multiple tokens and remove the tokens for the old legacy key if so.
+    if problem[:token].value == "facts"
+      loop do
+        t = problem[:token].next_token
+        remove_token(t)
+        break if t.type == :RBRACK
+      end
+    end
+
+    problem[:token].value = fixable_facts[fact_name] if fixable_facts.include?(fact_name)
+  end
+end

data/lib/puppet-lint/plugins/trailing_newline.rb

@@ -0,0 +1,41 @@
+# https://github.com/rodjek/puppet-lint-trailing_newline-check/blob/6bfdd76e53a509190f95273914a754ca21e3f2f0/spec/puppet-lint/plugins/check_trailing_newline_spec.rb
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2014 Tim Sharpe
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+PuppetLint.new_check(:trailing_newline) do
+  def check
+    last_token = tokens.last
+
+    unless last_token.type == :NEWLINE
+      notify :warning, {
+        message: "expected newline at the end of the file",
+        line: last_token.line,
+        column: manifest_lines.last.length
+      }
+    end
+  end
+
+  def fix(problem)
+    tokens << PuppetLint::Lexer::Token.new(:NEWLINE, "\n", 0, 0)
+  end
+end

data/lib/puppet-lint/plugins/world_writable_files.rb

@@ -0,0 +1,49 @@
+# https://github.com/deanwilson/puppet-lint-world_writable_files-check/blob/a0956e31062d792740caa1dac30483110a39e375/lib/puppet-lint/plugins/world_writable_files.rb
+#
+# The MIT License (MIT)
+#
+# Copyright (c) 2016 Dean Wilson
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+PuppetLint.new_check(:world_writable_files) do
+  def check
+    resource_indexes.each do |resource|
+      next unless resource[:type].value == "file"
+
+      param_tokens = resource[:param_tokens].select { |pt| pt.value == "mode" }
+
+      param_tokens.each do |param_token|
+        # get the file modes value
+        value_token = param_token.next_code_token.next_code_token
+
+        # we only work with octal for now - also stops file { mode => undef }
+        break if !/^\d+$/.match?(value_token.value)
+        break if /\d+[^2367]$/.match?(value_token.value)
+
+        notify :warning, {
+          message: "files should not be created with world writable permissions",
+          line: value_token.line,
+          column: value_token.column,
+          token: value_token
+        }
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/concatenated_template_files_spec.rb

@@ -0,0 +1,75 @@
+require "spec_helper"
+
+describe "concatenated_template_files" do
+  let(:msg) { 'calling "template" with multiple files concatenates them into a single string' }
+
+  context "when the manifest has no file resources" do
+    let(:code) do
+      <<-TEST_CLASS
+        class no_file_resource {
+          host { 'syslog':
+            ip => '10.10.10.10',
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+
+  context "with file resource but no template call" do
+    context "when the template has a relative module path" do
+      let(:code) do
+        <<-TEST_CLASS
+          class template_tester {
+            file { '/tmp/template':
+              content => 'A static string',
+            }
+          }
+        TEST_CLASS
+      end
+
+      it "detects no problems" do
+        expect(problems.size).to eq(0)
+      end
+    end
+  end
+
+  context "when template function is passed one filename" do
+    let(:code) do
+      <<-TEST_CLASS
+        class single_templated_file {
+          file { '/tmp/templated':
+            content => template('mymodule/single_file.erb'),
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+
+  context "when template function is passed multiple filenames" do
+    let(:code) do
+      <<-TEST_CLASS
+        class multi_templated_file {
+          file { '/tmp/templated':
+            content => template('mymodule/first_file.erb', 'mymodule/second_file.erb'),
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "detects a single problem" do
+      expect(problems.size).to eq(1)
+    end
+
+    it "creates a warning" do
+      expect(problems).to contain_warning(msg).on_line(3).in_column(24)
+    end
+  end
+end

data/spec/puppet-lint/plugins/explicit_hiera_class_param_lookup_spec.rb

@@ -0,0 +1,58 @@
+require "spec_helper"
+
+describe "explicit_hiera_class_param_lookup" do
+  context "when class has no explicit hiera() lookups" do
+    let(:code) do
+      <<-TEST_CLASS
+        class no_explicit_lookups(
+          $my_content = undef
+        ) {
+          file { '/tmp/foo':
+            content => 'bar',
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+
+  context "when class has an explicit hiera() lookup" do
+    let(:msg) { "explicit hiera() lookup of my::nested::key" }
+
+    let(:code) do
+      <<-TEST_CLASS
+        class no_explicit_lookups(
+          $my_content = hiera('my::nested::key', 'baz')
+        ) {
+          file { '/tmp/foo':
+            content => $my_content,
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "detects a single problem" do
+      expect(problems.size).to eq(1)
+    end
+
+    it "creates an error" do
+      expect(problems).to contain_error(msg).on_line(2).in_column(31)
+    end
+  end
+
+  ### Reported issues
+  context "with an empty class with inherit and no explicit hiera() lookups" do
+    let(:code) do
+      <<-TEST_CLASS
+        class ig::base::freebsd inherits ig::base { }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+end

data/spec/puppet-lint/plugins/nine_legacy_facts_spec.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+describe "nine_legacy_facts" do
+  let(:msg) { "legacy fact" }
+  context "with fix disabled" do
+    context "fact variable using modern $facts['nine_metadata']['location'] hash" do
+      let(:code) { "$facts['nine_metadata']['location']" }
+
+      it "should not detect any problems" do
+        expect(problems.size).to eq(0)
+      end
+    end
+
+    context "fact variable using legacy $nine_location" do
+      let(:code) { "$nine_location" }
+
+      it "should not detect any problems" do
+        expect(problems.size).to eq(0)
+      end
+    end
+
+    context "fact variable using legacy $facts['nine_location']" do
+      let(:code) { "$facts['nine_location']" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+    end
+
+    context "fact variable using legacy $::nine_location" do
+      let(:code) { "$::nine_location" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+    end
+
+    context "fact variable using legacy $::nine_location" do
+      let(:code) { "$::nine_location" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+    end
+
+    context "fact variable using legacy $facts['nine_location']" do
+      let(:code) { "$facts['nine_location']" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+    end
+
+    context "fact variable using legacy facts hash variable in interpolation" do
+      let(:code) { %("${facts['nine_location']}") }
+
+      it "detects a single problem" do
+        expect(problems.size).to eq(1)
+      end
+    end
+  end
+
+  context "with fix enabled" do
+    before do
+      PuppetLint.configuration.fix = true
+    end
+
+    after do
+      PuppetLint.configuration.fix = false
+    end
+
+    context "fact variable using modern $facts['nine_metadata']['location'] hash" do
+      let(:code) { "$facts['nine_metadata']['location']" }
+
+      it "should not detect any problems" do
+        expect(problems.size).to eq(0)
+      end
+    end
+
+    context "fact variable using legacy $nine_location" do
+      let(:code) { "$nine_location" }
+
+      it "should not detect any problems" do
+        expect(problems.size).to eq(0)
+      end
+    end
+
+    context "fact variable using legacy $facts['nine_location']" do
+      let(:code) { "$facts['nine_location']" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+
+      it "should fix the problem" do
+        expect(problems).to contain_fixed(msg).on_line(1).in_column(1)
+      end
+
+      it "should use the facts hash" do
+        expect(manifest).to eq("$facts['nine_metadata']['location']")
+      end
+    end
+
+    context "fact variable using legacy $::nine_location" do
+      let(:code) { "$::nine_location" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+
+      it "should fix the problem" do
+        expect(problems).to contain_fixed(msg).on_line(1).in_column(1)
+      end
+
+      it "should use the facts hash" do
+        expect(manifest).to eq("$facts['nine_metadata']['location']")
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/trailing_newline_spec.rb

@@ -0,0 +1,65 @@
+require "spec_helper"
+
+describe "trailing_newline" do
+  let(:msg) { "expected newline at the end of the file" }
+
+  context "with fix disabled" do
+    context "code not ending with a newline" do
+      let(:code) { "'test'" }
+
+      it "should detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+
+      it "should create a warning" do
+        expect(problems).to contain_warning(msg).on_line(1).in_column(6)
+      end
+    end
+
+    context "code ending with a newline" do
+      let(:code) { "'test'\n" }
+
+      it "should not detect any problems" do
+        expect(problems.size).to eq(0)
+      end
+    end
+  end
+
+  context "with fix enabled" do
+    before do
+      PuppetLint.configuration.fix = true
+    end
+
+    after do
+      PuppetLint.configuration.fix = false
+    end
+
+    context "code not ending in a newline" do
+      let(:code) { "'test'" }
+
+      it "should only detect a single problem" do
+        expect(problems.size).to eq(1)
+      end
+
+      it "should fix the problem" do
+        expect(problems).to contain_fixed(msg).on_line(1).in_column(6)
+      end
+
+      it "should add a newline to the end of the manifest" do
+        expect(manifest).to eq("'test'\n")
+      end
+    end
+
+    context "code ending in a newline" do
+      let(:code) { "'test'\n" }
+
+      it "should not detect any problems" do
+        expect(problems.size).to eq(0)
+      end
+
+      it "should not modify the manifest" do
+        expect(manifest).to eq(code)
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/world_writable_files_spec.rb

@@ -0,0 +1,75 @@
+require "spec_helper"
+
+describe "world_writable_files" do
+  context "when the manifest has no file resources" do
+    let(:code) do
+      <<-TEST_CLASS
+        class no_file_resource {
+          host { 'syslog':
+            ip => '10.10.10.10',
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+
+  context "when file resource has a mode of 640" do
+    let(:code) do
+      <<-TEST_CLASS
+        class locked_down_file {
+          file { '/tmp/locked_down':
+            ensure => 'file',
+            mode   => '0640',
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+
+  context "when file has a mode of undef" do
+    let(:code) do
+      <<-TEST_CLASS
+        class undef_file_mode {
+          file { '/tmp/undef_file_mode':
+            ensure => 'file',
+            mode   => undef,
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "does not detect any problems" do
+      expect(problems.size).to eq(0)
+    end
+  end
+
+  context "when file has a world writable octal mode of 666" do
+    let(:msg) { "files should not be created with world writable permissions" }
+    let(:code) do
+      <<-TEST_CLASS
+        class locked_down_file {
+          file { '/tmp/open_octal':
+            ensure => 'file',
+            mode   => '0666',
+          }
+        }
+      TEST_CLASS
+    end
+
+    it "detects a problem" do
+      expect(problems.size).to eq(1)
+    end
+
+    it "creates a warning" do
+      expect(problems).to contain_warning(msg).on_line(4).in_column(23)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "puppet-lint"
+
+PuppetLint::Plugins.load_spec_helper
+
+RSpec.configure do |config|
+  config.formatter = :documentation
+end

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification
+name: puppet-lint-nine-check
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Nine Internet Solutions AG
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-10-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: puppet-lint
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-json_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-collection_matchers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+    A pupet-lint to check you are not using Nine legacy facts like `$::nine_location`
+    or `$facts['nine_location']`. You should use the new structured facts like
+    `$facts['nine_metadata']['location']` instead.
+email:
+- support@nine.ch
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/puppet-lint/plugins/concatenated_template_files.rb
+- lib/puppet-lint/plugins/explicit_hiera_class_param_lookup.rb
+- lib/puppet-lint/plugins/nine_legacy_facts.rb
+- lib/puppet-lint/plugins/trailing_newline.rb
+- lib/puppet-lint/plugins/world_writable_files.rb
+- spec/puppet-lint/plugins/concatenated_template_files_spec.rb
+- spec/puppet-lint/plugins/explicit_hiera_class_param_lookup_spec.rb
+- spec/puppet-lint/plugins/nine_legacy_facts_spec.rb
+- spec/puppet-lint/plugins/trailing_newline_spec.rb
+- spec/puppet-lint/plugins/world_writable_files_spec.rb
+- spec/spec_helper.rb
+homepage: https://gitlab.nine.ch/managed-services/puppet/tools/puppet-lint-nine-check
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: A puppet-lint plugin for different checks used at Nine.
+test_files: []