puppet-lint-world_writable_files-check 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8b2909f71fa762b4d7e478b53f5dadd7b45e0d3f
+  data.tar.gz: f6af4485074efc3167488d9453a0eebee01f49e1
+SHA512:
+  metadata.gz: a1894c08b740718a36019f57194d137b7efcca2768e74428a14e86a15eae655eac2e77286065423493e91cb5216ccad226016333fcf4b7860bf6a23ce731b045
+  data.tar.gz: 9721fe6ed35fc6f4b56fc26f3f651eff712841731beaaf2476209c3cb92d2bd0432fcbb25a6a7f015c9310865e2203f8b74e8cf19e2ccc8af87671704a2cc95f

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Dean Wilson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,45 @@
+# puppet-lint world_writable_files check #
+
+A puppet-lint extension that ensures file resources do not have a mode
+that makes them world writable.
+
+[![Build Status](https://travis-ci.org/deanwilson/puppet-lint-world_writable_files-check.svg?branch=master)](https://travis-ci.org/deanwilson/puppet-lint-world_writable_files-check)
+
+On a *nix system a world writable file is one that anyone can write to.
+This is often undesirable, especially in production, where who can
+write to certain files should be limited and enabled with deliberation,
+not by accident.
+
+This plugin currently only checks octal file modes, the
+[no_symbolic_file_modes](https://github.com/deanwilson/puppet-lint-no_symbolic_file_modes-check)
+`puppet-lint` check ensure this isn't a problem for my code bases but it
+might be a consideration for other peoples usages.
+
+## Installation ##
+
+To use this plugin add the following line to your `Gemfile`
+
+    gem 'puppet-lint-world_writable_files-check'
+
+and then run `bundle install`
+
+## Usage ##
+
+This plugin provides a new check to `puppet-lint` that warns if it finds
+a file resource that would be created with a mode that allowed every one
+to write to it.
+
+    class locked_down_file {
+      file { '/tmp/open_octal':
+        ensure => 'file',
+        mode   => '0666',
+      }
+    }
+
+This example makes a file that can be read and written to by all users
+of the system and so will raise:
+
+    files should not be created with world writable permissions
+
+### Author ###
+[Dean Wilson](http://www.unixdaemon.net)

data/lib/puppet-lint/plugins/world_writable_files.rb

@@ -0,0 +1,24 @@
+PuppetLint.new_check(:world_writable_files) do
+  def check
+    resource_indexes.each do |resource|
+      if resource[:type].value == 'file'
+        resource[:param_tokens].select { |param_token|
+          param_token.value == 'mode'
+        }.each do |param_token|
+
+          # get the file modes value
+          value_token = param_token.next_code_token.next_code_token
+
+          break if value_token.value =~ /\d+[^2367]$/
+
+          notify :warning, {
+            message: 'files should not be created with world writable permissions',
+            line:    value_token.line,
+            column:  value_token.column,
+            token:   value_token,
+          }
+        end
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/puppet-lint-world_writable_files_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+describe 'world_writable_files' do
+  context 'file with a mode of 640' do
+    let(:code) do
+      <<-EOS
+        class locked_down_file {
+          file { '/tmp/locked_down':
+            ensure => 'file',
+            mode   => '0640',
+          }
+        }
+      EOS
+    end
+
+    it 'should not detect any problems' do
+      expect(problems).to have(0).problems
+    end
+  end
+
+  context 'file with a world writable octal mode of 666' do
+    let(:msg) { 'files should not be created with world writable permissions' }
+    let(:code) do
+      <<-EOS
+        class locked_down_file {
+          file { '/tmp/open_octal':
+            ensure => 'file',
+            mode   => '0666',
+          }
+        }
+      EOS
+    end
+
+    it 'should detect a problem' do
+      expect(problems).to have(1).problem
+    end
+
+    it 'should create a warning' do
+      expect(problems).to contain_warning(msg).on_line(4).in_column(23)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+require 'puppet-lint'
+
+PuppetLint::Plugins.load_spec_helper

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification
+name: puppet-lint-world_writable_files-check
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Dean Wilson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-02-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: puppet-lint
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-collection_matchers
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.36.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.36.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+      A puppet-lint extension that ensures file resources do not have a mode that makes
+      them world writable.
+email: dean.wilson@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/puppet-lint/plugins/world_writable_files.rb
+- spec/puppet-lint/plugins/puppet-lint-world_writable_files_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/deanwilson/puppet-lint-world_writable_files-check
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: puppet-lint check to ensure file resources are not world writable
+test_files:
+- spec/puppet-lint/plugins/puppet-lint-world_writable_files_spec.rb
+- spec/spec_helper.rb
+has_rdoc: