serverspec-extra-types 0.4.2 → 0.4.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 54d47925a1bf914cd8f69c0ef873bd399e410b9bab4dd3fdad2382ce21e36ab8
-  data.tar.gz: 50c85c5048600085089179f75b797fffeb3fcaeac779ea5783d82e39f3459697
+  metadata.gz: 92b03be089f3c675024cfbf0f04fa03e305c89564ed9c852f521bae52e8b528f
+  data.tar.gz: ce70ffde396e4687d8985710ec339309564889d6b442dfcd528afd2f614d0dd1
 SHA512:
-  metadata.gz: a0f60ed297548de0e0d1375f3fe4853fd2a4f417a90f887399ccb921d885ea0817eb788516c1d7f58dc8340d6f22c06814948ea789d417dc5967fc20e363f022
-  data.tar.gz: 80817a68dc1db59eb561c9dd7e6693a83aa38620fb76082657e55dbde9e422ff6b8f31e4fe25735b4a83749969024bb461db5c39f4b4571f405071bcc152da4a
+  metadata.gz: 5c6a77ba14443b476225d9a1dc7506947c3f9fd4897e29de7a80f161262d198dfb500d59a00c1fd3a50aec51a11065a9bc7bf8fe9c4cf6e7f0bf8244fbda4d60
+  data.tar.gz: 14c40a38e6b0b641c05f5b6ff99d995d596e806af15378b4bc1db0d6351db717d59e4d6e5bf62823aa598422dae5f679f26500562f93191993de0dc3b0251a55

data/README.md

@@ -983,7 +983,6 @@ describe nfs_export('/var/nfsroot') do
 end
 ```
 
-
 ### rabbitmq_node_list <a name="rabbitmq_node_list" ></a>
 <sub><sup>Please note: This type requires curl to be installed on the target host</sup></sub>
 #### have_count
@@ -1122,19 +1121,15 @@ end
 Ensures the user can run a command
 ```ruby
 describe sudo_user('someuser') do
-  it { should be_allowed_run_anything }
-  # Without password
-  it { should be_allowed_run_anything.without_a_password }
-  #As a particular user
-  it { should be_allowed_run_anything.as('someotheruser') }
-  #As a particular user with out a password
-  it { should be_allowed_run_anything.as('someotheruser').without_a_password  }
-  #As any user
-  it { should be_allowed_run_anything.as_anybody }
-  #As Any user without  a password
-  it { should be_allowed_run_anything.as_anybody.without_password }
+  it { should be_allowed_to_run_command('/usr/bin/cat /var/log/messages') }
+  it { should be_allowed_to_run_command('/usr/bin/cat /var/log/messages').as('user6') }
+  it { should be_allowed_to_run_command('/usr/bin/cat /var/log/messages').as('user6').without_password }
+  it { should be_allowed_to_run_command('/usr/bin/cat /var/log/secure').without_password }
+  it { should be_allowed_to_run_command('/usr/bin/cat /tmp/logs').as_anybody }
+  it { should be_allowed_to_run_command('/usr/bin/cat /tmp/logs').as_anybody.without_password }
 end
 ```
+
 ##### be_allowed_to_run_anything
 Ensures the user can run a anything
 ```ruby
@@ -1153,6 +1148,76 @@ describe sudo_user('someuser') do
 end
 ```
 
+### unix_pam(pamfile, dir='/etc/pam.d' ) <a name="unix_pam" ></a>
+Provides a type and matchers for checking UNIX plugable authenticaton modules (PAM)
+#### exist
+Checks that the pamfile exists in the given directory (default = /etc/pam.d)
+```ruby
+describe unix_pam('su') do
+ it { should exist }
+end  
+```
+
+#### have_authentication(module)/have_auth(module)
+Checks that the pamfile has a 'auth' configuration item using the given module
+```ruby
+describe unix_pam('su') do
+ it { should have_auth 'pam_rootok.so'}
+end
+```
+This match also support the following matcher chains:
+```ruby
+describe unix_pam('su') do
+ ## Control Flag Chain matchers
+ # Check if module is a required module
+ it { should have_auth('pam_rootok.so').required }
+  # Check if module is a requisite module
+ it { should have_auth('pam_rootok.so').requisite }
+  # Check if module is a sufficient module
+ it { should have_auth('pam_rootok.so').sufficient }
+ # Check if module is a optional module
+ it { should have_auth('pam_rootok.so').optional }
+ #Check for a particular control flag (with_control and with_flag are provided as aliases)
+ it { should have_auth('pam_unix.so').with_control_flag('[success=1 default=ignore]') } 
+ 
+ ## Argument chain matchers
+ #Single arg
+ it { should have_auth('pam_unix.so').with_arg('nullok_secure') }
+ it { should have_auth('pam_unix.so').with_argument('nullok_secure') }
+ #Multiple args
+ it { should have_auth('pam_wheel.so').with_args(['deny', 'group=nosu']) }
+ it { should have_auth('pam_wheel.so').with_arguments(['deny', 'group=nosu']) }
+end  
+```
+
+#### have_session(module)
+Checks that the pamfile has a 'session' configuration item using the given module
+```ruby
+describe unix_pam('su') do
+ it { should have_session 'pam_env.so'}
+end  
+```
+This matcher supports all the chains of the have_auth matcher (see above)
+
+#### have_account(module)
+Checks that the pamfile has a 'account' configuration item using the given module
+```ruby
+describe unix_pam('common-account') do
+ it { should have_account 'pam_deny.so'}
+end  
+```
+This matcher supports all the chains of the have_auth matcher (see above)
+
+#### have_password(module)
+Checks that the pamfile has a 'account' configuration item using the given module
+```ruby
+describe unix_pam('common-password') do
+ it { should have_password 'pam_deny.so'}
+end  
+```
+This matcher supports all the chains of the have_auth matcher (see above)
+
+
 
 ## Development
 

data/lib/serverspec_extra_types.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-puts "Deprecation WARNING: serverspec_extra_types has been deprecated as the entry point to the gem. please use:"
+puts "Deprecation WARNING: \"require 'serverspec_extra_types'\" has been deprecated as the entry point to the gem. please use:"
 puts "require 'serverspec-extra-types'"
 
 require 'serverspec-extra-types'

data/lib/serverspec_extra_types/matchers.rb

@@ -41,3 +41,10 @@ require 'serverspec_extra_types/matchers/url_matchers'
 #--- sudo matchers
 require 'serverspec_extra_types/matchers/allowed_to_run_command'
 require 'serverspec_extra_types/matchers/allowed_to_run_anything'
+
+
+require 'serverspec_extra_types/matchers/have_version'
+require 'serverspec_extra_types/matchers/have_auth'
+require 'serverspec_extra_types/matchers/have_session'
+require 'serverspec_extra_types/matchers/have_password'
+require 'serverspec_extra_types/matchers/have_account'

data/lib/serverspec_extra_types/matchers/allowed_to_run_anything.rb

@@ -18,7 +18,7 @@ RSpec::Matchers.define :be_allowed_to_run_anything do
     if @user
       actual.allowed_to_run_command?('ALL', @user, @checkpw)
     else
-      actual.allowed_to_run_command?('ALL', @checkpw)
+      actual.allowed_to_run_command?('ALL', false, @checkpw)
     end
   end
 

data/lib/serverspec_extra_types/matchers/allowed_to_run_command.rb

@@ -19,7 +19,7 @@ RSpec::Matchers.define :be_allowed_to_run_command do |command|
     elsif @anybody
       (actual.allowed_to_run_command?(command, 'ALL', @checkpw) || actual.allowed_to_run_command?(command, 'ALL:ALL', @checkpw))
     else
-      actual.allowed_to_run_command?(command, @checkpw)
+      actual.allowed_to_run_command?(command, false, @checkpw)
     end
   end
 

data/lib/serverspec_extra_types/matchers/have_account.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_account do |auth|
+  match do |actual|
+    if actual.is_a? Serverspec::Type::UnixPam
+      actual.has_account? auth, @flag, @args
+    else
+      actual.has_account? auth
+    end
+  end
+  description do |actual|
+
+    msg = "have account '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected accounts to include #{auth} was #{actual.sessions}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+
+  chain :with_args do |arg|
+    @args = arg
+  end
+
+  chain :with_arguments do |arg|
+    @args = arg
+  end
+end
+
+

data/lib/serverspec_extra_types/matchers/have_auth.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_auth do |auth|
+  match do |actual|
+    actual.has_auth? auth, @flag
+  end
+  description do
+    msg = "have authentication '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected auths to include #{auth} was #{actual.auths}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+end
+
+RSpec::Matchers.alias_matcher :have_authentication, :have_auth

data/lib/serverspec_extra_types/matchers/have_password.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_password do |auth|
+  match do |actual|
+    if actual.is_a? Serverspec::Type::UnixPam
+      actual.has_password? auth, @flag, @args
+    else
+      actual.has_password? auth
+    end
+  end
+  description do |actual|
+
+    msg = "have password '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected passwords to include #{auth} was #{actual.sessions}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+
+  chain :with_args do |arg|
+    @args = arg
+  end
+
+  chain :with_arguments do |arg|
+    @args = arg
+  end
+end
+
+

data/lib/serverspec_extra_types/matchers/have_session.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_session do |auth|
+  match do |actual|
+    actual.has_session? auth, @flag, @args
+  end
+  description do
+    msg = "have session '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected sessions to include #{auth} was #{actual.sessions}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+
+  chain :with_args do |arg|
+    @args = arg
+  end
+
+  chain :with_arguments do |arg|
+    @args = arg
+  end
+end
+
+

data/lib/serverspec_extra_types/matchers/have_version.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+RSpec::Matchers.define :have_version do |version|
+  match do |actual|
+    actual.has_version? version
+  end
+
+  failure_message do |actual|
+    "expected #{actual.to_s} to have version #{version} was #{actual.version}"
+  end
+end

data/lib/serverspec_extra_types/types.rb

@@ -9,7 +9,7 @@ module Serverspec
       types = %w[docker_service docker_node rabbitmq_vhost_policy rabbitmq_node_list rabbitmq_vhost_list
                  rabbitmq_user_permission consul_service consul_service_list consul_node consul_node_list
                  curl nfs_export jenkins_credential jenkins_job jenkins_plugin sudo_user docker_network
-                 docker_config docker_secret]
+                 docker_config docker_secret unix_pam]
 
       types.each do |type|
         require "serverspec_extra_types/types/#{type}"

data/lib/serverspec_extra_types/types/api_base.rb

@@ -11,6 +11,7 @@ module Serverspec::Type
       super(name, options)
       @insecure = options[:insecure]
       @redirects = options[:follow_redirects]
+      @host = options[:host]
     end
 
     def [](key)
@@ -37,7 +38,7 @@ module Serverspec::Type
     end
 
     def curl_command
-      "curl #{extra_args} -s #{url} #{@insecure ? '-k' : ''} #{@redirects ? '-L' : ''}"
+      "curl #{extra_args} #{@host ? '--header "Host: '+@host+'"' : '' } -s #{url} #{@insecure ? '-k' : ''} #{@redirects ? '-L' : ''}"
     end
 
     # rubocop:disable Naming/AccessorMethodName

data/lib/serverspec_extra_types/types/jenkins_plugin.rb

@@ -33,7 +33,11 @@ module Serverspec::Type
     end
 
     def has_version?(version)
-      inspection['version'].to_s == version.to_s
+      self.version == version.to_s
+    end
+
+    def version
+      inspection['version'].to_s
     end
 
     def length

data/lib/serverspec_extra_types/types/sudo_user.rb

@@ -34,7 +34,7 @@ module Serverspec::Type
     end
 
     def permission(command)
-      permissions.find { |x| x[:command] == command }
+      permissions.find { |x| x[:command].include?(command) }
     end
 
     def permissions
@@ -74,10 +74,12 @@ module Serverspec::Type
       end
       if /NOPASSWD:/.match? perm
         chunks[:nopasswd] = true
-        chunks[:command] = parts[2..-1].join(' ')
+        commands = parts[2..-1].join(' ').split(',').map(&:strip)
+        chunks[:command] = commands.length > 1 ? commands : commands[0]
       else
         chunks[:nopasswd] = false
-        chunks[:command] = parts[1..-1].join(' ')
+        commands = parts[1..-1].join(' ').split(',').map(&:strip)
+        chunks[:command] = chunks[:command] = commands.length > 1 ? commands : commands[0]
       end
     end
 

data/lib/serverspec_extra_types/types/unix_pam.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: false
+
+require 'serverspec'
+require 'serverspec/type/base'
+require 'serverspec_extra_types/helpers/properties'
+
+module Serverspec::Type
+  class UnixPam < Base
+    def initialize(name = nil, dir = '/etc/pam.d', options = {})
+      super(name, options)
+      @name = name
+      @dir = dir
+    end
+
+    def exists?
+      get_inspection.success?
+    end
+
+    def auths
+      inspection['auth']
+    end
+
+    def auth(auth)
+      auths[auth]
+    end
+
+    def sessions
+      inspection['session']
+    end
+
+    def session(ses)
+      sessions[ses]
+    end
+
+    def accounts
+      inspection['account']
+    end
+
+    def account(acc)
+      accounts[acc]
+    end
+
+    def passwords
+      inspection['password']
+    end
+
+    def password(passwd)
+      passwords[passwd]
+    end
+
+    def includes
+      inspection['include']
+    end
+
+    def include(inc)
+      includes.include? inc
+    end
+
+    def include?(inc)
+      !self.include(inc).nil?
+    end
+
+    def has_include?(inc)
+      include? inc
+    end
+
+    def has_account?(account, control = nil, args = nil)
+      acc = self.account(account)
+      check(acc, control, args)
+    end
+
+    def has_auth?(auth, control = nil, args = nil)
+      ath = self.auth(auth)
+      check(ath, control, args)
+    end
+
+    def has_session?(session, control = nil, args = nil)
+      ses = self.session(session)
+      check(ses, control, args)
+    end
+
+    def has_password?(password, control = nil, args = nil)
+      psw = self.password(password)
+      check(psw, control, args)
+    end
+
+
+
+    def host(host_id)
+      hosts[host_id]
+    end
+
+    def inspection
+      unless @inspection
+        config = {}
+        get_inspection.stdout.each_line do |line|
+          if line.start_with?(/[a-z]/)
+            parts = %r{^([a-z]+)(?:\s+)([a-z]+|\[[a-z0-9= _]*\])(?:\s+)([a-z_\.]+)(?:\s?)(.*)}.match line
+            next unless parts
+            config[parts[1]] = {} unless config[parts[1]]
+            if config.dig(parts[1],parts[3])
+              data = {'flag' =>  parts[2] }
+              data['args'] = parts[4].split unless [nil, '' ].include?(parts[4])
+              config[parts[1]][parts[3]] << data
+            else
+              config[parts[1]][parts[3]] = []
+              data = {'flag' => parts[2] }
+              data['args'] = parts[4].split unless [nil, '' ].include?(parts[4])
+              config[parts[1]][parts[3]] << data
+            end
+          elsif line.start_with? '@inc'
+            parts = %r{^@[a-z]+(?:\s+)([a-z\-]+|\[[a-z0-9_=\-]*\])}.match line
+            next unless parts
+            config['include'] = [] unless config['include']
+            config['include'] << parts[1]
+          end
+        end
+        @inspection = config
+      end
+      @inspection
+    end
+
+    # rubocop:disable Naming/AccessorMethodName
+    def get_inspection
+      command = "cat #{@dir}/#{@name}"
+      @get_inspection ||= @runner.run_command(command)
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    private
+
+    def check(mod, control = nil, args = nil )
+      if args && control
+        check_args(args, mod) && check_flags(control, mod)
+      elsif args
+        check_args(args, mod)
+      elsif control
+        check_flags(control, mod)
+      else
+        !mod.nil?
+      end
+    end
+
+    def check_flags(control, mod)
+      mod.find {|a| a['flag'] == control}
+    end
+
+    def check_args(args, mod)
+      if args.is_a? Array
+        mod.find {|a| (a['args'] - args).empty?}
+      else
+        mod.find {|a| a['args'].include? args}
+      end
+    end
+
+    def check_options(host_id, opts)
+      options = opts.include?(',') ? opts.spilt(',') : opts
+      if options.is_a? Array
+        host(host_id).split(',').include?(options)
+      else
+        host(host_id).include?(options)
+      end
+   end
+  end
+end

data/lib/serverspec_extra_types/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ServerspecExtraTypes
-  VERSION = '0.4.2'
+  VERSION = '0.4.7'
 end

data/properties.yml

@@ -2,7 +2,7 @@
 
 options:
   # Stop the test on the first failure (default: true)
-  fail_on_err: false
+  fail_on_err: true
   # Specify output format defaults is docs_screen multiple formatters can be specified
   formatters:
      - tick
@@ -68,6 +68,11 @@ targets:
     docker_build_dir: spec/resources/dockerfiles/nfs
     spec_type: nfs_export
 
+  pam:
+    backend: docker
+    docker_build_dir: spec/resources/dockerfiles/nfs
+    spec_type: pam
+
   jenkins_plugin:
     backend: exec
     spec_type: jenkins_plugin

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: serverspec-extra-types
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.4.7
 platform: ruby
 authors:
 - Andrew Wardrobe
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-06-03 00:00:00.000000000 Z
+date: 2021-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -198,6 +198,8 @@ files:
 - lib/serverspec_extra_types/matchers/be_a_worker_node.rb
 - lib/serverspec_extra_types/matchers/be_active.rb
 - lib/serverspec_extra_types/matchers/configure_queue.rb
+- lib/serverspec_extra_types/matchers/have_account.rb
+- lib/serverspec_extra_types/matchers/have_auth.rb
 - lib/serverspec_extra_types/matchers/have_count.rb
 - lib/serverspec_extra_types/matchers/have_domain_name.rb
 - lib/serverspec_extra_types/matchers/have_engine_version.rb
@@ -212,11 +214,14 @@ files:
 - lib/serverspec_extra_types/matchers/have_label.rb
 - lib/serverspec_extra_types/matchers/have_mount.rb
 - lib/serverspec_extra_types/matchers/have_network.rb
+- lib/serverspec_extra_types/matchers/have_password.rb
 - lib/serverspec_extra_types/matchers/have_placement_constraint.rb
 - lib/serverspec_extra_types/matchers/have_replica_count.rb
 - lib/serverspec_extra_types/matchers/have_restart_limit.rb
 - lib/serverspec_extra_types/matchers/have_restart_policy.rb
+- lib/serverspec_extra_types/matchers/have_session.rb
 - lib/serverspec_extra_types/matchers/have_user.rb
+- lib/serverspec_extra_types/matchers/have_version.rb
 - lib/serverspec_extra_types/matchers/have_vhost.rb
 - lib/serverspec_extra_types/matchers/http_1xx.rb
 - lib/serverspec_extra_types/matchers/http_2xx.rb
@@ -255,6 +260,7 @@ files:
 - lib/serverspec_extra_types/types/rabbitmq_vhost_list.rb
 - lib/serverspec_extra_types/types/rabbitmq_vhost_policy.rb
 - lib/serverspec_extra_types/types/sudo_user.rb
+- lib/serverspec_extra_types/types/unix_pam.rb
 - lib/serverspec_extra_types/version.rb
 - properties.yml
 - serverspec-extra-types.gemspec
@@ -278,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: Additional Types and Matchers for Serverspec