serverspec-extra-types 0.4.6 → 0.4.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2577c03b1dc2888ae78a9fe968754f33b5b69e5cf5f7232bc62a51b64919ece8
-  data.tar.gz: f221aef4e11e3562f25c01faeed0210a7788f5c596a0e5c17bb3883d3b856ee6
+  metadata.gz: 92b03be089f3c675024cfbf0f04fa03e305c89564ed9c852f521bae52e8b528f
+  data.tar.gz: ce70ffde396e4687d8985710ec339309564889d6b442dfcd528afd2f614d0dd1
 SHA512:
-  metadata.gz: be104eb846a5e8f16fe5ba884684fea367bc16bd1a6d7cb31931b984965ef7e705366f2a53349a6b88c7a917b43ce93007adc7cb8996eeca7cf2e40b23a5896e
-  data.tar.gz: b19fc4d4a97db02cb2f00979efe707ba99714d363b5822075da04911dec26a0f0c2f90b249891d30d38eb529daa08bb6692cff1fcad320148d6b7ecb0e2e93ad
+  metadata.gz: 5c6a77ba14443b476225d9a1dc7506947c3f9fd4897e29de7a80f161262d198dfb500d59a00c1fd3a50aec51a11065a9bc7bf8fe9c4cf6e7f0bf8244fbda4d60
+  data.tar.gz: 14c40a38e6b0b641c05f5b6ff99d995d596e806af15378b4bc1db0d6351db717d59e4d6e5bf62823aa598422dae5f679f26500562f93191993de0dc3b0251a55

data/README.md

@@ -983,7 +983,6 @@ describe nfs_export('/var/nfsroot') do
 end
 ```
 
-
 ### rabbitmq_node_list <a name="rabbitmq_node_list" ></a>
 <sub><sup>Please note: This type requires curl to be installed on the target host</sup></sub>
 #### have_count
@@ -1149,6 +1148,76 @@ describe sudo_user('someuser') do
 end
 ```
 
+### unix_pam(pamfile, dir='/etc/pam.d' ) <a name="unix_pam" ></a>
+Provides a type and matchers for checking UNIX plugable authenticaton modules (PAM)
+#### exist
+Checks that the pamfile exists in the given directory (default = /etc/pam.d)
+```ruby
+describe unix_pam('su') do
+ it { should exist }
+end  
+```
+
+#### have_authentication(module)/have_auth(module)
+Checks that the pamfile has a 'auth' configuration item using the given module
+```ruby
+describe unix_pam('su') do
+ it { should have_auth 'pam_rootok.so'}
+end
+```
+This match also support the following matcher chains:
+```ruby
+describe unix_pam('su') do
+ ## Control Flag Chain matchers
+ # Check if module is a required module
+ it { should have_auth('pam_rootok.so').required }
+  # Check if module is a requisite module
+ it { should have_auth('pam_rootok.so').requisite }
+  # Check if module is a sufficient module
+ it { should have_auth('pam_rootok.so').sufficient }
+ # Check if module is a optional module
+ it { should have_auth('pam_rootok.so').optional }
+ #Check for a particular control flag (with_control and with_flag are provided as aliases)
+ it { should have_auth('pam_unix.so').with_control_flag('[success=1 default=ignore]') } 
+ 
+ ## Argument chain matchers
+ #Single arg
+ it { should have_auth('pam_unix.so').with_arg('nullok_secure') }
+ it { should have_auth('pam_unix.so').with_argument('nullok_secure') }
+ #Multiple args
+ it { should have_auth('pam_wheel.so').with_args(['deny', 'group=nosu']) }
+ it { should have_auth('pam_wheel.so').with_arguments(['deny', 'group=nosu']) }
+end  
+```
+
+#### have_session(module)
+Checks that the pamfile has a 'session' configuration item using the given module
+```ruby
+describe unix_pam('su') do
+ it { should have_session 'pam_env.so'}
+end  
+```
+This matcher supports all the chains of the have_auth matcher (see above)
+
+#### have_account(module)
+Checks that the pamfile has a 'account' configuration item using the given module
+```ruby
+describe unix_pam('common-account') do
+ it { should have_account 'pam_deny.so'}
+end  
+```
+This matcher supports all the chains of the have_auth matcher (see above)
+
+#### have_password(module)
+Checks that the pamfile has a 'account' configuration item using the given module
+```ruby
+describe unix_pam('common-password') do
+ it { should have_password 'pam_deny.so'}
+end  
+```
+This matcher supports all the chains of the have_auth matcher (see above)
+
+
 
 ## Development
 

data/lib/serverspec_extra_types/matchers.rb

@@ -43,4 +43,8 @@ require 'serverspec_extra_types/matchers/allowed_to_run_command'
 require 'serverspec_extra_types/matchers/allowed_to_run_anything'
 
 
-require 'serverspec_extra_types/matchers/have_version'
+require 'serverspec_extra_types/matchers/have_version'
+require 'serverspec_extra_types/matchers/have_auth'
+require 'serverspec_extra_types/matchers/have_session'
+require 'serverspec_extra_types/matchers/have_password'
+require 'serverspec_extra_types/matchers/have_account'

data/lib/serverspec_extra_types/matchers/have_account.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_account do |auth|
+  match do |actual|
+    if actual.is_a? Serverspec::Type::UnixPam
+      actual.has_account? auth, @flag, @args
+    else
+      actual.has_account? auth
+    end
+  end
+  description do |actual|
+
+    msg = "have account '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected accounts to include #{auth} was #{actual.sessions}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+
+  chain :with_args do |arg|
+    @args = arg
+  end
+
+  chain :with_arguments do |arg|
+    @args = arg
+  end
+end
+
+

data/lib/serverspec_extra_types/matchers/have_auth.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_auth do |auth|
+  match do |actual|
+    actual.has_auth? auth, @flag
+  end
+  description do
+    msg = "have authentication '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected auths to include #{auth} was #{actual.auths}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+end
+
+RSpec::Matchers.alias_matcher :have_authentication, :have_auth

data/lib/serverspec_extra_types/matchers/have_password.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_password do |auth|
+  match do |actual|
+    if actual.is_a? Serverspec::Type::UnixPam
+      actual.has_password? auth, @flag, @args
+    else
+      actual.has_password? auth
+    end
+  end
+  description do |actual|
+
+    msg = "have password '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected passwords to include #{auth} was #{actual.sessions}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+
+  chain :with_args do |arg|
+    @args = arg
+  end
+
+  chain :with_arguments do |arg|
+    @args = arg
+  end
+end
+
+

data/lib/serverspec_extra_types/matchers/have_session.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: false
+
+RSpec::Matchers.define :have_session do |auth|
+  match do |actual|
+    actual.has_session? auth, @flag, @args
+  end
+  description do
+    msg = "have session '#{auth}'"
+    msg << %( with control flag '#{@flag}') if @flag
+    msg << %( with argument '#{@args}') if @args && !@args.is_a?(Array)
+    msg << %( with arguments '#{@args}') if @args && @args.is_a?(Array)
+    msg
+  end
+  failure_message do |actual|
+    "expected sessions to include #{auth} was #{actual.sessions}"
+  end
+
+  chain :with_control do |flag|
+    @flag = flag
+  end
+
+  chain :with_flag do |flag|
+    @flag = flag
+  end
+
+  chain :with_control_flag do |flag|
+    @flag = flag
+  end
+
+  chain :required do
+    @flag = 'required'
+  end
+
+  chain :requisite do
+    @flag = 'requisite'
+  end
+
+  chain :sufficient do
+    @flag = 'sufficient'
+  end
+
+  chain :optional do
+    @flag = 'optional'
+  end
+
+  chain :with_arg do |arg|
+    @args = arg
+  end
+
+  chain :with_argument do |arg|
+    @args = arg
+  end
+
+  chain :with_args do |arg|
+    @args = arg
+  end
+
+  chain :with_arguments do |arg|
+    @args = arg
+  end
+end
+
+

data/lib/serverspec_extra_types/types.rb

@@ -9,7 +9,7 @@ module Serverspec
       types = %w[docker_service docker_node rabbitmq_vhost_policy rabbitmq_node_list rabbitmq_vhost_list
                  rabbitmq_user_permission consul_service consul_service_list consul_node consul_node_list
                  curl nfs_export jenkins_credential jenkins_job jenkins_plugin sudo_user docker_network
-                 docker_config docker_secret]
+                 docker_config docker_secret unix_pam]
 
       types.each do |type|
         require "serverspec_extra_types/types/#{type}"

data/lib/serverspec_extra_types/types/api_base.rb

@@ -11,6 +11,7 @@ module Serverspec::Type
       super(name, options)
       @insecure = options[:insecure]
       @redirects = options[:follow_redirects]
+      @host = options[:host]
     end
 
     def [](key)
@@ -37,7 +38,7 @@ module Serverspec::Type
     end
 
     def curl_command
-      "curl #{extra_args} -s #{url} #{@insecure ? '-k' : ''} #{@redirects ? '-L' : ''}"
+      "curl #{extra_args} #{@host ? '--header "Host: '+@host+'"' : '' } -s #{url} #{@insecure ? '-k' : ''} #{@redirects ? '-L' : ''}"
     end
 
     # rubocop:disable Naming/AccessorMethodName

data/lib/serverspec_extra_types/types/unix_pam.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: false
+
+require 'serverspec'
+require 'serverspec/type/base'
+require 'serverspec_extra_types/helpers/properties'
+
+module Serverspec::Type
+  class UnixPam < Base
+    def initialize(name = nil, dir = '/etc/pam.d', options = {})
+      super(name, options)
+      @name = name
+      @dir = dir
+    end
+
+    def exists?
+      get_inspection.success?
+    end
+
+    def auths
+      inspection['auth']
+    end
+
+    def auth(auth)
+      auths[auth]
+    end
+
+    def sessions
+      inspection['session']
+    end
+
+    def session(ses)
+      sessions[ses]
+    end
+
+    def accounts
+      inspection['account']
+    end
+
+    def account(acc)
+      accounts[acc]
+    end
+
+    def passwords
+      inspection['password']
+    end
+
+    def password(passwd)
+      passwords[passwd]
+    end
+
+    def includes
+      inspection['include']
+    end
+
+    def include(inc)
+      includes.include? inc
+    end
+
+    def include?(inc)
+      !self.include(inc).nil?
+    end
+
+    def has_include?(inc)
+      include? inc
+    end
+
+    def has_account?(account, control = nil, args = nil)
+      acc = self.account(account)
+      check(acc, control, args)
+    end
+
+    def has_auth?(auth, control = nil, args = nil)
+      ath = self.auth(auth)
+      check(ath, control, args)
+    end
+
+    def has_session?(session, control = nil, args = nil)
+      ses = self.session(session)
+      check(ses, control, args)
+    end
+
+    def has_password?(password, control = nil, args = nil)
+      psw = self.password(password)
+      check(psw, control, args)
+    end
+
+
+
+    def host(host_id)
+      hosts[host_id]
+    end
+
+    def inspection
+      unless @inspection
+        config = {}
+        get_inspection.stdout.each_line do |line|
+          if line.start_with?(/[a-z]/)
+            parts = %r{^([a-z]+)(?:\s+)([a-z]+|\[[a-z0-9= _]*\])(?:\s+)([a-z_\.]+)(?:\s?)(.*)}.match line
+            next unless parts
+            config[parts[1]] = {} unless config[parts[1]]
+            if config.dig(parts[1],parts[3])
+              data = {'flag' =>  parts[2] }
+              data['args'] = parts[4].split unless [nil, '' ].include?(parts[4])
+              config[parts[1]][parts[3]] << data
+            else
+              config[parts[1]][parts[3]] = []
+              data = {'flag' => parts[2] }
+              data['args'] = parts[4].split unless [nil, '' ].include?(parts[4])
+              config[parts[1]][parts[3]] << data
+            end
+          elsif line.start_with? '@inc'
+            parts = %r{^@[a-z]+(?:\s+)([a-z\-]+|\[[a-z0-9_=\-]*\])}.match line
+            next unless parts
+            config['include'] = [] unless config['include']
+            config['include'] << parts[1]
+          end
+        end
+        @inspection = config
+      end
+      @inspection
+    end
+
+    # rubocop:disable Naming/AccessorMethodName
+    def get_inspection
+      command = "cat #{@dir}/#{@name}"
+      @get_inspection ||= @runner.run_command(command)
+    end
+    # rubocop:enable Naming/AccessorMethodName
+
+    private
+
+    def check(mod, control = nil, args = nil )
+      if args && control
+        check_args(args, mod) && check_flags(control, mod)
+      elsif args
+        check_args(args, mod)
+      elsif control
+        check_flags(control, mod)
+      else
+        !mod.nil?
+      end
+    end
+
+    def check_flags(control, mod)
+      mod.find {|a| a['flag'] == control}
+    end
+
+    def check_args(args, mod)
+      if args.is_a? Array
+        mod.find {|a| (a['args'] - args).empty?}
+      else
+        mod.find {|a| a['args'].include? args}
+      end
+    end
+
+    def check_options(host_id, opts)
+      options = opts.include?(',') ? opts.spilt(',') : opts
+      if options.is_a? Array
+        host(host_id).split(',').include?(options)
+      else
+        host(host_id).include?(options)
+      end
+   end
+  end
+end

data/lib/serverspec_extra_types/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ServerspecExtraTypes
-  VERSION = '0.4.6'
+  VERSION = '0.4.7'
 end

data/properties.yml

@@ -68,6 +68,11 @@ targets:
     docker_build_dir: spec/resources/dockerfiles/nfs
     spec_type: nfs_export
 
+  pam:
+    backend: docker
+    docker_build_dir: spec/resources/dockerfiles/nfs
+    spec_type: pam
+
   jenkins_plugin:
     backend: exec
     spec_type: jenkins_plugin

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: serverspec-extra-types
 version: !ruby/object:Gem::Version
-  version: 0.4.6
+  version: 0.4.7
 platform: ruby
 authors:
 - Andrew Wardrobe
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-07-01 00:00:00.000000000 Z
+date: 2021-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -198,6 +198,8 @@ files:
 - lib/serverspec_extra_types/matchers/be_a_worker_node.rb
 - lib/serverspec_extra_types/matchers/be_active.rb
 - lib/serverspec_extra_types/matchers/configure_queue.rb
+- lib/serverspec_extra_types/matchers/have_account.rb
+- lib/serverspec_extra_types/matchers/have_auth.rb
 - lib/serverspec_extra_types/matchers/have_count.rb
 - lib/serverspec_extra_types/matchers/have_domain_name.rb
 - lib/serverspec_extra_types/matchers/have_engine_version.rb
@@ -212,10 +214,12 @@ files:
 - lib/serverspec_extra_types/matchers/have_label.rb
 - lib/serverspec_extra_types/matchers/have_mount.rb
 - lib/serverspec_extra_types/matchers/have_network.rb
+- lib/serverspec_extra_types/matchers/have_password.rb
 - lib/serverspec_extra_types/matchers/have_placement_constraint.rb
 - lib/serverspec_extra_types/matchers/have_replica_count.rb
 - lib/serverspec_extra_types/matchers/have_restart_limit.rb
 - lib/serverspec_extra_types/matchers/have_restart_policy.rb
+- lib/serverspec_extra_types/matchers/have_session.rb
 - lib/serverspec_extra_types/matchers/have_user.rb
 - lib/serverspec_extra_types/matchers/have_version.rb
 - lib/serverspec_extra_types/matchers/have_vhost.rb
@@ -256,6 +260,7 @@ files:
 - lib/serverspec_extra_types/types/rabbitmq_vhost_list.rb
 - lib/serverspec_extra_types/types/rabbitmq_vhost_policy.rb
 - lib/serverspec_extra_types/types/sudo_user.rb
+- lib/serverspec_extra_types/types/unix_pam.rb
 - lib/serverspec_extra_types/version.rb
 - properties.yml
 - serverspec-extra-types.gemspec
@@ -279,7 +284,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: Additional Types and Matchers for Serverspec