simp-beaker-helpers 1.11.1 → 1.11.2

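--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: de20d90d702274ad89d7c0f4971cf392e7b9810dd81c19d2a18713e2094c2e8e
- data.tar.gz: 98364f3ad80cb62f625e5b83fbe284e4b303a99e09bf2227d22f9e3adbf40603
+ metadata.gz: bae36aadf14634267010bd774a210b9b9c493131acbfd615dfb863828f6fd357
+ data.tar.gz: 1ed635a000523d88d2bc912f01c39fd7e1b49eadd80317ab6fa17fa4b82a1880
  SHA512:
- metadata.gz: d94eb890371b09ce7f2bcaa315dc6fe723228364a5186a0d363d4f56a14a4c744e171307d53251abe23460290aabd96b6124f82d30e8f79bd350ff6b6a2ac599
- data.tar.gz: 1cd900c931008350da80b0b13856538d01afcac2a9c912a7d546953321069ed3f4e915ab2b59052c1f413d651ce5bcc307cc3bf46d13b0d56c6edc4556e7dc69
+ metadata.gz: 31bb0095247c0a5fff39f822daf0a9d246c7c8cad14d2b2eaa97f169fac7f98d3526f9e63dba2758bc1bc2a154275d98f9aa2792a2fe7c087e649f4860a364a0
+ data.tar.gz: c00767d62bb2e611b091efe2739e5392e7fb7574249119b6217ee1abbdbfe37be84bb6a36062fa5b8eb7595da0c06ed7d31d17363c1e0797e44456d265c861c2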
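--- a/data/.fixtures.yml
+++ b/data/.fixtures.yml
@@ -1,5 +1,5 @@
  ---
  fixtures:
  repositories:
- stdlib: "git://github.com/simp/puppetlabs-stdlib"
+ stdlib: "https://github.com/simp/puppetlabs-stdlib"
 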
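Review bot: The `stdlib` fixture is still an unpinned URL, so each test run checks out whatever the fork's default branch holds at that moment. If the fixtures loader used by this project accepts the hash form, pin it, e.g. `stdlib: { repo: "https://github.com/simp/puppetlabs-stdlib", ref: "<tag-or-commit>" }`, so the module code copied to the SUTs is reproducible and reviewable.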
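--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+ ### 1.11.2 / 2018-10-11
+ * Copy ssh keys in home directories to simp standard '/etc/ssh/local_keys/'
+ to avoid error when certain simp puppet modules are applied
+ * Fix enable_fips_mode_on(), which no longer works on centos/7 vagrant boxes.
+
  ### 1.11.1 / 2018-10-03
  * Deprecate the 'terminus' parameter in 'write_hieradata_to' and 'set_hieradata_on'
  * Add 'copy_hiera_data_to' method to replace the one from beaker-hiera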
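--- a/data/README.md
+++ b/data/README.md
@@ -35,10 +35,12 @@ Methods to assist beaker acceptance tests for SIMP.
  * [`install_puppet`](#install_puppet)
  * [Environment variables](#environment-variables-1)
  * [`BEAKER_fips`](#beaker_fips)
- * [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
+ * [`BEAKER_fips_module_version`](#beaker_fips_module_version)
  * [`BEAKER_spec_prep`](#beaker_spec_prep)
+ * [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
  * [`BEAKER_stringify_facts`](#beaker_stringify_facts)
  * [`BEAKER_use_fixtures_dir_for_modules`](#beaker_use_fixtures_dir_for_modules)
+ * [`BEAKER_no_fix_interfaces`](#beaker_no_fix_interfaces)
  * [PUPPET_VERSION](#puppet_version)
  * [Examples](#examples)
  * [Prep OS, Generate and copy PKI certs to each SUT](#prep-os-generate-and-copy-pki-certs-to-each-sut)
@@ -332,6 +334,14 @@ _(Default: `no`)_ When set to `yes`, Beaker will enable [FIPS mode](https://acce
 
  **NOTE:** FIPS mode is only enabled on RedHat family hosts.
 
+ #### `BEAKER_fips_module_version`
+
+ _(Default: unset)_ Set to a version of the simp-fips Puppet module released
+ to Puppet Forge, when you want to specify the version of that module used to
+ implement enable FIPS. When unset, the latest version is used.
+
+ **NOTE:** This has no effect if the `simp-fips` module is already included in your fixtures.yml
+
  #### `BEAKER_spec_prep`
 
  _(Default: `yes`)_ Ensures that each fixture module is present under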
@@ -104,19 +104,27 @@ module Simp::BeakerHelpers
104
104
  # Locates .fixture.yml in or above this directory.
105
105
  def fixtures_yml_path
106
106
  STDERR.puts ' ** fixtures_yml_path' if ENV['BEAKER_helpers_verbose']
107
- fixtures_yml = ''
108
- dir = '.'
109
- while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
110
- file = File.expand_path( '.fixtures.yml', dir )
111
- STDERR.puts " ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
112
- if File.exists? file
113
- fixtures_yml = file
114
- break
107
+
108
+ if ENV['FIXTURES_YML']
109
+ fixtures_yml = ENV['FIXTURES_YML']
110
+ else
111
+ fixtures_yml = ''
112
+ dir = '.'
113
+ while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
114
+ file = File.expand_path( '.fixtures.yml', dir )
115
+ STDERR.puts " ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
116
+ if File.exists? file
117
+ fixtures_yml = file
118
+ break
119
+ end
120
+ dir = "#{dir}/.."
115
121
  end
116
- dir = "#{dir}/.."
117
122
  end
123
+
118
124
  raise 'ERROR: cannot locate .fixtures.yml!' if fixtures_yml.empty?
125
+
119
126
  STDERR.puts " ** fixtures_yml_path:finished (file: '#{file}')" if ENV['BEAKER_helpers_verbose']
127
+
120
128
  fixtures_yml
121
129
  end
122
130
 
@@ -228,56 +236,40 @@ module Simp::BeakerHelpers
228
236
 
229
237
  # We need to be able to get back into our system!
230
238
  # Make these safe for all systems, even old ones.
239
+ # TODO Use simp-ssh Puppet module appropriately (i.e., in a fashion
240
+ # that doesn't break vagrant access and is appropriate for
241
+ # typical module tests.)
231
242
  fips_ssh_ciphers = [ 'aes256-cbc','aes192-cbc','aes128-cbc']
232
243
  on(sut, %(sed -i '/Ciphers /d' /etc/ssh/sshd_config))
233
244
  on(sut, %(echo 'Ciphers #{fips_ssh_ciphers.join(',')}' >> /etc/ssh/sshd_config))
234
245
 
235
- if fact_on(sut, 'osfamily') == 'RedHat'
236
- pp = <<-EOS
237
- # This is necessary to prevent a kernel panic after rebooting into FIPS
238
- # (last checked: 20150928)
239
- package { ['kernel'] : ensure => 'latest' }
240
-
241
- package { ['dracut-fips'] : ensure => 'latest' }
242
- ~>
243
- exec { 'Always run dracut after installing dracut-fips':
244
- path => ['/usr/bin', '/sbin'],
245
- command => 'dracut -f',
246
- refreshonly => true
247
- }
248
-
249
- package { ['grubby'] : ensure => 'latest' }
250
- ~>
251
- exec{ 'setup_fips':
252
- command => '/bin/bash /root/setup_fips.sh',
253
- refreshonly => true,
254
- }
255
-
256
- file{ '/root/setup_fips.sh':
257
- ensure => 'file',
258
- owner => 'root',
259
- group => 'root',
260
- mode => '0700',
261
- content => "#!/bin/bash
262
-
263
- # FIPS
264
- if [ -e /sys/firmware/efi ]; then
265
- BOOTDEV=`df /boot/efi | tail -1 | cut -f1 -d' '`
266
- else
267
- BOOTDEV=`df /boot | tail -1 | cut -f1 -d' '`
268
- fi
269
- # In case you need a working fallback
270
- DEFAULT_KERNEL_INFO=`/sbin/grubby --default-kernel`
271
- DEFAULT_INITRD=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep initrd | cut -f2 -d'='`
272
- DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 title | cut -f2 -d'='`
273
- /sbin/grubby --copy-default --make-default --args=\\\"boot=\\\${BOOTDEV} fips=1\\\" --add-kernel=`/sbin/grubby --default-kernel` --initrd=\\\${DEFAULT_INITRD} --title=\\\"FIPS \\\${DEFAULT_KERNEL_TITLE}\\\"
274
- ",
275
- notify => Exec['setup_fips']
276
- }
277
- EOS
278
- apply_manifest_on(sut, pp, :catch_failures => false)
279
- on( sut, 'shutdown -r now', { :expect_connection_failure => true } )
246
+ fips_enable_modulepath = ''
247
+
248
+ if pupmods_in_fixtures_yml.include?('fips')
249
+ copy_fixture_modules_to(sut)
250
+ else
251
+ # If we don't already have the simp-fips module installed
252
+ #
253
+ # Use the simp-fips Puppet module to set FIPS up properly:
254
+ # Download the appropriate version of the module and its dependencies from PuppetForge.
255
+ # TODO provide a R10k download option in which user provides a Puppetfile
256
+ # with simp-fips and its dependencies
257
+ on(sut, 'mkdir -p /root/.beaker_fips/modules')
258
+
259
+ fips_enable_modulepath = '--modulepath=/root/.beaker_fips/modules'
260
+
261
+ module_install_cmd = 'puppet module install simp-fips --target-dir=/root/.beaker_fips/modules'
262
+
263
+ if ENV['BEAKER_fips_module_version']
264
+ module_install_cmd += " --version #{ENV['BEAKER_fips_module_version']}"
265
+ end
266
+
267
+ on(sut, module_install_cmd)
280
268
  end
269
+
270
+ # Enable FIPS and then reboot to finish.
271
+ on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
272
+ sut.reboot
281
273
  end
282
274
  end
283
275
 
@@ -373,6 +365,15 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
373
365
  on sut, 'puppet resource group puppet gid=52'
374
366
  on sut, 'puppet resource user puppet comment="Puppet" gid="52" uid="52" home="/var/lib/puppet" managehome=true'
375
367
 
368
+ # SIMP uses a central ssh key location, but some keys are only home dirs
369
+ on(sut, "mkdir -p /etc/ssh/local_keys")
370
+ on(sut, "for path in `find / -wholename '/home/*/.ssh/authorized_keys'`;"\
371
+ "do echo $path; user=`ls -l $path | awk '{print $3}'`;"\
372
+ "echo $user; cp --preserve=all -f $path /etc/ssh/local_keys/$user; done")
373
+ on(sut, "if [ -f /root/.ssh/authorized_keys ]; then cp --preserve=all -f /root/.ssh/authorized_keys /etc/ssh/local_keys/root; fi")
374
+ on(sut, "chown -R root:root /etc/ssh/local_keys")
375
+ on(sut, "chmod 644 /etc/ssh/local_keys/*")
376
+
376
377
  # SIMP uses structured facts, therefore stringify_facts must be disabled
377
378
  unless ENV['BEAKER_stringify_facts'] == 'yes'
378
379
  on sut, 'puppet config set stringify_facts false'
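Review bot: The key-copy loop added just above the stringify_facts block names each file in /etc/ssh/local_keys after the owner reported by `ls -l`, not after the account whose home directory holds it, so a root-owned `/home/<user>/.ssh/authorized_keys` would be written to `/etc/ssh/local_keys/root`. Assuming sshd on the SUT reads per-user keys from that directory (the added comment suggests so), this decides which keys can log in to which account, so I would take the name from the path and quote it in the shell command: `user=$(basename "$(dirname "$(dirname "$path")")")` and `cp --preserve=all -f "$path" "/etc/ssh/local_keys/$user"`. `find /` also walks every mounted filesystem where `find /home -path '/home/*/.ssh/authorized_keys'` would do, and `chmod 644 /etc/ssh/local_keys/*` exits non-zero when nothing was copied, which presumably fails the helper on a host without any authorized_keys file. The enclosing method starts and ends outside this hunk.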
@@ -1,5 +1,5 @@
1
1
  module Simp; end
2
2
 
3
3
  module Simp::BeakerHelpers
4
- VERSION = '1.11.1'
4
+ VERSION = '1.11.2'
5
5
  end
@@ -1,16 +1,23 @@
1
1
  require 'spec_helper_acceptance'
2
2
 
3
3
  hosts.each do |host|
4
- describe 'ensure FIPS mode matches ENV[BEAKER_fips]' do
4
+ describe 'FIPS enabled from Forge' do
5
5
  context "on #{host}" do
6
- it 'check /proc/sys/crypto/fips_enabled' do
7
- stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
8
- if ENV['BEAKER_fips'] == 'yes'
9
- expect(stdout).to eq("1")
10
- else
11
- expect(stdout).to eq("0")
6
+ if ENV['BEAKER_fips'] == 'yes'
7
+ it 'creates an alternate apply directory' do
8
+ on(host, 'test -d /root/.beaker_fips/modules')
12
9
  end
13
- end
10
+
11
+ it 'has fips enabled' do
12
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
13
+ expect(stdout).to eq('1')
14
+ end
15
+ else
16
+ it 'has fips disabled' do
17
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
18
+ expect(stdout).to eq('0')
19
+ end
20
+ end
14
21
  end
15
22
  end
16
23
  end
@@ -0,0 +1,63 @@
1
+ class ScrubFixtures
2
+ require 'simp/beaker_helpers'
3
+ include Simp::BeakerHelpers
4
+
5
+ def initialize
6
+ FileUtils.rm_rf(File.join(fixtures_path, 'modules'))
7
+ end
8
+ end
9
+
10
+ require 'yaml'
11
+ require 'tempfile'
12
+
13
+ alt_fixtures = File.absolute_path('.fips_fixtures.yml')
14
+
15
+ new_fixtures = {
16
+ 'fixtures' => {
17
+ 'repositories' => {}
18
+ }
19
+ }
20
+
21
+ new_fixtures['fixtures']['repositories']['fips'] = 'https://github.com/simp/pupmod-simp-fips'
22
+ new_fixtures['fixtures']['repositories']['augeasproviders_core'] = 'https://github.com/simp/augeasproviders_core'
23
+ new_fixtures['fixtures']['repositories']['augeasproviders_grub'] = 'https://github.com/simp/augeasproviders_grub'
24
+ new_fixtures['fixtures']['repositories']['simplib'] = 'https://github.com/simp/pupmod-simp-simplib'
25
+ new_fixtures['fixtures']['repositories']['stdlib'] = 'https://github.com/simp/puppetlabs-stdlib'
26
+
27
+ File.open(alt_fixtures, 'w'){ |fh| fh.puts(new_fixtures.to_yaml) }
28
+
29
+ ScrubFixtures.new
30
+
31
+ ENV['BEAKER_fips'] = 'yes'
32
+ ENV['FIXTURES_YML'] = alt_fixtures
33
+
34
+ Bundler.with_clean_env{
35
+ ENV['FIXTURES_YML'] = alt_fixtures
36
+
37
+ %x{bundle exec rake spec_prep}
38
+ }
39
+
40
+ require 'spec_helper_acceptance'
41
+
42
+ describe 'FIPS pre-installed' do
43
+ after(:all) do
44
+ if alt_fixtures && File.exist?(alt_fixtures)
45
+ FileUtils.rm(alt_fixtures)
46
+
47
+ ScrubFixtures.new
48
+ end
49
+ end
50
+
51
+ hosts.each do |host|
52
+ context "on #{host}" do
53
+ it 'does not create an alternate apply directory' do
54
+ on(host, 'test ! -d /root/.beaker_fips/modules')
55
+ end
56
+
57
+ it 'has fips enabled' do
58
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
59
+ expect(stdout).to eq('1')
60
+ end
61
+ end
62
+ end
63
+ end
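Review bot: The `%x{bundle exec rake spec_prep}` call inside `Bundler.with_clean_env` discards both the output and the exit status, so a failed fixture checkout goes unnoticed here and the suite continues to `require 'spec_helper_acceptance'` with whatever is under the fixtures directory. Checking the result, for example `system('bundle exec rake spec_prep') or raise 'spec_prep failed'`, would stop the run at the real cause. The five repositories written to `.fips_fixtures.yml` are also bare URLs with no ref, so the module code that is presumably applied on the SUT afterwards is whatever the default branches hold at run time; pinning each to a tag or commit would make the run reproducible.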
@@ -0,0 +1,2 @@
1
+ ---
2
+ 'default_run': true
@@ -0,0 +1 @@
1
+ spec/acceptance/suites/fips_from_fixtures/../../nodesets
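--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: simp-beaker-helpers
  version: !ruby/object:Gem::Version
- version: 1.11.1
+ version: 1.11.2
  platform: ruby
  authors:
  - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-10-03 00:00:00.000000000 Z
+ date: 2018-10-15 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: beaker
@@ -174,6 +174,9 @@ files:
  - spec/acceptance/suites/default/pki_tests_spec.rb
  - spec/acceptance/suites/default/set_hieradata_on_spec.rb
  - spec/acceptance/suites/default/write_hieradata_to_spec.rb
+ - spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
+ - spec/acceptance/suites/fips_from_fixtures/metadata.yml
+ - spec/acceptance/suites/fips_from_fixtures/nodesets
  - spec/acceptance/suites/puppet_collections/00_default_spec.rb
  - spec/acceptance/suites/puppet_collections/metadata.yml
  - spec/acceptance/suites/puppet_collections/nodesets/default.yml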