simp-beaker-helpers 1.11.1 → 1.11.2

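--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: de20d90d702274ad89d7c0f4971cf392e7b9810dd81c19d2a18713e2094c2e8e
- data.tar.gz: 98364f3ad80cb62f625e5b83fbe284e4b303a99e09bf2227d22f9e3adbf40603
+ metadata.gz: bae36aadf14634267010bd774a210b9b9c493131acbfd615dfb863828f6fd357
+ data.tar.gz: 1ed635a000523d88d2bc912f01c39fd7e1b49eadd80317ab6fa17fa4b82a1880
  SHA512:
- metadata.gz: d94eb890371b09ce7f2bcaa315dc6fe723228364a5186a0d363d4f56a14a4c744e171307d53251abe23460290aabd96b6124f82d30e8f79bd350ff6b6a2ac599
- data.tar.gz: 1cd900c931008350da80b0b13856538d01afcac2a9c912a7d546953321069ed3f4e915ab2b59052c1f413d651ce5bcc307cc3bf46d13b0d56c6edc4556e7dc69
+ metadata.gz: 31bb0095247c0a5fff39f822daf0a9d246c7c8cad14d2b2eaa97f169fac7f98d3526f9e63dba2758bc1bc2a154275d98f9aa2792a2fe7c087e649f4860a364a0
+ data.tar.gz: c00767d62bb2e611b091efe2739e5392e7fb7574249119b6217ee1abbdbfe37be84bb6a36062fa5b8eb7595da0c06ed7d31d17363c1e0797e44456d265c861c2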
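--- a/data/.fixtures.yml
+++ b/data/.fixtures.yml
@@ -1,5 +1,5 @@
  ---
  fixtures:
  repositories:
- stdlib: "git://github.com/simp/puppetlabs-stdlib"
+ stdlib: "https://github.com/simp/puppetlabs-stdlib"
 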
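--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+ ### 1.11.2 / 2018-10-11
+ * Copy ssh keys in home directories to simp standard '/etc/ssh/local_keys/'
+ to avoid error when certain simp puppet modules are applied
+ * Fix enable_fips_mode_on(), which no longer works on centos/7 vagrant boxes.
+
  ### 1.11.1 / 2018-10-03
  * Deprecate the 'terminus' parameter in 'write_hieradata_to' and 'set_hieradata_on'
  * Add 'copy_hiera_data_to' method to replace the one from beaker-hiera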
data/README.md CHANGED
@@ -35,10 +35,12 @@ Methods to assist beaker acceptance tests for SIMP.
35
35
  * [`install_puppet`](#install_puppet)
36
36
  * [Environment variables](#environment-variables-1)
37
37
  * [`BEAKER_fips`](#beaker_fips)
38
- * [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
38
+ * [`BEAKER_fips_module_version`](#beaker_fips_module_version)
39
39
  * [`BEAKER_spec_prep`](#beaker_spec_prep)
40
+ * [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
40
41
  * [`BEAKER_stringify_facts`](#beaker_stringify_facts)
41
42
  * [`BEAKER_use_fixtures_dir_for_modules`](#beaker_use_fixtures_dir_for_modules)
43
+ * [`BEAKER_no_fix_interfaces`](#beaker_no_fix_interfaces)
42
44
  * [PUPPET_VERSION](#puppet_version)
43
45
  * [Examples](#examples)
44
46
  * [Prep OS, Generate and copy PKI certs to each SUT](#prep-os-generate-and-copy-pki-certs-to-each-sut)
@@ -332,6 +334,14 @@ _(Default: `no`)_ When set to `yes`, Beaker will enable [FIPS mode](https://acce
332
334
 
333
335
  **NOTE:** FIPS mode is only enabled on RedHat family hosts.
334
336
 
337
+ #### `BEAKER_fips_module_version`
338
+
339
+ _(Default: unset)_ Set to a version of the simp-fips Puppet module released
340
+ to Puppet Forge, when you want to specify the version of that module used to
341
+ implement enable FIPS. When unset, the latest version is used.
342
+
343
+ **NOTE:** This has no effect if the `simp-fips` module is already included in your fixtures.yml
344
+
335
345
  #### `BEAKER_spec_prep`
336
346
 
337
347
  _(Default: `yes`)_ Ensures that each fixture module is present under
@@ -104,19 +104,27 @@ module Simp::BeakerHelpers
104
104
  # Locates .fixture.yml in or above this directory.
105
105
  def fixtures_yml_path
106
106
  STDERR.puts ' ** fixtures_yml_path' if ENV['BEAKER_helpers_verbose']
107
- fixtures_yml = ''
108
- dir = '.'
109
- while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
110
- file = File.expand_path( '.fixtures.yml', dir )
111
- STDERR.puts " ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
112
- if File.exists? file
113
- fixtures_yml = file
114
- break
107
+
108
+ if ENV['FIXTURES_YML']
109
+ fixtures_yml = ENV['FIXTURES_YML']
110
+ else
111
+ fixtures_yml = ''
112
+ dir = '.'
113
+ while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
114
+ file = File.expand_path( '.fixtures.yml', dir )
115
+ STDERR.puts " ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
116
+ if File.exists? file
117
+ fixtures_yml = file
118
+ break
119
+ end
120
+ dir = "#{dir}/.."
115
121
  end
116
- dir = "#{dir}/.."
117
122
  end
123
+
118
124
  raise 'ERROR: cannot locate .fixtures.yml!' if fixtures_yml.empty?
125
+
119
126
  STDERR.puts " ** fixtures_yml_path:finished (file: '#{file}')" if ENV['BEAKER_helpers_verbose']
127
+
120
128
  fixtures_yml
121
129
  end
122
130
 
@@ -228,56 +236,40 @@ module Simp::BeakerHelpers
228
236
 
229
237
  # We need to be able to get back into our system!
230
238
  # Make these safe for all systems, even old ones.
239
+ # TODO Use simp-ssh Puppet module appropriately (i.e., in a fashion
240
+ # that doesn't break vagrant access and is appropriate for
241
+ # typical module tests.)
231
242
  fips_ssh_ciphers = [ 'aes256-cbc','aes192-cbc','aes128-cbc']
232
243
  on(sut, %(sed -i '/Ciphers /d' /etc/ssh/sshd_config))
233
244
  on(sut, %(echo 'Ciphers #{fips_ssh_ciphers.join(',')}' >> /etc/ssh/sshd_config))
234
245
 
235
- if fact_on(sut, 'osfamily') == 'RedHat'
236
- pp = <<-EOS
237
- # This is necessary to prevent a kernel panic after rebooting into FIPS
238
- # (last checked: 20150928)
239
- package { ['kernel'] : ensure => 'latest' }
240
-
241
- package { ['dracut-fips'] : ensure => 'latest' }
242
- ~>
243
- exec { 'Always run dracut after installing dracut-fips':
244
- path => ['/usr/bin', '/sbin'],
245
- command => 'dracut -f',
246
- refreshonly => true
247
- }
248
-
249
- package { ['grubby'] : ensure => 'latest' }
250
- ~>
251
- exec{ 'setup_fips':
252
- command => '/bin/bash /root/setup_fips.sh',
253
- refreshonly => true,
254
- }
255
-
256
- file{ '/root/setup_fips.sh':
257
- ensure => 'file',
258
- owner => 'root',
259
- group => 'root',
260
- mode => '0700',
261
- content => "#!/bin/bash
262
-
263
- # FIPS
264
- if [ -e /sys/firmware/efi ]; then
265
- BOOTDEV=`df /boot/efi | tail -1 | cut -f1 -d' '`
266
- else
267
- BOOTDEV=`df /boot | tail -1 | cut -f1 -d' '`
268
- fi
269
- # In case you need a working fallback
270
- DEFAULT_KERNEL_INFO=`/sbin/grubby --default-kernel`
271
- DEFAULT_INITRD=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep initrd | cut -f2 -d'='`
272
- DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 title | cut -f2 -d'='`
273
- /sbin/grubby --copy-default --make-default --args=\\\"boot=\\\${BOOTDEV} fips=1\\\" --add-kernel=`/sbin/grubby --default-kernel` --initrd=\\\${DEFAULT_INITRD} --title=\\\"FIPS \\\${DEFAULT_KERNEL_TITLE}\\\"
274
- ",
275
- notify => Exec['setup_fips']
276
- }
277
- EOS
278
- apply_manifest_on(sut, pp, :catch_failures => false)
279
- on( sut, 'shutdown -r now', { :expect_connection_failure => true } )
246
+ fips_enable_modulepath = ''
247
+
248
+ if pupmods_in_fixtures_yml.include?('fips')
249
+ copy_fixture_modules_to(sut)
250
+ else
251
+ # If we don't already have the simp-fips module installed
252
+ #
253
+ # Use the simp-fips Puppet module to set FIPS up properly:
254
+ # Download the appropriate version of the module and its dependencies from PuppetForge.
255
+ # TODO provide a R10k download option in which user provides a Puppetfile
256
+ # with simp-fips and its dependencies
257
+ on(sut, 'mkdir -p /root/.beaker_fips/modules')
258
+
259
+ fips_enable_modulepath = '--modulepath=/root/.beaker_fips/modules'
260
+
261
+ module_install_cmd = 'puppet module install simp-fips --target-dir=/root/.beaker_fips/modules'
262
+
263
+ if ENV['BEAKER_fips_module_version']
264
+ module_install_cmd += " --version #{ENV['BEAKER_fips_module_version']}"
265
+ end
266
+
267
+ on(sut, module_install_cmd)
280
268
  end
269
+
270
+ # Enable FIPS and then reboot to finish.
271
+ on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
272
+ sut.reboot
281
273
  end
282
274
  end
283
275
 
@@ -373,6 +365,15 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
373
365
  on sut, 'puppet resource group puppet gid=52'
374
366
  on sut, 'puppet resource user puppet comment="Puppet" gid="52" uid="52" home="/var/lib/puppet" managehome=true'
375
367
 
368
+ # SIMP uses a central ssh key location, but some keys are only home dirs
369
+ on(sut, "mkdir -p /etc/ssh/local_keys")
370
+ on(sut, "for path in `find / -wholename '/home/*/.ssh/authorized_keys'`;"\
371
+ "do echo $path; user=`ls -l $path | awk '{print $3}'`;"\
372
+ "echo $user; cp --preserve=all -f $path /etc/ssh/local_keys/$user; done")
373
+ on(sut, "if [ -f /root/.ssh/authorized_keys ]; then cp --preserve=all -f /root/.ssh/authorized_keys /etc/ssh/local_keys/root; fi")
374
+ on(sut, "chown -R root:root /etc/ssh/local_keys")
375
+ on(sut, "chmod 644 /etc/ssh/local_keys/*")
376
+
376
377
  # SIMP uses structured facts, therefore stringify_facts must be disabled
377
378
  unless ENV['BEAKER_stringify_facts'] == 'yes'
378
379
  on sut, 'puppet config set stringify_facts false'
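Review bot: In the hunk at `@@ -373,6 +365,15 @@`, the key-copy loop names each file in `/etc/ssh/local_keys/` after the owner reported by `ls -l` rather than after the home directory it was found in, so a root-owned `authorized_keys` under some user's home is installed as `/etc/ssh/local_keys/root` unless the later `/root/.ssh/authorized_keys` copy overwrites it. Deriving the name from the path, e.g. `user=$(basename "$(dirname "$(dirname "$path")")")` (written in a `%()` literal so the quotes need no escaping), and quoting `"$path"` in the `cp` would keep each key set bound to its own account and tolerate paths containing spaces. `chmod 644 /etc/ssh/local_keys/*` also exits non-zero when nothing was copied, which presumably fails the `on` call on a SUT that has no authorized_keys file at all. The enclosing method starts and ends outside the hunk.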
@@ -1,5 +1,5 @@
1
1
  module Simp; end
2
2
 
3
3
  module Simp::BeakerHelpers
4
- VERSION = '1.11.1'
4
+ VERSION = '1.11.2'
5
5
  end
@@ -1,16 +1,23 @@
1
1
  require 'spec_helper_acceptance'
2
2
 
3
3
  hosts.each do |host|
4
- describe 'ensure FIPS mode matches ENV[BEAKER_fips]' do
4
+ describe 'FIPS enabled from Forge' do
5
5
  context "on #{host}" do
6
- it 'check /proc/sys/crypto/fips_enabled' do
7
- stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
8
- if ENV['BEAKER_fips'] == 'yes'
9
- expect(stdout).to eq("1")
10
- else
11
- expect(stdout).to eq("0")
6
+ if ENV['BEAKER_fips'] == 'yes'
7
+ it 'creates an alternate apply directory' do
8
+ on(host, 'test -d /root/.beaker_fips/modules')
12
9
  end
13
- end
10
+
11
+ it 'has fips enabled' do
12
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
13
+ expect(stdout).to eq('1')
14
+ end
15
+ else
16
+ it 'has fips disabled' do
17
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
18
+ expect(stdout).to eq('0')
19
+ end
20
+ end
14
21
  end
15
22
  end
16
23
  end
@@ -0,0 +1,63 @@
1
+ class ScrubFixtures
2
+ require 'simp/beaker_helpers'
3
+ include Simp::BeakerHelpers
4
+
5
+ def initialize
6
+ FileUtils.rm_rf(File.join(fixtures_path, 'modules'))
7
+ end
8
+ end
9
+
10
+ require 'yaml'
11
+ require 'tempfile'
12
+
13
+ alt_fixtures = File.absolute_path('.fips_fixtures.yml')
14
+
15
+ new_fixtures = {
16
+ 'fixtures' => {
17
+ 'repositories' => {}
18
+ }
19
+ }
20
+
21
+ new_fixtures['fixtures']['repositories']['fips'] = 'https://github.com/simp/pupmod-simp-fips'
22
+ new_fixtures['fixtures']['repositories']['augeasproviders_core'] = 'https://github.com/simp/augeasproviders_core'
23
+ new_fixtures['fixtures']['repositories']['augeasproviders_grub'] = 'https://github.com/simp/augeasproviders_grub'
24
+ new_fixtures['fixtures']['repositories']['simplib'] = 'https://github.com/simp/pupmod-simp-simplib'
25
+ new_fixtures['fixtures']['repositories']['stdlib'] = 'https://github.com/simp/puppetlabs-stdlib'
26
+
27
+ File.open(alt_fixtures, 'w'){ |fh| fh.puts(new_fixtures.to_yaml) }
28
+
29
+ ScrubFixtures.new
30
+
31
+ ENV['BEAKER_fips'] = 'yes'
32
+ ENV['FIXTURES_YML'] = alt_fixtures
33
+
34
+ Bundler.with_clean_env{
35
+ ENV['FIXTURES_YML'] = alt_fixtures
36
+
37
+ %x{bundle exec rake spec_prep}
38
+ }
39
+
40
+ require 'spec_helper_acceptance'
41
+
42
+ describe 'FIPS pre-installed' do
43
+ after(:all) do
44
+ if alt_fixtures && File.exist?(alt_fixtures)
45
+ FileUtils.rm(alt_fixtures)
46
+
47
+ ScrubFixtures.new
48
+ end
49
+ end
50
+
51
+ hosts.each do |host|
52
+ context "on #{host}" do
53
+ it 'does not create an alternate apply directory' do
54
+ on(host, 'test ! -d /root/.beaker_fips/modules')
55
+ end
56
+
57
+ it 'has fips enabled' do
58
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
59
+ expect(stdout).to eq('1')
60
+ end
61
+ end
62
+ end
63
+ end
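Review bot: The exit status of `%x{bundle exec rake spec_prep}` is never checked, so when fixture preparation fails the suite keeps running after `ScrubFixtures.new` has already removed the `modules` directory under `fixtures_path`, and the failure likely surfaces later as an unrelated error on the SUT. Replacing the backticks with `system('bundle exec rake spec_prep') or raise 'spec_prep failed for .fips_fixtures.yml'` makes the cause visible at load time. The `after(:all)` block deletes the generated file but leaves `ENV['FIXTURES_YML']` and `ENV['BEAKER_fips']` set, so later code in the same process would be handed a path that no longer exists; clearing both there (`ENV.delete('FIXTURES_YML')`) would contain the side effect.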
@@ -0,0 +1,2 @@
1
+ ---
2
+ 'default_run': true
@@ -0,0 +1 @@
1
+ spec/acceptance/suites/fips_from_fixtures/../../nodesets
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: simp-beaker-helpers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.11.1
4
+ version: 1.11.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2018-10-03 00:00:00.000000000 Z
12
+ date: 2018-10-15 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: beaker
@@ -174,6 +174,9 @@ files:
174
174
  - spec/acceptance/suites/default/pki_tests_spec.rb
175
175
  - spec/acceptance/suites/default/set_hieradata_on_spec.rb
176
176
  - spec/acceptance/suites/default/write_hieradata_to_spec.rb
177
+ - spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
178
+ - spec/acceptance/suites/fips_from_fixtures/metadata.yml
179
+ - spec/acceptance/suites/fips_from_fixtures/nodesets
177
180
  - spec/acceptance/suites/puppet_collections/00_default_spec.rb
178
181
  - spec/acceptance/suites/puppet_collections/metadata.yml
179
182
  - spec/acceptance/suites/puppet_collections/nodesets/default.yml