simp-beaker-helpers 1.11.1 → 1.11.2
- checksums.yaml +4 -4
- data/.fixtures.yml +1 -1
- data/CHANGELOG.md +5 -0
- data/README.md +11 -1
- data/lib/simp/beaker_helpers.rb +55 -54
- data/lib/simp/beaker_helpers/version.rb +1 -1
- data/spec/acceptance/suites/default/enable_fips_spec.rb +15 -8
- data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb +63 -0
- data/spec/acceptance/suites/fips_from_fixtures/metadata.yml +2 -0
- data/spec/acceptance/suites/fips_from_fixtures/nodesets +1 -0
- metadata +5 -2
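--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bae36aadf14634267010bd774a210b9b9c493131acbfd615dfb863828f6fd357
+data.tar.gz: 1ed635a000523d88d2bc912f01c39fd7e1b49eadd80317ab6fa17fa4b82a1880
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 31bb0095247c0a5fff39f822daf0a9d246c7c8cad14d2b2eaa97f169fac7f98d3526f9e63dba2758bc1bc2a154275d98f9aa2792a2fe7c087e649f4860a364a0
+data.tar.gz: c00767d62bb2e611b091efe2739e5392e7fb7574249119b6217ee1abbdbfe37be84bb6a36062fa5b8eb7595da0c06ed7d31d17363c1e0797e44456d265c861c2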
data/.fixtures.yml
CHANGED
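--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+### 1.11.2 / 2018-10-11
+* Copy ssh keys in home directories to simp standard '/etc/ssh/local_keys/'
+to avoid error when certain simp puppet modules are applied
+* Fix enable_fips_mode_on(), which no longer works on centos/7 vagrant boxes.
+
 ### 1.11.1 / 2018-10-03
 * Deprecate the 'terminus' parameter in 'write_hieradata_to' and 'set_hieradata_on'
 * Add 'copy_hiera_data_to' method to replace the one from beaker-hiera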
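--- a/data/README.md
+++ b/data/README.md
@@ -35,10 +35,12 @@ Methods to assist beaker acceptance tests for SIMP.
 * [`install_puppet`](#install_puppet)
 * [Environment variables](#environment-variables-1)
 * [`BEAKER_fips`](#beaker_fips)
-* [`
+* [`BEAKER_fips_module_version`](#beaker_fips_module_version)
 * [`BEAKER_spec_prep`](#beaker_spec_prep)
+* [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
 * [`BEAKER_stringify_facts`](#beaker_stringify_facts)
 * [`BEAKER_use_fixtures_dir_for_modules`](#beaker_use_fixtures_dir_for_modules)
+* [`BEAKER_no_fix_interfaces`](#beaker_no_fix_interfaces)
 * [PUPPET_VERSION](#puppet_version)
 * [Examples](#examples)
 * [Prep OS, Generate and copy PKI certs to each SUT](#prep-os-generate-and-copy-pki-certs-to-each-sut)
@@ -332,6 +334,14 @@ _(Default: `no`)_ When set to `yes`, Beaker will enable [FIPS mode](https://acce
 
 **NOTE:** FIPS mode is only enabled on RedHat family hosts.
 
+#### `BEAKER_fips_module_version`
+
+_(Default: unset)_ Set to a version of the simp-fips Puppet module released
+to Puppet Forge, when you want to specify the version of that module used to
+implement enable FIPS. When unset, the latest version is used.
+
+**NOTE:** This has no effect if the `simp-fips` module is already included in your fixtures.yml
+
 #### `BEAKER_spec_prep`
 
 _(Default: `yes`)_ Ensures that each fixture module is present under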
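--- a/data/lib/simp/beaker_helpers.rb
+++ b/data/lib/simp/beaker_helpers.rb
@@ -104,19 +104,27 @@ module Simp::BeakerHelpers
 # Locates .fixture.yml in or above this directory.
 def fixtures_yml_path
 STDERR.puts ' ** fixtures_yml_path' if ENV['BEAKER_helpers_verbose']
-
-
-
-
-
-
-
-
+
+if ENV['FIXTURES_YML']
+fixtures_yml = ENV['FIXTURES_YML']
+else
+fixtures_yml = ''
+dir = '.'
+while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
+file = File.expand_path( '.fixtures.yml', dir )
+STDERR.puts " ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
+if File.exists? file
+fixtures_yml = file
+break
+end
+dir = "#{dir}/.."
 end
-dir = "#{dir}/.."
 end
+
 raise 'ERROR: cannot locate .fixtures.yml!' if fixtures_yml.empty?
+
 STDERR.puts " ** fixtures_yml_path:finished (file: '#{file}')" if ENV['BEAKER_helpers_verbose']
+
 fixtures_yml
 end
 
@@ -228,56 +236,40 @@ module Simp::BeakerHelpers
 
 # We need to be able to get back into our system!
 # Make these safe for all systems, even old ones.
+# TODO Use simp-ssh Puppet module appropriately (i.e., in a fashion
+# that doesn't break vagrant access and is appropriate for
+# typical module tests.)
 fips_ssh_ciphers = [ 'aes256-cbc','aes192-cbc','aes128-cbc']
 on(sut, %(sed -i '/Ciphers /d' /etc/ssh/sshd_config))
 on(sut, %(echo 'Ciphers #{fips_ssh_ciphers.join(',')}' >> /etc/ssh/sshd_config))
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-ensure => 'file',
-owner => 'root',
-group => 'root',
-mode => '0700',
-content => "#!/bin/bash
-
-# FIPS
-if [ -e /sys/firmware/efi ]; then
-BOOTDEV=`df /boot/efi | tail -1 | cut -f1 -d' '`
-else
-BOOTDEV=`df /boot | tail -1 | cut -f1 -d' '`
-fi
-# In case you need a working fallback
-DEFAULT_KERNEL_INFO=`/sbin/grubby --default-kernel`
-DEFAULT_INITRD=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep initrd | cut -f2 -d'='`
-DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 title | cut -f2 -d'='`
-/sbin/grubby --copy-default --make-default --args=\\\"boot=\\\${BOOTDEV} fips=1\\\" --add-kernel=`/sbin/grubby --default-kernel` --initrd=\\\${DEFAULT_INITRD} --title=\\\"FIPS \\\${DEFAULT_KERNEL_TITLE}\\\"
-",
-notify => Exec['setup_fips']
-}
-EOS
-apply_manifest_on(sut, pp, :catch_failures => false)
-on( sut, 'shutdown -r now', { :expect_connection_failure => true } )
+fips_enable_modulepath = ''
+
+if pupmods_in_fixtures_yml.include?('fips')
+copy_fixture_modules_to(sut)
+else
+# If we don't already have the simp-fips module installed
+#
+# Use the simp-fips Puppet module to set FIPS up properly:
+# Download the appropriate version of the module and its dependencies from PuppetForge.
+# TODO provide a R10k download option in which user provides a Puppetfile
+# with simp-fips and its dependencies
+on(sut, 'mkdir -p /root/.beaker_fips/modules')
+
+fips_enable_modulepath = '--modulepath=/root/.beaker_fips/modules'
+
+module_install_cmd = 'puppet module install simp-fips --target-dir=/root/.beaker_fips/modules'
+
+if ENV['BEAKER_fips_module_version']
+module_install_cmd += " --version #{ENV['BEAKER_fips_module_version']}"
+end
+
+on(sut, module_install_cmd)
 end
+
+# Enable FIPS and then reboot to finish.
+on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
+sut.reboot
 end
 end
 
@@ -373,6 +365,15 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
 on sut, 'puppet resource group puppet gid=52'
 on sut, 'puppet resource user puppet comment="Puppet" gid="52" uid="52" home="/var/lib/puppet" managehome=true'
 
+# SIMP uses a central ssh key location, but some keys are only home dirs
+on(sut, "mkdir -p /etc/ssh/local_keys")
+on(sut, "for path in `find / -wholename '/home/*/.ssh/authorized_keys'`;"\
+"do echo $path; user=`ls -l $path | awk '{print $3}'`;"\
+"echo $user; cp --preserve=all -f $path /etc/ssh/local_keys/$user; done")
+on(sut, "if [ -f /root/.ssh/authorized_keys ]; then cp --preserve=all -f /root/.ssh/authorized_keys /etc/ssh/local_keys/root; fi")
+on(sut, "chown -R root:root /etc/ssh/local_keys")
+on(sut, "chmod 644 /etc/ssh/local_keys/*")
+
 # SIMP uses structured facts, therefore stringify_facts must be disabled
 unless ENV['BEAKER_stringify_facts'] == 'yes'
 on sut, 'puppet config set stringify_facts false'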
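Review bot: In the last hunk, the loop that fills `/etc/ssh/local_keys/` names each copy after the file's owner parsed out of `ls -l` (`user=`ls -l $path | awk '{print $3}'``) rather than after the home directory the key was found in, so an `authorized_keys` file owned by a different account than its home directory ends up installed as login keys for that other account. Deriving the name from the path, e.g. `user=$(basename "$(dirname "$(dirname "$path")")")`, or at least reading the owner with `stat -c %U "$path"`, keeps the mapping explicit, and quoting `"$path"` avoids word splitting on unusual paths. `find / -wholename '/home/*/.ssh/authorized_keys'` also walks every mounted filesystem on the SUT; a shell glob over `/home/*/.ssh/authorized_keys` would be cheaper. The enclosing method starts and ends outside this hunk, so whether a later step tightens these files further is not visible here.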
@@ -1,16 +1,23 @@
|
|
1
1
|
require 'spec_helper_acceptance'
|
2
2
|
|
3
3
|
hosts.each do |host|
|
4
|
-
describe '
|
4
|
+
describe 'FIPS enabled from Forge' do
|
5
5
|
context "on #{host}" do
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
expect(stdout).to eq("1")
|
10
|
-
else
|
11
|
-
expect(stdout).to eq("0")
|
6
|
+
if ENV['BEAKER_fips'] == 'yes'
|
7
|
+
it 'creates an alternate apply directory' do
|
8
|
+
on(host, 'test -d /root/.beaker_fips/modules')
|
12
9
|
end
|
13
|
-
|
10
|
+
|
11
|
+
it 'has fips enabled' do
|
12
|
+
stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
|
13
|
+
expect(stdout).to eq('1')
|
14
|
+
end
|
15
|
+
else
|
16
|
+
it 'has fips disabled' do
|
17
|
+
stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
|
18
|
+
expect(stdout).to eq('0')
|
19
|
+
end
|
20
|
+
end
|
14
21
|
end
|
15
22
|
end
|
16
23
|
end
|
@@ -0,0 +1,63 @@
|
|
1
|
+
class ScrubFixtures
|
2
|
+
require 'simp/beaker_helpers'
|
3
|
+
include Simp::BeakerHelpers
|
4
|
+
|
5
|
+
def initialize
|
6
|
+
FileUtils.rm_rf(File.join(fixtures_path, 'modules'))
|
7
|
+
end
|
8
|
+
end
|
9
|
+
|
10
|
+
require 'yaml'
|
11
|
+
require 'tempfile'
|
12
|
+
|
13
|
+
alt_fixtures = File.absolute_path('.fips_fixtures.yml')
|
14
|
+
|
15
|
+
new_fixtures = {
|
16
|
+
'fixtures' => {
|
17
|
+
'repositories' => {}
|
18
|
+
}
|
19
|
+
}
|
20
|
+
|
21
|
+
new_fixtures['fixtures']['repositories']['fips'] = 'https://github.com/simp/pupmod-simp-fips'
|
22
|
+
new_fixtures['fixtures']['repositories']['augeasproviders_core'] = 'https://github.com/simp/augeasproviders_core'
|
23
|
+
new_fixtures['fixtures']['repositories']['augeasproviders_grub'] = 'https://github.com/simp/augeasproviders_grub'
|
24
|
+
new_fixtures['fixtures']['repositories']['simplib'] = 'https://github.com/simp/pupmod-simp-simplib'
|
25
|
+
new_fixtures['fixtures']['repositories']['stdlib'] = 'https://github.com/simp/puppetlabs-stdlib'
|
26
|
+
|
27
|
+
File.open(alt_fixtures, 'w'){ |fh| fh.puts(new_fixtures.to_yaml) }
|
28
|
+
|
29
|
+
ScrubFixtures.new
|
30
|
+
|
31
|
+
ENV['BEAKER_fips'] = 'yes'
|
32
|
+
ENV['FIXTURES_YML'] = alt_fixtures
|
33
|
+
|
34
|
+
Bundler.with_clean_env{
|
35
|
+
ENV['FIXTURES_YML'] = alt_fixtures
|
36
|
+
|
37
|
+
%x{bundle exec rake spec_prep}
|
38
|
+
}
|
39
|
+
|
40
|
+
require 'spec_helper_acceptance'
|
41
|
+
|
42
|
+
describe 'FIPS pre-installed' do
|
43
|
+
after(:all) do
|
44
|
+
if alt_fixtures && File.exist?(alt_fixtures)
|
45
|
+
FileUtils.rm(alt_fixtures)
|
46
|
+
|
47
|
+
ScrubFixtures.new
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
hosts.each do |host|
|
52
|
+
context "on #{host}" do
|
53
|
+
it 'does not create an alternate apply directory' do
|
54
|
+
on(host, 'test ! -d /root/.beaker_fips/modules')
|
55
|
+
end
|
56
|
+
|
57
|
+
it 'has fips enabled' do
|
58
|
+
stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
|
59
|
+
expect(stdout).to eq('1')
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
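Review bot: `%x{bundle exec rake spec_prep}` throws away both the output and the exit status, so a failed fixture checkout goes unnoticed until a later step fails on the SUT with a less obvious error; `system('bundle exec rake spec_prep') or raise 'spec_prep failed'` would stop the suite at the real cause. The five fixture repositories are given as bare GitHub URLs with no ref, so each run presumably uses whatever is at the head of each repository's default branch; pinning each to a tag or commit would make the suite reproducible. The fixture scrubbing and the `ENV['BEAKER_fips']` / `ENV['FIXTURES_YML']` assignments run at file load and are not undone in `after(:all)`, which deserves a comment such as `# NOTE: mutates ENV for the rest of this process`. This hunk has no file header on the page; its size matches `fips_from_fixtures/00_default_spec.rb` in the file list.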
@@ -0,0 +1 @@
|
|
1
|
+
spec/acceptance/suites/fips_from_fixtures/../../nodesets
|
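--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-version: 1.11.
+version: 1.11.2
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-
+date: 2018-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: beaker
@@ -174,6 +174,9 @@ files:
 - spec/acceptance/suites/default/pki_tests_spec.rb
 - spec/acceptance/suites/default/set_hieradata_on_spec.rb
 - spec/acceptance/suites/default/write_hieradata_to_spec.rb
+- spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
+- spec/acceptance/suites/fips_from_fixtures/metadata.yml
+- spec/acceptance/suites/fips_from_fixtures/nodesets
 - spec/acceptance/suites/puppet_collections/00_default_spec.rb
 - spec/acceptance/suites/puppet_collections/metadata.yml
 - spec/acceptance/suites/puppet_collections/nodesets/default.yml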