simp-beaker-helpers 1.11.1 → 1.11.2
- checksums.yaml +4 -4
- data/.fixtures.yml +1 -1
- data/CHANGELOG.md +5 -0
- data/README.md +11 -1
- data/lib/simp/beaker_helpers.rb +55 -54
- data/lib/simp/beaker_helpers/version.rb +1 -1
- data/spec/acceptance/suites/default/enable_fips_spec.rb +15 -8
- data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb +63 -0
- data/spec/acceptance/suites/fips_from_fixtures/metadata.yml +2 -0
- data/spec/acceptance/suites/fips_from_fixtures/nodesets +1 -0
- metadata +5 -2
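--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bae36aadf14634267010bd774a210b9b9c493131acbfd615dfb863828f6fd357
+data.tar.gz: 1ed635a000523d88d2bc912f01c39fd7e1b49eadd80317ab6fa17fa4b82a1880
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 31bb0095247c0a5fff39f822daf0a9d246c7c8cad14d2b2eaa97f169fac7f98d3526f9e63dba2758bc1bc2a154275d98f9aa2792a2fe7c087e649f4860a364a0
+data.tar.gz: c00767d62bb2e611b091efe2739e5392e7fb7574249119b6217ee1abbdbfe37be84bb6a36062fa5b8eb7595da0c06ed7d31d17363c1e0797e44456d265c861c2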
data/.fixtures.yml
CHANGED
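--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+### 1.11.2 / 2018-10-11
+* Copy ssh keys in home directories to simp standard '/etc/ssh/local_keys/'
+to avoid error when certain simp puppet modules are applied
+* Fix enable_fips_mode_on(), which no longer works on centos/7 vagrant boxes.
+
 ### 1.11.1 / 2018-10-03
 * Deprecate the 'terminus' parameter in 'write_hieradata_to' and 'set_hieradata_on'
 * Add 'copy_hiera_data_to' method to replace the one from beaker-hiera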
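--- a/data/README.md
+++ b/data/README.md
@@ -35,10 +35,12 @@ Methods to assist beaker acceptance tests for SIMP.
 * [`install_puppet`](#install_puppet)
 * [Environment variables](#environment-variables-1)
 * [`BEAKER_fips`](#beaker_fips)
-* [`
+* [`BEAKER_fips_module_version`](#beaker_fips_module_version)
 * [`BEAKER_spec_prep`](#beaker_spec_prep)
+* [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
 * [`BEAKER_stringify_facts`](#beaker_stringify_facts)
 * [`BEAKER_use_fixtures_dir_for_modules`](#beaker_use_fixtures_dir_for_modules)
+* [`BEAKER_no_fix_interfaces`](#beaker_no_fix_interfaces)
 * [PUPPET_VERSION](#puppet_version)
 * [Examples](#examples)
 * [Prep OS, Generate and copy PKI certs to each SUT](#prep-os-generate-and-copy-pki-certs-to-each-sut)
@@ -332,6 +334,14 @@ _(Default: `no`)_ When set to `yes`, Beaker will enable [FIPS mode](https://acce
 
 **NOTE:** FIPS mode is only enabled on RedHat family hosts.
 
+#### `BEAKER_fips_module_version`
+
+_(Default: unset)_ Set to a version of the simp-fips Puppet module released
+to Puppet Forge, when you want to specify the version of that module used to
+implement enable FIPS. When unset, the latest version is used.
+
+**NOTE:** This has no effect if the `simp-fips` module is already included in your fixtures.yml
+
 #### `BEAKER_spec_prep`
 
 _(Default: `yes`)_ Ensures that each fixture module is present under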
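--- a/data/lib/simp/beaker_helpers.rb
+++ b/data/lib/simp/beaker_helpers.rb
@@ -104,19 +104,27 @@ module Simp::BeakerHelpers
 # Locates .fixture.yml in or above this directory.
 def fixtures_yml_path
 STDERR.puts ' ** fixtures_yml_path' if ENV['BEAKER_helpers_verbose']
-
-
-
-
-
-
-
-
+
+if ENV['FIXTURES_YML']
+fixtures_yml = ENV['FIXTURES_YML']
+else
+fixtures_yml = ''
+dir = '.'
+while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
+file = File.expand_path( '.fixtures.yml', dir )
+STDERR.puts " ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
+if File.exists? file
+fixtures_yml = file
+break
+end
+dir = "#{dir}/.."
 end
-dir = "#{dir}/.."
 end
+
 raise 'ERROR: cannot locate .fixtures.yml!' if fixtures_yml.empty?
+
 STDERR.puts " ** fixtures_yml_path:finished (file: '#{file}')" if ENV['BEAKER_helpers_verbose']
+
 fixtures_yml
 end
 
@@ -228,56 +236,40 @@ module Simp::BeakerHelpers
 
 # We need to be able to get back into our system!
 # Make these safe for all systems, even old ones.
+# TODO Use simp-ssh Puppet module appropriately (i.e., in a fashion
+# that doesn't break vagrant access and is appropriate for
+# typical module tests.)
 fips_ssh_ciphers = [ 'aes256-cbc','aes192-cbc','aes128-cbc']
 on(sut, %(sed -i '/Ciphers /d' /etc/ssh/sshd_config))
 on(sut, %(echo 'Ciphers #{fips_ssh_ciphers.join(',')}' >> /etc/ssh/sshd_config))
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-ensure => 'file',
-owner => 'root',
-group => 'root',
-mode => '0700',
-content => "#!/bin/bash
-
-# FIPS
-if [ -e /sys/firmware/efi ]; then
-BOOTDEV=`df /boot/efi | tail -1 | cut -f1 -d' '`
-else
-BOOTDEV=`df /boot | tail -1 | cut -f1 -d' '`
-fi
-# In case you need a working fallback
-DEFAULT_KERNEL_INFO=`/sbin/grubby --default-kernel`
-DEFAULT_INITRD=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep initrd | cut -f2 -d'='`
-DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 title | cut -f2 -d'='`
-/sbin/grubby --copy-default --make-default --args=\\\"boot=\\\${BOOTDEV} fips=1\\\" --add-kernel=`/sbin/grubby --default-kernel` --initrd=\\\${DEFAULT_INITRD} --title=\\\"FIPS \\\${DEFAULT_KERNEL_TITLE}\\\"
-",
-notify => Exec['setup_fips']
-}
-EOS
-apply_manifest_on(sut, pp, :catch_failures => false)
-on( sut, 'shutdown -r now', { :expect_connection_failure => true } )
+fips_enable_modulepath = ''
+
+if pupmods_in_fixtures_yml.include?('fips')
+copy_fixture_modules_to(sut)
+else
+# If we don't already have the simp-fips module installed
+#
+# Use the simp-fips Puppet module to set FIPS up properly:
+# Download the appropriate version of the module and its dependencies from PuppetForge.
+# TODO provide a R10k download option in which user provides a Puppetfile
+# with simp-fips and its dependencies
+on(sut, 'mkdir -p /root/.beaker_fips/modules')
+
+fips_enable_modulepath = '--modulepath=/root/.beaker_fips/modules'
+
+module_install_cmd = 'puppet module install simp-fips --target-dir=/root/.beaker_fips/modules'
+
+if ENV['BEAKER_fips_module_version']
+module_install_cmd += " --version #{ENV['BEAKER_fips_module_version']}"
+end
+
+on(sut, module_install_cmd)
 end
+
+# Enable FIPS and then reboot to finish.
+on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
+sut.reboot
 end
 end
 
@@ -373,6 +365,15 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
 on sut, 'puppet resource group puppet gid=52'
 on sut, 'puppet resource user puppet comment="Puppet" gid="52" uid="52" home="/var/lib/puppet" managehome=true'
 
+# SIMP uses a central ssh key location, but some keys are only home dirs
+on(sut, "mkdir -p /etc/ssh/local_keys")
+on(sut, "for path in `find / -wholename '/home/*/.ssh/authorized_keys'`;"\
+"do echo $path; user=`ls -l $path | awk '{print $3}'`;"\
+"echo $user; cp --preserve=all -f $path /etc/ssh/local_keys/$user; done")
+on(sut, "if [ -f /root/.ssh/authorized_keys ]; then cp --preserve=all -f /root/.ssh/authorized_keys /etc/ssh/local_keys/root; fi")
+on(sut, "chown -R root:root /etc/ssh/local_keys")
+on(sut, "chmod 644 /etc/ssh/local_keys/*")
+
 # SIMP uses structured facts, therefore stringify_facts must be disabled
 unless ENV['BEAKER_stringify_facts'] == 'yes'
 on sut, 'puppet config set stringify_facts false'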
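Review bot: In the ssh key copy added at new lines 368–375, the target file name is taken from the owner column of `ls -l`, not from the home directory the key was found in, so a root-owned `authorized_keys` under `/home/<user>/.ssh` would be installed as `/etc/ssh/local_keys/root` whenever `/root/.ssh/authorized_keys` is not there to overwrite it. Assuming home directories are named after the account, deriving the name from the quoted path avoids that, e.g. `user=$(basename "$(dirname "$(dirname "$path")")")`. Limiting the search to `find /home -mindepth 3 -maxdepth 3 -path '/home/*/.ssh/authorized_keys'` also stops the walk over the whole filesystem. The final `chmod 644 /etc/ssh/local_keys/*` exits non-zero when no key was copied, which presumably fails the `on` call on SUTs without any `authorized_keys`; `find /etc/ssh/local_keys -type f -exec chmod 644 {} +` does not. The enclosing method starts and ends outside this hunk.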
@@ -1,16 +1,23 @@
|
|
1
1
|
require 'spec_helper_acceptance'
|
2
2
|
|
3
3
|
hosts.each do |host|
|
4
|
-
describe '
|
4
|
+
describe 'FIPS enabled from Forge' do
|
5
5
|
context "on #{host}" do
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
expect(stdout).to eq("1")
|
10
|
-
else
|
11
|
-
expect(stdout).to eq("0")
|
6
|
+
if ENV['BEAKER_fips'] == 'yes'
|
7
|
+
it 'creates an alternate apply directory' do
|
8
|
+
on(host, 'test -d /root/.beaker_fips/modules')
|
12
9
|
end
|
13
|
-
|
10
|
+
|
11
|
+
it 'has fips enabled' do
|
12
|
+
stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
|
13
|
+
expect(stdout).to eq('1')
|
14
|
+
end
|
15
|
+
else
|
16
|
+
it 'has fips disabled' do
|
17
|
+
stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
|
18
|
+
expect(stdout).to eq('0')
|
19
|
+
end
|
20
|
+
end
|
14
21
|
end
|
15
22
|
end
|
16
23
|
end
|
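Review bot: The describe title at new line 4, 'FIPS enabled from Forge', also wraps the `else` branch that asserts `fips_enabled` is `0`, so a run without `BEAKER_fips=yes` reports a passing "FIPS enabled from Forge … has fips disabled" example. A neutral title such as `describe 'FIPS mode' do`, or a separate title per branch, would keep the report readable. The suite also never sets `BEAKER_fips_module_version`, so the `--version` path added to `lib/simp/beaker_helpers.rb` in this release appears to be untested here.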
@@ -0,0 +1,63 @@
|
|
1
|
+
class ScrubFixtures
|
2
|
+
require 'simp/beaker_helpers'
|
3
|
+
include Simp::BeakerHelpers
|
4
|
+
|
5
|
+
def initialize
|
6
|
+
FileUtils.rm_rf(File.join(fixtures_path, 'modules'))
|
7
|
+
end
|
8
|
+
end
|
9
|
+
|
10
|
+
require 'yaml'
|
11
|
+
require 'tempfile'
|
12
|
+
|
13
|
+
alt_fixtures = File.absolute_path('.fips_fixtures.yml')
|
14
|
+
|
15
|
+
new_fixtures = {
|
16
|
+
'fixtures' => {
|
17
|
+
'repositories' => {}
|
18
|
+
}
|
19
|
+
}
|
20
|
+
|
21
|
+
new_fixtures['fixtures']['repositories']['fips'] = 'https://github.com/simp/pupmod-simp-fips'
|
22
|
+
new_fixtures['fixtures']['repositories']['augeasproviders_core'] = 'https://github.com/simp/augeasproviders_core'
|
23
|
+
new_fixtures['fixtures']['repositories']['augeasproviders_grub'] = 'https://github.com/simp/augeasproviders_grub'
|
24
|
+
new_fixtures['fixtures']['repositories']['simplib'] = 'https://github.com/simp/pupmod-simp-simplib'
|
25
|
+
new_fixtures['fixtures']['repositories']['stdlib'] = 'https://github.com/simp/puppetlabs-stdlib'
|
26
|
+
|
27
|
+
File.open(alt_fixtures, 'w'){ |fh| fh.puts(new_fixtures.to_yaml) }
|
28
|
+
|
29
|
+
ScrubFixtures.new
|
30
|
+
|
31
|
+
ENV['BEAKER_fips'] = 'yes'
|
32
|
+
ENV['FIXTURES_YML'] = alt_fixtures
|
33
|
+
|
34
|
+
Bundler.with_clean_env{
|
35
|
+
ENV['FIXTURES_YML'] = alt_fixtures
|
36
|
+
|
37
|
+
%x{bundle exec rake spec_prep}
|
38
|
+
}
|
39
|
+
|
40
|
+
require 'spec_helper_acceptance'
|
41
|
+
|
42
|
+
describe 'FIPS pre-installed' do
|
43
|
+
after(:all) do
|
44
|
+
if alt_fixtures && File.exist?(alt_fixtures)
|
45
|
+
FileUtils.rm(alt_fixtures)
|
46
|
+
|
47
|
+
ScrubFixtures.new
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
hosts.each do |host|
|
52
|
+
context "on #{host}" do
|
53
|
+
it 'does not create an alternate apply directory' do
|
54
|
+
on(host, 'test ! -d /root/.beaker_fips/modules')
|
55
|
+
end
|
56
|
+
|
57
|
+
it 'has fips enabled' do
|
58
|
+
stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
|
59
|
+
expect(stdout).to eq('1')
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
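Review bot: The output and exit status of `%x{bundle exec rake spec_prep}` at new line 37 are discarded, so a failed fixture checkout only surfaces later as an unrelated-looking error when the modules are copied or applied on the SUT. Checking the result right after the call, `raise 'rake spec_prep failed' unless $?.success?`, makes the failure point clear. The five fixture repositories at new lines 21–25 are listed without a ref, so the suite tests whatever their default branches hold at run time; pinning a tag or commit in the generated `.fips_fixtures.yml` would keep runs reproducible. `FileUtils` is used at new lines 6 and 45 with no `require 'fileutils'` visible in this file, so it presumably relies on another require having loaded it.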
@@ -0,0 +1 @@
|
|
1
|
+
spec/acceptance/suites/fips_from_fixtures/../../nodesets
|
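--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-version: 1.11.
+version: 1.11.2
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-
+date: 2018-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: beaker
@@ -174,6 +174,9 @@ files:
 - spec/acceptance/suites/default/pki_tests_spec.rb
 - spec/acceptance/suites/default/set_hieradata_on_spec.rb
 - spec/acceptance/suites/default/write_hieradata_to_spec.rb
+- spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
+- spec/acceptance/suites/fips_from_fixtures/metadata.yml
+- spec/acceptance/suites/fips_from_fixtures/nodesets
 - spec/acceptance/suites/puppet_collections/00_default_spec.rb
 - spec/acceptance/suites/puppet_collections/metadata.yml
 - spec/acceptance/suites/puppet_collections/nodesets/default.yml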