simp-beaker-helpers 1.11.1 → 1.11.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: de20d90d702274ad89d7c0f4971cf392e7b9810dd81c19d2a18713e2094c2e8e
-  data.tar.gz: 98364f3ad80cb62f625e5b83fbe284e4b303a99e09bf2227d22f9e3adbf40603
+  metadata.gz: bae36aadf14634267010bd774a210b9b9c493131acbfd615dfb863828f6fd357
+  data.tar.gz: 1ed635a000523d88d2bc912f01c39fd7e1b49eadd80317ab6fa17fa4b82a1880
 SHA512:
-  metadata.gz: d94eb890371b09ce7f2bcaa315dc6fe723228364a5186a0d363d4f56a14a4c744e171307d53251abe23460290aabd96b6124f82d30e8f79bd350ff6b6a2ac599
-  data.tar.gz: 1cd900c931008350da80b0b13856538d01afcac2a9c912a7d546953321069ed3f4e915ab2b59052c1f413d651ce5bcc307cc3bf46d13b0d56c6edc4556e7dc69
+  metadata.gz: 31bb0095247c0a5fff39f822daf0a9d246c7c8cad14d2b2eaa97f169fac7f98d3526f9e63dba2758bc1bc2a154275d98f9aa2792a2fe7c087e649f4860a364a0
+  data.tar.gz: c00767d62bb2e611b091efe2739e5392e7fb7574249119b6217ee1abbdbfe37be84bb6a36062fa5b8eb7595da0c06ed7d31d17363c1e0797e44456d265c861c2

data/.fixtures.yml

@@ -1,5 +1,5 @@
 ---
 fixtures:
   repositories:
-    stdlib: "git://github.com/simp/puppetlabs-stdlib"
+    stdlib: "https://github.com/simp/puppetlabs-stdlib"
 

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+### 1.11.2 / 2018-10-11
+* Copy ssh keys in home directories to simp standard '/etc/ssh/local_keys/'
+  to avoid error when certain simp puppet modules are applied
+* Fix enable_fips_mode_on(), which no longer works on centos/7 vagrant boxes.
+
 ### 1.11.1 / 2018-10-03
 * Deprecate the 'terminus' parameter in 'write_hieradata_to' and 'set_hieradata_on'
 * Add 'copy_hiera_data_to' method to replace the one from beaker-hiera

data/README.md

@@ -35,10 +35,12 @@ Methods to assist beaker acceptance tests for SIMP.
     * [`install_puppet`](#install_puppet)
 * [Environment variables](#environment-variables-1)
     * [`BEAKER_fips`](#beaker_fips)
-    * [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
+    * [`BEAKER_fips_module_version`](#beaker_fips_module_version)
     * [`BEAKER_spec_prep`](#beaker_spec_prep)
+    * [`BEAKER_SIMP_parallel`](#beaker_simp_parallel)
     * [`BEAKER_stringify_facts`](#beaker_stringify_facts)
     * [`BEAKER_use_fixtures_dir_for_modules`](#beaker_use_fixtures_dir_for_modules)
+    * [`BEAKER_no_fix_interfaces`](#beaker_no_fix_interfaces)
     * [PUPPET_VERSION](#puppet_version)
 * [Examples](#examples)
   * [Prep OS, Generate and copy PKI certs to each SUT](#prep-os-generate-and-copy-pki-certs-to-each-sut)
@@ -332,6 +334,14 @@ _(Default: `no`)_ When set to `yes`, Beaker will enable [FIPS mode](https://acce
 
 **NOTE:** FIPS mode is only enabled on RedHat family hosts.
 
+#### `BEAKER_fips_module_version`
+
+_(Default: unset)_ Set to a version of the simp-fips Puppet module released
+to Puppet Forge, when you want to specify the version of that module used to
+implement enable FIPS. When unset, the latest version is used.
+
+**NOTE:** This has no effect if the `simp-fips` module is already included in your fixtures.yml
+
 #### `BEAKER_spec_prep`
 
 _(Default: `yes`)_  Ensures that each fixture module is present under

data/lib/simp/beaker_helpers.rb

@@ -104,19 +104,27 @@ module Simp::BeakerHelpers
   # Locates .fixture.yml in or above this directory.
   def fixtures_yml_path
     STDERR.puts '  ** fixtures_yml_path' if ENV['BEAKER_helpers_verbose']
-    fixtures_yml = ''
-    dir          = '.'
-    while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
-      file = File.expand_path( '.fixtures.yml', dir )
-      STDERR.puts "  ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
-      if File.exists? file
-        fixtures_yml = file
-        break
+
+    if ENV['FIXTURES_YML']
+      fixtures_yml = ENV['FIXTURES_YML']
+    else
+      fixtures_yml = ''
+      dir          = '.'
+      while( fixtures_yml.empty? && File.expand_path(dir) != '/' ) do
+        file = File.expand_path( '.fixtures.yml', dir )
+        STDERR.puts "  ** fixtures_yml_path: #{file}" if ENV['BEAKER_helpers_verbose']
+        if File.exists? file
+          fixtures_yml = file
+          break
+        end
+        dir = "#{dir}/.."
       end
-      dir = "#{dir}/.."
     end
+
     raise 'ERROR: cannot locate .fixtures.yml!' if fixtures_yml.empty?
+
     STDERR.puts "  ** fixtures_yml_path:finished (file: '#{file}')" if ENV['BEAKER_helpers_verbose']
+
     fixtures_yml
   end
 
@@ -228,56 +236,40 @@ module Simp::BeakerHelpers
 
       # We need to be able to get back into our system!
       # Make these safe for all systems, even old ones.
+      # TODO Use simp-ssh Puppet module appropriately (i.e., in a fashion
+      #      that doesn't break vagrant access and is appropriate for
+      #      typical module tests.)
       fips_ssh_ciphers = [ 'aes256-cbc','aes192-cbc','aes128-cbc']
       on(sut, %(sed -i '/Ciphers /d' /etc/ssh/sshd_config))
       on(sut, %(echo 'Ciphers #{fips_ssh_ciphers.join(',')}' >> /etc/ssh/sshd_config))
 
-      if fact_on(sut, 'osfamily') == 'RedHat'
-        pp = <<-EOS
-        # This is necessary to prevent a kernel panic after rebooting into FIPS
-        # (last checked: 20150928)
-          package { ['kernel'] : ensure => 'latest' }
-
-          package { ['dracut-fips'] : ensure => 'latest' }
-          ~>
-          exec { 'Always run dracut after installing dracut-fips':
-            path        => ['/usr/bin', '/sbin'],
-            command     => 'dracut -f',
-            refreshonly => true
-          }
-
-          package { ['grubby'] : ensure => 'latest' }
-          ~>
-          exec{ 'setup_fips':
-            command     => '/bin/bash /root/setup_fips.sh',
-            refreshonly => true,
-          }
-
-          file{ '/root/setup_fips.sh':
-            ensure  => 'file',
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0700',
-            content => "#!/bin/bash
-
-# FIPS
-if [ -e /sys/firmware/efi ]; then
-  BOOTDEV=`df /boot/efi | tail -1 | cut -f1 -d' '`
-else
-  BOOTDEV=`df /boot | tail -1 | cut -f1 -d' '`
-fi
-# In case you need a working fallback
-DEFAULT_KERNEL_INFO=`/sbin/grubby --default-kernel`
-DEFAULT_INITRD=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep initrd | cut -f2 -d'='`
-DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 title | cut -f2 -d'='`
-/sbin/grubby --copy-default --make-default --args=\\\"boot=\\\${BOOTDEV} fips=1\\\" --add-kernel=`/sbin/grubby --default-kernel` --initrd=\\\${DEFAULT_INITRD} --title=\\\"FIPS \\\${DEFAULT_KERNEL_TITLE}\\\"
-",
-            notify => Exec['setup_fips']
-          }
-        EOS
-        apply_manifest_on(sut, pp, :catch_failures => false)
-        on( sut, 'shutdown -r now', { :expect_connection_failure => true } )
+      fips_enable_modulepath = ''
+
+      if pupmods_in_fixtures_yml.include?('fips')
+        copy_fixture_modules_to(sut)
+      else
+        # If we don't already have the simp-fips module installed
+        #
+        # Use the simp-fips Puppet module to set FIPS up properly:
+        # Download the appropriate version of the module and its dependencies from PuppetForge.
+        # TODO provide a R10k download option in which user provides a Puppetfile
+        # with simp-fips and its dependencies
+        on(sut, 'mkdir -p /root/.beaker_fips/modules')
+
+        fips_enable_modulepath = '--modulepath=/root/.beaker_fips/modules'
+
+        module_install_cmd = 'puppet module install simp-fips --target-dir=/root/.beaker_fips/modules'
+
+        if ENV['BEAKER_fips_module_version']
+          module_install_cmd += " --version #{ENV['BEAKER_fips_module_version']}"
+        end
+
+        on(sut, module_install_cmd)
       end
+
+      # Enable FIPS and then reboot to finish.
+      on(sut, %(puppet apply --verbose #{fips_enable_modulepath} -e "class { 'fips': enabled => true }"))
+      sut.reboot
     end
   end
 
@@ -373,6 +365,15 @@ DEFAULT_KERNEL_TITLE=`/sbin/grubby --info=\\\${DEFAULT_KERNEL_INFO} | grep -m1 t
       on sut, 'puppet resource group puppet gid=52'
       on sut, 'puppet resource user puppet comment="Puppet" gid="52" uid="52" home="/var/lib/puppet" managehome=true'
 
+      # SIMP uses a central ssh key location, but some keys are only home dirs
+      on(sut, "mkdir -p /etc/ssh/local_keys")
+      on(sut, "for path in `find / -wholename '/home/*/.ssh/authorized_keys'`;"\
+              "do echo $path; user=`ls -l $path | awk '{print $3}'`;"\
+              "echo $user; cp --preserve=all -f $path /etc/ssh/local_keys/$user; done")
+      on(sut, "if [ -f /root/.ssh/authorized_keys ]; then cp --preserve=all -f /root/.ssh/authorized_keys /etc/ssh/local_keys/root; fi")
+      on(sut, "chown -R root:root /etc/ssh/local_keys")
+      on(sut, "chmod 644 /etc/ssh/local_keys/*")
+
       # SIMP uses structured facts, therefore stringify_facts must be disabled
       unless ENV['BEAKER_stringify_facts'] == 'yes'
         on sut, 'puppet config set stringify_facts false'

data/lib/simp/beaker_helpers/version.rb

@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
-  VERSION = '1.11.1'
+  VERSION = '1.11.2'
 end

data/spec/acceptance/suites/default/enable_fips_spec.rb

@@ -1,16 +1,23 @@
 require 'spec_helper_acceptance'
 
 hosts.each do |host|
-  describe 'ensure FIPS mode matches ENV[BEAKER_fips]' do
+  describe 'FIPS enabled from Forge' do
     context "on #{host}" do
-     it 'check /proc/sys/crypto/fips_enabled' do
-        stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-        if ENV['BEAKER_fips'] == 'yes'
-          expect(stdout).to eq("1")
-        else
-          expect(stdout).to eq("0")
+      if ENV['BEAKER_fips'] == 'yes'
+        it 'creates an alternate apply directory' do
+          on(host, 'test -d /root/.beaker_fips/modules')
         end
-      end 
+
+        it 'has fips enabled' do
+          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
+          expect(stdout).to eq('1')
+        end
+      else
+        it 'has fips disabled' do
+          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
+          expect(stdout).to eq('0')
+        end
+      end
     end
   end
 end

data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb

@@ -0,0 +1,63 @@
+class ScrubFixtures
+  require 'simp/beaker_helpers'
+  include Simp::BeakerHelpers
+
+  def initialize
+    FileUtils.rm_rf(File.join(fixtures_path, 'modules'))
+  end
+end
+
+require 'yaml'
+require 'tempfile'
+
+alt_fixtures = File.absolute_path('.fips_fixtures.yml')
+
+new_fixtures = {
+  'fixtures' => {
+    'repositories' => {}
+  }
+}
+
+new_fixtures['fixtures']['repositories']['fips'] = 'https://github.com/simp/pupmod-simp-fips'
+new_fixtures['fixtures']['repositories']['augeasproviders_core'] = 'https://github.com/simp/augeasproviders_core'
+new_fixtures['fixtures']['repositories']['augeasproviders_grub'] = 'https://github.com/simp/augeasproviders_grub'
+new_fixtures['fixtures']['repositories']['simplib'] = 'https://github.com/simp/pupmod-simp-simplib'
+new_fixtures['fixtures']['repositories']['stdlib'] = 'https://github.com/simp/puppetlabs-stdlib'
+
+File.open(alt_fixtures, 'w'){ |fh| fh.puts(new_fixtures.to_yaml) }
+
+ScrubFixtures.new
+
+ENV['BEAKER_fips'] = 'yes'
+ENV['FIXTURES_YML'] = alt_fixtures
+
+Bundler.with_clean_env{
+  ENV['FIXTURES_YML'] = alt_fixtures
+
+  %x{bundle exec rake spec_prep}
+}
+
+require 'spec_helper_acceptance'
+
+describe 'FIPS pre-installed' do
+  after(:all) do
+    if alt_fixtures && File.exist?(alt_fixtures)
+      FileUtils.rm(alt_fixtures)
+
+      ScrubFixtures.new
+    end
+  end
+
+  hosts.each do |host|
+    context "on #{host}" do
+      it 'does not create an alternate apply directory' do
+        on(host, 'test ! -d /root/.beaker_fips/modules')
+      end
+
+      it 'has fips enabled' do
+        stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
+        expect(stdout).to eq('1')
+      end
+    end
+  end
+end

data/spec/acceptance/suites/fips_from_fixtures/metadata.yml

@@ -0,0 +1,2 @@
+---
+'default_run': true

data/spec/acceptance/suites/fips_from_fixtures/nodesets

@@ -0,0 +1 @@
+spec/acceptance/suites/fips_from_fixtures/../../nodesets

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-  version: 1.11.1
+  version: 1.11.2
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-03 00:00:00.000000000 Z
+date: 2018-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: beaker
@@ -174,6 +174,9 @@ files:
 - spec/acceptance/suites/default/pki_tests_spec.rb
 - spec/acceptance/suites/default/set_hieradata_on_spec.rb
 - spec/acceptance/suites/default/write_hieradata_to_spec.rb
+- spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
+- spec/acceptance/suites/fips_from_fixtures/metadata.yml
+- spec/acceptance/suites/fips_from_fixtures/nodesets
 - spec/acceptance/suites/puppet_collections/00_default_spec.rb
 - spec/acceptance/suites/puppet_collections/metadata.yml
 - spec/acceptance/suites/puppet_collections/nodesets/default.yml