simp-beaker-helpers 1.21.4 → 1.23.3

data/lib/simp/beaker_helpers/inspec.rb

@@ -10,6 +10,21 @@ module Simp::BeakerHelpers
     attr_reader :profile_dir
     attr_reader :deps_root
 
+    def self.enable_repo_on(suts)
+      parallel = (ENV['BEAKER_SIMP_parallel'] == 'yes')
+      block_on(suts, :run_in_parallel => parallel) do |sut|
+        repo_manifest = create_yum_resource(
+          'chef-current',
+          {
+            :baseurl => "https://packages.chef.io/repos/yum/current/el/#{fact_on(sut,'os.release.major')}/$basearch",
+            :gpgkeys => ['https://packages.chef.io/chef.asc']
+          }
+        )
+
+        apply_manifest_on(sut, repo_manifest, :catch_failures => true)
+      end
+    end
+
     # Create a new Inspec helper for the specified host against the specified profile
     #
     # @param sut
@@ -81,18 +96,7 @@ module Simp::BeakerHelpers
       tmpdir = Dir.mktmpdir
       begin
         Dir.chdir(tmpdir) do
-          if @sut[:hypervisor] == 'docker'
-            # Work around for breaking changes in beaker-docker
-            if @sut.host_hash[:docker_container]
-              container_id = @sut.host_hash[:docker_container].id
-            else
-              container_id = @sut.host_hash[:docker_container_id]
-            end
-
-            %x(docker cp "#{container_id}:#{sut_inspec_results}" .)
-          else
-            scp_from(@sut, sut_inspec_results, '.')
-          end
+          scp_from(@sut, sut_inspec_results, '.')
 
           local_inspec_results = File.basename(sut_inspec_results)
 

data/lib/simp/beaker_helpers/ssg.rb

@@ -12,7 +12,7 @@ module Simp::BeakerHelpers
       GIT_REPO = 'https://github.com/ComplianceAsCode/content.git'
     end
 
-    # If this is not set, the closest tag to the default branch will be used
+    # If this is not set, the highest numeric tag will be used
     GIT_BRANCH = nil
 
     if ENV['BEAKER_ssg_branch']
@@ -25,19 +25,21 @@ module Simp::BeakerHelpers
       'git',
       'openscap-python',
       'openscap-utils',
-      'python-lxml',
-      'python-jinja2'
+      'python-jinja2',
+      'python-lxml'
     ]
 
     EL8_PACKAGES = [
-      'python3',
-      'python3-pyyaml',
       'cmake',
       'git',
+      'make',
       'openscap-python3',
       'openscap-utils',
+      'python3',
+      'python3-jinja2',
       'python3-lxml',
-      'python3-jinja2'
+      'python3-pyyaml',
+      'libarchive'
     ]
 
     OS_INFO = {
@@ -79,7 +81,7 @@ module Simp::BeakerHelpers
         '7' => {
           'required_packages' => EL_PACKAGES,
           'ssg' => {
-            'profile_target' => 'rhel7',
+            'profile_target' => 'centos7',
             'build_target'   => 'centos7',
             'datastream'     => 'ssg-centos7-ds.xml'
           }
@@ -87,7 +89,17 @@ module Simp::BeakerHelpers
         '8' => {
           'required_packages' => EL8_PACKAGES,
           'ssg' => {
-            'profile_target' => 'rhel8',
+            'profile_target' => 'centos8',
+            'build_target'   => 'centos8',
+            'datastream'     => 'ssg-centos8-ds.xml'
+          }
+        }
+      },
+      'Rocky' => {
+        '8' => {
+          'required_packages' => EL8_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'centos8',
             'build_target'   => 'centos8',
             'datastream'     => 'ssg-centos8-ds.xml'
           }
@@ -135,7 +147,7 @@ module Simp::BeakerHelpers
       end
 
       OS_INFO[@os][@os_rel]['required_packages'].each do |pkg|
-        @sut.install_package(pkg)
+        install_latest_package_on(@sut, pkg)
       end
 
       @output_dir = File.absolute_path('sec_results/ssg')
@@ -265,7 +277,7 @@ module Simp::BeakerHelpers
             "contains(@idref,'#{exl}')"
           end.join(' or ')
 
-          xpath_query << ')' if exclusions.size > 1
+          xpath_query << ')' if exclusions.size > 0
         end
 
         xpath_query << ')]'
@@ -299,8 +311,26 @@ module Simp::BeakerHelpers
         result_id = rule_result.attributes['idref'].value.to_s
         result_value = [
           'Title: ' + doc.xpath("//Rule[@id='#{result_id}']/title/text()").first.to_s,
-          '  ID: ' + result_id
-        ].join("\n")
+          '  ID: ' + result_id,
+        ]
+
+        if result.child.content == 'fail'
+          references = {}
+
+          doc.xpath("//Rule[@id='#{result_id}']/reference").each do |ref|
+            references[ref['href']] ||= []
+            references[ref['href']] << ref.text
+          end
+
+          result_value << '  References:'
+          references.each_pair do |src, items|
+            result_value << "    *  #{src}"
+            result_value << "      * #{items.join(', ')}"
+          end
+          result_value << '  Description: ' + doc.xpath("//Rule[@id='#{result_id}']/description").text.gsub("\n","\n    ")
+        end
+
+        result_value = result_value.join("\n")
 
         if result.child.content == 'fail'
           stats[:failed] << result_value.red
@@ -365,7 +395,12 @@ module Simp::BeakerHelpers
         if GIT_BRANCH
           on(@sut, %(cd scap-content; git checkout #{GIT_BRANCH}))
         else
-          on(@sut, %(cd scap-content; git checkout $(git describe --abbrev=0 --tags)))
+          tags = on(@sut, %(cd scap-content; git tag -l)).output
+          target_tag = tags.lines.map(&:strip)
+            .select{|x| x.start_with?(/v\d+\./)}
+            .sort.last
+
+          on(@sut, %(cd scap-content; git checkout #{target_tag}))
         end
 
         # Work around the issue where the profiles now strip out derivative

data/lib/simp/beaker_helpers/version.rb

@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
-  VERSION = '1.21.4'
+  VERSION = '1.23.3'
 end

data/lib/simp/rake/beaker.rb

@@ -196,6 +196,7 @@ module Simp::Rake
           default_suite = ordered_suites.delete('default')
           ordered_suites.unshift(default_suite) if default_suite
 
+          suite_start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
           ordered_suites.each do |ste|
 
             next unless (suites[ste]['default_run'] == true)
@@ -225,8 +226,14 @@ module Simp::Rake
 
             nodesets.each do |nodeset_yml|
               unless File.file?(nodeset_yml)
-                $stdout.puts("=== Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found, Skipping ===")
-                next
+                # Get here if user has specified a non-existent nodeset or the
+                # implied `default` nodeset does not exist.
+                if suite_config['fail_fast']
+                  fail("*** Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found ***")
+                else
+                  $stdout.puts("=== Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found, Skipping ===")
+                  next
+                end
               end
 
               ENV['BEAKER_setfile'] = nodeset_yml
@@ -255,6 +262,11 @@ module Simp::Rake
               $stdout.puts("\n\n=== Suite '#{name}' Complete ===\n\n")
             end
           end
+          suite_end_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+          suite_run_time = ((suite_end_time - suite_start_time)/60).round(2)
+
+          $stdout.puts("== Total Runtime: #{suite_run_time} minutes ==\n\n")
 
           unless failures.keys.empty?
             $stdout.puts("The following tests had failures:")

data/simp-beaker-helpers.gemspec

@@ -24,7 +24,8 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'beaker'                      , ['>= 4.17.0', '< 5.0.0']
   s.add_runtime_dependency 'beaker-rspec'                , '~> 6.2'
   s.add_runtime_dependency 'beaker-puppet'               , ['>= 1.18.14', '< 2.0.0']
-  s.add_runtime_dependency 'beaker-docker'               , '~> 0.3'
+  s.add_runtime_dependency 'beaker-docker'               , ['>= 0.8.3', '< 2.0.0']
+  s.add_runtime_dependency 'docker-api'                  , ['>= 2.1.0', '< 3.0.0']
   s.add_runtime_dependency 'beaker-vagrant'              , ['>= 0.6.4', '< 2.0.0']
   s.add_runtime_dependency 'beaker-puppet_install_helper', '~> 0.9'
   s.add_runtime_dependency 'highline'                    , '~> 2.0'

data/spec/acceptance/nodesets/default.yml

@@ -18,7 +18,7 @@ HOSTS:
     roles:
       - el8
     platform: el-8-x86_64
-    box: centos/8
+    box: generic/centos8
     hypervisor: <%= hypervisor %>
 
   el8-0:

data/spec/acceptance/nodesets/docker.yml

@@ -1,29 +1,31 @@
 HOSTS:
-  el7:
+  el7.test.net:
     roles:
       - el7
       - master
-    platform: el-7-x86_64
+    platform:   el-7-x86_64
     hypervisor: docker
-    image: simpproject/simp_build_centos7
-    docker_cmd: '/usr/sbin/sshd -D -E /var/log/sshd.log'
+    image: simpproject/simp_beaker_el7
+    docker_cmd: '["/sbin/init"]'
 
-  el8:
+  el8.test.net:
     roles:
       - el8
-    platform: el-8-x86_64
+    platform:   el-8-x86_64
     hypervisor: docker
-    image: simpproject/simp_build_centos8
+    image: simpproject/simp_beaker_el8
     docker_cmd: '["/sbin/init"]'
 
 CONFIG:
-  docker_preserve_image: true
   log_level: verbose
   type: aio
-<% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
-  puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
+<% if ENV['BEAKER_PUPPET_ENVIRONMENT'] -%>
+  puppet_environment: <%= ENV['BEAKER_PUPPET_ENVIRONMENT'] %>
 <% end -%>
   ssh:
+    password: root
+    auth_methods:
+      - password
     keepalive: true
     keepalive_interval: 10
     host_key:

data/spec/acceptance/suites/default/enable_fips_spec.rb

@@ -9,13 +9,15 @@ hosts.each do |host|
         end
 
         it 'has fips enabled' do
-          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-          expect(stdout).to eq('1')
+          if host[:hypervisor] == 'docker'
+            skip('Not supported on docker')
+          else
+            expect(fips_enabled(host)).to be true
+          end
         end
       else
         it 'has fips disabled' do
-          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-          expect(stdout).to eq('0')
+          expect(fips_enabled(host)).to be false
         end
       end
     end

data/spec/acceptance/suites/default/install_simp_deps_repo_spec.rb

@@ -1,12 +1,12 @@
 require 'spec_helper_acceptance'
 
 hosts.each do |host|
-  describe '#write_hieradata_to' do
-    expect_failures = false
-    if hosts_with_role(hosts, 'el8').include?(host)
-      expect_failures = true
-    end
+  expect_failures = false
+  if hosts_with_role(hosts, 'el8').include?(host)
+    expect_failures = true
+  end
 
+  describe '#install_simp_repos' do
     it 'should install yum utils' do
       host.install_package('yum-utils')
     end
@@ -21,6 +21,18 @@ hosts.each do |host|
       end
     end
 
+    context 'when targeting a release type' do
+      it 'adjusts the SIMP release target' do
+        set_simp_repo_release(host, 'rolling')
+        expect(file_content_on(host, '/etc/yum/vars/simpreleasetype').strip).to eq('rolling')
+      end
+
+      it 'lists the simp rpm' do
+        skip "#{host} is not supported yet" if expect_failures
+        on(host, 'yum list simp')
+      end
+    end
+
     context 'when passed a disabled list ' do
       before(:all) { install_simp_repos(host, ['simp-community-simp'] ) }
 

data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb

@@ -18,6 +18,7 @@ new_fixtures = {
   }
 }
 
+new_fixtures['fixtures']['repositories']['crypto_policy'] = 'https://github.com/simp/pupmod-simp-crypto_policy'
 new_fixtures['fixtures']['repositories']['fips'] = 'https://github.com/simp/pupmod-simp-fips'
 new_fixtures['fixtures']['repositories']['augeasproviders_core'] = 'https://github.com/simp/augeasproviders_core'
 new_fixtures['fixtures']['repositories']['augeasproviders_grub'] = 'https://github.com/simp/augeasproviders_grub'
@@ -54,12 +55,19 @@ describe 'FIPS pre-installed' do
   hosts.each do |host|
     context "on #{host}" do
       it 'does not create an alternate apply directory' do
-        on(host, 'test ! -d /root/.beaker_fips/modules')
+        if host[:hypervisor] == 'docker'
+          skip('Not supported on docker')
+        else
+          on(host, 'test ! -d /root/.beaker_fips/modules')
+        end
       end
 
       it 'has fips enabled' do
-        stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-        expect(stdout).to eq('1')
+        if host[:hypervisor] == 'docker'
+          skip('Not supported on docker')
+        else
+          expect(fips_enabled(host)).to be true
+        end
       end
     end
   end

data/spec/acceptance/suites/inspec/00_default_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper_acceptance'
+require 'json'
+
+test_name 'Inspec STIG Profile'
+
+describe 'Inspec STIG Profile' do
+
+  profiles_to_validate = ['disa_stig']
+
+  hosts.each do |host|
+    profiles_to_validate.each do |profile|
+      context "for profile #{profile}" do
+        context "on #{host}" do
+          profile_path = File.join(
+              fixtures_path,
+              'inspec_profiles',
+              "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}"
+            )
+
+          unless File.exist?(profile_path)
+            it 'should run inspec' do
+              skip("No matching profile available at #{profile_path}")
+            end
+          else
+            before(:all) do
+              Simp::BeakerHelpers::Inspec.enable_repo_on(hosts)
+              @inspec = Simp::BeakerHelpers::Inspec.new(host, profile)
+
+              # If we don't do this, the variable gets reset
+              @inspec_report = { :data => nil }
+            end
+
+            it 'should run inspec' do
+              @inspec.run
+            end
+
+            it 'should have an inspec report' do
+              @inspec_report[:data] = @inspec.process_inspec_results
+
+              expect(@inspec_report[:data]).to_not be_nil
+
+              @inspec.write_report(@inspec_report[:data])
+            end
+
+            it 'should have a report' do
+              expect(@inspec_report[:data][:report]).to_not be_nil
+              puts @inspec_report[:data][:report]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/acceptance/suites/inspec/metadata.yml

@@ -0,0 +1,2 @@
+---
+'default_run': true

data/spec/acceptance/suites/inspec/nodesets

@@ -0,0 +1 @@
+spec/acceptance/suites/inspec/../../nodesets

data/spec/acceptance/suites/puppet_collections/00_default_spec.rb

@@ -13,7 +13,7 @@ end
 hosts.each do |host|
   describe 'make sure puppet version is valid' do
     context "on #{host}" do
-      client_puppet_version = on(host, 'puppet --version').output.strip
+      client_puppet_version = on(host, 'puppet --version').output.lines.last.strip
 
       it "should be running puppet version #{target_version}" do
         expect(Gem::Version.new(client_puppet_version)).to be >= Gem::Version.new(target_version)

data/spec/acceptance/suites/ssg/00_default_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper_acceptance'
+
+test_name 'SSG STIG Validation'
+
+describe 'run the SSG against the STIG profile' do
+
+  hosts.each do |host|
+    context "on #{host}" do
+      before(:all) do
+        @ssg = Simp::BeakerHelpers::SSG.new(host)
+
+        # If we don't do this, the variable gets reset
+        @ssg_report = { :data => nil }
+      end
+
+      it 'should run the SSG' do
+        profile = 'xccdf_org.ssgproject.content_profile_stig'
+
+        @ssg.evaluate(profile)
+      end
+
+      it 'should have an SSG report' do
+        # Validate that the filter works
+        filter = '_rule_audit'
+        host_exclusions = ['ssh_']
+
+        @ssg_report[:data] = @ssg.process_ssg_results(filter, host_exclusions)
+
+        expect(@ssg_report[:data]).to_not be_nil
+
+        @ssg.write_report(@ssg_report[:data])
+      end
+
+      it 'should have a report' do
+        expect(@ssg_report[:data][:report]).to_not be_nil
+        puts @ssg_report[:data][:report]
+      end
+    end
+  end
+end