simp-beaker-helpers 1.23.0 → 1.23.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 77288902c91655a0e3f5c7db8d5573375e3c341638a8bfc3be82b76f7753f3f6
4
- data.tar.gz: ec02b6c05c5b1b69615b83b7ed5682d1e2ba9619d72752c4adfa5d48e3e3ec61
3
+ metadata.gz: 662fa0921ca0879ff169a372722db43cab01b6084d7fb8bd0c22b9727499d44d
4
+ data.tar.gz: 7fdcc1bb9a1e7384fe8e7edcb6336f3b30e5045719ac2250c67666efddffe0ad
5
5
  SHA512:
6
- metadata.gz: 6c006e7df61eaeb23dce36101ae518d88f99f34778821402973cf5c9358226572beab46c319fafee6487bbf325dbe07f72f7343c49d023e3d9949dd695092b57
7
- data.tar.gz: f0535c393d9a6b6b8e3e9484fcf52e78adc4892bd0eca8255479eb06185e9865ddad9af2c6c5f3cd67d55c537632f88e178c39e6ad4a48757e2b61d7b229b826
6
+ metadata.gz: 046ed4502f9257b59afa940d925f40f80ad3d5d4e9bb600904625382e4e437493313230a6109d105f4e1471f77537f8fbcfb176297fa71ca1d6bf979d0ccf565
7
+ data.tar.gz: f0d190e6abf5474bca2b4764658cfeb3af61298b13c4ad3b1cd8649417d4ecb67814eb88e6f266ee261fcbd35b77e47ee71b0ee1c7a72a59f4428e9fc5b73920
data/.fixtures.yml CHANGED
@@ -4,4 +4,9 @@ fixtures:
4
4
  stdlib: https://github.com/simp/puppetlabs-stdlib
5
5
  simplib: https://github.com/simp/pupmod-simp-simplib
6
6
  compliance_markup: https://github.com/simp/pupmod-simp-compliance_markup
7
-
7
+ disa_stig-el7-baseline:
8
+ repo: https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline
9
+ target: spec/fixtures/inspec_deps/inspec_profiles/profiles
10
+ disa_stig-el8-baseline:
11
+ repo: https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline
12
+ target: spec/fixtures/inspec_deps/inspec_profiles/profiles
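Review bot: The two new `disa_stig-*-baseline` fixtures give only a `repo:` URL and no `ref:`, so every run clones whatever the upstream default branch holds at that moment and the acceptance baseline can move without any change in this repository. If the fixture loader honours the puppetlabs_spec_helper keys, pin each entry next to its `repo:` with `ref: <PINNED_TAG_OR_SHA>` and bump it deliberately when a newer baseline is wanted. Both entries also declare the same `target:` directory; worth confirming that the loader nests each repo under its own name there rather than one overwriting the other.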
@@ -0,0 +1,71 @@
1
+ # Run all tests as GitHub Actions
2
+ name: Unit Tests
3
+ on:
4
+ push:
5
+ branches:
6
+ # A test branch for seeing if your tests will pass in your personal fork
7
+ - test_me_github
8
+ pull_request_target:
9
+ types: [opened, reopened, synchronize]
10
+
11
+ jobs:
12
+ acceptance:
13
+ runs-on:
14
+ - ubuntu-latest
15
+ strategy:
16
+ matrix:
17
+ ruby:
18
+ - 2.6
19
+ fail-fast: false
20
+ steps:
21
+ - uses: actions/checkout@v2
22
+ - uses: ruby/setup-ruby@v1
23
+ with:
24
+ ruby-version: ${{ matrix.ruby }}
25
+ - name: ensure entropy
26
+ run: |
27
+ sudo apt-get update -y
28
+ sudo apt-get install -y rng-tools
29
+ sudo systemctl start rng-tools
30
+ - name: install podman
31
+ run: |
32
+ set -x
33
+ sudo apt-get remove -y podman docker-ce docker docker-engine docker.io containerd runc ||:
34
+ curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_$( lsb_release -rs )/Release.key | sudo apt-key add -
35
+ echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_$( lsb_release -rs )/ /" | sudo tee /etc/apt/sources.list.d/podman.list /dev/null
36
+ sudo apt-get update
37
+ sudo apt-get install -y podman
38
+ sudo apt autoremove -y
39
+ sudo systemctl start podman
40
+ - name: install bundler
41
+ run: |
42
+ gem install bundler
43
+ bundle update
44
+ - name: beaker default
45
+ env:
46
+ DOCKER_HOST: unix:///var/run/podman/podman.sock
47
+ CONTAINER_HOST: unix:///var/run/podman/podman.sock
48
+ run: |
49
+ sudo chmod -R ugo+rwX /var/run/podman
50
+ bundle exec rake beaker:suites[default,docker]
51
+ - name: beaker puppet_collections
52
+ env:
53
+ DOCKER_HOST: unix:///var/run/podman/podman.sock
54
+ CONTAINER_HOST: unix:///var/run/podman/podman.sock
55
+ run: |
56
+ sudo chmod -R ugo+rwX /var/run/podman
57
+ bundle exec rake beaker:suites[puppet_collections,docker]
58
+ - name: beaker ssg
59
+ env:
60
+ DOCKER_HOST: unix:///var/run/podman/podman.sock
61
+ CONTAINER_HOST: unix:///var/run/podman/podman.sock
62
+ run: |
63
+ sudo chmod -R ugo+rwX /var/run/podman
64
+ bundle exec rake beaker:suites[ssg,docker]
65
+ - name: beaker inspec
66
+ env:
67
+ DOCKER_HOST: unix:///var/run/podman/podman.sock
68
+ CONTAINER_HOST: unix:///var/run/podman/podman.sock
69
+ run: |
70
+ sudo chmod -R ugo+rwX /var/run/podman
71
+ bundle exec rake beaker:suites[inspec,docker]
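Review bot: The workflow fires on `pull_request_target` but checks out with a bare `actions/checkout@v2`, which under that event fetches the base branch, so the four beaker steps never exercise the PR's own changes; and if the checkout were later pointed at the PR head, fork-controlled code would run with the base repository's write-capable `GITHUB_TOKEN`. No step here reads a secret, so `on: pull_request:` is the safer trigger and actually tests the contribution; keep `pull_request_target` only for jobs that genuinely need base-repo credentials. In the `install podman` step the repository key is imported with `curl ... | sudo apt-key add -` and no fingerprint check, and `sudo tee /etc/apt/sources.list.d/podman.list /dev/null` writes the list to `/dev/null` as a second output file where `>/dev/null` was presumably intended. The `sudo chmod -R ugo+rwX /var/run/podman` repeated in each beaker step makes the podman socket world-writable on the runner; `sudo chown -R "$USER" /var/run/podman` gives the runner user the same access without opening it to every account.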
data/.gitlab-ci.yml CHANGED
@@ -351,6 +351,7 @@ puppet7_collections:
351
351
  windows:
352
352
  <<: *pup_6_x
353
353
  <<: *acceptance_base
354
+ allow_failure: true
354
355
  script:
355
356
  - bundle exec rake beaker:suites[windows]
356
357
 
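Review bot: `allow_failure: true` on the `windows` job has no comment recording why the failure is tolerated, so a real Windows regression will now surface as a green pipeline with nothing pointing at the intent. Add a one-line reason above it, e.g. `# windows suite is flaky on the shared runners; tracked in <ISSUE_PLACEHOLDER>`, so the exemption can be revisited. The rest of the job definition is above the hunk.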
data/CHANGELOG.md CHANGED
@@ -1,3 +1,16 @@
1
+ ### 1.23.1 / 2021-05-19
2
+ * Fixed:
3
+ * The SSG default branch is now the latest numeric tag instead of the one
4
+ closest to the head of the default branch. The tag closest to the default
5
+ branch has drifted over time.
6
+ * Removed direct call to `docker` when copying out inspec results
7
+ * Typos in `copy_in` when running against docker
8
+ * Added:
9
+ * `Simp::BeakerHelpers::Inspec.enable_repo_on(suts)` to allow users to easily
10
+ enable the Chef repos for inspec
11
+ * Beaker tests for inspec and SSG basic functionality
12
+ * GitHub Actions for acceptance testing where possible
13
+
1
14
  ### 1.23.0 / 2021-03-16
2
15
  * Added:
3
16
  * For `podman` support:
@@ -193,7 +193,7 @@ module Simp::BeakerHelpers
193
193
  else
194
194
  cmd = [
195
195
  %{tar #{exclude_list.join(' ')} -hcf - -C "#{File.dirname(src)}" "#{File.basename(src)}"},
196
- %{#{docker_cmd} exec -i "#{container_id}" tar -C "#{File.dirname(dest)}" -xf -)}
196
+ %{#{docker_cmd} exec -i "#{container_id}" tar -C "#{dest}" -xf -}
197
197
  ].join(' | ')
198
198
  end
199
199
 
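Review bot: The rebuilt pipeline on the `+` line still splices `dest` and `container_id` into a shell string protected only by double quotes, so a destination path containing `"`, `$` or a backtick breaks the command, and `dest` is caller-supplied. Escaping the interpolated parts keeps the intent: `%{#{docker_cmd} exec -i #{Shellwords.escape(container_id)} tar -C #{Shellwords.escape(dest)} -xf -}` with `require 'shellwords'` at the top of the file; the `src` half of the pipe on the preceding context line has the same exposure. Replacing `File.dirname(dest)` with `dest` also changes where the archive is unpacked, which callers relying on the old layout should learn from the method's doc comment. The enclosing method starts and ends outside the hunk.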
@@ -539,7 +539,7 @@ module Simp::BeakerHelpers
539
539
  block_on(suts, :run_in_parallel => parallel) do |sut|
540
540
  if sut['yum_repos']
541
541
  sut['yum_repos'].each_pair do |repo, metadata|
542
- repo_manifest = create_yum_resource( repo, metadata)
542
+ repo_manifest = create_yum_resource(repo, metadata)
543
543
 
544
544
  apply_manifest_on(sut, repo_manifest, :catch_failures => true)
545
545
  end
@@ -10,6 +10,21 @@ module Simp::BeakerHelpers
10
10
  attr_reader :profile_dir
11
11
  attr_reader :deps_root
12
12
 
13
+ def self.enable_repo_on(suts)
14
+ parallel = (ENV['BEAKER_SIMP_parallel'] == 'yes')
15
+ block_on(suts, :run_in_parallel => parallel) do |sut|
16
+ repo_manifest = create_yum_resource(
17
+ 'chef-current',
18
+ {
19
+ :baseurl => "https://packages.chef.io/repos/yum/current/el/#{fact_on(sut,'os.release.major')}/$basearch",
20
+ :gpgkeys => ['https://packages.chef.io/chef.asc']
21
+ }
22
+ )
23
+
24
+ apply_manifest_on(sut, repo_manifest, :catch_failures => true)
25
+ end
26
+ end
27
+
13
28
  # Create a new Inspec helper for the specified host against the specified profile
14
29
  #
15
30
  # @param sut
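Review bot: `self.enable_repo_on(suts)` is new public API (the CHANGELOG advertises it) but carries no doc comment, unlike the constructor documented immediately below it. A YARD block above `def self.enable_repo_on(suts)` should say that it applies a `chef-current` yum repository at `packages.chef.io` for each host's `os.release.major` with the `https://packages.chef.io/chef.asc` key, that `suts` is whatever `block_on` accepts, and that `BEAKER_SIMP_parallel=yes` runs hosts in parallel. The `ENV['BEAKER_SIMP_parallel']`/`block_on` pair duplicates the one visible in the earlier `sut['yum_repos']` hunk; a shared helper would keep the two in step. As a class method it depends on `block_on`, `create_yum_resource`, `fact_on` and `apply_manifest_on` being reachable on the class itself, which the hunk does not show — worth confirming against the class header above the hunk.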
@@ -81,18 +96,7 @@ module Simp::BeakerHelpers
81
96
  tmpdir = Dir.mktmpdir
82
97
  begin
83
98
  Dir.chdir(tmpdir) do
84
- if @sut[:hypervisor] == 'docker'
85
- # Work around for breaking changes in beaker-docker
86
- if @sut.host_hash[:docker_container]
87
- container_id = @sut.host_hash[:docker_container].id
88
- else
89
- container_id = @sut.host_hash[:docker_container_id]
90
- end
91
-
92
- %x(docker cp "#{container_id}:#{sut_inspec_results}" .)
93
- else
94
- scp_from(@sut, sut_inspec_results, '.')
95
- end
99
+ scp_from(@sut, sut_inspec_results, '.')
96
100
 
97
101
  local_inspec_results = File.basename(sut_inspec_results)
98
102
 
@@ -12,7 +12,7 @@ module Simp::BeakerHelpers
12
12
  GIT_REPO = 'https://github.com/ComplianceAsCode/content.git'
13
13
  end
14
14
 
15
- # If this is not set, the closest tag to the default branch will be used
15
+ # If this is not set, the highest numeric tag will be used
16
16
  GIT_BRANCH = nil
17
17
 
18
18
  if ENV['BEAKER_ssg_branch']
@@ -25,19 +25,20 @@ module Simp::BeakerHelpers
25
25
  'git',
26
26
  'openscap-python',
27
27
  'openscap-utils',
28
- 'python-lxml',
29
- 'python-jinja2'
28
+ 'python-jinja2',
29
+ 'python-lxml'
30
30
  ]
31
31
 
32
32
  EL8_PACKAGES = [
33
- 'python3',
34
- 'python3-pyyaml',
35
33
  'cmake',
36
34
  'git',
35
+ 'make',
37
36
  'openscap-python3',
38
37
  'openscap-utils',
38
+ 'python3',
39
+ 'python3-jinja2',
39
40
  'python3-lxml',
40
- 'python3-jinja2'
41
+ 'python3-pyyaml'
41
42
  ]
42
43
 
43
44
  OS_INFO = {
@@ -265,7 +266,7 @@ module Simp::BeakerHelpers
265
266
  "contains(@idref,'#{exl}')"
266
267
  end.join(' or ')
267
268
 
268
- xpath_query << ')' if exclusions.size > 1
269
+ xpath_query << ')' if exclusions.size > 0
269
270
  end
270
271
 
271
272
  xpath_query << ')]'
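Review bot: `xpath_query << ')' if exclusions.size > 0` reads more idiomatically as `xpath_query << ')' unless exclusions.empty?`, and since the opening `(` this closes is outside the hunk, it is worth checking that it is emitted under the same condition now that a single exclusion also gets the closing paren. The enclosing method starts above the hunk.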
@@ -383,7 +384,12 @@ module Simp::BeakerHelpers
383
384
  if GIT_BRANCH
384
385
  on(@sut, %(cd scap-content; git checkout #{GIT_BRANCH}))
385
386
  else
386
- on(@sut, %(cd scap-content; git checkout $(git describe --abbrev=0 --tags)))
387
+ tags = on(@sut, %(cd scap-content; git tag -l)).output
388
+ target_tag = tags.lines.map(&:strip)
389
+ .select{|x| x.start_with?(/v\d+\./)}
390
+ .sort.last
391
+
392
+ on(@sut, %(cd scap-content; git checkout #{target_tag}))
387
393
  end
388
394
 
389
395
  # Work around the issue where the profiles now strip out derivative
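Review bot: `.sort.last` on the new lines picks the lexically greatest tag, not the highest version: `String#<=>` orders `v0.1.9` after `v0.1.10`, so the "highest numeric tag" wording adopted in the earlier comment hunk is not yet what the code does. When no tag matches `v\d+\.`, `target_tag` is `nil` and the interpolated command degrades to `git checkout ` with no argument, which fails with an unhelpful message. Comparing with `Gem::Version` (assuming tags follow `vX.Y[.Z]`) and failing early on an empty list fixes both; the rewritten lines follow. The surrounding `if GIT_BRANCH` method continues outside the hunk.
```ruby
tags = on(@sut, %(cd scap-content; git tag -l)).output
numeric_tags = tags.lines.map(&:strip).select { |x| x.start_with?(/v\d+\./) }
raise('No vX.Y tag found in scap-content; set BEAKER_ssg_branch to choose one explicitly') if numeric_tags.empty?
# Gem::Version compares each dotted component numerically, so v0.1.10 sorts above v0.1.9
target_tag = numeric_tags.max_by { |tag| Gem::Version.new(tag.delete_prefix('v')) }
on(@sut, %(cd scap-content; git checkout #{target_tag}))
```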
@@ -1,5 +1,5 @@
1
1
  module Simp; end
2
2
 
3
3
  module Simp::BeakerHelpers
4
- VERSION = '1.23.0'
4
+ VERSION = '1.23.1'
5
5
  end
@@ -21,28 +21,6 @@ CONFIG:
21
21
  type: aio
22
22
  <% if ENV['BEAKER_PUPPET_ENVIRONMENT'] -%>
23
23
  puppet_environment: <%= ENV['BEAKER_PUPPET_ENVIRONMENT'] %>
24
- <% end -%>
25
- # This is necessary for pretty much all containers
26
- docker_cap_add:
27
- - AUDIT_WRITE
28
- <%
29
- require 'docker-api'
30
- unless ::Docker.podman?
31
- -%>
32
- # All items below this point are required for systemd
33
- mount_folders:
34
- cgroup:
35
- host_path: /sys/fs/cgroup
36
- container_path: /sys/fs/cgroup
37
- opts: 'ro'
38
- dockeropts:
39
- HostConfig:
40
- Tmpfs:
41
- '/run': 'rw,noexec,nosuid,nodev,size=65536k'
42
- '/run/lock': 'rw,noexec,nosuid,nodev,size=65536k'
43
- '/tmp': 'rw,exec,nosuid,nodev,size=65536k'
44
- '/sys/fs/cgroup/systemd': 'rw,size=65536k'
45
- '/var/log/journal': 'rw,noexec,nodev,nosuid,size=65536k'
46
24
  <% end -%>
47
25
  ssh:
48
26
  password: root
@@ -55,12 +55,20 @@ describe 'FIPS pre-installed' do
55
55
  hosts.each do |host|
56
56
  context "on #{host}" do
57
57
  it 'does not create an alternate apply directory' do
58
- on(host, 'test ! -d /root/.beaker_fips/modules')
58
+ if host[:hypervisor] == 'docker'
59
+ skip('Not supported on docker')
60
+ else
61
+ on(host, 'test ! -d /root/.beaker_fips/modules')
62
+ end
59
63
  end
60
64
 
61
65
  it 'has fips enabled' do
62
- stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
63
- expect(stdout).to eq('1')
66
+ if host[:hypervisor] == 'docker'
67
+ skip('Not supported on docker')
68
+ else
69
+ stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
70
+ expect(stdout).to eq('1')
71
+ end
64
72
  end
65
73
  end
66
74
  end
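Review bot: The `if host[:hypervisor] == 'docker' … else … end` wrapper is repeated verbatim in both examples, nesting the real assertion two levels deep. A guard at the top of each `it` keeps the body flat and the skip reason in one place: `skip('Not supported on docker') if host[:hypervisor] == 'docker'`, followed by the original `on(...)`/`expect(...)` lines; `skip` ends the example, so the `else` branch is not needed. The `hosts.each` loop and `context` blocks this sits in start above the hunk.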
@@ -0,0 +1,54 @@
1
+ require 'spec_helper_acceptance'
2
+ require 'json'
3
+
4
+ test_name 'Inspec STIG Profile'
5
+
6
+ describe 'Inspec STIG Profile' do
7
+
8
+ profiles_to_validate = ['disa_stig']
9
+
10
+ hosts.each do |host|
11
+ profiles_to_validate.each do |profile|
12
+ context "for profile #{profile}" do
13
+ context "on #{host}" do
14
+ profile_path = File.join(
15
+ fixtures_path,
16
+ 'inspec_profiles',
17
+ "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}"
18
+ )
19
+
20
+ unless File.exist?(profile_path)
21
+ it 'should run inspec' do
22
+ skip("No matching profile available at #{profile_path}")
23
+ end
24
+ else
25
+ before(:all) do
26
+ Simp::BeakerHelpers::Inspec.enable_repo_on(hosts)
27
+ @inspec = Simp::BeakerHelpers::Inspec.new(host, profile)
28
+
29
+ # If we don't do this, the variable gets reset
30
+ @inspec_report = { :data => nil }
31
+ end
32
+
33
+ it 'should run inspec' do
34
+ @inspec.run
35
+ end
36
+
37
+ it 'should have an inspec report' do
38
+ @inspec_report[:data] = @inspec.process_inspec_results
39
+
40
+ expect(@inspec_report[:data]).to_not be_nil
41
+
42
+ @inspec.write_report(@inspec_report[:data])
43
+ end
44
+
45
+ it 'should have a report' do
46
+ expect(@inspec_report[:data][:report]).to_not be_nil
47
+ puts @inspec_report[:data][:report]
48
+ end
49
+ end
50
+ end
51
+ end
52
+ end
53
+ end
54
+ end
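Review bot: Inside `hosts.each do |host|`, `before(:all)` calls `Simp::BeakerHelpers::Inspec.enable_repo_on(hosts)` with the whole host list, so with N hosts the chef repository is applied N times on every host instead of once per host; `Simp::BeakerHelpers::Inspec.enable_repo_on(host)` matches the per-host `Inspec.new(host, profile)` on the next line. `'should have a report'` dereferences `@inspec_report[:data][:report]`, and if the preceding example failed `[:data]` is still `nil`, so this example dies with `NoMethodError` instead of a readable failure — `expect(@inspec_report.dig(:data, :report)).to_not be_nil` keeps the message meaningful. The new `ssg/00_default_spec.rb` hunk has the same `[:data][:report]` pattern. `require 'json'` is not used anywhere in the added file.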
@@ -0,0 +1,2 @@
1
+ ---
2
+ 'default_run': true
@@ -0,0 +1 @@
1
+ spec/acceptance/suites/inspec/../../nodesets
@@ -0,0 +1,40 @@
1
+ require 'spec_helper_acceptance'
2
+
3
+ test_name 'SSG STIG Validation'
4
+
5
+ describe 'run the SSG against the STIG profile' do
6
+
7
+ hosts.each do |host|
8
+ context "on #{host}" do
9
+ before(:all) do
10
+ @ssg = Simp::BeakerHelpers::SSG.new(host)
11
+
12
+ # If we don't do this, the variable gets reset
13
+ @ssg_report = { :data => nil }
14
+ end
15
+
16
+ it 'should run the SSG' do
17
+ profile = 'xccdf_org.ssgproject.content_profile_stig'
18
+
19
+ @ssg.evaluate(profile)
20
+ end
21
+
22
+ it 'should have an SSG report' do
23
+ # Validate that the filter works
24
+ filter = '_rule_audit'
25
+ host_exclusions = ['ssh_']
26
+
27
+ @ssg_report[:data] = @ssg.process_ssg_results(filter, host_exclusions)
28
+
29
+ expect(@ssg_report[:data]).to_not be_nil
30
+
31
+ @ssg.write_report(@ssg_report[:data])
32
+ end
33
+
34
+ it 'should have a report' do
35
+ expect(@ssg_report[:data][:report]).to_not be_nil
36
+ puts @ssg_report[:data][:report]
37
+ end
38
+ end
39
+ end
40
+ end
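Review bot: The comment `# Validate that the filter works` above `filter = '_rule_audit'` and `host_exclusions = ['ssh_']` promises a check the example never makes: the only assertion is that `process_ssg_results` returned something non-nil, so a broken filter or exclusion would still pass. Add an assertion on the processed data — for instance that no entry whose id contains `ssh_` survives — once the shape returned by `process_ssg_results` is confirmed (it is not visible here), or reword the comment to say these values are inputs only. The hard-coded `profile = 'xccdf_org.ssgproject.content_profile_stig'` would also benefit from a one-line comment naming the SSG profile it selects.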
@@ -0,0 +1,2 @@
1
+ ---
2
+ 'default_run': true
@@ -0,0 +1 @@
1
+ spec/acceptance/suites/ssg/../../nodesets
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: simp-beaker-helpers
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.23.0
4
+ version: 1.23.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2021-05-04 00:00:00.000000000 Z
12
+ date: 2021-05-25 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: beaker
@@ -190,6 +190,7 @@ files:
190
190
  - ".fips_fixtures"
191
191
  - ".fixtures.yml"
192
192
  - ".github/workflows.local.json"
193
+ - ".github/workflows/pr_acceptance.yml"
193
194
  - ".github/workflows/pr_glci.yml"
194
195
  - ".github/workflows/pr_glci_cleanup.yml"
195
196
  - ".github/workflows/pr_glci_manual.yml"
@@ -231,6 +232,9 @@ files:
231
232
  - spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
232
233
  - spec/acceptance/suites/fips_from_fixtures/metadata.yml
233
234
  - spec/acceptance/suites/fips_from_fixtures/nodesets
235
+ - spec/acceptance/suites/inspec/00_default_spec.rb
236
+ - spec/acceptance/suites/inspec/metadata.yml
237
+ - spec/acceptance/suites/inspec/nodesets
234
238
  - spec/acceptance/suites/offline/00_default_spec.rb
235
239
  - spec/acceptance/suites/offline/README
236
240
  - spec/acceptance/suites/offline/nodesets/default.yml
@@ -239,11 +243,20 @@ files:
239
243
  - spec/acceptance/suites/snapshot/00_snapshot_test_spec.rb
240
244
  - spec/acceptance/suites/snapshot/10_general_usage_spec.rb
241
245
  - spec/acceptance/suites/snapshot/nodesets
246
+ - spec/acceptance/suites/ssg/00_default_spec.rb
247
+ - spec/acceptance/suites/ssg/metadata.yml
248
+ - spec/acceptance/suites/ssg/nodesets
242
249
  - spec/acceptance/suites/windows/00_default_spec.rb
243
250
  - spec/acceptance/suites/windows/metadata.yml
244
251
  - spec/acceptance/suites/windows/nodesets/default.yml
245
252
  - spec/acceptance/suites/windows/nodesets/win2016.yml
246
253
  - spec/acceptance/suites/windows/nodesets/win2019.yml
254
+ - spec/fixtures/inspec_profiles/CentOS-7-disa_stig
255
+ - spec/fixtures/inspec_profiles/CentOS-8-disa_stig
256
+ - spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb
257
+ - spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml
258
+ - spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb
259
+ - spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml
247
260
  - spec/lib/simp/beaker_helpers_spec.rb
248
261
  - spec/spec_helper.rb
249
262
  - spec/spec_helper_acceptance.rb