simp-beaker-helpers 1.23.4 → 1.24.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.fixtures.yml +0 -3
- data/.github/workflows/pr_acceptance.yml +1 -1
- data/.github/workflows/pr_glci.yml +2 -2
- data/.github/workflows/pr_glci_cleanup.yml +1 -1
- data/.github/workflows/tag_deploy_rubygem.yml +1 -1
- data/.gitlab-ci.yml +0 -10
- data/CHANGELOG.md +25 -0
- data/Gemfile +1 -1
- data/files/pki/make.sh +1 -1
- data/lib/simp/beaker_helpers/ssg.rb +4 -5
- data/lib/simp/beaker_helpers/version.rb +1 -1
- data/lib/simp/beaker_helpers.rb +49 -28
- data/spec/acceptance/nodesets/default.yml +1 -1
- data/spec/acceptance/nodesets/oel.yml +1 -1
- data/spec/acceptance/nodesets/ubuntu.yml +1 -1
- metadata +2 -5
- data/spec/fixtures/inspec_profiles/CentOS-8-disa_stig +0 -1
- data/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb +0 -45
- data/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml +0 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a3ebfb21a6409e25775b605532f96982fe2bfc200dced0a88683427bf1c3818e
|
4
|
+
data.tar.gz: 94ecd0803ebda28858480211e6fc0d0ab0402c96dbf3101fa4f6a7f17070c11e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 72fb511dc7fb090c5ae5f80170975af6c0e33ebf01744b090a1cae8579e052d8baa354b9d42e9b9a9b50fda12afc54e8e519e1278bc565633b8777be79827c18
|
7
|
+
data.tar.gz: 4629b633ec4a047d1549fa9f7ab2dbc457a72e1770cfbff8aaf9eba9a5648905a9be87b32a5191797caab501e25e47ba6cb975e70a1ebc9ca9b0bd16f34201de
|
data/.fixtures.yml
CHANGED
@@ -7,6 +7,3 @@ fixtures:
|
|
7
7
|
disa_stig-el7-baseline:
|
8
8
|
repo: https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline
|
9
9
|
target: spec/fixtures/inspec_deps/inspec_profiles/profiles
|
10
|
-
disa_stig-el8-baseline:
|
11
|
-
repo: https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline
|
12
|
-
target: spec/fixtures/inspec_deps/inspec_profiles/profiles
|
@@ -63,7 +63,7 @@ jobs:
|
|
63
63
|
# we restrict ourselves to sending data elsewhere.
|
64
64
|
glci-syntax:
|
65
65
|
name: '.gitlab-ci.yml Syntax'
|
66
|
-
runs-on: ubuntu-
|
66
|
+
runs-on: ubuntu-latest
|
67
67
|
outputs:
|
68
68
|
valid: ${{ steps.validate-glci-file.outputs.valid }}
|
69
69
|
steps:
|
@@ -174,7 +174,7 @@ jobs:
|
|
174
174
|
### examine_contexts:
|
175
175
|
### name: 'Examine Context contents'
|
176
176
|
### if: always()
|
177
|
-
### runs-on: ubuntu-
|
177
|
+
### runs-on: ubuntu-latest
|
178
178
|
### needs: [ glci-syntax, contributor-permissions ]
|
179
179
|
### steps:
|
180
180
|
### - name: Dump contexts
|
@@ -1,4 +1,4 @@
|
|
1
|
-
#
|
1
|
+
# When SemVer tag is pushed: create GitHub release & publish gem to rubygems.org
|
2
2
|
#
|
3
3
|
# This workflow's jobs are only triggered in repos under the `simp` organization
|
4
4
|
# ------------------------------------------------------------------------------
|
data/.gitlab-ci.yml
CHANGED
@@ -273,10 +273,6 @@ variables:
|
|
273
273
|
# Unit Tests
|
274
274
|
#-----------------------------------------------------------------------
|
275
275
|
|
276
|
-
pup5.x-unit:
|
277
|
-
<<: *pup_5_x
|
278
|
-
<<: *unit_tests
|
279
|
-
|
280
276
|
pup6.x-unit:
|
281
277
|
<<: *pup_6_x
|
282
278
|
<<: *unit_tests
|
@@ -292,12 +288,6 @@ pup7.x-unit:
|
|
292
288
|
#=======================================================================
|
293
289
|
# Packaging test
|
294
290
|
|
295
|
-
pup5.x-pkg:
|
296
|
-
<<: *pup_5_x
|
297
|
-
<<: *unit_tests
|
298
|
-
script:
|
299
|
-
'bundle exec rake pkg:gem'
|
300
|
-
|
301
291
|
pup6.x-pkg:
|
302
292
|
<<: *pup_6_x
|
303
293
|
<<: *unit_tests
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,28 @@
|
|
1
|
+
### 1.24.2 / 2022-03-09
|
2
|
+
* Fixed:
|
3
|
+
* Prevent `spec/` directory symlink recursion in `copy_fixture_modules_to`
|
4
|
+
* Update the derivatives workaround to insert an inert line instead of
|
5
|
+
commenting out the previous line to allow for logic updates
|
6
|
+
* Addressed a bug where passing an empty exceptions array would produce an
|
7
|
+
invalid xpath query
|
8
|
+
* Ensure that the new SIMP community RPMs are used
|
9
|
+
|
10
|
+
### 1.24.1 / 2021-10-27
|
11
|
+
* Fixed:
|
12
|
+
* Worked around a bug in 'puppet lookup' - PUP-11402
|
13
|
+
* Updated calls to the operating system fact when connecting to RHSM
|
14
|
+
|
15
|
+
### 1.24.0 / 2021-10-05
|
16
|
+
* Fixed:
|
17
|
+
* Pinned the version of inspec to 4.39.0 since 4.41 broke tag processing
|
18
|
+
* Only call `activate_interfaces` once per test run instead of at each context
|
19
|
+
which saves quite a bit of time during testing
|
20
|
+
* SSG tag selection logic
|
21
|
+
* Use `sed -ci` which works with docker volume mounts
|
22
|
+
* Added:
|
23
|
+
* Modified the `activate_interfaces` method to use the `networking` fact if
|
24
|
+
available which shaves quite a bit of time off of each test run
|
25
|
+
|
1
26
|
### 1.23.4 / 2021-07-07
|
2
27
|
* Fixed:
|
3
28
|
* Ensure that the openscap-scanner package is installed during SSG runs
|
data/Gemfile
CHANGED
data/files/pki/make.sh
CHANGED
@@ -73,7 +73,7 @@ for hosts in $*; do
|
|
73
73
|
done
|
74
74
|
done
|
75
75
|
|
76
|
-
sed -
|
76
|
+
sed -ci "s/# subjectAltName = #ALTNAMES#/subjectAltName = ${altnames}/" "working/${hname}.cnf"
|
77
77
|
fi
|
78
78
|
|
79
79
|
echo "-- running openssl req"
|
@@ -278,9 +278,8 @@ module Simp::BeakerHelpers
|
|
278
278
|
|
279
279
|
xpath_query << ')' if filter.size > 1
|
280
280
|
|
281
|
-
|
282
|
-
|
283
|
-
|
281
|
+
exclusions = Array(exclusions)
|
282
|
+
unless exclusions.empty?
|
284
283
|
xpath_query << 'and not('
|
285
284
|
|
286
285
|
xpath_query << exclusions.map do |exl|
|
@@ -407,7 +406,7 @@ module Simp::BeakerHelpers
|
|
407
406
|
else
|
408
407
|
tags = on(@sut, %(cd scap-content; git tag -l)).output
|
409
408
|
target_tag = tags.lines.map(&:strip)
|
410
|
-
.select{|x| x.
|
409
|
+
.select{|x| x.match?(/^v(\d+\.)+\d+$/)}
|
411
410
|
.sort.last
|
412
411
|
|
413
412
|
on(@sut, %(cd scap-content; git checkout #{target_tag}))
|
@@ -419,7 +418,7 @@ module Simp::BeakerHelpers
|
|
419
418
|
#
|
420
419
|
# This isn't 100% correct but it's "good enough" for an automated CI
|
421
420
|
# environment to tell us if something is critically out of alignment.
|
422
|
-
on(@sut, %(cd scap-content/build-scripts; sed -
|
421
|
+
on(@sut, %(cd scap-content/build-scripts; sed -ci 's/ssg.build_derivatives.profile_handling/__simp_dontcare__ = None #ssg.build_derivatives.profile_handling/g' enable_derivatives.py))
|
423
422
|
|
424
423
|
on(@sut, %(cd scap-content/build; cmake ../; make -j4 #{OS_INFO[@os][@os_rel]['ssg']['build_target']}-content && cp *ds.xml #{@scap_working_dir}))
|
425
424
|
end
|
data/lib/simp/beaker_helpers.rb
CHANGED
@@ -411,7 +411,7 @@ module Simp::BeakerHelpers
|
|
411
411
|
begin
|
412
412
|
tarfile = "#{Simp::BeakerHelpers.tmpname}.tar"
|
413
413
|
|
414
|
-
excludes = PUPPET_MODULE_INSTALL_IGNORE.map do |x|
|
414
|
+
excludes = (PUPPET_MODULE_INSTALL_IGNORE + ['spec']).map do |x|
|
415
415
|
x = "--exclude '*/#{x}'"
|
416
416
|
end.join(' ')
|
417
417
|
|
@@ -483,7 +483,7 @@ module Simp::BeakerHelpers
|
|
483
483
|
# that doesn't break vagrant access and is appropriate for
|
484
484
|
# typical module tests.)
|
485
485
|
fips_ssh_ciphers = [ 'aes256-ctr','aes192-ctr','aes128-ctr']
|
486
|
-
on(sut, %(sed -
|
486
|
+
on(sut, %(sed -ci '/Ciphers /d' /etc/ssh/sshd_config))
|
487
487
|
on(sut, %(echo 'Ciphers #{fips_ssh_ciphers.join(',')}' >> /etc/ssh/sshd_config))
|
488
488
|
|
489
489
|
fips_enable_modulepath = ''
|
@@ -688,7 +688,7 @@ module Simp::BeakerHelpers
|
|
688
688
|
if current_domain.empty?
|
689
689
|
new_fqdn = hostname + '.beaker.test'
|
690
690
|
|
691
|
-
on(sut, "sed -
|
691
|
+
on(sut, "sed -ci 's/#{hostname}.*/#{new_fqdn} #{hostname}/' /etc/hosts")
|
692
692
|
on(sut, "echo '#{new_fqdn}' > /etc/hostname", :accept_all_exit_codes => true)
|
693
693
|
on(sut, "hostname #{new_fqdn}", :accept_all_exit_codes => true)
|
694
694
|
|
@@ -810,8 +810,8 @@ module Simp::BeakerHelpers
|
|
810
810
|
rhsm_opts.merge!(opts)
|
811
811
|
end
|
812
812
|
|
813
|
-
os = fact_on(sut, '
|
814
|
-
os_release = fact_on(sut, '
|
813
|
+
os = fact_on(sut, 'os.name').strip
|
814
|
+
os_release = fact_on(sut, 'os.release.major').strip
|
815
815
|
|
816
816
|
if os == 'RedHat'
|
817
817
|
unless rhsm_opts[:username] && rhsm_opts[:password]
|
@@ -953,21 +953,31 @@ module Simp::BeakerHelpers
|
|
953
953
|
host_entry[fqdn] << host.name if (host[:hypervisor] == 'docker')
|
954
954
|
|
955
955
|
# Ensure that all interfaces are active prior to collecting data
|
956
|
-
activate_interfaces(host)
|
956
|
+
activate_interfaces(host)
|
957
957
|
|
958
|
-
|
959
|
-
|
960
|
-
|
961
|
-
|
958
|
+
networking_fact = pfact_on(host, 'networking')
|
959
|
+
if networking_fact && networking_fact['interfaces']
|
960
|
+
networking_fact['interfaces'].each do |iface, data|
|
961
|
+
next unless data['ip']
|
962
|
+
next if data['ip'].start_with?('127.')
|
962
963
|
|
963
|
-
|
964
|
+
host_entry[fqdn] << data['ip'].strip
|
965
|
+
end
|
966
|
+
else
|
967
|
+
# Gather the IP Addresses for the host to embed in the cert
|
968
|
+
interfaces = fact_on(host, 'interfaces').strip.split(',')
|
969
|
+
interfaces.each do |interface|
|
970
|
+
ipaddress = fact_on(host, "ipaddress_#{interface}")
|
964
971
|
|
965
|
-
|
972
|
+
next if ipaddress.nil? || ipaddress.empty? || ipaddress.start_with?('127.')
|
966
973
|
|
967
|
-
|
968
|
-
suts_network_info[fqdn] = host_entry[fqdn].sort.uniq
|
974
|
+
host_entry[fqdn] << ipaddress.strip
|
969
975
|
end
|
970
976
|
end
|
977
|
+
|
978
|
+
unless host_entry[fqdn].empty?
|
979
|
+
suts_network_info[fqdn] = host_entry[fqdn].sort.uniq
|
980
|
+
end
|
971
981
|
end
|
972
982
|
|
973
983
|
# Get all of the repeated SUT IP addresses:
|
@@ -1072,7 +1082,6 @@ module Simp::BeakerHelpers
|
|
1072
1082
|
on ca_sut, "chgrp -R puppet #{host_keydist_dir}"
|
1073
1083
|
end
|
1074
1084
|
|
1075
|
-
|
1076
1085
|
# Activate all network interfaces on the target system
|
1077
1086
|
#
|
1078
1087
|
# This is generally needed if the upstream vendor does not activate all
|
@@ -1080,6 +1089,8 @@ module Simp::BeakerHelpers
|
|
1080
1089
|
#
|
1081
1090
|
# Can be passed any number of hosts either singly or as an Array
|
1082
1091
|
def activate_interfaces(hosts)
|
1092
|
+
return if ENV['BEAKER_no_fix_interfaces']
|
1093
|
+
|
1083
1094
|
parallel = (ENV['BEAKER_SIMP_parallel'] == 'yes')
|
1084
1095
|
block_on(hosts, :run_in_parallel => parallel) do |host|
|
1085
1096
|
if host[:platform] =~ /windows/
|
@@ -1087,14 +1098,22 @@ module Simp::BeakerHelpers
|
|
1087
1098
|
next
|
1088
1099
|
end
|
1089
1100
|
|
1090
|
-
|
1101
|
+
networking_fact = pfact_on(host, 'networking')
|
1102
|
+
if networking_fact && networking_fact['interfaces']
|
1103
|
+
networking_fact['interfaces'].each do |iface, data|
|
1104
|
+
next if ( ( data['ip'] && !data['ip'].empty? ) || ( data['ip6'] && !data['ip6'].empty? ) )
|
1105
|
+
on(host, "ifup #{iface}", :accept_all_exit_codes => true)
|
1106
|
+
end
|
1107
|
+
else
|
1108
|
+
interfaces_fact = pfact_on(host, 'interfaces')
|
1091
1109
|
|
1092
|
-
|
1093
|
-
|
1110
|
+
interfaces = interfaces_fact.strip.split(',')
|
1111
|
+
interfaces.delete_if { |x| x =~ /^lo/ }
|
1094
1112
|
|
1095
|
-
|
1096
|
-
|
1097
|
-
|
1113
|
+
interfaces.each do |iface|
|
1114
|
+
if pfact_on(host, "ipaddress_#{iface}")
|
1115
|
+
on(host, "ifup #{iface}", :accept_all_exit_codes => true)
|
1116
|
+
end
|
1098
1117
|
end
|
1099
1118
|
end
|
1100
1119
|
end
|
@@ -1111,12 +1130,9 @@ module Simp::BeakerHelpers
|
|
1111
1130
|
RSpec.configure do |c|
|
1112
1131
|
c.before(:all) do
|
1113
1132
|
@temp_hieradata_dirs = @temp_hieradata_dirs || []
|
1114
|
-
end
|
1115
1133
|
|
1116
|
-
|
1117
|
-
|
1118
|
-
c.before(:context) do
|
1119
|
-
activate_interfaces(hosts) unless ENV['BEAKER_no_fix_interfaces']
|
1134
|
+
# We can't guarantee that the upstream vendor isn't disabling interfaces
|
1135
|
+
activate_interfaces(hosts)
|
1120
1136
|
end
|
1121
1137
|
|
1122
1138
|
c.after(:all) do
|
@@ -1228,8 +1244,11 @@ module Simp::BeakerHelpers
|
|
1228
1244
|
#
|
1229
1245
|
# @returns [String] Path to the Hieradata directory on the target system
|
1230
1246
|
def hiera_datadir(sut)
|
1247
|
+
# A workaround for PUP-11042
|
1248
|
+
sut_environment = sut.puppet_configprint['environment']
|
1249
|
+
|
1231
1250
|
# This output lets us know where Hiera is configured to look on the system
|
1232
|
-
puppet_lookup_info = on(sut,
|
1251
|
+
puppet_lookup_info = on(sut, "puppet lookup --explain --environment #{sut_environment} test__simp__test", :silent => true).output.strip.lines
|
1233
1252
|
|
1234
1253
|
if sut.puppet_configprint['manifest'].nil? || sut.puppet_configprint['manifest'].empty?
|
1235
1254
|
fail("No output returned from `puppet config print manifest` on #{sut}")
|
@@ -1479,10 +1498,12 @@ module Simp::BeakerHelpers
|
|
1479
1498
|
block_on(suts, :run_in_parallel => parallel) do |sut|
|
1480
1499
|
install_package_unless_present_on(sut, 'yum-utils')
|
1481
1500
|
|
1501
|
+
release = fact_on(sut, 'os.release.major')
|
1502
|
+
|
1482
1503
|
install_package_unless_present_on(
|
1483
1504
|
sut,
|
1484
1505
|
'simp-release-community',
|
1485
|
-
"https://download.simp-project.com/simp-release-community.rpm"
|
1506
|
+
"https://download.simp-project.com/simp-release-community.el#{release}.rpm"
|
1486
1507
|
)
|
1487
1508
|
|
1488
1509
|
to_disable = disable.dup
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: simp-beaker-helpers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.24.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chris Tessmer
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2022-03-10 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: beaker
|
@@ -254,11 +254,8 @@ files:
|
|
254
254
|
- spec/acceptance/suites/windows/nodesets/win2016.yml
|
255
255
|
- spec/acceptance/suites/windows/nodesets/win2019.yml
|
256
256
|
- spec/fixtures/inspec_profiles/CentOS-7-disa_stig
|
257
|
-
- spec/fixtures/inspec_profiles/CentOS-8-disa_stig
|
258
257
|
- spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb
|
259
258
|
- spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml
|
260
|
-
- spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb
|
261
|
-
- spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml
|
262
259
|
- spec/lib/simp/beaker_helpers_spec.rb
|
263
260
|
- spec/spec_helper.rb
|
264
261
|
- spec/spec_helper_acceptance.rb
|
@@ -1 +0,0 @@
|
|
1
|
-
spec/fixtures/inspec_profiles/RedHat-8-disa_stig
|
@@ -1,45 +0,0 @@
|
|
1
|
-
skips = {
|
2
|
-
'V-72209' => 'Cannot guarantee a remote syslog server during test'
|
3
|
-
}
|
4
|
-
overrides = [ 'V-72091' ]
|
5
|
-
subsystems = []
|
6
|
-
|
7
|
-
require_controls 'disa_stig-el8-baseline' do
|
8
|
-
skips.each_pair do |ctrl, reason|
|
9
|
-
control ctrl do
|
10
|
-
describe "Skip #{ctrl}" do
|
11
|
-
skip "Reason: #{skips[ctrl]}" do
|
12
|
-
end
|
13
|
-
end
|
14
|
-
end
|
15
|
-
end
|
16
|
-
|
17
|
-
@conf['profile'].info[:controls].each do |ctrl|
|
18
|
-
next if (overrides + skips.keys).include?(ctrl[:id])
|
19
|
-
|
20
|
-
if subsystems.empty?
|
21
|
-
control ctrl[:id]
|
22
|
-
else
|
23
|
-
tags = ctrl[:tags]
|
24
|
-
if tags && tags[:subsystems]
|
25
|
-
subsystems.each do |subsystem|
|
26
|
-
if tags[:subsystems].include?(subsystem)
|
27
|
-
control ctrl[:id]
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
|
34
|
-
## Overrides ##
|
35
|
-
|
36
|
-
# There's no email server to send anything to by default so syslog is a safer
|
37
|
-
# default for processing.
|
38
|
-
control 'V-72091' do
|
39
|
-
overrides << self.to_s
|
40
|
-
|
41
|
-
describe auditd_conf do
|
42
|
-
its('space_left_action.downcase') { should cmp 'syslog' }
|
43
|
-
end
|
44
|
-
end
|
45
|
-
end
|
@@ -1,14 +0,0 @@
|
|
1
|
-
name: EL8 STIG
|
2
|
-
title: STIG for EL 8
|
3
|
-
supports:
|
4
|
-
- os-family: redhat
|
5
|
-
maintainer: SIMP Team
|
6
|
-
copyright: Onyx Point, Inc.
|
7
|
-
copyright_email: simp@onyxpoint.com
|
8
|
-
license: Apache-2.0
|
9
|
-
summary: |
|
10
|
-
A collection of InSpec tests
|
11
|
-
version: 0.0.1
|
12
|
-
depends:
|
13
|
-
- name: disa_stig-el8-baseline
|
14
|
-
path: ../../inspec_deps/inspec_profiles/profiles/disa_stig-el8-baseline
|