simp-beaker-helpers 1.23.0 → 1.23.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77288902c91655a0e3f5c7db8d5573375e3c341638a8bfc3be82b76f7753f3f6
-  data.tar.gz: ec02b6c05c5b1b69615b83b7ed5682d1e2ba9619d72752c4adfa5d48e3e3ec61
+  metadata.gz: 662fa0921ca0879ff169a372722db43cab01b6084d7fb8bd0c22b9727499d44d
+  data.tar.gz: 7fdcc1bb9a1e7384fe8e7edcb6336f3b30e5045719ac2250c67666efddffe0ad
 SHA512:
-  metadata.gz: 6c006e7df61eaeb23dce36101ae518d88f99f34778821402973cf5c9358226572beab46c319fafee6487bbf325dbe07f72f7343c49d023e3d9949dd695092b57
-  data.tar.gz: f0535c393d9a6b6b8e3e9484fcf52e78adc4892bd0eca8255479eb06185e9865ddad9af2c6c5f3cd67d55c537632f88e178c39e6ad4a48757e2b61d7b229b826
+  metadata.gz: 046ed4502f9257b59afa940d925f40f80ad3d5d4e9bb600904625382e4e437493313230a6109d105f4e1471f77537f8fbcfb176297fa71ca1d6bf979d0ccf565
+  data.tar.gz: f0d190e6abf5474bca2b4764658cfeb3af61298b13c4ad3b1cd8649417d4ecb67814eb88e6f266ee261fcbd35b77e47ee71b0ee1c7a72a59f4428e9fc5b73920

data/.fixtures.yml

@@ -4,4 +4,9 @@ fixtures:
     stdlib: https://github.com/simp/puppetlabs-stdlib
     simplib: https://github.com/simp/pupmod-simp-simplib
     compliance_markup: https://github.com/simp/pupmod-simp-compliance_markup
-
+    disa_stig-el7-baseline:
+      repo: https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline
+      target: spec/fixtures/inspec_deps/inspec_profiles/profiles
+    disa_stig-el8-baseline:
+      repo: https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline
+      target: spec/fixtures/inspec_deps/inspec_profiles/profiles

data/.github/workflows/pr_acceptance.yml

@@ -0,0 +1,71 @@
+# Run all tests as GitHub Actions
+name: Unit Tests
+on:
+  push:
+    branches:
+      # A test branch for seeing if your tests will pass in your personal fork
+      - test_me_github
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  acceptance:
+    runs-on:
+      - ubuntu-latest
+    strategy:
+      matrix:
+        ruby:
+          - 2.6
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: ensure entropy
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y rng-tools
+          sudo systemctl start rng-tools
+      - name: install podman
+        run: |
+          set -x
+          sudo apt-get remove -y podman docker-ce docker docker-engine docker.io containerd runc ||:
+          curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_$( lsb_release -rs )/Release.key | sudo apt-key add -
+          echo  "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_$( lsb_release -rs )/ /" | sudo tee /etc/apt/sources.list.d/podman.list /dev/null
+          sudo apt-get update
+          sudo apt-get install -y podman
+          sudo apt autoremove -y
+          sudo systemctl start podman
+      - name: install bundler
+        run: |
+          gem install bundler
+          bundle update
+      - name: beaker default
+        env:
+          DOCKER_HOST: unix:///var/run/podman/podman.sock
+          CONTAINER_HOST: unix:///var/run/podman/podman.sock
+        run: |
+          sudo chmod -R ugo+rwX /var/run/podman
+          bundle exec rake beaker:suites[default,docker]
+      - name: beaker puppet_collections
+        env:
+          DOCKER_HOST: unix:///var/run/podman/podman.sock
+          CONTAINER_HOST: unix:///var/run/podman/podman.sock
+        run: |
+          sudo chmod -R ugo+rwX /var/run/podman
+          bundle exec rake beaker:suites[puppet_collections,docker]
+      - name: beaker ssg
+        env:
+          DOCKER_HOST: unix:///var/run/podman/podman.sock
+          CONTAINER_HOST: unix:///var/run/podman/podman.sock
+        run: |
+          sudo chmod -R ugo+rwX /var/run/podman
+          bundle exec rake beaker:suites[ssg,docker]
+      - name: beaker inspec
+        env:
+          DOCKER_HOST: unix:///var/run/podman/podman.sock
+          CONTAINER_HOST: unix:///var/run/podman/podman.sock
+        run: |
+          sudo chmod -R ugo+rwX /var/run/podman
+          bundle exec rake beaker:suites[inspec,docker]

data/.gitlab-ci.yml

@@ -351,6 +351,7 @@ puppet7_collections:
 windows:
   <<: *pup_6_x
   <<: *acceptance_base
+  allow_failure: true
   script:
     - bundle exec rake beaker:suites[windows]
 

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+### 1.23.1 / 2021-05-19
+* Fixed:
+  * The SSG default branch is now the latest numeric tag instead of the one
+    closest to the head of the default branch. The tag closest to the default
+    branch has drifted over time.
+  * Removed direct call to `docker` when copying out inspec results
+  * Typos in `copy_in` when running against docker
+* Added:
+  * `Simp::BeakerHelpers::Inspec.enable_repo_on(suts)` to allow users to easily
+    enable the Chef repos for inspec
+  * Beaker tests for inspec and SSG basic functionality
+  * GitHub Actions for acceptance testing where possible
+
 ### 1.23.0 / 2021-03-16
 * Added:
   * For `podman` support:

data/lib/simp/beaker_helpers.rb

@@ -193,7 +193,7 @@ module Simp::BeakerHelpers
       else
         cmd = [
           %{tar #{exclude_list.join(' ')} -hcf - -C "#{File.dirname(src)}" "#{File.basename(src)}"},
-          %{#{docker_cmd} exec -i "#{container_id}" tar -C "#{File.dirname(dest)}" -xf -)}
+          %{#{docker_cmd} exec -i "#{container_id}" tar -C "#{dest}" -xf -}
         ].join(' | ')
       end
 
@@ -539,7 +539,7 @@ module Simp::BeakerHelpers
     block_on(suts, :run_in_parallel => parallel) do |sut|
       if sut['yum_repos']
         sut['yum_repos'].each_pair do |repo, metadata|
-          repo_manifest = create_yum_resource( repo, metadata)
+          repo_manifest = create_yum_resource(repo, metadata)
 
           apply_manifest_on(sut, repo_manifest, :catch_failures => true)
         end

data/lib/simp/beaker_helpers/inspec.rb

@@ -10,6 +10,21 @@ module Simp::BeakerHelpers
     attr_reader :profile_dir
     attr_reader :deps_root
 
+    def self.enable_repo_on(suts)
+      parallel = (ENV['BEAKER_SIMP_parallel'] == 'yes')
+      block_on(suts, :run_in_parallel => parallel) do |sut|
+        repo_manifest = create_yum_resource(
+          'chef-current',
+          {
+            :baseurl => "https://packages.chef.io/repos/yum/current/el/#{fact_on(sut,'os.release.major')}/$basearch",
+            :gpgkeys => ['https://packages.chef.io/chef.asc']
+          }
+        )
+
+        apply_manifest_on(sut, repo_manifest, :catch_failures => true)
+      end
+    end
+
     # Create a new Inspec helper for the specified host against the specified profile
     #
     # @param sut
@@ -81,18 +96,7 @@ module Simp::BeakerHelpers
       tmpdir = Dir.mktmpdir
       begin
         Dir.chdir(tmpdir) do
-          if @sut[:hypervisor] == 'docker'
-            # Work around for breaking changes in beaker-docker
-            if @sut.host_hash[:docker_container]
-              container_id = @sut.host_hash[:docker_container].id
-            else
-              container_id = @sut.host_hash[:docker_container_id]
-            end
-
-            %x(docker cp "#{container_id}:#{sut_inspec_results}" .)
-          else
-            scp_from(@sut, sut_inspec_results, '.')
-          end
+          scp_from(@sut, sut_inspec_results, '.')
 
           local_inspec_results = File.basename(sut_inspec_results)
 

data/lib/simp/beaker_helpers/ssg.rb

@@ -12,7 +12,7 @@ module Simp::BeakerHelpers
       GIT_REPO = 'https://github.com/ComplianceAsCode/content.git'
     end
 
-    # If this is not set, the closest tag to the default branch will be used
+    # If this is not set, the highest numeric tag will be used
     GIT_BRANCH = nil
 
     if ENV['BEAKER_ssg_branch']
@@ -25,19 +25,20 @@ module Simp::BeakerHelpers
       'git',
       'openscap-python',
       'openscap-utils',
-      'python-lxml',
-      'python-jinja2'
+      'python-jinja2',
+      'python-lxml'
     ]
 
     EL8_PACKAGES = [
-      'python3',
-      'python3-pyyaml',
       'cmake',
       'git',
+      'make',
       'openscap-python3',
       'openscap-utils',
+      'python3',
+      'python3-jinja2',
       'python3-lxml',
-      'python3-jinja2'
+      'python3-pyyaml'
     ]
 
     OS_INFO = {
@@ -265,7 +266,7 @@ module Simp::BeakerHelpers
             "contains(@idref,'#{exl}')"
           end.join(' or ')
 
-          xpath_query << ')' if exclusions.size > 1
+          xpath_query << ')' if exclusions.size > 0
         end
 
         xpath_query << ')]'
@@ -383,7 +384,12 @@ module Simp::BeakerHelpers
         if GIT_BRANCH
           on(@sut, %(cd scap-content; git checkout #{GIT_BRANCH}))
         else
-          on(@sut, %(cd scap-content; git checkout $(git describe --abbrev=0 --tags)))
+          tags = on(@sut, %(cd scap-content; git tag -l)).output
+          target_tag = tags.lines.map(&:strip)
+            .select{|x| x.start_with?(/v\d+\./)}
+            .sort.last
+
+          on(@sut, %(cd scap-content; git checkout #{target_tag}))
         end
 
         # Work around the issue where the profiles now strip out derivative

data/lib/simp/beaker_helpers/version.rb

@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
-  VERSION = '1.23.0'
+  VERSION = '1.23.1'
 end

data/spec/acceptance/nodesets/docker.yml

@@ -21,28 +21,6 @@ CONFIG:
   type: aio
 <% if ENV['BEAKER_PUPPET_ENVIRONMENT'] -%>
   puppet_environment: <%= ENV['BEAKER_PUPPET_ENVIRONMENT'] %>
-<% end -%>
-  # This is necessary for pretty much all containers
-  docker_cap_add:
-    - AUDIT_WRITE
-<%
-  require 'docker-api'
-  unless ::Docker.podman?
--%>
-  # All items below this point are required for systemd
-  mount_folders:
-    cgroup:
-      host_path: /sys/fs/cgroup
-      container_path: /sys/fs/cgroup
-      opts: 'ro'
-  dockeropts:
-    HostConfig:
-      Tmpfs:
-        '/run': 'rw,noexec,nosuid,nodev,size=65536k'
-        '/run/lock': 'rw,noexec,nosuid,nodev,size=65536k'
-        '/tmp': 'rw,exec,nosuid,nodev,size=65536k'
-        '/sys/fs/cgroup/systemd': 'rw,size=65536k'
-        '/var/log/journal': 'rw,noexec,nodev,nosuid,size=65536k'
 <% end -%>
   ssh:
     password: root

data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb

@@ -55,12 +55,20 @@ describe 'FIPS pre-installed' do
   hosts.each do |host|
     context "on #{host}" do
       it 'does not create an alternate apply directory' do
-        on(host, 'test ! -d /root/.beaker_fips/modules')
+        if host[:hypervisor] == 'docker'
+          skip('Not supported on docker')
+        else
+          on(host, 'test ! -d /root/.beaker_fips/modules')
+        end
       end
 
       it 'has fips enabled' do
-        stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-        expect(stdout).to eq('1')
+        if host[:hypervisor] == 'docker'
+          skip('Not supported on docker')
+        else
+          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
+          expect(stdout).to eq('1')
+        end
       end
     end
   end

data/spec/acceptance/suites/inspec/00_default_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper_acceptance'
+require 'json'
+
+test_name 'Inspec STIG Profile'
+
+describe 'Inspec STIG Profile' do
+
+  profiles_to_validate = ['disa_stig']
+
+  hosts.each do |host|
+    profiles_to_validate.each do |profile|
+      context "for profile #{profile}" do
+        context "on #{host}" do
+          profile_path = File.join(
+              fixtures_path,
+              'inspec_profiles',
+              "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}"
+            )
+
+          unless File.exist?(profile_path)
+            it 'should run inspec' do
+              skip("No matching profile available at #{profile_path}")
+            end
+          else
+            before(:all) do
+              Simp::BeakerHelpers::Inspec.enable_repo_on(hosts)
+              @inspec = Simp::BeakerHelpers::Inspec.new(host, profile)
+
+              # If we don't do this, the variable gets reset
+              @inspec_report = { :data => nil }
+            end
+
+            it 'should run inspec' do
+              @inspec.run
+            end
+
+            it 'should have an inspec report' do
+              @inspec_report[:data] = @inspec.process_inspec_results
+
+              expect(@inspec_report[:data]).to_not be_nil
+
+              @inspec.write_report(@inspec_report[:data])
+            end
+
+            it 'should have a report' do
+              expect(@inspec_report[:data][:report]).to_not be_nil
+              puts @inspec_report[:data][:report]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/acceptance/suites/inspec/metadata.yml

@@ -0,0 +1,2 @@
+---
+'default_run': true

data/spec/acceptance/suites/inspec/nodesets

@@ -0,0 +1 @@
+spec/acceptance/suites/inspec/../../nodesets

data/spec/acceptance/suites/ssg/00_default_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper_acceptance'
+
+test_name 'SSG STIG Validation'
+
+describe 'run the SSG against the STIG profile' do
+
+  hosts.each do |host|
+    context "on #{host}" do
+      before(:all) do
+        @ssg = Simp::BeakerHelpers::SSG.new(host)
+
+        # If we don't do this, the variable gets reset
+        @ssg_report = { :data => nil }
+      end
+
+      it 'should run the SSG' do
+        profile = 'xccdf_org.ssgproject.content_profile_stig'
+
+        @ssg.evaluate(profile)
+      end
+
+      it 'should have an SSG report' do
+        # Validate that the filter works
+        filter = '_rule_audit'
+        host_exclusions = ['ssh_']
+
+        @ssg_report[:data] = @ssg.process_ssg_results(filter, host_exclusions)
+
+        expect(@ssg_report[:data]).to_not be_nil
+
+        @ssg.write_report(@ssg_report[:data])
+      end
+
+      it 'should have a report' do
+        expect(@ssg_report[:data][:report]).to_not be_nil
+        puts @ssg_report[:data][:report]
+      end
+    end
+  end
+end

data/spec/acceptance/suites/ssg/metadata.yml

@@ -0,0 +1,2 @@
+---
+'default_run': true

data/spec/acceptance/suites/ssg/nodesets

@@ -0,0 +1 @@
+spec/acceptance/suites/ssg/../../nodesets

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-  version: 1.23.0
+  version: 1.23.1
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-04 00:00:00.000000000 Z
+date: 2021-05-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: beaker
@@ -190,6 +190,7 @@ files:
 - ".fips_fixtures"
 - ".fixtures.yml"
 - ".github/workflows.local.json"
+- ".github/workflows/pr_acceptance.yml"
 - ".github/workflows/pr_glci.yml"
 - ".github/workflows/pr_glci_cleanup.yml"
 - ".github/workflows/pr_glci_manual.yml"
@@ -231,6 +232,9 @@ files:
 - spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
 - spec/acceptance/suites/fips_from_fixtures/metadata.yml
 - spec/acceptance/suites/fips_from_fixtures/nodesets
+- spec/acceptance/suites/inspec/00_default_spec.rb
+- spec/acceptance/suites/inspec/metadata.yml
+- spec/acceptance/suites/inspec/nodesets
 - spec/acceptance/suites/offline/00_default_spec.rb
 - spec/acceptance/suites/offline/README
 - spec/acceptance/suites/offline/nodesets/default.yml
@@ -239,11 +243,20 @@ files:
 - spec/acceptance/suites/snapshot/00_snapshot_test_spec.rb
 - spec/acceptance/suites/snapshot/10_general_usage_spec.rb
 - spec/acceptance/suites/snapshot/nodesets
+- spec/acceptance/suites/ssg/00_default_spec.rb
+- spec/acceptance/suites/ssg/metadata.yml
+- spec/acceptance/suites/ssg/nodesets
 - spec/acceptance/suites/windows/00_default_spec.rb
 - spec/acceptance/suites/windows/metadata.yml
 - spec/acceptance/suites/windows/nodesets/default.yml
 - spec/acceptance/suites/windows/nodesets/win2016.yml
 - spec/acceptance/suites/windows/nodesets/win2019.yml
+- spec/fixtures/inspec_profiles/CentOS-7-disa_stig
+- spec/fixtures/inspec_profiles/CentOS-8-disa_stig
+- spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb
+- spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml
+- spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb
+- spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml
 - spec/lib/simp/beaker_helpers_spec.rb
 - spec/spec_helper.rb
 - spec/spec_helper_acceptance.rb