fix(server-status): enable module in debian if `server_status_require…

4年前 · cb47ee30bf
--- a/apache/files/server-status.conf.jinja
+++ b/apache/files/server-status.conf.jinja
@@ -1,3 +1,7 @@
 ########################################################################
 # File managed by Salt at <{{ source }}>.
 # Your changes will be overwritten.
 ########################################################################
 <Location "/server-status">
    SetHandler server-status
 {%- if apache.version == '2.4' %}
--- a/apache/server_status.sls
+++ b/apache/server_status.sls
@@ -18,3 +18,19 @@ include:
      - module: apache-restart
      - module: apache-reload
      - service: apache

 {%- if grains['os_family'] == "Debian" %}
 a2enconf server-status:
  cmd.run:
    - unless: 'test -L /etc/apache2/conf-enabled/server-status.conf'
    - order: 225
    - require:
      - pkg: apache
      - file: {{ apache.confdir }}/server-status.conf
    - watch_in:
      - module: apache-restart
    - require_in:
      - module: apache-restart
      - module: apache-reload
      - service: apache
 {% endif %}
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -157,7 +157,7 @@ suites:
        base:
          '*':
            - apache
            - apache.mod_security
            - apache.config
      pillars:
        top.sls:
          base:
@@ -168,3 +168,21 @@ suites:
    verifier:
      inspec_tests:
        - path: test/integration/default
  - name: modules
    provisioner:
      state_top:
        base:
          '*':
            - apache
            - apache.mod_security
            - apache.server_status
      pillars:
        top.sls:
          base:
            '*':
              - apache
      pillars_from_files:
        apache.sls: test/salt/pillar/modules.sls
    verifier:
      inspec_tests:
        - path: test/integration/modules
--- a/test/integration/default/controls/config_spec.rb
+++ b/test/integration/default/controls/config_spec.rb
@@ -0,0 +1,39 @@
 # frozen_string_literal: true

 control 'apache configuration' do
  title 'should match desired lines'

  config_file =
    case platform[:family]
    when 'debian'
      '/etc/apache2/apache2.conf'
    when 'redhat', 'fedora'
      '/etc/httpd/conf/httpd.conf'
    when 'suse'
      '/etc/apache2/httpd.conf'
    # `linux` here is sufficient for `arch`
    when 'linux'
      '/etc/httpd/conf/httpd.conf'
    end
  describe file(config_file) do
    it { should be_file }
    it { should be_owned_by 'root' }
    it { should be_grouped_into 'root' }
    its('mode') { should cmp '0644' }
    its('content') do
      should include(
        'This file is managed by Salt! Do not edit by hand!'
      )
    end
  end
 end
 control 'apache configuration' do
  title 'should be valid'

  describe command('apachectl -t') do
    its('stdout') { should eq '' }
    its('stderr') { should include 'Syntax OK' }

    its('exit_status') { should eq 0 }
  end
 end
--- a/test/integration/default/controls/packages_spec.rb
+++ b/test/integration/default/controls/packages_spec.rb
@@ -0,0 +1,20 @@
 # frozen_string_literal: true

 control 'apache package' do
  title 'should be installed'

  package_name =
    case platform[:family]
    when 'debian', 'suse'
      'apache2'
    when 'redhat', 'fedora'
      'httpd'
    # `linux` here is sufficient for `arch`
    when 'linux'
      'apache'
    end

  describe package(package_name) do
    it { should be_installed }
  end
 end
--- a/test/integration/default/controls/services_spec.rb
+++ b/test/integration/default/controls/services_spec.rb
@@ -0,0 +1,19 @@
 # frozen_string_literal: true

 control 'apache service' do
  impact 0.5
  title 'should be running and enabled'

  service_name =
    case platform[:family]
    when 'debian', 'suse'
      'apache2'
    when 'redhat', 'fedora', 'linux'
      'httpd'
    end

  describe service(service_name) do
    it { should be_enabled }
    it { should be_running }
  end
 end
--- a/test/integration/modules/README.md
+++ b/test/integration/modules/README.md
@@ -0,0 +1,50 @@
 # InSpec Profile: `modules`

 This shows the implementation of the `modules` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).

 ## Verify a profile

 InSpec ships with built-in features to verify a profile structure.

 ```bash
 $ inspec check modules
 Summary
 -------
 Location: modules
 Profile: profile
 Controls: 4
 Timestamp: 2019-06-24T23:09:01+00:00
 Valid: true

 Errors
 ------

 Warnings
 --------
 ```

 ## Execute a profile

 To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.

 ```bash
 $ inspec exec modules
 ..

 Finished in 0.0025 seconds (files took 0.12449 seconds to load)
 8 examples, 0 failures
 ```

 ## Execute a specific control from a profile

 To run one control from the profile use `inspec exec /path/to/profile --controls name`.

 ```bash
 $ inspec exec modules --controls package
 .

 Finished in 0.0025 seconds (files took 0.12449 seconds to load)
 1 examples, 0 failures
 ```

 See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).
--- a/test/integration/modules/controls/config_spec.rb
+++ b/test/integration/modules/controls/config_spec.rb
@@ -0,0 +1,12 @@
 # frozen_string_literal: true

 control 'apache configuration' do
  title 'should be valid'

  describe command('apachectl -t') do
    its('stdout') { should eq '' }
    its('stderr') { should include 'Syntax OK' }

    its('exit_status') { should eq 0 }
  end
 end
--- a/test/integration/modules/controls/mod_security_spec.rb
+++ b/test/integration/modules/controls/mod_security_spec.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true

 control 'Apache mod_security configuration' do
 control 'apache mod_security configuration' do
  title 'should match desired lines'

  modspec_file =
@@ -9,6 +9,8 @@ control 'Apache mod_security configuration' do
      '/etc/httpd/conf.d/mod_security.conf'
    when 'debian'
      '/etc/modsecurity/modsecurity.conf-recommended'
    when 'suse'
      '/etc/apache2/conf.d/mod_security2.conf'
    end

  describe file(modspec_file) do
--- a/test/integration/modules/controls/packages_spec.rb
+++ b/test/integration/modules/controls/packages_spec.rb
@@ -0,0 +1,19 @@
 # frozen_string_literal: true

 control 'apache mod_security package' do
  title 'should be installed'

  package_name =
    case platform[:family]
    when 'debian'
      'libapache2-mod-security2'
    when 'redhat', 'fedora'
      'mod_security'
    when 'suse'
      'apache2-mod_security2'
    end

  describe package(package_name) do
    it { should be_installed }
  end
 end
--- a/test/integration/modules/controls/server_status_spec.rb
+++ b/test/integration/modules/controls/server_status_spec.rb
@@ -0,0 +1,36 @@
 # frozen_string_literal: true

 control 'apache server_status configuration' do
  title 'should match desired lines'

  server_status_stanza = <<~SS_STANZA
    <Location "/server-status">
        SetHandler server-status
        Require local
        Require host foo.example.com
        Require ip 10.8.8.0/24
    </Location>
  SS_STANZA

  confdir =
    case platform[:family]
    when 'debian'
      '/etc/apache2/conf-available'
    when 'redhat', 'fedora'
      '/etc/httpd/conf.d'
    when 'suse'
      '/etc/apache2/conf.d'
    # `linux` here is sufficient for `arch`
    when 'linux'
      '/etc/httpd/conf/extra'
    end

  describe file("#{confdir}/server-status.conf") do
    it { should be_file }
    it { should be_owned_by 'root' }
    it { should be_grouped_into 'root' }
    its('mode') { should cmp '0644' }
    its('content') { should include '# File managed by Salt' }
    its('content') { should include server_status_stanza }
  end
 end
--- a/test/integration/modules/controls/services_spec.rb
+++ b/test/integration/modules/controls/services_spec.rb
@@ -0,0 +1,19 @@
 # frozen_string_literal: true

 control 'apache service' do
  impact 0.5
  title 'should be running and enabled'

  service_name =
    case platform[:family]
    when 'debian', 'suse'
      'apache2'
    when 'redhat', 'fedora', 'linux'
      'httpd'
    end

  describe service(service_name) do
    it { should be_enabled }
    it { should_not be_running }
  end
 end
--- a/test/integration/modules/inspec.yml
+++ b/test/integration/modules/inspec.yml
@@ -0,0 +1,18 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
 name: modules
 title: apache formula
 maintainer: SaltStack Formulas
 license: Apache-2.0
 summary: Verify that the apache formula manages modules correctly
 supports:
  - platform-name: debian
  - platform-name: ubuntu
  - platform-name: centos
  - platform-name: fedora
  - platform-name: opensuse
  - platform-name: suse
  - platform-name: freebsd
  - platform-name: amazon
  - platform-name: arch
--- a/test/salt/pillar/default.sls
+++ b/test/salt/pillar/default.sls
@@ -1,17 +1,3 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
 apache:
  manage_service_states: false
  mod_security:
    crs_install: true
    manage_config: true
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'
--- a/test/salt/pillar/modules.sls
+++ b/test/salt/pillar/modules.sls
@@ -0,0 +1,22 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
 apache:
  manage_service_states: false
  mod_security:
    crs_install: true
    manage_config: true
    sec_rule_engine: 'On'
    sec_request_body_access: 'On'
    sec_request_body_limit: '14000000'
    sec_request_body_no_files_limit: '114002'
    sec_request_body_in_memory_limit: '114002'
    sec_request_body_limit_action: 'Reject'
    sec_pcre_match_limit: '15000'
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'
  server_status_require:
    ip:
      - 10.8.8.0/24
    host:
      - foo.example.com