* Semi-automated using https://github.com/myii/ssf-formula/pull/286

3 years ago · 22869e0c7f
--- a/CODEOWNERS
+++ b/CODEOWNERS
 # SECTION: Owner(s) for specific directories
 # FILE PATTERN                              OWNER(S)
 /test/                                      @myii
 # SECTION: Owner(s) for files/directories related to `semantic-release`
 # FILE PATTERN                              OWNER(S)
 /docs/AUTHORS.rst                           @saltstack-formulas/ssf
 /docs/CHANGELOG.rst                         @saltstack-formulas/ssf
 /docs/TOFS_pattern.rst                      @saltstack-formulas/ssf
 /*/_mapdata/                                @saltstack-formulas/ssf
 /*/libsaltcli.jinja                         @saltstack-formulas/ssf
 /*/libtofs.jinja                            @saltstack-formulas/ssf
 /test/integration/**/_mapdata_spec.rb       @saltstack-formulas/ssf
 /test/integration/**/libraries/system.rb    @saltstack-formulas/ssf
 /test/integration/**/inspec.yml             @saltstack-formulas/ssf
 /test/integration/**/README.md              @saltstack-formulas/ssf
 /.gitignore                                 @saltstack-formulas/ssf
--- a/firewalld/_mapdata/_mapdata.jinja
+++ b/firewalld/_mapdata/_mapdata.jinja
 # yamllint disable rule:indentation rule:line-length
 # {{ grains.get("osfinger", grains.os) }}
 ---
 {#- use salt.slsutil.serialize to avoid encoding errors on some platforms #}
 {{ salt["slsutil.serialize"](
     "yaml",
     map,
     default_flow_style=False,
     allow_unicode=True,
   )
   | regex_replace("^\s+'$", "'", multiline=True)
   | trim
 }}
--- a/firewalld/_mapdata/init.sls
+++ b/firewalld/_mapdata/init.sls
 # -*- coding: utf-8 -*-
 # vim: ft=sls
 ---
 {#- Get the `tplroot` from `tpldir` #}
 {%- set tplroot = tpldir.split("/")[0] %}
 {%- from tplroot ~ "/map.jinja" import firewalld with context %}
 {%- set _mapdata = {
      "values": {
        "firewalld": firewalld,
      }
    } %}
 {%- do salt["log.debug"]("### MAP.JINJA DUMP ###\n" ~ _mapdata | yaml(False)) %}
 {%- set output_dir = "/temp" if grains.os_family == "Windows" else "/tmp" %}
 {%- set output_file = output_dir ~ "/salt_mapdata_dump.yaml" %}
 {{ tplroot }}-mapdata-dump:
  file.managed:
    - name: {{ output_file }}
    - source: salt://{{ tplroot }}/_mapdata/_mapdata.jinja
    - template: jinja
    - context:
        map: {{ _mapdata | yaml }}
--- a/firewalld/yaml_dump/init.sls
+++ b/firewalld/yaml_dump/init.sls
 # -*- coding: utf-8 -*-
 # vim: ft=sls
 ---
 {#- Get the `tplroot` from `tpldir` #}
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import firewalld as map with context %}
 {%- set output_file = '/tmp/salt_yaml_dump.yaml' %}
 yaml-dump-{{ tplroot }}:
  file.managed:
    - name: {{ output_file }}
    - source: salt://{{ tplroot }}/yaml_dump/yaml_dump.jinja
    - template: jinja
    - context:
        map: {{ map | yaml }}
--- a/firewalld/yaml_dump/yaml_dump.jinja
+++ b/firewalld/yaml_dump/yaml_dump.jinja
 # yamllint disable rule:indentation rule:line-length
 # {{ grains.get('osfinger', grains.os) }}-{{ grains.saltversion }}-py{{ grains.pythonversion[0] }}
 ---
 {{ map|yaml(False)|trim }}
--- a/kitchen.yml
+++ b/kitchen.yml
      state_top:
        base:
          '*':
            - firewalld.yaml_dump
            - firewalld._mapdata
            - firewalld
      pillars:
        top.sls:
--- a/test/integration/default/controls/_mapdata_spec.rb
+++ b/test/integration/default/controls/_mapdata_spec.rb
 # frozen_string_literal: true
 require 'yaml'
 control '`map.jinja` YAML dump' do
  title 'should match the comparison file'
  ### Method
  # The steps below for each file appear convoluted but they are both required
  # and similar in nature:
  # 1. The earliest method was to simply compare the files textually but this often
  #    led to false positives due to inconsistencies (e.g. spacing, ordering)
  # 2. The next method was to load the files back into YAML structures and then
  #    compare but InSpec provided block diffs this way, unusable by end users
  # 3. The final step was to dump the YAML structures back into a string to use
  #    for the comparison; this both worked and provided human-friendly diffs
  ### Comparison file for the specific platform
  ### Static, adjusted as part of code contributions, as map data is changed
  # Strip the `platform[:finger]` version number down to the "OS major release"
  platform_finger = system.platform[:finger].split('.').first.to_s
  # Use that to set the path to the file (relative to the InSpec suite directory)
  mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
  # Load the mapdata from profile, into a YAML structure
  # https://docs.chef.io/inspec/profiles/#profile-files
  mapdata_file_yaml = YAML.safe_load(inspec.profile.file(mapdata_file_path))
  # Dump the YAML back into a string for comparison
  mapdata_file_dump = YAML.dump(mapdata_file_yaml)
  ### Output file produced by running the `_mapdata` state
  ### Dynamic, generated during Kitchen's `converge` phase
  # Derive the location of the dumped mapdata (differs for Windows)
  output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
  # Use that to set the path to the file (absolute path, i.e. within the container)
  output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
  # Load the output into a YAML structure using InSpec's `yaml` resource
  # https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
  output_file_yaml = yaml(output_file_path).params
  # Dump the YAML back into a string for comparison
  output_file_dump = YAML.dump(output_file_yaml)
  describe 'File content' do
    it 'should match profile map data exactly' do
      expect(output_file_dump).to eq(mapdata_file_dump)
    end
  end
 end
--- a/test/integration/default/controls/yaml_dump_spec.rb
+++ b/test/integration/default/controls/yaml_dump_spec.rb
 # frozen_string_literal: true
 control 'firewalld `map.jinja` YAML dump' do
  title 'should contain the lines'
  yaml_dump = "---\n"
  yaml_dump += <<~YAML_DUMP.chomp
    AllowZoneDrifting: 'no'
    AutomaticHelpers: system
    FirewallBackend: nftables
    FlushAllOnReload: 'yes'
    IndividualCalls: 'no'
    LogDenied: 'off'
    RFC3964_IPv4: 'yes'
    arch: amd64
    backend:
      manage: true
      pkg: nftables
    config: /etc/firewalld.conf
    default_zone: public
    direct:
      chain:
        MYCHAIN:
          ipv: ipv4
          table: raw
      rule:
        INTERNETACCESS:
          ipv: ipv4
          table: filter
          chain: FORWARD
          priority: '0'
          args: -i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED
            -j ACCEPT
      passthrough:
        MYPASSTHROUGH:
          ipv: ipv4
          args: -t raw -A MYCHAIN -j DROP
    enabled: true
    ipset:
      manage: true
      pkg: ipset
    ipsets:
      fail2ban-ssh:
        short: fail2ban-ssh
        description: fail2ban-ssh ipset
        type: hash:ip
        options:
          maxelem:
          - 65536
          timeout:
          - 300
          hashsize:
          - 1024
        entries:
        - 10.0.0.1
      fail2ban-ssh-ipv6:
        short: fail2ban-ssh-ipv6
        description: fail2ban-ssh-ipv6 ipset
        type: hash:ip
        options:
          family:
          - inet6
          maxelem:
          - 65536
          timeout:
          - 300
          hashsize:
          - 1024
        entries:
        - 2a01::1
    package: firewalld
    service: firewalld
    services:
      sshcustom:
        short: sshcustom
        description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging
          into and executing commands on remote machines. It provides secure encrypted
          communications. If you plan on accessing your machine remotely via SSH over
          a firewalled interface, enable this option. You need the openssh-server package
          installed for this option to be useful.
        ports:
          tcp:
          - 3232
          - 5252
        modules:
        - some_module_to_load
        protocols:
        - igmp
        source_ports:
          tcp:
          - 21
        destinations:
          ipv4:
          - 224.0.0.251
          - 224.0.0.252
          ipv6:
          - ff02::fb
          - ff02::fc
      zabbixcustom:
        short: Zabbixcustom
        description: zabbix custom rule
        ports:
          tcp:
          - '10051'
      salt-minion:
        short: salt-minion
        description: salt-minion
        ports:
          tcp:
          - '8000'
    zones:
      public:
        short: Public
        description: For use in public areas. You do not trust the other computers on
          networks to not harm your computer. Only selected incoming connections are accepted.
        services:
        - http
        - https
        - ssh
        - salt-minion
        other_services:
        - zabbixcustom
        protocols:
        - igmp
        rich_rules:
        - family: ipv4
          source:
            address: 8.8.8.8/24
          accept: true
        - family: ipv4
          ipset:
            name: fail2ban-ssh
          reject:
            type: icmp-port-unreachable
        ports:
        - comment: zabbix-agent
          port: 10050
          protocol: tcp
        - comment: bacula-client
          port: 9102
          protocol: tcp
        - comment: vsftpd
          port: 21
          protocol: tcp
        source_ports:
        - comment: something
          port: 2222
          protocol: tcp
        - comment: something_else
          port: 4444
          protocol: tcp
      rich_public:
        short: rich_public
        description: Example
        rich_rules:
          ssh-csg:
            accept: true
            ipsets:
            - fail2ban-ssh
            - other-ipset
            services:
            - ssh
  YAML_DUMP
  describe file('/tmp/salt_yaml_dump.yaml') do
    its('content') { should include yaml_dump }
  end
 end
--- a/test/integration/default/inspec.yml
+++ b/test/integration/default/inspec.yml
 maintainer: SaltStack Formulas
 license: Apache-2.0
 summary: Verify that the firewalld formula is setup and configured correctly
 depends:
  - name: share
    path: test/integration/share
 supports:
  - platform-name: debian
  - platform-name: ubuntu
--- a/test/integration/share/README.md
+++ b/test/integration/share/README.md
 # InSpec Profile: `share`
 This shows the implementation of the `share` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
 Its goal is to share the libraries between all profiles.
 ## Libraries
 ### `system`
 The `system` library provides easy access to system dependent information:
 - `system.platform`: based on `inspec.platform`, modify to values that are more consistent from a SaltStack perspective
  - `system.platform[:family]` provide a family name for Arch and Gentoo
  - `system.platform[:name]` append `linux` to both `amazon` and `oracle`; ensure Windows platforms are resolved as simply `windows`
  - `system.platform[:release]` tweak Arch, Amazon Linux, Gentoo and Windows:
    - `Arch` is always `base-latest`
    - `Amazon Linux` release `2018` is resolved as `1`
    - `Gentoo` release is trimmed to its major version number and then the init system is appended (i.e. `sysv` or `sysd`)
    - `Windows` uses the widely-used release number (e.g. `8.1` or `2019-server`) in place of the actual system release version
  - `system.platform[:finger]` is the concatenation of the name and the major release number (except for Ubuntu, which gives `ubuntu-20.04` for example)
--- a/test/integration/share/inspec.yml
+++ b/test/integration/share/inspec.yml
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
 name: share
 title: InSpec shared resources
 maintainer: SaltStack Formulas
 license: Apache-2.0
 summary: shared resources
 supports:
  - platform-name: debian
  - platform-name: ubuntu
  - platform-name: centos
  - platform-name: fedora
  - platform-name: opensuse
  - platform-name: suse
  - platform-name: freebsd
  - platform-name: amazon
  - platform-name: oracle
  - platform-name: arch
  - platform-name: gentoo
  - platform: windows
--- a/test/integration/share/libraries/system.rb
+++ b/test/integration/share/libraries/system.rb
 # frozen_string_literal: true
 # system.rb -- InSpec resources for system values
 # Author: Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
 # Copyright (C) 2020 Daniel Dehennin <daniel.dehennin@ac-dijon.fr>
 class SystemResource < Inspec.resource(1)
  name 'system'
  attr_reader :platform
  def initialize
    super
    @platform = build_platform
  end
  private
  def build_platform
    {
      family: build_platform_family,
      name: build_platform_name,
      release: build_platform_release,
      finger: build_platform_finger
    }
  end
  def build_platform_family
    case inspec.platform[:name]
    when 'arch', 'gentoo'
      inspec.platform[:name]
    else
      inspec.platform[:family]
    end
  end
  def build_platform_name
    case inspec.platform[:name]
    when 'amazon', 'oracle'
      "#{inspec.platform[:name]}linux"
    when 'windows_8.1_pro', 'windows_server_2019_datacenter'
      'windows'
    else
      inspec.platform[:name]
    end
  end
  # rubocop:disable Metrics/MethodLength
  def build_platform_release
    case inspec.platform[:name]
    when 'amazon'
      # `2018` relase is named `1` in kitchen.yaml
      inspec.platform[:release].gsub(/2018.*/, '1')
    when 'arch'
      'base-latest'
    when 'gentoo'
      "#{inspec.platform[:release].split('.')[0]}-#{derive_gentoo_init_system}"
    when 'windows_8.1_pro'
      '8.1'
    when 'windows_server_2019_datacenter'
      '2019-server'
    else
      inspec.platform[:release]
    end
  end
  # rubocop:enable Metrics/MethodLength
  def derive_gentoo_init_system
    case inspec.command('systemctl').exist?
    when true
      'sysd'
    else
      'sysv'
    end
  end
  def build_platform_finger
    "#{build_platform_name}-#{build_finger_release}"
  end
  def build_finger_release
    case inspec.platform[:name]
    when 'ubuntu'
      build_platform_release.split('.').slice(0, 2).join('.')
    else
      build_platform_release.split('.')[0]
    end
  end
 end