Procházet zdrojové kódy

Merge pull request #207 from myii/feat/semantic-release

feat(semantic-release): implement for this formula
tags/v0.47.0
N před 5 roky
rodič
revize
abe4510f9f
Žádný účet není propojen s e-mailovou adresou tvůrce revize
20 změnil soubory, kde provedl 1167 přidání a 102 odebrání
  1. +122
    -0
      .gitignore
  2. +81
    -0
      .travis.yml
  3. +9
    -0
      FORMULA
  4. +6
    -0
      Gemfile
  5. +0
    -69
      README.rst
  6. +29
    -0
      bin/kitchen
  7. +3
    -0
      commitlint.config.js
  8. +159
    -0
      docs/CONTRIBUTING.rst
  9. +143
    -0
      docs/README.rst
  10. +151
    -0
      kitchen.yml
  11. +22
    -22
      pillar.example
  12. +30
    -0
      pre-commit_semantic-release.sh
  13. +18
    -0
      release-rules.js
  14. +106
    -0
      release.config.js
  15. +50
    -0
      test/integration/default/README.md
  16. +10
    -0
      test/integration/default/controls/config_spec.rb
  17. +14
    -0
      test/integration/default/inspec.yml
  18. +199
    -0
      test/salt/pillar/default.sls
  19. +10
    -8
      users/googleauth.sls
  20. +5
    -3
      users/init.sls

+ 122
- 0
.gitignore Zobrazit soubor

@@ -0,0 +1,122 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg

# PyInstaller
# Usually these files are written by a python script from a packager
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.kitchen
.kitchen.local.yml
kitchen.local.yml
junit-*.xml

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# SageMath parsed files
*.sage.py

# dotenv
.env

# virtualenv
.venv
venv/
ENV/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/

# Bundler
Gemfile.lock

# copied `.md` files used for conversion to `.rst` using `m2r`
docs/*.md

# Vim
*.sw?

## Collected when centralising formulas (check and sort)
# `collectd-formula`
.pytest_cache/
/.idea/
Dockerfile.*_*
ignore/
tmp/

+ 81
- 0
.travis.yml Zobrazit soubor

@@ -0,0 +1,81 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
stages:
- test
- commitlint
- name: release
if: branch = master AND type != pull_request

sudo: required
cache: bundler
language: ruby
dist: xenial

services:
- docker

# Make sure the instances listed below match up with
# the `platforms` defined in `kitchen.yml`
env:
matrix:
- INSTANCE: default-debian-10-develop-py3
# - INSTANCE: default-ubuntu-1804-develop-py3
# - INSTANCE: default-centos-7-develop-py3
# - INSTANCE: default-fedora-30-develop-py3
# - INSTANCE: default-opensuse-leap-15-develop-py3
# - INSTANCE: default-amazonlinux-2-develop-py2
# - INSTANCE: default-debian-9-2019-2-py3
- INSTANCE: default-ubuntu-1804-2019-2-py3
# - INSTANCE: default-centos-7-2019-2-py3
# - INSTANCE: default-fedora-30-2019-2-py3
# - INSTANCE: default-opensuse-leap-15-2019-2-py3
- INSTANCE: default-amazonlinux-2-2019-2-py2
# - INSTANCE: default-debian-9-2018-3-py2
# - INSTANCE: default-ubuntu-1604-2018-3-py2
# - INSTANCE: default-centos-7-2018-3-py2
- INSTANCE: default-fedora-29-2018-3-py2
- INSTANCE: default-opensuse-leap-15-2018-3-py2
# - INSTANCE: default-amazonlinux-2-2018-3-py2
# - INSTANCE: default-debian-8-2017-7-py2
# - INSTANCE: default-ubuntu-1604-2017-7-py2
- INSTANCE: default-centos-6-2017-7-py2
# - INSTANCE: default-fedora-29-2017-7-py2
# - INSTANCE: default-opensuse-leap-15-2017-7-py2
# - INSTANCE: default-amazonlinux-2-2017-7-py2

script:
- bin/kitchen verify ${INSTANCE}

jobs:
include:
# Define the commitlint stage
- stage: commitlint
language: node_js
node_js: lts/*
before_install: skip
script:
- npm install @commitlint/config-conventional -D
- npm install @commitlint/travis-cli -D
- commitlint-travis
# Define the release stage that runs semantic-release
- stage: release
language: node_js
node_js: lts/*
before_install: skip
script:
# Update `AUTHORS.md`
- export MAINTAINER_TOKEN=${GH_TOKEN}
- go get github.com/myii/maintainer
- maintainer contributor

# Install all dependencies required for `semantic-release`
- npm install @semantic-release/changelog@3 -D
- npm install @semantic-release/exec@3 -D
- npm install @semantic-release/git@7 -D
deploy:
provider: script
skip_cleanup: true
script:
# Run `semantic-release`
- npx semantic-release@15

+ 9
- 0
FORMULA Zobrazit soubor

@@ -0,0 +1,9 @@
name: users
os: Debian, Ubuntu, Raspbian, RedHat, Fedora, CentOS, Suse, openSUSE, Gentoo, Funtoo, Arch, Manjaro, Alpine, FreeBSD, OpenBSD, Solaris, SmartOS, Windows, MacOS
os_family: Debian, RedHat, Suse, Gentoo, Arch, Alpine, FreeBSD, OpenBSD, Solaris, Windows, MacOS
version: 0.46.1
release: 1
minimum_version: 2017.7
summary: users formula
description: Formula to configure users via pillar
top_level_dir: users

+ 6
- 0
Gemfile Zobrazit soubor

@@ -0,0 +1,6 @@
source "https://rubygems.org"

gem 'kitchen-docker', '>= 2.9'
gem 'kitchen-salt', '>= 0.6.0'
gem 'kitchen-inspec', '>= 1.1'


+ 0
- 69
README.rst Zobrazit soubor

@@ -1,69 +0,0 @@
=====
users
=====

Formula to configure users via pillar.


.. note::

See the full `Salt Formulas installation and usage instructions
<http://docs.saltstack.com/topics/development/conventions/formulas.html>`_.

Available states
================

.. contents::
:local:

``users``
---------

Configures a user's home directory, group, the user itself, secondary groups,
and associated keys. Also configures sudo access, and absent users.

``users.sudo``
--------------

Ensures the sudo group exists, the sudo package is installed and the sudo file
is configured.

``users.bashrc``
----------------

Ensures the bashrc file exists in the users home directory. Sets 'manage_bashrc:
True' in pillar per user. Defaults to False.

``users.profile``
----------------

Ensures the profile file exists in the users home directory. Sets 'manage_profile:
True' in pillar per user. Defaults to False.

``users.vimrc``
---------------

Ensures the vimrc file exists in the users home directory. Sets 'manage_vimrc:
True' in pillar per user. Defaults to False.
This depends on the vim-formula being available and pillar `users:use_vim_formula: True`.

``users.user_files``
---------------

Permits the abitrary management of files. See pillar.example for configuration details.

Overriding default values
=========================

In order to separate actual user account definitions from configuration the pillar ``users-formula`` was introduced:

.. code-block:: yaml

users:
myuser:
# stuff

users-formula:
lookup:
root_group: toor
shell: '/bin/zsh'

+ 29
- 0
bin/kitchen Zobrazit soubor

@@ -0,0 +1,29 @@
#!/usr/bin/env ruby
# frozen_string_literal: true

#
# This file was generated by Bundler.
#
# The application 'kitchen' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require "pathname"
ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../Gemfile",
Pathname.new(__FILE__).realpath)

bundle_binstub = File.expand_path("../bundle", __FILE__)

if File.file?(bundle_binstub)
if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
load(bundle_binstub)
else
abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
end
end

require "rubygems"
require "bundler/setup"

load Gem.bin_path("test-kitchen", "kitchen")

+ 3
- 0
commitlint.config.js Zobrazit soubor

@@ -0,0 +1,3 @@
module.exports = {
extends: ['@commitlint/config-conventional'],
};

+ 159
- 0
docs/CONTRIBUTING.rst Zobrazit soubor

@@ -0,0 +1,159 @@
.. _contributing:

How to contribute
=================

This document will eventually outline all aspects of guidance to make your contributing experience a fruitful and enjoyable one.
What it already contains is information about *commit message formatting* and how that directly affects the numerous automated processes that are used for this repo.
It also covers how to contribute to this *formula's documentation*.

.. contents:: **Table of Contents**

Overview
--------

Submitting a pull request is more than just code!
To achieve a quality product, the *tests* and *documentation* need to be updated as well.
An excellent pull request will include these in the changes, wherever relevant.

Commit message formatting
-------------------------

Since every type of change requires making Git commits,
we will start by covering the importance of ensuring that all of your commit
messages are in the correct format.

Automation of multiple processes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This formula uses `semantic-release <https://github.com/semantic-release/semantic-release>`_ for automating numerous processes such as bumping the version number appropriately, creating new tags/releases and updating the changelog.
The entire process relies on the structure of commit messages to determine the version bump, which is then used for the rest of the automation.

Full details are available in the upstream docs regarding the `Angular Commit Message Conventions <https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#-git-commit-guidelines>`_.
The key factor is that the first line of the commit message must follow this format:

.. code-block::

type(scope): subject


* E.g. ``docs(contributing): add commit message formatting instructions``.

Besides the version bump, the changelog and release notes are formatted accordingly.
So based on the example above:

..

.. raw:: html

<h3>Documentation</h3>

* **contributing:** add commit message formatting instructions


* The ``type`` translates into a ``Documentation`` sub-heading.
* The ``(scope):`` will be shown in bold text without the brackets.
* The ``subject`` follows the ``scope`` as standard text.

Linting commit messages in Travis CI
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This formula uses `commitlint <https://github.com/conventional-changelog/commitlint>`_ for checking commit messages during CI testing.
This ensures that they are in accordance with the ``semantic-release`` settings.

For more details about the default settings, refer back to the ``commitlint`` `reference rules <https://conventional-changelog.github.io/commitlint/#/reference-rules>`_.

Relationship between commit type and version bump
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This formula applies some customisations to the defaults, as outlined in the table below,
based upon the `type <https://github.com/angular/angular.js/blob/master/DEVELOPERS.md#type>`_ of the commit:

.. list-table::
:name: commit-type-vs-version-bump
:header-rows: 1
:stub-columns: 0
:widths: 1,2,3,1,1

* - Type
- Heading
- Description
- Bump (default)
- Bump (custom)
* - ``build``
- Build System
- Changes related to the build system
- –
-
* - ``chore``
- –
- Changes to the build process or auxiliary tools and libraries such as
documentation generation
- –
-
* - ``ci``
- Continuous Integration
- Changes to the continuous integration configuration
- –
-
* - ``docs``
- Documentation
- Documentation only changes
- –
- 0.0.1
* - ``feat``
- Features
- A new feature
- 0.1.0
-
* - ``fix``
- Bug Fixes
- A bug fix
- 0.0.1
-
* - ``perf``
- Performance Improvements
- A code change that improves performance
- 0.0.1
-
* - ``refactor``
- Code Refactoring
- A code change that neither fixes a bug nor adds a feature
- –
- 0.0.1
* - ``revert``
- Reverts
- A commit used to revert a previous commit
- –
- 0.0.1
* - ``style``
- Styles
- Changes that do not affect the meaning of the code (white-space,
formatting, missing semi-colons, etc.)
- –
- 0.0.1
* - ``test``
- Tests
- Adding missing or correcting existing tests
- –
- 0.0.1

Use ``BREAKING CHANGE`` to trigger a ``major`` version change
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Adding ``BREAKING CHANGE`` to the footer of the extended description of the commit message will **always** trigger a ``major`` version change, no matter which type has been used.
This will be appended to the changelog and release notes as well.
To preserve good formatting of these notes, the following format is prescribed:

* ``BREAKING CHANGE: <explanation in paragraph format>.``

An example of that:

.. code-block:: git

...

BREAKING CHANGE: With the removal of all of the `.sls` files under
`template package`, this formula no longer supports the installation of
packages.


+ 143
- 0
docs/README.rst Zobrazit soubor

@@ -0,0 +1,143 @@
.. _readme:

users
=====

|img_travis| |img_sr|

.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/users-formula.svg?branch=master
:alt: Travis CI Build Status
:scale: 100%
:target: https://travis-ci.com/saltstack-formulas/users-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
:alt: Semantic Release
:scale: 100%
:target: https://github.com/semantic-release/semantic-release

Formula to configure users via pillar.

.. contents:: **Table of Contents**

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.

See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.

Contributing to this repo
-------------------------

**Commit message formatting is significant!!**

Please see :ref:`How to contribute <CONTRIBUTING>` for more details.

Available states
----------------

.. contents::
:local:

``users``
^^^^^^^^^

Configures a user's home directory, group, the user itself, secondary groups,
and associated keys. Also configures sudo access, and absent users.

``users.sudo``
^^^^^^^^^^^^^^

Ensures the sudo group exists, the sudo package is installed and the sudo file
is configured.

``users.bashrc``
^^^^^^^^^^^^^^^^

Ensures the bashrc file exists in the users home directory. Sets 'manage_bashrc:
True' in pillar per user. Defaults to False.

``users.profile``
^^^^^^^^^^^^^^^^

Ensures the profile file exists in the users home directory. Sets 'manage_profile:
True' in pillar per user. Defaults to False.

``users.vimrc``
^^^^^^^^^^^^^^^

Ensures the vimrc file exists in the users home directory. Sets 'manage_vimrc:
True' in pillar per user. Defaults to False.
This depends on the vim-formula being available and pillar `users:use_vim_formula: True`.

``users.user_files``
^^^^^^^^^^^^^^^^^^^^

Permits the abitrary management of files. See pillar.example for configuration details.

Overriding default values
-------------------------

In order to separate actual user account definitions from configuration the pillar ``users-formula`` was introduced:

.. code-block:: yaml

users:
myuser:
# stuff

users-formula:
lookup:
root_group: toor
shell: '/bin/zsh'

Testing
-------

Linux testing is done with ``kitchen-salt``.

Requirements
^^^^^^^^^^^^

* Ruby
* Docker

.. code-block:: bash

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
e.g. ``debian-9-2019-2-py3``.

``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^

Creates the docker instance and runs the ``template`` main state, ready for testing.

``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^

Removes the docker instance.

``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.

+ 151
- 0
kitchen.yml Zobrazit soubor

@@ -0,0 +1,151 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# For help on this file's format, see https://kitchen.ci/
driver:
name: docker
use_sudo: false
privileged: true
run_command: /lib/systemd/systemd

# Make sure the platforms listed below match up with
# the `env.matrix` instances defined in `.travis.yml`
platforms:
## SALT `develop`
- name: debian-10-develop-py3
driver:
image: netmanagers/salt-develop-py3:debian-10
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: ubuntu-1804-develop-py3
driver:
image: netmanagers/salt-develop-py3:ubuntu-18.04
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: centos-7-develop-py3
driver:
image: netmanagers/salt-develop-py3:centos-7
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: fedora-30-develop-py3
driver:
image: netmanagers/salt-develop-py3:fedora-30
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: opensuse-leap-15-develop-py3
driver:
image: netmanagers/salt-develop-py3:opensuse-leap-15
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
run_command: /usr/lib/systemd/systemd
- name: amazonlinux-2-develop-py2
driver:
image: netmanagers/salt-develop-py2:amazonlinux-2
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python2 git develop

## SALT `2019.2`
- name: debian-9-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:debian-9
- name: ubuntu-1804-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:ubuntu-18.04
- name: centos-7-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:centos-7
- name: fedora-30-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:fedora-30
- name: opensuse-leap-15-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:opensuse-leap-15
run_command: /usr/lib/systemd/systemd
- name: amazonlinux-2-2019-2-py2
driver:
image: netmanagers/salt-2019.2-py2:amazonlinux-2

## SALT `2018.3`
- name: debian-9-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:debian-9
- name: ubuntu-1604-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:ubuntu-16.04
- name: centos-7-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:centos-7
- name: fedora-29-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:fedora-29
- name: opensuse-leap-15-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:opensuse-leap-15
run_command: /usr/lib/systemd/systemd
- name: amazonlinux-2-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:amazonlinux-2

## SALT `2017.7`
- name: debian-8-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:debian-8
- name: ubuntu-1604-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:ubuntu-16.04
- name: centos-6-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:centos-6
run_command: /sbin/init
- name: fedora-29-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:fedora-29
- name: opensuse-leap-15-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:opensuse-leap-15
run_command: /usr/lib/systemd/systemd
- name: amazonlinux-2-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:amazonlinux-2

provisioner:
name: salt_solo
log_level: info
salt_install: none
require_chef: false
formula: users
salt_copy_filter:
- .kitchen
- .git

verifier:
# https://www.inspec.io/
name: inspec
sudo: true
# cli, documentation, html, progress, json, json-min, json-rspec, junit
reporter:
- cli

suites:
- name: default
provisioner:
state_top:
base:
'*':
- users
pillars:
top.sls:
base:
'*':
- users
pillars_from_files:
users.sls: test/salt/pillar/default.sls
verifier:
inspec_tests:
- path: test/integration/default

+ 22
- 22
pillar.example Zobrazit soubor

@@ -1,3 +1,6 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
users-formula:
use_vim_formula: True
lookup: # override the defauls in map.jinja
@@ -7,8 +10,20 @@ users-formula:
groups:
foo:
state: present
gid: 500
gid: 1500
system: False
badguys:
absent: True
niceguys:
gid: 4242
system: False
addusers: root
delusers: toor
ssl-cert:
system: True
members:
- www-data
- openldap

users:
## Minimal required pillar values
@@ -16,7 +31,6 @@ users:
fullname: A User

## Full list of pillar values
allow_gid_change: False
buser:
fullname: B User
password: $6$w.............
@@ -35,7 +49,7 @@ users:
workphone: "(555) 555-5555"
homephone: "(555) 555-5551"
manage_vimrc: False
allow_gid_change: True
allow_gid_change: False
manage_bashrc: False
manage_profile: False
expire: 16426
@@ -61,7 +75,7 @@ users:
remove_groups: False
prime_group:
name: primarygroup
gid: 500
gid: 1501
groups:
- users
optional_groups:
@@ -138,7 +152,7 @@ users:

google_2fa: True
google_auth:
ssh: |
sshd: |
SOMEGAUTHHASHVAL
" RESETTING_TIME_SKEW 46956472+2 46991595-2
" RATE_LIMIT 3 30 1415800560
@@ -158,14 +172,14 @@ users:
# 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
# should be a salt fileserver path either with or without 'salt://'
# if not present, it defaults to 'salt://users/files/user/<username>
source: users/files/default
template: jinja
source: users/files
# template: jinja
# You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
# it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
# execution bit for example.
file_mode: keep
# You can specify octal mode for directories as well. This won't work on Windows minions
#dir_mode: 775
# dir_mode: 775
sym_mode: 640
exclude_pat: "*.gitignore"

@@ -180,17 +194,3 @@ users:
absent_users:
- donald
- bad_guy

groups:
badguys:
absent: True
niceguys:
gid: 4242
system: False
addusers: root
delusers: toor
ssl-cert:
system: True
members:
- www-data
- openldap

+ 30
- 0
pre-commit_semantic-release.sh Zobrazit soubor

@@ -0,0 +1,30 @@
#!/bin/sh

###############################################################################
# (A) Update `FORMULA` with `${nextRelease.version}`
###############################################################################
sed -i -e "s_^\(version:\).*_\1 ${1}_" FORMULA


###############################################################################
# (B) Use `m2r` to convert automatically produced `.md` docs to `.rst`
###############################################################################

# Install `m2r`
sudo -H pip install m2r

# Copy and then convert the `.md` docs
cp *.md docs/
cd docs/
m2r --overwrite *.md

# Change excess `H1` headings to `H2` in converted `CHANGELOG.rst`
sed -i -e '/^=.*$/s/=/-/g' CHANGELOG.rst
sed -i -e '1,4s/-/=/g' CHANGELOG.rst

# Use for debugging output, when required
# cat AUTHORS.rst
# cat CHANGELOG.rst

# Return back to the main directory
cd ..

+ 18
- 0
release-rules.js Zobrazit soubor

@@ -0,0 +1,18 @@
// No release is triggered for the types commented out below.
// Commits using these types will be incorporated into the next release.
//
// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
module.exports = [
{breaking: true, release: 'major'},
// {type: 'build', release: 'patch'},
// {type: 'chore', release: 'patch'},
// {type: 'ci', release: 'patch'},
{type: 'docs', release: 'patch'},
{type: 'feat', release: 'minor'},
{type: 'fix', release: 'patch'},
{type: 'perf', release: 'patch'},
{type: 'refactor', release: 'patch'},
{type: 'revert', release: 'patch'},
{type: 'style', release: 'patch'},
{type: 'test', release: 'patch'},
];

+ 106
- 0
release.config.js Zobrazit soubor

@@ -0,0 +1,106 @@
module.exports = {
branch: 'master',
plugins: [
['@semantic-release/commit-analyzer', {
preset: 'angular',
releaseRules: './release-rules.js',
}],
'@semantic-release/release-notes-generator',
['@semantic-release/changelog', {
changelogFile: 'CHANGELOG.md',
changelogTitle: '# Changelog',
}],
['@semantic-release/exec', {
prepareCmd: 'sh ./pre-commit_semantic-release.sh ${nextRelease.version}',
}],
['@semantic-release/git', {
assets: ['*.md', 'docs/*.rst', 'FORMULA'],
}],
'@semantic-release/github',
],
generateNotes: {
preset: 'angular',
writerOpts: {
// Required due to upstream bug preventing all types being displayed.
// Bug: https://github.com/conventional-changelog/conventional-changelog/issues/317
// Fix: https://github.com/conventional-changelog/conventional-changelog/pull/410
transform: (commit, context) => {
const issues = []

commit.notes.forEach(note => {
note.title = `BREAKING CHANGES`
})

// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
if (commit.type === `feat`) {
commit.type = `Features`
} else if (commit.type === `fix`) {
commit.type = `Bug Fixes`
} else if (commit.type === `perf`) {
commit.type = `Performance Improvements`
} else if (commit.type === `revert`) {
commit.type = `Reverts`
} else if (commit.type === `docs`) {
commit.type = `Documentation`
} else if (commit.type === `style`) {
commit.type = `Styles`
} else if (commit.type === `refactor`) {
commit.type = `Code Refactoring`
} else if (commit.type === `test`) {
commit.type = `Tests`
} else if (commit.type === `build`) {
commit.type = `Build System`
// } else if (commit.type === `chore`) {
// commit.type = `Maintenance`
} else if (commit.type === `ci`) {
commit.type = `Continuous Integration`
} else {
return
}

if (commit.scope === `*`) {
commit.scope = ``
}

if (typeof commit.hash === `string`) {
commit.hash = commit.hash.substring(0, 7)
}

if (typeof commit.subject === `string`) {
let url = context.repository
? `${context.host}/${context.owner}/${context.repository}`
: context.repoUrl
if (url) {
url = `${url}/issues/`
// Issue URLs.
commit.subject = commit.subject.replace(/#([0-9]+)/g, (_, issue) => {
issues.push(issue)
return `[#${issue}](${url}${issue})`
})
}
if (context.host) {
// User URLs.
commit.subject = commit.subject.replace(/\B@([a-z0-9](?:-?[a-z0-9/]){0,38})/g, (_, username) => {
if (username.includes('/')) {
return `@${username}`
}

return `[@${username}](${context.host}/${username})`
})
}
}

// remove references that already appear in the subject
commit.references = commit.references.filter(reference => {
if (issues.indexOf(reference.issue) === -1) {
return true
}

return false
})

return commit
},
},
},
};

+ 50
- 0
test/integration/default/README.md Zobrazit soubor

@@ -0,0 +1,50 @@
# InSpec Profile: `default`

This shows the implementation of the `default` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).

## Verify a profile

InSpec ships with built-in features to verify a profile structure.

```bash
$ inspec check default
Summary
-------
Location: default
Profile: profile
Controls: 4
Timestamp: 2019-06-24T23:09:01+00:00
Valid: true

Errors
------

Warnings
--------
```

## Execute a profile

To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.

```bash
$ inspec exec default
..

Finished in 0.0025 seconds (files took 0.12449 seconds to load)
8 examples, 0 failures
```

## Execute a specific control from a profile

To run one control from the profile use `inspec exec /path/to/profile --controls name`.

```bash
$ inspec exec default --controls package
.

Finished in 0.0025 seconds (files took 0.12449 seconds to load)
1 examples, 0 failures
```

See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).

+ 10
- 0
test/integration/default/controls/config_spec.rb Zobrazit soubor

@@ -0,0 +1,10 @@
control 'users configuration' do
title 'should match desired lines'

describe file('/custom/buser') do
its('type') { should eq :directory }
it { should be_owned_by 'buser' }
it { should be_grouped_into 'primarygroup' }
its('mode') { should cmp '0750' }
end
end

+ 14
- 0
test/integration/default/inspec.yml Zobrazit soubor

@@ -0,0 +1,14 @@
name: default
title: users formula
maintainer: SaltStack Formulas
license: Apache-2.0
summary: Verify that the users formula is setup and configured correctly
supports:
- platform-name: debian
- platform-name: ubuntu
- platform-name: centos
- platform-name: fedora
- platform-name: opensuse
- platform-name: suse
- platform-name: freebsd
- platform-name: amazon

+ 199
- 0
test/salt/pillar/default.sls Zobrazit soubor

@@ -0,0 +1,199 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
users-formula:
use_vim_formula: true
lookup: # override the defauls in map.jinja
root_group: root

# group initialization
groups:
foo:
state: present
gid: 1500
system: false
badguys:
absent: true
niceguys:
gid: 4242
system: false
addusers: root
delusers: toor
ssl-cert:
system: true
members:
# *TODO*: run groups after all users created and then use `auser` and `buser` instead
- root
- sshd
# - bin
# - daemon

users:
## Minimal required pillar values
auser:
fullname: A User

## Full list of pillar values
buser:
fullname: B User
password: $6$w.............
enforce_password: true
# WARNING: If 'empty_password' is set to true, the 'password' statement
# will be ignored by enabling password-less login for the user.
empty_password: false
hash_password: false
system: false
home: /custom/buser
homedir_owner: buser
homedir_group: primarygroup
user_dir_mode: 750
createhome: true
roomnumber: "A-1"
workphone: "(555) 555-5555"
homephone: "(555) 555-5551"
manage_vimrc: false
allow_gid_change: false
manage_bashrc: false
manage_profile: false
expire: 16426
# Disables user management except sudo rules.
# Useful for setting sudo rules for system accounts created by package instalation
sudoonly: false
sudouser: true
# sudo_rules doesn't need the username as a prefix for the rule
# this is added automatically by the formula.
# ----------------------------------------------------------------------
# In case your sudo_rules have a colon please have in mind to not leave
# spaces around it. For example:
# ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok)
# ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK
sudo_rules:
- ALL=(root) /usr/bin/find
- ALL=(otheruser) /usr/bin/script.sh
sudo_defaults:
- '!requiretty'
# enable polkitadmin to make user an AdminIdentity for polkit
polkitadmin: true
shell: /bin/bash
remove_groups: false
prime_group:
name: primarygroup
gid: 1501
groups:
- users
optional_groups:
- some_groups_that_might
- not_exist_on_all_minions
ssh_key_type: rsa
# # You can inline the private keys ...
# ssh_keys:
# privkey: PRIVATEKEY
# pubkey: PUBLICKEY
# # or you can provide path to key on Salt fileserver
# # privkey: salt://path_to_PRIVATEKEY
# # pubkey: salt://path_to_PUBLICKEY
# # you can provide multiple keys, the keyname is taken as filename
# # make sure your public keys suffix is .pub
# foobar: PRIVATEKEY
# foobar.pub: PUBLICKEY
# # ... or you can pull them from a different pillar,
# # for example one called "ssh_keys":
# ssh_keys_pillar:
# id_rsa: "ssh_keys"
# another_key_pair: "ssh_keys"
# ssh_auth:
# - PUBLICKEY
# ssh_auth.absent:
# - PUBLICKEY_TO_BE_REMOVED
# # Generates an authorized_keys file for the user
# # with the given keys
# ssh_auth_file:
# - PUBLICKEY
# # ... or you can pull them from a different pillar similar to ssh_keys_pillar
# ssh_auth_pillar:
# id_rsa: "ssh_keys"
# # If you prefer to keep public keys as files rather
# # than inline in pillar, this works.
# ssh_auth_sources:
# - salt://keys/buser.id_rsa.pub
# ssh_auth_sources.absent:
# - salt://keys/deleteduser.id_rsa.pub # PUBLICKEY_FILE_TO_BE_REMOVED
# Manage the ~/.ssh/config file
ssh_known_hosts:
importanthost:
port: 22
fingerprint: 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48
key: PUBLICKEY
enc: ssh-rsa
hash_known_hosts: true
timeout: 5
fingerprint_hash_type: sha256
ssh_known_hosts.absent:
- notimportanthost
ssh_config:
all:
hostname: "*"
options:
- "StrictHostKeyChecking no"
- "UserKnownHostsFile=/dev/null"
importanthost:
hostname: "needcheck.example.com"
options:
- "StrictHostKeyChecking yes"

# Using gitconfig without Git installed will result in an error
# https://docs.saltstack.com/en/latest/ref/states/all/salt.states.git.html:
# This state module now requires git 1.6.5 (released 10 October 2009) or newer.
gitconfig:
user.name: B User
user.email: buser@example.com
"url.https://.insteadOf": "git://"

gitconfig.absent:
- push.default
- color\..+

google_2fa: true
google_auth:
sshd: |
SOMEGAUTHHASHVAL
" RESETTING_TIME_SKEW 46956472+2 46991595-2
" RATE_LIMIT 3 30 1415800560
" DISALLOW_REUSE 47193352
" TOTP_AUTH
11111111
22222222
33333333
44444444
55555555
# unique: true allows user to have non unique uid
unique: false
uid: 1001

user_files:
enabled: true
# 'source' allows you to define an arbitrary directory to sync, useful to use for default files.
# should be a salt fileserver path either with or without 'salt://'
# if not present, it defaults to 'salt://users/files/user/<username>
source: users/files
# template: jinja
# You can specify octal mode for files and symlinks that will be copied. Since version 2016.11.0
# it's possible to use 'keep' for file_mode, to preserve file original mode, thus you can save
# execution bit for example.
file_mode: keep
# You can specify octal mode for directories as well. This won't work on Windows minions
# dir_mode: 775
sym_mode: 640
exclude_pat: "*.gitignore"

## Absent user
cuser:
absent: true
purge: true
force: true


## Old syntax of absent_users still supported
absent_users:
- donald
- bad_guy

+ 10
- 8
users/googleauth.sls Zobrazit soubor

@@ -1,6 +1,7 @@
# vim: sts=2 ts=2 sw=2 et ai
{% from "users/map.jinja" import users with context %}
{%- from "users/map.jinja" import users with context %}

{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
users_googleauth-package:
pkg.installed:
- name: {{ users.googleauth_package }}
@@ -14,10 +15,10 @@ users_{{ users.googleauth_dir }}:
- group: {{ users.root_group }}
- mode: 600

{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
{%- if user.get('google_2fa', True) %}
{%- for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
{%- if user.get('google_2fa', True) %}
users_googleauth-pam-{{ svc }}-{{ name }}:
file.replace:
- name: /etc/pam.d/{{ svc }}
@@ -25,7 +26,8 @@ users_googleauth-pam-{{ svc }}-{{ name }}:
- repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth"
- unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }}
- backup: .bak
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}

+ 5
- 3
users/init.sls Zobrazit soubor

@@ -506,8 +506,9 @@ users_{{ users.sudoers_dir }}/{{ sudoers_d_filename }}:
- name: {{ users.sudoers_dir }}/{{ sudoers_d_filename }}
{% endif %}

{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
{%- if not grains['os_family'] in ['RedHat', 'Suse'] %}
{%- if 'google_auth' in user %}
{%- for svc in user['google_auth'] %}
users_googleauth-{{ svc }}-{{ name }}:
file.managed:
- replace: false
@@ -518,7 +519,8 @@ users_googleauth-{{ svc }}-{{ name }}:
- mode: 400
- require:
- pkg: users_googleauth-package
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- endif %}

# this doesn't work (Salt bug), therefore need to run state.apply twice

Načítá se…
Zrušit
Uložit