diff --git a/.github/workflows/pr_tests.yml b/.github/workflows/pr_tests.yml index 21ca28c..bcc5fb0 100644 --- a/.github/workflows/pr_tests.yml +++ b/.github/workflows/pr_tests.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: "Install Ruby ${{matrix.puppet.ruby_version}}" + - name: "Install Ruby 2.7" uses: ruby/setup-ruby@v1 # ruby/setup-ruby@ec106b438a1ff6ff109590de34ddc62c540232e0 with: ruby-version: 2.7 @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: "Install Ruby ${{matrix.puppet.ruby_version}}" + - name: "Install Ruby 2.7" uses: ruby/setup-ruby@v1 with: ruby-version: 2.7 @@ -56,13 +56,12 @@ jobs: - run: "bundle exec rake metadata_lint" ruby-style: - if: false # TODO Modules will need: rubocop in Gemfile, .rubocop.yml - name: 'Ruby Style (experimental)' + name: 'Ruby Style' runs-on: ubuntu-latest continue-on-error: true steps: - uses: actions/checkout@v3 - - name: "Install Ruby ${{matrix.puppet.ruby_version}}" + - name: "Install Ruby 2.7" uses: ruby/setup-ruby@v1 with: ruby-version: 2.7 @@ -89,7 +88,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: 'Install Ruby ${{matrix.puppet.ruby_version}}' + - name: 'Install Ruby 2.7' uses: ruby/setup-ruby@v1 with: ruby-version: 2.7 diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 0000000..65c8c0a --- /dev/null +++ b/.rubocop.yml 
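Review bot: The `ruby-style` job that the third hunk (`@@ -56,13 +56,12 @@`) switches on keeps `continue-on-error: true`, so RuboCop offences are reported but never fail a pull request. If the new `.rubocop.yml` is meant to be enforced, drop that line once the tree is clean; otherwise state it next to the key, for example `# advisory only: style offences do not block merges`. The steps visible in all four hunks reference `actions/checkout@v3` and `ruby/setup-ruby@v1` by mutable tag, and the first hunk carries the commit only as a trailing comment. Pinning the reference itself, as in `uses: ruby/setup-ruby@ec106b438a1ff6ff109590de34ddc62c540232e0 # v1`, would fix what the newly enabled job executes. The job definitions start and end outside the hunks, so any `permissions:` setting cannot be checked from here.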
@@ -0,0 +1,699 @@ +--- +require: + - rubocop-performance + - rubocop-rake + - rubocop-rspec +AllCops: + NewCops: enable + DisplayCopNames: true + TargetRubyVersion: "2.7" + Include: + - "**/*.rb" + Exclude: + - bin/* + - ".vendor/**/*" + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* + - "**/Puppetfile" + - "**/Vagrantfile" + - "**/Guardfile" +Layout/LineLength: + Description: People have wide screens, use them. + Max: 200 +RSpec/BeforeAfterAll: + Description: + Beware of using after(:all) as it may cause state to leak between tests. + A necessary evil in acceptance testing. + Exclude: + - spec/acceptance/**/*.rb +RSpec/HookArgument: + Description: Prefer explicit :each argument, matching existing module's style + EnforcedStyle: each +RSpec/DescribeSymbol: + Exclude: + - spec/unit/facter/**/*.rb +Style/BlockDelimiters: + Description: + Prefer braces for chaining. Mostly an aesthetical choice. Better to + be consistent then. + EnforcedStyle: braces_for_chaining +Style/ClassAndModuleChildren: + Description: Compact style reduces the required amount of indentation. + EnforcedStyle: compact +Style/EmptyElse: + Description: Enforce against empty else clauses, but allow `nil` for clarity. + EnforcedStyle: empty +Style/FormatString: + Description: Following the main puppet project's style, prefer the % format format. + EnforcedStyle: percent +Style/FormatStringToken: + Description: + Following the main puppet project's style, prefer the simpler template + tokens over annotated ones. + EnforcedStyle: template +Style/Lambda: + Description: Prefer the keyword for easier discoverability. + EnforcedStyle: literal +Style/RegexpLiteral: + Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 + EnforcedStyle: percent_r +Style/TernaryParentheses: + Description: + Checks for use of parentheses around ternary conditions. Enforce parentheses + on complex expressions for better readability, but seriously consider breaking + it up. 
+ EnforcedStyle: require_parentheses_when_complex +Style/TrailingCommaInArguments: + Description: + Prefer always trailing comma on multiline argument lists. This makes + diffs, and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/TrailingCommaInArrayLiteral: + Description: + Prefer always trailing comma on multiline literals. This makes diffs, + and re-ordering nicer. + EnforcedStyleForMultiline: comma +Style/SymbolArray: + Description: Using percent style obscures symbolic intent of array's contents. + EnforcedStyle: brackets +RSpec/MessageSpies: + EnforcedStyle: receive +Style/Documentation: + Exclude: + - lib/puppet/parser/functions/**/* + - spec/**/* +Style/WordArray: + EnforcedStyle: brackets +Performance/AncestorsInclude: + Enabled: true +Performance/BigDecimalWithNumericArgument: + Enabled: true +Performance/BlockGivenWithExplicitBlock: + Enabled: true +Performance/CaseWhenSplat: + Enabled: true +Performance/ConstantRegexp: + Enabled: true +Performance/MethodObjectAsBlock: + Enabled: true +Performance/RedundantSortBlock: + Enabled: true +Performance/RedundantStringChars: + Enabled: true +Performance/ReverseFirst: + Enabled: true +Performance/SortReverse: + Enabled: true +Performance/Squeeze: + Enabled: true +Performance/StringInclude: + Enabled: true +Performance/Sum: + Enabled: true +Style/CollectionMethods: + Enabled: true +Style/MethodCalledOnDoEndBlock: + Enabled: true +Style/StringMethods: + Enabled: true +Bundler/GemFilename: + Enabled: false +Bundler/InsecureProtocolSource: + Enabled: false +Gemspec/DuplicatedAssignment: + Enabled: false +Gemspec/OrderedDependencies: + Enabled: false +Gemspec/RequiredRubyVersion: + Enabled: false +Gemspec/RubyVersionGlobalsUsage: + Enabled: false +Layout/ArgumentAlignment: + Enabled: false +Layout/BeginEndAlignment: + Enabled: false +Layout/ClosingHeredocIndentation: + Enabled: false +Layout/EmptyComment: + Enabled: false +Layout/EmptyLineAfterGuardClause: + Enabled: false 
+Layout/EmptyLinesAroundArguments: + Enabled: false +Layout/EmptyLinesAroundAttributeAccessor: + Enabled: false +Layout/EndOfLine: + Enabled: false +Layout/FirstArgumentIndentation: + Enabled: false +Layout/HashAlignment: + Enabled: false +Layout/HeredocIndentation: + Enabled: false +Layout/LeadingEmptyLines: + Enabled: false +Layout/SpaceAroundMethodCallOperator: + Enabled: false +Layout/SpaceInsideArrayLiteralBrackets: + Enabled: false +Layout/SpaceInsideReferenceBrackets: + Enabled: false +Lint/BigDecimalNew: + Enabled: false +Lint/BooleanSymbol: + Enabled: false +Lint/ConstantDefinitionInBlock: + Enabled: false +Lint/DeprecatedOpenSSLConstant: + Enabled: false +Lint/DisjunctiveAssignmentInConstructor: + Enabled: false +Lint/DuplicateElsifCondition: + Enabled: false +Lint/DuplicateRequire: + Enabled: false +Lint/DuplicateRescueException: + Enabled: false +Lint/EmptyConditionalBody: + Enabled: false +Lint/EmptyFile: + Enabled: false +Lint/ErbNewArguments: + Enabled: false +Lint/FloatComparison: + Enabled: false +Lint/HashCompareByIdentity: + Enabled: false +Lint/IdentityComparison: + Enabled: false +Lint/InterpolationCheck: + Enabled: false +Lint/MissingCopEnableDirective: + Enabled: false +Lint/MixedRegexpCaptureTypes: + Enabled: false +Lint/NestedPercentLiteral: + Enabled: false +Lint/NonDeterministicRequireOrder: + Enabled: false +Lint/OrderedMagicComments: + Enabled: false +Lint/OutOfRangeRegexpRef: + Enabled: false +Lint/RaiseException: + Enabled: false +Lint/RedundantCopEnableDirective: + Enabled: false +Lint/RedundantRequireStatement: + Enabled: false +Lint/RedundantSafeNavigation: + Enabled: false +Lint/RedundantWithIndex: + Enabled: false +Lint/RedundantWithObject: + Enabled: false +Lint/RegexpAsCondition: + Enabled: false +Lint/ReturnInVoidContext: + Enabled: false +Lint/SafeNavigationConsistency: + Enabled: false +Lint/SafeNavigationWithEmpty: + Enabled: false +Lint/SelfAssignment: + Enabled: false +Lint/SendWithMixinArgument: + Enabled: false 
+Lint/ShadowedArgument: + Enabled: false +Lint/StructNewOverride: + Enabled: false +Lint/ToJSON: + Enabled: false +Lint/TopLevelReturnWithArgument: + Enabled: false +Lint/TrailingCommaInAttributeDeclaration: + Enabled: false +Lint/UnreachableLoop: + Enabled: false +Lint/UriEscapeUnescape: + Enabled: false +Lint/UriRegexp: + Enabled: false +Lint/UselessMethodDefinition: + Enabled: false +Lint/UselessTimes: + Enabled: false +Metrics/AbcSize: + Enabled: false +Metrics/BlockLength: + Enabled: false +Metrics/BlockNesting: + Enabled: false +Metrics/ClassLength: + Enabled: false +Metrics/CyclomaticComplexity: + Enabled: false +Metrics/MethodLength: + Enabled: false +Metrics/ModuleLength: + Enabled: false +Metrics/ParameterLists: + Enabled: false +Metrics/PerceivedComplexity: + Enabled: false +Migration/DepartmentName: + Enabled: false +Naming/AccessorMethodName: + Enabled: false +Naming/BlockParameterName: + Enabled: false +Naming/HeredocDelimiterCase: + Enabled: false +Naming/HeredocDelimiterNaming: + Enabled: false +Naming/MemoizedInstanceVariableName: + Enabled: false +Naming/MethodParameterName: + Enabled: false +Naming/RescuedExceptionsVariableName: + Enabled: false +Naming/VariableNumber: + Enabled: false +Performance/BindCall: + Enabled: false +Performance/DeletePrefix: + Enabled: false +Performance/DeleteSuffix: + Enabled: false +Performance/InefficientHashSearch: + Enabled: false +Performance/UnfreezeString: + Enabled: false +Performance/UriDefaultParser: + Enabled: false +RSpec/Be: + Enabled: false +RSpec/Dialect: + Enabled: false +RSpec/ContainExactly: + Enabled: false +RSpec/ContextMethod: + Enabled: false +RSpec/ContextWording: + Enabled: false +RSpec/DescribeClass: + Enabled: false +RSpec/EmptyHook: + Enabled: false +RSpec/EmptyLineAfterExample: + Enabled: false +RSpec/EmptyLineAfterExampleGroup: + Enabled: false +RSpec/EmptyLineAfterHook: + Enabled: false +RSpec/ExampleLength: + Enabled: false +RSpec/ExampleWithoutDescription: + Enabled: false 
+RSpec/ExpectChange: + Enabled: false +RSpec/ExpectInHook: + Enabled: false +RSpec/HooksBeforeExamples: + Enabled: false +RSpec/ImplicitBlockExpectation: + Enabled: false +RSpec/ImplicitSubject: + Enabled: false +RSpec/LeakyConstantDeclaration: + Enabled: false +RSpec/LetBeforeExamples: + Enabled: false +RSpec/MatchArray: + Enabled: false +RSpec/MissingExampleGroupArgument: + Enabled: false +RSpec/MultipleExpectations: + Enabled: false +RSpec/MultipleMemoizedHelpers: + Enabled: false +RSpec/MultipleSubjects: + Enabled: false +RSpec/NestedGroups: + Enabled: false +RSpec/PredicateMatcher: + Enabled: false +RSpec/ReceiveCounts: + Enabled: false +RSpec/ReceiveNever: + Enabled: false +RSpec/RepeatedExampleGroupBody: + Enabled: false +RSpec/RepeatedExampleGroupDescription: + Enabled: false +RSpec/RepeatedIncludeExample: + Enabled: false +RSpec/ReturnFromStub: + Enabled: false +RSpec/SharedExamples: + Enabled: false +RSpec/StubbedMock: + Enabled: false +RSpec/UnspecifiedException: + Enabled: false +RSpec/VariableDefinition: + Enabled: false +RSpec/VoidExpect: + Enabled: false +RSpec/Yield: + Enabled: false +Security/Open: + Enabled: false +Style/AccessModifierDeclarations: + Enabled: false +Style/AccessorGrouping: + Enabled: false +Style/BisectedAttrAccessor: + Enabled: false +Style/CaseLikeIf: + Enabled: false +Style/ClassEqualityComparison: + Enabled: false +Style/ColonMethodDefinition: + Enabled: false +Style/CombinableLoops: + Enabled: false +Style/CommentedKeyword: + Enabled: false +Style/Dir: + Enabled: false +Style/DoubleCopDisableDirective: + Enabled: false +Style/EmptyBlockParameter: + Enabled: false +Style/EmptyLambdaParameter: + Enabled: false +Style/Encoding: + Enabled: false +Style/EvalWithLocation: + Enabled: false +Style/ExpandPathArguments: + Enabled: false +Style/ExplicitBlockArgument: + Enabled: false +Style/ExponentialNotation: + Enabled: false +Style/FloatDivision: + Enabled: false +Style/FrozenStringLiteralComment: + Enabled: false 
+Style/GlobalStdStream: + Enabled: false +Style/HashAsLastArrayItem: + Enabled: false +Style/HashLikeCase: + Enabled: false +Style/HashTransformKeys: + Enabled: false +Style/HashTransformValues: + Enabled: false +Style/IfUnlessModifier: + Enabled: false +Style/KeywordParametersOrder: + Enabled: false +Style/MinMax: + Enabled: false +Style/MixinUsage: + Enabled: false +Style/MultilineWhenThen: + Enabled: false +Style/NegatedUnless: + Enabled: false +Style/NumericPredicate: + Enabled: false +Style/OptionalBooleanParameter: + Enabled: false +Style/OrAssignment: + Enabled: false +Style/RandomWithOffset: + Enabled: false +Style/RedundantAssignment: + Enabled: false +Style/RedundantCondition: + Enabled: false +Style/RedundantConditional: + Enabled: false +Style/RedundantFetchBlock: + Enabled: false +Style/RedundantFileExtensionInRequire: + Enabled: false +Style/RedundantRegexpCharacterClass: + Enabled: false +Style/RedundantRegexpEscape: + Enabled: false +Style/RedundantSelfAssignment: + Enabled: false +Style/RedundantSort: + Enabled: false +Style/RescueStandardError: + Enabled: false +Style/SingleArgumentDig: + Enabled: false +Style/SlicingWithRange: + Enabled: false +Style/SoleNestedConditional: + Enabled: false +Style/StderrPuts: + Enabled: false +Style/StringConcatenation: + Enabled: false +Style/Strip: + Enabled: false +Style/SymbolProc: + Enabled: false +Style/TrailingBodyOnClass: + Enabled: false +Style/TrailingBodyOnMethodDefinition: + Enabled: false +Style/TrailingBodyOnModule: + Enabled: false +Style/TrailingCommaInHashLiteral: + Enabled: false +Style/TrailingMethodEndStatement: + Enabled: false +Style/UnpackFirst: + Enabled: false +Gemspec/DeprecatedAttributeAssignment: + Enabled: false +Gemspec/DevelopmentDependencies: + Enabled: false +Gemspec/RequireMFA: + Enabled: false +Layout/LineContinuationLeadingSpace: + Enabled: false +Layout/LineContinuationSpacing: + Enabled: false +Layout/LineEndStringConcatenationIndentation: + Enabled: false 
+Layout/SpaceBeforeBrackets: + Enabled: false +Lint/AmbiguousAssignment: + Enabled: false +Lint/AmbiguousOperatorPrecedence: + Enabled: false +Lint/AmbiguousRange: + Enabled: false +Lint/ConstantOverwrittenInRescue: + Enabled: false +Lint/DeprecatedConstants: + Enabled: false +Lint/DuplicateBranch: + Enabled: false +Lint/DuplicateMagicComment: + Enabled: false +Lint/DuplicateMatchPattern: + Enabled: false +Lint/DuplicateRegexpCharacterClassElement: + Enabled: false +Lint/EmptyBlock: + Enabled: false +Lint/EmptyClass: + Enabled: false +Lint/EmptyInPattern: + Enabled: false +Lint/IncompatibleIoSelectWithFiberScheduler: + Enabled: false +Lint/LambdaWithoutLiteralBlock: + Enabled: false +Lint/NoReturnInBeginEndBlocks: + Enabled: false +Lint/NonAtomicFileOperation: + Enabled: false +Lint/NumberedParameterAssignment: + Enabled: false +Lint/OrAssignmentToConstant: + Enabled: false +Lint/RedundantDirGlobSort: + Enabled: false +Lint/RefinementImportMethods: + Enabled: false +Lint/RequireRangeParentheses: + Enabled: false +Lint/RequireRelativeSelfPath: + Enabled: false +Lint/SymbolConversion: + Enabled: false +Lint/ToEnumArguments: + Enabled: false +Lint/TripleQuotes: + Enabled: false +Lint/UnexpectedBlockArity: + Enabled: false +Lint/UnmodifiedReduceAccumulator: + Enabled: false +Lint/UselessRescue: + Enabled: false +Lint/UselessRuby2Keywords: + Enabled: false +Metrics/CollectionLiteralLength: + Enabled: false +Naming/BlockForwarding: + Enabled: false +Performance/CollectionLiteralInLoop: + Enabled: false +Performance/ConcurrentMonotonicTime: + Enabled: false +Performance/MapCompact: + Enabled: false +Performance/RedundantEqualityComparisonBlock: + Enabled: false +Performance/RedundantSplitRegexpArgument: + Enabled: false +Performance/StringIdentifierArgument: + Enabled: false +RSpec/BeEq: + Enabled: false +RSpec/BeNil: + Enabled: false +RSpec/ChangeByZero: + Enabled: false +RSpec/ClassCheck: + Enabled: false +RSpec/DuplicatedMetadata: + Enabled: false 
+RSpec/ExcessiveDocstringSpacing: + Enabled: false +RSpec/IdenticalEqualityAssertion: + Enabled: false +RSpec/NoExpectationExample: + Enabled: false +RSpec/PendingWithoutReason: + Enabled: false +RSpec/RedundantAround: + Enabled: false +RSpec/SkipBlockInsideExample: + Enabled: false +RSpec/SortMetadata: + Enabled: false +RSpec/SubjectDeclaration: + Enabled: false +RSpec/VerifiedDoubleReference: + Enabled: false +Security/CompoundHash: + Enabled: false +Security/IoMethods: + Enabled: false +Style/ArgumentsForwarding: + Enabled: false +Style/ArrayIntersect: + Enabled: false +Style/CollectionCompact: + Enabled: false +Style/ComparableClamp: + Enabled: false +Style/ConcatArrayLiterals: + Enabled: false +Style/DataInheritance: + Enabled: false +Style/DirEmpty: + Enabled: false +Style/DocumentDynamicEvalDefinition: + Enabled: false +Style/EmptyHeredoc: + Enabled: false +Style/EndlessMethod: + Enabled: false +Style/EnvHome: + Enabled: false +Style/FetchEnvVar: + Enabled: false +Style/FileEmpty: + Enabled: false +Style/FileRead: + Enabled: false +Style/FileWrite: + Enabled: false +Style/HashConversion: + Enabled: false +Style/HashExcept: + Enabled: false +Style/IfWithBooleanLiteralBranches: + Enabled: false +Style/InPatternThen: + Enabled: false +Style/MagicCommentFormat: + Enabled: false +Style/MapCompactWithConditionalBlock: + Enabled: false +Style/MapToHash: + Enabled: false +Style/MapToSet: + Enabled: false +Style/MinMaxComparison: + Enabled: false +Style/MultilineInPatternThen: + Enabled: false +Style/NegatedIfElseCondition: + Enabled: false +Style/NestedFileDirname: + Enabled: false +Style/NilLambda: + Enabled: false +Style/NumberedParameters: + Enabled: false +Style/NumberedParametersLimit: + Enabled: false +Style/ObjectThen: + Enabled: false +Style/OpenStructUse: + Enabled: false +Style/OperatorMethodCall: + Enabled: false +Style/QuotedSymbols: + Enabled: false +Style/RedundantArgument: + Enabled: false +Style/RedundantConstantBase: + Enabled: false 
+Style/RedundantDoubleSplatHashBraces: + Enabled: false +Style/RedundantEach: + Enabled: false +Style/RedundantHeredocDelimiterQuotes: + Enabled: false +Style/RedundantInitialize: + Enabled: false +Style/RedundantLineContinuation: + Enabled: false +Style/RedundantSelfAssignmentBranch: + Enabled: false +Style/RedundantStringEscape: + Enabled: false +Style/SelectByRegexp: + Enabled: false +Style/StringChars: + Enabled: false +Style/SwapValues: + Enabled: false diff --git a/Gemfile b/Gemfile index e74c3da..7c330d6 100644 --- a/Gemfile +++ b/Gemfile @@ -10,16 +10,23 @@ ENV['PDK_DISABLE_ANALYTICS'] ||= 'true' gem_sources.each { |gem_source| source gem_source } +group :syntax do + gem 'metadata-json-lint' + gem 'puppet-lint-trailing_comma-check', require: false + gem 'rubocop', '~> 1.68.0' + gem 'rubocop-performance', '~> 1.23.0' + gem 'rubocop-rake', '~> 0.6.0' + gem 'rubocop-rspec', '~> 3.2.0' +end + group :test do puppet_version = ENV.fetch('PUPPET_VERSION', ['>= 7', '< 9']) major_puppet_version = Array(puppet_version).first.scan(%r{(\d+)(?:\.|\Z)}).flatten.first.to_i gem 'hiera-puppet-helper' - gem 'metadata-json-lint' gem 'pathspec', '~> 0.2' if Gem::Requirement.create('< 2.6').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) gem('pdk', ENV.fetch('PDK_VERSION', ['>= 2.0', '< 4.0']), require: false) if major_puppet_version > 5 gem 'puppet', puppet_version gem 'puppetlabs_spec_helper' - gem 'puppet-lint-trailing_comma-check', require: false gem 'puppet-strings' gem 'rake' gem 'rspec' diff --git a/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb b/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb index 0947ee9..c57f1b3 100644 --- a/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb +++ b/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb 
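Review bot: `Security/Open`, `Security/IoMethods`, `Security/CompoundHash` and `Bundler/InsecureProtocolSource` are switched off in the same sweep as the style and layout cops, which removes the few checks in this configuration that look at unsafe `open`/`IO` calls and insecure gem source declarations. Nothing in the file says why. If they were disabled only to keep the first run quiet, leave them at their defaults and fix or inline-disable the individual offences. `NewCops: enable` also sits oddly beside a few hundred explicit `Enabled: false` entries, so a comment at the top saying whether the list is generated, and from what, would help the next maintainer.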
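Review bot: `metadata-json-lint` moves from `:test` to the new `:syntax` group, so any environment that installs with that group excluded loses the gem that the `bundle exec rake metadata_lint` step in pr_tests.yml presumably relies on. The hunk does not show how the workflow runs `bundle install`, so this needs confirming. The four RuboCop gems are pinned with `~>` to a patch series while the two moved gems stay unconstrained; a one-line comment above the group saying why the RuboCop versions are held would make the difference deliberate rather than accidental.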
@@ -3,14 +3,14 @@ test_name 'aide STIG enforcement of simp profile' describe 'aide STIG enforcement of simp profile' do - - let(:manifest) { + let(:manifest) do <<-EOS include 'aide' EOS - } + end - let(:hieradata) { <<-EOF + let(:hieradata) do + <<-EOF --- simp_options::pki: true simp_options::pki::source: '/etc/pki/simp-testing/pki' @@ -18,11 +18,11 @@ compliance_markup::enforcement: - disa_stig EOF - } + end hosts.each do |host| - - let(:hiera_yaml) { <<-EOM + let(:hiera_yaml) do + <<-EOM --- version: 5 hierarchy: @@ -34,25 +34,25 @@ data_hash: yaml_data datadir: "#{hiera_datadir(host)}" EOM - } + end context 'when enforcing the STIG' do - it 'should work with no errors' do + it 'works with no errors' do create_remote_file(host, host.puppet['hiera_config'], hiera_yaml) write_hieradata_to(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should reboot and then run puppet twice for audit updates' do + it 'reboots and then run puppet twice for audit updates' do host.reboot - apply_manifest_on(host, manifest, :catch_failures => true) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end end end diff --git a/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb b/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb index ebf3188..e58c29d 100644 --- a/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb +++ b/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb 
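Review bot: `let(:hiera_yaml)` is declared inside `hosts.each` but directly in the outer `describe` group (second hunk, `@@ -18,11 +18,11 @@`), so as far as I can tell each iteration redefines the same helper. Every example then gets the block from the last host, including its `hiera_datadir(host)`. Moving the `let` into the per-host `context` of the third hunk keeps the value tied to the host under test, and naming that context per host, `context "when enforcing the STIG on #{host}" do`, keeps the output distinguishable. The new description `'reboots and then run puppet twice for audit updates'` should read `runs`.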
@@ -4,7 +4,6 @@ test_name 'Check Inspec for simp profile' describe 'run inspec against the appropriate fixtures for simp audit profile' do - profiles_to_validate = ['disa_stig'] hosts.each do |host| @@ -14,32 +13,28 @@ profile_path = File.join( fixtures_path, 'inspec_profiles', - "#{fact_on(host, 'os.name')}-#{fact_on(host, 'os.release.major')}-#{profile}" + "#{fact_on(host, 'os.name')}-#{fact_on(host, 'os.release.major')}-#{profile}", ) - unless File.exist?(profile_path) - it 'should run inspec' do - skip("No matching profile available at #{profile_path}") - end - else + if File.exist?(profile_path) before(:all) do Simp::BeakerHelpers::Inspec.enable_repo_on(hosts) @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) - @inspec_report = {:data => nil} + @inspec_report = { data: nil } end - it 'should run inspec' do + it 'runs inspec' do @inspec.run end - it 'should have an inspec report' do + it 'has an inspec report' do @inspec_report[:data] = @inspec.process_inspec_results info = [ 'Results:', " * Passed: #{@inspec_report[:data][:passed]}", " * Failed: #{@inspec_report[:data][:failed]}", - " * Skipped: #{@inspec_report[:data][:skipped]}" + " * Skipped: #{@inspec_report[:data][:skipped]}", ] puts info.join("\n") @@ -47,16 +42,20 @@ @inspec.write_report(@inspec_report[:data]) end - it 'should have run some tests' do + it 'has run some tests' do expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0 end - it 'should not have any failing tests' do + it 'does not have any failing tests' do if @inspec_report[:data][:failed] > 0 puts @inspec_report[:data][:report] end - expect( @inspec_report[:data][:failed] ).to eq(0) + expect(@inspec_report[:data][:failed]).to eq(0) + end + else + it 'runs inspec' do + skip("No matching profile available at #{profile_path}") end end end 
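Review bot: When `profile_path` does not exist, the rewritten `else` branch in `@@ -14,32 +13,28 @@` and `@@ -47,16 +42,20 @@` registers only `it 'runs inspec'` with `skip(...)`, so a run against an OS with no matching fixture finishes green without a single InSpec control being evaluated. For a compliance suite that is easy to overlook. Consider failing unless an explicit opt-out is set, or at least add a comment above the branch such as `# a skipped example here means the STIG profile was NOT checked on this host`. The enclosing loops start outside the hunks.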
diff --git a/spec/acceptance/suites/compliance/10_stig_profile_oscap_spec.rb b/spec/acceptance/suites/compliance/10_stig_profile_oscap_spec.rb index 3808dee..dd4e21b 100644 --- a/spec/acceptance/suites/compliance/10_stig_profile_oscap_spec.rb +++ b/spec/acceptance/suites/compliance/10_stig_profile_oscap_spec.rb @@ -3,7 +3,6 @@ test_name 'Check SCAP for stig profile' describe 'run the SSG against the appropriate fixtures for stig aide profile' do - hosts.each do |host| context "on #{host}" do before(:all) do @@ -18,10 +17,10 @@ end # If we don't do this, the variable gets reset - @ssg_report = { :data => nil } + @ssg_report = { data: nil } end - it 'should run the SSG' do + it 'runs the SSG' do pending("SSG support for #{@os_str}") unless @ssg_supported profile = 'xccdf_org.ssgproject.content_profile_stig' @@ -29,25 +28,25 @@ @ssg.evaluate(profile) end - it 'should have an SSG report' do + it 'has an SSG report' do pending("SSG support for #{@os_str}") unless @ssg_supported # Filter on records containing '_aide_' # This isn't perfect, but it should be partially OK @ssg_report[:data] = @ssg.process_ssg_results('rule_aide_') - expect(@ssg_report[:data]).to_not be_nil + expect(@ssg_report[:data]).not_to be_nil @ssg.write_report(@ssg_report[:data]) end - it 'should have run some tests' do + it 'has run some tests' do pending("SSG support for #{@os_str}") unless @ssg_supported expect(@ssg_report[:data][:failed].count + @ssg_report[:data][:passed].count).to be > 0 end - it 'should not have any failing tests' do + it 'does not have any failing tests' do pending("SSG support for #{@os_str}") unless @ssg_supported if @ssg_report[:data][:failed].count > 0 diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 112e3aa..ecfa3dc 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb 
@@ -3,107 +3,111 @@ test_name 'aide class' describe 'aide class' do - let(:manifest) { + let(:manifest) do <<-EOS include aide EOS - } + end - let(:changes_detected) { + let(:changes_detected) do # Both aide --check and aide --update return a non-zero error code # when any changes are detected. This is actually a bit mask with # bits for new file detections, removed file detections, and changed # file detections. Error codes greater than 7 are other errors. [1, 2, 3, 4, 5, 6, 7] - } + end hosts.each do |host| context 'with defaults' do - let(:hieradata) {{ - 'simp_options::auditd' => false, - 'simp_options::syslog' => false, - 'simp_options::logrotate' => false, - 'auditd::enable' => false, - }} - - it 'should install psmisc for killall' do + let(:hieradata) do + { + 'simp_options::auditd' => false, + 'simp_options::syslog' => false, + 'simp_options::logrotate' => false, + 'auditd::enable' => false, + } + end + + it 'installs psmisc for killall' do # centos/7 box doesn't have psmisc installed by default install_package(host, 'psmisc') end - it 'should work with no errors' do + it 'works with no errors' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end it "'aide' package should be installed" do check_for_package(host, 'aide') end - it 'should generate the database' do + it 'generates the database' do on(host, 'ls /var/lib/aide/aide.db.gz') end - it 'should retain the output database for SCAP xccdf_org.ssgproject.content_rule_aide_build_database' do + it 'retains the output database for SCAP xccdf_org.ssgproject.content_rule_aide_build_database' do on(host, 'ls /var/lib/aide/aide.db.new.gz') end - it 'should generate an empty or clean report when no problems are found' do + it 
'generates an empty or clean report when no problems are found' do on(host, '/usr/local/sbin/update_aide') on(host, '/usr/sbin/aide --check') report = on(host, 'cat /var/log/aide/aide.report').stdout - expect(report).to match(/^(.+NO differences.+)?$/) + expect(report).to match(%r{^(.+NO differences.+)?$}) end - it 'should generate a valid report when problems are found' do + it 'generates a valid report when problems are found' do on(host, 'touch /etc/yum.conf') - on(host, '/usr/sbin/aide --check', :acceptable_exit_codes => changes_detected) + on(host, '/usr/sbin/aide --check', acceptable_exit_codes: changes_detected) on(host, "grep 'found differences between database and filesystem' /var/log/aide/aide.report") on(host, "grep '/etc/.*\.conf' /var/log/aide/aide.report") end - it 'should not generate /var/log/aide/aide.log' do - on(host, 'ls /var/log/aide/aide.log', :acceptable_exit_codes => 2) + it 'does not generate /var/log/aide/aide.log' do + on(host, 'ls /var/log/aide/aide.log', acceptable_exit_codes: 2) end end context 'with syslog and logrotate enabled' do - let(:hieradata) {{ - 'simp_options::auditd' => false , - 'simp_options::syslog' => true , - 'simp_options::logrotate' => true, - 'aide::syslog_format' => true, - 'auditd::enable' => false, - }} - - it 'should work with no errors' do + let(:hieradata) do + { + 'simp_options::auditd' => false, + 'simp_options::syslog' => true, + 'simp_options::logrotate' => true, + 'aide::syslog_format' => true, + 'auditd::enable' => false, + } + end + + it 'works with no errors' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) # rsyslog changes require a second run - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + 
apply_manifest_on(host, manifest, catch_changes: true) end - it 'should generate an empty or clean report and log nothing when no problems are found' do + it 'generates an empty or clean report and log nothing when no problems are found' do on(host, '/usr/local/sbin/update_aide') on(host, 'logrotate --force /etc/logrotate.simp.d/aide') on(host, '/usr/sbin/aide --check') report = on(host, 'cat /var/log/aide/aide.report').stdout - expect(report).to match(/^(.+NO differences.+)?$/) + expect(report).to match(%r{^(.+NO differences.+)?$}) log = on(host, 'cat /var/log/aide/aide.log').stdout - expect(log).to match(/^(.+NO differences.+)?$/) + expect(log).to match(%r{^(.+NO differences.+)?$}) end - it 'should generate a valid report and log that report when problems are found' do + it 'generates a valid report and log that report when problems are found' do on(host, 'touch /etc/yum.conf') - on(host, '/usr/sbin/aide --check', :acceptable_exit_codes => changes_detected) + on(host, '/usr/sbin/aide --check', acceptable_exit_codes: changes_detected) on(host, "grep 'found differences between database and filesystem' /var/log/aide/aide.report") on(host, "grep '/etc/.*\.conf' /var/log/aide/aide.report") diff --git a/spec/acceptance/suites/default/05_schedule_spec.rb b/spec/acceptance/suites/default/05_schedule_spec.rb index ecf862f..69e6c25 100644 --- a/spec/acceptance/suites/default/05_schedule_spec.rb +++ b/spec/acceptance/suites/default/05_schedule_spec.rb @@ -14,7 +14,7 @@ let(:core_hieradata) do { - 'aide::enable' => true, + 'aide::enable' => true, 'simp_options::auditd' => false, 'simp_options::syslog' => false, 'simp_options::logrotate' => false, 
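Review bot: The clean-report assertion `expect(report).to match(%r{^(.+NO differences.+)?$})` can pass on a report that lists changes, because the group is optional and `^`/`$` anchor per line; any empty line, or the end of a report that finishes with a newline, satisfies it. The same pattern is applied to `aide.log` in the syslog context of this hunk. Anchoring on the whole string keeps the stated intent of "empty or clean", for example `expect(report.strip).to match(%r{\A(.*NO differences.*)?\z}m)`. Without that, the "no problems found" examples do not distinguish a clean AIDE run from one that detected modifications.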
@@ -28,26 +28,26 @@ hosts.each do |host| context 'with defaults' do - it 'should work with no errors' do + it 'works with no errors' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should be running puppet_aide.timer' do + it 'is running puppet_aide.timer' do output = on(host, 'puppet resource service puppet_aide.timer --to_yaml').stdout - service = YAML.load(output)['service']['puppet_aide.timer'] - expect{ service['ensure'].to eq 'running' } - expect{ service['enable'].to eq 'true' } + service = YAML.safe_load(output)['service']['puppet_aide.timer'] + expect { service['ensure'].to eq 'running' } + expect { service['enable'].to eq 'true' } end - it 'should have puppet_aide.service loaded' do + it 'has puppet_aide.service loaded' do output = on(host, 'puppet resource service puppet_aide.service --to_yaml').stdout - service = YAML.load(output)['service']['puppet_aide.service'] - expect{ service['enable'].to eq 'true' } + service = YAML.safe_load(output)['service']['puppet_aide.service'] + expect { service['enable'].to eq 'true' } end end 
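Review bot: The reformatted `expect { service['ensure'].to eq 'running' }` lines still hand `expect` a block with no matcher attached, so the block is never run. None of the timer, service or cron checks in this hunk or in `@@ -56,41 +56,41 @@` asserts anything. The value form is what was meant: `expect(service['ensure']).to eq 'running'`, and likewise for `enable` and the `cron[...]` fields. Once they execute, the expected literals (`'true'`, `['22']`) need checking against what `YAML.safe_load` actually returns for the `puppet resource ... --to_yaml` output.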
@@ -56,41 +56,41 @@ core_hieradata.merge( { 'aide::cron_method' => 'root' - } + }, ) end - it 'should work with no errors' do + it 'works with no errors' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should not be running puppet_aide.timer' do + it 'is not running puppet_aide.timer' do output = on(host, 'puppet resource service puppet_aide.timer --to_yaml').stdout - service = YAML.load(output)['service']['puppet_aide.timer'] - expect{ service['ensure'].to eq 'stopped' } - expect{ service['enable'].to eq 'false' } + service = YAML.safe_load(output)['service']['puppet_aide.timer'] + expect { service['ensure'].to eq 'stopped' } + expect { service['enable'].to eq 'false' } end - it 'should not have puppet_aide.service loaded' do + it 'does not have puppet_aide.service loaded' do output = on(host, 'puppet resource service puppet_aide.service --to_yaml').stdout - service = YAML.load(output)['service']['puppet_aide.service'] - expect{ service['ensure'].to eq 'stopped' } - expect{ service['enable'].to eq 'false' } + service = YAML.safe_load(output)['service']['puppet_aide.service'] + expect { service['ensure'].to eq 'stopped' } + expect { service['enable'].to eq 'false' } end - it 'should have the root cron entry' do + it 'has the root cron entry' do output = on(host, 'puppet resource cron aide_schedule --to_yaml').stdout - cron = YAML.load(output)['cron']['aide_schedule'] - expect{ cron['command'].to eq '/bin/nice -n 19 /usr/sbin/aide --check' } - expect{ cron['user'].to eq 'root' } - expect{ cron['minute'].to eq ['22'] } - expect{ cron['hour'].to eq ['4'] } - expect{ cron['weekday'].to eq ['0'] } + cron = YAML.safe_load(output)['cron']['aide_schedule'] + expect { 
cron['command'].to eq '/bin/nice -n 19 /usr/sbin/aide --check' } + expect { cron['user'].to eq 'root' } + expect { cron['minute'].to eq ['22'] } + expect { cron['hour'].to eq ['4'] } + expect { cron['weekday'].to eq ['0'] } end end 
@@ -99,82 +99,82 @@ core_hieradata.merge( { 'aide::cron_method' => 'etc' - } + }, ) end - it 'should work with no errors' do + it 'works with no errors' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should not be running puppet_aide.timer' do + it 'is not running puppet_aide.timer' do output = on(host, 'puppet resource service puppet_aide.timer --to_yaml').stdout - service = YAML.load(output)['service']['puppet_aide.timer'] - expect{ service['ensure'].to eq 'stopped' } - expect{ service['enable'].to eq 'false' } + service = YAML.safe_load(output)['service']['puppet_aide.timer'] + expect { service['ensure'].to eq 'stopped' } + expect { service['enable'].to eq 'false' } end - it 'should not have puppet_aide.service loaded' do + it 'does not have puppet_aide.service loaded' do output = on(host, 'puppet resource service puppet_aide.service --to_yaml').stdout - service = YAML.load(output)['service']['puppet_aide.service'] - expect{ service['ensure'].to eq 'stopped' } - expect{ service['enable'].to eq 'false' } + service = YAML.safe_load(output)['service']['puppet_aide.service'] + expect { service['ensure'].to eq 'stopped' } + expect { service['enable'].to eq 'false' } end - it 'should not have the root cron entry' do + it 'does not have the root cron entry' do output = on(host, 'puppet resource cron aide_schedule --to_yaml').stdout - cron = YAML.load(output)['cron']['aide_schedule'] - expect{ cron['ensure'].to eq 'absent' } + cron = YAML.safe_load(output)['cron']['aide_schedule'] + expect { cron['ensure'].to eq 'absent' } end - it 'should have the expected entry in /etc/crontab' do - crontab = file_contents_on(host, '/etc/crontab').lines.select{|x| x.include?('aide')} + it 'has 
the expected entry in /etc/crontab' do + crontab = file_contents_on(host, '/etc/crontab').lines.select { |x| x.include?('aide') } - expect{ crontab.size.to eq 1 } - expect{ crontab.first.strip to eq '22 4 * * 0 root /bin/nice -n 19 /usr/sbin/aide --check' } + expect { crontab.size.to eq 1 } + expect { crontab.first.strip to eq '22 4 * * 0 root /bin/nice -n 19 /usr/sbin/aide --check' } end - it 'should add an excess entry' do + it 'adds an excess entry' do on(host, 'echo "* * * * * root /usr/sbin/aide --check" >> /etc/crontab') end - it 'should run puppet' do - apply_manifest_on(host, manifest, :catch_failures => true) + it 'runs puppet' do + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should run be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'runs be idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should not have an excess entry' do - crontab = file_contents_on(host, '/etc/crontab').lines.select{|x| x.include?('aide')} + it 'does not have an excess entry' do + crontab = file_contents_on(host, '/etc/crontab').lines.select { |x| x.include?('aide') } - expect{ crontab.size.to eq 1 } - expect{ crontab.first.strip to eq '22 4 * * 0 root /bin/nice -n 19 /usr/sbin/aide --check' } + expect { crontab.size.to eq 1 } + expect { crontab.first.strip to eq '22 4 * * 0 root /bin/nice -n 19 /usr/sbin/aide --check' } end - it 'should change the current entry' do + it 'changes the current entry' do on(host, 'sed -i "s/22/21/g" /etc/crontab') end - it 'should run puppet' do - apply_manifest_on(host, manifest, :catch_failures => true) + it 'runs puppet' do + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should run be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'runs be idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should have a corrected entry' do - crontab = file_contents_on(host, 
'/etc/crontab').lines.select{|x| x.include?('aide')} + it 'has a corrected entry' do + crontab = file_contents_on(host, '/etc/crontab').lines.select { |x| x.include?('aide') } - expect{ crontab.size.to eq 1 } - expect{ crontab.first.strip to eq '22 4 * * 0 root /bin/nice -n 19 /usr/sbin/aide --check' } + expect { crontab.size.to eq 1 } + expect { crontab.first.strip to eq '22 4 * * 0 root /bin/nice -n 19 /usr/sbin/aide --check' } end end end diff --git a/spec/classes/default_rules_spec.rb b/spec/classes/default_rules_spec.rb index dce3e90..8e947cd 100644 --- a/spec/classes/default_rules_spec.rb +++ b/spec/classes/default_rules_spec.rb @@ -109,14 +109,14 @@ end context 'with custom ruledir' do - let(:params) {{ :ruledir => '/etc/aide.d' }} + let(:params) { { ruledir: '/etc/aide.d' } } it { is_expected.to contain_aide__rule('default').with_ruledir('/etc/aide.d') } end context 'with custom default rules' do let(:custom_rules) { "/bin HIGH\n/sbin HIGH" } - let(:params) {{ :default_rules => custom_rules }} + let(:params) { { default_rules: custom_rules } } it { is_expected.to contain_aide__rule('default').with_rules(custom_rules) } end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 1aa0e33..86aeab8 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -2,23 +2,23 @@ describe 'aide' do context 'supported operating systems' do - on_supported_os.each do |os, os_facts| + on_supported_os.each_value do |os_facts| context 'with FIPS enabled' do - let(:facts) { + let(:facts) do facts = os_facts.dup facts['fips_enabled'] = true facts - } + end context 'with default parameters' do it { is_expected.to create_class('aide') } it { is_expected.to compile.with_all_deps } it { is_expected.to contain_class('aide::default_rules') } - it { is_expected.to create_file('/etc/aide.conf.d/default.aide').with_content(/\/bin\s+NORMAL/) } - it { is_expected.to_not contain_class('aide::set_schedule') } - it { is_expected.to_not contain_class('aide::logrotate') } - it { is_expected.to_not contain_class('aide::syslog') } - it { is_expected.to_not contain_auditd__rule('aide') } + it { is_expected.to create_file('/etc/aide.conf.d/default.aide').with_content(%r{/bin\s+NORMAL}) } + it { is_expected.not_to contain_class('aide::set_schedule') } + it { is_expected.not_to contain_class('aide::logrotate') } + it { is_expected.not_to contain_class('aide::syslog') } + it { is_expected.not_to contain_auditd__rule('aide') } it { is_expected.to contain_package('aide') } it { is_expected.to contain_file('/etc/aide.conf.d').with_ensure('directory') } it { is_expected.to contain_file('/var/lib/aide').with_ensure('directory') } @@ -26,7 +26,8 @@ it { is_expected.to contain_concat('/etc/aide.conf') } it { is_expected.to contain_concat__fragment('aide.conf').with_target('/etc/aide.conf') } - it { is_expected.to contain_concat__fragment('aide.conf').with_content(<<~EOM + it { + is_expected.to contain_concat__fragment('aide.conf').with_content(<<~EOM, @@define DBDIR /var/lib/aide @@define LOGDIR /var/log/aide database=file:@@{DBDIR}/aide.db.gz @@ -47,7 +48,8 @@ LSPP = R DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha1+sha256 EOM - )} + ) + } it { expected = <<~EOM 
@@ -80,31 +82,39 @@ end context 'with enabled logrotate, syslog, and auditd set to true' do - let(:params) {{ - :enable => true, - :logrotate => true, - :syslog => true, - :auditd => true - }} + let(:params) do + { + enable: true, + logrotate: true, + syslog: true, + auditd: true + } + end it { is_expected.to contain_class('aide::set_schedule') } - it{ is_expected.to contain_concat__fragment('aide.conf').with_content( - /report_url=file:@@{LOGDIR}\/aide.report/ ) + it { + is_expected.to contain_concat__fragment('aide.conf').with_content( + %r{report_url=file:@@{LOGDIR}/aide.report}, + ) } - it{ is_expected.to contain_concat__fragment('aide.conf').with_content( - /report_url=syslog:LOG_LOCAL6/ ) + it { + is_expected.to contain_concat__fragment('aide.conf').with_content( + %r{report_url=syslog:LOG_LOCAL6}, + ) } it { is_expected.to contain_class('aide::logrotate') } - it { is_expected.to contain_logrotate__rule('aide').with( { - :log_files => [ "/var/log/aide/*.log" ], - :missingok => true, - :rotate_period => 'weekly', - :rotate => 4, - :lastaction_restart_logger => true - } ) } + it { + is_expected.to contain_logrotate__rule('aide').with({ + log_files: [ '/var/log/aide/*.log' ], + missingok: true, + rotate_period: 'weekly', + rotate: 4, + lastaction_restart_logger: true + }) + } it { is_expected.to contain_class('aide::syslog') } it { is_expected.to contain_class('rsyslog') } 
@@ -115,27 +125,31 @@ end context 'custom default rules' do - let(:params) {{ - :default_rules => <<~EOM + let(:params) do + { + default_rules: <<~EOM /bin HIGH /sbin HIGH EOM - }} - it { is_expected.to create_file('/etc/aide.conf.d/default.aide').with_content(/\/bin\s+HIGH/) } + } + end + + it { is_expected.to create_file('/etc/aide.conf.d/default.aide').with_content(%r{/bin\s+HIGH}) } end end context 'with FIPS disabled' do - let(:facts) { + let(:facts) do facts = os_facts.dup facts['fips_enabled'] = false facts - } + end context 'with default parameters' do it { is_expected.to create_class('aide') } if os_facts[:os][:release][:major] < '8' - it { is_expected.to contain_concat__fragment('aide.conf').with_content(<<~EOM + it { + is_expected.to contain_concat__fragment('aide.conf').with_content(<<~EOM, @@define DBDIR /var/lib/aide @@define LOGDIR /var/log/aide database=file:@@{DBDIR}/aide.db.gz @@ -156,9 +170,11 @@ LSPP = R DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 EOM - ) } + ) + } else - it { is_expected.to contain_concat__fragment('aide.conf').with_content(<<~EOM + it { + is_expected.to contain_concat__fragment('aide.conf').with_content(<<~EOM, @@define DBDIR /var/lib/aide @@define LOGDIR /var/log/aide database=file:@@{DBDIR}/aide.db.gz @@ -176,7 +192,8 @@ LSPP = R DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 EOM - ) } + ) + } end end end diff --git a/spec/classes/set_schedule_spec.rb b/spec/classes/set_schedule_spec.rb index 333fc62..0e0ff96 100644 --- a/spec/classes/set_schedule_spec.rb +++ b/spec/classes/set_schedule_spec.rb @@ -2,7 +2,7 @@ describe 'aide::set_schedule' do context 'supported operating systems' do - on_supported_os.each do |os, os_facts| + on_supported_os.each_value do |os_facts| let(:pre_condition) do <<~PRECOND function assert_private(){} 
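Review bot: The context line `if os_facts[:os][:release][:major] < '8'` compares the major release as a string, so a two-digit release such as '10' sorts below '8' and would be checked against the expected aide.conf for the older platforms. Comparing numerically avoids that: `if os_facts[:os][:release][:major].to_i < 8`. The enclosing `describe` block starts outside this hunk, so whether any supported OS currently hits this case cannot be seen from here.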
@@ -17,13 +17,13 @@ it { is_expected.to create_class('aide::set_schedule') } it do - is_expected.to create_systemd__timer('puppet_aide.timer'). - with_timer_content(/OnCalendar=Sun \*-\* 4:\d+/). - with_service_content(/Type=oneshot/). - with_service_content(/SuccessExitStatus=1 2 3 4 5 6 7/). - with_service_content(%r{ExecStart=/bin/nice -n 19 /usr/sbin/aide --check}). - with_active(true). - with_enable(true) + is_expected.to create_systemd__timer('puppet_aide.timer') + .with_timer_content(%r{OnCalendar=Sun \*-\* 4:\d+}) + .with_service_content(%r{Type=oneshot}) + .with_service_content(%r{SuccessExitStatus=1 2 3 4 5 6 7}) + .with_service_content(%r{ExecStart=/bin/nice -n 19 /usr/sbin/aide --check}) + .with_active(true) + .with_enable(true) end it { is_expected.to create_cron('aide_schedule').with_ensure('absent') } 
@@ -32,31 +32,32 @@ context 'root mode' do let(:params) do { - :method => 'root' + method: 'root' } end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_class('aide::set_schedule') } it do - is_expected.to create_systemd__timer('puppet_aide.timer'). - with_timer_content(/OnCalendar=Sun \*-\* 4:\d+/). - with_service_content(/Type=oneshot/). - with_service_content(/SuccessExitStatus=1 2 3 4 5 6 7/). - with_service_content(%r{ExecStart=/bin/nice -n 19 /usr/sbin/aide --check}). - with_active(false). - with_enable(false) + is_expected.to create_systemd__timer('puppet_aide.timer') + .with_timer_content(%r{OnCalendar=Sun \*-\* 4:\d+}) + .with_service_content(%r{Type=oneshot}) + .with_service_content(%r{SuccessExitStatus=1 2 3 4 5 6 7}) + .with_service_content(%r{ExecStart=/bin/nice -n 19 /usr/sbin/aide --check}) + .with_active(false) + .with_enable(false) end it do - is_expected.to create_cron('aide_schedule'). - with_command('/bin/nice -n 19 /usr/sbin/aide --check'). - with_user('root'). - with_minute(/\d+/). - with_hour(4). - with_monthday('*'). - with_month('*'). - with_weekday(0) + is_expected.to create_cron('aide_schedule') + .with_command('/bin/nice -n 19 /usr/sbin/aide --check') + .with_user('root') + .with_minute(%r{\d+}) + .with_hour(4) + .with_monthday('*') + .with_month('*') + .with_weekday(0) end it { is_expected.to create_augeas('remove_aide_schedule') } 
@@ -65,20 +66,21 @@ context 'etc mode' do let(:params) do { - :method => 'etc' + method: 'etc' } end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_class('aide::set_schedule') } it do - is_expected.to create_systemd__timer('puppet_aide.timer'). - with_timer_content(/OnCalendar=Sun \*-\* 4:\d+/). - with_service_content(/Type=oneshot/). - with_service_content(/SuccessExitStatus=1 2 3 4 5 6 7/). - with_service_content(%r{ExecStart=/bin/nice -n 19 /usr/sbin/aide --check}). - with_active(false). - with_enable(false) + is_expected.to create_systemd__timer('puppet_aide.timer') + .with_timer_content(%r{OnCalendar=Sun \*-\* 4:\d+}) + .with_service_content(%r{Type=oneshot}) + .with_service_content(%r{SuccessExitStatus=1 2 3 4 5 6 7}) + .with_service_content(%r{ExecStart=/bin/nice -n 19 /usr/sbin/aide --check}) + .with_active(false) + .with_enable(false) end it { is_expected.to create_cron('aide_schedule').with_ensure('absent') } diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb index b59bcc1..ac57dc4 100644 --- a/spec/defines/rule_spec.rb +++ b/spec/defines/rule_spec.rb @@ -2,16 +2,15 @@ describe 'aide::rule' do context 'supported operating systems' do - on_supported_os.each do |os, facts| - + on_supported_os.each_value do |facts| let(:facts) { facts } let(:pre_condition) { 'include "aide"' } - let(:title) {'test_rules'} - let(:params) {{ :rules => 'test_rules' }} + let(:title) { 'test_rules' } + let(:params) { { rules: 'test_rules' } } - it { should compile.with_all_deps } - it { should create_file('/etc/aide.conf.d/test_rules.aide').with_content(/test_rules/) } + it { is_expected.to compile.with_all_deps } + it { is_expected.to create_file('/etc/aide.conf.d/test_rules.aide').with_content(%r{test_rules}) } end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index ef4fe64..acc4013 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
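Review bot: In spec/defines/rule_spec.rb the `let` and `it` calls sit directly in the body of `on_supported_os.each_value do |facts|`, so every iteration registers them on the same example group; each pass redefines `let(:facts)`, and as far as I can tell the duplicated examples then all run with the facts of the last OS only. Switching to `each_value` also drops the `os` key that a per-OS group would need for its name. Keep the key and wrap the body in its own group: `on_supported_os.each do |os, os_facts|`, `context "on #{os}" do`, `let(:facts) { os_facts }`.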
@@ -1,4 +1,5 @@ # frozen_string_literal: true + # # ------------------------------------------------------------------------------ # NOTICE: **This file is maintained with puppetsync** @@ -90,7 +91,7 @@ def set_hieradata(hieradata) # If nothing else... c.default_facts = { production: { - #:fqdn => 'production.rspec.test.localdomain', + # :fqdn => 'production.rspec.test.localdomain', path: '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', concat_basedir: '/tmp' } @@ -150,9 +151,9 @@ def set_hieradata(hieradata) # sanitize hieradata if defined?(hieradata) - set_hieradata(hieradata.gsub(':', '_')) + set_hieradata(hieradata.tr(':', '_')) elsif defined?(class_name) - set_hieradata(class_name.gsub(':', '_')) + set_hieradata(class_name.tr(':', '_')) end end @@ -164,9 +165,7 @@ def set_hieradata(hieradata) end Dir.glob("#{RSpec.configuration.module_path}/*").each do |dir| - begin - Pathname.new(dir).realpath - rescue StandardError - raise "ERROR: The module '#{dir}' is not installed. Tests cannot continue." - end + Pathname.new(dir).realpath +rescue StandardError + raise "ERROR: The module '#{dir}' is not installed. Tests cannot continue." end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 505d29d..ae258c4 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -15,7 +15,6 @@ end end - RSpec.configure do |c| # ensure that environment OS is ready on each host fix_errata_on hosts 
@@ -29,25 +28,21 @@ # Configure all nodes in nodeset c.before :suite do - begin - # Install modules and dependencies from spec/fixtures/modules - copy_fixture_modules_to( hosts ) - server = only_host_with_role(hosts, 'server') - - # Generate and install PKI certificates on each SUT - Dir.mktmpdir do |cert_dir| - run_fake_pki_ca_on(server, hosts, cert_dir ) - hosts.each{ |sut| copy_pki_to( sut, cert_dir, '/etc/pki/simp-testing' )} - end - - # add PKI keys - copy_keydist_to(server) - rescue StandardError, ScriptError => e - if ENV['PRY'] - require 'pry'; binding.pry - else - raise e - end + # Install modules and dependencies from spec/fixtures/modules + copy_fixture_modules_to(hosts) + server = only_host_with_role(hosts, 'server') + + # Generate and install PKI certificates on each SUT + Dir.mktmpdir do |cert_dir| + run_fake_pki_ca_on(server, hosts, cert_dir) + hosts.each { |sut| copy_pki_to(sut, cert_dir, '/etc/pki/simp-testing') } end + + # add PKI keys + copy_keydist_to(server) + rescue StandardError, ScriptError => e + raise e unless ENV['PRY'] + require 'pry' + binding.pry end end diff --git a/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb b/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb index 1e4ae82..bcee3d8 100644 --- a/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb +++ b/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb @@ -7,10 +7,9 @@ # This is the class that needs to be added to the catalog last to make the # reporting work. describe 'compliance_markup', type: :class do - compliance_profiles = [ 'disa_stig', - 'nist_800_53:rev4' + 'nist_800_53:rev4', ] # A list of classes that we expect to be included for compliance 
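Review bot: In the `before :suite` handler, when `ENV['PRY']` is set the rescued error is dropped once `binding.pry` returns, so the suite carries on against hosts where the fixture modules or the test PKI under `/etc/pki/simp-testing` may not have been installed. End the handler with a bare `raise` after `binding.pry` so the failure still stops the run after the debugging session. The `RSpec.configure` block this belongs to starts outside the hunk.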
@@ -18,53 +17,53 @@ # This needs to be well defined since we can also manipulate defined type # defaults expected_classes = [ - 'aide' + 'aide', ] allowed_failures = { 'documented_missing_parameters' => [ - ] + expected_classes.map{|c| Regexp.new("^(?!#{c}(::.*)?)")}, + ] + expected_classes.map { |c| Regexp.new("^(?!#{c}(::.*)?)") }, 'documented_missing_resources' => [ - ] + expected_classes.map{|c| Regexp.new("^(?!#{c}(::.*)?)")} + ] + expected_classes.map { |c| Regexp.new("^(?!#{c}(::.*)?)") } } on_supported_os.each do |os, os_facts| context "on #{os}" do compliance_profiles.each do |target_profile| context "with compliance profile '#{target_profile}'" do - let(:facts){ + let(:facts) do os_facts.merge({ - :target_compliance_profile => target_profile - }) - } - - let(:pre_condition) {%( - #{expected_classes.map{|c| %{include #{c}}}.join("\n")} - )} - - let(:hieradata){ 'compliance-engine' } - - it { is_expected.to compile } - - let(:compliance_report) { - @compliance_report ||= JSON.load( - catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content] + target_compliance_profile: target_profile + }) + end + let(:compliance_report) do + @compliance_report ||= JSON.parse( + catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content], ) @compliance_report - } - - let(:compliance_profile_data) { + end + let(:compliance_profile_data) do @compliance_profile_data ||= compliance_report['compliance_profiles'][target_profile] @compliance_profile_data - } + end + + let(:pre_condition) do + %( + #{expected_classes.map { |c| %(include #{c}) }.join("\n")} + ) + end + + let(:hieradata) { 'compliance-engine' } + + it { is_expected.to compile } - it 'should have a compliance profile report' do - expect(compliance_profile_data).to_not be_nil + it 'has a compliance profile report' do + expect(compliance_profile_data).not_to be_nil end - it 'should have a 100% compliant report' do + it 'has a 100% compliant report' do 
expect(compliance_profile_data['summary']['percent_compliant']).to eq(100) end @@ -84,29 +83,29 @@ # classes included, this report may be useless and is disabled by # default. # - 'documented_missing_resources' + 'documented_missing_resources', ] report_validators.each do |report_section| - it "should have no issues with the '#{report_section}' report" do + it "has no issues with the '#{report_section}' report" do if compliance_profile_data[report_section] # This just gets us a good print out of what went wrong - compliance_profile_data[report_section].delete_if{ |item| - rm = false - - Array(allowed_failures[report_section]).each do |allowed| - if allowed.is_a?(Regexp) - if allowed.match?(item) - rm = true - break - end - else - rm = (allowed == item) + compliance_profile_data[report_section].delete_if do |item| + rm = false + + Array(allowed_failures[report_section]).each do |allowed| + if allowed.is_a?(Regexp) + if allowed.match?(item) + rm = true + break end + else + rm = (allowed == item) end + end - rm - } + rm + end expect(compliance_profile_data[report_section]).to eq([]) end
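Review bot: In the `delete_if` block of the -84 hunk, the string branch `rm = (allowed == item)` has no `break`, unlike the Regexp branch, so a literal entry that matches is overwritten by any later literal that does not, and the outcome depends on the order of `allowed_failures`. Every entry visible in this file is a Regexp, so this is latent for now. `any?` states the intent directly: `compliance_profile_data[report_section].delete_if { |item| Array(allowed_failures[report_section]).any? { |allowed| allowed.is_a?(Regexp) ? allowed.match?(item) : allowed == item } }`. The enclosing `describe` starts outside the hunk.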