From 3bdfb5224f7d6ea25e85e0b21920111d690bb4e1 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 16 Jul 2024 09:10:29 -0500 Subject: [PATCH] Remove use of File.exists? (#53) Also: * Clean up for rubocop * Drop tests for EL < 7 * Bump version * Add CHANGELOG entry Fixes #48 --- CHANGELOG | 3 + lib/facter/ima_log_size.rb | 2 +- lib/facter/ima_security_attr.rb | 14 +- metadata.json | 2 +- spec/acceptance/suites/default/00_ima_spec.rb | 25 ++- spec/classes/appraise/fixmode_spec.rb | 60 +++--- spec/classes/appraise/relabel_spec.rb | 73 +++---- spec/classes/appraise_spec.rb | 185 +++++++++--------- spec/classes/init_spec.rb | 60 +++--- spec/classes/policy_spec.rb | 156 +++++++-------- spec/spec_helper.rb | 7 +- spec/spec_helper_acceptance.rb | 18 +- spec/unit/facter/ima_log_size_spec.rb | 12 +- spec/unit/facter/ima_security_attr_spec.rb | 18 +- 14 files changed, 320 insertions(+), 315 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index d280d84..223ea33 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,6 @@ +* Mon Jul 15 2024 Steven Pritchard - 0.8.1 +- Fixes for Puppet 8 compatibility + * Mon Oct 23 2023 Steven Pritchard - 0.8.0 - [puppetsync] Add EL9 support diff --git a/lib/facter/ima_log_size.rb b/lib/facter/ima_log_size.rb index 1ffa02f..f607b73 100644 --- a/lib/facter/ima_log_size.rb +++ b/lib/facter/ima_log_size.rb @@ -1,7 +1,7 @@ # Detects the size of the IMA log in bytes Facter.add('ima_log_size') do confine do - File.exists? '/sys/kernel/security/ima/ascii_runtime_measurements' + File.exist? '/sys/kernel/security/ima/ascii_runtime_measurements' end setcode do diff --git a/lib/facter/ima_security_attr.rb b/lib/facter/ima_security_attr.rb index a21c001..9d4e8de 100644 --- a/lib/facter/ima_security_attr.rb +++ b/lib/facter/ima_security_attr.rb 
@@ -12,21 +12,21 @@ # Facter.add('ima_security_attr') do confine do - Facter.value(:cmdline) && Facter.value(:cmdline).has_key?('ima_appraise_tcb') + Facter.value(:cmdline)&.key?('ima_appraise_tcb') end setcode do vardir = Facter.value(:puppet_vardir) - # Check if the script to update the attributes is still running + # Check if the script to update the attributes is still running isrunning = Facter::Core::Execution.execute('ps -ef') if isrunning['ima_security_attr_update.sh'].nil? relabel_file = "#{vardir}/simp/.ima_relabel" - if File.exists?("#{relabel_file}") - status = 'need_relabel' - else - status = 'inactive' - end + status = if File.exist?(relabel_file) + 'need_relabel' + else + 'inactive' + end else status = 'active' end diff --git a/metadata.json b/metadata.json index 62c39fa..b3cbfd7 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-ima", - "version": "0.8.0", + "version": "0.8.1", "author": "SIMP Team", "summary": "Manages IMA", "license": "Apache-2.0", diff --git a/spec/acceptance/suites/default/00_ima_spec.rb b/spec/acceptance/suites/default/00_ima_spec.rb index a9a4c48..c6d7c0a 100644 --- a/spec/acceptance/suites/default/00_ima_spec.rb +++ b/spec/acceptance/suites/default/00_ima_spec.rb @@ -5,7 +5,7 @@ describe 'ima class' do hosts.each do |host| - it 'should set a root password' do + it 'sets a root password' do on(host, "sed -i 's/enforce_for_root//g' /etc/pam.d/*") on(host, 'echo "root:password" | chpasswd --crypt-method SHA256') end @@ -22,16 +22,15 @@ # } EOF - it 'should run puppet' do + it 'runs puppet' do apply_manifest_on(host, manifest, catch_failures: true) end - it 'should run puppet idempotently' do + it 'runs puppet idempotently' do apply_manifest_on(host, manifest, catch_changes: true) end - - it 'should run puppet idempotently after a reboot' do + it 'runs puppet idempotently after a reboot' do # reboot to apply kernel_parameter settings host.reboot # the mount will need to be reset 
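Review bot: The 'active' result at `if isrunning['ima_security_attr_update.sh'].nil?` is decided by a plain substring search over the entire `ps -ef` output, so any process whose argument list contains that string — including one started by an unprivileged local user — keeps the fact reporting 'active'. The relabel spec in this same patch shows 'active' making `ima::appraise::relabel` emit only a notify instead of setting `ima_appraise=enforce`, so a decoy process could stall the move to enforcing (the relabel class is not in the diff, so treat that consequence as inferred). Narrow the check to root-owned processes that actually run the script, e.g. `running = Facter::Core::Execution.execute('ps -eo user:32,args').lines.grep(%r{\Aroot\s+.*\bima_security_attr_update\.sh\b})` followed by `if running.empty?`; a pidfile written by the script would be more robust still. The `ps -ef` stub in spec/unit/facter/ima_security_attr_spec.rb would have to change with it.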
@@ -40,7 +39,7 @@ apply_manifest_on(host, manifest, catch_changes: true) end - it 'should not lock up the filesystem' do + it 'does not lock up the filesystem' do on(host, "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 1000 | head -n 10000 > /root/hugefile") on(host, 'head -15 /sys/kernel/security/ima/ascii_runtime_measurements') on(host, 'ls -la ~') @@ -49,7 +48,7 @@ end context 'stricter rules' do - if true + if true # rubocop:disable Lint/LiteralAsCondition it 'fails to allow puppet to function in strict enforcing mode' else # This is kept around to show what *should* happen (and what did happen @@ -68,30 +67,30 @@ class { 'ima::policy': } EOF - it 'should run puppet' do + it 'runs puppet' do apply_manifest_on(host, manifest, catch_failures: true) end - it 'should run puppet idempotently' do + it 'runs puppet idempotently' do apply_manifest_on(host, manifest, catch_changes: true) end it 'locks up the filesystem after a reboot and new policy is applied' do on(host, 'yum install -y telnet') ssh_config = File.readlines(host[:ssh][:config]) - ssh_port = ssh_config.grep(/port/i).first.split(' ')[1] + ssh_port = ssh_config.grep(%r{port}i).first.split(' ')[1] expect(on(host, 'ls')).to be_truthy - tel = Net::Telnet::new("Port" => ssh_port) + tel = Net::Telnet.new('Port' => ssh_port) result = tel.cmd('echo echo') tel.close - expect(result).to match(/OpenSSH/) + expect(result).to match(%r{OpenSSH}) host.reboot sleep 30 - tel2 = Net::Telnet::new("Port" => ssh_port) + tel2 = Net::Telnet.new('Port' => ssh_port) begin result2 = tel.cmd('echo echo') rescue IOError => e diff --git a/spec/classes/appraise/fixmode_spec.rb b/spec/classes/appraise/fixmode_spec.rb index ad3d10c..6e8e907 100644 --- a/spec/classes/appraise/fixmode_spec.rb +++ b/spec/classes/appraise/fixmode_spec.rb 
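Review bot: The `if true # rubocop:disable Lint/LiteralAsCondition` at the top of the 'stricter rules' context disables the strict-enforcing scenario with a literal condition plus a cop exclusion, so the skipped examples never appear in the RSpec report and the reason survives only as a comment. RSpec already has a construct for this: replace the `if true` / `else` pair with `xcontext 'strict enforcing mode (disabled: locks the filesystem)' do` around the kept examples, so they show up as pending with their reason. The single pending `it 'fails to allow puppet to function in strict enforcing mode'` can then stay as the visible marker of the known failure.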
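Review bot: In the post-reboot probe, `tel2 = Net::Telnet.new('Port' => ssh_port)` is opened but the next line still runs `result2 = tel.cmd('echo echo')` against the `tel` session closed a few lines earlier, so `tel2` is never used and the call would raise IOError from the closed socket regardless of the host's state — which the following `rescue IOError` would then treat as the expected outcome. Change it to `result2 = tel2.cmd('echo echo')` and close `tel2` afterwards. The `ssh_config.grep(%r{port}i).first.split(' ')[1]` lookup also matches any line containing "port" anywhere; `%r{\A\s*Port\s}i` would pin it to the directive. This branch is unreachable today because of the `if true` guard above it, and the `begin`/`rescue` block it sits in continues past the end of the hunk.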
@@ -6,43 +6,47 @@ describe 'ima::appraise' do on_supported_os.each do |os, os_facts| context "on #{os}" do - - let (:facts) do - os_facts.merge({ - :cmdline => { 'ima' => 'on' }, - }) + let(:facts) do + os_facts.merge(cmdline: { 'ima' => 'on' }) end context 'with relabel false' do - let (:params) {{ - relabel_file: '/tmp/simp/.ima_relabel', - force_fixmode: true - }} + let(:params) do + { + relabel_file: '/tmp/simp/.ima_relabel', + force_fixmode: true, + } + end - it { is_expected.to contain_kernel_parameter('ima_appraise').with({ - 'value' => 'fix', - 'bootmode' => 'normal', - }).that_notifies('Reboot_notify[ima_appraise_fix_reboot]')} - it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({'ensure' => 'absent' })} - it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]')} + it do + is_expected.to contain_kernel_parameter('ima_appraise') + .with( + 'value' => 'fix', + 'bootmode' => 'normal', + ).that_notifies('Reboot_notify[ima_appraise_fix_reboot]') + end + it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({ 'ensure' => 'absent' }) } + it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]') } end context 'with relabel true' do - let (:facts) do - os_facts.merge({ - :cmdline => { 'ima' => 'on', 'foo' => 'bar', 'ima_appraise' => 'off' } - }) + let(:facts) do + os_facts.merge(cmdline: { 'ima' => 'on', 'foo' => 'bar', 'ima_appraise' => 'off' }) + end + let(:params) do + { + relabel_file: '/tmp/simp/.ima_relabel', + } end - let (:params) {{ - relabel_file: '/tmp/simp/.ima_relabel', - }} - it { is_expected.to contain_kernel_parameter('ima_appraise').with({ - 'value' => 'fix', - 'bootmode' => 'normal', - }).that_notifies('Reboot_notify[ima_appraise_fix_reboot]')} - it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({'ensure' => 'file' })} - it { is_expected.to 
contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]')} + it do + is_expected.to contain_kernel_parameter('ima_appraise').with( + 'value' => 'fix', + 'bootmode' => 'normal', + ).that_notifies('Reboot_notify[ima_appraise_fix_reboot]') + end + it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({ 'ensure' => 'file' }) } + it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]') } end end end diff --git a/spec/classes/appraise/relabel_spec.rb b/spec/classes/appraise/relabel_spec.rb index 490f7c4..3a6e7ed 100644 --- a/spec/classes/appraise/relabel_spec.rb +++ b/spec/classes/appraise/relabel_spec.rb 
@@ -6,53 +6,56 @@ describe 'ima::appraise' do on_supported_os.each do |os, os_facts| context "on #{os}" do - let (:params) {{ - relabel_file: '/tmp/simp/.ima_relabel', - scriptdir: '/myscripts' - }} - - let (:default_facts) do - os_facts.merge({ - :cmdline => { 'ima' => 'on', 'ima_appraise' => 'fix' } - }) + let(:params) do + { + relabel_file: '/tmp/simp/.ima_relabel', + scriptdir: '/myscripts', + } + end + + let(:default_facts) do + os_facts.merge(cmdline: { 'ima' => 'on', 'ima_appraise' => 'fix' }) end context 'with ima_security_attr inactive' do - let (:facts) do - default_facts.merge({ - :ima_security_attr => 'inactive' - }) + let(:facts) do + default_facts.merge(ima_security_attr: 'inactive') end - it { is_expected.to contain_kernel_parameter('ima_appraise').with({ - 'value' => 'enforce', - 'bootmode' => 'normal', - }).that_notifies('Exec[dracut ima appraise rebuild]')} - it { is_expected.to contain_exec('dracut ima appraise rebuild').with({ - 'command' => '/sbin/dracut -f', - 'refreshonly' => true - }).that_subscribes_to('Kernel_parameter[ima_appraise]')} - it { is_expected.to contain_reboot_notify('ima_appraise_enforce_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]')} + + it { + is_expected.to contain_kernel_parameter('ima_appraise') + .with( + 'value' => 'enforce', + 'bootmode' => 'normal', + ).that_notifies('Exec[dracut ima appraise rebuild]') + } + it { + is_expected.to contain_exec('dracut ima appraise rebuild').with( + 'command' => '/sbin/dracut -f', + 'refreshonly' => true, + ).that_subscribes_to('Kernel_parameter[ima_appraise]') + } + it { is_expected.to contain_reboot_notify('ima_appraise_enforce_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]') } end context 'with ima_security_attr active' do - let (:facts) do - default_facts.merge({ - :ima_security_attr => 'active' - }) + let(:facts) do + default_facts.merge(ima_security_attr: 'active') end - it { is_expected.to contain_notify('IMA updates running')} + + it { is_expected.to 
contain_notify('IMA updates running') } end context 'with ima_security_attr relabel' do - let (:facts) do - default_facts.merge({ - :ima_security_attr => 'relabel' - }) + let(:facts) do + default_facts.merge(ima_security_attr: 'relabel') + end + + it { is_expected.to contain_notify('IMA updates started') } + it do + is_expected.to contain_exec('ima_security_attr_update') + .with('command' => '/myscripts/ima_security_attr_update.sh /tmp/simp/.ima_relabel &') end - it { is_expected.to contain_notify('IMA updates started')} - it { is_expected.to contain_exec('ima_security_attr_update').with({ - 'command' => '/myscripts/ima_security_attr_update.sh /tmp/simp/.ima_relabel &', - })} end end end diff --git a/spec/classes/appraise_spec.rb b/spec/classes/appraise_spec.rb index a370a5d..f12fefb 100644 --- a/spec/classes/appraise_spec.rb +++ b/spec/classes/appraise_spec.rb 
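Review bot: The context 'with ima_security_attr relabel' stubs the fact as `ima_security_attr: 'relabel'`, but the fact in lib/facter/ima_security_attr.rb in this same patch only ever yields 'active', 'inactive' or 'need_relabel', so this example exercises a value the fact never produces. If `ima::appraise::relabel` (not in the diff) matches the exact string 'need_relabel', the example passes for a reason unrelated to the real fact; if it treats any other value as a relabel request, the spec silently depends on that fallback. Use `default_facts.merge(ima_security_attr: 'need_relabel')` and rename the context to match, so the spec pins the contract between the fact and the class.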
@@ -10,130 +10,139 @@ it { is_expected.to create_kernel_parameter('ima_appraise_tcb').with_bootmode('normal') } it { is_expected.to create_kernel_parameter('rootflags').with_value('i_version') } it { is_expected.to create_kernel_parameter('rootflags').with_bootmode('normal') } - it { is_expected.to create_file('/myscripts/ima_security_attr_update.sh').with({ - 'source' => 'puppet:///modules/ima/ima_security_attr_update.sh' - })} + it do + is_expected.to create_file('/myscripts/ima_security_attr_update.sh') + .with('source' => 'puppet:///modules/ima/ima_security_attr_update.sh') + end end describe 'ima::appraise' do on_supported_os.each do |os, os_facts| context "on #{os}" do - -# if os_facts[:operatingsystemmajrelease].to_s == '7' - let (:default_facts) do - os_facts.merge({ - :puppet => { :vardir => '/tmp'}, - :cmdline => { 'ima' => 'on' } - }) + let(:default_facts) do + os_facts.merge( + puppet: { vardir: '/tmp' }, + cmdline: { 'ima' => 'on' }, + ) end context 'with default params' do - let (:params) {{ - relabel_file: '/tmp/relabel', - ensure_packages: 'installed', - scriptdir: '/myscripts' - }} + let(:params) do + { + relabel_file: '/tmp/relabel', + ensure_packages: 'installed', + scriptdir: '/myscripts', + } + end context 'with ima_appraise not set' do - let (:facts) do - default_facts.merge({ - :cmdline => { 'foo' => 'bar' } - }) + let(:facts) do + default_facts.merge(cmdline: { 'foo' => 'bar' }) + end + + it_behaves_like 'an ima appraise enabled system' + it do + is_expected.to contain_class('ima::appraise::fixmode') + .with('relabel' => true) end - it_should_behave_like 'an ima appraise enabled system' - it { is_expected.to contain_class('ima::appraise::fixmode').with({ - 'relabel' => true - })} end context 'with ima_appraise not set but ima_appraise_tcb set' do - let (:facts) do - default_facts.merge({ - :cmdline => { 'foo' => 'bar', 'ima_appraise_tcb' => '' } - }) + let(:facts) do + default_facts.merge(cmdline: { 'foo' => 'bar', 'ima_appraise_tcb' => '' 
}) + end + + it_behaves_like 'an ima appraise enabled system' + it { is_expected.not_to contain_class('ima::appraise::fixmode') } + it { is_expected.not_to contain_class('ima::appraise::relabel') } + it do + is_expected.to contain_file('/tmp/relabel') + .with('ensure' => 'absent') end - it_should_behave_like 'an ima appraise enabled system' - it { is_expected.to_not contain_class('ima::appraise::fixmode') } - it { is_expected.to_not contain_class('ima::appraise::relabel') } - it { is_expected.to contain_file('/tmp/relabel').with({ - 'ensure' => 'absent' - })} end context 'with ima_appraise fix' do - let (:facts) do - default_facts.merge({ - :cmdline => { 'ima_appraise' => 'fix' } - }) + let(:facts) do + default_facts.merge(cmdline: { 'ima_appraise' => 'fix' }) + end + + it_behaves_like 'an ima appraise enabled system' + it { is_expected.not_to contain_class('ima::appraise::fixmode') } + it do + is_expected.to contain_class('ima::appraise::relabel') + .with('relabel_file' => '/tmp/relabel') end - it_should_behave_like 'an ima appraise enabled system' - it { is_expected.to_not contain_class('ima::appraise::fixmode') } - it { is_expected.to contain_class('ima::appraise::relabel').with({ - 'relabel_file' => '/tmp/relabel'})} end context 'with ima_appraise enforce' do - let (:facts) do - default_facts.merge({ - :cmdline => { 'ima_appraise' => 'enforce' } - }) + let(:facts) do + default_facts.merge(cmdline: { 'ima_appraise' => 'enforce' }) + end + + it_behaves_like 'an ima appraise enabled system' + it { is_expected.not_to contain_class('ima::appraise::fixmode') } + it { is_expected.not_to contain_class('ima::appraise::relabel') } + it do + is_expected.to contain_file('/tmp/relabel') + .with('ensure' => 'absent') end - it_should_behave_like 'an ima appraise enabled system' - it { is_expected.to_not contain_class('ima::appraise::fixmode') } - it { is_expected.to_not contain_class('ima::appraise::relabel') } - it { is_expected.to contain_file('/tmp/relabel').with({ - 
'ensure' => 'absent' - })} end context 'with ima_appraise off' do - let (:facts) do - default_facts.merge({ - :cmdline => { 'ima_appraise' => 'off' } - }) + let(:facts) do + default_facts.merge(cmdline: { 'ima_appraise' => 'off' }) + end + + it_behaves_like 'an ima appraise enabled system' + it do + is_expected.to contain_class('ima::appraise::fixmode') + .with('relabel' => true) end - it_should_behave_like 'an ima appraise enabled system' - it { is_expected.to contain_class('ima::appraise::fixmode').with({ - 'relabel' => true })} - it { is_expected.to_not contain_class('ima::appraise::relabel') } + it { is_expected.not_to contain_class('ima::appraise::relabel') } end end context 'with fix_mode set to true' do - let (:params) {{ - relabel_file: '/tmp/relabel', - scriptdir: '/myscripts', - force_fixmode: true - }} - let (:facts) do - os_facts.merge({ - :cmdline => { 'ima' => 'on' } - }) + let(:params) do + { + relabel_file: '/tmp/relabel', + scriptdir: '/myscripts', + force_fixmode: true, + } + end + let(:facts) do + os_facts.merge(cmdline: { 'ima' => 'on' }) + end + + it_behaves_like 'an ima appraise enabled system' + it do + is_expected.to contain_class('ima::appraise::fixmode') + .with('relabel' => false) end - it_should_behave_like 'an ima appraise enabled system' - it { is_expected.to contain_class('ima::appraise::fixmode').with({ - 'relabel' => false })} - it { is_expected.to_not contain_class('ima::appraise::relabel') } + it { is_expected.not_to contain_class('ima::appraise::relabel') } end context 'with enable set to false' do - let (:params) {{ - enable: false, - ensure_packages: 'installed', - scriptdir: '/myscripts', - relabel_file: '/tmp/relabel' - }} - let (:facts) do - os_facts.merge({ - :cmdline => { 'ima' => 'on' } - }) + let(:params) do + { + enable: false, + ensure_packages: 'installed', + scriptdir: '/myscripts', + relabel_file: '/tmp/relabel', + } + end + let(:facts) do + os_facts.merge(cmdline: { 'ima' => 'on' }) + end + + it do + is_expected.to 
create_kernel_parameter('ima_appraise_tcb') + .with('ensure' => 'absent') + end + it do + is_expected.to create_kernel_parameter('ima_appraise') + .with('ensure' => 'absent') end - it { is_expected.to create_kernel_parameter('ima_appraise_tcb').with({ - 'ensure' => 'absent' - })} - it { is_expected.to create_kernel_parameter('ima_appraise').with({ - 'ensure' => 'absent' - })} end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 3a25b7a..f956dd9 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -3,11 +3,10 @@ describe 'ima' do on_supported_os.each do |os, os_facts| context "on #{os}" do - let(:facts) do os_facts.merge( cmdline: { 'ima' => 'on' }, - ima_log_size: 29000000, + ima_log_size: 29_000_000, ) end @@ -32,16 +31,16 @@ remounts: true, options: 'defaults', dump: '0', - pass: '0' + pass: '0', ) end end context 'should tell the user to reboot when the ima log is filling up' do let(:facts) do - os_facts.merge( ima_log_size: 50000002 ) + os_facts.merge(ima_log_size: 50_000_002) end - let(:params) {{ log_max_size: 50000000 }} + let(:params) { { log_max_size: 50_000_000 } } it { is_expected.to compile.with_all_deps } it { is_expected.to contain_reboot_notify('ima_log') } @@ -49,20 +48,22 @@ context 'with kernel version >= 3.13' do let(:facts) do - os_facts.merge({ - cmdline: { 'foo' => 'bar' }, - ima_log_size: 29000000, - kernelmajversion: '3.13' - }) + os_facts.merge( + cmdline: { 'foo' => 'bar' }, + ima_log_size: 29_000_000, + kernelmajversion: '3.13', + ) end - let(:params) {{ - mount_dir: '/sys/kernel/security', - ima_audit: false, - ima_template: 'ima-ng', - ima_hash: 'sha256', - ima_tcb: true - }} + let(:params) do + { + mount_dir: '/sys/kernel/security', + ima_audit: false, + ima_template: 'ima-ng', + ima_hash: 'sha256', + ima_tcb: true, + } + end it { is_expected.to compile.with_all_deps } it { is_expected.not_to contain_file(params[:mount_dir]) } 
@@ -81,18 +82,20 @@ context 'with_kernel_version < 3.13' do let(:facts) do - os_facts.merge({ + os_facts.merge( cmdline: { 'foo' => 'bar' }, - ima_log_size: 29000000, - kernelmajversion: '3.10' - }) + ima_log_size: 29_000_000, + kernelmajversion: '3.10', + ) end - let(:params) {{ - ima_audit: true, - ima_template: 'ima-ng', - ima_hash: 'sha256', - }} + let(:params) do + { + ima_audit: true, + ima_template: 'ima-ng', + ima_hash: 'sha256', + } + end it { is_expected.to compile.with_all_deps } it { is_expected.to contain_reboot_notify('ima_reboot') } @@ -109,11 +112,11 @@ context 'with enable set to false' do let(:facts) do os_facts.merge( - cmdline: { 'ima' => 'on' }, + cmdline: { 'ima' => 'on' }, ) end - let(:params) {{ enable: false }} + let(:params) { { enable: false } } it { is_expected.to compile.with_all_deps } it { is_expected.to contain_reboot_notify('ima_reboot') } @@ -128,7 +131,6 @@ it { is_expected.to create_kernel_parameter('ima_hash').with_ensure('absent') } it { is_expected.to create_kernel_parameter('ima_hash').with_bootmode('normal') } end - end end end diff --git a/spec/classes/policy_spec.rb b/spec/classes/policy_spec.rb index 442734d..0090b31 100644 --- a/spec/classes/policy_spec.rb +++ b/spec/classes/policy_spec.rb @@ -3,20 +3,13 @@ describe 'ima::policy' do on_supported_os.each do |os, os_facts| context "on #{os}" do - - if os_facts[:operatingsystemmajrelease].to_s == '6' - let(:facts) do - os_facts.merge(init_systems: ['sysv']) - end - else - let(:facts) do - os_facts.merge(init_systems: ['systemd']) - end + let(:facts) do + os_facts.merge(init_systems: ['systemd']) end - let(:default_sample) { + let(:default_sample) do File.read(File.expand_path('spec/files/default_ima_policy.conf')) - } + end context 'with default params' do context 'nothing else set' do 
@@ -24,107 +17,104 @@ it { is_expected.to create_class('ima::policy') } it { is_expected.to contain_class('ima') } it { is_expected.to create_file('/etc/ima').with_ensure('directory') } - it { is_expected.to create_file('/etc/ima/policy.conf') \ - .with_content(IO.read('spec/files/default_ima_policy.conf')) } - if os_facts[:operatingsystemmajrelease].to_s == '6' - it { is_expected.to create_file('/etc/init.d/import_ima_rules').with({ - :ensure => 'file' - }) } - it { is_expected.to create_service('import_ima_rules').with({ - :ensure => 'stopped', - :enable => true, - }) } - else - it { is_expected.to create_exec('systemd_load_policy') } + it do + is_expected.to create_file('/etc/ima/policy.conf') + .with_content(IO.read('spec/files/default_ima_policy.conf')) end + it { is_expected.to create_exec('systemd_load_policy') } context 'with ima enabled' do - if os_facts[:operatingsystemmajrelease].to_s == '6' - let(:facts) do - os_facts.merge({ - :init_systems => ['sysv'], - :cmdline => { - :ima => 'on' - } - }) - end - else - let(:facts) do - os_facts.merge({ - :init_systems => ['systemd'], - :cmdline => { - :ima => 'on' - } - }) - end + let(:facts) do + os_facts.merge( + init_systems: ['systemd'], + cmdline: { ima: 'on' }, + ) end - it { is_expected.to create_exec('load_ima_policy') \ - .with_command('cat /etc/ima/policy.conf > /sys/kernel/security/ima/policy') } + it { + is_expected.to create_exec('load_ima_policy') + .with_command('cat /etc/ima/policy.conf > /sys/kernel/security/ima/policy') + } end end context 'with an selinux policy disabled' do - let(:params) {{ - dont_watch_lastlog_t: false, - }} + let(:params) do + { + dont_watch_lastlog_t: false, + } + end + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/ima/policy.conf') \ - .with_content(IO.read('spec/files/selinux_ima_policy.conf')) } + it do + is_expected.to create_file('/etc/ima/policy.conf') + .with_content(IO.read('spec/files/selinux_ima_policy.conf')) + end end 
context 'with an fsmagic disabled' do - let(:params) {{ - dont_watch_binfmtfs: false, - }} + let(:params) do + { + dont_watch_binfmtfs: false, + } + end + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/ima/policy.conf') \ - .with_content(IO.read('spec/files/fsmagic_ima_policy.conf')) } + it do + is_expected.to create_file('/etc/ima/policy.conf') + .with_content(IO.read('spec/files/fsmagic_ima_policy.conf')) + end end context 'with custom selinux contexts' do - let(:params) {{ - dont_watch_list: [ 'user_home_t', 'locale_t' ], - }} + let(:params) do + { + dont_watch_list: [ 'user_home_t', 'locale_t' ], + } + end + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/ima/policy.conf') \ - .with_content(IO.read('spec/files/custom_ima_policy.conf')) } + it do + is_expected.to create_file('/etc/ima/policy.conf') + .with_content(IO.read('spec/files/custom_ima_policy.conf')) + end end context 'with the other ima params set' do - let(:params) {{ - measure_root_read_files: true, - measure_file_mmap: true, - measure_bprm_check: true, - measure_module_check: true, - appraise_fowner: true, - }} + let(:params) do + { + measure_root_read_files: true, + measure_file_mmap: true, + measure_bprm_check: true, + measure_module_check: true, + appraise_fowner: true, + } + end + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/ima/policy.conf') \ - .with_content(IO.read('spec/files/other_ima_policy.conf').chomp) } + it do + is_expected.to create_file('/etc/ima/policy.conf') + .with_content(IO.read('spec/files/other_ima_policy.conf').chomp) + end end end context 'with manage = false' do - let(:params) {{ - manage: false, - }} + let(:params) do + { + manage: false, + } + end + it { is_expected.to create_class('ima::policy') } - if os_facts[:operatingsystemmajrelease].to_s == '6' - it { is_expected.to create_file('/etc/init.d/import_ima_rules').with_ensure('absent') } - it { is_expected.to 
create_service('import_ima_rules').with({ - :ensure => 'stopped', - :enable => false, - }) } - else - it { is_expected.to create_file('/usr/lib/systemd/system/import_ima_rules.service').with_ensure('absent') } - it { is_expected.to create_service('import_ima_rules.service').with.with({ - :ensure => 'stopped', - :enable => false, - }) } + it { is_expected.to create_file('/usr/lib/systemd/system/import_ima_rules.service').with_ensure('absent') } + it do + is_expected.to create_service('import_ima_rules.service').with( + ensure: 'stopped', + enable: false, + ) end end - end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 223b5ac..e076f23 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,4 +1,5 @@ # frozen_string_literal: true + # # ------------------------------------------------------------------------------ # NOTICE: **This file is maintained with puppetsync** @@ -86,7 +87,7 @@ def set_hieradata(hieradata) # If nothing else... c.default_facts = { production: { - #:fqdn => 'production.rspec.test.localdomain', + # :fqdn => 'production.rspec.test.localdomain', path: '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', concat_basedir: '/tmp' } @@ -147,9 +148,9 @@ def set_hieradata(hieradata) # sanitize hieradata if defined?(hieradata) - set_hieradata(hieradata.gsub(':', '_')) + set_hieradata(hieradata.tr(':', '_')) elsif defined?(class_name) - set_hieradata(class_name.gsub(':', '_')) + set_hieradata(class_name.tr(':', '_')) end end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 9631ed6..88d7234 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -15,7 +15,6 @@ end end - RSpec.configure do |c| # ensure that environment OS is ready on each host fix_errata_on hosts 
@@ -31,27 +30,26 @@ c.before :suite do begin # Install modules and dependencies from spec/fixtures/modules - copy_fixture_modules_to( hosts ) + copy_fixture_modules_to(hosts) begin server = only_host_with_role(hosts, 'server') - rescue ArgumentError =>e + rescue ArgumentError => e server = only_host_with_role(hosts, 'default') end # Generate and install PKI certificates on each SUT Dir.mktmpdir do |cert_dir| - run_fake_pki_ca_on(server, hosts, cert_dir ) - hosts.each{ |sut| copy_pki_to( sut, cert_dir, '/etc/pki/simp-testing' )} + run_fake_pki_ca_on(server, hosts, cert_dir) + hosts.each { |sut| copy_pki_to(sut, cert_dir, '/etc/pki/simp-testing') } end # add PKI keys copy_keydist_to(server) rescue StandardError, ScriptError => e - if ENV['PRY'] - require 'pry'; binding.pry - else - raise e - end + raise e unless ENV['PRY'] + + require 'pry' + binding.pry # rubocop:disable Lint/Debugger end end end diff --git a/spec/unit/facter/ima_log_size_spec.rb b/spec/unit/facter/ima_log_size_spec.rb index cc97e76..c99f76f 100644 --- a/spec/unit/facter/ima_log_size_spec.rb +++ b/spec/unit/facter/ima_log_size_spec.rb 
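Review bot: `raise e unless ENV['PRY']` re-raises the rescued exception by its local name; inside a `rescue` clause a bare `raise unless ENV['PRY']` re-raises the current exception and is the usual Ruby form. The inner `rescue ArgumentError => e` binds an `e` that is never read (the outer handler has its own), so `rescue ArgumentError` is enough there. Both are leftovers the rubocop pass in this commit did not catch.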
@@ -1,26 +1,24 @@ require 'spec_helper' -describe 'ima_log_size', :type => :fact do - +describe 'ima_log_size', type: :fact do before :each do Facter.clear Facter.clear_messages end context 'the required file is not present' do - it 'should return nil' do - allow(File).to receive(:exists?).with('/sys/kernel/security/ima/ascii_runtime_measurements').and_return false + it 'returns nil' do + allow(File).to receive(:exist?).with('/sys/kernel/security/ima/ascii_runtime_measurements').and_return false expect(Facter.fact(:ima_log_size).value).to eq nil end end context 'the required file is present' do - it 'should read the contents of the file as an integer' do - allow(File).to receive(:exists?).with('/sys/kernel/security/ima/ascii_runtime_measurements').and_return true + it 'reads the contents of the file as an integer' do + allow(File).to receive(:exist?).with('/sys/kernel/security/ima/ascii_runtime_measurements').and_return true allow(Facter::Core::Execution).to receive(:execute).with('wc -c /sys/kernel/security/ima/ascii_runtime_measurements').and_return '1337' expect(Facter.fact(:ima_log_size).value).to eq 1337 end end - end diff --git a/spec/unit/facter/ima_security_attr_spec.rb b/spec/unit/facter/ima_security_attr_spec.rb index 0a0ca06..f7a1775 100644 --- a/spec/unit/facter/ima_security_attr_spec.rb +++ b/spec/unit/facter/ima_security_attr_spec.rb @@ -1,11 +1,10 @@ require 'spec_helper' -describe 'ima_security_attr', :type => :fact do - +describe 'ima_security_attr', type: :fact do before :each do Facter.clear Facter.clear_messages - allow(Facter).to receive(:value).with(:cmdline).and_return({'ima_appraise_tcb' => "", 'foo' => 'bar' }) + allow(Facter).to receive(:value).with(:cmdline).and_return({ 'ima_appraise_tcb' => '', 'foo' => 'bar' }) allow(Facter).to receive(:value).with(:puppet_vardir).and_return('/tmp') end 
@@ -14,29 +13,28 @@ allow(Facter::Core::Execution).to receive(:execute).with('ps -ef').and_return 'All kinds of junk and ima_security_attr_update.sh' end - it 'should return updating' do + it 'returns updating' do expect(Facter.fact(:ima_security_attr).value).to eq 'active' end end context 'The script is not running' do - before(:each) { allow(Facter::Core::Execution).to receive(:execute).with('ps -ef').and_return 'All kinds of junki\nAnd more junk\nbut not that which shall not be named'} + before(:each) { allow(Facter::Core::Execution).to receive(:execute).with('ps -ef').and_return 'All kinds of junki\nAnd more junk\nbut not that which shall not be named' } context 'The relabel file is not present' do - before(:each) { allow(File).to receive(:exists?).with('/tmp/simp/.ima_relabel').and_return(false) } + before(:each) { allow(File).to receive(:exist?).with('/tmp/simp/.ima_relabel').and_return(false) } - it 'should return inactive' do + it 'returns inactive' do expect(Facter.fact(:ima_security_attr).value).to eq 'inactive' end end context 'The relabel file is present' do - before(:each) { allow(File).to receive(:exists?).with('/tmp/simp/.ima_relabel').and_return(true) } + before(:each) { allow(File).to receive(:exist?).with('/tmp/simp/.ima_relabel').and_return(true) } - it 'should return inactive' do + it 'returns inactive' do expect(Facter.fact(:ima_security_attr).value).to eq 'need_relabel' end end - end end
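Review bot: Two example descriptions in this hunk contradict their assertions: `it 'returns updating'` expects the value 'active', and the last `it 'returns inactive'` (under 'The relabel file is present') expects 'need_relabel'. Rename them to `it 'returns active'` and `it 'returns need_relabel'` so a failure report names the state that was actually expected. Note also that the `ps -ef` stub 'All kinds of junk and ima_security_attr_update.sh' only passes because the fact does a bare substring search over the ps output; if the fact is ever tightened to match the script's own process, this stub is the line to update.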