testung

.fixtures.yml

@@ -0,0 +1,7 @@
+fixtures:
+  repositories:
+    stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+    concat: "git://github.com/puppetlabs/puppetlabs-concat.git"
+    eyplib: "git://github.com/NTTCom-MS/eyp-eyplib.git"
+  symlinks:
+    audit: "#{source_dir}"

.travis.yml

@@ -8,8 +8,38 @@ script:
 bundler_args: --without system_tests
 matrix:
   include:
+  - rvm: default
+    env: LINT=puppetcode
+    dist: trusty
+    bundler_args:
+    script: bundle exec rake lint
   - rvm: default
     env: LINT=metadata
     dist: trusty
     bundler_args:
     script: bundle exec rake metadata_lint
+  - rvm: default
+    env: JOB=validate
+    dist: trusty
+    bundler_args:
+    script: bundle exec rake validate
+  - rvm: default
+    env: BEAKER_set="centos5-docker" TEST=base
+    dist: trusty
+    bundler_args:
+    script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
+  - rvm: default
+    env: BEAKER_set="centos6-docker" TEST=base
+    dist: trusty
+    bundler_args:
+    script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
+  - rvm: default
+    env: BEAKER_set="centos7-docker"
+    dist: trusty
+    bundler_args:
+    script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
+  - rvm: default
+    env: BEAKER_set="ubuntu14-docker" TEST=base
+    dist: trusty
+    bundler_args:
+    script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb

manifests/init.pp

@@ -1,6 +1,9 @@
 # == Class: audit
 #
-class audit inherits audit::params {
+class audit (
+              $buffers='320',
+              $add_default_rules=true
+            ) inherits audit::params {
 
   package { $pkg_audit:
     ensure => 'installed',
@@ -12,5 +15,29 @@
     require => Package[$pkg_audit],
   }
 
+  concat { '/etc/audit/audit.rules':
+    ensure  => 'present',
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0640',
+    notify  => Service['auditd'],
+  }
+
+  concat::fragment{ '/etc/audit/audit.rules base':
+    target  => '/etc/audit/audit.rules',
+    order   => '00',
+    content => template("${module_name}/base_audit.erb"),
+  }
+
+  if($add_default_rules)
+  {
+    concat::fragment{ '/etc/audit/audit.rules default rules':
+      target  => '/etc/audit/audit.rules',
+      order   => '01',
+      content => template("${module_name}/default_rules.erb"),
+    }
+  }
+
+
 
 }

manifests/params.pp

@@ -8,9 +8,10 @@
     {
       case $::operatingsystemrelease
       {
-        /^6.*$/:
+        /^[5-7].*$/:
         {
           $pkg_audit='audit'
+          $sysconfig=true
         }
         default: { fail("Unsupported RHEL/CentOS version! - $::operatingsystemrelease")  }
       }
@@ -27,6 +28,7 @@
             /^14.*$/:
             {
               $pkg_audit='auditd'
+              $sysconfig=false
             }
             default: { fail("Unsupported Ubuntu version! - $::operatingsystemrelease")  }
           }

metadata.json

@@ -1,35 +1,36 @@
 {
   "name": "eyp-audit",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "author": "eyp",
   "summary": "auditd",
   "license": "Apache-2.0",
   "source": "",
   "project_page": null,
   "issues_url": null,
   "dependencies": [
-    {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"}
+    {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"},
+    {"name":"puppetlabs/concat","version_requirement":">= 1.2.3"}
   ],
   "operatingsystem_support": [
     {
       "operatingsystem": "RedHat",
-      "operatingsystemrelease": [ "6", "7" ]
+      "operatingsystemrelease": [ "5", "6", "7" ]
     },
     {
       "operatingsystem": "CentOS",
-      "operatingsystemrelease": [ "6", "7" ]
+      "operatingsystemrelease": [ "5", "6", "7" ]
     },
     {
       "operatingsystem": "Scientific",
-      "operatingsystemrelease": [ "6", "7" ]
+      "operatingsystemrelease": [ "5", "6", "7" ]
     },
     {
       "operatingsystem": "OEL",
-      "operatingsystemrelease": [ "6", "7" ]
+      "operatingsystemrelease": [ "5", "6", "7" ]
     },
     {
       "operatingsystem": "OracleLinux",
-      "operatingsystemrelease": [ "6", "7" ]
+      "operatingsystemrelease": [ "5", "6", "7" ]
     },
     {
       "operatingsystem": "Ubuntu",

spec/acceptance/base_deflate_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+  context 'mod_deflate' do
+    # Using puppet_apply as a helper
+    it 'should work with no errors' do
+      pp = <<-EOF
+
+      class { 'apache':
+        server_admin=> 'webmaster@localhost',
+        maxclients=> '150',
+        maxrequestsperchild=>'1000',
+        customlog_type=>'vhost_combined',
+        logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' },
+        add_defult_logformats=>true,
+        manage_docker_service => true,
+      }
+
+      class { 'apache::mod::deflate':
+    	}
+
+      EOF
+
+      # Run it twice and test for idempotency
+      expect(apply_manifest(pp).exit_code).to_not eq(1)
+      expect(apply_manifest(pp).exit_code).to eq(0)
+    end
+
+    it "apache configtest" do
+      expect(shell("apachectl configtest").exit_code).to be_zero
+    end
+
+    it "sleep 10 to make sure apache is started" do
+      expect(shell("sleep 10").exit_code).to be_zero
+    end
+
+    describe port(80) do
+      it { should be_listening }
+    end
+
+    describe package($packagename) do
+      it { is_expected.to be_installed }
+    end
+
+    describe service($servicename) do
+      it { should be_enabled }
+      it { is_expected.to be_running }
+    end
+
+    # general conf
+    describe file($modulesconf) do
+      it { should be_file }
+      its(:content) { should match 'deflate_module' }
+    end
+
+    #default vhost
+    describe file($deflateconf) do
+      it { should be_file }
+      its(:content) { should match 'DEFLATE' }
+    end
+
+  end
+
+end

spec/acceptance/base_modnss_spec.rb

@@ -0,0 +1,134 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+  context 'basic SSL setup' do
+    # Using puppet_apply as a helper
+    it 'should work with no errors' do
+      pp = <<-EOF
+
+      class { 'apache':
+        listen => [ '80', '443' ],
+        ssl => false,
+        manage_docker_service => true,
+      }
+
+      class { 'apache::mod::nss':
+       certdbpassword => '123lestresbesones',
+      }
+
+      apache::vhost {'default':
+        defaultvh=>true,
+        documentroot => '/var/www/void',
+      }
+
+      apache::vhost {'et2blog':
+        documentroot => '/var/www/et2blog',
+      }
+
+      file { '/var/www/et2blog/check.rspec':
+        ensure => 'present',
+        content => "\nOK\n",
+        require => Apache::Vhost[['et2blog','ssl ZnVja3RoYXRiaXRjaAo.com']],
+      }
+
+      apache::nss::cert { 'ZnVja3RoYXRiaXRjaAo':
+    		aliasname => 'ZnVja3RoYXRiaXRjaAo',
+    		selfsigned => true,
+    		cn => 'www.ZnVja3RoYXRiaXRjaAo.com',
+    		organization => 'systemadmin.es',
+    		organization_unit => 'shitty apache modules team',
+    		locality => 'barcelona',
+    		state => 'barcelona',
+    		country => 'RC', # Republica Catalana
+    	}
+
+    	apache::vhost {'ssl ZnVja3RoYXRiaXRjaAo.com':
+    		servername => 'ZnVja3RoYXRiaXRjaAo.com',
+    		order        => '11',
+    		port         => '443',
+    		documentroot => '/var/www/et2blog',
+    	}
+
+    	apache::nss {'ZnVja3RoYXRiaXRjaAo':
+    		servername => 'ZnVja3RoYXRiaXRjaAo.com',
+    		vhost_order     => '11',
+    		port      => '443',
+    		enforce_validcerts => false,
+    	}
+
+      EOF
+
+      # Run it twice and test for idempotency
+      expect(apply_manifest(pp).exit_code).to_not eq(1)
+      expect(apply_manifest(pp).exit_code).to eq(0)
+    end
+
+    it "apache configtest" do
+      expect(shell("apachectl configtest").exit_code).to be_zero
+    end
+
+    it "apache configtest mod_nss" do
+      expect(shell("apachectl -M 2>&1 | grep nss_module").exit_code).to be_zero
+    end
+
+    it "sleep 60 to make sure apache is started" do
+      expect(shell("sleep 60").exit_code).to be_zero
+    end
+
+    describe port(80) do
+      it { should be_listening }
+    end
+
+    describe port(443) do
+      it { should be_listening }
+    end
+
+    describe package($packagename) do
+      it { is_expected.to be_installed }
+    end
+
+    describe service($servicename) do
+      it { should be_enabled }
+      it { is_expected.to be_running }
+    end
+
+    #default vhost
+    describe file($defaultsiteconf) do
+      it { should be_file }
+      its(:content) { should match 'DocumentRoot /var/www/void' }
+    end
+
+    #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+    describe file($et2blogconf) do
+      it { should be_file }
+      its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+    end
+
+    #test vhost - /etc/httpd/conf.d/sites/00-et2blog-443.conf
+    describe file($nssvhostconf) do
+      it { should be_file }
+      its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+      its(:content) { should_not match 'SSLEngine on' }
+    end
+
+    it "HTTP 200 SSL ZnVja3RoYXRiaXRjaAo" do
+      expect(shell("curl -I https://localhost/check.rspec --insecure 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+    end
+
+    it "cname SSL cert ZnVja3RoYXRiaXRjaAo" do
+      expect(shell("echo | openssl s_client -connect localhost:443 2>/dev/null  | openssl x509 -noout -subject | grep 'CN=www.ZnVja3RoYXRiaXRjaAo.com'").exit_code).to be_zero
+    end
+
+    it "TLSv1 supported" do
+      expect(shell("echo | openssl s_client -connect localhost:443 -tls1 2>&1 | grep 'Session-ID:' | awk '{ print $NF }' | grep -v 'Session-ID:'").exit_code).to be_zero
+    end
+
+    it "key size: 2048" do
+      expect(shell("echo | openssl s_client -connect localhost:443 2>&1 | grep 'Server public key' | grep 2048").exit_code).to be_zero
+    end
+
+  end
+
+end