From 756b29504d7904da1d19d4a10f9678e4624f7ba7 Mon Sep 17 00:00:00 2001 
From: Jordi Prats Date: Mon, 13 Jun 2016 15:23:34 +0200 Subject: [PATCH] testung --- .fixtures.yml | 7 + .travis.yml | 30 ++ manifests/init.pp | 29 +- manifests/params.pp | 4 +- metadata.json | 15 +- spec/acceptance/base_deflate_spec.rb | 66 ++++ spec/acceptance/base_modnss_spec.rb | 134 +++++++++ spec/acceptance/base_modproxy_spec.rb | 98 ++++++ spec/acceptance/base_redirect_spec.rb | 150 ++++++++++ spec/acceptance/base_serverstatus_spec.rb | 229 ++++++++++++++ spec/acceptance/base_spec.rb | 133 +++++++++ spec/acceptance/base_ssl_spec.rb | 130 ++++++++ spec/acceptance/base_vhost_allowdeny_spec.rb | 298 +++++++++++++++++++ spec/acceptance/base_vhost_sorrypage_spec.rb | 180 +++++++++++ spec/acceptance/modphp_spec.rb | 158 ++++++++++ spec/acceptance/nodesets/centos5-docker.yml | 20 ++ spec/acceptance/nodesets/centos6-docker.yml | 16 + spec/acceptance/nodesets/centos7-docker.yml | 16 + spec/acceptance/nodesets/ubuntu14-docker.yml | 14 + spec/acceptance/version.rb | 50 ++++ spec/spec_helper_acceptance.rb | 47 +++ templates/base_audit.erb | 5 + templates/default_rules.erb | 56 ++++ 23 files changed, 1876 insertions(+), 9 deletions(-) create mode 100644 .fixtures.yml create mode 100644 spec/acceptance/base_deflate_spec.rb create mode 100644 spec/acceptance/base_modnss_spec.rb create mode 100644 spec/acceptance/base_modproxy_spec.rb create mode 100644 spec/acceptance/base_redirect_spec.rb create mode 100644 spec/acceptance/base_serverstatus_spec.rb create mode 100644 spec/acceptance/base_spec.rb create mode 100644 spec/acceptance/base_ssl_spec.rb create mode 100644 spec/acceptance/base_vhost_allowdeny_spec.rb create mode 100644 spec/acceptance/base_vhost_sorrypage_spec.rb create mode 100644 spec/acceptance/modphp_spec.rb create mode 100644 spec/acceptance/nodesets/centos5-docker.yml create mode 100644 spec/acceptance/nodesets/centos6-docker.yml create mode 100644 spec/acceptance/nodesets/centos7-docker.yml create mode 100644 spec/acceptance/nodesets/ubuntu14-docker.yml 
create mode 100644 spec/acceptance/version.rb create mode 100644 spec/spec_helper_acceptance.rb create mode 100644 templates/base_audit.erb create mode 100644 templates/default_rules.erb diff --git a/.fixtures.yml b/.fixtures.yml new file mode 100644 index 0000000..fa0ff7b --- /dev/null +++ b/.fixtures.yml @@ -0,0 +1,7 @@ +fixtures: + repositories: + stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git" + concat: "git://github.com/puppetlabs/puppetlabs-concat.git" + eyplib: "git://github.com/NTTCom-MS/eyp-eyplib.git" + symlinks: + audit: "#{source_dir}" diff --git a/.travis.yml b/.travis.yml index 3a305d0..aa723d5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -8,8 +8,38 @@ script: bundler_args: --without system_tests matrix: include: + - rvm: default + env: LINT=puppetcode + dist: trusty + bundler_args: + script: bundle exec rake lint - rvm: default env: LINT=metadata dist: trusty bundler_args: script: bundle exec rake metadata_lint + - rvm: default + env: JOB=validate + dist: trusty + bundler_args: + script: bundle exec rake validate + - rvm: default + env: BEAKER_set="centos5-docker" TEST=base + dist: trusty + bundler_args: + script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb + - rvm: default + env: BEAKER_set="centos6-docker" TEST=base + dist: trusty + bundler_args: + script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb + - rvm: default + env: BEAKER_set="centos7-docker" + dist: trusty + bundler_args: + script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb + - rvm: default + env: BEAKER_set="ubuntu14-docker" TEST=base + dist: trusty + bundler_args: + script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb diff --git a/manifests/init.pp b/manifests/init.pp index d2ce76e..893a641 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
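Review bot: The three fixture repositories in `.fixtures.yml` are fetched over `git://`, which is neither encrypted nor authenticated, and none of them is pinned, so every CI run executes whatever sits at the head of each upstream default branch. A network-level or upstream compromise thereby injects arbitrary Puppet code into the acceptance run, and an upstream breaking change silently turns into a red build. Use `https://` and a `ref`, e.g. `stdlib: { repo: "https://github.com/puppetlabs/puppetlabs-stdlib.git", ref: "<tag or sha>" }`, and do the same for `concat` and `eyplib`.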
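Review bot: The four beaker jobs run `sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb`, and the `;` means a failed docker restart is ignored and only surfaces later as an opaque beaker connection error; `sudo service docker restart && sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb` fails fast instead. The `centos7-docker` job is also the only one without `TEST=base`; nothing in this diff shows what reads `TEST`, but the matrix should be uniform either way. Note that the glob picks up every spec added in this commit, and all of them declare `class { 'apache': ... }` rather than the `audit` class this module ships, so these jobs cannot pass as committed.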
@@ -1,6 +1,9 @@ # == Class: audit # -class audit inherits audit::params { +class audit ( + $buffers='320', + $add_default_rules=true + ) inherits audit::params { package { $pkg_audit: ensure => 'installed', @@ -12,5 +15,29 @@ require => Package[$pkg_audit], } + concat { '/etc/audit/audit.rules': + ensure => 'present', + owner => 'root', + group => 'root', + mode => '0640', + notify => Service['auditd'], + } + + concat::fragment{ '/etc/audit/audit.rules base': + target => '/etc/audit/audit.rules', + order => '00', + content => template("${module_name}/base_audit.erb"), + } + + if($add_default_rules) + { + concat::fragment{ '/etc/audit/audit.rules default rules': + target => '/etc/audit/audit.rules', + order => '01', + content => template("${module_name}/default_rules.erb"), + } + } + + } diff --git a/manifests/params.pp b/manifests/params.pp index 853a385..2068635 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -8,9 +8,10 @@ { case $::operatingsystemrelease { - /^6.*$/: + /^[5-7].*$/: { $pkg_audit='audit' + $sysconfig=true } default: { fail("Unsupported RHEL/CentOS version! - $::operatingsystemrelease") } } @@ -27,6 +28,7 @@ /^14.*$/: { $pkg_audit='auditd' + $sysconfig=false } default: { fail("Unsupported Ubuntu version! - $::operatingsystemrelease") } } diff --git a/metadata.json b/metadata.json index 5f65eb4..85b3fdd 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "eyp-audit", - "version": "0.1.0", + "version": "0.1.1", "author": "eyp", "summary": "auditd", "license": "Apache-2.0", 
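Review bot: `$buffers='320'` and `$add_default_rules=true` are accepted without any validation, so a non-numeric `buffers` only fails later when auditd loads the generated rules, and under Puppet 3 semantics `if($add_default_rules)` treats the string `'false'` as true. puppetlabs/stdlib is already a dependency in metadata.json, so add `validate_integer($buffers)` and `validate_bool($add_default_rules)` as the first statements of the class body (bumping the stdlib requirement accordingly, since `validate_integer` is newer than the `>= 1.0.0` floor). Where `$buffers` is consumed is not visible in this hunk; presumably `templates/base_audit.erb`, which this chunk does not show.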
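Review bot: `concat { '/etc/audit/audit.rules': ... notify => Service['auditd'] }` assumes auditd reads that file as written, but on the EL7 targets that params.pp now accepts the stock auditd service unit regenerates `/etc/audit/audit.rules` from `/etc/audit/rules.d/*.rules` (`augenrules --load`) when it starts, which would overwrite the concat output and make every subsequent Puppet run rewrite the file and restart the service again. That behaviour is inferred from the platform, not from this diff, so confirm it on the centos7 nodeset; if it holds, write the fragments to `/etc/audit/rules.d/puppet.rules` on EL7, keeping the `0640` root:root mode. Also verify that `Service['auditd']` can actually be restarted there, since the EL7 unit refuses `systemctl stop`/`restart` and the notify may need an `Exec` instead.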
@@ -8,28 +8,29 @@ "project_page": null, "issues_url": null, "dependencies": [ - {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"} + {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"}, + {"name":"puppetlabs/concat","version_requirement":">= 1.2.3"} ], "operatingsystem_support": [ { "operatingsystem": "RedHat", - "operatingsystemrelease": [ "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7" ] }, { "operatingsystem": "CentOS", - "operatingsystemrelease": [ "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7" ] }, { "operatingsystem": "Scientific", - "operatingsystemrelease": [ "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7" ] }, { "operatingsystem": "OEL", - "operatingsystemrelease": [ "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7" ] }, { "operatingsystem": "OracleLinux", - "operatingsystemrelease": [ "6", "7" ] + "operatingsystemrelease": [ "5", "6", "7" ] }, { "operatingsystem": "Ubuntu", diff --git a/spec/acceptance/base_deflate_spec.rb b/spec/acceptance/base_deflate_spec.rb new file mode 100644 index 0000000..e510a23 --- /dev/null +++ b/spec/acceptance/base_deflate_spec.rb 
@@ -0,0 +1,66 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'mod_deflate' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + server_admin=> 'webmaster@localhost', + maxclients=> '150', + maxrequestsperchild=>'1000', + customlog_type=>'vhost_combined', + logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' }, + add_defult_logformats=>true, + manage_docker_service => true, + } + + class { 'apache::mod::deflate': + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + # general conf + describe file($modulesconf) do + it { should be_file } + its(:content) { should match 'deflate_module' } + end + + #default vhost + describe file($deflateconf) do + it { should be_file } + its(:content) { should match 'DEFLATE' } + end + + end + +end diff --git a/spec/acceptance/base_modnss_spec.rb b/spec/acceptance/base_modnss_spec.rb new file mode 100644 index 0000000..52caaa4 --- /dev/null +++ b/spec/acceptance/base_modnss_spec.rb 
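Review bot: This spec applies `class { 'apache': ... }` and `class { 'apache::mod::deflate': }` and reads `$packagename`, `$servicename`, `$modulesconf` and `$deflateconf` from `version.rb`; nothing in it touches the `audit` class this module ships, and `.fixtures.yml` supplies only stdlib, concat and eyplib, so `apply_manifest` cannot resolve `apache` and the example fails before any assertion runs. The `# Run it twice and test for idempotency` comment also promises more than the code does: without `--detailed-exitcodes` a second `puppet apply` that still changes resources exits 0, so `apply_manifest(pp, :catch_failures => true)` for the first run and `apply_manifest(pp, :catch_changes => true)` for the second are what make the idempotency check real. The `sleep 10` example is a wait dressed up as a test; `shell('sleep 10')` in a `before(:all)` keeps the report honest.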
@@ -0,0 +1,134 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'basic SSL setup' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + listen => [ '80', '443' ], + ssl => false, + manage_docker_service => true, + } + + class { 'apache::mod::nss': + certdbpassword => '123lestresbesones', + } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + file { '/var/www/et2blog/check.rspec': + ensure => 'present', + content => "\nOK\n", + require => Apache::Vhost[['et2blog','ssl ZnVja3RoYXRiaXRjaAo.com']], + } + + apache::nss::cert { 'ZnVja3RoYXRiaXRjaAo': + aliasname => 'ZnVja3RoYXRiaXRjaAo', + selfsigned => true, + cn => 'www.ZnVja3RoYXRiaXRjaAo.com', + organization => 'systemadmin.es', + organization_unit => 'shitty apache modules team', + locality => 'barcelona', + state => 'barcelona', + country => 'RC', # Republica Catalana + } + + apache::vhost {'ssl ZnVja3RoYXRiaXRjaAo.com': + servername => 'ZnVja3RoYXRiaXRjaAo.com', + order => '11', + port => '443', + documentroot => '/var/www/et2blog', + } + + apache::nss {'ZnVja3RoYXRiaXRjaAo': + servername => 'ZnVja3RoYXRiaXRjaAo.com', + vhost_order => '11', + port => '443', + enforce_validcerts => false, + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "apache configtest mod_nss" do + expect(shell("apachectl -M 2>&1 | grep nss_module").exit_code).to be_zero + end + + it "sleep 60 to make sure apache is started" do + expect(shell("sleep 60").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe port(443) do + it { should be_listening } + end 
+ + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + #default vhost + describe file($defaultsiteconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/void' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/et2blog' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-443.conf + describe file($nssvhostconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/et2blog' } + its(:content) { should_not match 'SSLEngine on' } + end + + it "HTTP 200 SSL ZnVja3RoYXRiaXRjaAo" do + expect(shell("curl -I https://localhost/check.rspec --insecure 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero + end + + it "cname SSL cert ZnVja3RoYXRiaXRjaAo" do + expect(shell("echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -subject | grep 'CN=www.ZnVja3RoYXRiaXRjaAo.com'").exit_code).to be_zero + end + + it "TLSv1 supported" do + expect(shell("echo | openssl s_client -connect localhost:443 -tls1 2>&1 | grep 'Session-ID:' | awk '{ print $NF }' | grep -v 'Session-ID:'").exit_code).to be_zero + end + + it "key size: 2048" do + expect(shell("echo | openssl s_client -connect localhost:443 2>&1 | grep 'Server public key' | grep 2048").exit_code).to be_zero + end + + end + +end diff --git a/spec/acceptance/base_modproxy_spec.rb b/spec/acceptance/base_modproxy_spec.rb new file mode 100644 index 0000000..7bc626b --- /dev/null +++ b/spec/acceptance/base_modproxy_spec.rb 
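Review bot: The `TLSv1 supported` example turns TLS 1.0 into a contractual property of the NSS vhost, so any later hardening that disables it fails this suite; the assertion that belongs here is the negative one — that SSLv3 is refused — which `base_ssl_spec.rb` in this same commit has and this spec omits. The fixture also hard-codes `certdbpassword => '123lestresbesones'`, sets `enforce_validcerts => false` and talks to the vhost with `curl --insecure`; acceptable for a self-signed test cert, but a one-line comment saying so would stop the pattern being copied into real manifests. `country => 'RC'` is not an ISO 3166-1 alpha-2 code; whether certutil accepts it is not visible here, but `'ES'` would avoid the question.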
@@ -0,0 +1,98 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'mod_proxy and co' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + listen => [ '80' ], + manage_docker_service => true, + } + + class { 'apache::mod::proxy': } + class { 'apache::mod::proxyajp': } + class { 'apache::mod::proxybalancer': } + class { 'apache::mod::proxyconnect': } + class { 'apache::mod::proxyhttp': } + class { 'apache::mod::proxyftp': } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + #default vhost + describe file($defaultsiteconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/void' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/et2blog' } + end + + it "sleep 10 to make sure mod_proxy is started" do + expect(shell("apachectl -M 2>&1 | grep proxy_module").exit_code).to be_zero + end + + it "sleep 10 to make sure mod_proxy_ajp is started" do + expect(shell("apachectl -M 2>&1 | grep proxy_ajp_module").exit_code).to be_zero + end + + it "sleep 10 to make sure mod_proxy_balancer is started" 
do + expect(shell("apachectl -M 2>&1 | grep proxy_balancer_module").exit_code).to be_zero + end + + it "sleep 10 to make sure mod_proxy_connect is started" do + expect(shell("apachectl -M 2>&1 | grep proxy_connect_module").exit_code).to be_zero + end + + it "sleep 10 to make sure mod_proxy_http is started" do + expect(shell("apachectl -M 2>&1 | grep proxy_http_module").exit_code).to be_zero + end + + it "sleep 10 to make sure mod_proxy_ftp is started" do + expect(shell("apachectl -M 2>&1 | grep proxy_ftp_module").exit_code).to be_zero + end + + end + +end diff --git a/spec/acceptance/base_redirect_spec.rb b/spec/acceptance/base_redirect_spec.rb new file mode 100644 index 0000000..8654af4 --- /dev/null +++ b/spec/acceptance/base_redirect_spec.rb 
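Review bot: The six `apachectl -M` examples are titled `sleep 10 to make sure mod_proxy… is started` but sleep nowhere and only grep the module list, so a failure report would point at a wait that does not exist; name them for what they check, e.g. `it "mod_proxy_ajp is loaded"`. More substantively, the manifest loads `mod_proxy_connect` and `mod_proxy_ftp` on a vhost listening on port 80 and asserts nothing about forward proxying: whether `apache::mod::proxy` emits `ProxyRequests Off` is not visible here, but an example that sends a `CONNECT` through it (`curl -p -x localhost:80 https://example.org/`) and expects an HTTP error rather than a tunnel would catch the open-proxy regression those two modules make possible.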
@@ -0,0 +1,150 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'redirect' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + server_admin=> 'webmaster@localhost', + maxclients=> '150', + maxrequestsperchild=>'1000', + add_defult_logformats=>true, + manage_docker_service => true, + } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + apache::redirect { 'et2blog': + path => '/', + url => 'http://systemadmin.es/', + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match 'Redirect' } + its(:content) { should match 'http://systemadmin.es/' } + end + + it "redirect 301" do + expect(shell("curl -I localhost -H 'Host: et2blog' 2>/dev/null | grep '^HTTP' | head -n1 | grep 301").exit_code).to be_zero + end + + it "redirect url" do + expect(shell("curl -I localhost -H 'Host: et2blog' 2>/dev/null | grep '^Location' | head -n1 | grep systemadmin.es").exit_code).to be_zero + end + + end + + context 'redirectmatch' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + server_admin=> 'webmaster@localhost', + maxclients=> '150', + 
maxrequestsperchild=>'1000', + customlog_type=>'vhost_combined', + logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' }, + add_defult_logformats=>true, + manage_docker_service => true, + } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + apache::redirect { 'et2blog': + match => '/lol', + url => 'http://systemadmin.es/', + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match 'RedirectMatch' } + its(:content) { should match 'http://systemadmin.es/' } + end + + it "redirect 301" do + expect(shell("curl -I localhost/lol -H 'Host: et2blog' 2>/dev/null | grep '^HTTP' | head -n1 | grep 301").exit_code).to be_zero + end + + it "redirect url" do + expect(shell("curl -I localhost/lol -H 'Host: et2blog' 2>/dev/null | grep '^Location' | head -n1 | grep systemadmin.es").exit_code).to be_zero + end + + end + +end diff --git a/spec/acceptance/base_serverstatus_spec.rb b/spec/acceptance/base_serverstatus_spec.rb new file mode 100644 index 0000000..9accd9c --- /dev/null +++ b/spec/acceptance/base_serverstatus_spec.rb 
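Review bot: `its(:content) { should match 'Redirect' }` in the `redirect` context is also satisfied by a `RedirectMatch` line, and both `redirect url` examples only check that `systemadmin.es` occurs somewhere in the `Location` header, so a redirect to `http://systemadmin.es.example.net/` or a stale `RedirectMatch` from another run would pass. Anchor them: `should match /^\s*Redirect\s/` for the directive and `grep '^Location: http://systemadmin.es/'` for the header. Since `match` with a string argument is compiled as a regular expression, `'http://systemadmin.es/'` also matches `http://systemadminXes/`; use `%r{http://systemadmin\.es/}` where literal text is intended.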
@@ -0,0 +1,229 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'basic setup' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + listen => [ '80', '81' ], + manage_docker_service => true, + } + + apache::vhost {'default': + defaultvh => true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + apache::serverstatus {'et2blog': + allowedip => undef, + } + + apache::vhost {'systemadmin.es': + order => '10', + port => '81', + documentroot => '/var/www/systemadmin', + } + + apache::serverstatus {'systemadmin.es': + order => '10', + port => '81', + allowedip => [ '1.1.1.1','2.2.2.2','4.4.4.4 5.5.5.5','127.','::1' ], + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + it "curl defaultvh http://localhost:80/server-status" do + expect(shell("curl http://localhost:80/server-status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero + end + + it "curl et2blog http://localhost:80/server-status" do + expect(shell("curl http://localhost:80/server-status -H 'Host: et2blog' 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero + end + + it "curl port 81 http://localhost:81/server-status" do + expect(shell("curl http://localhost:81/server-status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should 
be_enabled } + it { is_expected.to be_running } + end + + #default vhost + describe file($defaultvhconf) do + it { should be_file } + its(:content) { should match '' } + its(:content) { should match 'SetHandler server-status' } + its(:content) { should match '' } + end + + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match '' } + its(:content) { should match 'SetHandler server-status' } + its(:content) { should match '' } + end + + describe file($systemadminconf) do + it { should be_file } + its(:content) { should match '' } + its(:content) { should match 'SetHandler server-status' } + its(:content) { should match '' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf + + end + + context 'custom url' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + listen => [ '80', '81' ], + manage_docker_service => true, + } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + apache::serverstatus {'et2blog': + serverstatus_url => '/random_status', + allowedip => undef, + } + + apache::vhost {'systemadmin.es': + order => '10', + port => '81', + documentroot => '/var/www/systemadmin', + } + + apache::serverstatus {'systemadmin.es': + serverstatus_url => '/random_status', + order => '10', + port => '81', + allowedip => ['1.1.1.1','2.2.2.2','4.4.4.4 5.5.5.5','127.','::1'], + } + + apache::vhost {'awscli.com': + order => '11', + port => '81', + documentroot => '/var/www/void', + } + + apache::serverstatus {'awscli.com': + serverstatus_url => '/fucker_status', + order => '11', + port => '81', + allowedip => [ '1.1.1.1' ], + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to 
be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + it "curl defaultvh http://localhost:80/server-status" do + expect(shell("curl http://localhost:80/server-status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero + end + + it "curl et2blog http://localhost:80/random_status" do + expect(shell("curl http://localhost:80/random_status -H 'Host: et2blog' 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero + end + + it "curl port 81 http://localhost:81/random_status" do + expect(shell("curl http://localhost:81/random_status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero + end + + it "403 forbidden curl port 81 http://awscli.com:81/random_status" do + expect(shell("curl -I localhost:81/fucker_status -H 'Host: awscli.com' 2>/dev/null | grep ^HTT | grep -i '403 Forbidden' > /dev/null").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe port(81) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + #default vhost + describe file($defaultvhconf) do + it { should be_file } + its(:content) { should match '' } + its(:content) { should match 'SetHandler server-status' } + its(:content) { should match '' } + end + + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match '' } + its(:content) { should match 'SetHandler server-status' } + its(:content) { should match '' } + end + describe file($systemadminconf) do + it { should be_file } + its(:content) { should match '' } + its(:content) { should match 'SetHandler server-status' } + its(:content) { should match '' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf + end + +end 
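Review bot: `apache::serverstatus {'et2blog': allowedip => undef }` together with the `curl et2blog http://localhost:80/server-status` example makes an unrestricted `/server-status` the expected behaviour of that vhost, and the `curl defaultvh` example expects a status page on the `default` vhost, which never declares `apache::serverstatus` at all — if that passes, the handler is reaching other vhosts, which should be understood before it is enshrined in a test. Separately, every `its(:content) { should match '' }` line is vacuous, since an empty pattern matches any content (the `<Location …>` text they presumably once held is gone), and the last example is titled `…awscli.com:81/random_status` while it requests `/fucker_status`. Restore the intended patterns, e.g. `should match %r{<Location /server-status>}`, or delete those lines so the block does not look better covered than it is.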
diff --git a/spec/acceptance/base_spec.rb b/spec/acceptance/base_spec.rb new file mode 100644 index 0000000..abf41bc --- /dev/null +++ b/spec/acceptance/base_spec.rb 
@@ -0,0 +1,133 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'basic setup' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + server_admin=> 'webmaster@localhost', + maxclients=> '150', + maxrequestsperchild=>'1000', + customlog_type=>'vhost_combined', + logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' }, + add_defult_logformats=>true, + manage_docker_service => true, + } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + apache::vhost {'testing.lol': + order => '77', + serveradmin => 'root@lolcathost.lol', + serveralias => [ '1.testing.lol', '2.testing.lol' ], + documentroot => '/var/www/testing/', + options => [ 'Indexes', 'FollowSymLinks', 'MultiViews' ], + rewrites => [ 'RewriteCond %{HTTP_HOST} !^testing\.lol', 'RewriteRule ^/(.*)$ http://www\.testing\.lol/$1 [R=301,L]' ], + aliasmatch => { 'RUC/lol' => '/var/www/testing/hc.php', + '(.*)' => '/var/www/testing/cc.php'}, + scriptalias => { '/cgi-bin/' => '"/var/www/testing/cgi-bin/"' }, + directoryindex => [ 'index.php', 'lolindex.php', 'lol.html' ], + } + + apache::directory {'/var/www/testing/cgi-bin/': + vhost_order => '77', + servername => 'testing.lol', + options => [ '+ExecCGI', '-Includes' ], + allowoverride => 'None', + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it "sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } 
+ end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + # general conf + describe file($generalconf) do + it { should be_file } + its(:content) { should match 'MaxRequestsPerChild 1000' } + its(:content) { should match 'MaxClients 150' } + its(:content) { should match 'ServerLimit 150' } + its(:content) { should match 'ServerAdmin webmaster@localhost' } + its(:content) { should match 'access_log vhost_combined' } + its(:content) { should match 'LogFormat "%{User-agent}i" agent' } + #TODO: arreglar + #its(:content) { should match /LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined/ } + end + + #default vhost + describe file($defaultsiteconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/void' } + end + + #et2 vhost + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/et2blog' } + end + + #testing vhost + describe file($testingconf) do + it { should be_file } + #TODO: arreglar + #its(:content) { should match // } + its(:content) { should match 'DocumentRoot /var/www/testing' } + its(:content) { should match 'ServerName testing.lol' } + its(:content) { should match 'ServerAlias 1.testing.lol' } + its(:content) { should match 'ServerAlias 2.testing.lol' } + its(:content) { should match 'ServerAdmin root@lolcathost.lol' } + its(:content) { should match 'DirectoryIndex index.php lolindex.php lol.html' } + its(:content) { should match 'Options Indexes FollowSymLinks MultiViews' } + its(:content) { should match 'RewriteEngine On' } + #TODO: arreglar + #its(:content) { should match /RewriteCond %{HTTP_HOST} !^testing\.lol/ } + #its(:content) { should match /RewriteRule ^\/(.*)$ http:\/\/www\.testing\.lol\/$1 [R=301,L]/ } + its(:content) { should match 'AliasMatch RUC/lol /var/www/testing/hc.php' } + its(:content) { should match 'AliasMatch (.*) /var/www/testing/cc.php' } + 
its(:content) { should match 'ScriptAlias /cgi-bin/ "/var/www/testing/cgi-bin/"' } + its(:content) { should match 'Directory /var/www/testing' } + its(:content) { should match '' } + its(:content) { should match '' } + its(:content) { should match 'AllowOverride None' } + #TODO: arreglar + #its(:content) { should match /Options +ExecCGI -Includes/ } + its(:content) { should match '' } + end + + end + +end diff --git a/spec/acceptance/base_ssl_spec.rb b/spec/acceptance/base_ssl_spec.rb new file mode 100644 index 0000000..2657663 --- /dev/null +++ b/spec/acceptance/base_ssl_spec.rb 
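Review bot: `its(:content) { should match '…' }` compiles its string argument into a regular expression, so several assertions here do not check what they read as: the three `should match ''` lines match any file (the `<Directory …>` patterns they presumably replaced are gone), and `'AliasMatch (.*) /var/www/testing/cc.php'` turns `(.*)` into a wildcard group, passing for any first argument rather than the literal `(.*)` the manifest configures. Use `should include 'AliasMatch (.*) /var/www/testing/cc.php'` for literal text and restore the intended patterns where the empty ones are; the same regex-escaping problem is likely why the `#TODO: arreglar` lines had to be commented out. The fixture also sets `Options Indexes FollowSymLinks MultiViews`, a catch-all `'(.*)'` AliasMatch and `'+ExecCGI'` on the cgi-bin directory; fine for a test vhost, but a one-line comment marking them deliberately permissive stops them being copied as defaults.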
@@ -0,0 +1,130 @@ +require 'spec_helper_acceptance' +require_relative './version.rb' + +describe 'apache class' do + + context 'basic SSL setup' do + # Using puppet_apply as a helper + it 'should work with no errors' do + pp = <<-EOF + + class { 'apache': + listen => [ '80', '443' ], + ssl => true, + manage_docker_service => true, + } + + apache::vhost {'default': + defaultvh=>true, + documentroot => '/var/www/void', + } + + apache::vhost {'et2blog': + documentroot => '/var/www/et2blog', + } + + apache::vhost {'et2blog_ssl': + documentroot => '/var/www/et2blog', + port => 443, + certname => 'cert_et2blog_ssl', + use_intermediate => false, + } + + apache::cert {'cert_et2blog_ssl': + pk_file => '/tmp/pk', + cert_file => '/tmp/cert', + require => File[['/tmp/cert','/tmp/pk']], + } + + file { '/var/www/et2blog/check.rspec': + ensure => 'present', + content => "\nOK\n", + require => Apache::Vhost[['et2blog','et2blog_ssl']], + } + + file { '/tmp/cert': + ensure => 'present', + content => "-----BEGIN 
CERTIFICATE-----\nMIIDPDCCAiQCCQCKavwUiENvADANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJD\nQTESMBAGA1UECAwJQmFyY2Vsb25hMRIwEAYDVQQHDAlCYXJjZWxvbmExFzAVBgNV\nBAoMDnN5c3RlbWFkbWluLmVzMRAwDgYDVQQDDAdldDJibG9nMB4XDTE2MDIyMzE0\nNTA0OFoXDTQzMDcxMTE0NTA0OFowYDELMAkGA1UEBhMCQ0ExEjAQBgNVBAgMCUJh\ncmNlbG9uYTESMBAGA1UEBwwJQmFyY2Vsb25hMRcwFQYDVQQKDA5zeXN0ZW1hZG1p\nbi5lczEQMA4GA1UEAwwHZXQyYmxvZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAM80rpsjhS6H/zH7UaX0ByJMIDKC82a5cz+1R+ylVsqagmE5TuJkF9gx\nj8tNBRz+Pj3Ef/GbPNaDAICAm6eT5xOI4q789R6ONnE5IZkKghtQFzllWDDlT6Yz\n8YSFgeFLNZhIbd6/xzmSrigwK6VpX3J2Bdf5Kzu4dV0xgygxvlYaM87lNmKUfXa+\nYzTM/XyvsIV7Y5PSF9E5TgtKiUu4tdBscWXB/SR59WLAGBGK7lh/3Q0bZZ6aiXn3\n9atVIG0pX6+nOiwcfUwZU3iu1jZBT3AzR6a9HtWd4Kas9pbygWA4Rg/CMeebp9o/\n4SzbMQsGFs26KSgkXIO8QI3tvC1qRqkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\nS+97Qm+rr9/hKo+uEDGUwrMOVE4ArOaacD65De5+7sk5Fj0qAz/RCYRnRFPf5j7j\ns1vaaslohxwwHIaP6oMCMLAFU1kpj3Nn12uPpqinLxJCUBSToCtA7vvg+TXYYcIV\n++rZJEaWZY4OIOaBn3q6vUvyaSQM2npN/xGe4StfOPTR72YkiXTGJqlJU/qxyKxz\nAoW4ov3rHBbRq4O0pxuGdlRloInLzV8echzTvefoMU/PI8jEKj6q76Bt5GsAL5ND\nfAuNWh6XaJSYTFzrycusCQ1cYlvYPZCCZIPLYaTbzBdfbj0Qe3EhYzeh3Q36DIYc\nBAZtMTRqjKRr7bBdyR1wHQ==\n-----END CERTIFICATE-----\n", + before => Apache::Vhost['et2blog_ssl'], + } + + file { '/tmp/pk': + ensure => 'present', + content => "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEpQIBAAKCAQEAzzSumyOFLof/MftRpfQHIkwgMoLzZrlzP7VH7KVWypqCYTlO\n4mQX2DGPy00FHP4+PcR/8Zs81oMAgICbp5PnE4jirvz1Ho42cTkhmQqCG1AXOWVY\nMOVPpjPxhIWB4Us1mEht3r/HOZKuKDArpWlfcnYF1/krO7h1XTGDKDG+VhozzuU2\nYpR9dr5jNMz9fK+whXtjk9IX0TlOC0qJS7i10GxxZcH9JHn1YsAYEYruWH/dDRtl\nnpqJeff1q1UgbSlfr6c6LBx9TBlTeK7WNkFPcDNHpr0e1Z3gpqz2lvKBYDhGD8Ix\n55un2j/hLNsxCwYWzbopKCRcg7xAje28LWpGqQIDAQABAoIBAHrhkVMr44XO3Ub0\n9lzmtXxfjRCnnFWlUXXMulTbUPdiXkPuSpv0JDfwXIiCqq+hD6Rt7jqIh7Hnitqq\naqUdD4MEQPrpxSxTxnGrIgOyuaoc+0jskzqcI3o7f9XJn1bO1X/0JERfk3TPSj1H\nI/s63IHzAFAu0rbeE6wq+s9RgMFqQ3Zg0VQn5t57AdtCuw72rQAz5QpXIcOxDnSh\nepyoOdipOhevbFJ1ZNyLG6MMOr7t5lrv8wyRgWYJrJzNjLd7N+DaqVToVDimn1+2\ncccgF6shkaS8Mc0nsoySqbqmAFjfMjLDmCXTRMNauzx/NhV738OIW59NDzJhY/Mk\nOY4sx+kCgYEA5rnpyim1NIQw7wIeyyILLV1a4yyfHxvmEXFin3WCTaA+aUS3aPyi\n9GHux6IYcTSVD0G+/aRVDTOvURWlA7oRLH+GGwnE+698u65+m8Pd90ZRaHoCPDVR\nIhfp87ePS2XTIXxVWbNHjXL2U4+Llm2ahbLjO7LBXX0ciH62IxVqYGcCgYEA5ecz\n1V3KEaSKQ4HPQo84PWW/HXgFPud/Wovqhtm2DfhvkJZGc7yLOLAXQD5+2M6Mg05b\nHYEtYNL0xr2JX0Ih6bt2KxXXqd0Jnctw6dP6XBuKmwof19rEVcYsr9GEhR5ZNr4K\n7u616Yn59IfckcVcxyjUOCri4YVgCUiWI7Btdm8CgYEAoDEobyJyG1pEl01DkAm8\n9OxCNERA3lqCbE3rCYeOxtKhQnlhVlVB1qdAH/8dNUwqygL91iEIpDfkW0nJ3kKL\ntfd8Zr1rtMtssOpAIWnmbM63qvA7KQ5jnGY6GuqxZMn3wuIOaE8fOMg+2llpszG5\n/WXsewBrXLuG2gYP81/lEbUCgYEAgS6FwJl/xqQXENGq/TJunolCdzOOdwcrV1yR\nPo6srnLvdWYLVlMWQ5cmqXG0YuzEpa9soUqJjgNbiSTNQNpvJd+xCYqvcQIDuker\nPahf4EuVeYKZ2/dQJQZC69Qly4r/BDSK/jDhxMVDzzRcKwikFkCJ5rmqXKBOE0lX\nG9yx1T8CgYEApqteiivtjqyzNl68OjJkdz4dQd32qDADphd6nVkvLBal9QlLH7tP\nFuE9sC1C7x4/dDzjy0zKJG1Cs6Ua7nnoZ+T149Q5DRRbCs2Csy8GaIsPc5oTjFx3\n6YoHI2TZzcP7Wk+hF1mKxqntXHZTYOtx0WtoZ6b6qlj+Obvy7UzJD4g=\n-----END RSA PRIVATE KEY-----\n", + before => Apache::Vhost['et2blog_ssl'], + } + + EOF + + # Run it twice and test for idempotency + expect(apply_manifest(pp).exit_code).to_not eq(1) + expect(apply_manifest(pp).exit_code).to eq(0) + end + + it "apache configtest" do + expect(shell("apachectl configtest").exit_code).to be_zero + end + + it 
"sleep 10 to make sure apache is started" do + expect(shell("sleep 10").exit_code).to be_zero + end + + describe port(80) do + it { should be_listening } + end + + describe port(443) do + it { should be_listening } + end + + describe package($packagename) do + it { is_expected.to be_installed } + end + + describe service($servicename) do + it { should be_enabled } + it { is_expected.to be_running } + end + + #default vhost + describe file($defaultsiteconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/void' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf + describe file($et2blogconf) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/et2blog' } + end + + #test vhost - /etc/httpd/conf.d/sites/00-et2blog-443.conf + describe file($et2blogconfssl) do + it { should be_file } + its(:content) { should match 'DocumentRoot /var/www/et2blog' } + its(:content) { should match 'SSLEngine on' } + end + + it "HTTP 200 SSL et2blog" do + expect(shell("curl -I https://localhost/check.rspec --insecure 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero + end + + it "cname SSL cert et2blog" do + expect(shell("echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -subject | grep 'CN=et2blog'").exit_code).to be_zero + end + + it "TLSv1 supported" do + expect(shell("echo | openssl s_client -connect localhost:443 -tls1 2>&1 | grep 'Session-ID:' | awk '{ print $NF }' | grep -v 'Session-ID:'").exit_code).to be_zero + end + + it "SSLv3 disabled" do + expect(shell("echo | openssl s_client -connect localhost:443 -ssl3 2>&1 | grep 'alert handshake failure'").exit_code).to be_zero + end + + it "key size: 2048" do + expect(shell("echo | openssl s_client -connect localhost:443 2>&1 | grep 'Server public key' | grep 2048").exit_code).to be_zero + end + + end + +end 
diff --git a/spec/acceptance/base_vhost_allowdeny_spec.rb b/spec/acceptance/base_vhost_allowdeny_spec.rb new file mode 100644 index 0000000..7220cd2 --- /dev/null +++ b/spec/acceptance/base_vhost_allowdeny_spec.rb 
@@ -0,0 +1,298 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context ' allowedip 127.0.0.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ allowedip => [ '127.0.0.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 200 et2blog" do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | grep OK").exit_code).to be_zero
+ end
+
+ end
+
+ context ' allowedip 1.1.1.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ allowedip => [ '1.1.1.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "et2blog should return 403 " do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 403 Forbidden'").exit_code).to be_zero
+ end
+
+ end
+
+ context ' deniedip 127.0.0.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ deniedip => [ '127.0.0.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "et2blog should return 403 " do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 403 Forbidden'").exit_code).to be_zero
+ end
+
+ end
+
+ context ' deniedip 1.1.1.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ deniedip => [ '1.1.1.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 200 et2blog" do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | grep OK").exit_code).to be_zero
+ end
+
+ end
+
+end
diff --git a/spec/acceptance/base_vhost_sorrypage_spec.rb b/spec/acceptance/base_vhost_sorrypage_spec.rb
new file mode 100644
index 0000000..bcba5af
--- /dev/null
+++ b/spec/acceptance/base_vhost_sorrypage_spec.rb
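Review bot: The `# Run it twice and test for idempotency` pair in each context does not test what the comment says: without `--detailed-exitcodes`, `puppet apply` exits 0 both when it changed resources and when a resource failed, so `to_not eq(1)` only catches compile errors and `eq(0)` on the second run is satisfied by a non-idempotent manifest. Beaker's option form expresses the intent directly: `apply_manifest(pp, :catch_failures => true)` for the first run and `apply_manifest(pp, :catch_changes => true)` for the second (both add `--detailed-exitcodes`; the first rejects 4/6, the second rejects 2). The same pattern appears in the sorrypage and modphp hunks below and in the ssl hunk above. These specs declare `class { 'apache': ... }` and `apache::vhost`, while `spec_helper_acceptance.rb` in this commit installs the module under test as `audit`; unless that module ships an apache class, every `apply_manifest` here fails before any of the port/file assertions run. The four contexts are near-identical ~70-line copies that differ only in `allowedip`/`deniedip`; a small helper that builds the manifest from those two values would make the actual difference between contexts visible at a glance.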
@@ -0,0 +1,180 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context ' enabling sorrypage' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ site_running => false,
+ custom_sorrypage => { 'path' => '/var/www/et2blog',
+ 'errordocument' => 'maintenance.html',
+ },
+ }
+
+ file { '/var/www/et2blog/maintenance.html':
+ ensure => 'present',
+ content => "\nSorryPage\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 503 et2blog" do
+ expect(shell("curl -I 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 503'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | grep SorryPage").exit_code).to be_zero
+ end
+
+ end
+
+ context ' enabling sorrypage and exclude healthcheck' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ site_running => false,
+ custom_sorrypage => { 'path' => '/var/www/et2blog',
+ 'errordocument' => 'maintenance.html',
+ 'healthcheck' => 'healthcheck.html'
+ },
+ }
+
+ file { '/var/www/et2blog/maintenance.html':
+ ensure => 'present',
+ content => "\nSorryPage\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+
+ file { '/var/www/et2blog/healthcheck.html':
+ ensure => 'present',
+ content => "\nHealthCheck\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 503 et2blog" do
+ expect(shell("curl -I 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 503'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | grep SorryPage").exit_code).to be_zero
+ end
+
+ it "check content et2blog healthcheck" do
+ expect(shell("curl 127.0.0.1/healthcheck.html -H 'Host: et2blog' 2>/dev/null | grep HealthCheck").exit_code).to be_zero
+ end
+
+ it "check 200 et2blog healthcheck" do
+ expect(shell("curl -I 127.0.0.1/healthcheck.html -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ end
+
+end
diff --git a/spec/acceptance/modphp_spec.rb b/spec/acceptance/modphp_spec.rb
new file mode 100644
index 0000000..aa7d1e1
--- /dev/null
+++ b/spec/acceptance/modphp_spec.rb
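Review bot: The healthcheck context asserts 200 for `/healthcheck.html` and 503 for `/`, but nothing asserts that a third, non-excluded path is still blocked, so an exclusion that matches too broadly (every `.html`, say) would pass; add an example that requests e.g. `/other.html` with `-H 'Host: et2blog'` and expects `HTTP/1.1 503`. Both contexts rely on `sleep 10` as the readiness wait; polling `port(80)` for a bounded time would be faster and less flaky than a fixed delay. The first heredoc carries three empty lines before `EOF`, which is harmless but looks like leftover editing.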
@@ -0,0 +1,158 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'mod_php class' do
+
+ context 'basic setup' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ class { 'apache::mod::php': }
+
+ file { '/var/www/void/phpinfo.php':
+ ensure=> 'present',
+ mode => '0666',
+ content => "\n",
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #et2blog
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "php module loaded" do
+ expect(shell("apachectl -M | grep php").exit_code).to be_zero
+ end
+
+ it "phpinfo HTTP 200" do
+ expect(shell("curl -I localhost/phpinfo.php 2>/dev/null| grep ^HTTP | grep 200").exit_code).to be_zero
+ end
+
+ it "phpinfo" do
+ expect(shell("curl localhost/phpinfo.php 2>/dev/null| grep 'PHP License'").exit_code).to be_zero
+ end
+
+ end
+
+ context 'php uninstall' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ class { 'apache::mod::php':
+ ensure => 'purged',
+ }
+
+ file { '/var/www/void/phpinfo.php':
+ ensure=> 'present',
+ mode => '0666',
+ content => "\n",
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "phpinfo HTTP 200" do
+ expect(shell("curl -I localhost/phpinfo.php 2>/dev/null| grep ^HTTP | grep 200").exit_code).to be_zero
+ end
+
+ it "phpinfo contents" do
+ expect(shell("curl localhost/phpinfo.php 2>/dev/null| grep 'phpinfo()'").exit_code).to be_zero
+ end
+
+ end
+
+end
diff --git a/spec/acceptance/nodesets/centos5-docker.yml b/spec/acceptance/nodesets/centos5-docker.yml
new file mode 100644
index 0000000..a929d16
--- /dev/null
+++ b/spec/acceptance/nodesets/centos5-docker.yml
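Review bot: The `php uninstall` context applies `ensure => 'purged'` but never asserts the negative, so it would pass with PHP still loaded; add `it "php module not loaded" do`, `expect(shell("apachectl -M | grep php").exit_code).to_not be_zero`, `end` next to the configtest example. `mode => '0666'` makes `phpinfo.php` world-writable inside the document root in both contexts; `0644` is all Apache needs to read it. The file's `content => "\n"` shows no PHP code at all in this rendering, which would make both `grep 'PHP License'` and `grep 'phpinfo()'` fail; if a `<?php phpinfo(); ?>` body was lost when the diff was rendered, disregard this last point.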
@@ -0,0 +1,20 @@
+HOSTS:
+ centos-5-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-5-x86_64
+ hypervisor : docker
+ image: tianon/centos:5.10
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum clean all'
+ - 'yum install -y gcc make crontabs tar wget java-1.7.0-openjdk java-1.7.0-openjdk-devel'
+ - 'wget https://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs -O /tmp/RPM-GPG-KEY-puppetlabs'
+ - 'rpm --import /tmp/RPM-GPG-KEY-puppetlabs'
+ - 'rpm --replacepkgs -ivh http://yum.puppetlabs.com/puppetlabs-release-el-5.noarch.rpm'
+CONFIG:
+ type: foss
+ log_level: debug
diff --git a/spec/acceptance/nodesets/centos6-docker.yml b/spec/acceptance/nodesets/centos6-docker.yml
new file mode 100644
index 0000000..b54ef32
--- /dev/null
+++ b/spec/acceptance/nodesets/centos6-docker.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ centos-6-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-6-x86_64
+ hypervisor : docker
+ image: centos:6
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum install -y gcc make crontabs tar wget curl'
+CONFIG:
+ type: foss
+ log_level: debug
diff --git a/spec/acceptance/nodesets/centos7-docker.yml b/spec/acceptance/nodesets/centos7-docker.yml
new file mode 100644
index 0000000..e99b37c
--- /dev/null
+++ b/spec/acceptance/nodesets/centos7-docker.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ centos-7-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-7-x86_64
+ hypervisor : docker
+ image: centos:7
+ docker_preserve_image: true
+ docker_cmd: '["/usr/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum install -y gcc make crontabs tar wget iproute java-1.7.0-openjdk java-1.7.0-openjdk-devel'
+CONFIG:
+ type: foss
+ log_level: debug
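Review bot: The last `docker_image_commands` entry installs `puppetlabs-release-el-5.noarch.rpm` over plain http, while the signing key two lines above is fetched over https; rpm does verify the package signature against the key just imported, but using the https URL for the package as well removes the dependence on that check and matches the key line. `tianon/centos:5.10` is an unofficial, end-of-life base image, which is acceptable for a throwaway test container but deserves a one-line comment such as `# unofficial EL5 image; only used for legacy acceptance runs` so it is not mistaken for a supported platform.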
diff --git a/spec/acceptance/nodesets/ubuntu14-docker.yml b/spec/acceptance/nodesets/ubuntu14-docker.yml
new file mode 100644
index 0000000..82cf2a8
--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu14-docker.yml
@@ -0,0 +1,14 @@
+HOSTS:
+ ubuntu-14-04:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-14.04-x64
+ hypervisor : docker
+ image: ubuntu:14.04
+ docker_preserve_image: true
+ docker_image_commands:
+ - 'apt-get install gcc make tar wget openjdk-7-jdk openjdk-7-jre -y'
+CONFIG:
+ type: foss
+ log_level: debug
diff --git a/spec/acceptance/version.rb b/spec/acceptance/version.rb
new file mode 100644
index 0000000..2023912
--- /dev/null
+++ b/spec/acceptance/version.rb
@@ -0,0 +1,50 @@
+
+_osfamily = fact('osfamily')
+_operatingsystem = fact('operatingsystem')
+_operatingsystemrelease = fact('operatingsystemrelease').to_f
+
+case _osfamily
+when 'RedHat'
+ $packagename = 'httpd'
+ $servicename = 'httpd'
+ $baseconf = '/etc/httpd'
+ $generalconf = '/etc/httpd/conf/httpd.conf'
+ $defaultsiteconf = '/etc/httpd/conf.d/00_default.conf'
+ $et2blogconf = '/etc/httpd/conf.d/sites/00-et2blog-80.conf'
+ $et2blogconfssl = '/etc/httpd/conf.d/sites/00-et2blog_ssl-443.conf'
+ $systemadminconf = '/etc/httpd/conf.d/sites/10-systemadmin.es-81.conf'
+ $testingconf = '/etc/httpd/conf.d/sites/77-testing.lol-80.conf'
+ $defaultvhconf = '/etc/httpd/conf.d/00_default.conf'
+ $modulesconf = '/etc/httpd/conf.d/modules.conf'
+ $deflateconf = '/etc/httpd/conf.d/deflate.conf'
+ $nssvhostconf = '/etc/httpd/conf.d/sites/11-ZnVja3RoYXRiaXRjaAo.com-443.conf'
+
+when 'Debian'
+ $packagename = 'apache2'
+ $servicename = 'apache2'
+ $baseconf = '/etc/apache2'
+ $generalconf = '/etc/apache2/apache2.conf'
+ $defaultsiteconf = '/etc/apache2/conf.d/00_default.conf'
+ $et2blogconf = '/etc/apache2/conf.d/sites/00-et2blog-80.conf'
+ $et2blogconfssl = '/etc/apache2/conf.d/sites/00-et2blog_ssl-443.conf'
+ $systemadminconf = '/etc/apache2/conf.d/sites/10-systemadmin.es-81.conf'
+ $testingconf = '/etc/apache2/conf.d/sites/77-testing.lol-80.conf'
+ $defaultvhconf = '/etc/apache2/conf.d/00_default.conf'
+ $modulesconf = '/etc/apache2/conf.d/modules.conf'
+ $deflateconf = '/etc/apache2/conf.d/deflate.conf'
+ $nssvhostconf = '/etc/apache2/conf.d/sites/11-ZnVja3RoYXRiaXRjaAo.com-443.conf'
+
+else
+ $packagename = '-_-'
+ $servicename = '-_-'
+ $baseconf = '-_-'
+ $defaultsiteconf = '-_-'
+ $et2blogconf = '-_-'
+ $et2blogconfssl = '-_-'
+ $systemadminconf = '-_-'
+ $defaultvhconf = '-_-'
+ $modulesconf = '-_-'
+ $deflateconf = '-_-'
+ $nssvhostconf = '-_-'
+
+end
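Review bot: The `else` branch does not set `$generalconf` and `$testingconf`, which both the RedHat and Debian branches define, so on an unsupported osfamily a spec that references them gets `nil` rather than the `'-_-'` sentinel. The sentinel itself only defers the failure into confusing `file('-_-')` assertions; `raise "unsupported osfamily: #{_osfamily}"` in the `else` branch fails fast with a clear message and removes eleven placeholder lines. `_operatingsystem` and `_operatingsystemrelease` are assigned but never read in this hunk. Globals (`$packagename` and friends) work for shared fixtures, but a frozen constant hash keyed by osfamily would keep them out of the global namespace and make the per-platform table visible as one literal.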
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
new file mode 100644
index 0000000..5aa0a1f
--- /dev/null
+++ b/spec/spec_helper_acceptance.rb
@@ -0,0 +1,47 @@
+require 'beaker-rspec'
+require 'beaker_spec_helper'
+#require 'beaker/puppet_install_helper'
+#run_puppet_install_helper
+
+include BeakerSpecHelper
+
+hosts.each do |host|
+
+ if host['platform'] =~ /^ubuntu-(15.04|15.10)-/
+ on host, "wget -O /tmp/puppet.deb http://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb"
+ on host, "dpkg -i --force-all /tmp/puppet.deb"
+ on host, "apt-get update"
+ host.install_package('puppet-agent')
+ else
+ install_puppet_agent_on host, {}
+ end
+
+ # Install git so that we can install modules from github
+ if host['platform'] =~ /^el-5-/
+ # git is only available on EPEL for el-5
+ install_package host, 'epel-release'
+ end
+ install_package host, 'git'
+
+ on host, "puppet cert generate $(facter fqdn)"
+end
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ # Install module and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'audit')
+ hosts.each do |host|
+ # dependencies
+ on host, puppet('module', 'install', 'puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] }
+ on host, puppet('module', 'install', 'puppetlabs-concat'), { :acceptable_exit_codes => [0,1] }
+ on host, puppet('module', 'install', 'eyp-eyplib'), { :acceptable_exit_codes => [0,1] }
+ end
+ end
+end
diff --git a/templates/base_audit.erb b/templates/base_audit.erb
new file mode 100644
index 0000000..488b57e
--- /dev/null
+++ b/templates/base_audit.erb
@@ -0,0 +1,5 @@
+#reset rules
+-D
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b <%= @buffers %>
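Review bot: The ubuntu 15.04/15.10 branch downloads `puppetlabs-release-pc1-trusty.deb` over plain http and installs it with `dpkg -i --force-all`, so nothing verifies what ends up installed on the test host; use the https URL for `apt.puppetlabs.com` and drop `--force-all` unless a specific dependency conflict needs it, in which case a comment naming that conflict belongs on the line. `:acceptable_exit_codes => [0,1]` on the three `puppet module install` lines hides a failed install until a later spec fails with a less obvious error; if 1 is accepted for the already-installed case, say so in a comment, e.g. `# exit 1 when the module is already present on a preserved image`. The dots in `/^ubuntu-(15.04|15.10)-/` are unescaped and match any character; `/^ubuntu-15\.(04|10)-/` is what is meant.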
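Review bot: `-b <%= @buffers %>` interpolates the parameter unquoted and unvalidated, so a non-integer `buffers` value makes auditctl reject the whole rules file at load time; validating it as an integer on the manifest side (puppetlabs-stdlib, which the spec helper installs, provides `validate_integer`) turns that into a catalog-compile error instead. `-D` deletes every loaded rule before the new set is added, so this file must be loaded before any other rules file; a comment such as `# must be first: -D drops all rules loaded so far` next to `#reset rules` would make that ordering requirement explicit. The template sets neither a failure mode (`-f`) nor the `-e` lock; if those are intended to come from another file, a one-line comment saying where would save the next reader the search.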
diff --git a/templates/default_rules.erb b/templates/default_rules.erb
new file mode 100644
index 0000000..9cb59e6
--- /dev/null
+++ b/templates/default_rules.erb
@@ -0,0 +1,56 @@
+#audit rules
+-w /var/tmp -p x
+-w /tmp -p x
+-w /home -p x
+#Record Events That Modify Date and Time Information
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+#Record Events That Modify User/Group Information
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+#Record Events That Modify the System\'s Network Environment
+-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+<% if(@sysconfig) -%>
+-w /etc/sysconfig/network -p wa -k system-locale
+<% end -%>
+#Collect Login and Logout Events
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/btmp -p wa -k session
+#Collect Session Initiation Information
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+#Collect Discretionary Access Control Permission Modification Events
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+#Collect Unsuccessful Unauthorized Access Attempts to Files
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+#Collect mount system call by non-privileged user
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+#Collect File Deletion Events by User
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+#Collect Changes to System Administration Scope
+-w /etc/sudoers -p wa -k scope
+#Collect Kernel Module Loading and Unloading
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
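Review bot: `-F auid>=500` is hard-coded in the perm_mod, access, mounts and delete rules, but the EL7 and Ubuntu 14.04 nodesets added in this commit start regular users at UID 1000, so system accounts in the 500–999 range get audited as if they were users there; take the threshold from a template variable fed by the platform's `UID_MIN` rather than a constant. The comment `#Record Events That Modify the System\'s Network Environment` carries a literal backslash left over from an escaped quote. The system-locale block writes `-a exit,always` while every other rule uses `-a always,exit`; auditctl accepts both, but one spelling makes the file easier to grep. `/etc/sudoers.d` is not watched alongside `/etc/sudoers`, so drop-in sudo changes never hit the `scope` key; `-w /etc/sudoers.d -p wa -k scope` closes that gap. The file ends without `-e 1` or `-e 2`; if the lock is intended to be applied elsewhere, a comment saying where avoids the question.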