From 267042c838087710fb53f56259cb9f4186678138 Mon Sep 17 00:00:00 2001 From: Imran Iqbal Date: Mon, 16 Sep 2019 19:28:05 +0100 Subject: [PATCH] test(inspec): add tests based on existing Serverspec tests (#168) * ci(kitchen): use `openssh.config` as `state_top` * Semi-automated using https://github.com/myii/ssf-formula/pull/33 * test(pillar): remove deprecated option and disabled method * https://travis-ci.org/myii/openssh-formula/jobs/585340845#L1811-L1813: * test(pillar): use same SSH options as used by Travis * Using existing options locks out after `kitchen converge` (before `verify`) * https://travis-ci.org/myii/openssh-formula/jobs/585356835#L2957-L2965: * test(inspec): add tests based on existing Serverspec tests * Follows on from #166 --- kitchen.yml | 2 +- pillar.example | 3 +- .../default/controls/config_spec.rb | 33 +++ .../default/controls/packages_spec.rb | 13 ++ .../default/controls/services_spec.rb | 15 ++ test/salt/pillar/default.sls | 208 ++---------------- 6 files changed, 83 insertions(+), 191 deletions(-) create mode 100644 test/integration/default/controls/config_spec.rb create mode 100644 test/integration/default/controls/packages_spec.rb create mode 100644 test/integration/default/controls/services_spec.rb diff --git a/kitchen.yml b/kitchen.yml index 413397c..06cbc45 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -154,7 +154,7 @@ suites: state_top: base: '*': - - openssh + - openssh.config pillars: top.sls: base: diff --git a/pillar.example b/pillar.example index 5edf64a..8c4aafa 100644 --- a/pillar.example +++ b/pillar.example @@ -14,7 +14,6 @@ sshd_config: - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key - /etc/ssh/ssh_host_ed25519_key - UsePrivilegeSeparation: 'sandbox' SyslogFacility: AUTH LogLevel: INFO ClientAliveInterval: 0 @@ -32,7 +31,7 @@ sshd_config: HostbasedAuthentication: 'no' PermitEmptyPasswords: 'no' ChallengeResponseAuthentication: 'no' - AuthenticationMethods: 'publickey,keyboard-interactive' + AuthenticationMethods: 'publickey' AuthorizedKeysFile: '%h/.ssh/authorized_keys' X11Forwarding: 'no' X11DisplayOffset: 10 diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb new file mode 100644 index 0000000..80f038e --- /dev/null +++ b/test/integration/default/controls/config_spec.rb @@ -0,0 +1,33 @@ +# Overide by Platform +root_group = 'root' +if platform[:family] == 'freebsd' + root_group = 'wheel' +end + +control 'openssh configuration' do + title 'should match desired lines' + + describe file('/etc/ssh/sshd_config') do + it { should be_file } + its('mode') { should cmp '0644' } + it { should be_owned_by 'root' } + it { should be_grouped_into root_group } + its('content') { should include 'ChallengeResponseAuthentication no' } + its('content') { should include 'X11Forwarding yes' } + its('content') { should include 'PrintMotd no' } + its('content') { should include 'AcceptEnv LANG LC_*' } + its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' } + its('content') { should include 'UsePAM yes' } + end + + describe file('/etc/ssh/ssh_config') do + it { should be_file } + its('mode') { should cmp '0644' } + it { should be_owned_by 'root' } + it { should be_grouped_into root_group } + its('content') { should include 'Host *' } + its('content') { should include ' GSSAPIAuthentication yes' } + its('content') { should include ' HashKnownHosts yes' } + its('content') { should include ' SendEnv LANG LC_*' } + end +end diff --git a/test/integration/default/controls/packages_spec.rb b/test/integration/default/controls/packages_spec.rb new file mode 100644 index 0000000..4b29db4 --- /dev/null +++ b/test/integration/default/controls/packages_spec.rb @@ -0,0 +1,13 @@ +# Overide by Platform +package_name = 'openssh-server' +if platform[:family] == 'suse' + package_name = 'openssh' +end + +control 'openssh package' do + title 'should be installed' + + describe package(package_name) do + it { should be_installed } + end +end diff --git a/test/integration/default/controls/services_spec.rb b/test/integration/default/controls/services_spec.rb new file mode 100644 index 0000000..aa01abc --- /dev/null +++ b/test/integration/default/controls/services_spec.rb @@ -0,0 +1,15 @@ +# Overide by Platform +service_name = 'sshd' +if platform[:family] == 'debian' + service_name = 'ssh' +end + +control 'openssh service' do + impact 0.5 + title 'should be running and enabled' + + describe service(service_name) do + it { should be_enabled } + it { should be_running } + end +end diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls index cfb791e..0b25845 100644 --- a/test/salt/pillar/default.sls +++ b/test/salt/pillar/default.sls @@ -1,203 +1,35 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- +# yamllint disable rule:line-length +# Using a stripped down version of both `sshd_config` and `ssh_config` here +# The values introduced by the initial commit are taken from the Travis +# instances themselves +# Care must be taken when modifying this, not to lock out Travis before the +# `kitchen verify` stage takes place, resulting in: +# ``` +# $$$$$$ [SSH] connection failed, terminating (#) +# >>>>>> ------Exception------- +# >>>>>> Class: Kitchen::ActionFailed +# >>>>>> Message: 1 actions failed. +# >>>>>> Failed to complete #verify action: [Transport error, can't connect to 'ssh' backend: SSH session could not be established] on ... +# ``` +# yamllint enable rule:line-length + sshd_config: - # This keyword is totally optional - ConfigBanner: | - # Alternative banner for the config file - # (Indented) hash signs lose their special meaning here - # and the lines will be written as-is. - Port: 22 - Protocol: 2 - HostKey: - - /etc/ssh/ssh_host_rsa_key - - /etc/ssh/ssh_host_dsa_key - - /etc/ssh/ssh_host_ecdsa_key - - /etc/ssh/ssh_host_ed25519_key - UsePrivilegeSeparation: 'sandbox' - SyslogFacility: AUTH - LogLevel: INFO - ClientAliveInterval: 0 - ClientAliveCountMax: 3 - LoginGraceTime: 120 - PermitRootLogin: 'yes' - PasswordAuthentication: 'no' - StrictModes: 'yes' - MaxAuthTries: 6 - MaxSessions: 10 - PubkeyAuthentication: 'yes' - AuthorizedKeysCommand: '/usr/bin/sss_ssh_authorizedkeys' - AuthorizedKeysCommandUser: 'nobody' - IgnoreRhosts: 'yes' - HostbasedAuthentication: 'no' - PermitEmptyPasswords: 'no' ChallengeResponseAuthentication: 'no' - AuthenticationMethods: 'publickey,keyboard-interactive' - AuthorizedKeysFile: '%h/.ssh/authorized_keys' - X11Forwarding: 'no' - X11DisplayOffset: 10 - PrintMotd: 'yes' - PrintLastLog: 'yes' - TCPKeepAlive: 'yes' + X11Forwarding: 'yes' + PrintMotd: 'no' AcceptEnv: "LANG LC_*" Subsystem: "sftp /usr/lib/openssh/sftp-server" UsePAM: 'yes' - UseDNS: 'yes' - # set as string - AllowUsers: 'vader@10.0.0.1 maul@evil.com sidious luke' - # # or set as list - # AllowUsers: - # - vader@10.0.0.1 - # - maul@evil.com - # - sidious - # - luke - # # set as string - # DenyUsers: 'yoda chewbaca@112.10.21.1' - # or set as list - DenyUsers: - - yoda - - chewbaca@112.10.21.1 - # # set as string - # AllowGroups: 'wheel staff imperial' - # or set as list - AllowGroups: - - wheel - - staff - - imperial - # set as string - DenyGroups: 'rebel' - # # or set as list - # DenyGroups: - # - rebel - # - badcompany - matches: - sftp_chroot: - type: - Group: sftpusers - options: - ChrootDirectory: /sftp-chroot/%u - X11Forwarding: 'no' - AllowTcpForwarding: 'no' - ForceCommand: internal-sftp - # Supports complex compound matches in Match criteria. For example, be able - # to match against multiple Users for a given Match, or be able to match - # against address ranges. Or Groups. Or any combination thereof. - # - # Support for matching users can take one of several different appearances - # in pillar data: - match_1: - type: - User: one_user - options: - ChrootDirectory: /ex/%u - match_2: - type: - User: - - jim - - bob - - sally - options: - ChrootDirectory: /ex/%u - # Note the syntax of match_3. By using empty dicts for each user, we can - # leverage Salt's pillar mergine. If we use simple lists, we cannot do - # this; Salt can't merge simple lists, because it doesn't know what order - # they ought to be in. - match_3: - type: - User: - jim: ~ - bob: ~ - sally: ~ - options: - ChrootDirectory: /ex/%u - # Check `man sshd_config` for supported KexAlgorithms, Ciphers and MACs first. - # You can specify KexAlgorithms, Ciphers and MACs as both key or a list. - # The configuration given in the example below is based on: - # https://stribika.github.io/2015/01/04/secure-secure-shell.html - # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' - # yamllint disable rule:line-length - # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' - # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' - # yamllint enable rule:line-length - KexAlgorithms: - - 'curve25519-sha256@libssh.org' - - 'diffie-hellman-group-exchange-sha256' - Ciphers: - - 'chacha20-poly1305@openssh.com' - - 'aes256-gcm@openssh.com' - - 'aes128-gcm@openssh.com' - - 'aes256-ctr' - - 'aes192-ctr' - - 'aes128-ctr' - MACs: - - 'hmac-sha2-512-etm@openssh.com' - - 'hmac-sha2-256-etm@openssh.com' - - 'umac-128-etm@openssh.com' - - 'hmac-sha2-512' - - 'hmac-sha2-256' - - 'umac-128@openssh.com' - -# Warning! You should generally NOT NEED to set ssh_config. Setting ssh_config -# pillar will overwrite the defaults of your distribution's SSH client. This -# will also force the default configuration for all the SSH clients on the -# machine. This can break SSH connections with servers using older versions of -# openssh. Please make sure you understand the implication of different settings ssh_config: Hosts: '*': - StrictHostKeyChecking: 'no' - ForwardAgent: 'no' - ForwardX11: 'no' - RhostsRSAAuthentication: 'no' - RSAAuthentication: 'yes' - PasswordAuthentication: 'yes' - HostbasedAuthentication: 'no' - GSSAPIAuthentication: 'no' - GSSAPIDelegateCredentials: 'no' - BatchMode: 'yes' - CheckHostIP: 'yes' - AddressFamily: 'any' - ConnectTimeout: 0 - IdentityFile: '~/.ssh/id_rsa' - Port: 22 - Protocol: 2 - Cipher: '3des' - Tunnel: 'no' - TunnelDevice: 'any:any' - PermitLocalCommand: 'no' - VisualHostKey: 'no' - # Check `man ssh_config` for supported KexAlgorithms, Ciphers and MACs first. - # WARNING! Please make sure you understand the implications of the below - # settings. The examples provided below might break your connection to older / - # legacy openssh servers. - # The configuration given in the example below is based on: - # https://stribika.github.io/2015/01/04/secure-secure-shell.html - # You can specify KexAlgorithms, Ciphers and MACs as both key or a list. - # yamllint disable rule:line-length - # KexAlgorithms: 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' - # Ciphers: 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' - # MACs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' - # yamllint enable rule:line-length - KexAlgorithms: - - 'curve25519-sha256@libssh.org' - - 'diffie-hellman-group-exchange-sha256' - - 'diffie-hellman-group-exchange-sha1' - - 'diffie-hellman-group14-sha1' - Ciphers: - - 'chacha20-poly1305@openssh.com' - - 'aes256-gcm@openssh.com' - - 'aes128-gcm@openssh.com' - - 'aes256-ctr' - - 'aes192-ctr' - - 'aes128-ctr' - MACs: - - 'hmac-sha2-512-etm@openssh.com' - - 'hmac-sha2-256-etm@openssh.com' - - 'umac-128-etm@openssh.com' - - 'hmac-sha2-512' - - 'hmac-sha2-256' - - 'umac-128@openssh.com' + GSSAPIAuthentication: 'yes' + HashKnownHosts: 'yes' + SendEnv: 'LANG LC_*' openssh: