author | neha-p6 <neha.pansare@progress.com> | 2022-04-11 11:00:57 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-04-11 11:00:57 +0530 |
commit | d3dda786b2a6d61025288c002ae7b5b60c499f92 (patch) | |
tree | 2e48a0e853c05ca404be357ba2c928d491ec7b01 /spec | |
parent | d3e922a67abec71825d6f6c6ac8fd4ef9fc53019 (diff) | |
download | chef-d3dda786b2a6d61025288c002ae7b5b60c499f92.tar.gz |
SELinux integration to infra client (#12694)
* 1. Add resources for SELinux
2. Add common helper for SELinux under a new subdirectory
3. Wire files together with corresponding changes
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 3. Include SElinux CommonHelper under action_class for corresponding resources as it uses shell_out!
4. Add SELinux config file templates for debian and default versions
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 5.Add local mode true to correctly parse template from selinux_state resource
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 6. Remove SELinux cookbook dependency from kitchen-tests as SELinux resources are now part of core chef client, update linux.rb recipe to use corresponding SELinux resources instead of include_recipe
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 7. Add unit test cases for SELinux resources
8. Add documentation for SELinux resources
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 9. Obvious fix: code linting and spellcheck
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 10. Add code linting changes.
11. Add missing comma in cspell.json resulting in issue
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 12. Add linting and spellcheck changes
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 13. Add documentation for SELinux resources for all properties, actions with examples
14. Added permissive SELinux policy for en_to_end kitchen test
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
* 15. Fix chefstyle linting
16. Update few shell_out calls to use array format of input parameters
Signed-off-by: Neha Pansare <neha.pansare@progress.com>
Diffstat (limited to 'spec')
-rw-r--r-- | spec/unit/resource/selinux_boolean_spec.rb | 92 | ||||
-rw-r--r-- | spec/unit/resource/selinux_fcontext_spec.rb | 65 | ||||
-rw-r--r-- | spec/unit/resource/selinux_install_spec.rb | 60 | ||||
-rw-r--r-- | spec/unit/resource/selinux_module_spec.rb | 55 | ||||
-rw-r--r-- | spec/unit/resource/selinux_permissive_spec.rb | 39 | ||||
-rw-r--r-- | spec/unit/resource/selinux_port_spec.rb | 42 | ||||
-rw-r--r-- | spec/unit/resource/selinux_state_spec.rb | 46 |
7 files changed, 399 insertions, 0 deletions
diff --git a/spec/unit/resource/selinux_boolean_spec.rb b/spec/unit/resource/selinux_boolean_spec.rb
new file mode 100644
index 0000000000..63af7c5a3b
--- /dev/null
+++ b/spec/unit/resource/selinux_boolean_spec.rb
@@ -0,0 +1,92 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxBoolean do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxBoolean.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:set) }
+ let(:selinux_state) { double("shellout!", stdout: "permissive") }
+
+ it "sets boolean proprty as name_property" do
+ expect(resource.boolean).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :set" do
+ expect(resource.action).to eql([:set])
+ end
+
+ it "supports :set action" do
+ expect { resource.action :set }.not_to raise_error
+ end
+
+ context "coercing value property" do
+ it "should set value properly to 'on' when valid parameter is sent and is literal positive" do
+ resource.value = 1
+ expect(resource.value).to eql("on")
+
+ resource.value = "true"
+ expect(resource.value).to eql("on")
+
+ resource.value = true
+ expect(resource.value).to eql("on")
+ end
+
+ it "should set value properly to 'off' when valid parameter is sent and is literal negative" do
+ resource.value = 0
+ expect(resource.value).to eql("off")
+
+ resource.value = "false"
+ expect(resource.value).to eql("off")
+
+ resource.value = false
+ expect(resource.value).to eql("off")
+ end
+
+ it "should raise an exception if invalid parameter is sent" do
+ expect do
+ resource.value = "ON"
+ end.to raise_error(ArgumentError)
+ end
+ end
+
+ describe "#Chef::SELinux::CommonHelpers" do
+ context "#selinux_permissive?" do
+ it "should return true if selinux_state is :permissive" do
+ allow(provider).to receive(:shell_out!).and_return(selinux_state)
+ expect(provider.selinux_permissive?).to eql(true)
+ end
+ end
+
+ context "#selinux_disabled?" do
+ it "should return false if selinux_state is :permissive" do
+ allow(provider).to receive(:shell_out!).and_return(selinux_state)
+ expect(provider.selinux_disabled?).to eql(false)
+ end
+ end
+
+ context "#selinux_enforcing?" do
+ it "should return false if selinux_state is :permissive" do
+ allow(provider).to receive(:shell_out!).and_return(selinux_state)
+ expect(provider.selinux_enforcing?).to eql(false)
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/unit/resource/selinux_fcontext_spec.rb b/spec/unit/resource/selinux_fcontext_spec.rb
new file mode 100644
index 0000000000..7e1c31c23e
--- /dev/null
+++ b/spec/unit/resource/selinux_fcontext_spec.rb
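Review bot: The three CommonHelpers examples at the end of the hunk stub `shell_out!` for any arguments and feed it only `stdout: "permissive"`, so `selinux_enforcing?` and `selinux_disabled?` are checked on their false path alone and the command the helper actually runs is never pinned. Add doubles for `"enforcing"` and `"disabled"` stdout so each predicate is asserted true once, and replace `allow(...).and_return` with `expect(provider).to receive(:shell_out!).with(...)` using the argument array the helper builds (not visible in this hunk), so a change to the invoked command fails the spec instead of being masked by the stub. The first example's description misspells "property" (`it "sets boolean proprty as name_property"`); the fcontext spec repeats the typo. Every one of the seven spec files ends without a trailing newline (`\ No newline at end of file`), which the rubocop cop Layout/TrailingEmptyLines flags if chefstyle enables it; add the final newline in all of them.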
@@ -0,0 +1,65 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxFcontext do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxFcontext.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:manage) }
+ let(:restoreconf) { double("shellout", stdout: "restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0") }
+
+ it "sets file_spec proprty as name_property" do
+ expect(resource.file_spec).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :manage" do
+ expect(resource.action).to eql([:manage])
+ end
+
+ it "supports :manage, :addormodify, :add, :modify, :delete actions" do
+ expect { resource.action :manage }.not_to raise_error
+ expect { resource.action :addormodify }.not_to raise_error
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :modify }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+
+ it "checks 'a', 'f', 'd', 'c', 'b', 's', 'l', 'p' as valid file_type property values" do
+ expect { resource.file_type "a" }.not_to raise_error
+ expect { resource.file_type "f" }.not_to raise_error
+ expect { resource.file_type "d" }.not_to raise_error
+ expect { resource.file_type "c" }.not_to raise_error
+ expect { resource.file_type "b" }.not_to raise_error
+ expect { resource.file_type "s" }.not_to raise_error
+ expect { resource.file_type "l" }.not_to raise_error
+ expect { resource.file_type "p" }.not_to raise_error
+ end
+
+ it "sets default value for file_type property to 'a'" do
+ expect(resource.file_type).to eql("a")
+ end
+
+ describe "#relabel_files" do
+ it "returns verbose output with details of the file for which SELinux config is restored" do
+ allow(provider).to receive(:shell_out!).and_return(restoreconf)
+ expect(provider.relabel_files).to eql(restoreconf)
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/unit/resource/selinux_install_spec.rb b/spec/unit/resource/selinux_install_spec.rb
new file mode 100644
index 0000000000..5e82dfb840
--- /dev/null
+++ b/spec/unit/resource/selinux_install_spec.rb
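Review bot: The `#relabel_files` example only asserts that the method hands back whatever `shell_out!` returned, and because the stub accepts any arguments it never checks that `file_spec` ("fakey_fakerton") reaches the command as a discrete argv element. For a provider that turns a user-supplied path pattern into a command line, pin the call with `expect(provider).to receive(:shell_out!).with(...)` and the exact argument array the provider builds (not visible in this hunk), so a later regression to a string-built command fails here. The `file_type` example exercises only the accepted values; if the property carries an `equal_to` validator as the description implies, add a negative case such as `expect { resource.file_type "x" }.to raise_error(Chef::Exceptions::ValidationFailed)` so the validator itself is tested. `it "sets file_spec proprty as name_property"` repeats the "proprty" typo from the boolean spec.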
@@ -0,0 +1,60 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxInstall do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxInstall.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:install) }
+
+ it "sets the default action as :install" do
+ expect(resource.action).to eql([:install])
+ end
+
+ it "supports :install, :upgrade, :remove actions" do
+ expect { resource.action :install }.not_to raise_error
+ expect { resource.action :upgrade }.not_to raise_error
+ expect { resource.action :remove }.not_to raise_error
+ end
+
+ it "sets default packages on 'rhel', 'fedora', 'amazon' platforms" do
+ node.automatic_attrs[:platform_family] = "rhel"
+ expect(resource.packages).to eql(%w{make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console})
+ end
+
+ it "sets default packages on debian irrespective of platform_version" do
+ node.automatic_attrs[:platform_family] = "debian"
+ expect(resource.packages).to eql(%w{make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools})
+ end
+
+ it "sets default packages on ubuntu 18.04 platforms" do
+ node.automatic_attrs[:platform_family] = "debian"
+ node.automatic_attrs[:platform] = "ubuntu"
+ node.automatic_attrs[:platform_version] = 18.04
+ expect(resource.packages).to eql(%w{make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools})
+ end
+
+ it "sets default packages on ubuntu platforms and versions other than 18.04" do
+ node.automatic_attrs[:platform_family] = "debian"
+ node.automatic_attrs[:platform] = "ubuntu"
+ node.automatic_attrs[:platform_version] = 20.04
+ expect(resource.packages).to eql(%w{make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools})
+ end
+end
\ No newline at end of file
diff --git a/spec/unit/resource/selinux_module_spec.rb b/spec/unit/resource/selinux_module_spec.rb
new file mode 100644
index 0000000000..dadd9eb8fa
--- /dev/null
+++ b/spec/unit/resource/selinux_module_spec.rb
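Review bot: Both Ubuntu examples assign `platform_version` as a Float (`18.04`, `20.04`), but Ohai populates `platform_version` as a String, so these examples exercise a type the resource never sees on a real node; if the default-package logic compares the value as a string it passes here and misbehaves in production, and if it compares numerically the reverse holds. Use `node.automatic_attrs[:platform_version] = "18.04"` and `"20.04"` to match what the resource actually receives. There is also no example for a `platform_family` outside rhel and debian; whatever `packages` does there (empty list, nil or an error is not visible here) deserves a pinned expectation.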
@@ -0,0 +1,55 @@
+#
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxModule do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxModule.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:create) }
+
+ it "sets module_name property as name_property" do
+ expect(resource.module_name).to eql("fakey_fakerton")
+ end
+
+ it "sets default value for base_dir property" do
+ expect(resource.base_dir).to eql("/etc/selinux/local")
+ end
+
+ it "sets the default action as :create" do
+ expect(resource.action).to eql([:create])
+ end
+
+ it "supports :create, :delete, :install, :remove actions" do
+ expect { resource.action :create }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ expect { resource.action :install }.not_to raise_error
+ expect { resource.action :remove }.not_to raise_error
+ end
+
+ describe "#selinux_module_filepath" do
+ it "returns selinux module file path based upon base_dir property and module_name property" do
+ resource.base_dir = "/opt/selinux"
+ resource.module_name = "my_module"
+ file_type = "te"
+ expect(provider.selinux_module_filepath(file_type)).to eql("/opt/selinux/my_module.te")
+ end
+ end
+end
\ No newline at end of file
diff --git a/spec/unit/resource/selinux_permissive_spec.rb b/spec/unit/resource/selinux_permissive_spec.rb
new file mode 100644
index 0000000000..96ee3c3c81
--- /dev/null
+++ b/spec/unit/resource/selinux_permissive_spec.rb
@@ -0,0 +1,39 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxPermissive do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxPermissive.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:add) }
+
+ it "sets context property as name_property" do
+ expect(resource.context).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :add" do
+ expect(resource.action).to eql([:add])
+ end
+
+ it "supports :add, :delete actions" do
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+end
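Review bot: The license header of selinux_module_spec.rb opens with two bare `#` lines before `# Copyright::`, unlike the other six specs in this commit, which have one; drop the duplicate so the headers match. The `#selinux_module_filepath` example covers only a plain module name, so whether `module_name` is constrained to a bare name or joined verbatim under `base_dir` is left unpinned even though the resulting path is built from a user-supplied property; add an example that states the intended behaviour for a name containing a path separator, either `raise_error(Chef::Exceptions::ValidationFailed)` if the property validates it or the literal joined path if it does not (which of the two the resource implements is not visible here).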
\ No newline at end of file
diff --git a/spec/unit/resource/selinux_port_spec.rb b/spec/unit/resource/selinux_port_spec.rb
new file mode 100644
index 0000000000..2ed14c5ef6
--- /dev/null
+++ b/spec/unit/resource/selinux_port_spec.rb
@@ -0,0 +1,42 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxPort do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxPort.new("5678", run_context) }
+ let(:provider) { resource.provider_for_action(:manage) }
+
+ it "sets port property as name_property" do
+ expect(resource.port).to eql("5678")
+ end
+
+ it "sets the default action as :manage" do
+ expect(resource.action).to eql([:manage])
+ end
+
+ it "supports :manage, :addormodify, :add, :modify, :delete actions" do
+ expect { resource.action :manage }.not_to raise_error
+ expect { resource.action :addormodify }.not_to raise_error
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :modify }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+end
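Review bot: `let(:provider) { resource.provider_for_action(:add) }` in selinux_permissive_spec.rb is never referenced by any example, and the same unused `provider` let appears in the port and state specs that follow; `let` is lazy so nothing runs, but it is dead setup and should be removed or exercised. This spec covers only the name property and the action list; no other property of the resource is asserted (none are visible here), so its defaults and validation stay untested. Consider at least one example per declared property, as the boolean and fcontext specs do for `value` and `file_type`.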
\ No newline at end of file
diff --git a/spec/unit/resource/selinux_state_spec.rb b/spec/unit/resource/selinux_state_spec.rb
new file mode 100644
index 0000000000..356a872627
--- /dev/null
+++ b/spec/unit/resource/selinux_state_spec.rb
@@ -0,0 +1,46 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxState do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxState.new("5678", run_context) }
+ let(:provider) { resource.provider_for_action(:enforcing) }
+
+ it "sets the default action as :enforcing" do
+ expect(resource.action).to eql([:enforcing])
+ end
+
+ it "sets default value for policy property for 'rhel', 'fedora', 'amazon' platforms" do
+ node.automatic_attrs[:platform_family] = "rhel"
+ expect(resource.policy).to eql("targeted")
+ end
+
+ it "supports :enforcing, :permissive, :disabled actions" do
+ expect { resource.action :enforcing }.not_to raise_error
+ expect { resource.action :permissive }.not_to raise_error
+ expect { resource.action :disabled }.not_to raise_error
+ end
+
+ it "sets default value for policy property for debian platforms" do
+ node.automatic_attrs[:platform_family] = "debian"
+ expect(resource.policy).to eql("default")
+ end
+end
\ No newline at end of file |
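Review bot: `Chef::Resource::SelinuxState.new("5678", run_context)` carries over the port-number name from the port spec; nothing asserts the name here, but a state resource called "5678" reads as a copy-paste slip and makes the example misleading, so use `"fakey_fakerton"` as the other specs do. The two policy-default examples are split by the actions example; keep them adjacent so the platform matrix is readable. The description for the rhel example names 'fedora' and 'amazon' but only `platform_family = "rhel"` is set, so either set those families in additional examples or narrow the description to what is tested; there is also no example for a family outside rhel and debian.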