Harmonizing the CI and test setup with chef-os-hardening

- Using vagrant for kitchen tests per default - Using dokken in the CI - Same travis configuration structure - Switch the tests to the latest available chef version Signed-off-by: Artem Sidorenko <artem@posteo.de>
dev-sec · May 13, 2017 · 9478a9a · 9478a9a
1 parent 3e84ded
commit 9478a9a
Show file tree

Hide file tree

Showing 6 changed files with 171 additions and 180 deletions.
diff --git a/.kitchen.dokken.yml b/.kitchen.dokken.yml
@@ -0,0 +1,81 @@
+# this file is used for configuration of kitchen dokken
+# for integration tests in the CI
+---
+driver:
+  name: dokken
+  privileged: true # because Docker and SystemD/Upstart
+
+transport:
+  name: dokken
+
+provisioner:
+  name: dokken
+
+verifier:
+  name: inspec
+  sudo: true
+
+platforms:
+- name: ubuntu-14-04
+  driver:
+    image: ubuntu:14.04
+- name: ubuntu-16-04
+  driver:
+    image: ubuntu:16.04
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    pid_one_command: /bin/systemd
+- name: centos-6
+  driver:
+    image: centos:6
+    intermediate_instructions:
+      - RUN yum install -y initscripts
+- name: centos-7
+  driver:
+    image: centos:7
+    pid_one_command: /usr/lib/systemd/systemd
+- name: oracle-6
+  driver:
+    image: oraclelinux:6
+- name: oracle-7
+  driver:
+    image: oraclelinux:7
+    pid_one_command: /usr/lib/systemd/systemd
+- name: debian-7
+  driver:
+    image: debian:7
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    - RUN /usr/bin/apt-get install -y procps
+- name: debian-8
+  driver:
+    image: debian:8
+    intermediate_instructions:
+    - RUN /usr/bin/apt-get update
+    - RUN /usr/bin/apt-get install -y procps
+    pid_one_command: /bin/systemd
+- name: fedora-24
+  driver:
+    image: fedora:24
+    pid_one_command: /usr/lib/systemd/systemd
+    intermediate_instructions:
+    - RUN dnf install -y yum
+- name: fedora-25
+  driver:
+    image: fedora:25
+    pid_one_command: /usr/lib/systemd/systemd
+    intermediate_instructions:
+    - RUN dnf install -y yum
+- name: opensuse-42
+  driver:
+    image: opensuse:leap
+    pid_one_command: /usr/lib/systemd/systemd
+
+suites:
+- name: default
+  run_list:
+  - recipe[test]
+  - recipe[ssh-hardening]
+  verifier:
+    inspec_tests:
+      - https://github.com/dev-sec/tests-ssh-hardening
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -1,74 +1,28 @@
 ---
 driver:
-  name: dokken
-  chef_version: 12.5.1
-  privileged: true # because Docker and SystemD/Upstart
-
-transport:
-  name: dokken
-
-provisioner:
-  name: dokken
-
-verifier:
-  name: inspec
-  sudo: true
+  name: vagrant
 
 platforms:
 - name: ubuntu-14.04
-  driver:
-    image: ubuntu:14.04
 - name: ubuntu-16.04
-  driver:
-    image: ubuntu:16.04
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    pid_one_command: /bin/systemd
 - name: centos-6.8
-  driver:
-    image: centos:6.8
-    intermediate_instructions:
-      - RUN yum install -y initscripts
-- name: centos-7
-  driver:
-    image: centos:7
-    pid_one_command: /usr/lib/systemd/systemd
+- name: centos-7.3
 - name: oracle-6.8
-  driver:
-    image: oraclelinux:6.8
-- name: oracle-7.1
-  driver:
-    image: oraclelinux:7.1
-    pid_one_command: /usr/lib/systemd/systemd
-- name: debian-7
-  driver:
-    image: debian:7
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    - RUN /usr/bin/apt-get install -y procps
-- name: debian-8
-  driver:
-    image: debian:8
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    - RUN /usr/bin/apt-get install -y procps
-    pid_one_command: /bin/systemd
+- name: oracle-7.3
+- name: debian-7.11
+- name: debian-8.6
 - name: fedora-24
-  driver:
-    image: fedora:24
-    pid_one_command: /usr/lib/systemd/systemd
-    intermediate_instructions:
-    - RUN dnf install -y yum
 - name: fedora-25
-  driver:
-    image: fedora:25
-    pid_one_command: /usr/lib/systemd/systemd
-    intermediate_instructions:
-    - RUN dnf install -y yum
-- name: opensuse-42
-  driver:
-    image: opensuse:42.1
-    pid_one_command: /usr/lib/systemd/systemd
+- name: opensuse-leap-42.1
+
+provisioner:
+  name: chef_solo
+<% if ENV['CHEF_VERSION'] %>
+  require_chef_omnibus: <%= ENV['CHEF_VERSION'] %>
+<% end %>
+
+verifier:
+  name: inspec
 
 suites:
 - name: default
@@ -78,3 +32,27 @@ suites:
   verifier:
     inspec_tests:
       - https://github.com/dev-sec/tests-ssh-hardening
+- name: rhel-with-disabled-pam
+  includes:
+    - centos-6.8
+    - centos-7.3
+    - fedora-24
+    - fedora-25
+    - oracle-6.8
+    - oracle-7.3
+  driver:
+    provision: true
+    vagrantfiles:
+      - test/fixtures/vagrantfiles/enforce_selinux.rb
+  run_list:
+  - recipe[test]
+  - recipe[ssh-hardening]
+  attributes:
+    ssh-hardening:
+      ssh:
+        server:
+          use_pam: false
+  verifier:
+    inspec_tests:
+      - https://github.com/dev-sec/tests-ssh-hardening
+      - test/integration/without-pam
diff --git a/.travis.yml b/.travis.yml
@@ -1,44 +1,36 @@
 ---
 sudo: required
 language: ruby
-cache: bundler
+bundler_args: "--without development"
 dist: trusty
+cache: bundler
 
 services:
 - docker
 
+rvm: 2.3.3
+
 before_install:
-- gem --version
-- bundle version
+  - gem update --system # see https://github.com/bundler/bundler/issues/5357
+
+env:
+ - INSTANCE=ubuntu-14-04
+ - INSTANCE=ubuntu-16-04
+ - INSTANCE=centos-6
+ - INSTANCE=centos-7
+ - INSTANCE=oracle-6
+ - INSTANCE=oracle-7
+ - INSTANCE=debian-7
+ - INSTANCE=debian-8
+ - INSTANCE=fedora-24
+ - INSTANCE=fedora-25
+ - INSTANCE=opensuse-42
+
+script:
+  -  bundle exec rake kitchen KITCHEN_LOCAL_YAML=.kitchen.dokken.yml
 
 matrix:
   include:
-  # verify lint and unit
-  - rvm: 2.3.1
-    gemfile: Gemfile
-    bundler_args: "--without integration development"
-  # integration tests
-  - rvm: 2.3.1
-    bundler_args: "--without development"
-    script: bundle exec rake $SUITE
-    env: SUITE=test:integration OS='centos'
-  - rvm: 2.3.1
-    bundler_args: "--without development"
-    script: bundle exec rake $SUITE
-    env: SUITE=test:integration OS='oracle'
-  - rvm: 2.3.1
-    bundler_args: "--without development"
-    script: bundle exec rake $SUITE
-    env: SUITE=test:integration OS='ubuntu'
-  - rvm: 2.3.1
-    bundler_args: "--without development"
-    script: bundle exec rake $SUITE
-    env: SUITE=test:integration OS='debian'
-  - rvm: 2.3.1
-    bundler_args: "--without development"
-    script: bundle exec rake $SUITE
-    env: SUITE=test:integration OS='fedora'
-  - rvm: 2.3.1
-    bundler_args: "--without development"
-    script: bundle exec rake $SUITE
-    env: SUITE=test:integration OS='opensuse'
+    - env: UNIT_AND_LINT=1
+      script:
+        - bundle exec rake lint spec
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ This cookbook provides secure ssh-client and ssh-server configurations. This coo
 - CentOS 6, 7
 - Oracle Linux 6, 7
 - Fedora 24, 25
-- OpenSuse Leap 42.1
+- OpenSuse Leap 42
 
 ## Attributes
 
@@ -145,31 +145,31 @@ end
 
 ## Local Testing
 
-For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). We are writing our test with [InSpec](https://github.com/chef/inspec).
+Please install [chef-dk](https://downloads.chef.io/chefdk), [VirtualBox](https://www.virtualbox.org/) or VMware Workstation and [Vagrant](https://www.vagrantup.com/).
 
-Next install test-kitchen:
+Linting is checked with [rubocop](https://github.com/bbatsov/rubocop) and [foodcritic](http://www.foodcritic.io/):
 
 ```bash
-# Install dependencies
-gem install bundler
-bundle install
+$ chef exec rake lint
+.....
+```
 
-# Do lint checks
-bundle exec rake lint
+Unit/spec tests are done with [chefspec](https://github.com/sethvargo/chefspec):
 
-# fast test on one machine
-bundle exec kitchen test default-ubuntu-1204
+```bash
+$ chef exec rake spec
+.....
+```
 
-# test on all machines
-bundle exec kitchen test
+Integration tests are done with [test-kitchen](http://kitchen.ci/) and [inspec](https://www.inspec.io/):
 
-# for development
-bundle exec kitchen create default-ubuntu-1204
-bundle exec kitchen converge default-ubuntu-1204
+```bash
+$ chef exec rake kitchen
+.....
+# or you can use the kitchen directly
+$ kitchen test
 ```
 
-For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)
-
 ## FAQ / Pitfalls
 
 **I can't log into my account. I have registered the client key, but it still doesn't let me it.**