diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000..959d4d7
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,4 @@
+fixtures:
+ repositories:
+ stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib"
+ concat: "git://github.com/puppetlabs/puppetlabs-concat"
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..543dd6a
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,4 @@
+*.rb eol=lf
+*.erb eol=lf
+*.pp eol=lf
+*.sh eol=lf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..78d9ade
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,21 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
diff --git a/.pmtignore b/.pmtignore
new file mode 100644
index 0000000..103d6db
--- /dev/null
+++ b/.pmtignore
@@ -0,0 +1,22 @@
+docs/
+pkg/
+Gemfile.lock
+Gemfile.local
+vendor/
+.vendor/
+spec/fixtures/manifests/
+spec/fixtures/modules/
+.vagrant/
+.bundle/
+.ruby-version
+coverage/
+log/
+.idea/
+.dependencies/
+.librarian/
+Puppetfile.lock
+*.iml
+.*.sw?
+.yardoc/
+junit/
+bin/
diff --git a/.project b/.project
new file mode 100644
index 0000000..903e64c
--- /dev/null
+++ b/.project
@@ -0,0 +1,23 @@
+
+
+ vinzent-usbguard
+
+
+
+
+
+ com.puppetlabs.geppetto.pp.dsl.ui.modulefileBuilder
+
+
+
+
+ org.eclipse.xtext.ui.shared.xtextBuilder
+
+
+
+
+
+ com.puppetlabs.geppetto.pp.dsl.ui.puppetNature
+ com.eclipse.xtext.ui.shared.xtextNature
+
+
diff --git a/.rspec b/.rspec
new file mode 100644
index 0000000..16f9cdb
--- /dev/null
+++ b/.rspec
@@ -0,0 +1,2 @@
+--color
+--format documentation
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000..27793f6
--- /dev/null
+++ b/.rubocop.yml
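Review bot: In `.fixtures.yml` both fixture repositories are fetched over `git://`, which is neither encrypted nor authenticated, so whatever the network returns is what the spec run loads as stdlib and concat. The entries should use HTTPS, e.g. `stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"`. Neither entry is pinned to a tag or commit, so the tests follow the default branch while `metadata.json` promises `< 5.0.0`; the `repo:`/`ref:` form of a fixture entry would let the tested version be stated.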
@@ -0,0 +1,102 @@
+---
+require: rubocop-rspec
+AllCops:
+ TargetRubyVersion: '2.1'
+ Include:
+ - "./**/*.rb"
+ Exclude:
+ - bin/*
+ - ".vendor/**/*"
+ - Gemfile
+ - Rakefile
+ - pkg/**/*
+ - spec/fixtures/**/*
+ - vendor/**/*
+Metrics/LineLength:
+ Description: People have wide screens, use them.
+ Max: 200
+RSpec/BeforeAfterAll:
+ Description: Beware of using after(:all) as it may cause state to leak between tests.
+ A necessary evil in acceptance testing.
+ Exclude:
+ - spec/acceptance/**/*.rb
+RSpec/HookArgument:
+ Description: Prefer explicit :each argument, matching existing module's style
+ EnforcedStyle: each
+Style/BlockDelimiters:
+ Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to
+ be consistent then.
+ EnforcedStyle: braces_for_chaining
+Style/ClassAndModuleChildren:
+ Description: Compact style reduces the required amount of indentation.
+ EnforcedStyle: compact
+Style/EmptyElse:
+ Description: Enforce against empty else clauses, but allow `nil` for clarity.
+ EnforcedStyle: empty
+Style/FormatString:
+ Description: Following the main puppet project's style, prefer the % format format.
+ EnforcedStyle: percent
+Style/FormatStringToken:
+ Description: Following the main puppet project's style, prefer the simpler template
+ tokens over annotated ones.
+ EnforcedStyle: template
+Style/Lambda:
+ Description: Prefer the keyword for easier discoverability.
+ EnforcedStyle: literal
+Style/RegexpLiteral:
+ Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168
+ EnforcedStyle: percent_r
+Style/TernaryParentheses:
+ Description: Checks for use of parentheses around ternary conditions. Enforce parentheses
+ on complex expressions for better readability, but seriously consider breaking
+ it up.
+ EnforcedStyle: require_parentheses_when_complex
+Style/TrailingCommaInArguments:
+ Description: Prefer always trailing comma on multiline argument lists. This makes
+ diffs, and re-ordering nicer.
+ EnforcedStyleForMultiline: comma
+Style/TrailingCommaInLiteral:
+ Description: Prefer always trailing comma on multiline literals. This makes diffs,
+ and re-ordering nicer.
+ EnforcedStyleForMultiline: comma
+Style/SymbolArray:
+ Description: Using percent style obscures symbolic intent of array's contents.
+ EnforcedStyle: brackets
+Style/CollectionMethods:
+ Enabled: true
+Style/MethodCalledOnDoEndBlock:
+ Enabled: true
+Style/StringMethods:
+ Enabled: true
+Metrics/AbcSize:
+ Enabled: false
+Metrics/BlockLength:
+ Enabled: false
+Metrics/ClassLength:
+ Enabled: false
+Metrics/CyclomaticComplexity:
+ Enabled: false
+Metrics/MethodLength:
+ Enabled: false
+Metrics/ModuleLength:
+ Enabled: false
+Metrics/ParameterLists:
+ Enabled: false
+Metrics/PerceivedComplexity:
+ Enabled: false
+RSpec/DescribeClass:
+ Enabled: false
+RSpec/ExampleLength:
+ Enabled: false
+RSpec/MessageExpectation:
+ Enabled: false
+RSpec/MultipleExpectations:
+ Enabled: false
+RSpec/NestedGroups:
+ Enabled: false
+Style/AsciiComments:
+ Enabled: false
+Style/IfUnlessModifier:
+ Enabled: false
+Style/SymbolProc:
+ Enabled: false
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..3745b7b
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,38 @@
+---
+sudo: false
+dist: trusty
+language: ruby
+cache: bundler
+before_install:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+script:
+ - 'bundle exec rake $CHECK'
+matrix:
+ fast_finish: true
+ include:
+ - rvm: 2.3.1
+ bundler_args: --without system_tests
+ env: PUPPET_GEM_VERSION="~> 4.0"
+ - rvm: 2.1.7
+ bundler_args: --without system_tests
+ env: PUPPET_GEM_VERSION="~> 4.0"
+branches:
+ only:
+ - master
+ - /^v\d/
+notifications:
+ email: false
+deploy:
+ provider: puppetforge
+ user: puppet
+ password:
+ secure: ""
+ on:
+ tags: true
+ all_branches: true
+ condition: "$DEPLOY_TO_FORGE = yes"
diff --git a/.yardopts b/.yardopts
new file mode 100644
index 0000000..3687f51
--- /dev/null
+++ b/.yardopts
@@ -0,0 +1,2 @@
+--markup markdown
+--output-dir docs/
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..6901a21
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## Release 0.1.0
+
+**Features**
+
+* first release
+
+**Bugfixes**
+
+none
+
+**Known Issues**
+
+none
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..6b6af0b
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,126 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+def location_for(place_or_version, fake_version = nil)
+ if place_or_version =~ %r{\A(git[:@][^#]*)#(.*)}
+ [fake_version, { git: Regexp.last_match(1), branch: Regexp.last_match(2), require: false }].compact
+ elsif place_or_version =~ %r{\Afile:\/\/(.*)}
+ ['>= 0', { path: File.expand_path(Regexp.last_match(1)), require: false }]
+ else
+ [place_or_version, { require: false }]
+ end
+end
+
+def gem_type(place_or_version)
+ if place_or_version =~ %r{\Agit[:@]}
+ :git
+ elsif !place_or_version.nil? && place_or_version.start_with?('file:')
+ :file
+ else
+ :gem
+ end
+end
+
+ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
+minor_version = ruby_version_segments[0..1].join('.')
+
+group :development do
+ gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
+ gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
+ gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
+ gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
+ gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby]
+ gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby]
+ gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
+ gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
+end
+
+puppet_version = ENV['PUPPET_GEM_VERSION']
+puppet_type = gem_type(puppet_version)
+facter_version = ENV['FACTER_GEM_VERSION']
+hiera_version = ENV['HIERA_GEM_VERSION']
+
+def puppet_older_than?(version)
+ puppet_version = ENV['PUPPET_GEM_VERSION']
+ !puppet_version.nil? &&
+ Gem::Version.correct?(puppet_version) &&
+ Gem::Requirement.new("< #{version}").satisfied_by?(Gem::Version.new(puppet_version.dup))
+end
+
+gems = {}
+
+gems['puppet'] = location_for(puppet_version)
+
+# If facter or hiera versions have been specified via the environment
+# variables, use those versions. If not, and if the puppet version is < 3.5.0,
+# use known good versions of both for puppet < 3.5.0.
+if facter_version
+ gems['facter'] = location_for(facter_version)
+elsif puppet_type == :gem && puppet_older_than?('3.5.0')
+ gems['facter'] = ['>= 1.6.11', '<= 1.7.5', require: false]
+end
+
+if hiera_version
+ gems['hiera'] = location_for(ENV['HIERA_GEM_VERSION'])
+elsif puppet_type == :gem && puppet_older_than?('3.5.0')
+ gem['hiera'] = ['>= 1.0.0', '<= 1.3.0', require: false]
+end
+
+if Gem.win_platform? && (puppet_type != :gem || puppet_older_than?('3.5.0'))
+ # For Puppet gems < 3.5.0 (tested as far back as 3.0.0) on Windows
+ if puppet_type == :gem
+ gems['ffi'] = ['1.9.0', require: false]
+ gems['minitar'] = ['0.5.4', require: false]
+ gems['win32-eventlog'] = ['0.5.3', '<= 0.6.5', require: false]
+ gems['win32-process'] = ['0.6.5', '<= 0.7.5', require: false]
+ gems['win32-security'] = ['~> 0.1.2', '<= 0.2.5', require: false]
+ gems['win32-service'] = ['0.7.2', '<= 0.8.8', require: false]
+ else
+ gems['ffi'] = ['~> 1.9.0', require: false]
+ gems['minitar'] = ['~> 0.5.4', require: false]
+ gems['win32-eventlog'] = ['~> 0.5', '<= 0.6.5', require: false]
+ gems['win32-process'] = ['~> 0.6', '<= 0.7.5', require: false]
+ gems['win32-security'] = ['~> 0.1', '<= 0.2.5', require: false]
+ gems['win32-service'] = ['~> 0.7', '<= 0.8.8', require: false]
+ end
+
+ gems['win32-dir'] = ['~> 0.3', '<= 0.4.9', require: false]
+
+ if RUBY_VERSION.start_with?('1.')
+ gems['win32console'] = ['1.3.2', require: false]
+ # sys-admin was removed in Puppet 3.7.0 and doesn't compile under Ruby 2.x
+ gems['sys-admin'] = ['1.5.6', require: false]
+ end
+
+ # Puppet < 3.7.0 requires these.
+ # Puppet >= 3.5.0 gem includes these as requirements.
+ # The following versions are tested to work with 3.0.0 <= puppet < 3.7.0.
+ gems['win32-api'] = ['1.4.8', require: false]
+ gems['win32-taskscheduler'] = ['0.2.2', require: false]
+ gems['windows-api'] = ['0.4.3', require: false]
+ gems['windows-pr'] = ['1.2.3', require: false]
+elsif Gem.win_platform?
+ # If we're using a Puppet gem on Windows which handles its own win32-xxx gem
+ # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445).
+ gems['win32-dir'] = ['<= 0.4.9', require: false]
+ gems['win32-eventlog'] = ['<= 0.6.5', require: false]
+ gems['win32-process'] = ['<= 0.7.5', require: false]
+ gems['win32-security'] = ['<= 0.2.5', require: false]
+ gems['win32-service'] = ['<= 0.8.8', require: false]
+end
+
+gems.each do |gem_name, gem_params|
+ gem gem_name, *gem_params
+end
+
+# Evaluate Gemfile.local and ~/.gemfile if they exist
+extra_gemfiles = [
+ "#{__FILE__}.local",
+ File.join(Dir.home, '.gemfile'),
+]
+
+extra_gemfiles.each do |gemfile|
+ if File.file?(gemfile) && File.readable?(gemfile)
+ eval(File.read(gemfile), binding)
+ end
+end
+# vim: syntax=ruby
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ceea3a9
--- /dev/null
+++ b/README.md
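Review bot: In the hiera branch of the `Gemfile`, `gem['hiera'] = [...]` calls Bundler's `gem` method with no arguments instead of writing to the `gems` hash, so a Puppet gem older than 3.5.0 without `HIERA_GEM_VERSION` set would raise rather than pin hiera. The line should read `gems['hiera'] = ['>= 1.0.0', '<= 1.3.0', require: false]`, matching the facter branch above it. Separately, the closing loop `eval`s `Gemfile.local` and `~/.gemfile` in the Gemfile's binding, so anyone able to write either file runs code on every Bundler invocation. If that is intended, a comment such as `# NOTE: these files are executed as Ruby; keep them writable by the invoking user only` would make it explicit.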
@@ -0,0 +1,65 @@
+
+# usbguard
+
+#### Table of Contents
+
+1. [Description](#description)
+2. [Setup - The basics of getting started with usbguard](#setup)
+ * [What usbguard affects](#what-usbguard-affects)
+ * [Beginning with usbguard](#beginning-with-usbguard)
+3. [Usage - Configuration options and additional functionality](#usage)
+4. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
+5. [Limitations - OS compatibility, etc.](#limitations)
+6. [Development - Guide for contributing to the module](#development)
+
+## Description
+
+Install usbguard and configure the daemon and rules.
+
+https://dkopecek.github.io/usbguard/
+
+Usbguard is available for RHEL/CentOS >= 7.4 and Fedora.
+
+## Setup
+
+### What usbguard affects
+
+* the usbguard package
+* the usbguard-daemon.conf file
+* the rules file (by default `/etc/usbguard/rules-managed-by-puppet.conf`)
+
+### Beginning with usbguard
+
+Just `include ::usbguard` to start without any rule - but it won't
+
+## Usage
+
+Install, configure some rules and start the service:
+
+```
+include ::usbguard
+
+$rule_content = @(CONTENT)
+ allow with-interface equals { 08:*:* }
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+ | CONTENT
+
+# DON'T DO THIS ON YOUR COMPUTER OR YOU MIGHT LOCK YOU OUT
+# this is just an example. :-)
+usbguard::rule { 'allow usb disks without keyboard interface':
+ rule => $rule_content,
+}
+```
+
+## Limitations
+
+* The usbguard package for RHEL/CentOS is only available for 7.4 and later
+ or you need to configure a external repo on your own (this module will
+ never fiddle with your repo config)
+
+## Development
+
+No defined process available. :-) Github pull-request style.
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..81381e0
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,2 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-syntax/tasks/puppet-syntax'
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000..ca714e2
--- /dev/null
+++ b/manifests/config.pp
@@ -0,0 +1,43 @@
+# usbguard::config
+#
+# @private
+#
+# @summary A short summary of the purpose of this class
+#
+# @example
+# this is a private class
+class usbguard::config {
+ $ipc_allowed_users = join($::usbguard::daemon_ipc_allowed_users, ' ')
+ $ipc_allowed_groups= join($::usbguard::daemon_ipc_allowed_groups, ' ')
+
+ $daemon_conf = @("CONTENT")
+ # Managed by puppet
+ RuleFile=${::usbguard::daemon_rule_file}
+ ImplicitPolicyTarget=${::usbguard::daemon_implicit_policy_target}
+ PresentDevicePolicy=${::usbguard::daemon_present_device_policy}
+ PresentControllerPolicy=${::usbguard::daemon_present_controller_policy}
+ IPCAllowedUsers=${ipc_allowed_users}
+ IPCAllowedGroups=${ipc_allowed_groups}
+ DeviceRulesWithPort=${::usbguard::daemon_device_rules_with_port}
+ AuditFilePath=${::usbguard::daemon_audit_file_path}
+ | CONTENT
+
+ file { '/etc/usbguard/usbguard-daemon.conf':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $daemon_conf,
+ }
+
+ if $::usbguard::manage_rules_file {
+ # unfortunatly no comments allowed in the rules file (v0.7)
+ # can't add header "Managed by puppet"
+ concat { $::usbguard::daemon_rule_file:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ }
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..1db300f
--- /dev/null
+++ b/manifests/init.pp
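Review bot: In `manifests/config.pp` the heredoc writes `daemon_rule_file`, `daemon_audit_file_path` and the joined IPC user and group lists into `usbguard-daemon.conf` exactly as given. `manifests/init.pp` types them only as `String` and `Array[String]`, so a value containing a newline (from Hiera, say) adds an extra directive line to the daemon configuration. Constraining them at the class boundary closes this, e.g. `Pattern[/\A\/\S+\z/] $daemon_rule_file` (likewise for `daemon_audit_file_path`) and `Array[Pattern[/\A\S+\z/]]` for the two lists. The `@summary` line is still the template placeholder. It could say that the class writes the daemon configuration and declares the concat target for the rules file, both owned by root with mode 0600.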
@@ -0,0 +1,35 @@
+# usbguard
+#
+# @summary Install and configure usbguard
+#
+# @example
+# include usbguard
+#
+# @param manage_package
+class usbguard(
+ Boolean $manage_service = true,
+ Boolean $manage_package = true,
+ Boolean $manage_rules_file = true,
+ String $package_name = 'usbguard',
+ String $service_name = 'usbguard',
+ Enum['running', 'stopped'] $service_ensure = 'running',
+ # usbguard-daemon.conf settings settings
+ String $daemon_audit_file_path = '/var/log/usbguard/usbguard-audit.log',
+ Boolean $daemon_device_rules_with_port = false,
+ Enum['allow', 'block', 'reject'] $daemon_implicit_policy_target = 'block',
+ Array[String] $daemon_ipc_allowed_groups = [ 'wheel' ],
+ Array[String] $daemon_ipc_allowed_users = ['root'],
+ Enum['allow','block','reject','keep','apply-policy'] $daemon_present_controller_policy = 'keep',
+ Enum['allow','block','reject','keep','apply-policy'] $daemon_present_device_policy= 'apply-policy',
+ String $daemon_rule_file = '/etc/usbguard/rules-managed-by-puppet.conf',
+
+) {
+ contain ::usbguard::install
+ contain ::usbguard::config
+ contain ::usbguard::service
+
+ Class['::usbguard::install']
+ -> Class['::usbguard::config']
+ ~> Class['::usbguard::service']
+
+}
diff --git a/manifests/install.pp b/manifests/install.pp
new file mode 100644
index 0000000..0cabbcb
--- /dev/null
+++ b/manifests/install.pp
@@ -0,0 +1,15 @@
+# usbguard::install
+#
+# @private
+#
+# @summary Install the usbguard package
+#
+# @example
+# private class - don't use it directly
+class usbguard::install {
+ if $::usbguard::manage_package {
+ package { $::usbguard::package_name:
+ ensure => 'present',
+ }
+ }
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..7abccb8
--- /dev/null
+++ b/manifests/rule.pp
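Review bot: The class header in `manifests/init.pp` has an empty `@param manage_package` tag and documents none of the other parameters, although the defaults decide what happens to devices on the first run. As I read usbguard's semantics, `daemon_implicit_policy_target = 'block'` with `daemon_present_device_policy = 'apply-policy'` and an empty rules file blocks devices that are already attached, keyboards included. I would add one `@param` line per parameter and a warning above the class, for example `# NOTE: with the defaults and no usbguard::rule resources, attached USB devices are blocked when the service starts.` The `daemon_ipc_allowed_groups = ['wheel']` default deserves its own line too, since members of that group may then connect to the daemon's IPC interface.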
@@ -0,0 +1,20 @@
+# Manage a usbguard rule
+#
+# @param rule A line of rules.conf
+# @param order Order for the concat resource
+define usbguard::rule(
+ String $rule = $title,
+ String $order = '500',
+) {
+ if !defined(Class['usbguard']) {
+ fail('You must include usbguard before calling usbguard::rule')
+ }
+
+ if $::usbguard::manage_rules_file {
+ concat::fragment { "${::usbguard::daemon_rule_file} ${title}":
+ target => $::usbguard::daemon_rule_file,
+ content => "${rule}\n",
+ order => $order,
+ }
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 0000000..91ea74f
--- /dev/null
+++ b/manifests/service.pp
@@ -0,0 +1,21 @@
+# usbguard::service
+#
+# @private
+#
+# @summary Manage the usbguard service
+#
+# @example
+# this is a private class - don't use directly
+class usbguard::service {
+ if $::usbguard::manage_service {
+ $enable_param = $::usbguard::service_ensure ? {
+ 'stopped' => false,
+ default => true,
+ }
+
+ service { $::usbguard::service_name:
+ ensure => $::usbguard::service_ensure,
+ enable => $enable_param,
+ }
+ }
+}
diff --git a/metadata.json b/metadata.json
new file mode 100644
index 0000000..29fd256
--- /dev/null
+++ b/metadata.json
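Review bot: When `manage_rules_file` is false, `usbguard::rule` in `manifests/rule.pp` declares nothing and reports nothing, so a catalog can list `reject` rules that never reach the rules file. I would make that visible with an `else` branch such as `warning("usbguard::rule '${title}' ignored: manage_rules_file is false")`, or `fail()` if a silently dropped rule is never acceptable. A comment on the `defined(Class['usbguard'])` guard would also help, because `defined()` depends on evaluation order and only passes when the class was evaluated before the define.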
@@ -0,0 +1,43 @@
+{
+ "name": "vinzent-usbguard",
+ "version": "0.1.0",
+ "author": "Thomas Mueller",
+ "summary": "Install & configure usbguard",
+ "license": "Apache-2.0",
+ "source": "https://github.com/vinzent/puppet-usbguard",
+ "project_page": "https://github.com/vinzent/puppet-usbguard",
+ "issues_url": "https://github.com/vinzent/puppet-usbguard/issues",
+ "dependencies": [
+ {
+ "name": "puppetlabs-stdlib",
+ "version_requirement": ">= 4.13.1 < 5.0.0"
+ },
+ {
+ "name": "puppetlabs-concat",
+ "version_requirement": ">= 4.0.0 < 5.0.0"
+ }
+ ],
+ "operatingsystem_support": [
+ {
+ "operatingsystem": "Fedora",
+ "operatingsystemrelease": [
+ "25", "26"
+ ]
+ },
+ {
+ "operatingsystem": "RedHat",
+ "operatingsystemrelease": [
+ "7"
+ ]
+ }
+ ],
+ "requirements": [
+ {
+ "name": "puppet",
+ "version_requirement": ">= 4.7.0 < 6.0.0"
+ }
+ ],
+ "pdk-version": "1.0.1",
+ "template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-module-template.git",
+ "template-ref": "heads/master-0-g5db7961"
+}
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
new file mode 100644
index 0000000..d9b6a04
--- /dev/null
+++ b/spec/acceptance/class_spec.rb
@@ -0,0 +1,71 @@
+require 'spec_helper_acceptance'
+
+describe 'usbguard class' do
+ let(:pp) do
+ <<-EOS
+ class { 'usbguard': }
+ EOS
+ end
+
+ it_behaves_like 'a idempotent resource'
+
+ describe package('usbguard') do
+ it { is_expected.to be_installed }
+ end
+
+ describe file('/etc/usbguard/usbguard-daemon.conf') do
+ its(:content) { is_expected.to match('Managed by puppet') }
+ end
+
+ describe file('/etc/usbguard/rules-managed-by-puppet.conf') do
+ it { is_expected.to be_file }
+ end
+
+ describe service('usbguard') do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ context 'with a rule (single line)' do
+ let(:pp) do
+ <<-EOS
+ class { 'usbguard': }
+ usbguard::rule { 'allow with-interface equals { 08:*:* }': }
+ EOS
+ end
+
+ it_behaves_like 'a idempotent resource'
+ describe file('/etc/usbguard/rules-managed-by-puppet.conf') do
+ it { is_expected.to be_file }
+ its(:content) { is_expected.to match('allow with-interface equals { 08:*:* }') }
+ end
+ end
+
+ context 'with a rule (multi line)' do
+ let(:pp) do
+ <<-EOS
+ include ::usbguard
+
+ $rule_content = @(CONTENT)
+ allow with-interface equals { 08:*:* }
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+ | CONTENT
+
+ # DON'T DO THIS ON YOUR COMPUTER OR YOU MIGHT LOCK YOU OUT
+ # this is just an example. :-)
+ usbguard::rule { 'allow usb disks without keyboard interface':
+ rule => $rule_content,
+ }
+ EOS
+ end
+
+ it_behaves_like 'a idempotent resource'
+ describe file('/etc/usbguard/rules-managed-by-puppet.conf') do
+ it { is_expected.to be_file }
+ its(:content) { is_expected.to match('eject with-interface all-of { 08:*:* 03:00:* }') }
+ end
+ end
+end
diff --git a/spec/acceptance/nodesets/centos-7-x64.yml b/spec/acceptance/nodesets/centos-7-x64.yml
new file mode 100644
index 0000000..e05a3ae
--- /dev/null
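Review bot: The two rule-content checks in `spec/acceptance/class_spec.rb` pass a String to `match`, which is compiled as a regular expression. `08:*:*` then means "08 followed by colons" rather than the literal rule text and, as far as I can tell, cannot match the line the module writes. A literal comparison avoids this, e.g. `its(:content) { is_expected.to include('allow with-interface equals { 08:*:* }') }`; the multi-line case also looks for `'eject with-interface ...'` where `reject` is presumably meant. Both managed files are declared root-owned with mode `0600`, so adding `it { is_expected.to be_mode 600 }` and `it { is_expected.to be_owned_by 'root' }` to the two `file(...)` blocks would keep that from regressing.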
+++ b/spec/acceptance/nodesets/centos-7-x64.yml
@@ -0,0 +1,15 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+HOSTS:
+ centos-7-x64:
+ roles:
+ - master
+ platform: el-7-x86_64
+ box: centos/7
+ hypervisor: vagrant
+CONFIG:
+ type: aio
+...
+# vim: syntax=yaml
diff --git a/spec/acceptance/nodesets/fedora-25-x64.yml b/spec/acceptance/nodesets/fedora-25-x64.yml
new file mode 100644
index 0000000..60ae011
--- /dev/null
+++ b/spec/acceptance/nodesets/fedora-25-x64.yml
@@ -0,0 +1,18 @@
+---
+# This file is managed via modulesync
+# https://github.com/voxpupuli/modulesync
+# https://github.com/voxpupuli/modulesync_config
+#
+# platform is fedora 24 because there is no
+# puppet-agent for fedora 25 by 2016-12-30
+HOSTS:
+ fedora-25-x64:
+ roles:
+ - master
+ platform: fedora-25-x86_64
+ box: fedora/25-cloud-base
+ hypervisor: vagrant
+CONFIG:
+ type: aio
+...
+# vim: syntax=yaml
diff --git a/spec/classes/usbguard_spec.rb b/spec/classes/usbguard_spec.rb
new file mode 100644
index 0000000..03c5f8f
--- /dev/null
+++ b/spec/classes/usbguard_spec.rb
@@ -0,0 +1,11 @@
+require 'spec_helper'
+
+describe 'usbguard' do
+ on_supported_os(facterversion: '2.4').each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/default_facts.yml b/spec/default_facts.yml
new file mode 100644
index 0000000..3248be5
--- /dev/null
+++ b/spec/default_facts.yml
@@ -0,0 +1,8 @@
+# Use default_module_facts.yml for module specific facts.
+#
+# Facts specified here will override the values provided by rspec-puppet-facts.
+---
+concat_basedir: "/tmp"
+ipaddress: "172.16.254.254"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"
diff --git a/spec/defines/usbguard_rule_spec.rb b/spec/defines/usbguard_rule_spec.rb
new file mode 100644
index 0000000..46962de
--- /dev/null
+++ b/spec/defines/usbguard_rule_spec.rb
@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe 'usbguard::rule' do
+ let(:pre_condition) { 'include usbguard' }
+ let(:title) { 'allow with-interface equals { 08:*:* }' }
+
+ on_supported_os(facterversion: '2.4').each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ it { is_expected.to compile }
+ end
+ end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..15266c2
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,23 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rspec-puppet-facts'
+include RspecPuppetFacts
+
+default_facts = {
+ puppetversion: Puppet.version,
+ facterversion: Facter.version,
+}
+
+default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml'))
+default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml'))
+
+if File.exist?(default_facts_path) && File.readable?(default_facts_path)
+ default_facts.merge!(YAML.safe_load(File.read(default_facts_path)))
+end
+
+if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path)
+ default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path)))
+end
+
+RSpec.configure do |c|
+ c.default_facts = default_facts
+end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
new file mode 100644
index 0000000..81fe437
--- /dev/null
+++ b/spec/spec_helper_acceptance.rb
@@ -0,0 +1,33 @@
+require 'beaker-rspec/spec_helper'
+require 'beaker-rspec/helpers/serverspec'
+require 'beaker/puppet_install_helper'
+
+run_puppet_install_helper unless ENV['BEAKER_provision'] == 'no'
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ # Install module and dependencies
+ puppet_module_install(source: proj_root, module_name: 'usbguard')
+ hosts.each do |host|
+ on host, puppet('module', 'install', 'puppetlabs-stdlib'), acceptable_exit_codes: [0, 1]
+ on host, puppet('module', 'install', 'puppetlabs-concat'), acceptable_exit_codes: [0, 1]
+ end
+ end
+end
+
+shared_examples 'a idempotent resource' do
+ it 'applies with no errors' do
+ apply_manifest(pp, catch_failures: true)
+ end
+
+ it 'applies a second time without changes' do
+ apply_manifest(pp, catch_changes: true)
+ end
+end
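Review bot: In `spec/spec_helper_acceptance.rb` both `puppet module install` calls accept exit code 1, so a dependency that failed to install does not stop the suite and the failure only shows up later as an unrelated catalog error. If 1 is tolerated only for the already-installed case, a comment such as `# exit 1 is accepted because the module may already be present on a reused host` would record that; otherwise use `acceptable_exit_codes: [0]`. The installs also take whatever version the Forge serves, while `metadata.json` restricts stdlib and concat to `< 5.0.0`, so the acceptance run may exercise versions the module does not claim to support.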