Merge pull request #3814 from inspec/tas50/kitchen

Update the integration tests to use dokken-images and newer Chef technologies

.gitignore

@@ -9,6 +9,7 @@ Berksfile.lock
 .librarian
 Puppetfile.lock
 .kitchen.local.yml
+kitchen.local.yml
 profile.tar.gz
 omnibus/.cache
 omnibus/pkg

.kitchen.vagrant.yml

@@ -1,45 +0,0 @@
----
-driver:
-  name: vagrant
-
-provisioner:
-  name: chef_solo
-
-verifier:
-  name: inspec
-  sudo: true
-
-platforms:
-  - name: centos-7.1
-  - name: centos-6.7
-  - name: centos-5.11
-  - name: debian-6.0.10
-  - name: debian-7.8
-  - name: debian-8.1
-  - name: fedora-21
-  - name: fedora-22
-  - name: freebsd-9.3
-  - name: freebsd-10.2
-  - name: opensuse-13.2-x86_64
-  - name: ubuntu-14.04
-  - name: ubuntu-12.04
-  - name: ubuntu-10.04
-  - name: mint-17.2-cinnamon
-    driver_config:
-      box: artem-sidorenko/mint-17.2-cinnamon
-
-suites:
-  - name: default
-    run_list:
-      - recipe[apt]
-      - recipe[yum]
-      - recipe[os_prepare]
-    attributes:
-  - name: find_files
-    run_list:
-      - recipe[os_prepare::find_files]
-    verifier:
-      inspec_tests:
-        - test/integration/find_files
-    excludes:
-      - freebsd-10.2

.travis.yml

@@ -1,10 +1,9 @@
-sudo: required
 branches:
   only:
     - master
 language: ruby
 cache: bundler
-dist: trusty
+dist: xenial
 services:
 - docker
 bundler_args: "--without integration tools maintenance deploy"
@@ -15,39 +14,60 @@ before_install:
 matrix:
   include:
   - rvm: 2.3.8
+    env: UNIT_TESTS_23=1
   - rvm: 2.4.5
+    env: UNIT_TESTS_24=1
   - rvm: 2.5.3
+    env: UNIT_TESTS_25=1
+  #- rvm: 2.6.1 # this needs a few fixes to get enabled
+  #  bundler_args: "--without integration tools maintenance deploy"
+  #  env: UNIT_TESTS_26=1
   - rvm: 2.4.5
     script: bundle exec rake $SUITE
     env: SUITE="test:functional"
-  - rvm: 2.4.5
+  - rvm: 2.5.3
+    script: bundle exec rake $SUITE
+    env: SUITE="test:functional"
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
-    env: SUITE=test:integration[default-ubuntu-1204]
-  - rvm: 2.4.5
+    env: SUITE=test:integration[default-ubuntu-1404]
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
     env: SUITE=test:integration[default-ubuntu-1604]
-  - rvm: 2.4.5
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
-    env: SUITE=test:integration[default-centos-68]
-  - rvm: 2.4.5
+    env: SUITE=test:integration[default-ubuntu-1804]
+  - rvm: 2.5.3
+    script: bundle exec rake $SUITE
+    bundler_args: "--without tools maintenance deploy"
+    env: SUITE=test:integration[default-centos-6]
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
     env: SUITE=test:integration[default-centos-7]
-  - rvm: 2.4.5
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
     env: SUITE=test:integration[default-debian-8]
-  - rvm: 2.4.5
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
-    env: SUITE=test:integration[default-oracle-72]
-  - rvm: 2.4.5
+    env: SUITE=test:integration[default-debian-9]
+  - rvm: 2.5.3
     script: bundle exec rake $SUITE
     bundler_args: "--without tools maintenance deploy"
-    env: SUITE=test:integration[default-fedora-24]
+    env: SUITE=test:integration[default-oraclelinux-6]
+  - rvm: 2.5.3
+    script: bundle exec rake $SUITE
+    bundler_args: "--without tools maintenance deploy"
+    env: SUITE=test:integration[default-oraclelinux-7]
+  - rvm: 2.5.3
+    script: bundle exec rake $SUITE
+    bundler_args: "--without tools maintenance deploy"
+    env: SUITE=test:integration[default-fedora-29]
   - rvm: 2.4.5
     sudo: false
     cache:

Berksfile

@@ -1,13 +1,4 @@
-# encoding: utf-8
 source 'https://supermarket.chef.io'
 
 cookbook 'audit'
-cookbook 'apt'
-cookbook 'yum'
-cookbook 'postgresql', '= 7.1.0'
-cookbook 'docker'
-cookbook 'yum-epel'
-cookbook 'packagecloud'
 cookbook 'os_prepare', path: './test/cookbooks/os_prepare'
-cookbook 'runit', github: 'hw-cookbooks/runit'
-cookbook 'ssh-hardening', git: 'https://github.com/dev-sec/chef-ssh-hardening.git'

Gemfile

@@ -22,7 +22,10 @@ group :test do
 end
 
 group :integration do
-  gem 'berkshelf', '~> 5.2'
+  # this version check can be removed when inspec no longer support ruby 2.3
+  if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.4')
+    gem 'berkshelf', '~> 7'
+  end
   gem 'test-kitchen', '>= 1.24'
   gem 'kitchen-vagrant'
   # we need winrm v2 support >= 0.15.1

examples/kitchen-chef/recipes/nginx.rb

@@ -5,7 +5,6 @@
 # install repositories for nginx
 case node['platform']
 when 'ubuntu'
-  include_recipe('apt')
   # if ubuntu, install
   apt_repository 'nginx-php' do
     uri 'ppa:nginx/stable'

kitchen.ec2.yml

@@ -84,7 +84,4 @@ platforms:
 suites:
   - name: default
     run_list:
-      - recipe[apt]
-      - recipe[yum]
       - recipe[os_prepare]
-    attributes:

kitchen.vagrant.yml

@@ -0,0 +1,36 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: chef_solo
+
+verifier:
+  name: inspec
+  sudo: true
+
+platforms:
+  - name: centos-6
+  - name: centos-7
+  - name: debian-8
+  - name: debian-9
+  - name: fedora-28
+  - name: fedora-29
+  - name: freebsd-11
+  - name: opensuseleap-42
+  - name: ubuntu-14.04
+  - name: ubuntu-16.04
+  - name: ubuntu-18.04
+
+suites:
+  - name: default
+    run_list:
+      - recipe[os_prepare]
+  - name: find_files
+    run_list:
+      - recipe[os_prepare::find_files]
+    verifier:
+      inspec_tests:
+        - test/integration/find_files
+    excludes:
+      - freebsd-11

kitchen.yml

@@ -1,7 +1,7 @@
 ---
 driver:
   name: dokken
-  chef_version: 14.3.37
+  chef_version: 14.10.9
   privileged: true # because Docker and SystemD/Upstart
 
 transport:
@@ -22,72 +22,86 @@ verifier:
     verifier_attribute: 'Attribute Override!'
 
 platforms:
-- name: ubuntu-12.04
+- name: amazonlinux
   driver:
-    image: ubuntu:12.04
-- name: ubuntu-14.04
+    image: dokken/amazonlinux
+    pid_one_command: /sbin/init
+
+- name: amazonlinux-2
   driver:
-    image: ubuntu:14.04
-- name: ubuntu-16.04
+    image: dokken/amazonlinux-2
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: centos-6
   driver:
-    image: ubuntu:16.04
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    pid_one_command: /bin/systemd
-- name: centos-6.6
-  driver:
-    image: centos:6.6
-- name: centos-6.8
-  driver:
-    image: centos:6.8
-    intermediate_instructions:
-      - RUN yum install -y initscripts
+    image: dokken/centos-6
+    pid_one_command: /sbin/init
+
 - name: centos-7
   driver:
-    image: centos:7
+    image: dokken/centos-7
     pid_one_command: /usr/lib/systemd/systemd
-- name: oracle-6.7
-  driver:
-    image: oraclelinux:6.7
-- name: oracle-7.2
-  driver:
-    image: oraclelinux:7.2
-    pid_one_command: /usr/lib/systemd/systemd
-- name: debian-7
-  driver:
-    image: debian:7.11
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    # running it within the chef recipe is too late :-(
-    - RUN /usr/bin/apt-get install -y procps lsb-release
+
 - name: debian-8
   driver:
-    image: debian:8.5
-    intermediate_instructions:
-    - RUN /usr/bin/apt-get update
-    # running it within the chef recipe is too late :-(
-    - RUN /usr/bin/apt-get install -y procps lsb-release
+    image: dokken/debian-8
     pid_one_command: /bin/systemd
-- name: fedora-23
-  driver:
-    image: fedora:23
-    pid_one_command: /usr/lib/systemd/systemd
     intermediate_instructions:
-    - RUN dnf install -y yum
-- name: fedora-24
+      - RUN /usr/bin/apt-get update
+
+- name: debian-9
   driver:
-    image: fedora:24
-    pid_one_command: /usr/lib/systemd/systemd
+    image: dokken/debian-9
+    pid_one_command: /bin/systemd
     intermediate_instructions:
-    - RUN dnf install -y yum
+      - RUN /usr/bin/apt-get update
+
+- name: fedora-29
+  driver:
+    image: dokken/fedora-29
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: oraclelinux-6
+  driver:
+    image: dokken/oraclelinux-6
+    pid_one_command: /sbin/init
+
+- name: oraclelinux-7
+  driver:
+    image: dokken/oraclelinux-7
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: opensuse-leap
+  driver:
+    image: dokken/opensuse-leap-42
+    pid_one_command: /bin/systemd
+
+- name: ubuntu-14.04
+  driver:
+    image: dokken/ubuntu-14.04
+    pid_one_command: /sbin/init
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update
+
+- name: ubuntu-16.04
+  driver:
+    image: dokken/ubuntu-16.04
+    pid_one_command: /bin/systemd
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update
+
+- name: ubuntu-18.04
+  driver:
+    image: dokken/ubuntu-18.04
+    pid_one_command: /bin/systemd
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update
 
 suites:
 - name: default
   run_list:
   - recipe[os_prepare]
   - recipe[audit]
-  - recipe[apt]
-  - recipe[yum]
   verifier:
     inspec_tests:
       - test/integration/default

test/cookbooks/os_prepare/metadata.rb

@@ -1,15 +1,12 @@
-# encoding: utf-8
 name 'os_prepare'
 maintainer 'Chef Software, Inc.'
 maintainer_email 'support@chef.io'
 description 'This cookbook prepares the test operating systems'
 version '1.0.0'
 
-depends 'apt'
-depends 'yum'
+# this cookbook has changed rapidly in the past so we pin it here to prevent build failures
+depends 'postgresql', '= 7.1.3'
+
 depends 'runit'
-depends 'postgresql'
-depends 'windows'
 depends 'ssh-hardening'
-depends 'openssl', '= 8.1.2'
 depends 'docker'

test/cookbooks/os_prepare/recipes/_runit_service_centos.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Stephan Renatus
 
 include_recipe 'runit::default'

test/cookbooks/os_prepare/recipes/_upstart_service_centos.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Stephan Renatus
 
 directory '/etc/init' do

test/cookbooks/os_prepare/recipes/apache.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 
 case node['platform_family']

test/cookbooks/os_prepare/recipes/apt.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 

test/cookbooks/os_prepare/recipes/auditctl.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Stephan Renatus
 
 case node['platform']

test/cookbooks/os_prepare/recipes/default.rb

@@ -1,9 +1,9 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 #
 # prepare all operating systems with the required configuration
 
+apt_update if platform_family?('debian')
 
 # inject the current inspec gem for use with audit cookbook
 # this is generated via Rake test:integration
@@ -29,9 +29,6 @@ end
 # set a static node uuid for our testing nodes
 Chef::Config[:chef_guid] = uuid_from_string(node.name)
 
-# container preparation
-include_recipe('os_prepare::prep_container')
-
 # confgure ssh
 include_recipe('os_prepare::ssh')
 

test/cookbooks/os_prepare/recipes/docker_host.rb

@@ -1,8 +1,6 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 
-case node['platform']
-when 'ubuntu', 'rhel', 'centos', 'fedora'
+if platform_family?('rhel', 'debian', 'fedora')
   docker_service 'default' do
     action [:create, :start]
   end

test/cookbooks/os_prepare/recipes/file.rb

@@ -1,41 +1,21 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 #
 # prepares a sample file for verification
 
 if node['platform_family'] != 'windows'
-
-  gid = case node['platform_family']
-        when 'aix'
-          'system'
-        when 'freebsd'
-          'wheel'
-        when 'solaris', 'solaris2'
-          'sys'
-        else
-          'root'
-        end
-
-
   file '/tmp/file' do
     mode '0765'
-    owner 'root'
-    group gid
     content 'hello world'
   end
 
   file '/tmp/sfile' do
     mode '7765'
-    owner 'root'
-    group gid
     content 'hello suid/sgid/sticky'
   end
 
   directory '/tmp/folder' do
     mode '0567'
-    owner 'root'
-    group gid
   end
 
 else

test/cookbooks/os_prepare/recipes/iptables.rb

@@ -1,8 +1,6 @@
-# encoding: utf-8
 # author: Stephan Renatus
 
-case node['platform']
-when 'ubuntu', 'rhel', 'centos', 'fedora'
+if platform_family?('rhel', 'debian', 'fedora')
   execute 'iptables -A INPUT -i eth0 -p tcp -m tcp '\
           '--dport 80 -m state --state NEW -m comment '\
           '--comment "http on 80" -j ACCEPT'

test/cookbooks/os_prepare/recipes/json_yaml_csv_ini_xml.rb

@@ -1,27 +1,13 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 #
 # adds a yaml file
 
-gid = case node['platform_family']
-      when 'aix'
-        'system'
-      when 'freebsd'
-        'wheel'
-      when 'solaris', 'solaris2'
-        'sys'
-      else
-        'root'
-      end
-
 ['yml', 'json', 'csv', 'ini', 'toml', 'xml'].each { |filetype|
 
   if node['platform_family'] != 'windows'
     cookbook_file "/tmp/example.#{filetype}" do
       source "example.#{filetype}"
-      owner 'root'
-      group gid
       mode '0755'
       action :create
     end

test/cookbooks/os_prepare/recipes/mount.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 #

test/cookbooks/os_prepare/recipes/os_env.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Omar Irizarry
 #
 # change a few Windows registry keys for testing purposes

test/cookbooks/os_prepare/recipes/package.rb

@@ -1,25 +1,6 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 #
 # installs everything to do the package test
 
-case node['platform']
-when 'ubuntu', 'debian'
-  include_recipe('apt')
-  package 'curl'
-when 'rhel', 'centos', 'fedora'
-  include_recipe('yum')
-
-  # TODO: support DNF natively
-  # Special care for fedora 22, since dnf is not officially supported yet
-  # https://github.com/chef/chef/issues/3201
-  if node['platform_version'] == '22'
-    execute 'dnf install -y yum'
-  end
-
-  package 'curl'
-when 'freebsd'
-  # do nothing
-  # TODO: implement Freebsd packages
-end
+package 'curl'

test/cookbooks/os_prepare/recipes/postgres.rb

@@ -1,18 +1,10 @@
-# encoding: utf-8
 # author: Stephan Renatus
 #
 # installs everyting for the postgres tests
 
-# hw-cookbooks/postgresql is tested on these platforms
+# sous-chefs/postgresql is tested on these platforms
 case node['platform']
 when 'ubuntu', 'centos'
-
-  # also skip it on ubuntu 15.10, because the cookbook is not supported
-  # with `enable_pgdg_apt` yet
-  return if node['platform_version'] == "15.10"
-  # skip it on centos 5, because ca-certificates is not available
-  return if node['platform_version'] == "5"
-
   node.default['postgresql']['enable_pgdg_apt'] = true
   node.default['postgresql']['config']['listen_addresses'] = 'localhost'
   node.default['postgresql']['password']['postgres'] = 'md506be11be01439cb4abd537e454df34ea' # "inspec"

test/cookbooks/os_prepare/recipes/prep_container.rb

@@ -1,15 +0,0 @@
-# encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-#
-# prepares container for normal use :-)
-
-# install docker pre-conditions
-if ['ubuntu', 'debian'].include?(node['platform'])
-  include_recipe('apt')
-
-  # if package lsb-release & procps is not installed
-  # chef returns an empty node['lsb']['codename']
-  package("lsb-release")
-  package("procps")
-end

test/cookbooks/os_prepare/recipes/registry_key.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Alex Pop
 # author: Christoph Hartmann
 #

test/cookbooks/os_prepare/recipes/service.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
 #
@@ -7,7 +6,6 @@
 case node['platform']
 when 'ubuntu'
   # install ntp as a service
-  include_recipe 'apt::default'
   package 'ntp'
 
 when 'centos'

test/cookbooks/os_prepare/recipes/ssh.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # author: Christoph Hartmann
 #
 # installs ssh

test/cookbooks/os_prepare/recipes/x509.rb

@@ -1,6 +1,6 @@
 if node['platform_family'] != 'windows'
 
-  openssl_x509 '/tmp/mycert.pem' do
+  openssl_x509_certificate '/tmp/mycert.pem' do
     common_name 'www.f00bar.com'
     org 'Foo Bar'
     org_unit 'Lab'
@@ -8,7 +8,7 @@ if node['platform_family'] != 'windows'
     expire 360
   end
 
-  openssl_rsa_key '/tmp/server.key' do
+  openssl_rsa_private_key '/tmp/server.key' do
     key_length 2048
   end
 

test/integration/default/controls/x509_spec.rb

@@ -11,9 +11,9 @@ describe x509_certificate('/tmp/mycert.pem') do
   its('signature_algorithm') { should eq 'sha256WithRSAEncryption' }
   its('validity_in_days') { should_not be < 100 }
   its('validity_in_days') { should be >= 100 }
-  its('subject_dn') { should eq '/C=US/ST= /L= /O=Foo Bar/OU=Lab/CN=www.f00bar.com' }
+  its('subject_dn') { should eq '/C=US/O=Foo Bar/OU=Lab/CN=www.f00bar.com' }
   its('subject.C') { should eq 'US' }
-  its('issuer_dn') { should eq '/C=US/ST= /L= /O=Foo Bar/OU=Lab/CN=www.f00bar.com' }
+  its('issuer_dn') { should eq '/C=US/O=Foo Bar/OU=Lab/CN=www.f00bar.com' }
   its('key_length') { should be >= 2048 }
 end