Merge pull request #1406 from carldjohnston/apache_conf-symlinks

Allow apache_conf to include symlinked configuration files

lib/resources/apache_conf.rb

@@ -107,6 +107,7 @@ module Inspec::Resources
       (include_files + include_files_optional).each do |f|
         id    = Pathname.new(f).absolute? ? f : File.join(@conf_dir, f)
         files = find_files(id, depth: 1, type: 'file')
+        files += find_files(id, depth: 1, type: 'link')
 
         includes.push(files) if files
       end

test/cookbooks/os_prepare/files/httpd.conf

@@ -0,0 +1,5 @@
+Listen 80
+User apache
+Group apache
+LogLevel warn
+Include conf-enabled/*.conf

test/cookbooks/os_prepare/metadata.rb

@@ -9,7 +9,6 @@ depends 'apt'
 depends 'yum'
 depends 'runit'
 depends 'postgresql'
-depends 'httpd', '~> 0.2'
 depends 'windows'
 depends 'ssh-hardening'
 depends 'openssl'

test/cookbooks/os_prepare/recipes/apache.rb

@@ -1,14 +1,42 @@
 # encoding: utf-8
 # author: Christoph Hartmann
 
-# install apache service
-case node['platform']
-when 'ubuntu', 'centos', 'amazon', 'fedora'
-
-  return if node['platform_version'] == "15.10"
-
-  httpd_service 'default' do
-    action :create
-  end
-
+case node['platform_family']
+when 'rhel'
+  apache_conf_dir = 'httpd'
+  apache_conf_file = 'conf/httpd.conf'
+when 'debian'
+  apache_conf_dir = 'apache2'
+  apache_conf_file = 'apache2.conf'
+end
+
+# Create the apache configuration directory
+directory "/etc/#{apache_conf_dir}"
+
+# Create a directory for actual configuration /conf-available
+directory "/etc/#{apache_conf_dir}/conf"
+
+# Create a directory for actual configuration /conf-available
+directory "/etc/#{apache_conf_dir}/conf-available"
+
+# Create a directory for symlinked configuration /conf-enabled
+directory "/etc/#{apache_conf_dir}/conf-enabled"
+
+cookbook_file "/etc/#{apache_conf_dir}/#{apache_conf_file}" do
+  source 'httpd.conf'
+end
+
+# Create configuration file (not symlinked)
+file "/etc/#{apache_conf_dir}/conf-enabled/maxkeepaliverequests.conf" do
+  content 'MaxKeepAliveRequests 100'
+end
+
+# Create configuration to be symlinked
+file "/etc/#{apache_conf_dir}/conf-available/security.conf" do
+  content 'ServerSignature Off'
+end
+
+# and link the configuration
+link "/etc/#{apache_conf_dir}/conf-enabled/security.conf" do
+  to "/etc/#{apache_conf_dir}/conf-available/security.conf"
 end

test/helper.rb

@@ -126,7 +126,9 @@ class MockLoader
       '/etc/httpd/conf/httpd.conf' => mockfile.call('httpd.conf'),
       '/etc/httpd/conf.d/ssl.conf' => mockfile.call('ssl.conf'),
       '/etc/httpd/mods-enabled/status.conf' => mockfile.call('status.conf'),
+      '/etc/httpd/conf-enabled/security.conf' => mockfile.call('security.conf'),
       '/etc/apache2/conf-enabled/serve-cgi-bin.conf' => mockfile.call('serve-cgi-bin.conf'),
+      '/etc/apache2/conf-enabled/security.conf' => mockfile.call('security.conf'),
       '/etc/xinetd.conf' => mockfile.call('xinetd.conf'),
       '/etc/xinetd.d' => mockfile.call('xinetd.d'),
       '/etc/xinetd.d/chargen-stream' => mockfile.call('xinetd.d_chargen-stream'),
@@ -252,7 +254,9 @@ class MockLoader
       'find /etc/apache2/ports.conf -maxdepth 1 -type f' => cmd.call('find-apache2-ports-conf'),
       'find /etc/httpd/conf.d/*.conf -maxdepth 1 -type f' => cmd.call('find-httpd-ssl-conf'),
       'find /etc/httpd/mods-enabled/*.conf -maxdepth 1 -type f' => cmd.call('find-httpd-status-conf'),
+      'find /etc/httpd/conf-enabled/*.conf -maxdepth 1 -type l' => cmd.call('find-httpd-conf-enabled-link'),
       'find /etc/apache2/conf-enabled/*.conf -maxdepth 1 -type f' => cmd.call('find-apache2-conf-enabled'),
+      'find /etc/apache2/conf-enabled/*.conf -maxdepth 1 -type l' => cmd.call('find-apache2-conf-enabled-link'),
       # mount
       "mount | grep -- ' on /'" => cmd.call("mount"),
       "mount | grep -- ' on /mnt/iso-disk'" => cmd.call("mount-multiple"),

test/integration/default/apache_conf_spec.rb

@@ -14,6 +14,7 @@ end
 describe apache_conf do
   its('LogLevel') { should cmp 'warn' }
   its('MaxKeepAliveRequests') { should cmp 100 }
+  its('ServerSignature') { should cmp 'Off' }
 end
 
 # only read one param

test/unit/mock/cmd/find-apache2-conf-enabled-link

@@ -0,0 +1 @@
+/etc/apache2/conf-enabled/security.conf

test/unit/mock/cmd/find-httpd-conf-enabled-link

@@ -0,0 +1 @@
+/etc/httpd/conf-enabled/security.conf

test/unit/mock/files/httpd.conf

@@ -19,6 +19,7 @@ Include conf.d/*.conf
 # Load config files using an absolute path
 #
 Include /etc/httpd/mods-enabled/*.conf
+Include /etc/httpd/conf-enabled/*.conf
 
 # First, we configure the "default" to be a very restrictive set of
 # features.

test/unit/mock/files/security.conf

@@ -0,0 +1,2 @@
+# apache security.conf
+ServerSignature Off

test/unit/resources/apache_conf_test.rb

@@ -13,6 +13,8 @@ describe 'Inspec::Resources::ApacheConf' do
     _(resource.content).must_be_kind_of String
     _(resource.params('ServerRoot')).must_equal ['"/etc/apache2"']
     _(resource.params('Listen').sort).must_equal ['443', '80']
+    # sourced using a linked file in conf-enabled/
+    _(resource.params('ServerSignature')).must_equal ['Off']
     # TODO(sr) currently, the parser only merges parameter across separate
     # source files, not in one file
     _(resource.params('Define')).must_equal ['ENABLE_USR_LIB_CGI_BIN',
@@ -29,5 +31,7 @@ describe 'Inspec::Resources::ApacheConf' do
 
     # sourced using an absolute path in httpd.conf
     _(resource.params('ExtendedStatus')).must_equal ['Off']
+    # sourced using a linked file in conf-enabled/
+    _(resource.params('ServerSignature')).must_equal ['Off']
   end
 end