Merge pull request #1406 from carldjohnston/apache_conf-symlinks

Allow apache_conf to include symlinked configuration files
This commit is contained in:
Adam Leff 2017-04-03 10:38:22 -04:00 committed by GitHub
commit 68a930f141
11 changed files with 58 additions and 11 deletions

View file

@ -107,6 +107,7 @@ module Inspec::Resources
(include_files + include_files_optional).each do |f|
id = Pathname.new(f).absolute? ? f : File.join(@conf_dir, f)
files = find_files(id, depth: 1, type: 'file')
files += find_files(id, depth: 1, type: 'link')
includes.push(files) if files
end

View file

@ -0,0 +1,5 @@
Listen 80
User apache
Group apache
LogLevel warn
Include conf-enabled/*.conf

View file

@ -9,7 +9,6 @@ depends 'apt'
depends 'yum'
depends 'runit'
depends 'postgresql'
depends 'httpd', '~> 0.2'
depends 'windows'
depends 'ssh-hardening'
depends 'openssl'

View file

@ -1,14 +1,42 @@
# encoding: utf-8
# author: Christoph Hartmann
# install apache service
case node['platform']
when 'ubuntu', 'centos', 'amazon', 'fedora'
return if node['platform_version'] == "15.10"
httpd_service 'default' do
action :create
case node['platform_family']
when 'rhel'
apache_conf_dir = 'httpd'
apache_conf_file = 'conf/httpd.conf'
when 'debian'
apache_conf_dir = 'apache2'
apache_conf_file = 'apache2.conf'
end
# Create the apache configuration directory
directory "/etc/#{apache_conf_dir}"
# Create a directory for actual configuration /conf-available
directory "/etc/#{apache_conf_dir}/conf"
# Create a directory for actual configuration /conf-available
directory "/etc/#{apache_conf_dir}/conf-available"
# Create a directory for symlinked configuration /conf-enabled
directory "/etc/#{apache_conf_dir}/conf-enabled"
cookbook_file "/etc/#{apache_conf_dir}/#{apache_conf_file}" do
source 'httpd.conf'
end
# Create configuration file (not symlinked)
file "/etc/#{apache_conf_dir}/conf-enabled/maxkeepaliverequests.conf" do
content 'MaxKeepAliveRequests 100'
end
# Create configuration to be symlinked
file "/etc/#{apache_conf_dir}/conf-available/security.conf" do
content 'ServerSignature Off'
end
# and link the configuration
link "/etc/#{apache_conf_dir}/conf-enabled/security.conf" do
to "/etc/#{apache_conf_dir}/conf-available/security.conf"
end

View file

@ -126,7 +126,9 @@ class MockLoader
'/etc/httpd/conf/httpd.conf' => mockfile.call('httpd.conf'),
'/etc/httpd/conf.d/ssl.conf' => mockfile.call('ssl.conf'),
'/etc/httpd/mods-enabled/status.conf' => mockfile.call('status.conf'),
'/etc/httpd/conf-enabled/security.conf' => mockfile.call('security.conf'),
'/etc/apache2/conf-enabled/serve-cgi-bin.conf' => mockfile.call('serve-cgi-bin.conf'),
'/etc/apache2/conf-enabled/security.conf' => mockfile.call('security.conf'),
'/etc/xinetd.conf' => mockfile.call('xinetd.conf'),
'/etc/xinetd.d' => mockfile.call('xinetd.d'),
'/etc/xinetd.d/chargen-stream' => mockfile.call('xinetd.d_chargen-stream'),
@ -252,7 +254,9 @@ class MockLoader
'find /etc/apache2/ports.conf -maxdepth 1 -type f' => cmd.call('find-apache2-ports-conf'),
'find /etc/httpd/conf.d/*.conf -maxdepth 1 -type f' => cmd.call('find-httpd-ssl-conf'),
'find /etc/httpd/mods-enabled/*.conf -maxdepth 1 -type f' => cmd.call('find-httpd-status-conf'),
'find /etc/httpd/conf-enabled/*.conf -maxdepth 1 -type l' => cmd.call('find-httpd-conf-enabled-link'),
'find /etc/apache2/conf-enabled/*.conf -maxdepth 1 -type f' => cmd.call('find-apache2-conf-enabled'),
'find /etc/apache2/conf-enabled/*.conf -maxdepth 1 -type l' => cmd.call('find-apache2-conf-enabled-link'),
# mount
"mount | grep -- ' on /'" => cmd.call("mount"),
"mount | grep -- ' on /mnt/iso-disk'" => cmd.call("mount-multiple"),

View file

@ -14,6 +14,7 @@ end
describe apache_conf do
its('LogLevel') { should cmp 'warn' }
its('MaxKeepAliveRequests') { should cmp 100 }
its('ServerSignature') { should cmp 'Off' }
end
# only read one param

View file

@ -0,0 +1 @@
/etc/apache2/conf-enabled/security.conf

View file

@ -0,0 +1 @@
/etc/httpd/conf-enabled/security.conf

View file

@ -19,6 +19,7 @@ Include conf.d/*.conf
# Load config files using an absolute path
#
Include /etc/httpd/mods-enabled/*.conf
Include /etc/httpd/conf-enabled/*.conf
# First, we configure the "default" to be a very restrictive set of
# features.

View file

@ -0,0 +1,2 @@
# apache security.conf
ServerSignature Off

View file

@ -13,6 +13,8 @@ describe 'Inspec::Resources::ApacheConf' do
_(resource.content).must_be_kind_of String
_(resource.params('ServerRoot')).must_equal ['"/etc/apache2"']
_(resource.params('Listen').sort).must_equal ['443', '80']
# sourced using a linked file in conf-enabled/
_(resource.params('ServerSignature')).must_equal ['Off']
# TODO(sr) currently, the parser only merges parameter across separate
# source files, not in one file
_(resource.params('Define')).must_equal ['ENABLE_USR_LIB_CGI_BIN',
@ -29,5 +31,7 @@ describe 'Inspec::Resources::ApacheConf' do
# sourced using an absolute path in httpd.conf
_(resource.params('ExtendedStatus')).must_equal ['Off']
# sourced using a linked file in conf-enabled/
_(resource.params('ServerSignature')).must_equal ['Off']
end
end