Merge pull request #5204 from inspec/cw/add-tk-testing

Reinstate resource testing on supported platforms using Test-Kitchen
Clinton Wolfe 2021-05-03 17:01:30 -04:00 committed by GitHub
commit fa485a0fdd
12 changed files with 155 additions and 178 deletions


@ -40,6 +40,7 @@ pipelines:
- integration/resources:
description: Test core resources with test-kitchen.
definition: .expeditor/integration.resources.yml
trigger: pull_request
# This breaks expeditor as it does not yet exist
# - integration/libraries:
# description: Integration with plugins, gems, resource packs.
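Review bot: The `trigger: pull_request` line (which appears to be the addition in this hunk) makes the integration/resources pipeline run on pull-request events, and the kitchen.dokken.yml introduced in the same commit converges every test container with `privileged: true`; whether that exposes the build host to unreviewed pull-request code depends on whether Expeditor runs this pipeline for forks, which the hunk does not show. A short comment beside the trigger recording that decision — `# Runs privileged dokken containers; confirm pull_request excludes untrusted forks` — would keep the next reader from having to rediscover it.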


@ -1 +1,21 @@
#
---
expeditor:
defaults:
buildkite:
timeout_in_minutes: 60
retry:
automatic:
limit: 1
steps:
- label: Resource-Platform Tests
command:
- RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
environment:
- CONCURRENCY: 3
- DOCKER: 1
- KITCHEN_YAML: kitchen.dokken.yml
image: ruby:2.7
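Review bot: `image: ruby:2.7` is a floating tag, so the executor is rebuilt from whatever 2.7 image is current when the job runs rather than a fixed base; if reproducibility matters here, pin the digest (`image: ruby:2.7@sha256:<digest — TODO>`) and bump it deliberately. The choice of 2.7 is also load-bearing: the Gemfile change in this commit only includes the `:kitchen` group on Ruby >= 2.7.0, so an image downgrade would silently make `rake test:kitchen` fail for missing gems; a comment such as `# Must be >= 2.7: the :kitchen Gemfile group is only included on 2.7+` would document that coupling. `/workdir/.expeditor/buildkite/verify.sh` is not part of the hunks shown, so I cannot tell whether it honours `CONCURRENCY` and `KITCHEN_YAML`.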

Gemfile

@ -48,3 +48,16 @@ end
group :deploy do
gem "inquirer"
end
# Only include Test Kitchen support if we are on Ruby 2.7 or higher
# as chef-zero support requires Ruby 2.6
# See https://github.com/inspec/inspec/pull/5341
if Gem.ruby_version >= Gem::Version.new("2.7.0")
group :kitchen do
gem "berkshelf"
gem "test-kitchen", ">= 2.8"
gem "kitchen-inspec", ">= 2.0"
gem "kitchen-dokken", ">= 2.11"
gem "git"
end
end
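Review bot: The comment above the guard does not match the guard: it says chef-zero support "requires Ruby 2.6" while the condition is `Gem.ruby_version >= Gem::Version.new("2.7.0")`, so a reader cannot tell whether 2.6 is supposed to be allowed or 2.7 is the real floor. Make the two agree, e.g. `# Only include Test Kitchen support on Ruby 2.7+: the kitchen toolchain needs a newer Ruby than the rest of the project supports`. The referenced PR number (#5341) is higher than this PR (#5204), so it is worth confirming the link points where intended. The four gems in the `:kitchen` group carry version floors but no ceilings; that is fine while the lockfile pins them, but no Gemfile.lock change appears among the hunks shown.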


@ -255,14 +255,14 @@ namespace :test do
# Inject a prerequisite task
task unit: [:accept_license]
task :integration, [:os] do |task, args|
task :kitchen, [:os] do |task, args|
concurrency = ENV["CONCURRENCY"] || 1
os = args[:os] || ENV["OS"] || ""
ENV["DOCKER"] = "true" if ENV["docker"].nil?
sh("bundle exec kitchen test -c #{concurrency} #{os}")
end
# Inject a prerequisite task
task integration: [:accept_license]
task kitchen: [:accept_license]
task :ssh, [:target] do |_t, args|
tests_path = File.join(File.dirname(__FILE__), "test", "integration", "test", "integration", "default")
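Review bot: The Docker default inside the renamed `test:kitchen` task, `ENV["DOCKER"] = "true" if ENV["docker"].nil?`, reads the lowercase key `docker` but writes `DOCKER`, so a value the caller set (the Expeditor config in this commit sets `DOCKER: 1`) is overwritten with `"true"` on every run; the guard should be `ENV["DOCKER"] = "true" if ENV["DOCKER"].nil?`. The line is carried over as context rather than introduced here, but this task is the only caller left in the hunk, so this is the place to fix it. The `sh` call also splices `CONCURRENCY` and `OS` into one shell string; passing them as separate arguments (`sh "bundle", "exec", "kitchen", "test", "-c", concurrency.to_s, *os.split`) keeps them out of the shell parser. Note that `OS` is pre-set to `Windows_NT` on Windows hosts, so `ENV["OS"]` may be a surprising fallback name there; the enclosing `namespace :test` block starts and ends outside the hunk.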


@ -2,7 +2,7 @@
## Introduction
Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker as our backend. You should install and have Docker running befor you run any tests.
Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker (kitchen-dokken) as our backend. You should install and have Docker running before you run any tests.
### How to run specific integrations
@ -23,8 +23,6 @@ bundle exec rake test:integration[default-ubuntu-1604]
We run the test/integration/default profile at the end of each integration test in the verify stage. This confirms that our current code is compatible with test kitchen.
### Audit Testing
### Why no audit cookbook testing?
For Audit cookbook testing Chef InSpec sets up some special hooks. The integration rake command will bundle up the current checkout into a gem which is passed along to test kitchen in the os_prepare cookbook. When this cookbook is run it will install the local inspec gem. Audit will then use this gem accordingly when running in the post chef-client validators. The .kitchen.yml is setup to export the audit report to a json file which we look for and confirm the structure in the test/integration/default/controls/audit_spec.rb file.
In the validation file we confirm that the file was created from audit and that the structure looks correct. We also validate that the inspec ran with audit is the same that the current branch is using. This validates that audit did not use a older version for some reason.
Audit cookbook testing is handled in the audit cookbook repo. In addition, the audit cookbook restricts which InSpec gem can be installed, forcing the installation from Rubygems for Chef clients 15+. Since we need to test with the from-source inspec gem, we can't use that approach. Instead, we don't test using audit cookbook here.

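--- /dev/null
+++ b/kitchen.dokken.yml
+---
+driver:
+name: dokken
+chef_version: :latest
+privileged: true # because Docker and SystemD/Upstart
+transport:
+name: dokken
+provisioner:
+name: dokken
+verifier:
+name: inspec
+sudo: true
+# Test against every supported target platform for which we have a dokken image.
+# If we don't have a dokken image, see kitchen.chef.yml for Vagrant-based testing.
+# Try to keep this list up to date!
+# Visit https://hub.docker.com/search and https://github.com/test-kitchen/dokken-images to search for new images
+platforms:
+- name: amazonlinux-2
+driver:
+image: dokken/amazonlinux-2
+pid_one_command: /usr/lib/systemd/systemd
+- name: centos-7
+driver:
+image: dokken/centos-7
+pid_one_command: /usr/lib/systemd/systemd
+- name: centos-8
+driver:
+image: dokken/centos-8
+pid_one_command: /usr/lib/systemd/systemd
+- name: debian-9
+driver:
+image: dokken/debian-9
+pid_one_command: /bin/systemd
+intermediate_instructions:
+- RUN /usr/bin/apt-get update -y
+- name: debian-10
+driver:
+image: dokken/debian-10
+pid_one_command: /bin/systemd
+intermediate_instructions:
+- RUN /usr/bin/apt-get update -y
+- name: fedora-latest
+driver:
+image: dokken/fedora-latest
+pid_one_command: /usr/lib/systemd/systemd
+- name: oraclelinux-7
+driver:
+image: dokken/oraclelinux-7
+pid_one_command: /usr/lib/systemd/systemd
+- name: oraclelinux-8
+driver:
+image: dokken/oraclelinux-8
+pid_one_command: /usr/lib/systemd/systemd
+- name: opensuse-leap
+driver:
+image: dokken/opensuse-leap-15
+pid_one_command: /bin/systemd
+- name: ubuntu-18.04
+driver:
+image: dokken/ubuntu-18.04
+pid_one_command: /bin/systemd
+intermediate_instructions:
+- RUN /usr/bin/apt-get update -y
+- name: ubuntu-20.04
+driver:
+image: dokken/ubuntu-20.04
+pid_one_command: /bin/systemd
+intermediate_instructions:
+- RUN /usr/bin/apt-get update -y
+suites:
+- name: resources
+run_list:
+- recipe[os_prepare]
+verifier:
+inspec_tests:
+# TODO - split these out into core, database, unix, and windows resources
+- test/kitchen/policies/default
+attributes:
+osprepare:
+docker: true
+application: false
+# These are planned for the future
+# Suites which exercise resources that exercise databases
+# - name: resources-database
+# Unix-only resources
+# - name: resources-unix
+# Windows-only resources
+# - name: resources-windows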
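Review bot: `chef_version: :latest` at the top of the new file, together with the un-digested `dokken/*` image tags, means each run converges against whatever Chef Infra Client and base images are current, so a red build can come from an upstream release rather than from the code under test; the dokken config this commit deletes pinned `chef_version: 14.12.9`. If floating is deliberate so the matrix tracks current Chef, say so next to it — `# :latest on purpose: we want to see breakage against current Chef Infra Client` — so nobody pins it back "as a fix" later. `privileged: true` is explained by its inline comment, but it is worth extending to note that a privileged container shares the host kernel with the test recipes, which is why this config should only ever run on disposable CI runners, e.g. `# privileged containers can reach the host kernel; run only on throw-away CI hosts`.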


@ -1,122 +0,0 @@
---
driver:
name: dokken
chef_version: 14.12.9
privileged: true # because Docker and SystemD/Upstart
transport:
name: dokken
lifecycle:
pre_converge:
- local: cd inspec-bin && gem build inspec-core-bin.gemspec --output ../test/kitchen/cookbooks/install_inspec/files/inspec-core-bin.gem
- local: gem build inspec-core.gemspec --output test/kitchen/cookbooks/install_inspec/files/inspec-core.gem
provisioner:
name: dokken
client_rb:
data_collector.server_url: <%= ENV['COLLECTOR_URL'] %>
data_collector.token: <%= ENV['COLLECTOR_TOKEN'] %>
ssl_verify_mode: :verify_none
verify_api_cert: false
verifier:
name: inspec
sudo: true
platforms:
- name: amazonlinux
driver:
image: dokken/amazonlinux
pid_one_command: /sbin/init
- name: amazonlinux-2
driver:
image: dokken/amazonlinux-2
pid_one_command: /usr/lib/systemd/systemd
- name: centos-6
driver:
image: dokken/centos-6
pid_one_command: /sbin/init
- name: centos-7
driver:
image: dokken/centos-7
pid_one_command: /usr/lib/systemd/systemd
- name: debian-9
driver:
image: dokken/debian-9
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
- name: debian-10
driver:
image: dokken/debian-10
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
- name: fedora-29
driver:
image: dokken/fedora-29
pid_one_command: /usr/lib/systemd/systemd
- name: oraclelinux-6
driver:
image: dokken/oraclelinux-6
pid_one_command: /sbin/init
- name: oraclelinux-7
driver:
image: dokken/oraclelinux-7
pid_one_command: /usr/lib/systemd/systemd
- name: opensuse-leap
driver:
image: dokken/opensuse-leap-42
pid_one_command: /bin/systemd
- name: ubuntu-16.04
driver:
image: dokken/ubuntu-16.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
- name: ubuntu-18.04
driver:
image: dokken/ubuntu-18.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
suites:
- name: resources-core
run_list:
- recipe[os_prepare]
- recipe[audit]
verifier:
inspec_tests:
- test/kitchen/policies/resources-core
attributes:
audit:
attributes:
audit_attribute: 'Attribute Override!'
insecure: true
reporter: ['json-file','chef-automate']
fetcher: 'chef-automate'
json_file:
location: /tmp/json_export.json
profiles:
- name: integration
url: https://github.com/inspec/inspec-integration-profile/archive/master.zip
osprepare:
docker: true
application: false
- name: resources-database
- name: resources-unix
- name: resources-windows


@ -8,10 +8,15 @@ cookbook_file "/root/inspec-core-bin.gem" do
action :create
end
# Must explicitly remove then re-install as it has an executable file
# conflict with the incoming package
chef_gem "inspec-core" do
action :remove
end
chef_gem "inspec-core" do
source "/root/inspec-core.gem"
action :upgrade
action :install
end
chef_gem "inspec-core-bin" do
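Review bot: With `include_recipe("install_inspec")` dropped from the os_prepare default recipe in this same commit and the new kitchen.dokken.yml run_list containing only `recipe[os_prepare]`, none of the hunks shown still converge this recipe, so the remove-then-install change here looks unexercised. If the recipe is being kept for the planned audit or resources-* suites, a header comment saying so — `# Not in any run_list today; retained for the planned resources-* suites` — would stop it from reading as dead code. Note also that `action :remove` with no version takes out every installed inspec-core gem from the chef-client gem set before the local one is installed, so a failed `:install` leaves the node without inspec at all; the preceding `cookbook_file` block starts outside the hunk.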


@ -3,10 +3,6 @@
apt_update if platform_family?("debian")
# inject the current inspec gem for use with audit cookbook
# this is generated via Rake test:integration
include_recipe("install_inspec")
def uuid_from_string(string)
require "digest/sha1"
hash = Digest::SHA1.new


@ -1,8 +1,11 @@
if platform_family?("rhel", "debian", "amazon", "suse")
package "iptables"
if platform?("centos", "oracle")
package value_for_platform([ "centos", "oracle" ] => {"< 8" => "iptables-ipv6", ">= 8" => "iptables"})
end
end
if platform_family?("rhel", "debian", "fedora", "amazon", "suse")
package value_for_platform_family(
%w{centos oracle} => %w{iptables iptables-ipv6},
"default" => [ "iptables" ]
)
# IPv4
execute "iptables -A INPUT -i eth0 -p tcp -m tcp "\
"--dport 80 -m state --state NEW -m comment "\
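Review bot: The new `package value_for_platform_family(%w{centos oracle} => ...)` call keys on platform names, but as far as I know `value_for_platform_family` matches the node's platform family, which for CentOS and Oracle Linux is `rhel`; as written the `%w{centos oracle}` key never matches and every family falls through to `"default" => [ "iptables" ]`. If the intent is to keep the old behaviour, use `value_for_platform` keyed by platform as the removed lines did, and keep the removed version split too, because the old map explicitly avoided `iptables-ipv6` on `>= 8` and this commit adds centos-8 and oraclelinux-8 to the kitchen platform list: `package value_for_platform(%w{centos oracle} => { "< 8" => %w{iptables iptables-ipv6}, ">= 8" => %w{iptables} }, "default" => %w{iptables})`. The `execute` resource at the end of the hunk continues outside it.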


@ -2,6 +2,7 @@ $stderr.puts "-----------------------------------"
$stderr.puts " TEST ENVIRONMENT "
$stderr.puts "-----------------------------------"
$stderr.puts " Docker: #{!ENV['DOCKER'].nil?}"
$stderr.puts " InSpec: #{Inspec::VERSION}"
$stderr.puts " OS name: #{os[:name] || 'unknown' }"
$stderr.puts "OS release: #{os[:release] || 'unknown'}"
$stderr.puts " OS family: #{os[:family] || 'unknown'}"
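Review bot: `!ENV['DOCKER'].nil?` on the Docker banner line reports `true` for any value of `DOCKER`, including `0` or `false`, which misleads whoever sets the variable to opt out; the Rakefile and Expeditor config in this commit set it to `"true"` and `1` respectively, so printing the raw value is more useful than a presence test: `$stderr.puts " Docker: #{ENV.fetch('DOCKER', 'unset')}"`. The banner block continues outside the hunk.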


@ -1,39 +0,0 @@
# This file tests the audit validation which runs as part of the
# chef-client process. This is setup to export to a json file in the .kitchen.yml
#
# For more info please see docs/dev/integratin_test.md
control 'Test audit cookbook json exist' do
describe file('/tmp/json_export.json') do
it { should exist }
its('size') { should > 0 }
end
end
# Grab bundled inspec version. This should be the same as the one
# passed for audit cookbook. If its not, you should do a `bundle install`
inspec_version = Inspec::VERSION
# or: Gem.loaded_specs['inspec'].version.to_s rescue Inspec::VERSION
control 'Test audit cookbook json output' do
describe json('/tmp/json_export.json') do
its(['platform', 'name']) { should eq platform.name }
its(['statistics', 'duration']) { should > 0 }
its('version') { should cmp inspec_version }
end
end
# make sure all tests passed
file = file('/tmp/json_export.json')
if file.exist?
json = JSON.parse(file.content)
json['profiles'].first['controls'].each do |child_control|
child_control['results'].each do |result|
control result['code_desc'] do
describe json(content: result.to_json) do
its('status') { should cmp 'passed' }
end
end
end
end
end