diff --git a/Berksfile b/Berksfile index 97cb323..aa11834 100644 --- a/Berksfile +++ b/Berksfile @@ -1,5 +1,3 @@ -# encoding: utf-8 - source 'https://supermarket.chef.io' metadata diff --git a/Gemfile b/Gemfile index 5c372f5..0711d52 100644 --- a/Gemfile +++ b/Gemfile @@ -1,5 +1,3 @@ -# encoding: utf-8 - source 'https://rubygems.org' gem 'berkshelf', '~> 7.0' diff --git a/Rakefile b/Rakefile index 9118696..8a39c96 100644 --- a/Rakefile +++ b/Rakefile @@ -1,5 +1,3 @@ -# encoding: utf-8 - # rubocop:disable Style/SymbolArray require 'foodcritic' diff --git a/attributes/default.rb b/attributes/default.rb index 3d5fdbc..272ae54 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -1,10 +1,8 @@ -# encoding: utf-8 - # -# Cookbook Name:: ssh-hardening +# Cookbook:: ssh-hardening # Attributes:: default # -# Copyright 2012, Dominik Richter +# Copyright:: 2012, Dominik Richter # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,40 +18,38 @@ # # Define the client package name -case node['platform'] -when 'redhat', 'centos', 'fedora', 'amazon', 'oracle', 'scientific' - default['ssh-hardening']['sshclient']['package'] = 'openssh-clients' -when 'debian', 'ubuntu' - default['ssh-hardening']['sshclient']['package'] = 'openssh-client' -when 'arch', 'suse', 'opensuse', 'opensuseleap' - default['ssh-hardening']['sshclient']['package'] = 'openssh' -else - default['ssh-hardening']['sshclient']['package'] = 'openssh-client' -end +default['ssh-hardening']['sshclient']['package'] = case node['platform'] + when 'redhat', 'centos', 'fedora', 'amazon', 'oracle', 'scientific' + 'openssh-clients' + when 'debian', 'ubuntu' + 'openssh-client' + when 'arch', 'suse', 'opensuse', 'opensuseleap' + 'openssh' + else + 'openssh-client' + end # Define the package name for selinux utils -if node['platform_family'] == 'fedora' || # rubocop:disable Style/ConditionalAssignment - node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 8 +if platform_family?('fedora') || # rubocop:disable Style/ConditionalAssignment + platform_family?('rhel') && node['platform_version'].to_f >= 8 default['ssh-hardening']['selinux']['package'] = 'policycoreutils-python-utils' else default['ssh-hardening']['selinux']['package'] = 'policycoreutils-python' end # Define the server package name -case node['platform'] -when 'suse', 'opensuse', 'opensuseleap' - default['ssh-hardening']['sshserver']['package'] = 'openssh' -else - default['ssh-hardening']['sshserver']['package'] = 'openssh-server' -end +default['ssh-hardening']['sshserver']['package'] = if platform?('suse', 'opensuse', 'opensuseleap') + 'openssh' + else + 'openssh-server' + end # Define the service name for sshd -case node['platform_family'] -when 'rhel', 'fedora', 'suse', 'freebsd', 'gentoo', 'amazon' - default['ssh-hardening']['sshserver']['service_name'] = 'sshd' -else - default['ssh-hardening']['sshserver']['service_name'] = 'ssh' -end 
+default['ssh-hardening']['sshserver']['service_name'] = if platform_family?('rhel', 'fedora', 'suse', 'freebsd', 'gentoo', 'amazon') + 'sshd' + else + 'ssh' + end # sshd + ssh client default['ssh-hardening']['network']['ipv6']['enable'] = false @@ -68,9 +64,9 @@ client['cbc_required'] = false client['weak_hmac'] = false client['weak_kex'] = false - client['allow_agent_forwarding'] = false - client['remote_hosts'] = [] - client['password_authentication'] = false # ssh + client['allow_agent_forwarding'] = false + client['remote_hosts'] = [] + client['password_authentication'] = false # ssh # http://undeadly.org/cgi?action=article&sid=20160114142733 client['roaming'] = false client['send_env'] = ['LANG', 'LC_*', 'LANGUAGE'] @@ -80,7 +76,7 @@ end # sshd -default['ssh-hardening']['ssh']['server'].tap do |server| # rubocop: disable BlockLength +default['ssh-hardening']['ssh']['server'].tap do |server| # rubocop: disable Metrics/BlockLength server['kex'] = nil # nil = calculate best combination for server version server['cipher'] = nil # nil = calculate best combination for server version server['mac'] = nil # nil = calculate best combination for server version diff --git a/libraries/devsec_ssh.rb b/libraries/devsec_ssh.rb index a0f328e..293e586 100644 --- a/libraries/devsec_ssh.rb +++ b/libraries/devsec_ssh.rb @@ -1,13 +1,11 @@ -# encoding: utf-8 - # -# Cookbook Name:: ssh-hardening +# Cookbook:: ssh-hardening # Library:: devsec_ssh # -# Copyright 2012, Dominik Richter -# Copyright 2014, Christoph Hartmann -# Copyright 2014, Deutsche Telekom AG -# Copyright 2016, Artem Sidorenko +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Christoph Hartmann +# Copyright:: 2014, Deutsche Telekom AG +# Copyright:: 2016, Artem Sidorenko # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
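Review bot: The selinux package assignment in the `@@ -20,40 +18,38 @@` hunk is the only one left in statement-level `if`/`else` form with a `# rubocop:disable Style/ConditionalAssignment` marker, while the three neighbouring package/service assignments were rewritten as assignment-of-expression; for consistency it could become `default['ssh-hardening']['selinux']['package'] = if platform_family?('fedora') || (platform_family?('rhel') && node['platform_version'].to_f >= 8)` with the disable dropped. The explicit parentheses also make the intended `fedora || (rhel && version >= 8)` grouping visible, since `&&` binds tighter than `||` and the current line break hides that. The `.to_f` comparison of `platform_version` is carried over unchanged and relies on the string parsing to a float whose integer part is the major version; a short comment saying so would help the next reader.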
@@ -42,40 +40,40 @@ class Ssh # rubocop:disable Metrics/ClassLength # Fallback ssh version for autodetection FALLBACK_SSH_VERSION ||= 5.9 # Support types of ssh - SSH_TYPES ||= %i[client server].freeze + SSH_TYPES ||= %i(client server).freeze # Crypto configuration for different ssh parameters CRYPTO ||= { kexs: { 5.3 => [], - 5.9 => %w[diffie-hellman-group-exchange-sha256], - 6.6 => %w[curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256], - :weak => %w[diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1] + 5.9 => %w(diffie-hellman-group-exchange-sha256), + 6.6 => %w(curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256), + :weak => %w(diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1), }, macs: { - 5.3 => %w[hmac-ripemd160 hmac-sha1], - 5.9 => %w[hmac-sha2-512 hmac-sha2-256 hmac-ripemd160], - 6.6 => %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com - umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256], - :weak => %w[hmac-sha1] + 5.3 => %w(hmac-ripemd160 hmac-sha1), + 5.9 => %w(hmac-sha2-512 hmac-sha2-256 hmac-ripemd160), + 6.6 => %w(hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com + umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256), + :weak => %w(hmac-sha1), }, ciphers: { - 5.3 => %w[aes256-ctr aes192-ctr aes128-ctr], - 6.6 => %w[chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com - aes256-ctr aes192-ctr aes128-ctr], - :weak => %w[aes256-cbc aes192-cbc aes128-cbc] - } + 5.3 => %w(aes256-ctr aes192-ctr aes128-ctr), + 6.6 => %w(chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com + aes256-ctr aes192-ctr aes128-ctr), + :weak => %w(aes256-cbc aes192-cbc aes128-cbc), + }, }.freeze # Privilege separation values PRIVILEGE_SEPARATION ||= { 5.3 => 'yes', - 5.9 => 'sandbox' + 5.9 => 'sandbox', }.freeze # Hostkey algorithms # In the current implementation they are server specific so we need own 
data hash for it HOSTKEY_ALGORITHMS ||= { - 5.3 => %w[rsa], - 6.0 => %w[rsa ecdsa], - 6.6 => %w[rsa ecdsa ed25519] + 5.3 => %w(rsa), + 6.0 => %w(rsa ecdsa), + 6.6 => %w(rsa ecdsa ed25519), }.freeze class << self @@ -163,7 +161,7 @@ def get_crypto_data(crypto_type, ssh_type, enable_weak) # on the particilar ssh version. Return nil in such cases if crypto.empty? Chef::Log.debug("No value present for ssh version #{found_ssh_version}. Returning nil.") - return nil + return end if enable_weak @@ -194,7 +192,7 @@ def find_ssh_version(version, versions) def get_ssh_version(package) version = node['packages'][package]['version'] # on debian we get the epoch in front of version number: 1:7.2p2-4ubuntu2.1 - version = version.split(':')[1] if node['platform_family'] == 'debian' + version = version.split(':')[1] if platform_family?('debian') Chef::Log.debug("Detected openssh version #{version} for package #{package}") version.to_f rescue NoMethodError diff --git a/metadata.rb b/metadata.rb index 460cf4c..9d46933 100644 --- a/metadata.rb +++ b/metadata.rb @@ -1,7 +1,5 @@ -# encoding: utf-8 - # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,10 +19,9 @@ maintainer_email 'dominik.richter@googlemail.com' license 'Apache-2.0' description 'This cookbook installs and provides secure ssh and sshd configurations.' -long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) version '2.9.0' -chef_version '>= 12.5' if respond_to?(:chef_version) +chef_version '>= 12.5' supports 'ubuntu', '>= 12.04' supports 'debian', '>= 6.0' 
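Review bot: In the `get_ssh_version` hunk the new `platform_family?('debian')` call sits in a method whose visible tail is `rescue NoMethodError`, so if the `Ssh` singleton does not have Chef's platform-introspection helpers mixed in (the class opening and the rescue body are outside this hunk, so this is an inference) the helper itself raises NoMethodError, which that rescue would swallow and version detection would silently fall back to FALLBACK_SSH_VERSION (5.9) — and with it the older kex/mac lists from CRYPTO rather than the 6.6 set. It is worth confirming the helper resolves in a library context, or keeping `node['platform_family'] == 'debian'` here, which depends only on `node` like the line above it. A spec that feeds a debian-style epoch version such as the `1:7.2p2-4ubuntu2.1` example from the comment and asserts the parsed float rather than the fallback would catch this regression.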
@@ -37,9 +34,5 @@ supports 'opensuseleap', '>= 42.1' supports 'amazon' -recipe 'ssh-hardening::default', 'installs and configures ssh client and server' -recipe 'ssh-hardening::client', 'install and apply security hardening for ssh client' -recipe 'ssh-hardening::server', 'install and apply security hardening for ssh server' - source_url 'https://github.com/dev-sec/chef-ssh-hardening' issues_url 'https://github.com/dev-sec/chef-ssh-hardening/issues' diff --git a/recipes/client.rb b/recipes/client.rb index 8156429..2510c7e 100644 --- a/recipes/client.rb +++ b/recipes/client.rb @@ -1,11 +1,9 @@ -# encoding: utf-8 - # -# Cookbook Name:: ssh-hardening +# Cookbook:: ssh-hardening # Recipe:: client.rb # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -49,7 +47,7 @@ mac: node['ssh-hardening']['ssh']['client']['mac'] || DevSec::Ssh.get_client_macs(node['ssh-hardening']['ssh']['client']['weak_hmac']), kex: node['ssh-hardening']['ssh']['client']['kex'] || DevSec::Ssh.get_client_kexs(node['ssh-hardening']['ssh']['client']['weak_kex']), cipher: node['ssh-hardening']['ssh']['client']['cipher'] || DevSec::Ssh.get_client_ciphers(node['ssh-hardening']['ssh']['client']['cbc_required']), - version: DevSec::Ssh.get_ssh_client_version + version: DevSec::Ssh.get_ssh_client_version, } end ) diff --git a/recipes/default.rb b/recipes/default.rb index 839aab5..3e68757 100644 --- a/recipes/default.rb +++ b/recipes/default.rb 
@@ -1,11 +1,9 @@ -# encoding: utf-8 - # -# Cookbook Name:: ssh-hardening +# Cookbook:: ssh-hardening # Recipe:: default.rb # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/server.rb b/recipes/server.rb index ee46f32..b873066 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -1,11 +1,9 @@ -# encoding: utf-8 - # -# Cookbook Name:: ssh-hardening +# Cookbook:: ssh-hardening # Recipe:: server.rb # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -51,7 +49,7 @@ end # Handle addional SELinux policy on RHEL/Fedora for different UsePAM options -if %w[fedora rhel].include?(node['platform_family']) +if platform_family?('fedora', 'rhel') policy_file = ::File.join(cache_dir, 'ssh_password.te') module_file = ::File.join(cache_dir, 'ssh_password.mod') package_file = ::File.join(cache_dir, 'ssh_password.pp') @@ -104,7 +102,7 @@ # remove all small primes # https://stribika.github.io/2015/01/04/secure-secure-shell.html dh_min_prime_size = node['ssh-hardening']['ssh']['server']['dh_min_prime_size'].to_i - 1 # 4096 is 4095 in the moduli file -ruby_block 'remove small primes from DH moduli' do # ~FC014 +ruby_block 'remove small primes from DH moduli' do block do tmp_file = "#{dh_moduli_file}.tmp" ::File.open(tmp_file, 'w') do |new_file| 
@@ -134,8 +132,7 @@ service 'sshd' do # use upstart for ubuntu, otherwise chef uses init # @see http://docs.opscode.com/resource_service.html#providers - case node['platform'] - when 'ubuntu' + if platform?('ubuntu') if node['platform_version'].to_f >= 15.04 provider Chef::Provider::Service::Systemd elsif node['platform_version'].to_f >= 12.04 @@ -144,19 +141,19 @@ end service_name node['ssh-hardening']['sshserver']['service_name'] supports value_for_platform( - 'centos' => { 'default' => %i[restart reload status] }, - 'redhat' => { 'default' => %i[restart reload status] }, - 'fedora' => { 'default' => %i[restart reload status] }, - 'scientific' => { 'default' => %i[restart reload status] }, + 'centos' => { 'default' => %i(restart reload status) }, + 'redhat' => { 'default' => %i(restart reload status) }, + 'fedora' => { 'default' => %i(restart reload status) }, + 'scientific' => { 'default' => %i(restart reload status) }, 'arch' => { 'default' => [:restart] }, - 'debian' => { 'default' => %i[restart reload status] }, + 'debian' => { 'default' => %i(restart reload status) }, 'ubuntu' => { - '8.04' => %i[restart reload], - 'default' => %i[restart reload status] + '8.04' => %i(restart reload), + 'default' => %i(restart reload status), }, - 'default' => { 'default' => %i[restart reload] } + 'default' => { 'default' => %i(restart reload) } ) - action %i[enable start] + action %i(enable start) end directory 'openssh-server ssh directory /etc/ssh' do 
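Review bot: The new `if platform?('ubuntu')` branch in the `@@ -134,8 +132,7 @@` hunk still hard-codes `provider Chef::Provider::Service::Systemd` for 15.04+ (the 12.04 branch is cut off at the hunk edge and the `service 'sshd'` block ends outside it); since metadata.rb in this same diff now requires Chef >= 12.5 unconditionally, the provider resolver in those versions already selects systemd or upstart from the node, so the whole version switch may be dead weight that could be removed rather than restyled — to be confirmed against the upstart branch outside the hunk. If it is kept on purpose, a why-comment above the `if` such as `# explicit provider selection predates Chef's provider resolver; verify it is still needed` would stop the next reviewer from asking the same question.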
@@ -181,7 +178,7 @@ cipher: node['ssh-hardening']['ssh']['server']['cipher'] || DevSec::Ssh.get_server_ciphers(node['ssh-hardening']['ssh']['server']['cbc_required']), use_priv_sep: node['ssh-hardening']['ssh']['use_privilege_separation'] || DevSec::Ssh.get_server_privilege_separarion, hostkeys: node['ssh-hardening']['ssh']['server']['host_key_files'] || DevSec::Ssh.get_server_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" }, - version: DevSec::Ssh.get_ssh_server_version + version: DevSec::Ssh.get_ssh_server_version, } end ) diff --git a/recipes/unlock.rb b/recipes/unlock.rb index 4d18623..5e7bf56 100644 --- a/recipes/unlock.rb +++ b/recipes/unlock.rb @@ -1,10 +1,8 @@ -# encoding: utf-8 - # -# Cookbook Name:: ssh-hardening +# Cookbook:: ssh-hardening # Recipe:: unlock # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/libraries/devsec_ssh_spec.rb b/spec/libraries/devsec_ssh_spec.rb index 65ad54e..4f57816 100644 --- a/spec/libraries/devsec_ssh_spec.rb +++ b/spec/libraries/devsec_ssh_spec.rb @@ -1,7 +1,5 @@ -# encoding: utf-8 - # -# Copyright 2016, Artem Sidorenko +# Copyright:: 2016, Artem Sidorenko # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -42,12 +40,12 @@ def self.debug(*); end 'platform_version' => version, 'ssh-hardening' => { 'sshclient' => { - 'package' => package_name + 'package' => package_name, }, 'sshserver' => { - 'package' => package_name - } - } + 'package' => package_name, + }, + }, } node['packages'] = { package_name => { 'version' => package_version } } if package_installed 
@@ -254,7 +252,7 @@ def self.debug(*); end # get_[client|server]_[kexs|macs|ciphers] # In order to cover all possible combinations, we need a complex nested loops:-\ # We start with client|server combination - %w[client server].each do |type| + %w(client server).each do |type| # Go over different types of crypto parameters, e.g. kexs, macs, ciphers DevSec::Ssh::CRYPTO.each do |crypto_type, crypto_value| # we can not use subject here, as its not in the block function = "get_#{type}_#{crypto_type}" diff --git a/spec/recipes/client_spec.rb b/spec/recipes/client_spec.rb index 8436aa3..7669eae 100644 --- a/spec/recipes/client_spec.rb +++ b/spec/recipes/client_spec.rb @@ -1,8 +1,6 @@ -# encoding: UTF-8 - # -# Copyright 2014, Deutsche Telekom AG -# Copyright 2016, Artem Sidorenko +# Copyright:: 2014, Deutsche Telekom AG +# Copyright:: 2016, Artem Sidorenko # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -56,13 +54,13 @@ include_examples 'does not allow weak ciphers' it 'disables client roaming' do - expect(chef_run).to render_file('/etc/ssh/ssh_config'). - with_content(/UseRoaming no/) + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/UseRoaming no/) end it 'sends default locale environment variables' do - expect(chef_run).to render_file('/etc/ssh/ssh_config'). - with_content('SendEnv LANG LC_* LANGUAGE') + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content('SendEnv LANG LC_* LANGUAGE') end include_examples 'allow ctr ciphers' @@ -135,8 +133,8 @@ end it 'uses the value of kex attribute' do - expect(chef_run).to render_file('/etc/ssh/ssh_config'). - with_content(/KexAlgorithms mycustomkexvalue/) + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/KexAlgorithms mycustomkexvalue/) end end 
@@ -148,8 +146,8 @@ end it 'uses the value of mac attribute' do - expect(chef_run).to render_file('/etc/ssh/ssh_config'). - with_content(/MACs mycustommacvalue/) + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/MACs mycustommacvalue/) end end @@ -161,8 +159,8 @@ end it 'uses the value of cipher attribute' do - expect(chef_run).to render_file('/etc/ssh/ssh_config'). - with_content(/Ciphers mycustomciphervalue/) + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/Ciphers mycustomciphervalue/) end end @@ -174,21 +172,21 @@ end it 'will not send any environment variables' do - expect(chef_run).to_not render_file('/etc/ssh/ssh_config'). - with_content(/SendEnv/) + expect(chef_run).to_not render_file('/etc/ssh/ssh_config') + .with_content(/SendEnv/) end end context 'with custom send_env attribute' do cached(:chef_run) do ChefSpec::SoloRunner.new do |node| - node.normal['ssh-hardening']['ssh']['client']['send_env'] = %w[some environment variables] + node.normal['ssh-hardening']['ssh']['client']['send_env'] = %w(some environment variables) end.converge(described_recipe) end it 'uses the value of send_env attribute' do - expect(chef_run).to render_file('/etc/ssh/ssh_config'). - with_content(/SendEnv some environment variables/) + expect(chef_run).to render_file('/etc/ssh/ssh_config') + .with_content(/SendEnv some environment variables/) end end @@ -200,8 +198,8 @@ it 'does not have any extra config options' do expect(chef_run).to render_file('/etc/ssh/ssh_config') - expect(chef_run).not_to render_file('/etc/ssh/ssh_config'). - with_content(/^# Extra Configuration Options/) + expect(chef_run).not_to render_file('/etc/ssh/ssh_config') + .with_content(/^# Extra Configuration Options/) end end diff --git a/spec/recipes/default_spec.rb b/spec/recipes/default_spec.rb index 541a7a2..009fd65 100644 --- a/spec/recipes/default_spec.rb +++ b/spec/recipes/default_spec.rb 
@@ -1,7 +1,5 @@ -# encoding: UTF-8 - # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index 8ac1a53..30de74b 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb @@ -1,8 +1,6 @@ -# encoding: UTF-8 - # -# Copyright 2014, Deutsche Telekom AG -# Copyright 2016, Artem Sidorenko +# Copyright:: 2014, Deutsche Telekom AG +# Copyright:: 2016, Artem Sidorenko # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -66,8 +64,8 @@ end it 'accepts default locale environment variables' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('AcceptEnv LANG LC_* LANGUAGE') + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content('AcceptEnv LANG LC_* LANGUAGE') end include_examples 'does not allow weak hmacs' @@ -143,8 +141,8 @@ end it 'uses the value of kex attribute' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/KexAlgorithms mycustomkexvalue/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/KexAlgorithms mycustomkexvalue/) end end @@ -156,8 +154,8 @@ end it 'uses the value of mac attribute' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/MACs mycustommacvalue/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/MACs mycustommacvalue/) end end @@ -169,8 +167,8 @@ end it 'uses the value of cipher attribute' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/Ciphers mycustomciphervalue/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/Ciphers mycustomciphervalue/) end end 
@@ -193,8 +191,8 @@ end it 'unlocks root account' do - expect(chef_run).to run_execute('unlock root account if it is locked'). - with(command: "sed 's/^root:\!/root:*/' /etc/shadow -i") + expect(chef_run).to run_execute('unlock root account if it is locked') + .with(command: "sed 's/^root:\!/root:*/' /etc/shadow -i") end end @@ -209,8 +207,8 @@ end it 'disables the login banner' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/Banner none/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/Banner none/) end context 'with provided login banner path' do @@ -221,8 +219,8 @@ end it 'uses the given login banner' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/Banner \/etc\/ssh\/banner/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(%r{Banner /etc/ssh/banner}) end end @@ -273,7 +271,7 @@ context 'running with OpenSSH >= 7.4 on RHEL 7' do let(:chef_run) do - ChefSpec::SoloRunner.new(platform: 'centos', version: '7.5.1804').converge(described_recipe) + ChefSpec::SoloRunner.new(platform: 'centos', version: '7').converge(described_recipe) end before do @@ -439,8 +437,8 @@ end it 'disables the debian banner' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/DebianBanner no/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/DebianBanner no/) end context 'with enabled debian banner' do @@ -451,8 +449,8 @@ end it 'uses the enabled debian banner' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/DebianBanner yes/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/DebianBanner yes/) end end 
@@ -462,14 +460,14 @@ end cached(:chef_run) do - ChefSpec::SoloRunner.new(platform: 'centos', version: '7.5.1804') do |node| + ChefSpec::SoloRunner.new(platform: 'centos', version: '7') do |node| node.normal['ssh-hardening']['ssh']['server']['os_banner'] = true end.converge(described_recipe) end it 'does not have the debian banner option' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). - with_content(/DebianBanner/) + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/DebianBanner/) end end end @@ -482,8 +480,8 @@ it 'does not have any extra config options' do expect(chef_run).to render_file('/etc/ssh/sshd_config') - expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). - with_content(/^# Extra Configuration Options/) + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/^# Extra Configuration Options/) end end @@ -509,8 +507,8 @@ it 'does not have any match config blocks' do expect(chef_run).to render_file('/etc/ssh/sshd_config') - expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). - with_content(/^# Match Configuration Blocks/) + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/^# Match Configuration Blocks/) end end @@ -531,8 +529,8 @@ end it 'disables the challenge response authentication' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/ChallengeResponseAuthentication no/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/ChallengeResponseAuthentication no/) end context 'with challenge response authentication enabled' do 
@@ -543,14 +541,14 @@ end it 'enables the challenge response authentication' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/ChallengeResponseAuthentication yes/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/ChallengeResponseAuthentication yes/) end end it 'sets the login grace time to 30s' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/LoginGraceTime 30s/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/LoginGraceTime 30s/) end context 'with configured login grace time to 60s' do @@ -561,14 +559,14 @@ end it 'sets the login grace time to 60s' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/LoginGraceTime 60s/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/LoginGraceTime 60s/) end end it 'sets the log level to verbose' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('LogLevel VERBOSE') + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content('LogLevel VERBOSE') end context 'with log level set to debug' do 
@@ -579,61 +577,61 @@ end it 'sets the log level to debug' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('LogLevel DEBUG') + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content('LogLevel DEBUG') end end it 'leaves deny users commented' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/#DenyUsers */) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/#DenyUsers */) end it 'leaves allow users commented' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/#AllowUsers user1/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/#AllowUsers user1/) end it 'leaves deny groups commented' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/#DenyGroups */) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/#DenyGroups */) end it 'leaves allow groups commented' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/#AllowGroups group1/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/#AllowGroups group1/) end context 'with attribute deny_users' do cached(:chef_run) do ChefSpec::SoloRunner.new do |node| - node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w[someuser] + node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w(someuser) end.converge(described_recipe) end it 'adds user to deny list' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). 
- with_content(/DenyUsers [^#]*\bsomeuser\b/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/DenyUsers [^#]*\bsomeuser\b/) end end context 'with attribute deny_users mutiple' do cached(:chef_run) do ChefSpec::SoloRunner.new do |node| - node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w[someuser otheruser] + node.normal['ssh-hardening']['ssh']['server']['deny_users'] = %w(someuser otheruser) end.converge(described_recipe) end it 'adds users to deny list' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/DenyUsers [^#]*\bsomeuser otheruser\b/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/DenyUsers [^#]*\bsomeuser otheruser\b/) end end context 'without attribute use_dns' do it 'leaves UseDNS commented' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/#UseDNS no/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/#UseDNS no/) end end @@ -645,8 +643,8 @@ end it 'sets UseDNS correctly' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/UseDNS no/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/UseDNS no/) end end @@ -658,15 +656,15 @@ end it 'sets UseDNS correctly' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/UseDNS yes/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/UseDNS yes/) end end context 'without attribute ["sftp"]["enable"]' do it 'leaves SFTP Subsystem commented' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/^#Subsystem sftp/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/^#Subsystem sftp/) end end 
@@ -678,8 +676,8 @@ end it 'sets SFTP Subsystem correctly' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/^Subsystem sftp/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/^Subsystem sftp/) end end @@ -692,8 +690,8 @@ end it 'sets the SFTP Group correctly' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/^Match Group testgroup$/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/^Match Group testgroup$/) end end @@ -706,8 +704,8 @@ end it 'sets the SFTP chroot correctly' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/^[[:space:]]*ChrootDirectory test_home_dir$/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/^[[:space:]]*ChrootDirectory test_home_dir$/) end end @@ -719,8 +717,8 @@ end it 'sets proper IPv4 ListenAdress' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/ListenAddress 0.0.0.0/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/ListenAddress 0.0.0.0/) end end @@ -732,9 +730,9 @@ end it 'sets proper IPv4 and IPv6 ListenAdress' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/ListenAddress 0.0.0.0/). - with_content(/ListenAddress ::/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/ListenAddress 0.0.0.0/) + .with_content(/ListenAddress ::/) end end 
@@ -746,21 +744,21 @@ end it 'will not accept any environment variables' do - expect(chef_run).to_not render_file('/etc/ssh/sshd_config'). - with_content(/AcceptEnv/) + expect(chef_run).to_not render_file('/etc/ssh/sshd_config') + .with_content(/AcceptEnv/) end end context 'with custom accept_env attribute' do cached(:chef_run) do ChefSpec::SoloRunner.new do |node| - node.normal['ssh-hardening']['ssh']['server']['accept_env'] = %w[some environment variables] + node.normal['ssh-hardening']['ssh']['server']['accept_env'] = %w(some environment variables) end.converge(described_recipe) end it 'uses the value of accept_env attribute' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content(/AcceptEnv some environment variables/) + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content(/AcceptEnv some environment variables/) end end @@ -771,8 +769,8 @@ end it 'does not have AuthorizedKeysFile configured' do - expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). - with_content(/^[[:space:]]*AuthorizedKeysFile/) + expect(chef_run).not_to render_file('/etc/ssh/sshd_config') + .with_content(/^[[:space:]]*AuthorizedKeysFile/) end end @@ -784,8 +782,8 @@ end it 'has AuthorizedKeysFile configured' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('AuthorizedKeysFile /some/authorizedkeysfile') + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content('AuthorizedKeysFile /some/authorizedkeysfile') end end @@ -798,8 +796,8 @@ end it 'has AuthorizedKeysFile configured' do - expect(chef_run).to render_file('/etc/ssh/sshd_config'). - with_content('AuthorizedKeysFile /some/authorizedkeysfile') + expect(chef_run).to render_file('/etc/ssh/sshd_config') + .with_content('AuthorizedKeysFile /some/authorizedkeysfile') end end end diff --git a/spec/recipes/unlock_spec.rb b/spec/recipes/unlock_spec.rb index f935e98..914caf9 100644 --- a/spec/recipes/unlock_spec.rb +++ b/spec/recipes/unlock_spec.rb 
@@ -1,7 +1,5 @@
-# encoding: UTF-8
-
 #
-# Copyright 2014, Deutsche Telekom AG
+# Copyright:: 2014, Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/spec/shared_examples_crypto.rb b/spec/shared_examples_crypto.rb
index 059ee5d..9d0d434 100644
--- a/spec/shared_examples_crypto.rb
+++ b/spec/shared_examples_crypto.rb
@@ -1,8 +1,6 @@
-# encoding: UTF-8
-
 #
-# Copyright 2014, Deutsche Telekom AG
-# Copyright 2016, Artem Sidorenko
+# Copyright:: 2014, Deutsche Telekom AG
+# Copyright:: 2016, Artem Sidorenko
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,8 +18,8 @@ RSpec.shared_examples 'does not allow weak hmacs' do
 it 'should not allow weak hmacs' do
 helper_lib::CRYPTO[:macs][:weak].each do |mac|
- expect(chef_run).not_to render_file(ssh_config_file).
- with_content(/MACs [^#]*\b#{mac}\b/)
+ expect(chef_run).not_to render_file(ssh_config_file)
+ .with_content(/MACs [^#]*\b#{mac}\b/)
 end
 end
 end
@@ -29,8 +27,8 @@ RSpec.shared_examples 'does not allow weak kexs' do
 it 'should not allow weak kexs' do
 helper_lib::CRYPTO[:kexs][:weak].each do |kex|
- expect(chef_run).not_to render_file(ssh_config_file).
- with_content(/KexAlgorithms [^#]*\b#{kex}\b/)
+ expect(chef_run).not_to render_file(ssh_config_file)
+ .with_content(/KexAlgorithms [^#]*\b#{kex}\b/)
 end
 end
 end
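Review bot: The `\b` delimiters in the interpolated matcher `.with_content(/MACs [^#]*\b#{mac}\b/)` do not bound hyphenated algorithm names, because `-` is a non-word character, so a pattern built from a short name also matches inside a longer one (for example `\bhmac-sha1\b` matches within `hmac-sha1-96`), and the value is interpolated unescaped, so a `.` in a name such as the `@openssh.com` suffix acts as a wildcard. That looks like it can let the 'allow' examples pass on a superset name and make the 'does not allow' examples fail on an unrelated longer name, though whether the weak lists contain such prefixes depends on helper_lib::CRYPTO, which is outside this diff. A tighter form is `.with_content(/MACs [^#]*(?<![\w.@-])#{Regexp.escape(mac)}(?![\w.@-])/)`, and the same change applies to the kexs hunk below and to every ciphers/MACs/KEX hunk of this file in the following hunk set. The `RSpec.shared_examples` line that opens this block sits in the hunk header, outside the hunk.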
@@ -38,18 +36,18 @@ RSpec.shared_examples 'does not allow weak ciphers' do
 it 'should not allow weak ciphers' do
 helper_lib::CRYPTO[:ciphers][:weak].each do |cipher|
- expect(chef_run).not_to render_file(ssh_config_file).
- with_content(/Ciphers [^#]*\b#{cipher}\b/)
+ expect(chef_run).not_to render_file(ssh_config_file)
+ .with_content(/Ciphers [^#]*\b#{cipher}\b/)
 end
 end
 end
 RSpec.shared_examples 'allow ctr ciphers' do
- let(:ctr_ciphers) { %w[aes256-ctr aes192-ctr aes128-ctr] }
+ let(:ctr_ciphers) { %w(aes256-ctr aes192-ctr aes128-ctr) }
 it 'should allow ctr ciphers' do
 ctr_ciphers.each do |cipher|
- expect(chef_run).to render_file(ssh_config_file).
- with_content(/Ciphers [^#]*\b#{cipher}\b/)
+ expect(chef_run).to render_file(ssh_config_file)
+ .with_content(/Ciphers [^#]*\b#{cipher}\b/)
 end
 end
 end
@@ -57,8 +55,8 @@ RSpec.shared_examples 'allow weak hmacs' do
 it 'should allow weak hmacs' do
 helper_lib::CRYPTO[:macs][:weak].each do |mac|
- expect(chef_run).to render_file(ssh_config_file).
- with_content(/MACs [^#]*\b#{mac}\b/)
+ expect(chef_run).to render_file(ssh_config_file)
+ .with_content(/MACs [^#]*\b#{mac}\b/)
 end
 end
 end
@@ -66,8 +64,8 @@ RSpec.shared_examples 'allow weak kexs' do
 it 'should allow weak kexs' do
 helper_lib::CRYPTO[:kexs][:weak].each do |kex|
- expect(chef_run).to render_file(ssh_config_file).
- with_content(/KexAlgorithms [^#]*\b#{kex}\b/)
+ expect(chef_run).to render_file(ssh_config_file)
+ .with_content(/KexAlgorithms [^#]*\b#{kex}\b/)
 end
 end
 end
@@ -75,8 +73,8 @@ RSpec.shared_examples 'allow weak ciphers' do
 it 'should allow weak ciphers' do
 helper_lib::CRYPTO[:ciphers][:weak].each do |cipher|
- expect(chef_run).to render_file(ssh_config_file).
- with_content(/Ciphers [^#]*\b#{cipher}\b/)
+ expect(chef_run).to render_file(ssh_config_file)
+ .with_content(/Ciphers [^#]*\b#{cipher}\b/)
 end
 end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 0e945c7..58f576a 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,7 +1,5 @@
-# encoding: utf-8
-
 #
-# Copyright 2014, Deutsche Telekom AG
+# Copyright:: 2014, Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,7 +21,6 @@
 # coverage report
 Coveralls.wear!
-at_exit { ChefSpec::Coverage.report! }
 RSpec.configure do |config|
 # OS and version for mocking of ohai data, needed by chefspec
diff --git a/test/fixtures/cookbooks/test/metadata.rb b/test/fixtures/cookbooks/test/metadata.rb
index 9efab02..5a83882 100644
--- a/test/fixtures/cookbooks/test/metadata.rb
+++ b/test/fixtures/cookbooks/test/metadata.rb
@@ -1,9 +1,8 @@
 name 'test'
 maintainer 'Dominik Richter'
 maintainer_email 'dominik.richter@googlemail.com'
-license 'Apache 2.0'
+license 'Apache-2.0'
 description 'This cookbook is used for testing purposes'
-long_description 'This cookbook is used for testing purposes'
 version '0.0.1'
 depends 'compat_resource', '>= 12.16.3'
diff --git a/test/fixtures/cookbooks/test/recipes/default.rb b/test/fixtures/cookbooks/test/recipes/default.rb
index dfbd7e4..22b88c4 100644
--- a/test/fixtures/cookbooks/test/recipes/default.rb
+++ b/test/fixtures/cookbooks/test/recipes/default.rb
@@ -1,9 +1,8 @@
-# encoding: utf-8
 #
-# Cookbook Name:: test
+# Cookbook:: test
 # Recipe:: default.rb
 #
-# Copyright 2017, Artem Sidorenko
+# Copyright:: 2017, Artem Sidorenko
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +17,7 @@
 # limitations under the License.
 #
-if node['platform_family'] == 'debian'
+if platform_family?('debian')
 apt_update 'update-apt-cache' do
 action :update
 end