Merge pull request #66 from eole/feature/support-systemd-sockets

feat(systemd): check sockets created by systemd

Author: myii

test/integration/default/controls/socket_admin_spec.rb

@@ -10,8 +10,8 @@
   describe libvirt_socket_admin do
     it { should exist }
     its('type') { should eq :socket }
-    its('owner') { should eq 'root' }
-    its('group') { should eq 'root' }
-    its('mode') { should cmp '0700' }
+    its('owner') { should eq libvirt_socket_admin.config_owner }
+    its('group') { should eq libvirt_socket_admin.config_group }
+    its('mode') { should cmp libvirt_socket_admin.config_mode }
   end
 end

test/integration/default/controls/socket_ro_spec.rb

@@ -10,8 +10,8 @@
   describe libvirt_socket_ro do
     it { should exist }
     its('type') { should eq :socket }
-    its('owner') { should eq 'root' }
-    its('group') { should eq 'root' }
-    its('mode') { should cmp '0777' }
+    its('owner') { should eq libvirt_socket_ro.config_owner }
+    its('group') { should eq libvirt_socket_ro.config_group }
+    its('mode') { should cmp libvirt_socket_ro.config_mode }
   end
 end

test/integration/default/controls/socket_rw_spec.rb

@@ -10,8 +10,8 @@
   describe libvirt_socket_rw do
     it { should exist }
     its('type') { should eq :socket }
-    its('owner') { should eq 'root' }
-    its('group') { should eq 'root' }
-    its('mode') { should cmp '0770' }
+    its('owner') { should eq libvirt_socket_rw.config_owner }
+    its('group') { should eq libvirt_socket_rw.config_group }
+    its('mode') { should cmp libvirt_socket_rw.config_mode }
   end
 end

test/integration/share/libraries/libvirt_socket_admin.rb

@@ -15,6 +15,31 @@ class LibvirtSocketAdminResource < Inspec.resource(1)
 
   def initialize
     @file = inspec.file('/var/run/libvirt/libvirt-admin-sock')
+    @systemd_status = inspec.systemd_config('libvirtd-admin.socket')
+  end
+
+  def config_owner
+    if @systemd_status.active?
+      @systemd_status.config('SocketUser') || 'root'
+    else
+      'root'
+    end
+  end
+
+  def config_group
+    if @systemd_status.active?
+      @systemd_status.config('SocketGroup') || 'root'
+    else
+      'root'
+    end
+  end
+
+  def config_mode
+    if @systemd_status.active?
+      @systemd_status.config('SocketMode') || '0666'
+    else
+      '0700'
+    end
   end
 
   # We could not inherit from Inspec::Resources::FileResource

test/integration/share/libraries/libvirt_socket_ro.rb

@@ -15,6 +15,31 @@ class LibvirtSocketRoResource < Inspec.resource(1)
 
   def initialize
     @file = inspec.file('/var/run/libvirt/libvirt-sock-ro')
+    @systemd_status = inspec.systemd_config('libvirtd-ro.socket')
+  end
+
+  def config_owner
+    if @systemd_status.active?
+      @systemd_status.config('SocketUser') || 'root'
+    else
+      'root'
+    end
+  end
+
+  def config_group
+    if @systemd_status.active?
+      @systemd_status.config('SocketGroup') || 'root'
+    else
+      'root'
+    end
+  end
+
+  def config_mode
+    if @systemd_status.active?
+      @systemd_status.config('SocketMode') || '0666'
+    else
+      '0777'
+    end
   end
 
   # We could not inherit from Inspec::Resources::FileResource

test/integration/share/libraries/libvirt_socket_rw.rb

@@ -15,6 +15,31 @@ class LibvirtSocketRwResource < Inspec.resource(1)
 
   def initialize
     @file = inspec.file('/var/run/libvirt/libvirt-sock')
+    @systemd_status = inspec.systemd_config('libvirtd.socket')
+  end
+
+  def config_owner
+    if @systemd_status.active?
+      @systemd_status.config('SocketUser') || 'root'
+    else
+      'root'
+    end
+  end
+
+  def config_group
+    if @systemd_status.active?
+      @systemd_status.config('SocketGroup') || 'root'
+    else
+      'root'
+    end
+  end
+
+  def config_mode
+    if @systemd_status.active?
+      @systemd_status.config('SocketMode') || '0666'
+    else
+      '0770'
+    end
   end
 
   # We could not inherit from Inspec::Resources::FileResource

test/integration/share/libraries/systemd_config.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+# systemd_config.rb -- InSpec resource for systemd service configuration
+# Author: Daniel Dehennin <[email protected]>
+# Copyright (C) 2020 Daniel Dehennin <[email protected]>
+
+class SystemdConfigResource < Inspec.resource(1)
+  name 'systemd_config'
+
+  supports platform_name: 'debian'
+  supports platform_name: 'ubuntu'
+  supports platform_name: 'centos'
+  supports platform_name: 'fedora'
+  supports platform_name: 'opensuse'
+
+  def initialize(service_name)
+    @service_name = service_name
+    @service_config = read_systemd_show
+  end
+
+  def enabled?
+    @service_config.send('UnitFileState') == 'enabled'
+  end
+
+  def active?
+    @service_config.send('ActiveState') == 'active'
+  end
+
+  def test
+    @service_config.methods
+  end
+
+  def config(param)
+    @service_config.send(param)
+  end
+
+  def read_systemd_show
+    cmd_string = "systemctl show #{@service_name}"
+    cmd = inspec.command(cmd_string)
+
+    unless cmd.exit_status.zero?
+      raise Inspec::Exceptions::ResourceSkipped,
+            "Error running '#{cmd_string}': #{cmd.stderr}"
+    end
+
+    parse_options = {
+      assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
+    }
+    inspec.parse_config(cmd.stdout.strip, parse_options)
+  end
+end