diff --git a/.github/workflows/pr_tests.yml b/.github/workflows/pr_tests.yml index 21ca28c..bcc5fb0 100644 --- a/.github/workflows/pr_tests.yml +++ b/.github/workflows/pr_tests.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: "Install Ruby ${{matrix.puppet.ruby_version}}" + - name: "Install Ruby 2.7" uses: ruby/setup-ruby@v1 # ruby/setup-ruby@ec106b438a1ff6ff109590de34ddc62c540232e0 with: ruby-version: 2.7 @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: "Install Ruby ${{matrix.puppet.ruby_version}}" + - name: "Install Ruby 2.7" uses: ruby/setup-ruby@v1 with: ruby-version: 2.7 @@ -56,13 +56,12 @@ jobs: - run: "bundle exec rake metadata_lint" ruby-style: - if: false # TODO Modules will need: rubocop in Gemfile, .rubocop.yml - name: 'Ruby Style (experimental)' + name: 'Ruby Style' runs-on: ubuntu-latest continue-on-error: true steps: - uses: actions/checkout@v3 - - name: "Install Ruby ${{matrix.puppet.ruby_version}}" + - name: "Install Ruby 2.7" uses: ruby/setup-ruby@v1 with: ruby-version: 2.7 @@ -89,7 +88,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: 'Install Ruby ${{matrix.puppet.ruby_version}}' + - name: 'Install Ruby 2.7' uses: ruby/setup-ruby@v1 with: ruby-version: 2.7 diff --git a/.rubocop.yml b/.rubocop.yml index c5b2c68..65c8c0a 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
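Review bot: In the `ruby-style` hunk (-56,13), the job becomes live once `if: false` is removed, but it keeps `continue-on-error: true`, so a RuboCop failure will not fail the pull-request check and the new lint baseline stays advisory. If the tree is meant to be clean under the new `.rubocop.yml`, drop `continue-on-error: true`; otherwise add a comment such as `# advisory until the rubocop baseline is cleaned up`. The newly enabled job also runs `uses: ruby/setup-ruby@v1` from a mutable tag. The first hunk carries a commit SHA only as a trailing comment, so if that SHA is the reviewed revision, `uses: ruby/setup-ruby@ec106b438a1ff6ff109590de34ddc62c540232e0 # v1` would make the pin effective in every job. The remaining steps of each job lie outside the hunks.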
@@ -1,61 +1,41 @@ --- require: -- rubocop-rspec -- rubocop-i18n + - rubocop-performance + - rubocop-rake + - rubocop-rspec AllCops: + NewCops: enable DisplayCopNames: true - TargetRubyVersion: '2.4' + TargetRubyVersion: "2.7" Include: - - "**/*.rb" + - "**/*.rb" Exclude: - - bin/* - - ".vendor/**/*" - - "**/Gemfile" - - "**/Rakefile" - - pkg/**/* - - spec/fixtures/**/* - - vendor/**/* - - "**/Puppetfile" - - "**/Vagrantfile" - - "**/Guardfile" -Layout/EmptyLinesAroundAttributeAccessor: - Enabled: true + - bin/* + - ".vendor/**/*" + - pkg/**/* + - spec/fixtures/**/* + - vendor/**/* + - "**/Puppetfile" + - "**/Vagrantfile" + - "**/Guardfile" Layout/LineLength: Description: People have wide screens, use them. Max: 200 -Layout/SpaceAroundMethodCallOperator: - Enabled: true -Lint/RaiseException: - Enabled: true -Lint/StructNewOverride: - Enabled: false -GetText: - Enabled: false -GetText/DecorateString: - Description: We don't want to decorate test output. - Exclude: - - spec/**/* - Enabled: false -Naming/AccessorMethodName: - Exclude: - - spec/**/* RSpec/BeforeAfterAll: - Description: Beware of using after(:all) as it may cause state to leak between tests. + Description: + Beware of using after(:all) as it may cause state to leak between tests. A necessary evil in acceptance testing. Exclude: - - spec/acceptance/**/*.rb -RSpec/ExpectInHook: - Exclude: - - spec/unit/**/*.rb + - spec/acceptance/**/*.rb RSpec/HookArgument: Description: Prefer explicit :each argument, matching existing module's style EnforcedStyle: each -RSpec/NamedSubject: +RSpec/DescribeSymbol: Exclude: - - spec/classes/**/* - - spec/defines/**/* + - spec/unit/facter/**/*.rb Style/BlockDelimiters: - Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to + Description: + Prefer braces for chaining. Mostly an aesthetical choice. Better to be consistent then. EnforcedStyle: braces_for_chaining Style/ClassAndModuleChildren: 
@@ -64,49 +44,36 @@ Style/ClassAndModuleChildren: Style/EmptyElse: Description: Enforce against empty else clauses, but allow `nil` for clarity. EnforcedStyle: empty -Style/ExponentialNotation: - Enabled: true Style/FormatString: Description: Following the main puppet project's style, prefer the % format format. EnforcedStyle: percent Style/FormatStringToken: - Description: Following the main puppet project's style, prefer the simpler template + Description: + Following the main puppet project's style, prefer the simpler template tokens over annotated ones. EnforcedStyle: template -Style/HashEachMethods: - Enabled: true -Style/HashSyntax: - Enabled: false -Style/HashTransformKeys: - Enabled: false -Style/HashTransformValues: - Enabled: true Style/Lambda: Description: Prefer the keyword for easier discoverability. EnforcedStyle: literal -Style/MixinUsage: - Exclude: - - spec/**/* -Style/RedundantBegin: - Enabled: false Style/RegexpLiteral: Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168 EnforcedStyle: percent_r Style/TernaryParentheses: - Description: Checks for use of parentheses around ternary conditions. Enforce parentheses + Description: + Checks for use of parentheses around ternary conditions. Enforce parentheses on complex expressions for better readability, but seriously consider breaking it up. EnforcedStyle: require_parentheses_when_complex Style/TrailingCommaInArguments: - Description: Prefer always trailing comma on multiline argument lists. This makes + Description: + Prefer always trailing comma on multiline argument lists. This makes diffs, and re-ordering nicer. EnforcedStyleForMultiline: comma Style/TrailingCommaInArrayLiteral: - Description: Prefer always trailing comma on multiline literals. This makes diffs, + Description: + Prefer always trailing comma on multiline literals. This makes diffs, and re-ordering nicer. 
EnforcedStyleForMultiline: comma -Style/SlicingWithRange: - Enabled: true Style/SymbolArray: Description: Using percent style obscures symbolic intent of array's contents. EnforcedStyle: brackets 
@@ -114,30 +81,176 @@ RSpec/MessageSpies: EnforcedStyle: receive Style/Documentation: Exclude: - - lib/puppet/parser/functions/**/* - - spec/**/* + - lib/puppet/parser/functions/**/* + - spec/**/* Style/WordArray: EnforcedStyle: brackets +Performance/AncestorsInclude: + Enabled: true +Performance/BigDecimalWithNumericArgument: + Enabled: true +Performance/BlockGivenWithExplicitBlock: + Enabled: true +Performance/CaseWhenSplat: + Enabled: true +Performance/ConstantRegexp: + Enabled: true +Performance/MethodObjectAsBlock: + Enabled: true +Performance/RedundantSortBlock: + Enabled: true +Performance/RedundantStringChars: + Enabled: true +Performance/ReverseFirst: + Enabled: true +Performance/SortReverse: + Enabled: true +Performance/Squeeze: + Enabled: true +Performance/StringInclude: + Enabled: true +Performance/Sum: + Enabled: true Style/CollectionMethods: Enabled: true Style/MethodCalledOnDoEndBlock: Enabled: true Style/StringMethods: Enabled: true -GetText/DecorateFunctionMessage: +Bundler/GemFilename: Enabled: false -GetText/DecorateStringFormattingUsingInterpolation: +Bundler/InsecureProtocolSource: Enabled: false -GetText/DecorateStringFormattingUsingPercent: +Gemspec/DuplicatedAssignment: + Enabled: false +Gemspec/OrderedDependencies: + Enabled: false +Gemspec/RequiredRubyVersion: + Enabled: false +Gemspec/RubyVersionGlobalsUsage: + Enabled: false +Layout/ArgumentAlignment: + Enabled: false +Layout/BeginEndAlignment: + Enabled: false +Layout/ClosingHeredocIndentation: + Enabled: false +Layout/EmptyComment: + Enabled: false +Layout/EmptyLineAfterGuardClause: + Enabled: false +Layout/EmptyLinesAroundArguments: + Enabled: false +Layout/EmptyLinesAroundAttributeAccessor: Enabled: false Layout/EndOfLine: Enabled: false +Layout/FirstArgumentIndentation: + Enabled: false +Layout/HashAlignment: + Enabled: false Layout/HeredocIndentation: Enabled: false +Layout/LeadingEmptyLines: + Enabled: false +Layout/SpaceAroundMethodCallOperator: + Enabled: false 
+Layout/SpaceInsideArrayLiteralBrackets: + Enabled: false +Layout/SpaceInsideReferenceBrackets: + Enabled: false +Lint/BigDecimalNew: + Enabled: false +Lint/BooleanSymbol: + Enabled: false +Lint/ConstantDefinitionInBlock: + Enabled: false +Lint/DeprecatedOpenSSLConstant: + Enabled: false +Lint/DisjunctiveAssignmentInConstructor: + Enabled: false +Lint/DuplicateElsifCondition: + Enabled: false +Lint/DuplicateRequire: + Enabled: false +Lint/DuplicateRescueException: + Enabled: false +Lint/EmptyConditionalBody: + Enabled: false +Lint/EmptyFile: + Enabled: false +Lint/ErbNewArguments: + Enabled: false +Lint/FloatComparison: + Enabled: false +Lint/HashCompareByIdentity: + Enabled: false +Lint/IdentityComparison: + Enabled: false +Lint/InterpolationCheck: + Enabled: false +Lint/MissingCopEnableDirective: + Enabled: false +Lint/MixedRegexpCaptureTypes: + Enabled: false +Lint/NestedPercentLiteral: + Enabled: false +Lint/NonDeterministicRequireOrder: + Enabled: false +Lint/OrderedMagicComments: + Enabled: false +Lint/OutOfRangeRegexpRef: + Enabled: false +Lint/RaiseException: + Enabled: false +Lint/RedundantCopEnableDirective: + Enabled: false +Lint/RedundantRequireStatement: + Enabled: false +Lint/RedundantSafeNavigation: + Enabled: false +Lint/RedundantWithIndex: + Enabled: false +Lint/RedundantWithObject: + Enabled: false +Lint/RegexpAsCondition: + Enabled: false +Lint/ReturnInVoidContext: + Enabled: false +Lint/SafeNavigationConsistency: + Enabled: false +Lint/SafeNavigationWithEmpty: + Enabled: false +Lint/SelfAssignment: + Enabled: false +Lint/SendWithMixinArgument: + Enabled: false +Lint/ShadowedArgument: + Enabled: false +Lint/StructNewOverride: + Enabled: false +Lint/ToJSON: + Enabled: false +Lint/TopLevelReturnWithArgument: + Enabled: false +Lint/TrailingCommaInAttributeDeclaration: + Enabled: false +Lint/UnreachableLoop: + Enabled: false +Lint/UriEscapeUnescape: + Enabled: false +Lint/UriRegexp: + Enabled: false +Lint/UselessMethodDefinition: + Enabled: false 
+Lint/UselessTimes: + Enabled: false Metrics/AbcSize: Enabled: false Metrics/BlockLength: Enabled: false +Metrics/BlockNesting: + Enabled: false Metrics/ClassLength: Enabled: false Metrics/CyclomaticComplexity: 
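Review bot: In the hunk at -114,30, `Bundler/InsecureProtocolSource` is set to `Enabled: false` in the same commit that removes `"**/Gemfile"` from `AllCops: Exclude`, so the Gemfile is now inspected but the one cop that checks its gem sources is turned off. `Lint/RaiseException` also flips from `Enabled: true` (removed in the first hunk) to `Enabled: false` here. The long run of disabled `Lint/*` entries looks like a generated baseline, though nothing in the file says so. Drop the `Bundler/InsecureProtocolSource` and `Lint/RaiseException` entries so `NewCops: enable` keeps them active. Above the rest, add a comment such as `# Baseline from the rubocop upgrade: cops below are disabled only to keep existing code passing; re-enable incrementally`.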
@@ -150,19 +263,437 @@ Metrics/ParameterLists: Enabled: false Metrics/PerceivedComplexity: Enabled: false +Migration/DepartmentName: + Enabled: false +Naming/AccessorMethodName: + Enabled: false +Naming/BlockParameterName: + Enabled: false +Naming/HeredocDelimiterCase: + Enabled: false +Naming/HeredocDelimiterNaming: + Enabled: false +Naming/MemoizedInstanceVariableName: + Enabled: false +Naming/MethodParameterName: + Enabled: false +Naming/RescuedExceptionsVariableName: + Enabled: false +Naming/VariableNumber: + Enabled: false +Performance/BindCall: + Enabled: false +Performance/DeletePrefix: + Enabled: false +Performance/DeleteSuffix: + Enabled: false +Performance/InefficientHashSearch: + Enabled: false +Performance/UnfreezeString: + Enabled: false +Performance/UriDefaultParser: + Enabled: false +RSpec/Be: + Enabled: false +RSpec/Dialect: + Enabled: false +RSpec/ContainExactly: + Enabled: false +RSpec/ContextMethod: + Enabled: false +RSpec/ContextWording: + Enabled: false RSpec/DescribeClass: Enabled: false +RSpec/EmptyHook: + Enabled: false +RSpec/EmptyLineAfterExample: + Enabled: false +RSpec/EmptyLineAfterExampleGroup: + Enabled: false +RSpec/EmptyLineAfterHook: + Enabled: false RSpec/ExampleLength: Enabled: false -RSpec/MessageExpectation: +RSpec/ExampleWithoutDescription: + Enabled: false +RSpec/ExpectChange: + Enabled: false +RSpec/ExpectInHook: + Enabled: false +RSpec/HooksBeforeExamples: + Enabled: false +RSpec/ImplicitBlockExpectation: + Enabled: false +RSpec/ImplicitSubject: + Enabled: false +RSpec/LeakyConstantDeclaration: + Enabled: false +RSpec/LetBeforeExamples: + Enabled: false +RSpec/MatchArray: + Enabled: false +RSpec/MissingExampleGroupArgument: Enabled: false RSpec/MultipleExpectations: Enabled: false +RSpec/MultipleMemoizedHelpers: + Enabled: false +RSpec/MultipleSubjects: + Enabled: false RSpec/NestedGroups: Enabled: false -Style/AsciiComments: +RSpec/PredicateMatcher: + Enabled: false +RSpec/ReceiveCounts: + Enabled: false 
+RSpec/ReceiveNever: + Enabled: false +RSpec/RepeatedExampleGroupBody: + Enabled: false +RSpec/RepeatedExampleGroupDescription: + Enabled: false +RSpec/RepeatedIncludeExample: + Enabled: false +RSpec/ReturnFromStub: + Enabled: false +RSpec/SharedExamples: + Enabled: false +RSpec/StubbedMock: + Enabled: false +RSpec/UnspecifiedException: + Enabled: false +RSpec/VariableDefinition: + Enabled: false +RSpec/VoidExpect: + Enabled: false +RSpec/Yield: + Enabled: false +Security/Open: + Enabled: false +Style/AccessModifierDeclarations: + Enabled: false +Style/AccessorGrouping: + Enabled: false +Style/BisectedAttrAccessor: + Enabled: false +Style/CaseLikeIf: + Enabled: false +Style/ClassEqualityComparison: + Enabled: false +Style/ColonMethodDefinition: + Enabled: false +Style/CombinableLoops: + Enabled: false +Style/CommentedKeyword: + Enabled: false +Style/Dir: + Enabled: false +Style/DoubleCopDisableDirective: + Enabled: false +Style/EmptyBlockParameter: + Enabled: false +Style/EmptyLambdaParameter: + Enabled: false +Style/Encoding: + Enabled: false +Style/EvalWithLocation: + Enabled: false +Style/ExpandPathArguments: + Enabled: false +Style/ExplicitBlockArgument: + Enabled: false +Style/ExponentialNotation: + Enabled: false +Style/FloatDivision: + Enabled: false +Style/FrozenStringLiteralComment: + Enabled: false +Style/GlobalStdStream: + Enabled: false +Style/HashAsLastArrayItem: + Enabled: false +Style/HashLikeCase: + Enabled: false +Style/HashTransformKeys: + Enabled: false +Style/HashTransformValues: Enabled: false Style/IfUnlessModifier: Enabled: false +Style/KeywordParametersOrder: + Enabled: false +Style/MinMax: + Enabled: false +Style/MixinUsage: + Enabled: false +Style/MultilineWhenThen: + Enabled: false +Style/NegatedUnless: + Enabled: false +Style/NumericPredicate: + Enabled: false +Style/OptionalBooleanParameter: + Enabled: false +Style/OrAssignment: + Enabled: false +Style/RandomWithOffset: + Enabled: false +Style/RedundantAssignment: + Enabled: false 
+Style/RedundantCondition: + Enabled: false +Style/RedundantConditional: + Enabled: false +Style/RedundantFetchBlock: + Enabled: false +Style/RedundantFileExtensionInRequire: + Enabled: false +Style/RedundantRegexpCharacterClass: + Enabled: false +Style/RedundantRegexpEscape: + Enabled: false +Style/RedundantSelfAssignment: + Enabled: false +Style/RedundantSort: + Enabled: false +Style/RescueStandardError: + Enabled: false +Style/SingleArgumentDig: + Enabled: false +Style/SlicingWithRange: + Enabled: false +Style/SoleNestedConditional: + Enabled: false +Style/StderrPuts: + Enabled: false +Style/StringConcatenation: + Enabled: false +Style/Strip: + Enabled: false Style/SymbolProc: Enabled: false +Style/TrailingBodyOnClass: + Enabled: false +Style/TrailingBodyOnMethodDefinition: + Enabled: false +Style/TrailingBodyOnModule: + Enabled: false +Style/TrailingCommaInHashLiteral: + Enabled: false +Style/TrailingMethodEndStatement: + Enabled: false +Style/UnpackFirst: + Enabled: false +Gemspec/DeprecatedAttributeAssignment: + Enabled: false +Gemspec/DevelopmentDependencies: + Enabled: false +Gemspec/RequireMFA: + Enabled: false +Layout/LineContinuationLeadingSpace: + Enabled: false +Layout/LineContinuationSpacing: + Enabled: false +Layout/LineEndStringConcatenationIndentation: + Enabled: false +Layout/SpaceBeforeBrackets: + Enabled: false +Lint/AmbiguousAssignment: + Enabled: false +Lint/AmbiguousOperatorPrecedence: + Enabled: false +Lint/AmbiguousRange: + Enabled: false +Lint/ConstantOverwrittenInRescue: + Enabled: false +Lint/DeprecatedConstants: + Enabled: false +Lint/DuplicateBranch: + Enabled: false +Lint/DuplicateMagicComment: + Enabled: false +Lint/DuplicateMatchPattern: + Enabled: false +Lint/DuplicateRegexpCharacterClassElement: + Enabled: false +Lint/EmptyBlock: + Enabled: false +Lint/EmptyClass: + Enabled: false +Lint/EmptyInPattern: + Enabled: false +Lint/IncompatibleIoSelectWithFiberScheduler: + Enabled: false +Lint/LambdaWithoutLiteralBlock: + Enabled: false 
+Lint/NoReturnInBeginEndBlocks: + Enabled: false +Lint/NonAtomicFileOperation: + Enabled: false +Lint/NumberedParameterAssignment: + Enabled: false +Lint/OrAssignmentToConstant: + Enabled: false +Lint/RedundantDirGlobSort: + Enabled: false +Lint/RefinementImportMethods: + Enabled: false +Lint/RequireRangeParentheses: + Enabled: false +Lint/RequireRelativeSelfPath: + Enabled: false +Lint/SymbolConversion: + Enabled: false +Lint/ToEnumArguments: + Enabled: false +Lint/TripleQuotes: + Enabled: false +Lint/UnexpectedBlockArity: + Enabled: false +Lint/UnmodifiedReduceAccumulator: + Enabled: false +Lint/UselessRescue: + Enabled: false +Lint/UselessRuby2Keywords: + Enabled: false +Metrics/CollectionLiteralLength: + Enabled: false +Naming/BlockForwarding: + Enabled: false +Performance/CollectionLiteralInLoop: + Enabled: false +Performance/ConcurrentMonotonicTime: + Enabled: false +Performance/MapCompact: + Enabled: false +Performance/RedundantEqualityComparisonBlock: + Enabled: false +Performance/RedundantSplitRegexpArgument: + Enabled: false +Performance/StringIdentifierArgument: + Enabled: false +RSpec/BeEq: + Enabled: false +RSpec/BeNil: + Enabled: false +RSpec/ChangeByZero: + Enabled: false +RSpec/ClassCheck: + Enabled: false +RSpec/DuplicatedMetadata: + Enabled: false +RSpec/ExcessiveDocstringSpacing: + Enabled: false +RSpec/IdenticalEqualityAssertion: + Enabled: false +RSpec/NoExpectationExample: + Enabled: false +RSpec/PendingWithoutReason: + Enabled: false +RSpec/RedundantAround: + Enabled: false +RSpec/SkipBlockInsideExample: + Enabled: false +RSpec/SortMetadata: + Enabled: false +RSpec/SubjectDeclaration: + Enabled: false +RSpec/VerifiedDoubleReference: + Enabled: false +Security/CompoundHash: + Enabled: false +Security/IoMethods: + Enabled: false +Style/ArgumentsForwarding: + Enabled: false +Style/ArrayIntersect: + Enabled: false +Style/CollectionCompact: + Enabled: false +Style/ComparableClamp: + Enabled: false +Style/ConcatArrayLiterals: + Enabled: false 
+Style/DataInheritance: + Enabled: false +Style/DirEmpty: + Enabled: false +Style/DocumentDynamicEvalDefinition: + Enabled: false +Style/EmptyHeredoc: + Enabled: false +Style/EndlessMethod: + Enabled: false +Style/EnvHome: + Enabled: false +Style/FetchEnvVar: + Enabled: false +Style/FileEmpty: + Enabled: false +Style/FileRead: + Enabled: false +Style/FileWrite: + Enabled: false +Style/HashConversion: + Enabled: false +Style/HashExcept: + Enabled: false +Style/IfWithBooleanLiteralBranches: + Enabled: false +Style/InPatternThen: + Enabled: false +Style/MagicCommentFormat: + Enabled: false +Style/MapCompactWithConditionalBlock: + Enabled: false +Style/MapToHash: + Enabled: false +Style/MapToSet: + Enabled: false +Style/MinMaxComparison: + Enabled: false +Style/MultilineInPatternThen: + Enabled: false +Style/NegatedIfElseCondition: + Enabled: false +Style/NestedFileDirname: + Enabled: false +Style/NilLambda: + Enabled: false +Style/NumberedParameters: + Enabled: false +Style/NumberedParametersLimit: + Enabled: false +Style/ObjectThen: + Enabled: false +Style/OpenStructUse: + Enabled: false +Style/OperatorMethodCall: + Enabled: false +Style/QuotedSymbols: + Enabled: false +Style/RedundantArgument: + Enabled: false +Style/RedundantConstantBase: + Enabled: false +Style/RedundantDoubleSplatHashBraces: + Enabled: false +Style/RedundantEach: + Enabled: false +Style/RedundantHeredocDelimiterQuotes: + Enabled: false +Style/RedundantInitialize: + Enabled: false +Style/RedundantLineContinuation: + Enabled: false +Style/RedundantSelfAssignmentBranch: + Enabled: false +Style/RedundantStringEscape: + Enabled: false +Style/SelectByRegexp: + Enabled: false +Style/StringChars: + Enabled: false +Style/SwapValues: + Enabled: false diff --git a/Gemfile b/Gemfile index e74c3da..7c330d6 100644 --- a/Gemfile +++ b/Gemfile 
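Review bot: The hunk at -150,19 disables the whole Security department for this module: `Security/Open`, `Security/IoMethods` and `Security/CompoundHash` are all set to `Enabled: false`. The providers changed in this same commit read system files and invoke `semanage`, `setenforce` and `touch`, which is the kind of code these cops exist to watch. Remove those three entries so the cops stay on under `NewCops: enable`. Where one fires on code that is known to be safe, silence it at the call site with `# rubocop:disable Security/Open` plus a short reason, so each exception is visible in review. `Gemspec/RequireMFA` is disabled in the same hunk; that is harmless only if the module ships no gemspec, which cannot be confirmed from this diff.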
@@ -10,16 +10,23 @@ ENV['PDK_DISABLE_ANALYTICS'] ||= 'true' gem_sources.each { |gem_source| source gem_source } +group :syntax do + gem 'metadata-json-lint' + gem 'puppet-lint-trailing_comma-check', require: false + gem 'rubocop', '~> 1.68.0' + gem 'rubocop-performance', '~> 1.23.0' + gem 'rubocop-rake', '~> 0.6.0' + gem 'rubocop-rspec', '~> 3.2.0' +end + group :test do puppet_version = ENV.fetch('PUPPET_VERSION', ['>= 7', '< 9']) major_puppet_version = Array(puppet_version).first.scan(%r{(\d+)(?:\.|\Z)}).flatten.first.to_i gem 'hiera-puppet-helper' - gem 'metadata-json-lint' gem 'pathspec', '~> 0.2' if Gem::Requirement.create('< 2.6').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) gem('pdk', ENV.fetch('PDK_VERSION', ['>= 2.0', '< 4.0']), require: false) if major_puppet_version > 5 gem 'puppet', puppet_version gem 'puppetlabs_spec_helper' - gem 'puppet-lint-trailing_comma-check', require: false gem 'puppet-strings' gem 'rake' gem 'rspec' diff --git a/lib/puppet/provider/selinux_login/semanage.rb b/lib/puppet/provider/selinux_login/semanage.rb index 5f991d0..463412e 100644 --- a/lib/puppet/provider/selinux_login/semanage.rb +++ b/lib/puppet/provider/selinux_login/semanage.rb @@ -17,7 +17,7 @@ def self.setrans(category) unless selinux_policy if File.exist?('/etc/selinux/config') - selinux_type_entry = File.read('/etc/selinux/config').lines.grep(/\A\s*SELINUXTYPE=/).last + selinux_type_entry = File.read('/etc/selinux/config').lines.grep(%r{\A\s*SELINUXTYPE=}).last if selinux_type_entry selinux_policy = selinux_type_entry.split('=').last.strip 
@@ -34,22 +34,20 @@ def self.setrans(category) if File.exist?(setrans_file) @setrans_table = Hash[ - File.read(setrans_file).lines.map do |line| - if line =~ /^\s*#/ + File.read(setrans_file).lines.map { |line| + if %r{^\s*#}.match?(line) nil else line.strip.split('=').reverse end - end.compact + }.compact ] end end - if @setrans_table[category] - return @setrans_table[category] - else - return category - end + return @setrans_table[category] if @setrans_table[category] + + category end def setrans(category) @@ -62,12 +60,12 @@ def self.instances # We're calling this instead of using a Python helper because the internal # Python logic is not a simple resource mapping semanage('login', '-l', '-n').lines.each do |entry| - login, seuser, mls_range = entry.strip.split(/\s+/) + login, seuser, mls_range = entry.strip.split(%r{\s+}) resource = { - :ensure => :present, - :name => login, - :seuser => seuser + ensure: :present, + name: login, + seuser: seuser } # Not all environments are MLS enabled @@ -81,7 +79,7 @@ def self.instances def self.prefetch(resources) instances.each do |prov| - if resource = resources[prov.name] + if (resource = resources[prov.name]) resource.provider = prov end end @@ -134,8 +132,7 @@ def flush semanage(args) # Changing any of these is cause to relabel everything at the next boot - if ['__default__', 'root'].include?(@resource[:name]) - touch '/.autorelabel' - end + return unless ['__default__', 'root'].include?(@resource[:name]) + touch '/.autorelabel' end end diff --git a/lib/puppet/provider/selinux_state/selinux_state.rb b/lib/puppet/provider/selinux_state/selinux_state.rb index d51efa6..97642e5 100644 --- a/lib/puppet/provider/selinux_state/selinux_state.rb +++ b/lib/puppet/provider/selinux_state/selinux_state.rb 
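Review bot: In the `@setrans_table` build (hunk at -34,22), the restyled block still filters only comment lines, so a blank line or a line without `=` in the setrans file produces an array that is not a key/value pair. `Hash[...]` is then likely to raise `ArgumentError` instead of skipping the line. Because the table decides how MLS categories are translated, a malformed line should be ignored explicitly rather than abort the provider. One form that does this is `File.read(setrans_file).lines.map(&:strip).select { |l| l.include?('=') && !l.start_with?('#') }.to_h { |l| l.split('=', 2).reverse }`. `self.setrans` begins before this hunk and the initialisation of `@setrans_table` is not visible, so the new `return @setrans_table[category] if @setrans_table[category]` should also be checked for the case where the file does not exist.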
@@ -1,20 +1,20 @@ Puppet::Type.type(:selinux_state).provide(:selinux_state) do desc 'Set the SELinux state on the machine, and optionally relabel the filesystem.' - commands :setenforce => '/usr/sbin/setenforce' - commands :touch => '/bin/touch' + commands setenforce: '/usr/sbin/setenforce' + commands touch: '/bin/touch' def relabel?(should) - on_cases = ['enforcing',:true] - off_cases = ['permissive','disabled',:false] + on_cases = ['enforcing', :true] + off_cases = ['permissive', 'disabled', :false] return true if (should == 'permissive') && (self.ensure == 'disabled') - return on_cases.include?(should) && off_cases.include?(self.ensure) + on_cases.include?(should) && off_cases.include?(self.ensure) end def ensure return 'disabled' if String(Facter.value(:selinux)) == 'false' - return Facter.value(:selinux_current_mode).downcase + Facter.value(:selinux_current_mode).downcase end def ensure=(should) @@ -22,16 +22,15 @@ def ensure=(should) # so don't try. if String(Facter.value(:selinux)) != 'false' case String(should) - when 'enforcing' - setenforce '1' - else - setenforce '0' + when 'enforcing' + setenforce '1' + else + setenforce '0' end end # If we're going from off to on, we should touch /.autorelabel - if resource[:autorelabel] && relabel?(String(should)) - touch '/.autorelabel' - end + return unless resource[:autorelabel] && relabel?(String(should)) + touch '/.autorelabel' end end diff --git a/lib/puppet/type/selinux_login.rb b/lib/puppet/type/selinux_login.rb index b06a3dc..6fecf92 100644 --- a/lib/puppet/type/selinux_login.rb +++ b/lib/puppet/type/selinux_login.rb 
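Review bot: In `relabel?` (hunk at -1,20), `on_cases` and `off_cases` still contain the symbols `:true` and `:false`, but the only visible caller passes `String(should)` and `self.ensure` returns a downcased string, so the symbol entries can never match. If a `true` value ever reaches the provider without being munged to `enforcing`, `String(should)` is `'true'`: `relabel?` returns false and `ensure=` falls into the `else` branch and runs `setenforce '0'`. The type's `munge` in `lib/puppet/type/selinux_state.rb` handles `true` and `'true'` but not the symbol `:true` that `newvalues` lists, so this path may be reachable. Using strings throughout, `on_cases = ['enforcing', 'true']` and `off_cases = ['permissive', 'disabled', 'false']`, and adding `when 'enforcing', 'true'` in `ensure=` would make the provider fail safe.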
@@ -12,11 +12,11 @@ ensurable - newparam(:name, :namevar => true) do + newparam(:name, namevar: true) do desc 'The user or group name to be managed. Groups must be prefixed with a "%"' end - newparam(:force, :boolean => true, :parent => Puppet::Parameter::Boolean) do + newparam(:force, boolean: true, parent: Puppet::Parameter::Boolean) do desc 'Force the modification of potentially unsafe logins such as "root" and "__default__"' defaultto 'false' @@ -28,13 +28,13 @@ You can get a list by running `semanage user -l` EOM - newvalues(/^.+$/) + newvalues(%r{^.+$}) end newproperty(:mls_range) do desc 'The Multi-Level Security range to be applied to the login' - newvalues(/^.+$/) + newvalues(%r{^.+$}) def insync?(is) provider.mls_range?(is, should) diff --git a/lib/puppet/type/selinux_state.rb b/lib/puppet/type/selinux_state.rb index cb4a7f2..ff74b24 100644 --- a/lib/puppet/type/selinux_state.rb +++ b/lib/puppet/type/selinux_state.rb @@ -1,14 +1,13 @@ require 'puppet/parameter/boolean' Puppet::Type.newtype(:selinux_state) do - @doc = "Toggle the enforcement of selinux" + @doc = 'Toggle the enforcement of selinux' - - newparam(:name, :namevar => true) do - desc "An arbitrary, but unique, name for the resource." + newparam(:name, namevar: true) do + desc 'An arbitrary, but unique, name for the resource.' end - newparam(:autorelabel, :boolean => true, :parent => Puppet::Parameter::Boolean) do + newparam(:autorelabel, boolean: true, parent: Puppet::Parameter::Boolean) do desc 'Automatically determine if the filesystem needs to be relabeled. Enforcing > Permissive > Disabled Going to the right requires relabeling.' 
@@ -19,14 +18,14 @@ newproperty(:ensure) do desc 'Set the SELinux state on the system' defaultto(:enforcing) - newvalues(:false,:true,:disabled,:permissive,:enforcing) + newvalues(:false, :true, :disabled, :permissive, :enforcing) munge do |value| case value - when true,'true' - value = :enforcing - when false,'false' - value = :disabled + when true, 'true' + value = :enforcing + when false, 'false' + value = :disabled end value @@ -36,10 +35,10 @@ # Autorequire ALL Selbooleans autorequire(:selboolean) do req = [] - resource = catalog.resources.find_all { |r| + resource = catalog.resources.select do |r| r.is_a?(Puppet::Type.type(:selboolean)) - } - if not resource.empty? then + end + unless resource.empty? req << resource end req.flatten! diff --git a/spec/acceptance/nodesets/rocky.yml b/spec/acceptance/nodesets/rocky.yml new file mode 100644 index 0000000..8c45a01 --- /dev/null +++ b/spec/acceptance/nodesets/rocky.yml @@ -0,0 +1,20 @@ +<% + if ENV['BEAKER_HYPERVISOR'] + hypervisor = ENV['BEAKER_HYPERVISOR'] + else + hypervisor = 'vagrant' + end +-%> +HOSTS: + el8: + platform: el-8-x86_64 + box: generic/rocky8 + hypervisor: <%= hypervisor %> + +CONFIG: + log_level: verbose + type: aio + vagrant_memsize: 256 +<% if ENV['BEAKER_PUPPET_COLLECTION'] -%> + puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %> +<% end -%> diff --git a/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb b/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb index b867ec1..4f9590c 100644 --- a/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb +++ b/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb 
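Review bot: In the new `spec/acceptance/nodesets/rocky.yml`, `box: generic/rocky8` has no version, so every acceptance run pulls whatever image is currently published under that name. The compliance suites then report STIG results against an image that can change between runs. Add a `box_version: '<PINNED_VERSION>'` line under `el8` (placeholder; use the version that was actually validated) to make the runs reproducible. `hypervisor: <%= hypervisor %>` and `puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>` interpolate environment values unquoted; wrapping them in quotes keeps an empty or unusual value from changing the YAML structure. `vagrant_memsize: 256` may be too small for an EL8 guest running the agent and is worth confirming.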
@@ -3,14 +3,14 @@ test_name 'selinux STIG enforcement of simp profile' describe 'selinux STIG enforcement of simp profile' do - - let(:manifest) { + let(:manifest) do <<-EOS include 'selinux' EOS - } + end - let(:hieradata) { <<~EOF + let(:hieradata) do + <<~EOF --- simp_options::pki: true simp_options::pki::source: '/etc/pki/simp-testing/pki' @@ -18,10 +18,11 @@ compliance_markup::enforcement: - disa_stig EOF - } + end hosts.each do |host| - let(:hiera_yaml) { <<~EOM + let(:hiera_yaml) do + <<~EOM --- version: 5 hierarchy: @@ -33,18 +34,18 @@ data_hash: yaml_data datadir: "#{hiera_datadir(host)}" EOM - } + end context 'when enforcing the STIG' do - it 'should work with no errors' do + it 'works with no errors' do create_remote_file(host, host.puppet['hiera_config'], hiera_yaml) write_hieradata_to(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end end end diff --git a/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb b/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb index f5553a3..067bab6 100644 --- a/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb +++ b/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb @@ -4,7 +4,6 @@ test_name 'Check Inspec for simp profile' describe 'run inspec against the appropriate fixtures' do - profiles_to_validate = ['disa_stig'] hosts.each do |host| 
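Review bot: In the hunk at -18,10 of `00_simp_profile_install_spec.rb`, `let(:hiera_yaml)` is still declared directly inside `hosts.each do |host|`, so each iteration redefines the same `let` on the enclosing `describe` group. With more than one host, every example would resolve `hiera_yaml` to the last host's `hiera_datadir(host)`, and the other hosts could be configured with the wrong data directory. Wrapping the loop body in its own group, `context "on #{host}" do ... end`, gives each host its own definition. The same pattern appears in `spec/acceptance/suites/default/00_default_spec.rb` (hunk at -4,19) with `let(:manifest)` and `let(:host_fqdn)`. The loop body continues outside this hunk.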
@@ -14,31 +13,27 @@ profile_path = File.join( fixtures_path, 'inspec_profiles', - "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}" + "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}", ) - unless File.exist?(profile_path) - it 'should run inspec' do - skip("No matching profile available at #{profile_path}") - end - else + if File.exist?(profile_path) before(:all) do @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) - @inspec_report = {:data => nil} + @inspec_report = { data: nil } end - it 'should run inspec' do + it 'runs inspec' do @inspec.run end - it 'should have an inspec report' do + it 'has an inspec report' do @inspec_report[:data] = @inspec.process_inspec_results info = [ 'Results:', " * Passed: #{@inspec_report[:data][:passed]}", " * Failed: #{@inspec_report[:data][:failed]}", - " * Skipped: #{@inspec_report[:data][:skipped]}" + " * Skipped: #{@inspec_report[:data][:skipped]}", ] puts info.join("\n") @@ -46,16 +41,20 @@ @inspec.write_report(@inspec_report[:data]) end - it 'should have run some tests' do + it 'has run some tests' do expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0 end - it 'should not have any failing tests' do + it 'does not have any failing tests' do if @inspec_report[:data][:failed] > 0 puts @inspec_report[:data][:report] end - expect( @inspec_report[:data][:failed] ).to eq(0) + expect(@inspec_report[:data][:failed]).to eq(0) + end + else + it 'runs inspec' do + skip("No matching profile available at #{profile_path}") end end end diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 1974cd8..3523a78 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb 
@@ -4,19 +4,18 @@ describe 'selinux class' do hosts.each do |host| - let(:manifest) { "include 'selinux'" } let(:host_fqdn) { fact_on(host, 'fqdn') } context 'prep' do # There have been issues with OEL 7 and SSH hanging due to an old EL7 bug if fact_on(host, 'operatingsystem').strip == 'OracleLinux' - it 'should update systemd packages' do + it 'updates systemd packages' do on(host, 'yum -y update systemd*') end end - it 'should enable SELinux and set it to permissive' do + it 'enables SELinux and set it to permissive' do enable_selinux_manifest = <<-EOM class { 'selinux': ensure => 'permissive', 
@@ -30,81 +29,89 @@ class { 'selinux': end context 'default parameters' do - let(:hieradata) {{ - 'selinux::ensure' => true, - }} + let(:hieradata) do + { + 'selinux::ensure' => true, + } + end - it 'should work with no errors and set selinux enforcing' do + it 'works with no errors and set selinux enforcing' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) result = on(host, 'getenforce') - expect(result.output).to match(/Enforcing/) + expect(result.output).to match(%r{Enforcing}) - result = on(host, %{source /etc/selinux/config && echo $SELINUX}) - expect(result.output.strip).to be == 'enforcing' + result = on(host, %(source /etc/selinux/config && echo $SELINUX)) + expect(result.output.strip).to eq 'enforcing' host.reboot end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end end context 'with simp_options::selinux: false' do - let(:hieradata) {{ - 'selinux::ensure' => false, - }} - it 'should disable selinux, set the current state to permissive, and require reboot' do + let(:hieradata) do + { + 'selinux::ensure' => false, + } + end + + it 'disables selinux, set the current state to permissive, and require reboot' do set_hieradata_on(host, hieradata) - agent_output = apply_manifest_on(host, manifest, :catch_failures => true) - expect(agent_output.stdout).to match(/ensure changed 'enforcing' to 'disabled'/) - expect(agent_output.stdout).to match(/System Reboot Required Because:\n\s+selinux => A reboot is required to modify the selinux state/) + agent_output = apply_manifest_on(host, manifest, catch_failures: true) + expect(agent_output.stdout).to match(%r{ensure changed 'enforcing' to 'disabled'}) + expect(agent_output.stdout).to match(%r{System Reboot Required Because:\n\s+selinux => A reboot is required to modify the selinux state}) 
status = on(host, 'getenforce') - expect(status.output).to match(/Permissive/) + expect(status.output).to match(%r{Permissive}) # This will not be idempotent until after reboot since the system will # always show as 'disabled' end - it 'should be disabled after reboot' do + it 'is disabled after reboot' do host.reboot status = on(host, 'getenforce') - expect(status.output).to match(/Disabled/) + expect(status.output).to match(%r{Disabled}) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end end context 'when re-enabling selinux after being disabled' do - let(:hieradata) {{ - 'selinux::ensure' => true, - }} - it 'should work with no errors and set selinux enforcing' do + let(:hieradata) do + { + 'selinux::ensure' => true, + } + end + + it 'works with no errors and set selinux enforcing' do set_hieradata_on(host, hieradata) - agent_output = apply_manifest_on(host, manifest, :catch_failures => true) - expect(agent_output.stdout).to match(/ensure changed 'disabled' to 'enforcing'/) - expect(agent_output.stdout).to match(/System Reboot Required Because:\n\s+selinux => A reboot is required to modify the selinux state/) + agent_output = apply_manifest_on(host, manifest, catch_failures: true) + expect(agent_output.stdout).to match(%r{ensure changed 'disabled' to 'enforcing'}) + expect(agent_output.stdout).to match(%r{System Reboot Required Because:\n\s+selinux => A reboot is required to modify the selinux state}) status = on(host, 'getenforce') # Won't take effect until after reboot - expect(status.output).to match(/Disabled/) + expect(status.output).to match(%r{Disabled}) end - it 'should be enforcing after reboot' do + it 'is enforcing after reboot' do host.reboot status = on(host, 'getenforce') - expect(status.output).to match(/Enforcing/) + expect(status.output).to match(%r{Enforcing}) end - it 'should be idempotent at the second run' do + it 
'is idempotent at the second run' do # There is an selinux context switch on /etc/selinux/config that needs # to happen - apply_manifest_on(host, manifest, :catch_failures => true) - apply_manifest_on(host, manifest, :catch_changes => true) + apply_manifest_on(host, manifest, catch_failures: true) + apply_manifest_on(host, manifest, catch_changes: true) end end end diff --git a/spec/acceptance/suites/default/05_kernel_enforce_spec.rb b/spec/acceptance/suites/default/05_kernel_enforce_spec.rb index 808d1cc..44f3cda 100644 --- a/spec/acceptance/suites/default/05_kernel_enforce_spec.rb +++ b/spec/acceptance/suites/default/05_kernel_enforce_spec.rb 
@@ -4,42 +4,43 @@ describe 'selinux class kernel enforcement' do hosts.each do |host| - let(:manifest) { "include 'selinux'" } context 'kernel enforcing' do - let(:hieradata) {{ - 'selinux::ensure' => true, + let(:hieradata) do + { + 'selinux::ensure' => true, 'selinux::kernel_enforce' => true - }} + } + end - it 'should work with no errors and set selinux enforcing' do + it 'works with no errors and set selinux enforcing' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) host.reboot os_fact = fact_on(host, 'os') # EL 9 machines don't appear to show selinux info on /proc/cmdline # For those machines, check getenforce instead - if (os_fact['release']['major'].to_i > 8) + if os_fact['release']['major'].to_i > 8 result = on(host, 'getenforce') expect(result.stdout.strip).to eq('Enforcing') else result = on(host, 'cat /proc/cmdline').output.strip - result = Hash[result.split(/\s+/).grep(/=/).map{|x| + result = Hash[result.split(%r{\s+}).grep(%r{=}).map do |x| # Some RHS entries can contain '=' y = x.split('=') [y[0], y[1..-1].join('=')] - }] + end] expect(result['selinux']).to eq('1') expect(result['enforcing']).to eq('1') end end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end end end diff --git a/spec/acceptance/suites/default/10_selinux_login_spec.rb b/spec/acceptance/suites/default/10_selinux_login_spec.rb index 9353bc6..24812ff 100644 --- a/spec/acceptance/suites/default/10_selinux_login_spec.rb +++ b/spec/acceptance/suites/default/10_selinux_login_spec.rb @@ -5,7 +5,7 @@ describe 'selinux_login' do hosts.each do |host| let(:login_context) { 'staff_u' } - let(:hieradata) { + let(:hieradata) do <<-EOM --- selinux::login_resources: 
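Review bot: In 05_kernel_enforce_spec.rb, the `os_fact['release']['major'].to_i > 8` branch only asserts that `getenforce` prints `Enforcing`, which `selinux::ensure => true` already produces on its own. On EL 9 the example would presumably still pass if `selinux::kernel_enforce` had no effect. That branch needs an assertion on the boot configuration rather than the runtime mode; checking the default boot entry's arguments (for instance the output of `grubby --info=DEFAULT`) for `selinux=1` and `enforcing=1` is one option, to be confirmed on an EL 9 host. Separately, the `/proc/cmdline` parsing can drop the manual join by using `.map { |x| x.split('=', 2) }.to_h`.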
@@ -13,51 +13,51 @@ seuser: #{login_context} mls_range: "s0-s0:c0.c1023" EOM - } + end - let(:manifest) { + let(:manifest) do <<-EOM include 'selinux' EOM - } + end - let(:alt_manifest) { + let(:alt_manifest) do <<-EOM selinux_login{ '__default__': seuser => '#{login_context}', mls_range => 'SystemLow-SystemHigh' } EOM - } + end context "on #{host}" do - it 'should apply' do + it 'applies' do set_hieradata_on(host, hieradata) - apply_manifest_on(host, manifest, :catch_failures => true) + apply_manifest_on(host, manifest, catch_failures: true) end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) + it 'is idempotent' do + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should be idempotent with the translated :mls_range' do - apply_manifest_on(host, alt_manifest, :catch_changes => true) + it 'is idempotent with the translated :mls_range' do + apply_manifest_on(host, alt_manifest, catch_changes: true) end context 'after reboot' do - it 'should be idempotent' do + it 'is idempotent' do host.reboot - apply_manifest_on(host, manifest, :catch_changes => true) + apply_manifest_on(host, manifest, catch_changes: true) end - it 'should be idempotent with the translated :mls_range' do - apply_manifest_on(host, alt_manifest, :catch_changes => true) + it 'is idempotent with the translated :mls_range' do + apply_manifest_on(host, alt_manifest, catch_changes: true) end - it 'should change the default login context' do - vagrant_context = on(host, %(selinuxdefcon vagrant), :accept_all_exit_codes => true).stdout.strip + it 'changes the default login context' do + vagrant_context = on(host, %(selinuxdefcon vagrant), accept_all_exit_codes: true).stdout.strip - expect(vagrant_context).to match(/^#{login_context}:/) + expect(vagrant_context).to match(%r{^#{login_context}:}) end end end 
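Review bot: In 'changes the default login context', the pattern `%r{^#{login_context}:}` uses `^`, which in Ruby matches at the start of any line, so any line of stdout can satisfy it. The command also runs with `accept_all_exit_codes: true`, so a failing `selinuxdefcon` is never reported as a command failure. `expect(vagrant_context).to match(%r{\A#{login_context}:})` pins the check to the beginning of stdout. If a non-zero exit is not expected here, drop `accept_all_exit_codes` or assert on the exit code so the failure surfaces directly.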
diff --git a/spec/acceptance/suites/default/99_proc_hidepid_spec.rb b/spec/acceptance/suites/default/99_proc_hidepid_spec.rb index 4630ab7..1b03b41 100644 --- a/spec/acceptance/suites/default/99_proc_hidepid_spec.rb +++ b/spec/acceptance/suites/default/99_proc_hidepid_spec.rb @@ -51,7 +51,7 @@ class { 'selinux': end it 'has issues with MCS translation' do - on(host, 'ls -Z / | grep SystemLow', :acceptable_exit_codes => [1]) + on(host, 'ls -Z / | grep SystemLow', acceptable_exit_codes: [1]) end it 'applies with no errors' do diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index c1e872e..b86f7ad 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -27,16 +27,17 @@ def mock_selinux_enforcing_facts(os_facts) end let(:mcstrans_service) do - os_facts[:os][:release][:major].to_i >= 7 ? 'mcstransd' : 'mcstrans' + (os_facts[:os][:release][:major].to_i >= 7) ? 'mcstransd' : 'mcstrans' end let(:policycoreutils_package) do - os_facts[:os][:release][:major].to_i >= 7 ? 'policycoreutils-restorecond' : 'policycoreutils' + (os_facts[:os][:release][:major].to_i >= 7) ? 'policycoreutils-restorecond' : 'policycoreutils' end context 'with default parameters' do it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(/^\s+/,'') + it { + is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(%r{^\s+}, ''), # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. 
@@ -48,8 +49,9 @@ def mock_selinux_enforcing_facts(os_facts) # strict - Full SELinux protection. SELINUXTYPE=targeted EOF - ) } - it { is_expected.to contain_package('checkpolicy').with_ensure(/\A(present|installed)\Z/) } + ) + } + it { is_expected.to contain_package('checkpolicy').with_ensure(%r{\A(present|installed)\Z}) } it { is_expected.not_to contain_package('mcstrans') } it { is_expected.not_to contain_service('mcstransd') } @@ -57,42 +59,46 @@ def mock_selinux_enforcing_facts(os_facts) it { is_expected.not_to contain_package(policycoreutils_package) } it { is_expected.not_to create_service('restorecond') } else - it { is_expected.to contain_package(policycoreutils_package).with_ensure(/\A(present|installed)\Z/) } - it { is_expected.to create_service('restorecond').with({ - enable: true, + it { is_expected.to contain_package(policycoreutils_package).with_ensure(%r{\A(present|installed)\Z}) } + it { + is_expected.to create_service('restorecond').with({ + enable: true, ensure: 'running' - }) } + }) + } end end context 'when managing mcstrans' do let(:params) do { - :manage_mcstrans_package => true, - :manage_mcstrans_service => true + manage_mcstrans_package: true, + manage_mcstrans_service: true } end - it { is_expected.to contain_package('mcstrans').with_ensure(/\A(present|installed)\Z/) } + it { is_expected.to contain_package('mcstrans').with_ensure(%r{\A(present|installed)\Z}) } - it { is_expected.to create_service(mcstrans_service).with({ - enable: true, + it { + is_expected.to create_service(mcstrans_service).with({ + enable: true, ensure: 'running' - }) } + }) + } if Array(os_facts[:init_systems]).include?('systemd') context 'when hidepid=2 on /proc' do let(:facts) do os_facts.merge( { - :simplib__mountpoints => { + simplib__mountpoints: { '/proc' => { 'options_hash' => { 'hidepid' => 2 } } } - } + }, ) end 
@@ -107,7 +113,7 @@ def mock_selinux_enforcing_facts(os_facts) let(:facts) do os_facts.merge( { - :simplib__mountpoints => { + simplib__mountpoints: { '/proc' => { 'options_hash' => { 'hidepid' => 2, @@ -115,7 +121,7 @@ def mock_selinux_enforcing_facts(os_facts) } } } - } + }, ) end @@ -123,7 +129,7 @@ def mock_selinux_enforcing_facts(os_facts) it do is_expected.to create_systemd__dropin_file('selinux_mcstransd_hidepid_add_gid.conf') .with_unit("#{mcstrans_service}.service") - .with_content(/SupplementaryGroups=#{proc_gid}/) + .with_content(%r{SupplementaryGroups=#{proc_gid}}) .that_notifies("Service[#{mcstrans_service}]") end end @@ -132,9 +138,11 @@ def mock_selinux_enforcing_facts(os_facts) end context 'with ensure set to a non-boolean' do - let(:params) {{ ensure: 'permissive' }} + let(:params) { { ensure: 'permissive' } } + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(/^\s+/,'') + it { + is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(%r{^\s+}, ''), # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. 
@@ -146,17 +154,22 @@ def mock_selinux_enforcing_facts(os_facts) # strict - Full SELinux protection. SELINUXTYPE=targeted EOF - ) } + ) + } end context 'with ensure set to false and restorecond enabled' do - let(:params) {{ - ensure: false, - manage_restorecond_package: true, - manage_restorecond_service: true - }} + let(:params) do + { + ensure: false, + manage_restorecond_package: true, + manage_restorecond_service: true + } + end + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(/^\s+/,'') + it { + is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(%r{^\s+}, ''), # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. @@ -168,20 +181,25 @@ def mock_selinux_enforcing_facts(os_facts) # strict - Full SELinux protection. SELINUXTYPE=targeted EOF - ) } + ) + } - it { is_expected.to contain_package(policycoreutils_package).with_ensure(/\A(present|installed)\Z/) } + it { is_expected.to contain_package(policycoreutils_package).with_ensure(%r{\A(present|installed)\Z}) } - it { is_expected.to create_service('restorecond').with( + it { + is_expected.to create_service('restorecond').with( enable: true, - ensure: 'stopped' - ) } + ensure: 'stopped', + ) + } end context 'with mode set' do - let(:params) {{ mode: 'mls' }} + let(:params) { { mode: 'mls' } } + it { is_expected.to compile.with_all_deps } - it { is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(/^\s+/,'') + it { + is_expected.to create_file('/etc/selinux/config').with_content(<<-EOF.gsub(%r{^\s+}, ''), # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. 
@@ -193,12 +211,14 @@ def mock_selinux_enforcing_facts(os_facts) # strict - Full SELinux protection. SELINUXTYPE=mls EOF - ) } + ) + } end context 'with manage_utils_package => false' do - let(:params) {{ manage_utils_package: false }} - it { is_expected.to_not contain_package('checkpolicy') } + let(:params) { { manage_utils_package: false } } + + it { is_expected.not_to contain_package('checkpolicy') } end context 'modifying kernel state' do @@ -206,16 +226,19 @@ def mock_selinux_enforcing_facts(os_facts) it { is_expected.to compile.with_all_deps } it { is_expected.to create_reboot_notify('selinux') } it { is_expected.to create_selinux_state('set_selinux_state').that_notifies('Reboot_notify[selinux]') } - it { is_expected.to_not create_kernel_parameter('selinux') } - it { is_expected.to_not create_kernel_parameter('enforcing') } + it { is_expected.not_to create_kernel_parameter('selinux') } + it { is_expected.not_to create_kernel_parameter('enforcing') } end context 'with kernel enforcement' do context 'ensure -> enforcing' do - let(:params) {{ - ensure: 'enforcing', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'enforcing', + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(1).that_notifies('Reboot_notify[selinux]') } it { is_expected.to create_kernel_parameter('enforcing').with_value(1).that_notifies('Reboot_notify[selinux]') } 
@@ -224,34 +247,43 @@ def mock_selinux_enforcing_facts(os_facts) let(:facts) do os_facts end - let(:params) {{ - ensure: 'disabled', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'disabled', + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(0).that_notifies('Reboot_notify[selinux]') } - it { is_expected.to_not create_kernel_parameter('enforcing') } + it { is_expected.not_to create_kernel_parameter('enforcing') } end context 'ensure -> false' do let(:facts) do os_facts end - let(:params) {{ - ensure: false, - kernel_enforce: true - }} + let(:params) do + { + ensure: false, + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(0).that_notifies('Reboot_notify[selinux]') } - it { is_expected.to_not create_kernel_parameter('enforcing') } + it { is_expected.not_to create_kernel_parameter('enforcing') } end context 'ensure -> permissive' do let(:facts) do os_facts end - let(:params) {{ - ensure: 'permissive', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'permissive', + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(1).that_notifies('Reboot_notify[selinux]') } it { is_expected.to create_kernel_parameter('enforcing').with_value(0).that_notifies('Reboot_notify[selinux]') } 
@@ -263,13 +295,16 @@ def mock_selinux_enforcing_facts(os_facts) os_facts = mock_selinux_false_facts(os_facts) os_facts end - let(:params) {{ - ensure: 'disabled', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'disabled', + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(0).that_notifies('Reboot_notify[selinux]') } - it { is_expected.to_not create_kernel_parameter('enforcing') } + it { is_expected.not_to create_kernel_parameter('enforcing') } end context 'ensure -> enforcing' do let(:facts) do @@ -278,10 +313,13 @@ def mock_selinux_enforcing_facts(os_facts) os_facts = mock_selinux_false_facts(os_facts) os_facts end - let(:params) {{ - ensure: 'enforcing', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'enforcing', + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(1).that_notifies('Reboot_notify[selinux]') } it { is_expected.to create_kernel_parameter('enforcing').with_value(1).that_notifies('Reboot_notify[selinux]') } @@ -292,10 +330,13 @@ def mock_selinux_enforcing_facts(os_facts) os_facts = mock_selinux_false_facts(os_facts) os_facts end - let(:params) {{ - ensure: true, - kernel_enforce: true - }} + let(:params) do + { + ensure: true, + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(1).that_notifies('Reboot_notify[selinux]') } it { is_expected.to create_kernel_parameter('enforcing').with_value(1).that_notifies('Reboot_notify[selinux]') } 
@@ -306,10 +347,13 @@ def mock_selinux_enforcing_facts(os_facts) os_facts = mock_selinux_false_facts(os_facts) os_facts end - let(:params) {{ - ensure: 'permissive', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'permissive', + kernel_enforce: true + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to create_kernel_parameter('selinux').with_value(1).that_notifies('Reboot_notify[selinux]') } it { is_expected.to create_kernel_parameter('enforcing').with_value(0).that_notifies('Reboot_notify[selinux]') } @@ -320,33 +364,38 @@ def mock_selinux_enforcing_facts(os_facts) os_facts[:selinux] = true os_facts end - let(:params) {{ - ensure: 'enforcing', - kernel_enforce: true - }} + let(:params) do + { + ensure: 'enforcing', + kernel_enforce: true + } + end let(:pre_condition) do <<~END vox_selinux::boolean { 'use_nfs_home_dirs': } END end + it { is_expected.to compile.with_all_deps } end end end context 'with login_resources set' do - let(:params) {{ - :login_resources => { - '__default__' => { - 'seuser' => 'user_u', - 'mls_range' => 'SystemLow' - }, - 'vagrant' => { - 'seuser' => 'staff_u', - 'mls_range' => 'SystemLow-SystemHigh' + let(:params) do + { + login_resources: { + '__default__' => { + 'seuser' => 'user_u', + 'mls_range' => 'SystemLow' + }, + 'vagrant' => { + 'seuser' => 'staff_u', + 'mls_range' => 'SystemLow-SystemHigh' + } } } - }} + end context 'when selinux disabled' do let(:facts) do @@ -356,8 +405,8 @@ def mock_selinux_enforcing_facts(os_facts) end it { is_expected.to compile.with_all_deps } - it { is_expected.to_not create_selinux_login('__default__') } - it { is_expected.to_not create_selinux_login('vagrant') } + it { is_expected.not_to create_selinux_login('__default__') } + it { is_expected.not_to create_selinux_login('vagrant') } end context 'when selinux is not disabled' do 
@@ -368,12 +417,14 @@ def mock_selinux_enforcing_facts(os_facts) end it { is_expected.to compile.with_all_deps } - it { is_expected.to create_selinux_login('__default__') - .with_seuser('user_u').with_mls_range('SystemLow') + it { + is_expected.to create_selinux_login('__default__') + .with_seuser('user_u').with_mls_range('SystemLow') } - it { is_expected.to create_selinux_login('vagrant') - .with_seuser('staff_u').with_mls_range('SystemLow-SystemHigh') + it { + is_expected.to create_selinux_login('vagrant') + .with_seuser('staff_u').with_mls_range('SystemLow-SystemHigh') } end end diff --git a/spec/classes/install_spec.rb b/spec/classes/install_spec.rb index 95d4b25..787381f 100644 --- a/spec/classes/install_spec.rb +++ b/spec/classes/install_spec.rb @@ -8,14 +8,14 @@ end let(:mcstrans_service) do - os_facts[:os][:release][:major].to_i >= 7 ? 'mcstransd' : 'mcstrans' + (os_facts[:os][:release][:major].to_i >= 7) ? 'mcstransd' : 'mcstrans' end let(:policycoreutils_package) do - os_facts[:os][:release][:major].to_i >= 7 ? 'policycoreutils-restorecond' : 'policycoreutils' + (os_facts[:os][:release][:major].to_i >= 7) ? 'policycoreutils-restorecond' : 'policycoreutils' end - it { is_expected.to contain_package('checkpolicy').with(ensure: /\A(present|installed)\Z/) } + it { is_expected.to contain_package('checkpolicy').with(ensure: %r{\A(present|installed)\Z}) } it { is_expected.not_to contain_package('mcstrans') } if os_facts[:os][:release][:major].to_i >= 7 @@ -27,11 +27,11 @@ context 'when managing mcstrans' do let(:params) do { - :manage_mcstrans_package => true, + manage_mcstrans_package: true, } end - it { is_expected.to contain_package('mcstrans').with_ensure(/\A(present|installed)\Z/) } + it { is_expected.to contain_package('mcstrans').with_ensure(%r{\A(present|installed)\Z}) } end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index ef4fe64..acc4013 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -1,4 +1,5 @@ # frozen_string_literal: true + # # ------------------------------------------------------------------------------ # NOTICE: **This file is maintained with puppetsync** @@ -90,7 +91,7 @@ def set_hieradata(hieradata) # If nothing else... c.default_facts = { production: { - #:fqdn => 'production.rspec.test.localdomain', + # :fqdn => 'production.rspec.test.localdomain', path: '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin', concat_basedir: '/tmp' } @@ -150,9 +151,9 @@ def set_hieradata(hieradata) # sanitize hieradata if defined?(hieradata) - set_hieradata(hieradata.gsub(':', '_')) + set_hieradata(hieradata.tr(':', '_')) elsif defined?(class_name) - set_hieradata(class_name.gsub(':', '_')) + set_hieradata(class_name.tr(':', '_')) end end @@ -164,9 +165,7 @@ def set_hieradata(hieradata) end Dir.glob("#{RSpec.configuration.module_path}/*").each do |dir| - begin - Pathname.new(dir).realpath - rescue StandardError - raise "ERROR: The module '#{dir}' is not installed. Tests cannot continue." - end + Pathname.new(dir).realpath +rescue StandardError + raise "ERROR: The module '#{dir}' is not installed. Tests cannot continue." end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 8708db2..3ce063d 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -15,7 +15,6 @@ end end - RSpec.configure do |c| # ensure that environment OS is ready on each host fix_errata_on hosts 
@@ -29,21 +28,17 @@ # Configure all nodes in nodeset c.before :suite do - begin - # Install modules and dependencies from spec/fixtures/modules - copy_fixture_modules_to( hosts ) + # Install modules and dependencies from spec/fixtures/modules + copy_fixture_modules_to(hosts) - # Generate and install PKI certificates on each SUT - Dir.mktmpdir do |cert_dir| - run_fake_pki_ca_on( default, hosts, cert_dir ) - hosts.each{ |sut| copy_pki_to( sut, cert_dir, '/etc/pki/simp-testing' )} - end - rescue StandardError, ScriptError => e - if ENV['PRY'] - require 'pry'; binding.pry - else - raise e - end + # Generate and install PKI certificates on each SUT + Dir.mktmpdir do |cert_dir| + run_fake_pki_ca_on(default, hosts, cert_dir) + hosts.each { |sut| copy_pki_to(sut, cert_dir, '/etc/pki/simp-testing') } end + rescue StandardError, ScriptError => e + raise e unless ENV['PRY'] + require 'pry' + binding.pry end end diff --git a/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb b/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb index efa2042..772d3a3 100644 --- a/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb +++ b/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb @@ -7,10 +7,9 @@ # This is the class that needs to be added to the catalog last to make the # reporting work. describe 'compliance_markup', type: :class do - compliance_profiles = [ 'disa_stig', - 'nist_800_53:rev4' + 'nist_800_53:rev4', ] # A list of classes that we expect to be included for compliance 
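Review bot: In the `c.before :suite` block, when `ENV['PRY']` is set the `rescue` opens `binding.pry` and then falls through without re-raising. Once the debugging session ends, the suite carries on against hosts whose fixture modules or `/etc/pki/simp-testing` certificates may be only partly installed. Adding `raise e` on the line after `binding.pry` keeps the setup failure fatal, unless continuing after a manual fix is the intended workflow. The clause also rescues `ScriptError`, so a short comment such as `# ScriptError is rescued so PRY can inspect load/syntax failures in helpers` would record why it is wider than `StandardError`.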
@@ -18,53 +17,53 @@ # This needs to be well defined since we can also manipulate defined type # defaults expected_classes = [ - 'selinux' + 'selinux', ] allowed_failures = { 'documented_missing_parameters' => [ - ] + expected_classes.map{|c| Regexp.new("^(?!#{c}(::.*)?)")}, + ] + expected_classes.map { |c| Regexp.new("^(?!#{c}(::.*)?)") }, 'documented_missing_resources' => [ - ] + expected_classes.map{|c| Regexp.new("^(?!#{c}(::.*)?)")} + ] + expected_classes.map { |c| Regexp.new("^(?!#{c}(::.*)?)") } } on_supported_os.each do |os, os_facts| context "on #{os}" do compliance_profiles.each do |target_profile| context "with compliance profile '#{target_profile}'" do - let(:facts){ + let(:facts) do os_facts.merge({ - :target_compliance_profile => target_profile - }) - } - - let(:pre_condition) {%( - #{expected_classes.map{|c| %{include #{c}}}.join("\n")} - )} - - let(:hieradata){ 'compliance-engine' } - - it { is_expected.to compile } - - let(:compliance_report) { - @compliance_report ||= JSON.load( - catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content] + target_compliance_profile: target_profile + }) + end + let(:compliance_report) do + @compliance_report ||= JSON.parse( + catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content], ) @compliance_report - } - - let(:compliance_profile_data) { + end + let(:compliance_profile_data) do @compliance_profile_data ||= compliance_report['compliance_profiles'][target_profile] @compliance_profile_data - } + end + + let(:pre_condition) do + %( + #{expected_classes.map { |c| %(include #{c}) }.join("\n")} + ) + end + + let(:hieradata) { 'compliance-engine' } + + it { is_expected.to compile } - it 'should have a compliance profile report' do - expect(compliance_profile_data).to_not be_nil + it 'has a compliance profile report' do + expect(compliance_profile_data).not_to be_nil end - it 'should have a 100% compliant report' do + it 'has a 100% compliant report' do 
expect(compliance_profile_data['summary']['percent_compliant']).to eq(100) end @@ -84,29 +83,29 @@ # classes included, this report may be useless and is disabled by # default. # - 'documented_missing_resources' + 'documented_missing_resources', ] report_validators.each do |report_section| - it "should have no issues with the '#{report_section}' report" do + it "has no issues with the '#{report_section}' report" do if compliance_profile_data[report_section] # This just gets us a good print out of what went wrong - compliance_profile_data[report_section].delete_if{ |item| - rm = false - - Array(allowed_failures[report_section]).each do |allowed| - if allowed.is_a?(Regexp) - if allowed.match?(item) - rm = true - break - end - else - rm = (allowed == item) + compliance_profile_data[report_section].delete_if do |item| + rm = false + + Array(allowed_failures[report_section]).each do |allowed| + if allowed.is_a?(Regexp) + if allowed.match?(item) + rm = true + break end + else + rm = (allowed == item) end + end - rm - } + rm + end expect(compliance_profile_data[report_section]).to eq([]) end diff --git a/spec/unit/puppet/provider/selinux_login/semanage_spec.rb b/spec/unit/puppet/provider/selinux_login/semanage_spec.rb index 7b7224d..bcc22a0 100644 --- a/spec/unit/puppet/provider/selinux_login/semanage_spec.rb +++ b/spec/unit/puppet/provider/selinux_login/semanage_spec.rb @@ -1,19 +1,20 @@ require 'spec_helper' describe Puppet::Type.type(:selinux_login).provider(:semanage) do + let(:resource_hash) do + { + name: 'test_user', + seuser: 'user_u' + } + end - let(:resource_hash) {{ - :name => 'test_user', - :seuser => 'user_u' - }} - - let(:resource) { + let(:resource) do Puppet::Type.type(:selinux_login).new(resource_hash) - } + end - let(:provider) { + let(:provider) do Puppet::Type.type(:selinux_login).provider(:semanage).new(resource) - } + end before(:each) do allow(Facter).to receive(:value).with(:selinux).and_return(true) 
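Review bot: The patterns built for `allowed_failures` interpolate the class name unescaped and make `(::.*)?` optional, so `^(?!#{c}(::.*)?)` is effectively `^(?!selinux)`. Entries for any other class whose name merely starts with `selinux` are therefore treated as in scope as well. If the intent is to ignore everything outside the expected classes, `Regexp.new("^(?!#{Regexp.escape(c)}(::|$))")` states the boundary explicitly. In the same hunk, `let(:compliance_report)` and `let(:compliance_profile_data)` still assign `@compliance_report` and `@compliance_profile_data`; `let` already memoizes per example, so the instance variables can be dropped.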
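Review bot: In the `delete_if` block of the `report_validators` loop, the non-Regexp branch sets `rm = (allowed == item)` without a `break`. A string entry that matches `item` is therefore overwritten by the next non-matching string entry, and the item is kept as a failure. This is latent while `allowed_failures` holds only Regexps, but it will misreport as soon as someone adds literal entries. The loop can be replaced with `Array(allowed_failures[report_section]).any? { |allowed| allowed.is_a?(Regexp) ? allowed.match?(item) : allowed == item }` as the block's return value. The enclosing `it` block continues outside this hunk.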
@@ -25,7 +26,7 @@ allow(provider.class).to receive(:commands).with(:touch).and_return('/bin/touch') allow(provider.class).to receive(:semanage).with('login', '-l', '-n').and_return( - <<-EOM + <<-EOM, __default__ unconfined_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * EOM @@ -39,20 +40,20 @@ it 'collects all instances' do instances = provider.class.instances - expect(instances.map{|x| x.instance_variable_get('@property_hash')}).to eq([ - { - :ensure => :present, - :name => '__default__', - :seuser => 'unconfined_u', - :mls_range => 's0-s0:c0.c1023' - }, - { - :ensure => :present, - :name => 'root', - :seuser => 'unconfined_u', - :mls_range => 's0-s0:c0.c1023' - } - ]) + expect(instances.map { |x| x.instance_variable_get('@property_hash') }).to eq([ + { + ensure: :present, + name: '__default__', + seuser: 'unconfined_u', + mls_range: 's0-s0:c0.c1023' + }, + { + ensure: :present, + name: 'root', + seuser: 'unconfined_u', + mls_range: 's0-s0:c0.c1023' + }, + ]) end end @@ -65,12 +66,12 @@ end context 'destroy' do - let(:resource) { + let(:resource) do Puppet::Type.type(:selinux_login).new( name: resource_hash[:name], - ensure: 'absent' + ensure: 'absent', ) - } + end it 'can destroy a resource' do allow(provider.class).to receive(:semanage).with('login', '-d', resource_hash[:name]).and_return('') @@ -84,7 +85,7 @@ before(:each) do allow(File).to receive(:exist?).with('/etc/selinux/targeted/setrans.conf').and_return(true) allow(File).to receive(:read).with('/etc/selinux/targeted/setrans.conf').and_return( - <<-EOM + <<-EOM, # s0:c1,c3=CompanyConfidentialBob s0=SystemLow s0-s0:c0.c1023=SystemLow-SystemHigh @@ -94,12 +95,12 @@ end context 'does not need translation' do - let(:resource) { + let(:resource) do Puppet::Type.type(:selinux_login).new( name: resource_hash[:name], - mls_range: 's0-s0:c0.c1023' + mls_range: 's0-s0:c0.c1023', ) - } + end it 'is in sync' do allow(provider).to receive(:mls_range).and_return('s0-s0:c0.c1023') 
@@ -108,12 +109,12 @@ end context 'needs translation' do - let(:resource) { + let(:resource) do Puppet::Type.type(:selinux_login).new( name: resource_hash[:name], - mls_range: 'SystemLow-SystemHigh' + mls_range: 'SystemLow-SystemHigh', ) - } + end it 'translates valid MLS ranges' do allow(provider).to receive(:mls_range).and_return('s0-s0:c0.c1023') @@ -133,12 +134,12 @@ end context 'ignores the :mls_range setting' do - let(:resource) { + let(:resource) do Puppet::Type.type(:selinux_login).new( name: resource_hash[:name], - mls_range: 'bob' + mls_range: 'bob', ) - } + end it 'is in sync' do allow(provider).to receive(:mls_range).and_return(nil) @@ -159,10 +160,12 @@ end context 'when :mls_range is specified' do - let(:resource_hash) {{ - :name => 'test_user', - :mls_range => 'SystemLow' - }} + let(:resource_hash) do + { + name: 'test_user', + mls_range: 'SystemLow' + } + end it 'modifies the :mls_range' do allow(provider.class).to receive(:semanage).with(['login', '-m', '-r', resource_hash[:mls_range], resource_hash[:name]]).and_return('') @@ -172,11 +175,13 @@ end context 'when :seuser and :mls_range are specified' do - let(:resource_hash) {{ - :name => 'test_user', - :seuser => 'user_u', - :mls_range => 'SystemLow' - }} + let(:resource_hash) do + { + name: 'test_user', + seuser: 'user_u', + mls_range: 'SystemLow' + } + end it 'modifies :seuser and :mls_range' do allow(provider.class).to receive(:semanage).with(['login', '-m', '-s', resource_hash[:seuser], '-r', resource_hash[:mls_range], resource_hash[:name]]).and_return('') diff --git a/spec/unit/puppet/provider/selinux_state/selinux_state_spec.rb b/spec/unit/puppet/provider/selinux_state/selinux_state_spec.rb index db1e9ff..575d2ba 100644 --- a/spec/unit/puppet/provider/selinux_state/selinux_state_spec.rb +++ b/spec/unit/puppet/provider/selinux_state/selinux_state_spec.rb 
@@ -1,17 +1,15 @@ require 'spec_helper' describe Puppet::Type.type(:selinux_state).provider(:selinux_state) do - - let(:resource) { + let(:resource) do Puppet::Type.type(:selinux_state).new( name: 'set_selinux_state', - autorelabel: true + autorelabel: true, ) - } - let(:provider) { + end + let(:provider) do Puppet::Type.type(:selinux_state).provider(:selinux_state).new(resource) - } - + end describe 'relabel?' do context 'enforcing -> enforcing' do diff --git a/spec/unit/puppet/type/selinux_login_spec.rb b/spec/unit/puppet/type/selinux_login_spec.rb index fa9a577..79b1870 100755 --- a/spec/unit/puppet/type/selinux_login_spec.rb +++ b/spec/unit/puppet/type/selinux_login_spec.rb @@ -5,26 +5,26 @@ it 'requires either :seuser or :mls_range' do expect { Puppet::Type.type(described_class.name).new({ - :name => 'test_user' - }) - }.to raise_error(/must specify either :seuser or :mls_range/) + name: 'test_user' + }) + }.to raise_error(%r{must specify either :seuser or :mls_range}) end it 'accepts a login and seuser' do expect { Puppet::Type.type(described_class.name).new({ - :name => 'test_user', - :seuser => 'user_u' - }) + name: 'test_user', + seuser: 'user_u' + }) }.not_to raise_error end it 'accepts a login and mls_range' do expect { Puppet::Type.type(described_class.name).new({ - :name => 'test_user', - :mls_range => 'SystemLow' - }) + name: 'test_user', + mls_range: 'SystemLow' + }) }.not_to raise_error end 
@@ -35,29 +35,29 @@ it 'allows creation' do expect { Puppet::Type.type(described_class.name).new({ - :name => unsafe_login, - :seuser => 'user_u' - }) - }.to_not raise_error + name: unsafe_login, + seuser: 'user_u' + }) + }.not_to raise_error end it 'refuses to destroy' do expect { Puppet::Type.type(described_class.name).new({ - :name => unsafe_login, - :ensure => 'absent' - }) - }.to raise_error(/Refusing to remove.+#{unsafe_login}/) + name: unsafe_login, + ensure: 'absent' + }) + }.to raise_error(%r{Refusing to remove.+#{unsafe_login}}) end it 'destroys when forced' do expect { Puppet::Type.type(described_class.name).new({ - :name => unsafe_login, - :ensure => 'absent', - :force => true - }) - }.to_not raise_error + name: unsafe_login, + ensure: 'absent', + force: true + }) + }.not_to raise_error end end end
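Review bot: In 'refuses to destroy', `unsafe_login` is interpolated unescaped into the expected-message pattern `%r{Refusing to remove.+#{unsafe_login}}`. Any regex metacharacter in a login name would be read as pattern syntax, so the match could be looser than the literal name. `unsafe_login` is defined outside the hunk, so whether a current value is affected cannot be seen here. `%r{Refusing to remove.+#{Regexp.escape(unsafe_login)}}` keeps the assertion tied to the exact login the type refuses to remove.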