diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 0000000..81943d2 --- /dev/null +++ b/.rubocop.yml @@ -0,0 +1,3 @@ +Layout/BlockLength: + Exclude: + - '**/*' diff --git a/README.md b/README.md index 8356f1d..ef87428 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ ## redborder-serverspec-manager -Infrastructure integration testing for redborder-manager +Infrastructure integration testing for a redborder manager machine. The idea is to run the tests in a machine that is the validator local machine, so the target machine is affected by the tests. ## Installation -On your workstation, execute the following command in your terminal: +First, clone this repository on your workstation. Then install the gemes by executing this: ```ssh bundle install ``` -Also make sure to share your public ssh key to target machine: +Sometimes you need to make sure that you share your public ssh key to target machine: ``` ssh-copy-id root@ ``` @@ -21,6 +21,7 @@ Optional parameters: * TARGET_HOST: Machine where the tests will run via SSH. * LOGIN_USERNAME: Username for SSH connection to the test machine. * LOGIN_PASSWORD: Password for SSH connection to the test machine. +* IS_CLUSTER: Boolean to indicate if the target machine is a cluster. * -j 10 -m: To run tests in pararell Example with optional parameters: ``` diff --git a/Rakefile b/Rakefile index cfb21bf..fdc75d1 100644 --- a/Rakefile +++ b/Rakefile @@ -20,7 +20,7 @@ end namespace :spec do host = ENV['TARGET_HOST'] || '10.1.209.20' - task all: %i[services configuration] + task all: %i[services configuration users] desc 'run configuration tests' RSpec::Core::RakeTask.new(:configuration) do |t| 
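Review bot: `Layout/BlockLength` in the new `.rubocop.yml` does not look like an existing cop name; as far as I know the block-length check lives in the Metrics department, so this entry is likely to be reported as unrecognized while the offence it is meant to silence still fires. If the intent is to exempt the long RSpec and Rake DSL blocks, `Metrics/BlockLength:` with `Exclude:` entries `'spec/**/*'` and `'Rakefile'` scopes the exemption to those files instead of `'**/*'`.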
@@ -42,4 +42,11 @@ namespace :spec do t.pattern = 'spec/modules/monitor/*_spec.rb' t.rspec_opts = '--format documentation' # O "--format progress" end + + desc 'run user tests' + RSpec::Core::RakeTask.new(:users) do |t| + puts "Running user tests on #{host} ..." + t.pattern = 'spec/users/*_spec.rb' + t.rspec_opts = '--format documentation' # O "--format progress" + end end diff --git a/spec/configuration/ale_spec.rb b/spec/configuration/ale_spec.rb index 6b41647..b638374 100644 --- a/spec/configuration/ale_spec.rb +++ b/spec/configuration/ale_spec.rb @@ -15,12 +15,36 @@ describe file('/etc/redborder-ale/config.yml') do it { should exist } it { should be_file } + it { should_not be_empty } end describe file('/etc/redborder-ale/rb_ale_aps.conf') do it { should exist } it { should be_file } end + + # Additional dependencies + describe file('/usr/lib64/libzmq.so') do + it { should exist } + it { should be_file } + end + + describe package('zeromq-devel') do + it { should be_installed } + end + end + + describe file('/var/rb-ale/bin/rb_ale.rb') do + it { should exist } + it { should be_file } + it { should be_executable.by(:owner) } + it { should be_executable.by(:group) } + its(:content) { should match(%r{^(\s*#.*|)#!/usr/bin/env\s+ruby.*$}) } + end + + describe file('/usr/bin/rb_scan_ale.rb') do + it { should exist } + it { should be_file } end describe file('/var/rb-ale/bin/rb_ale.rb') do @@ -37,4 +61,10 @@ it { should be_executable.by(:owner) } it { should be_executable.by(:group) } end + + describe 'Redborder-Ale user config' do + describe command('sudo -u redborder-ale bash -lc "ruby -v"') do + its(:stdout) { should match(/ruby 2.7.5/) } + end + end end diff --git a/spec/configuration/geoip_spec.rb b/spec/configuration/geoip_spec.rb index b8bdd70..98ed982 100644 --- a/spec/configuration/geoip_spec.rb +++ b/spec/configuration/geoip_spec.rb 
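Review bot: In the first hunk of spec/configuration/ale_spec.rb the shebang pattern `%r{^(\s*#.*|)#!/usr/bin/env\s+ruby.*$}` is anchored with `^` and `$`, which in Ruby match at every line boundary, so the example passes when the text appears on any line of `/var/rb-ale/bin/rb_ale.rb`, not only the first. To assert the interpreter line itself, use `its(:content) { should match(%r{\A#!/usr/bin/env\s+ruby}) }`. The hunk also adds a second `describe file('/var/rb-ale/bin/rb_ale.rb')` directly above the existing one shown as context; moving the new `content` expectation into that block would avoid the duplicate. The enclosing describe starts outside the hunk.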
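Review bot: The version check `should match(/ruby 2.7.5/)` in the second hunk of spec/configuration/ale_spec.rb leaves the dots unescaped, so each one matches any character; `/ruby 2\.7\.5/` pins the intended string. Ruby 2.7 is past upstream end of life, so a comment such as `# redborder-ale is pinned to the rvm Ruby 2.7.5; update with the runtime` would tell the next maintainer that this literal is expected to change. The enclosing describe starts outside the hunk.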
@@ -3,7 +3,7 @@ require 'spec_helper' set :os, family: 'redhat', release: '9', arch: 'x86_64' packages = %w[ - GeoIP GeoIP-GeoLite-data GeoIP-GeoLite-data-extra geoipupdate geoipupdate-cron + GeoIP GeoIP-GeoLite-data GeoIP-GeoLite-data-extra geoipupdate ] describe 'Checking geoip packages family' do diff --git a/spec/configuration/memcached_spec.rb b/spec/configuration/memcached_spec.rb new file mode 100644 index 0000000..3a01264 --- /dev/null +++ b/spec/configuration/memcached_spec.rb @@ -0,0 +1,13 @@ +# frozen_string_literal: true + +require 'spec_helper' +require 'json' +set :os, family: 'redhat', release: '9', arch: 'x86_64' + +describe 'Memcached config in webui' do + describe file('/var/www/rb-rails/config/memcached_config.yml') do + it { should exist } + it { should be_file } + it { should_not contain 'localhost' } + end +end diff --git a/spec/configuration/motd_spec.rb b/spec/configuration/motd_spec.rb new file mode 100644 index 0000000..67ca650 --- /dev/null +++ b/spec/configuration/motd_spec.rb @@ -0,0 +1,16 @@ +# frozen_string_literal: true + +require 'spec_helper' +set :os, family: 'redhat', release: '9', arch: 'x86_64' + +# Verificar que existe un script MOTD en el sistema +describe file('/usr/lib/redborder/bin/motd') do + it { should exist } + it { should be_executable } +end + +# Verificar la existencia del archivo MOTD en /etc/motd y su contenido +describe file('/etc/motd') do + it { should exist } + its('content') { should match(/.*redborder-repo.*/) } +end diff --git a/spec/services/ale_spec.rb b/spec/services/ale_spec.rb index 4958de0..652a16c 100644 --- a/spec/services/ale_spec.rb +++ b/spec/services/ale_spec.rb 
@@ -2,48 +2,68 @@ require 'spec_helper' require 'set' +require 'json' set :os, family: 'redhat', release: '9', arch: 'x86_64' -service = 'redborder-ale' -package = 'redborder-ale' +service = serv_consul = pkg = 'redborder-ale' +# port = 7779 +API_ENDPOINT = 'http://localhost:8500/v1' describe "Checking packages for #{service}..." do - describe package(package) do + describe package(pkg) do before do - skip("#{package} is not installed, skipping...") unless package(package).installed? + skip("#{pkg} is not installed, skipping...") unless package(pkg).installed? end it 'is expected to be installed' do - expect(package(package).installed?).to be true + expect(package(pkg).installed?).to be true end end end service_status = command("systemctl is-enabled #{service}").stdout.strip describe "Checking #{service_status} service for #{service}..." do - describe service(service) do - if service_status == 'enabled' + if service_status == 'enabled' + describe service(service) do it { should be_enabled } it { should be_running } end - end -end -describe 'Redborder-ale is using correct ruby setup' do - if service_status == 'enabled' - describe command('sudo -u redborder-ale which ruby') do - its(:stdout) { should match %r{/usr/lib/rvm/rubies/ruby-2.7.5/bin/ruby} } + # describe port(port) do + # it { should be_listening } + # end + + describe 'Registered in consul' do + service_json_cluster = command("curl -s #{API_ENDPOINT}/catalog/service/#{serv_consul} | jq -c 'group_by(.ID)[]'") + service_json_cluster = service_json_cluster.stdout.chomp.split("\n") + health_cluster = command("curl -s #{API_ENDPOINT}/health/service/#{serv_consul} | jq -r '.[].Checks[0].Status'") + health_cluster = health_cluster.stdout.chomp.split("\n") + it 'Should be at least in one node' do + # expect(service_json_cluster.size).to be > 0 # redundant check + expect(health_cluster.size).to be > 0 + end + service_and_health = service_json_cluster.zip(health_cluster) + service_and_health.each do |service, 
health| + registered = JSON.parse(service)[0].key?('Address') && health == 'passing' # ? true : false + it 'Should be registered and enabled' do + expect(registered).to be true + end + end end + elsif service_status == 'disabled' - describe "Checking #{service_status} service for #{service}..." do - describe service(service) do - it { should_not be_enabled } - it { should_not be_running } - end + describe service(service) do + it { should_not be_enabled } + it { should_not be_running } + end - describe port(port) do - it { should_not be_listening } - end + # describe port(port) do + # it { should_not be_listening } + # end + + it 'Should be registered and enabled' do + registered = JSON.parse(service)[0].key?('Address') && health == 'passing' # ? true : false + expect(registered).to be true end end end diff --git a/spec/services/chef_spec.rb b/spec/services/chef_spec.rb index a908e80..4e25af6 100644 --- a/spec/services/chef_spec.rb +++ b/spec/services/chef_spec.rb 
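Review bot: The `it 'Should be registered and enabled'` added under `elsif service_status == 'disabled'` in spec/services/ale_spec.rb cannot pass: in that scope `service` is the string 'redborder-ale', so `JSON.parse(service)` raises, and `health` is not defined there at all. It also asserts the opposite of what the disabled branch is checking. Dropping the example from that branch, or replacing it with a check that the consul catalog has no entry for the service, fixes it; the same block appears in the disabled branch of spec/services/redborder_ai_spec.rb. In the enabled branch the block parameter `service` shadows the outer `service`; `service_and_health.each do |sv, health|` with `JSON.parse(sv)`, as chef_spec.rb does in this commit, avoids that.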
@@ -28,54 +28,32 @@ end end -service_status = command("systemctl is-enabled #{service}").stdout -service_status = service_status.strip - -if service_status == 'enabled' - describe "Checking #{service_status} service for #{service}..." do - describe service(service) do - it { should be_enabled } - it { should be_running } - end - - describe file(config_file) do - it { should exist } - it { should be_file } - end - - describe port(port) do - it { should be_listening } - end - - describe 'Registered in consul' do - service_json_cluster = command("curl -s #{api_endpoint}/catalog/service/#{serv_consul} | jq -c 'group_by(.ID)[]'") - service_json_cluster = service_json_cluster.stdout.chomp.split("\n") - health_cluster = command("curl -s #{api_endpoint}/health/service/#{serv_consul} | jq -r '.[].Checks[0].Status'") - health_cluster = health_cluster.stdout.chomp.split("\n") - service_and_health = service_json_cluster.zip(health_cluster) - service_and_health.each do |service, health| - registered = JSON.parse(service)[0].key?('Address') && health == 'passing' # ? true : false - it 'Should be registered and enabled' do - expect(registered).to be true - end - end - end +describe "Checking service_status for #{service}..." do + describe service(service) do + it { should be_enabled } + it { should be_running } end -end -if service_status == 'disabled' - describe "Checking #{service_status} service for #{service}..." 
do - describe service(service) do - it { should_not be_enabled } - it { should_not be_running } - end + describe file(config_file) do + it { should exist } + it { should be_file } + end - describe file(config_file) do - it { should_not exist } - end + describe port(port) do + it { should be_listening } + end - describe port(port) do - it { should_not be_listening } + describe 'Registered in consul' do + service_json_cluster = command("curl -s #{api_endpoint}/catalog/service/#{serv_consul} | jq -c 'group_by(.ID)[]'") + service_json_cluster = service_json_cluster.stdout.chomp.split("\n") + health_cluster = command("curl -s #{api_endpoint}/health/service/#{serv_consul} | jq -r '.[].Checks[0].Status'") + health_cluster = health_cluster.stdout.chomp.split("\n") + service_and_health = service_json_cluster.zip(health_cluster) + service_and_health.each do |sv, health| + registered = JSON.parse(sv)[0].key?('Address') && health == 'passing' # ? true : false + it 'Should be registered and enabled' do + expect(registered).to be true + end end end end diff --git a/spec/services/consul_spec.rb b/spec/services/consul_spec.rb index be324de..838e9ef 100644 --- a/spec/services/consul_spec.rb +++ b/spec/services/consul_spec.rb @@ -40,9 +40,13 @@ it { should be_listening } end - describe 'Registered in consul' do + # Use this block to test other services that need to be registered in consul + describe "#{service} Registered in consul" do service_json_cluster = command("curl -s #{api_endpoint}/catalog/service/#{service} | jq -c 'group_by(.ID)[]'") service_json_cluster = service_json_cluster.stdout.chomp.split("\n") + it "API response for #{service} should not be empty" do + expect(service_json_cluster).not_to be_empty + end health_cluster = command("curl -s #{api_endpoint}/health/service/#{service} | jq -r '.[].Checks[0].Status'") health_cluster = health_cluster.stdout.chomp.split("\n") service_and_health = service_json_cluster.zip(health_cluster) 
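Review bot: In spec/services/chef_spec.rb the 'Registered in consul' group builds its examples from the curl/jq output, so when the consul API is unreachable or returns nothing, `service_and_health` is empty, no `it` is defined, and the group passes without asserting anything. Add a presence check before the loop, e.g. `it('Should be at least in one node') { expect(health_cluster).not_to be_empty }`, as the ale and consul specs in this commit do. Pairing catalog rows with health rows by position through `zip` also assumes both endpoints list nodes in the same order; I cannot confirm that from the diff, so a comment stating the assumption would help.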
diff --git a/spec/services/logstash_spec.rb b/spec/services/logstash_spec.rb index a9191e3..cb8b9c8 100644 --- a/spec/services/logstash_spec.rb +++ b/spec/services/logstash_spec.rb @@ -13,38 +13,37 @@ HOSTNAME = command('hostname -s').stdout.chomp PIPELINES_PATH = '/etc/logstash/pipelines.yml' -describe "Checking packages for #{service}..." do - packages.each do |package| - describe package(package) do - before do - skip("#{package} is not installed, skipping...") unless package(package).installed? - end - it 'is expected to be installed' do - expect(package(package).installed?).to be true - end - end - end -end - describe "Checking service status for #{service}..." do - pipelines = command("knife node show #{HOSTNAME} --attribute default.pipelines -F json").stdout.strip - parsed_pipelines = JSON.parse(pipelines) + regex = '^- pipeline\.id: .*-pipeline$' + has_pipelines = command("grep --perl-regex '#{regex}' #{PIPELINES_PATH}").exit_status == 0 - if parsed_pipelines.empty? || parsed_pipelines.nil? + if has_pipelines describe service(service) do - it { should_not be_enabled } - it { should_not be_running } + it { should be_enabled } + it { should be_running } end describe port(port) do - it { should_not be_listening } + it { should be_listening } end - elsif !parsed_pipelines.empty? || !parsed_pipelines.nil? + + packages.each do |package| + describe package(package) do + it { should be_installed } + end + end + else describe service(service) do - it { should be_enabled } - it { should be_running } + it { should_not be_enabled } + it { should_not be_running } end describe port(port) do - it { should be_listening } + it { should_not be_listening } + end + + packages.each do |package| + describe package(package) do + it { should_not be_installed } + end end end end diff --git a/spec/services/nfacctd_spec.rb b/spec/services/nfacctd_spec.rb index 0c895f0..7631e4b 100644 --- a/spec/services/nfacctd_spec.rb +++ b/spec/services/nfacctd_spec.rb 
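Review bot: `has_pipelines` in spec/services/logstash_spec.rb treats every non-zero grep exit status as "no pipelines", so a missing or unreadable `/etc/logstash/pipelines.yml` (grep exit status 2) is handled like a file with no matching entry and sends the spec into the branch that expects the service off and the packages absent. Keeping the status and taking the `else` branch only on 1 separates the two cases: `grep_status = command("grep -E '#{regex}' #{PIPELINES_PATH}").exit_status` and `has_pipelines = grep_status.zero?`. If an absent file is a valid state for a node without logstash, a comment saying so would be enough. `--perl-regex` only works as an abbreviation of GNU grep's `--perl-regexp`, and the pattern uses no PCRE feature, which is why `-E` is suggested above.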
@@ -33,6 +33,9 @@ it { should be_listening } end end + describe file("/etc/pmacct/#{service}.conf") do + it { should exist } + end end if service_status == 'disabled' @@ -46,10 +49,7 @@ it { should_not be_listening } end end -end - -describe "Checking #{service} for config file" do describe file("/etc/pmacct/#{service}.conf") do - it { should exist } + it { should_not exist } end end diff --git a/spec/services/redborder_ai_spec.rb b/spec/services/redborder_ai_spec.rb new file mode 100644 index 0000000..46bc1bf --- /dev/null +++ b/spec/services/redborder_ai_spec.rb 
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'set'
+require 'json'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+service = serv_consul = pkg = 'redborder-ai'
+CONSUL_API_ENDPOINT = 'http://localhost:8500/v1'
+describe "Checking packages for #{service}..." do
+ describe package(pkg) do
+ before do
+ skip("#{pkg} is not installed, skipping...") unless package(pkg).installed?
+ end
+
+ it 'is expected to be installed' do
+ expect(package(pkg).installed?).to be true
+ end
+ end
+end
+
+service_status = command("systemctl is-enabled #{service}").stdout.strip
+describe "Checking #{service_status} service for #{service}..." do
+ if service_status == 'enabled'
+ describe service(service) do
+ it { should be_enabled }
+ it { should be_running }
+ end
+
+ describe 'Registered in consul' do
+ catalog_cmd = "curl -s #{CONSUL_API_ENDPOINT}/catalog/service/#{serv_consul} | jq -c 'group_by(.ID)[]'"
+ service_json_cluster = command(catalog_cmd)
+ service_json_cluster = service_json_cluster.stdout.chomp.split("\n")
+ health_cmd = "curl -s #{CONSUL_API_ENDPOINT}/health/service/#{serv_consul} | jq -r '.[].Checks[0].Status'"
+ health_cluster = command(health_cmd)
+ health_cluster = health_cluster.stdout.chomp.split("\n")
+ it 'Should be at least in one node' do
+ # expect(service_json_cluster.size).to be > 0 # redundant check
+ expect(health_cluster.size).to be > 0
+ end
+ service_and_health = service_json_cluster.zip(health_cluster)
+ service_and_health.each do |service, health|
+ registered = JSON.parse(service)[0].key?('Address') && health == 'passing' # ? true : false
+ it 'Should be registered and enabled' do
+ expect(registered).to be true
+ end
+ end
+ end
+
+ describe 'Checking consul sync address' do
+ hostname = command('hostname').stdout.strip.split('.')[0]
+ param = 'ipaddress_sync'
+ sync_address = command("knife node show #{hostname} -l --attr #{param} | awk '/#{param}:/ {print $2}'")
+ ip_address = command("curl -s #{CONSUL_API_ENDPOINT}/catalog/service/#{serv_consul} | jq -r '.[0].Address'")
+ sync_address = sync_address.stdout.strip
+ ip_address = ip_address.stdout.strip
+ it 'should match sync address' do
+ expect(ip_address).to eq(sync_address)
+ end
+ end
+
+ elsif service_status == 'disabled'
+ describe service(service) do
+ it { should_not be_enabled }
+ it { should_not be_running }
+ end
+
+ it 'Should be registered and enabled' do
+ registered = JSON.parse(service)[0].key?('Address') && health == 'passing' # ? true : false
+ expect(registered).to be true
+ end
+ end
+end
diff --git a/spec/services/redborder_cep_spec.rb b/spec/services/redborder_cep_spec.rb
new file mode 100644
index 0000000..e993f1b
--- /dev/null
+++ b/spec/services/redborder_cep_spec.rb
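Review bot: The 'Checking consul sync address' example in spec/services/redborder_ai_spec.rb compares two command outputs that are both empty strings when `knife` and `curl`/`jq` fail, so `expect(ip_address).to eq(sync_address)` passes on `'' == ''` without having verified anything. Assert that the expected value is present before the comparison, for example `expect(sync_address).not_to be_empty` as the first line of the example.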
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'json'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+packages = %w[
+ redborder-cep
+]
+
+service = 'redborder-cep'
+config_file = '/etc/redborder-cep/config.yml'
+port = 443
+
+describe "Checking packages for #{service}..." do
+ packages.each do |package|
+ describe package(package) do
+ before do
+ skip("#{package} is not installed, skipping...") unless package(package).installed?
+ end
+
+ it 'is expected to be installed' do
+ expect(package(package).installed?).to be true
+ end
+ end
+ end
+end
+
+service_status = command("systemctl is-enabled #{service}").stdout
+service_status = service_status.strip
+
+if service_status == 'enabled'
+ describe "Checking #{service_status} service for #{service}..." do
+ describe service(service) do
+ it { should be_enabled }
+ it { should be_running }
+ end
+
+ describe port(port) do
+ it { should be_listening }
+ end
+
+ describe file(config_file) do
+ it { should exist }
+ it { should be_file }
+ end
+ end
+end
+
+if service_status == 'disabled'
+ describe "Checking #{service_status} service for #{service}..." do
+ describe service(service) do
+ it { should_not be_enabled }
+ it { should_not be_running }
+ end
+
+ describe file(config_file) do
+ it { should_not exist }
+ end
+ end
+end
diff --git a/spec/users/f2k_spec.rb b/spec/users/f2k_spec.rb
new file mode 100644
index 0000000..3857fef
--- /dev/null
+++ b/spec/users/f2k_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'f2k'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/http2k_spec.rb b/spec/users/http2k_spec.rb
new file mode 100644
index 0000000..9aeb00e
--- /dev/null
+++ b/spec/users/http2k_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = 'redborder-http2k'
+usr = 'http2k'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/kafka_spec.rb b/spec/users/kafka_spec.rb
new file mode 100644
index 0000000..b363457
--- /dev/null
+++ b/spec/users/kafka_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = 'redborder-kafka'
+usr = 'kafka'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/memcached_spec.rb b/spec/users/memcached_spec.rb
new file mode 100644
index 0000000..30a76d1
--- /dev/null
+++ b/spec/users/memcached_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'memcached'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/minio_spec.rb b/spec/users/minio_spec.rb
new file mode 100644
index 0000000..391999a
--- /dev/null
+++ b/spec/users/minio_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'minio'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/bin/bash') }
+end
diff --git a/spec/users/pmacct_spec.rb b/spec/users/pmacct_spec.rb
new file mode 100644
index 0000000..31711d2
--- /dev/null
+++ b/spec/users/pmacct_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'pmacct'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/postfix_spec.rb b/spec/users/postfix_spec.rb
new file mode 100644
index 0000000..0d2221b
--- /dev/null
+++ b/spec/users/postfix_spec.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+describe user('postfix') do
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/postgres_spec.rb b/spec/users/postgres_spec.rb
new file mode 100644
index 0000000..4fe6ed3
--- /dev/null
+++ b/spec/users/postgres_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = 'postgresql'
+usr = 'postgres'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell '/bin/bash' }
+end
diff --git a/spec/users/redborder_ai_spec.rb b/spec/users/redborder_ai_spec.rb
new file mode 100644
index 0000000..4dbce7e
--- /dev/null
+++ b/spec/users/redborder_ai_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+pkg = usr = 'redborder-ai'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/redborder_dswatcher_spec.rb b/spec/users/redborder_dswatcher_spec.rb
new file mode 100644
index 0000000..3ae608a
--- /dev/null
+++ b/spec/users/redborder_dswatcher_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+pkg = usr = 'redborder-dswatcher'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/redborder_events_counter_spec.rb b/spec/users/redborder_events_counter_spec.rb
new file mode 100644
index 0000000..50d27a7
--- /dev/null
+++ b/spec/users/redborder_events_counter_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'redborder-events-counter'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/redborder_monitor_spec.rb b/spec/users/redborder_monitor_spec.rb
new file mode 100644
index 0000000..fb5c8ea
--- /dev/null
+++ b/spec/users/redborder_monitor_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'redborder-monitor'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/redborder_spec.rb b/spec/users/redborder_spec.rb
new file mode 100644
index 0000000..8586e86
--- /dev/null
+++ b/spec/users/redborder_spec.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+describe user('redborder') do
+ it { should exist }
+ it { should have_login_shell '/bin/bash' }
+end
diff --git a/spec/users/root_spec.rb b/spec/users/root_spec.rb
new file mode 100644
index 0000000..5b8f5b8
--- /dev/null
+++ b/spec/users/root_spec.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+describe user('root') do
+ it { should exist }
+ it { should have_login_shell '/bin/bash' }
+end
diff --git a/spec/users/users_spec.rb b/spec/users/users_spec.rb
new file mode 100644
index 0000000..0782fcf
--- /dev/null
+++ b/spec/users/users_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+# This file is for system users in general
+
+require 'spec_helper'
+require 'set'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+describe 'Checking only these users has login permission' do
+ passwd = command('cat /etc/passwd').stdout.split("\n")
+ bash_users = passwd.select { |p| p.include? '/bin/bash' }
+ bash_users.map! { |p| p.split(':').first }
+ bash_users = Set.new bash_users
+
+ allowed_users = Set.new %w[root redborder postgres minio]
+ not_allowed_users = bash_users - allowed_users
+
+ describe 'users with login permissions' do
+ it 'should only allow specified users' do
+ expect(not_allowed_users.to_a).to be_empty, "Unexpected users with login permissions: #{not_allowed_users.to_a}"
+ end
+ end
+end
diff --git a/spec/users/webui.rb b/spec/users/webui.rb
new file mode 100644
index 0000000..0f899c2
--- /dev/null
+++ b/spec/users/webui.rb
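Review bot: spec/users/users_spec.rb only looks for the substring `/bin/bash` in each passwd line, so an account whose shell is `/bin/sh`, `/bin/zsh` or any other interactive shell is never compared against `allowed_users`, although the description says only the listed users may log in. Selecting on the shell field and rejecting known non-login shells is stricter: `bash_users = passwd.reject { |p| %w[/sbin/nologin /usr/sbin/nologin /bin/false /bin/sync /sbin/shutdown /sbin/halt].include?(p.split(':').last) }`. If the node resolves accounts from a directory service, `getent passwd` would include those as well; I cannot tell from the diff whether it does.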
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'webui'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
diff --git a/spec/users/zookeeper.rb b/spec/users/zookeeper.rb
new file mode 100644
index 0000000..96548b2
--- /dev/null
+++ b/spec/users/zookeeper.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+set :os, family: 'redhat', release: '9', arch: 'x86_64'
+
+pkg = usr = 'zookeeper'
+describe user(usr) do
+ before(:all) do
+ skip("Package #{pkg} is not installed") unless package(pkg).installed?
+ end
+ it { should exist }
+ it { should have_login_shell('/sbin/nologin') }
+end
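Review bot: spec/users/webui.rb and spec/users/zookeeper.rb are not named `*_spec.rb`, so the `users` task this commit adds to the Rakefile (`t.pattern = 'spec/users/*_spec.rb'`) will not load them and the nologin checks for these two accounts never run. Renaming them to `webui_spec.rb` and `zookeeper_spec.rb` matches the other files in the directory.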