ci(appended): add second test suite

Author: noelmcloughlin

.gitlab-ci.yml

@@ -137,19 +137,19 @@ rubocop:
 # default-rockylinux-8-tiamat-py3: {extends: '.test_instance'}
 default-debian-11-master-py3: {extends: '.test_instance'}
 default-debian-10-master-py3: {extends: '.test_instance'}
-default-debian-9-master-py3: {extends: '.test_instance'}
+appended-debian-9-master-py3: {extends: '.test_instance'}
 default-ubuntu-2004-master-py3: {extends: '.test_instance'}
 default-ubuntu-1804-master-py3: {extends: '.test_instance'}
 default-centos-8-master-py3: {extends: '.test_instance'}
-default-centos-7-master-py3: {extends: '.test_instance'}
+appended-centos-7-master-py3: {extends: '.test_instance'}
 default-fedora-34-master-py3: {extends: '.test_instance'}
 default-fedora-33-master-py3: {extends: '.test_instance'}
 default-opensuse-leap-153-master-py3: {extends: '.test_instance'}
-default-opensuse-leap-152-master-py3: {extends: '.test_instance'}
+appended-opensuse-leap-152-master-py3: {extends: '.test_instance'}
 default-opensuse-tmbl-latest-master-py3: {extends: '.test_instance'}
 default-amazonlinux-2-master-py3: {extends: '.test_instance'}
 default-oraclelinux-8-master-py3: {extends: '.test_instance'}
-default-oraclelinux-7-master-py3: {extends: '.test_instance'}
+appended-oraclelinux-7-master-py3: {extends: '.test_instance'}
 default-arch-base-latest-master-py3: {extends: '.test_instance'}
 default-gentoo-stage3-latest-master-py3: {extends: '.test_instance'}
 default-gentoo-stage3-systemd-master-py3: {extends: '.test_instance'}

kitchen.yml

@@ -448,3 +448,23 @@ suites:
     verifier:
       inspec_tests:
         - path: test/integration/default
+  - name: appended
+    provisioner:
+      state_top:
+        base:
+          '*':
+            - sudoers._mapdata
+            - sudoers
+            - sudoers.included
+      pillars:
+        top.sls:
+          base:
+            '*':
+              - kitchen
+              - sudoers
+      pillars_from_files:
+        kitchen.sls: test/salt/pillar/kitchen.sls
+        sudoers.sls: test/salt/pillar/appended.sls
+    verifier:
+      inspec_tests:
+        - path: test/integration/appended

sudoers/included/install.sls

@@ -18,13 +18,13 @@ include:
 
 {% set included_files = sudoers.included_files %}
 {% for included_file, spec in included_files.items() -%}
+    {%- if '/' not in included_file %}
+        {%- set included_file = sudoers.includedir ~ '/' ~ included_file %}
+    {%- endif %}
+
 sudoers include {{ included_file }}:
   file.managed:
-    {% if '/' in included_file %}
     - name: {{ included_file }}
-    {% else %}
-    - name: {{ sudoers.includedir }}/{{ included_file }}
-    {% endif %}
     - user: root
     - group: {{ sudoers.group }}
     - mode: 440
@@ -40,9 +40,15 @@ sudoers include {{ included_file }}:
       - file: {{ sudoers.configpath }}/sudoers
     - require_in:
       - file: {{ sudoers.includedir }}
+
     {% elif sudoers.append_included_files_to_endof_main_config %}
+
+sudoers append {{ included_file }}:
   file.append:
     - name: {{ sudoers.configpath }}/sudoers
-    - text: '#include {{ sudoers.configpath }}/sudoers.d/{{ included_file }}'
+    - text: '#include {{ included_file }}'
+    - require:
+      - file: sudoers include {{ included_file }}
     {% endif %}
+
 {% endfor %}

test/integration/appended/README.md

@@ -0,0 +1,50 @@
+# InSpec Profile: `appended`
+
+This shows the implementation of the `appended` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
+
+## Verify a profile
+
+InSpec ships with built-in features to verify a profile structure.
+
+```bash
+$ inspec check appended
+Summary
+-------
+Location: appended
+Profile: profile
+Controls: 4
+Timestamp: 2019-06-24T23:09:01+00:00
+Valid: true
+
+Errors
+------
+
+Warnings
+--------
+```
+
+## Execute a profile
+
+To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
+
+```bash
+$ inspec exec appended
+..
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+8 examples, 0 failures
+```
+
+## Execute a specific control from a profile
+
+To run one control from the profile use `inspec exec /path/to/profile --controls name`.
+
+```bash
+$ inspec exec appended --controls package
+.
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+1 examples, 0 failures
+```
+
+See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).

test/integration/appended/controls/_mapdata.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+control 'sudoers._mapdata' do
+  title '`map.jinja` should match the reference file'
+
+  ### Method
+  # The steps below for each file appear convoluted but they are both required
+  # and similar in nature:
+  # 1. The earliest method was to simply compare the files textually but this often
+  #    led to false positives due to inconsistencies (e.g. spacing, ordering)
+  # 2. The next method was to load the files back into YAML structures and then
+  #    compare but InSpec provided block diffs this way, unusable by end users
+  # 3. The final step was to dump the YAML structures back into a string to use
+  #    for the comparison; this both worked and provided human-friendly diffs
+
+  ### Comparison file for the specific platform
+  ### Static, adjusted as part of code contributions, as map data is changed
+  # Strip the `platform[:finger]` version number down to the "OS major release"
+  platform_finger = system.platform[:finger].split('.').first.to_s
+  # Use that to set the path to the file (relative to the InSpec suite directory)
+  mapdata_file_path = "_mapdata/#{platform_finger}.yaml"
+  # Load the mapdata from profile, into a YAML structure
+  # https://docs.chef.io/inspec/profiles/#profile-files
+  mapdata_file_yaml = YAML.load(inspec.profile.file(mapdata_file_path))
+  # Dump the YAML back into a string for comparison
+  mapdata_file_dump = YAML.dump(mapdata_file_yaml)
+
+  ### Output file produced by running the `_mapdata` state
+  ### Dynamic, generated during Kitchen's `converge` phase
+  # Derive the location of the dumped mapdata (differs for Windows)
+  output_dir = platform[:family] == 'windows' ? '/temp' : '/tmp'
+  # Use that to set the path to the file (absolute path, i.e. within the container)
+  output_file_path = "#{output_dir}/salt_mapdata_dump.yaml"
+  # Load the output into a YAML structure using InSpec's `yaml` resource
+  # https://github.com/inspec/inspec/blob/49b7d10/lib/inspec/resources/yaml.rb#L29
+  output_file_yaml = yaml(output_file_path).params
+  # Dump the YAML back into a string for comparison
+  output_file_dump = YAML.dump(output_file_yaml)
+
+  describe 'File content' do
+    it 'should match profile map data exactly' do
+      expect(output_file_dump).to eq(mapdata_file_dump)
+    end
+  end
+end

test/integration/appended/controls/config.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+control 'Sudoers configuration' do
+  title 'should match desired lines'
+
+  describe file('/etc/sudoers') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('content') { should include '#include /etc/sudoers.d/extra-file1' }
+    its('content') { should include '#include /etc/sudoers.d/extra-file2' }
+    its('content') { should include '#include /etc/sudoers.d/extra-file3' }
+  end
+
+  describe file('/etc/sudoers.d/extra-file1') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0440' }
+    its('content') { should include 'foo ALL=(ALL) ALL' }
+  end
+
+  describe file('/etc/sudoers.d/extra-file2') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0440' }
+    its('content') { should include '%bargroup ALL=(ALL) NOPASSWD: ALL' }
+  end
+
+  describe file('/etc/sudoers.d/extra-file3') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0440' }
+    its('content') { should include '+other_netgroup ALL=(ALL) ALL' }
+  end
+end

test/integration/appended/controls/package.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+control 'Sudo package' do
+  title 'should be installed'
+
+  describe package('sudo') do
+    it { should be_installed }
+  end
+end

test/integration/appended/files/_mapdata/almalinux-8.yaml

@@ -0,0 +1,29 @@
+# yamllint disable rule:indentation rule:line-length
+# AlmaLinux-8
+---
+values:
+  append_included_files_to_endof_main_config: true
+  arch: amd64
+  configpath: /etc
+  execprefix: /usr/sbin
+  group: root
+  included_files:
+    /etc/sudoers.d/extra-file1:
+      users:
+        foo:
+        - ALL=(ALL) ALL
+    /etc/sudoers.d/extra-file2:
+      groups:
+        bargroup:
+        - 'ALL=(ALL) NOPASSWD: ALL'
+    /etc/sudoers.d/extra-file3:
+      netgroups:
+        other_netgroup:
+        - ALL=(ALL) ALL
+  includedir: /etc/sudoers.d
+  manage_main_config: false
+  pkg: sudo
+  purge_includedir: false
+  users:
+    kitchen:
+    - 'ALL=(root) NOPASSWD: ALL'

test/integration/appended/files/_mapdata/amazonlinux-1.yaml

@@ -0,0 +1,29 @@
+# yamllint disable rule:indentation rule:line-length
+# AlmaLinux-8
+---
+values:
+  append_included_files_to_endof_main_config: true
+  arch: amd64
+  configpath: /etc
+  execprefix: /usr/sbin
+  group: root
+  included_files:
+    /etc/sudoers.d/extra-file1:
+      users:
+        foo:
+        - ALL=(ALL) ALL
+    /etc/sudoers.d/extra-file2:
+      groups:
+        bargroup:
+        - 'ALL=(ALL) NOPASSWD: ALL'
+    /etc/sudoers.d/extra-file3:
+      netgroups:
+        other_netgroup:
+        - ALL=(ALL) ALL
+  includedir: /etc/sudoers.d
+  manage_main_config: false
+  pkg: sudo
+  purge_includedir: false
+  users:
+    kitchen:
+    - 'ALL=(root) NOPASSWD: ALL'

test/integration/appended/files/_mapdata/amazonlinux-2.yaml

@@ -0,0 +1,29 @@
+# yamllint disable rule:indentation rule:line-length
+# AlmaLinux-8
+---
+values:
+  append_included_files_to_endof_main_config: true
+  arch: amd64
+  configpath: /etc
+  execprefix: /usr/sbin
+  group: root
+  included_files:
+    /etc/sudoers.d/extra-file1:
+      users:
+        foo:
+        - ALL=(ALL) ALL
+    /etc/sudoers.d/extra-file2:
+      groups:
+        bargroup:
+        - 'ALL=(ALL) NOPASSWD: ALL'
+    /etc/sudoers.d/extra-file3:
+      netgroups:
+        other_netgroup:
+        - ALL=(ALL) ALL
+  includedir: /etc/sudoers.d
+  manage_main_config: false
+  pkg: sudo
+  purge_includedir: false
+  users:
+    kitchen:
+    - 'ALL=(root) NOPASSWD: ALL'