Merge pull request #199 from myii/ci/add-vagrant-testing-via-github-actions

ci: enable Vagrant-based testing using GitHub Actions

Author: myii

.github/workflows/kitchen.vagrant.yml

@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: 'Kitchen Vagrant (FreeBSD & OpenBSD)'
+'on': ['push', 'pull_request']
+
+env:
+  KITCHEN_LOCAL_YAML: 'kitchen.vagrant.yml'
+
+jobs:
+  test:
+    runs-on: 'macos-10.15'
+    strategy:
+      fail-fast: false
+      matrix:
+        instance:
+          - default-freebsd-122-latest-py3
+          - default-freebsd-114-latest-py3
+          - default-openbsd-68-latest-py3
+    steps:
+      - name: 'Check out code'
+        uses: 'actions/checkout@v2'
+      - name: 'Set up Bundler cache'
+        uses: 'actions/cache@v1'
+        with:
+          path: 'vendor/bundle'
+          key: "${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}"
+          restore-keys: "${{ runner.os }}-gems-"
+      - name: 'Run Bundler'
+        run: |
+          ruby --version
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+      - name: 'Run Test Kitchen'
+        run: 'bundle exec kitchen verify ${{ matrix.instance }}'

.yamllint

@@ -16,6 +16,7 @@ ignore: |
   node_modules/
   test/**/states/**/*.sls
   .kitchen/
+  test/salt/pillar/default.sls
 
 yaml-files:
   # Default settings

docs/README.rst

@@ -266,7 +266,7 @@ e.g. ``debian-9-2019-2-py3``.
 ``bin/kitchen converge``
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
-Creates the docker instance and runs the ``template`` main state, ready for testing.
+Creates the docker instance and runs the ``openssh`` main states, ready for testing.
 
 ``bin/kitchen verify``
 ^^^^^^^^^^^^^^^^^^^^^^
@@ -288,3 +288,64 @@ Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``veri
 
 Gives you SSH access to the instance for manual testing.
 
+Testing with Vagrant
+--------------------
+
+Windows/FreeBSD/OpenBSD testing is done with ``kitchen-salt``.
+
+Requirements
+^^^^^^^^^^^^
+
+* Ruby
+* Virtualbox
+* Vagrant
+
+Setup
+^^^^^
+
+.. code-block:: bash
+
+   $ gem install bundler
+   $ bundle install --with=vagrant
+   $ bin/kitchen test [platform]
+
+Where ``[platform]`` is the platform name defined in ``kitchen.vagrant.yml``,
+e.g. ``windows-81-latest-py3``.
+
+Note
+^^^^
+
+When testing using Vagrant you must set the environment variable ``KITCHEN_LOCAL_YAML`` to ``kitchen.vagrant.yml``.  For example:
+
+.. code-block:: bash
+
+   $ KITCHEN_LOCAL_YAML=kitchen.vagrant.yml bin/kitchen test      # Alternatively,
+   $ export KITCHEN_LOCAL_YAML=kitchen.vagrant.yml
+   $ bin/kitchen test
+
+Then run the following commands as needed.
+
+``bin/kitchen converge``
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Creates the Vagrant instance and runs the ``openssh`` main states, ready for testing.
+
+``bin/kitchen verify``
+^^^^^^^^^^^^^^^^^^^^^^
+
+Runs the ``inspec`` tests on the actual instance.
+
+``bin/kitchen destroy``
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Removes the Vagrant instance.
+
+``bin/kitchen test``
+^^^^^^^^^^^^^^^^^^^^
+
+Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.
+
+``bin/kitchen login``
+^^^^^^^^^^^^^^^^^^^^^
+
+Gives you RDP/SSH access to the instance for manual testing.

kitchen.vagrant.yml

@@ -3,15 +3,26 @@
 ---
 driver:
   name: vagrant
+  cache_directory: false
+  customize:
+    usbxhci: 'off'
+  gui: false
+  linked_clone: true
+  ssh:
+    shell: /bin/sh
 
 platforms:
-  - name: freebsd-120-2019-2-py3
+  - name: freebsd-122-latest-py3
     driver:
-      box_url: https://freebsd.z.vstack.com/FreeBSD-12.0.box
-      cache_directory: false
-      customize:
-        usbxhci: 'off'
-      gui: false
-      linked_clone: true
+      box: bento/freebsd-12.2
+  - name: freebsd-114-latest-py3
+    driver:
+      box: bento/freebsd-11.4
+  - name: openbsd-68-latest-py3
+    driver:
+      box: generic/openbsd6
       ssh:
-        shell: '/bin/sh'
+        shell: /bin/ksh
+
+provisioner:
+  salt_install: bootstrap

kitchen.yml

@@ -310,6 +310,7 @@ suites:
   - name: default
     driver:
       hostname: example.net
+      vm_hostname: example.net
     provisioner:
       state_top:
         base:

openssh/known_hosts.sls

@@ -3,9 +3,13 @@
 {%- from tplroot ~ "/libtofs.jinja" import files_switch %}
 {%- set openssh = mapdata.openssh %}
 
+{%- if openssh.dig_pkg %}
 ensure dig is available:
   pkg.installed:
     - name: {{ openssh.dig_pkg }}
+    - require_in:
+      - file: manage ssh_known_hosts file
+{%- endif %}
 
 manage ssh_known_hosts file:
   file.managed:
@@ -19,5 +23,3 @@ manage ssh_known_hosts file:
     - user: root
     - group: {{ openssh.ssh_config_group }}
     - mode: 644
-    - require:
-      - pkg: ensure dig is available

openssh/parameters/os_family/OpenBSD.yaml

@@ -12,6 +12,8 @@
 values:
   openssh:
     service: sshd
+    # Already installed: `base68:/usr/bin/dig`
+    dig_pkg: ~
     sshd_config_group: wheel
     ssh_config_group: wheel
   sshd_config:

test/integration/default/controls/config_spec.rb

@@ -27,7 +27,9 @@
     its('content') { should include 'PrintMotd no' }
     its('content') { should include 'AcceptEnv LANG LC_*' }
     its('content') { should include 'Subsystem sftp /usr/lib/openssh/sftp-server' }
-    its('content') { should include 'UsePAM yes' }
+    unless %w[openbsd].include?(platform[:name])
+      its('content') { should include 'UsePAM yes' }
+    end
   end
 
   describe file('/etc/ssh/ssh_config') do
@@ -45,7 +47,7 @@
     it { should be_file }
     its('mode') { should cmp '0644' }
     it { should be_owned_by 'root' }
-    it { should be_grouped_into 'root' }
+    it { should be_grouped_into root_group }
     its('content') { should include github_known_host }
     its('content') { should match(gitlab_known_host_re) }
     its('content') { should include minion_rsa_known_host }

test/integration/default/files/_mapdata/freebsd-11.yaml

@@ -0,0 +1,183 @@
+# yamllint disable rule:indentation rule:line-length
+# FreeBSD-12
+---
+values:
+  map_jinja:
+    sources:
+    - Y:G@osarch
+    - Y:G@os_family
+    - Y:G@os
+    - Y:G@osfinger
+    - C:SUB@openssh:lookup
+    - C:SUB@openssh
+    - C:SUB@sshd_config:lookup
+    - C:SUB@sshd_config
+    - C:SUB@ssh_config:lookup
+    - C:SUB@ssh_config
+    - Y:G@id
+  openssh:
+    absent_dsa_keys: false
+    absent_ecdsa_keys: false
+    absent_ed25519_keys: false
+    absent_rsa_keys: false
+    auth:
+      joe-non-valid-ssh-key:
+      - comment: obsolete key - removed
+        enc: ssh-rsa
+        present: false
+        source: salt://ssh_keys/joe.no-valid.pub
+        user: joe
+      joe-valid-ssh-key-desktop:
+      - comment: main key - desktop
+        enc: ssh-rsa
+        present: true
+        source: salt://ssh_keys/joe.desktop.pub
+        user: joe
+      joe-valid-ssh-key-notebook:
+      - comment: main key - notebook
+        enc: ssh-rsa
+        present: true
+        source: salt://ssh_keys/joe.netbook.pub
+        user: joe
+    auth_map:
+      personal_keys:
+        source: salt://ssh_keys
+        users:
+          joe:
+            joe.desktop: {}
+            joe.netbook:
+              options: []
+            joe.no-valid:
+              present: false
+    banner: /etc/ssh/banner
+    banner_src: banner
+    banner_string: 'Welcome to example.net!
+  '
+    client_version: latest
+    dig_pkg: bind-tools
+    dsa:
+      private_key: '-----BEGIN DSA PRIVATE KEY-----
+
+        NOT_DEFINED
+
+        -----END DSA PRIVATE KEY-----
+  '
+      public_key: 'ssh-dss NOT_DEFINED
+  '
+    ecdsa:
+      private_key: '-----BEGIN EC PRIVATE KEY-----
+
+        NOT_DEFINED
+
+        -----END EC PRIVATE KEY-----
+  '
+      public_key: 'ecdsa-sha2-nistp256 NOT_DEFINED
+  '
+    ed25519:
+      private_key: '-----BEGIN OPENSSH PRIVATE KEY-----
+
+        NOT_DEFINED
+
+        -----END OPENSSH PRIVATE KEY-----
+  '
+      public_key: 'ssh-ed25519 NOT_DEFINED
+  '
+    enforce_rsa_size: false
+    generate_dsa_keys: false
+    generate_ecdsa_keys: false
+    generate_ed25519_keys: false
+    generate_rsa_keys: false
+    generate_rsa_size: 4096
+    host_key_algos: ecdsa,ed25519,rsa
+    known_hosts:
+      aliases:
+      - cname-to-minion.example.org
+      - alias.example.org
+      hostnames: false
+      include_localhost: false
+      mine_hostname_function: public_ssh_hostname
+      mine_keys_function: public_ssh_host_keys
+      omit_ip_address:
+      - github.com
+      salt_ssh:
+        public_ssh_host_keys:
+          minion.id: 'ssh-rsa [...]
+
+            ssh-ed25519 [...]
+  '
+        public_ssh_host_names:
+          minion.id:
+          - minion.id
+          - alias.of.minion.id
+        user: salt-master
+      static:
+        github.com: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]
+        gitlab.com: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]
+      target: '*'
+      tgt_type: glob
+    moduli: '# Time Type Tests Tries Size Generator Modulus
+
+      20120821045639 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C604293680B09D63
+
+      20120821045830 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C6042936814C2FFB
+
+      20120821050046 2 6 100 2047 2 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368214FC53
+
+      20120821050054 2 6 100 2047 5 DD2047CBDBB6F8E919BC63DE885B34D0FD6E3DB2887D8B46FE249886ACED6B46DFCD5553168185FD376122171CD8927E60120FA8D01F01D03E58281FEA9A1ABE97631C828E41815F34FDCDF787419FE13A3137649AA93D2584230DF5F24B5C00C88B7D7DE4367693428C730376F218A53E853B0851BAB7C53C15DA7839CBE1285DB63F6FA45C1BB59FE1C5BB918F0F8459D7EF60ACFF5C0FA0F3FCAD1C5F4CE4416D4F4B36B05CDCEBE4FB879E95847EFBC6449CD190248843BC7EDB145FBFC4EDBB1A3C959298F08F3BA2CFBE231BBE204BE6F906209D28BD4820AB3E7BE96C26AE8A809ADD8D1A5A0B008E9570FA4C4697E116B8119892C60429368218E83F
+  '
+    provide_dsa_keys: false
+    provide_ecdsa_keys: false
+    provide_ed25519_keys: false
+    provide_rsa_keys: false
+    root_group: root
+    rsa:
+      private_key: '-----BEGIN RSA PRIVATE KEY-----
+
+        NOT_DEFINED
+
+        -----END RSA PRIVATE KEY-----
+  '
+      public_key: 'ssh-rsa NOT_DEFINED
+  '
+    server_version: latest
+    service: sshd
+    ssh_config: /etc/ssh/ssh_config
+    ssh_config_backup: true
+    ssh_config_group: wheel
+    ssh_config_mode: '644'
+    ssh_config_src: ssh_config
+    ssh_config_user: root
+    ssh_known_hosts: /etc/ssh/ssh_known_hosts
+    ssh_known_hosts_src: ssh_known_hosts
+    ssh_moduli: /etc/ssh/moduli
+    sshd_binary: /usr/sbin/sshd
+    sshd_config: /etc/ssh/sshd_config
+    sshd_config_backup: true
+    sshd_config_group: wheel
+    sshd_config_mode: '644'
+    sshd_config_src: sshd_config
+    sshd_config_user: root
+    sshd_enable: true
+    tofs:
+      source_files:
+        manage ssh_known_hosts file:
+        - alt_ssh_known_hosts
+        ssh_config:
+        - alt_ssh_config
+        sshd_banner:
+        - fire_banner
+        sshd_config:
+        - alt_sshd_config
+  ssh_config:
+    Hosts:
+      '*':
+        GSSAPIAuthentication: 'yes'
+        HashKnownHosts: 'yes'
+        SendEnv: LANG LC_*
+  sshd_config:
+    AcceptEnv: LANG LC_*
+    ChallengeResponseAuthentication: 'no'
+    PrintMotd: 'no'
+    Subsystem: sftp /usr/lib/openssh/sftp-server
+    UsePAM: 'yes'
+    X11Forwarding: 'yes'