Remove use of File.exists? (#53)

Also: * Clean up for rubocop * Drop tests for EL < 7 * Bump version * Add CHANGELOG entry Fixes #48
simp · Jul 16, 2024 · 3bdfb52 · 3bdfb52
1 parent e7658b5
commit 3bdfb52
Show file tree

Hide file tree

Showing 14 changed files with 320 additions and 315 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+* Mon Jul 15 2024 Steven Pritchard <[email protected]> - 0.8.1
+- Fixes for Puppet 8 compatibility
+
 * Mon Oct 23 2023 Steven Pritchard <[email protected]> - 0.8.0
 - [puppetsync] Add EL9 support
 

diff --git a/lib/facter/ima_log_size.rb b/lib/facter/ima_log_size.rb
@@ -1,7 +1,7 @@
 # Detects the size of the IMA log in bytes
 Facter.add('ima_log_size') do
   confine do
-    File.exists? '/sys/kernel/security/ima/ascii_runtime_measurements'
+    File.exist? '/sys/kernel/security/ima/ascii_runtime_measurements'
   end
 
   setcode do

diff --git a/lib/facter/ima_security_attr.rb b/lib/facter/ima_security_attr.rb
@@ -12,21 +12,21 @@
 #
 Facter.add('ima_security_attr') do
   confine do
-    Facter.value(:cmdline) && Facter.value(:cmdline).has_key?('ima_appraise_tcb')
+    Facter.value(:cmdline)&.key?('ima_appraise_tcb')
   end
 
   setcode do
     vardir = Facter.value(:puppet_vardir)
 
-  # Check if the script to update the attributes is still running
+    # Check if the script to update the attributes is still running
     isrunning = Facter::Core::Execution.execute('ps -ef')
     if isrunning['ima_security_attr_update.sh'].nil?
       relabel_file = "#{vardir}/simp/.ima_relabel"
-      if File.exists?("#{relabel_file}")
-        status = 'need_relabel'
-      else
-        status = 'inactive'
-      end
+      status = if File.exist?(relabel_file)
+                 'need_relabel'
+               else
+                 'inactive'
+               end
     else
       status = 'active'
     end

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-ima",
-  "version": "0.8.0",
+  "version": "0.8.1",
   "author": "SIMP Team",
   "summary": "Manages IMA",
   "license": "Apache-2.0",

diff --git a/spec/acceptance/suites/default/00_ima_spec.rb b/spec/acceptance/suites/default/00_ima_spec.rb
@@ -5,7 +5,7 @@
 
 describe 'ima class' do
   hosts.each do |host|
-    it 'should set a root password' do
+    it 'sets a root password' do
       on(host, "sed -i 's/enforce_for_root//g' /etc/pam.d/*")
       on(host, 'echo "root:password" | chpasswd --crypt-method SHA256')
     end
@@ -22,16 +22,15 @@
         # }
       EOF
 
-      it 'should run puppet' do
+      it 'runs puppet' do
         apply_manifest_on(host, manifest, catch_failures: true)
       end
 
-      it 'should run puppet idempotently' do
+      it 'runs puppet idempotently' do
         apply_manifest_on(host, manifest, catch_changes: true)
       end
 
-
-      it 'should run puppet idempotently after a reboot' do
+      it 'runs puppet idempotently after a reboot' do
         # reboot to apply kernel_parameter settings
         host.reboot
         # the mount will need to be reset
@@ -40,7 +39,7 @@
         apply_manifest_on(host, manifest, catch_changes: true)
       end
 
-      it 'should not lock up the filesystem' do
+      it 'does not lock up the filesystem' do
         on(host, "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 1000 | head -n 10000 > /root/hugefile")
         on(host, 'head -15 /sys/kernel/security/ima/ascii_runtime_measurements')
         on(host, 'ls -la ~')
@@ -49,7 +48,7 @@
   end
 
   context 'stricter rules' do
-    if true
+    if true # rubocop:disable Lint/LiteralAsCondition
       it 'fails to allow puppet to function in strict enforcing mode'
     else
       # This is kept around to show what *should* happen (and what did happen
@@ -68,30 +67,30 @@ class { 'ima::policy':
           }
         EOF
 
-        it 'should run puppet' do
+        it 'runs puppet' do
           apply_manifest_on(host, manifest, catch_failures: true)
         end
 
-        it 'should run puppet idempotently' do
+        it 'runs puppet idempotently' do
           apply_manifest_on(host, manifest, catch_changes: true)
         end
 
         it 'locks up the filesystem after a reboot and new policy is applied' do
           on(host, 'yum install -y telnet')
           ssh_config = File.readlines(host[:ssh][:config])
-          ssh_port   = ssh_config.grep(/port/i).first.split(' ')[1]
+          ssh_port   = ssh_config.grep(%r{port}i).first.split(' ')[1]
 
           expect(on(host, 'ls')).to be_truthy
 
-          tel = Net::Telnet::new("Port" => ssh_port)
+          tel = Net::Telnet.new('Port' => ssh_port)
           result = tel.cmd('echo echo')
           tel.close
-          expect(result).to match(/OpenSSH/)
+          expect(result).to match(%r{OpenSSH})
 
           host.reboot
           sleep 30
 
-          tel2 = Net::Telnet::new("Port" => ssh_port)
+          tel2 = Net::Telnet.new('Port' => ssh_port)
           begin
             result2 = tel.cmd('echo echo')
           rescue IOError => e

diff --git a/spec/classes/appraise/fixmode_spec.rb b/spec/classes/appraise/fixmode_spec.rb
@@ -6,43 +6,47 @@
 describe 'ima::appraise' do
   on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-
-      let (:facts) do
-        os_facts.merge({
-          :cmdline => { 'ima' => 'on' },
-        })
+      let(:facts) do
+        os_facts.merge(cmdline: { 'ima' => 'on' })
       end
 
       context 'with relabel false' do
-        let (:params) {{
-          relabel_file: '/tmp/simp/.ima_relabel',
-          force_fixmode: true
-        }}
+        let(:params) do
+          {
+            relabel_file: '/tmp/simp/.ima_relabel',
+            force_fixmode: true,
+          }
+        end
 
-        it { is_expected.to contain_kernel_parameter('ima_appraise').with({
-          'value'    => 'fix',
-          'bootmode' => 'normal',
-        }).that_notifies('Reboot_notify[ima_appraise_fix_reboot]')}
-        it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({'ensure' => 'absent' })}
-        it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]')}
+        it do
+          is_expected.to contain_kernel_parameter('ima_appraise')
+            .with(
+              'value'    => 'fix',
+              'bootmode' => 'normal',
+            ).that_notifies('Reboot_notify[ima_appraise_fix_reboot]')
+        end
+        it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({ 'ensure' => 'absent' }) }
+        it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]') }
       end
 
       context 'with relabel true' do
-        let (:facts) do
-          os_facts.merge({
-            :cmdline => { 'ima' => 'on', 'foo' => 'bar', 'ima_appraise' => 'off' }
-          })
+        let(:facts) do
+          os_facts.merge(cmdline: { 'ima' => 'on', 'foo' => 'bar', 'ima_appraise' => 'off' })
+        end
+        let(:params) do
+          {
+            relabel_file: '/tmp/simp/.ima_relabel',
+          }
         end
-        let (:params) {{
-          relabel_file: '/tmp/simp/.ima_relabel',
-        }}
 
-        it { is_expected.to contain_kernel_parameter('ima_appraise').with({
-          'value'    => 'fix',
-          'bootmode' => 'normal',
-        }).that_notifies('Reboot_notify[ima_appraise_fix_reboot]')}
-        it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({'ensure' => 'file' })}
-        it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]')}
+        it do
+          is_expected.to contain_kernel_parameter('ima_appraise').with(
+            'value'    => 'fix',
+            'bootmode' => 'normal',
+          ).that_notifies('Reboot_notify[ima_appraise_fix_reboot]')
+        end
+        it { is_expected.to contain_file('/tmp/simp/.ima_relabel').with({ 'ensure' => 'file' }) }
+        it { is_expected.to contain_reboot_notify('ima_appraise_fix_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]') }
       end
     end
   end

diff --git a/spec/classes/appraise/relabel_spec.rb b/spec/classes/appraise/relabel_spec.rb
@@ -6,53 +6,56 @@
 describe 'ima::appraise' do
   on_supported_os.each do |os, os_facts|
     context "on #{os}" do
-      let (:params) {{
-        relabel_file: '/tmp/simp/.ima_relabel',
-        scriptdir: '/myscripts'
-      }}
-
-      let (:default_facts) do
-        os_facts.merge({
-          :cmdline => { 'ima' => 'on', 'ima_appraise' => 'fix' }
-        })
+      let(:params) do
+        {
+          relabel_file: '/tmp/simp/.ima_relabel',
+          scriptdir: '/myscripts',
+        }
+      end
+
+      let(:default_facts) do
+        os_facts.merge(cmdline: { 'ima' => 'on', 'ima_appraise' => 'fix' })
       end
 
       context 'with ima_security_attr inactive' do
-        let (:facts) do
-          default_facts.merge({
-            :ima_security_attr => 'inactive'
-          })
+        let(:facts) do
+          default_facts.merge(ima_security_attr: 'inactive')
         end
-        it { is_expected.to contain_kernel_parameter('ima_appraise').with({
-          'value'    => 'enforce',
-          'bootmode' => 'normal',
-        }).that_notifies('Exec[dracut ima appraise rebuild]')}
-        it { is_expected.to contain_exec('dracut ima appraise rebuild').with({
-          'command'     => '/sbin/dracut -f',
-          'refreshonly' => true
-        }).that_subscribes_to('Kernel_parameter[ima_appraise]')}
-        it { is_expected.to contain_reboot_notify('ima_appraise_enforce_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]')}
+
+        it {
+          is_expected.to contain_kernel_parameter('ima_appraise')
+            .with(
+              'value'    => 'enforce',
+              'bootmode' => 'normal',
+            ).that_notifies('Exec[dracut ima appraise rebuild]')
+        }
+        it {
+          is_expected.to contain_exec('dracut ima appraise rebuild').with(
+            'command'     => '/sbin/dracut -f',
+            'refreshonly' => true,
+          ).that_subscribes_to('Kernel_parameter[ima_appraise]')
+        }
+        it { is_expected.to contain_reboot_notify('ima_appraise_enforce_reboot').that_subscribes_to('Kernel_parameter[ima_appraise]') }
       end
 
       context 'with ima_security_attr active' do
-        let (:facts) do
-          default_facts.merge({
-            :ima_security_attr => 'active'
-          })
+        let(:facts) do
+          default_facts.merge(ima_security_attr: 'active')
         end
-        it { is_expected.to contain_notify('IMA updates running')}
+
+        it { is_expected.to contain_notify('IMA updates running') }
       end
 
       context 'with ima_security_attr relabel' do
-        let (:facts) do
-          default_facts.merge({
-            :ima_security_attr => 'relabel'
-          })
+        let(:facts) do
+          default_facts.merge(ima_security_attr: 'relabel')
+        end
+
+        it { is_expected.to contain_notify('IMA updates started') }
+        it do
+          is_expected.to contain_exec('ima_security_attr_update')
+            .with('command' => '/myscripts/ima_security_attr_update.sh /tmp/simp/.ima_relabel &')
         end
-        it { is_expected.to contain_notify('IMA updates started')}
-        it { is_expected.to contain_exec('ima_security_attr_update').with({
-          'command'    => '/myscripts/ima_security_attr_update.sh /tmp/simp/.ima_relabel &',
-        })}
       end
     end
   end