Merge pull request #13 from TelekomLabs/test

Fix Tests
dev-sec · Jan 14, 2015 · 97e7b92 · 97e7b92
2 parents bf4464a + b87ec5d
commit 97e7b92
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 8 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -24,11 +24,11 @@ platforms:
 - name: oracle-6.4
   driver_config:
     box: oracle-6.4
-    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
+    box_url: https://vagrantcloud.com/box-cutter/boxes/oel64/versions/1.0.8/providers/virtualbox.box
 - name: oracle-6.5
   driver_config:
     box: oracle-6.5
-    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
+    box_url: https://vagrantcloud.com/box-cutter/boxes/oel65/versions/1.0.8/providers/virtualbox.box
 - name: debian-6
   driver_config:
     box: debian-6
@@ -37,7 +37,38 @@ platforms:
   driver_config:
     box: debian-7
     box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-7.7.0-amd64_virtualbox.box
+
 suites:
 - name: default
   run_list:
-  - role[postgresql]
+    - recipe[chef-solo-search]
+    - recipe[apt]
+    - recipe[postgresql::server]
+    - recipe[postgres-hardening]
+  excludes: ["centos-6.4", "centos-6.5", "oracle-6.4", "oracle-6.5"]
+  attributes: {
+    postgresql: {
+      enable_pgdg_apt: true,
+      version: "9.3",
+      password: {
+        postgres: "iloverandompasswordsbutthiswilldo"
+      }
+    }
+  }
+- name: default-rhel
+  run_list:
+    - recipe[chef-solo-search]
+    - recipe[apt]
+    - recipe[postgresql::server]
+    - recipe[postgres-hardening]
+  excludes: ["debian-6", "debian-7", "ubuntu-12.04", "ubuntu-14.04"]
+  attributes: {
+    postgresql: {
+      enable_pgdg_yum: true,
+      version: "9.3",
+      password: {
+        postgres: "iloverandompasswordsbutthiswilldo"
+      }
+    }
+  }
+
diff --git a/README.md b/README.md
@@ -26,6 +26,28 @@ add the following to your runlist and customize security option attributes
   "recipe[postgres-hardening]"
 ```
 
+You should also use the official postgres packages, because those offer the latest fixes. Enable the suitable option for the [postgres cookbook](https://github.com/hw-cookbooks/postgresql).
+
+```bash
+"postgresql": {
+
+   # debian, ubuntu
+   "enable_pgdg_apt": true
+
+   # rhel
+   "enable_pgdg_yum": true
+
+}
+```
+
+The hardening cookbook is only optimized for Postgresql 9.3. This can be activated for [postgres cookbook](https://github.com/hw-cookbooks/postgresql).
+
+```bash
+"postgresql": {
+   version: "9.3"
+}
+```
+
 ### Enable SSL
 
 Please read http://www.postgresql.org/docs/9.1/static/ssl-tcp.html first. 

diff --git a/spec/default_spec.rb b/spec/default_spec.rb
@@ -4,7 +4,18 @@
 
 describe 'postgres-hardening::default' do
 
-  let(:chef_run) { ChefSpec::SoloRunner.converge(described_recipe) }
+  let(:chef_run) do
+    ChefSpec::SoloRunner.new do |node|
+      node.set['postgresql']['version'] = '9.3'
+    end.converge(described_recipe)
+  end
+
+  before do
+    @postgres_version = '9.3'
+    stub_command("ls /var/lib/postgresql/#{@postgres_version}/main/recovery.conf").and_return(true)
+    stub_command("ls -l /var/lib/postgresql/#{@postgres_version}/main/server.crt |grep /etc/ssl/certs/ssl-cert-snakeoil.pem").and_return(true)
+    stub_command("ls -l /var/lib/postgresql/#{@postgres_version}/main/server.key |grep /etc/ssl/private/ssl-cert-snakeoil.key").and_return(true)
+  end
 
   it 'includes postgres-hardening::hardening recipe' do
     expect(chef_run).to include_recipe('postgres-hardening::hardening')

diff --git a/spec/hardening_spec.rb b/spec/hardening_spec.rb
@@ -7,10 +7,10 @@
   context 'with platform_family debian' do
 
     platforms = [
-      { os_name: 'ubuntu', os_version: '12.04', postgres_version: '9.1' },
+      { os_name: 'ubuntu', os_version: '12.04', postgres_version: '9.3' },
       { os_name: 'ubuntu', os_version: '14.04', postgres_version: '9.3' },
-      { os_name: 'debian', os_version: '6.0.5', postgres_version: '8.4' },
-      { os_name: 'debian', os_version: '7.5', postgres_version: '9.1' }
+      { os_name: 'debian', os_version: '6.0.5', postgres_version: '9.3' },
+      { os_name: 'debian', os_version: '7.5', postgres_version: '9.3' }
     ]
 
     platforms.each do |platform|
@@ -20,11 +20,14 @@
         let(:chef_run) do
           ChefSpec::ServerRunner.new(
             platform: platform[:os_name], version: platform[:os_version]
-          ).converge('postgresql::server', 'postgres-hardening::hardening')
+          ) do |node|
+            node.set['postgresql']['version'] = '9.3'
+          end.converge('postgresql::server', 'postgres-hardening::hardening')
         end
 
         before do
           @postgres_version = platform[:postgres_version]
+          stub_command("ls /var/lib/postgresql/#{@postgres_version}/main/recovery.conf").and_return(true)
         end
 
         it 'creates necessary directories with correct mode' do