Merge pull request #127 from shortdudey123/update_test

Update Rubocop, Foodcritic, and Chefspec coverage

.gitignore

@@ -1,8 +1,24 @@
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+coverage
 exp.*
-.kitchen
-Berksfile.lock
-.kitchen.local.yml
+pkg/
 shared_test_repo/
-test/integration
+
+# Berkshelf
+.vagrant
+/cookbooks
+Berksfile.lock
+
+# Bundler
 Gemfile.lock
-coverage
+bin/*
+.bundle/*
+
+# Test Kitchen
+.kitchen/
+.kitchen.local.yml

.rubocop.yml

@@ -1,32 +1,34 @@
 ---
 AllCops:
+  DisplayCopNames: true
   Exclude:
   - vendor/**/*
   - test/**/*
-  - metadata.rb
-  - Berksfile
-Documentation:
+Metrics/AbcSize:
+  Max: 29
+Metrics/LineLength:
+  Enabled: false
+Metrics/MethodLength:
+  Max: 40
+Style/Documentation:
   Enabled: false
-AlignParameters:
+Style/DotPosition:
+  EnforcedStyle: trailing
   Enabled: true
-Encoding:
+Style/Encoding:
+  EnforcedStyle: always
   Enabled: true
-HashSyntax:
+Style/ExtraSpacing:
+  Exclude:
+    - attributes/default.rb
+Style/HashSyntax:
   Enabled: true
-LineLength:
-  Enabled: false
-EmptyLinesAroundBlockBody:
+Style/NumericLiteralPrefix:
   Enabled: false
-MethodLength:
-  Max: 40
-NumericLiterals:
+Style/NumericLiterals:
   MinDigits: 10
-Metrics/CyclomaticComplexity:
-  Max: 10
-Metrics/PerceivedComplexity:
-  Max: 10
-Metrics/AbcSize:
-  Max: 29
-Style/DotPosition:
-  EnforcedStyle: trailing
-  Enabled: true
+Style/RegexpLiteral:
+  AllowInnerSlashes: true
+Style/SpaceAroundOperators:
+  Exclude:
+    - attributes/default.rb

Berksfile

@@ -1,3 +1,5 @@
-source "https://supermarket.getchef.com"
+# encoding: utf-8
+
+source 'https://supermarket.chef.io'
 
 metadata

Gemfile

@@ -15,8 +15,8 @@ end
 group :test do
   gem 'rake'
   gem 'chefspec',   '~> 4.2.0'
-  gem 'foodcritic', '~> 4.0'
-  gem 'rubocop',    '~> 0.28.0'
+  gem 'foodcritic', '~> 6.3'
+  gem 'rubocop',    '~> 0.43.0'
   gem 'coveralls',  require: false
   gem 'bundler', '~> 1.5'
   gem 'minitest', '~> 5.5'
@@ -26,7 +26,7 @@ end
 group :development do
   gem 'guard'
   gem 'guard-rspec'
-  gem 'guard-kitchen'
+  # gem 'guard-kitchen' # guard-kitchen is not compatable with Guard 2.x
   gem 'guard-rubocop'
   gem 'guard-foodcritic'
 end

Guardfile

@@ -17,16 +17,17 @@ end
 
 guard :rspec do
   watch(/^spec\/.+_spec\.rb$/)
-  watch(/^(recipes)\/(.+)\.rb$/)     { |m| "spec/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { 'spec' }
+  watch(/^(recipes)\/(.+)\.rb$/) { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb') { 'spec' }
 end
 
-guard :kitchen, all_on_start: false do
-  watch(/test\/.+/)
-  watch(/^recipes\/(.+)\.rb$/)
-  watch(/^attributes\/(.+)\.rb$/)
-  watch(/^files\/(.+)/)
-  watch(/^templates\/(.+)/)
-  watch(/^providers\/(.+)\.rb/)
-  watch(/^resources\/(.+)\.rb/)
-end
+# guard-kitchen is not compatable with Guard 2.x
+# guard :kitchen, all_on_start: false do
+#   watch(/test\/.+/)
+#   watch(/^recipes\/(.+)\.rb$/)
+#   watch(/^attributes\/(.+)\.rb$/)
+#   watch(/^files\/(.+)/)
+#   watch(/^templates\/(.+)/)
+#   watch(/^providers\/(.+)\.rb/)
+#   watch(/^resources\/(.+)\.rb/)
+# end

attributes/default.rb

@@ -19,7 +19,7 @@
 # limitations under the License.
 
 # Define the packages based on operating system
-case platform_family
+case node['platform_family']
 when 'rhel', 'fedora'
   default['os-hardening']['packages']['pam_ccreds'] = 'pam_ccreds'
   default['os-hardening']['packages']['pam_passwdqc'] = 'pam_passwdqc'

attributes/sysctl.rb

@@ -21,7 +21,7 @@
 default['sysctl']['params']['net']['ipv4']['ip_forward'] =
   node['os-hardening']['network']['forwarding'] ? 1 : 0
 default['sysctl']['params']['net']['ipv6']['conf']['all']['forwarding'] =
-  (node['os-hardening']['network']['ipv6']['enable'] && node['os-hardening']['network']['forwarding']) ? 1 : 0
+  node['os-hardening']['network']['ipv6']['enable'] && node['os-hardening']['network']['forwarding'] ? 1 : 0
 
 # Enable RFC-recommended source validation feature. It should not be used for
 # routers on complex networks, but is helpful for end hosts and routers serving
@@ -46,7 +46,7 @@
 
 # Disable or Enable IPv6 as it is needed.
 default['sysctl']['params']['net']['ipv6']['conf']['all']['disable_ipv6'] =
-    node['os-hardening']['network']['ipv6']['enable'] ? 0 : 1
+  node['os-hardening']['network']['ipv6']['enable'] ? 0 : 1
 
 # Protect against wrapping sequence numbers at gigabit speeds:
 default['sysctl']['params']['net']['ipv4']['tcp_timestamps'] = 0
@@ -76,7 +76,7 @@
 #           announce.
 #
 default['sysctl']['params']['net']['ipv4']['conf']['all']['arp_ignore'] =
-    node['os-hardening']['network']['arp']['restricted'] ? 1 : 0
+  node['os-hardening']['network']['arp']['restricted'] ? 1 : 0
 
 # Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
 #
@@ -92,7 +92,7 @@
 # * **4-7** - reserved
 # * **8** - do not reply for all local addresses
 default['sysctl']['params']['net']['ipv4']['conf']['all']['arp_announce'] =
-    node['os-hardening']['network']['arp']['restricted'] ? 2 : 0
+  node['os-hardening']['network']['arp']['restricted'] ? 2 : 0
 
 # RFC 1337 fix F1
 default['sysctl']['params']['net']['ipv4']['tcp_rfc1337'] = 1
@@ -179,7 +179,7 @@
 
 # ExecShield protection against buffer overflows
 # unless node['platform'] == "ubuntu" # ["nx"].include?(node['cpu'][0]['flags']) or
-case platform_family
+case node['platform_family']
 when 'rhel', 'fedora'
   default['sysctl']['params']['kernel']['exec-shield'] = 1
 end

gemfile.chef-11

@@ -16,7 +16,7 @@ group :test do
   gem 'chefspec',   '~> 4.1.1'
   gem 'foodcritic', '~> 3.0'
   gem 'thor-foodcritic'
-  gem 'rubocop',    '~> 0.28.0'
+  gem 'rubocop',    '~> 0.43.0'
   gem 'coveralls',  require: false
 end
 

libraries/apt_package_extras.rb

@@ -53,7 +53,7 @@ def self.get_providing_packages(package_name)
         # The provider functionality isn't easily exposed for consumption in other recipes
 
         unless virtual_package?(package_name)
-          fail("#{package_name} is not a virtual package, cannot remove providing packages.")
+          raise "#{package_name} is not a virtual package, cannot remove providing packages."
         end
 
         showpkg = Mixlib::ShellOut.new("apt-cache showpkg '#{package_name}'")

libraries/cookbook_version.rb

@@ -24,7 +24,7 @@ class Recipe
     def cookbook_version(cookbook_name, version_contraint)
       cb = run_context.cookbook_collection[cookbook_name]
       if cb.nil?
-        fail "Can't find cookbook #{cookbook_name}! Can't determine its version."
+        raise "Can't find cookbook #{cookbook_name}! Can't determine its version."
       end
 
       v = cb.metadata.version

libraries/suid_sgid.rb

@@ -47,21 +47,21 @@ def self.find_all_suid_sgid_files(start_at = '/')
       def self.remove_suid_sgid_from_blacklist(blacklist)
         blacklist.
           select { |file| File.exist?(file) }.
-          each do|file|
+          each do |file|
             Chef::Log.info "suid_sgid: Blacklist SUID/SGID for '#{file}', removing bit..."
             remove_suid_sgid_from(file)
           end
       end
 
       def self.remove_suid_sgid_from_unknown(whitelist = [], root = '/', dry_run = false)
-        all_suid_sgid_files = find_all_suid_sgid_files(root).select do|file|
+        all_suid_sgid_files = find_all_suid_sgid_files(root).select do |file|
           in_whitelist = whitelist.include?(file)
           Chef::Log.info "suid_sgid: Whitelisted file '#{file}', not altering SUID/SGID bit" if in_whitelist && !dry_run
           !in_whitelist
         end
 
-        all_suid_sgid_files.each do|file|
-          Chef::Log.info "suid_sgid: SUID/SGID on '#{file}'" + ((dry_run) ? ' (dry_run)' : ', removing bit...')
+        all_suid_sgid_files.each do |file|
+          Chef::Log.info "suid_sgid: SUID/SGID on '#{file}'" + dry_run ? ' (dry_run)' : ', removing bit...'
           remove_suid_sgid_from(file) unless dry_run
         end
       end

metadata.rb

@@ -1,4 +1,4 @@
-# encoding: utf-8
+# encoding: utf-8 # ~FC061
 #
 # Copyright 2014, Deutsche Telekom AG
 #
@@ -15,13 +15,13 @@
 # limitations under the License.
 #
 
-name             "os-hardening"
-maintainer       "Dominik Richter"
-maintainer_email "dominik.richter@googlemail.com"
-license          "Apache 2.0"
-description      "Installs and configures operating system hardening"
+name             'os-hardening'
+maintainer       'Dominik Richter'
+maintainer_email 'dominik.richter@googlemail.com'
+license          'Apache 2.0'
+description      'Installs and configures operating system hardening'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          "2.0.0-beta"
+version          '2.0.0-beta'
 
 supports 'ubuntu', '>= 12.04'
 supports 'debian', '>= 6.0'

recipes/apt.rb

@@ -24,11 +24,9 @@
 # TODO: could check apt.conf to make sure this hasn't been disabled.
 
 if node['os-hardening']['security']['packages']['clean']
-
   # remove packages and handle virtual packages correctly.
   # this is the same package list as used for the redhat distro family
   node['os-hardening']['security']['packages']['list'].each do |pkg|
-
     if !AptPackageExtras.virtual_package?(pkg)
       package pkg do
         action :purge
@@ -40,7 +38,5 @@
         end
       end
     end
-
   end
-
 end

recipes/sysctl.rb

@@ -78,7 +78,7 @@
       owner 'root'
       group 'root'
       variables(
-        x86_64: (!(node['kernel']['machine'] =~ /x86_64/).nil?),
+        x86_64: !(node['kernel']['machine'] =~ /x86_64/).nil?,
         cpuVendor: node['os-hardening']['security']['cpu_vendor']
       )
     end

spec/recipes/default_spec.rb

@@ -18,22 +18,20 @@
 require_relative '../spec_helper'
 
 describe 'os-hardening::default' do
-
   # converge
   let(:chef_run) do
     ChefSpec::ServerRunner.new do |node|
       # sysctl/attributes/default.rb will set the config dir
       # on rhel and debian, but apply requires it for notification
       # therefore we set it manually here
-      node.set['sysctl']['conf_dir'] = '/etc/sysctl.d'
-      node.set['cpu']['0']['vendor_id'] = 'GenuineIntel'
-      node.set['env']['extra_user_paths'] = []
+      node.normal['sysctl']['conf_dir'] = '/etc/sysctl.d'
+      node.normal['cpu']['0']['vendor_id'] = 'GenuineIntel'
+      node.normal['env']['extra_user_paths'] = []
 
       paths = %w(/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin) + node['env']['extra_user_paths']
       paths.each do |folder|
         stub_command("find #{folder}  -perm -go+w -type f | wc -l | egrep '^0$'").and_return(false)
       end
-
     end.converge(described_recipe)
   end
 
@@ -48,5 +46,4 @@
     expect(chef_run).to include_recipe 'os-hardening::securetty'
     expect(chef_run).to include_recipe 'os-hardening::sysctl'
   end
-
 end

spec/recipes/limits_spec.rb

@@ -18,7 +18,6 @@
 require_relative '../spec_helper'
 
 describe 'os-hardening::limits' do
-
   let(:chef_run) do
     ChefSpec::ServerRunner.new.converge(described_recipe)
   end
@@ -31,4 +30,12 @@
     )
   end
 
+  it 'creates /etc/security/limits.d directory' do
+    expect(chef_run).to create_directory('/etc/security/limits.d').with(
+      user:   'root',
+      group:  'root',
+      mode: '0755',
+      recursive: true
+    )
+  end
 end