Merge 87d0afe into e30e8c4

.gitignore

@@ -1,7 +1,26 @@
+test/integration
+
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+coverage
 exp.*
-.kitchen
-Gemfile.lock
+pkg/
+shared_test_repo/
+
+# Berkshelf
+.vagrant
+/cookbooks
 Berksfile.lock
+
+# Bundler
+Gemfile.lock
+bin/*
+.bundle/*
+
+# Test Kitchen
+.kitchen/
 .kitchen.local.yml
-shared_test_repo/
-test/integration

.rubocop.yml

@@ -1,20 +1,23 @@
 AllCops:
+  DisplayCopNames: true
   Exclude:
     - vendor/**
-    - metadata.rb
-    - '**/Puppetfile'
-
-Documentation:
+Metrics/LineLength:
   Enabled: false
-AlignParameters:
-  Enabled: true
-Encoding:
-  Enabled: true
-HashSyntax:
-  Enabled: true
-LineLength:
-  Enabled: false
-MethodLength:
+Metrics/MethodLength:
   Max: 30
-NumericLiterals:
+Style/Documentation:
+  Enabled: false
+Style/Encoding:
+  EnforcedStyle: always
+  Enabled: true
+Style/ExtraSpacing:
+  Exclude:
+    - attributes/hardening.rb
+Style/NumericLiterals:
   MinDigits: 10
+Style/RegexpLiteral:
+  AllowInnerSlashes: true
+Style/SpaceAroundOperators:
+  Exclude:
+    - attributes/hardening.rb

.travis.yml

@@ -1,5 +1,4 @@
 rvm:
-  - 1.9.3
-  - 2.0.0
+  - 2.3.1
 language: ruby
 bundler_args: --without development integration openstack

Berksfile

@@ -1,7 +1,8 @@
-source "https://supermarket.getchef.com"
+# encoding: utf-8
 
-metadata
+source 'https://supermarket.chef.io'
 
-cookbook "apt"
-cookbook "chef-solo-search", :git => "https://github.com/edelight/chef-solo-search"
+metadata
 
+cookbook 'apt'
+cookbook 'chef-solo-search', git: 'https://github.com/edelight/chef-solo-search'

Gemfile

@@ -2,18 +2,23 @@
 
 source 'https://rubygems.org'
 
-gem 'berkshelf',  '~> 3.0'
-gem 'chef',       '~> 11.12'
-gem 'chefspec',   '~> 3.4'
-gem 'foodcritic', '~> 3.0'
-gem 'thor-foodcritic'
-gem 'rake'
-gem 'rubocop',    '~> 0.23'
+gem 'berkshelf',  '~> 5.0'
+gem 'chef',       '~> 12.14'
+
+group :test do
+  gem 'chefspec', '~> 5.0'
+  gem 'coveralls', require: false
+  gem 'foodcritic', '~> 6.3'
+  gem 'rake'
+  gem 'rubocop', '~> 0.43.0'
+  gem 'thor-foodcritic'
+  gem 'simplecov', '~> 0.10'
+end
 
 group :development do
   gem 'guard'
   gem 'guard-rspec'
-  gem 'guard-kitchen'
+  # gem 'guard-kitchen' # guard-kitchen is not compatable with Guard 2.x
   gem 'guard-rubocop'
   gem 'guard-foodcritic'
 end

Guardfile

@@ -17,16 +17,17 @@ end
 
 guard :rspec do
   watch(/^spec\/.+_spec\.rb$/)
-  watch(/^(recipes)\/(.+)\.rb$/)     { |m| "spec/#{m[1]}_spec.rb" }
-  watch('spec/spec_helper.rb')  { 'spec' }
+  watch(/^(recipes)\/(.+)\.rb$/) { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb') { 'spec' }
 end
 
-guard :kitchen, all_on_start: false do
-  watch(/test\/.+/)
-  watch(/^recipes\/(.+)\.rb$/)
-  watch(/^attributes\/(.+)\.rb$/)
-  watch(/^files\/(.+)/)
-  watch(/^templates\/(.+)/)
-  watch(/^providers\/(.+)\.rb/)
-  watch(/^resources\/(.+)\.rb/)
-end
+# guard-kitchen is not compatable with Guard 2.x
+# guard :kitchen, all_on_start: false do
+#   watch(/test\/.+/)
+#   watch(/^recipes\/(.+)\.rb$/)
+#   watch(/^attributes\/(.+)\.rb$/)
+#   watch(/^files\/(.+)/)
+#   watch(/^templates\/(.+)/)
+#   watch(/^providers\/(.+)\.rb/)
+#   watch(/^resources\/(.+)\.rb/)
+# end

README.md

@@ -1,5 +1,11 @@
 # percona-hardening (Chef cookbook)
 
+[![Supermarket](http://img.shields.io/cookbook/v/percona-hardening.svg)][https://supermarket.getchef.com/cookbooks/percona-hardening]
+[![Build Status](http://img.shields.io/travis/dev-sec/chef-percona-hardening.svg)][http://travis-ci.org/dev-sec/chef-percona-hardening]
+[![Code Coverage](http://img.shields.io/coveralls/dev-sec/chef-percona-hardening.svg)][https://coveralls.io/r/dev-sec/chef-percona-hardening]
+[![Dependencies](http://img.shields.io/gemnasium/dev-sec/chef-percona-hardening.svg)][https://gemnasium.com/dev-sec/chef-percona-hardening]
+[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][https://gitter.im/dev-sec/general]
+
 ## Description
 
 Provides security configurations for [Percona](http://www.percona.com/). It is intended to set up production-ready Percona instances that are configured with minimal surface for attackers.
@@ -57,7 +63,7 @@ Add the following to your run list and customize security option attributes
 
 ## Security Options
 
-Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) 
+Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
 
  * default['percona']['security']['chroot'] - [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
  * default['percona']['security']['safe_user_create'] - [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)

metadata.rb

@@ -15,22 +15,25 @@
 # limitations under the License.
 #
 
-name             "percona-hardening"
-maintainer       "Christoph Hartmann"
-maintainer_email "chris@lollyrock.com"
-license          "Apache v2.0"
-description      "Installs and configures a secure percona server"
+name             'percona-hardening'
+maintainer       'Christoph Hartmann'
+maintainer_email 'chris@lollyrock.com'
+license          'Apache v2.0'
+description      'Installs and configures a secure percona server'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          "1.0.0"
+version          '1.0.0'
 
-depends 'percona' , ">= 0.15.5"
+depends 'percona', '>= 0.15.5'
 
 recipe 'percona-hardening::default', 'installs a hardened percona server'
 recipe 'percona-hardening::server', 'installs a hardened percona server'
 
 supports 'amazon'
-supports 'redhat'
 supports 'centos'
-supports 'fedora'
 supports 'debian'
-supports 'ubuntu'
+supports 'fedora'
+supports 'redhat'
+supports 'ubuntu'
+
+source_url 'https://github.com/dev-sec/chef-percona-hardening'
+issues_url 'https://github.com/dev-sec/chef-percona-hardening/issues'

recipes/hardening.rb

@@ -20,7 +20,7 @@
 #
 
 # protect my.cnf
-File node['percona']['main_config_file'] do
+file node['percona']['main_config_file'] do
   mode '600'
   owner node['percona']['server']['username']
   group 'root'
@@ -35,8 +35,13 @@
 end
 
 # ensure permissions
-directory node["percona"]["server"]["datadir"]  do
+directory node['percona']['server']['datadir'] do
   mode '755'
   owner node['percona-hardening']['user']
   action :create
 end
+
+# need to stub the mysql service for chefspec since it is from a different cookbook
+service 'mysql' do
+  action :nothing
+end if defined?(ChefSpec)

spec/recipes/default_spec.rb

@@ -0,0 +1,45 @@
+# encoding: UTF-8
+#
+# Copyright 2016, Grant Ridder
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+
+describe 'percona-hardening::default' do
+  before do
+    allow_any_instance_of(Chef::Recipe).to receive(:include_recipe).and_call_original
+    allow_any_instance_of(Chef::Recipe).to receive(:include_recipe).with('percona-hardening::hardening')
+  end
+
+  cached(:chef_run) do
+    ChefSpec::ServerRunner.new(platform: 'ubuntu', version: '16.04').converge(described_recipe)
+  end
+
+  # check that the recipes are executed
+  it 'includes hardening recipe' do
+    expect_any_instance_of(Chef::Recipe).to receive(:include_recipe).with('percona-hardening::hardening')
+    chef_run
+  end
+
+  context 'chef-solo' do
+    cached(:chef_run) do
+      ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '16.04').converge(described_recipe)
+    end
+
+    it 'does not raise an error' do
+      expect { chef_run }.not_to raise_error
+    end
+  end
+end

spec/recipes/hardening_spec.rb

@@ -0,0 +1,63 @@
+# encoding: UTF-8
+#
+# Copyright 2016, Grant Ridder
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+
+describe 'percona-hardening::hardening' do
+  cached(:chef_run) do
+    ChefSpec::ServerRunner.new(platform: 'ubuntu', version: '16.04').converge(described_recipe)
+  end
+
+  it 'create /etc/mysql/my.cnf file' do
+    expect(chef_run).to create_file('/etc/mysql/my.cnf').with(
+      mode: '600',
+      owner: 'mysql',
+      group: 'root'
+    )
+  end
+
+  it 'create /etc/mysql/conf.d/hardening.cnf template' do
+    expect(chef_run).to create_template('/etc/mysql/conf.d/hardening.cnf').with(
+      owner: 'mysql',
+      mode: '750',
+      source: 'hardening.cnf.erb'
+    )
+    resource = chef_run.template('/etc/mysql/conf.d/hardening.cnf')
+    expect(resource).to notify('service[mysql]').to(:restart).immediately
+  end
+
+  it 'create /var/lib/mysql directory' do
+    expect(chef_run).to create_directory('/var/lib/mysql').with(
+      owner: 'mysql',
+      mode: '755'
+    )
+  end
+
+  it 'stubbing mysql service for chefspec' do
+    expect(chef_run).to_not enable_service('mysql')
+  end
+
+  context 'chef-solo' do
+    cached(:chef_run) do
+      ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '16.04').converge(described_recipe)
+    end
+
+    it 'does not raise an error' do
+      expect { chef_run }.not_to raise_error
+    end
+  end
+end

spec/spec_helper.rb

@@ -17,3 +17,9 @@
 
 require 'chefspec'
 require 'chefspec/berkshelf'
+require 'chefspec/cacher'
+require 'coveralls'
+
+# coverage report
+Coveralls.wear!
+at_exit { ChefSpec::Coverage.report! }