diff --git a/cookbooks/sshd/.github/workflows/chef.yml b/cookbooks/sshd/.github/workflows/chef.yml
new file mode 100644
index 00000000..be5020b9
--- /dev/null
+++ b/cookbooks/sshd/.github/workflows/chef.yml
@@ -0,0 +1,31 @@
+name: Chef
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ dokken:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ os: ['centos-6', 'centos-7', 'centos-8', 'debian-8', 'debian-9', 'debian-10', 'ubuntu-1604', 'ubuntu-1804', 'ubuntu-2004']
+ suite: ['default', 'sshd-config']
+ fail-fast: false
+ steps:
+ - name: Check out code
+ uses: actions/checkout@master
+ - name: Install Chef
+ uses: actionshub/chef-install@main
+ - name: Linting
+ run: cookstyle -f simple || (echo "Run 'cookstyle -a' to correct cookstyle errors." && exit 1)
+ - name: test-kitchen
+ uses: actionshub/test-kitchen@main
+ with:
+ suite: ${{ matrix.suite }}
+ os: ${{ matrix.os }}
+ env:
+ CHEF_LICENSE: accept-no-persist
+ KITCHEN_LOCAL_YAML: .kitchen.dokken.yml
diff --git a/cookbooks/sshd/.kitchen.dokken.yml b/cookbooks/sshd/.kitchen.dokken.yml
new file mode 100644
index 00000000..399c9f67
--- /dev/null
+++ b/cookbooks/sshd/.kitchen.dokken.yml
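Review bot: The three `uses:` lines reference mutable branch refs (`actions/checkout@master`, `actionshub/chef-install@main`, `actionshub/test-kitchen@main`), so every run executes whatever those upstream branches contain at that moment, with this repository's `GITHUB_TOKEN` in hand; a force-pushed or compromised branch becomes a supply-chain compromise of this cookbook's CI. Pin each action to a release tag at minimum and preferably to a full-length commit SHA with the tag noted in a trailing comment, and let Dependabot or Renovate track the `github-actions` ecosystem so the pins stay current. The workflow also declares no `permissions:` block, so the token inherits the repository's default scope even though nothing in these steps writes back; add `permissions:` / `  contents: read` at the top level (or under the `dokken` job). Because the `pull_request` trigger runs the cookbook's test-kitchen step on untrusted PR code, keeping that token read-only is the main thing limiting what a malicious PR could do with it.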
@@ -0,0 +1,80 @@
+driver:
+ name: dokken
+ privileged: true # because Docker and SystemD/Upstart
+ chef_version: current
+
+transport:
+ name: dokken
+
+provisioner:
+ name: dokken
+ client_rb:
+ chef_license: "accept-silent"
+ deprecations_as_errors: false
+
+platforms:
+ - name: centos-6
+ driver:
+ image: dokken/centos-6
+ pid_one_command: /sbin/init
+ - name: centos-7
+ driver:
+ image: dokken/centos-7
+ pid_one_command: /usr/lib/systemd/systemd
+ - name: centos-8
+ driver:
+ image: dokken/centos-8
+ pid_one_command: /usr/lib/systemd/systemd
+
+ - name: debian-8
+ driver:
+ image: dokken/debian-8
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update
+ - name: debian-9
+ driver:
+ image: dokken/debian-9
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update
+ - name: debian-10
+ driver:
+ image: dokken/debian-10
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update
+
+ - name: ubuntu-16.04
+ driver:
+ image: dokken/ubuntu-16.04
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update
+ - name: ubuntu-18.04
+ driver:
+ image: dokken/ubuntu-18.04
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update
+ - name: ubuntu-20.04
+ driver:
+ image: dokken/ubuntu-20.04
+ pid_one_command: /bin/systemd
+ intermediate_instructions:
+ - RUN /usr/bin/apt-get update
+
+suites:
+ - name: default
+ run_list:
+ - recipe[sshd-test::default]
+
+ - name: sshd_config
+ run_list:
+ - recipe[sshd-test::default]
+ attributes:
+ sshd:
+ sshd_config:
+ ServerKeyBits: 2048
+ ListenAddress: 0.0.0.0
+ PasswordAuthentication: 'no'
diff --git a/cookbooks/sshd/.kitchen.yml b/cookbooks/sshd/.kitchen.yml
index 175f48d0..19e9afe8 100644
--- a/cookbooks/sshd/.kitchen.yml
+++ b/cookbooks/sshd/.kitchen.yml
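Review bot: The `sshd_config` suite's `ServerKeyBits: 2048` is an SSH protocol-1 option; OpenSSH 7.4 dropped protocol 1 and sshd now reports `ServerKeyBits` as a deprecated option and ignores it, so on the centos-8, debian-10 and ubuntu-18.04/20.04 platforms this suite exercises a directive that neither `sshd -t` nor a running daemon will ever act on. Replace it with an option current sshd still honours so the suite actually verifies a hardening directive is rendered, e.g. `PermitRootLogin: 'no'` or `MaxAuthTries: '3'` (quoted, like the existing `PasswordAuthentication: 'no'`, so YAML cannot retype it). Separately, `privileged: true` hands every kitchen container full control of the Docker host — unavoidable for running systemd, as the inline comment says, and fine on an ephemeral GitHub-hosted runner, but worth expanding the comment to `# because Docker and SystemD/Upstart; grants root on the Docker host, CI-only` so nobody points this file at a shared or long-lived daemon.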
@@ -9,13 +9,15 @@ verifier: name: inspec platforms: -- name: ubuntu-18.04 +- name: centos-6.10 +- name: centos-7.8 +- name: centos-8.2 +- name: debian-8.8 +- name: debian-9.12 +- name: debian-10.4 - name: ubuntu-16.04 -- name: ubuntu-14.04 -- name: debian-8.5 -- name: debian-9.0 -- name: centos-7.2 -- name: centos-6.6 +- name: ubuntu-18.04 +- name: ubuntu-20.04 suites: - name: default diff --git a/cookbooks/sshd/.rubocop.yml b/cookbooks/sshd/.rubocop.yml deleted file mode 100644 index 57ca81c9..00000000 --- a/cookbooks/sshd/.rubocop.yml +++ /dev/null @@ -1,34 +0,0 @@ -Metrics/BlockLength: - Exclude: - - 'Rakefile' - - '**/*.rake' - - 'test/**/*.rb' - - spec/**/* - -LineLength: - Max: 200 - -HashSyntax: - EnforcedStyle: ruby19 - -CaseIndentation: - EnforcedStyle: end - -MethodLength: - Max: 50 - -Documentation: - Enabled: false - -ClassAndModuleChildren: - Enabled: false - -SpaceBeforeFirstArg: - Enabled: false - -AbcSize: - Enabled: false - -# In the case of libraries/helpers.rb, parallel assignment just looks so much nicer -ParallelAssignment: - Enabled: false diff --git a/cookbooks/sshd/CHANGELOG.md b/cookbooks/sshd/CHANGELOG.md index 8a4eaf86..6bf7adda 100644 --- a/cookbooks/sshd/CHANGELOG.md +++ b/cookbooks/sshd/CHANGELOG.md @@ -3,6 +3,42 @@ sshd CHANGELOG This file is used to list changes made in each version of the sshd cookbook. +3.1.1 +----- + +- Enable `unify_mode`, for Chef-18 support + + +3.1.0 +----- + +- Add Arch and Amazon linux platforms. Replace foodcritic in Gemfile in favor of cookstyle - [@jhboricua](https://github.com/jhboricua) + + +3.0.0 +----- + +- Rename resource from `openssh_server` to `sshd_server` +- Add platforms: centos-8 debian-10 and ubuntu-20 +- Apply cookstyle linting + +```ruby +# Old notation +sshd_server '/etc/sshd_config' do + Port 1234 + X11Forward 'no' +end + +# New notation +sshd_server '/etc/sshd_config' do + sshd_config( + Port: 1234, + X11Forward: 'no' + ) +end +``` + + 2.0.0 ----- 
@@ -14,7 +50,7 @@ This file is used to list changes made in each version of the sshd cookbook. ```ruby # Old notation -openssh_server '/etc/sshd_config' do +open_server '/etc/sshd_config' do Port 1234 X11Forward 'no' end diff --git a/cookbooks/sshd/Gemfile b/cookbooks/sshd/Gemfile index f4bac386..9001ebcb 100644 --- a/cookbooks/sshd/Gemfile +++ b/cookbooks/sshd/Gemfile @@ -1,8 +1,7 @@ source 'https://rubygems.org' group :lint do - gem 'foodcritic' - gem 'rubocop' + gem 'cookstyle' end group :unit do diff --git a/cookbooks/sshd/README.md b/cookbooks/sshd/README.md index 230dfdfc..ac9290de 100644 --- a/cookbooks/sshd/README.md +++ b/cookbooks/sshd/README.md @@ -91,13 +91,13 @@ depends 'sshd' To install and configure openssh-server from other recipes, use the following resource: ```ruby -openssh_server node['sshd']['config_file'] +sshd_server node['sshd']['config_file'] ``` or, if you need a configuration which differs from the default ```ruby -openssh_server '/etc/sshd_config' do +sshd_server '/etc/sshd_config' do sshd_config( Port: 1234, X11Forward: 'no' @@ -108,7 +108,7 @@ end The resource accepts all configuration options `sshd_config` supports. ```ruby -openssh_server node['sshd']['config_file'] do +sshd_server node['sshd']['config_file'] do sshd_config( Port: 1234 X11Forward: 'yes' @@ -132,7 +132,7 @@ end In case you need it, you can also use a custom template to use for `sshd_config` ```ruby -openssh_server node['sshd']['config_file'] do +sshd_server node['sshd']['config_file'] do cookbook 'mycookbook' source 'mytemplate.erb' end @@ -189,4 +189,4 @@ Contributions of any sort are very welcome! # License and Authors Authors: Chris Aumann -Contributors: Jeremy Olliver, Andy Thompson, Peter Walz, Kevin Olbrich, Johnny Martin +Contributors: Jeremy Olliver, Andy Thompson, Peter Walz, Kevin Olbrich, Johnny Martin, Renato Covarrubias, Jose A. Hernandez 
diff --git a/cookbooks/sshd/attributes/default.rb b/cookbooks/sshd/attributes/default.rb index 0463c2f0..54788911 100644 --- a/cookbooks/sshd/attributes/default.rb +++ b/cookbooks/sshd/attributes/default.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: sshd +# Cookbook:: sshd # Attributes:: default # -# Copyright 2012, Chris Aumann +# Copyright:: 2012, Chris Aumann # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,8 +20,7 @@ # The package to install default['sshd']['package'] = - case node['platform'] - when 'archlinux', 'suse' + if platform?('arch', 'suse') 'openssh' else 'openssh-server' @@ -29,8 +28,7 @@ # Path to 'sshd' executable default['sshd']['sshd_path'] = - case node['platform'] - when 'redhat', 'centos' + if platform?('redhat', 'centos') node['platform_version'].to_i >= 7 ? '/sbin/sshd' : '/usr/sbin/sshd' else '/usr/sbin/sshd' @@ -38,8 +36,7 @@ # Path to 'sshd_config' configuration file default['sshd']['config_file'] = - case node['platform_family'] - when 'mac_os_x' + if platform_family?('mac_os_x') '/etc/sshd_config' else '/etc/ssh/sshd_config' @@ -47,8 +44,7 @@ # OpenSSH service name default['sshd']['service_name'] = - case node['platform_family'] - when 'debian' + if platform_family?('debian') 'ssh' else 'sshd' 
@@ -76,22 +72,32 @@ case node['platform_family'] when 'debian', 'mac_os_x' '0o644' - when 'rhel', 'fedora' + when 'amazon', 'arch', 'fedora', 'rhel' '0o600' end # Initialize sftp subsystem default['sshd']['sshd_config']['Subsystem'] = case node['platform_family'] + when 'arch' + 'sftp /usr/lib/ssh/sftp-server' when 'debian' 'sftp /usr/lib/openssh/sftp-server' - when 'rhel', 'fedora' + when 'amazon', 'fedora', 'rhel' 'sftp /usr/libexec/openssh/sftp-server' when 'mac_os_x' 'sftp /usr/libexec/sftp-server' end case node['platform_family'] +when 'amazon' + default['sshd']['sshd_config']['SyslogFacility'] = 'AUTHPRIV' + default['sshd']['sshd_config']['AcceptEnv'] = 'LANG LANGUAGE LC_* XMODIFIERS' + +when 'arch' + default['sshd']['sshd_config']['SyslogFacility'] = 'AUTH' + default['sshd']['sshd_config']['X11Forwarding'] = 'no' + when 'debian' # On debian-like systems, pam takes care of the motd default['sshd']['sshd_config']['PrintMotd'] = 'no' diff --git a/cookbooks/sshd/libraries/helpers.rb b/cookbooks/sshd/libraries/helpers.rb index 0e6b8b4d..ee970abd 100644 --- a/cookbooks/sshd/libraries/helpers.rb +++ b/cookbooks/sshd/libraries/helpers.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: sshd +# Cookbook:: sshd # Library:: helpers # -# Copyright 2012, Chris Aumann +# Copyright:: 2012, Chris Aumann # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -35,12 +35,14 @@ def generate_sshd_config(config) # Generate the configuration file. # Sort the hash, so Chef doesn't restart if nothing changed but the order config.sort.each do |e| - key, value = e[0], e[1] + key = e[0] + value = e[1] # Hashes are conditional blocks, which have to be placed at the end of the file if value.is_a? Hash value.sort.each do |se| - k, v = se[0], se[1] + k = se[0] + v = se[1] conditional_blocks << "#{key} #{k}\n" Array(v).each { |x, y| conditional_blocks << " #{x} #{y}\n" } end 
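Review bot: The new `value = e[1]` and `v = se[1]` assignments feed attribute values straight into `"#{key} #{k}\n"` and `" #{x} #{y}\n"` with no validation, so a value containing a newline appends extra directives to the generated sshd_config — an attribute set from a role, environment or data bag can silently turn one directive into two, and an injected line that is itself well-formed will sail through the later `sshd -t` check. Values only come from node attributes, so this is a hardening point rather than an exposed bug, but the check is one line at the top of the outer loop: `raise ArgumentError, "sshd_config value for #{key} contains a line break" if value.to_s =~ /[\r\n]/` (and the same for `v` inside the conditional-block loop). generate_sshd_config starts before this hunk and its non-Hash branch and return are after it, so the guard should cover whatever that branch does with `value` as well.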
diff --git a/cookbooks/sshd/libraries/matchers.rb b/cookbooks/sshd/libraries/matchers.rb index b9f0c478..8b137891 100644 --- a/cookbooks/sshd/libraries/matchers.rb +++ b/cookbooks/sshd/libraries/matchers.rb @@ -1,5 +1 @@ -if defined?(ChefSpec) - def create_opensshd_server(resource_name) - ChefSpec::Matchers::ResourceMatcher.new(:openssh_server, :create, resource_name) - end -end + diff --git a/cookbooks/sshd/metadata.rb b/cookbooks/sshd/metadata.rb index 1f0efd25..2536d609 100644 --- a/cookbooks/sshd/metadata.rb +++ b/cookbooks/sshd/metadata.rb @@ -3,13 +3,12 @@ maintainer_email 'me@chr4.org' license 'GPL-3.0-or-later' description 'Installs/Configures sshd' -long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '2.0.0' -source_url 'https://github.com/chr4-cookbooks/sshd' if respond_to?(:source_url) -issues_url 'https://github.com/chr4-cookbooks/sshd/issues' if respond_to?(:issues_url) +version '3.1.1' +source_url 'https://github.com/chr4-cookbooks/sshd' +issues_url 'https://github.com/chr4-cookbooks/sshd/issues' -%w(ubuntu debian redhat centos).each do |os| +%w(amazon centos debian fedora redhat ubuntu).each do |os| supports os end -chef_version '>= 12.7' if respond_to?(:chef_version) +chef_version '>= 15.3' diff --git a/cookbooks/sshd/recipes/default.rb b/cookbooks/sshd/recipes/default.rb index 57aa00e0..e9a81a2c 100644 --- a/cookbooks/sshd/recipes/default.rb +++ b/cookbooks/sshd/recipes/default.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: sshd +# Cookbook:: sshd # Recipe:: default # -# Copyright 2012, Chris Aumann +# Copyright:: 2012, Chris Aumann # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -26,12 +26,11 @@ directory File.dirname(node['sshd']['config_file']) do owner 'root' group node['root_group'] - mode 0o755 + mode '755' end # Configure service -openssh_server node['sshd']['config_file'] do - name node['sshd']['config_file'] +sshd_server node['sshd']['config_file'] do cookbook 'sshd' source 'sshd_config.erb' action :create diff --git a/cookbooks/sshd/resources/openssh_server.rb b/cookbooks/sshd/resources/server.rb similarity index 85% rename from cookbooks/sshd/resources/openssh_server.rb rename to cookbooks/sshd/resources/server.rb index 8dced675..52d2d104 100644 --- a/cookbooks/sshd/resources/openssh_server.rb +++ b/cookbooks/sshd/resources/server.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: sshd -# Definition:: openssh_server +# Cookbook:: sshd +# Definition:: sshd_server # -# Copyright 2012, Chris Aumann +# Copyright:: 2012, Chris Aumann # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -17,10 +17,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . # +unified_mode true -resource_name :openssh_server - -property :name, String property :sshd_config, Hash, default: {} property :template_action, default: :create property :cookbook, String, default: 'sshd' @@ -44,6 +42,7 @@ # Check sshd_config execute 'check_sshd_config' do command "#{node['sshd']['sshd_path']} -t -f #(unknown)" + only_if { node['sshd']['sshd_config']['HostKey'].map { |f| ::File.exist?(f) }.include?(true) } action :nothing end @@ -52,6 +51,14 @@ action :nothing end + directory '/run/sshd' do + owner 'root' + group 'root' + mode '0755' + action :create + only_if { platform?('debian', 'ubuntu') } + end + template filename do owner 'root' group node['root_group'] diff --git a/cookbooks/sshd/spec/unit/recipes/default_spec.rb b/cookbooks/sshd/spec/unit/recipes/default_spec.rb index 308ed82f..8290e7cb 100644 
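Review bot: The new `only_if` on `check_sshd_config` calls `.map` directly on `node['sshd']['sshd_config']['HostKey']`, so it raises NoMethodError when that attribute is unset or is a single String rather than an Array, and it skips the `sshd -t` syntax check entirely whenever no host key exists yet — which is precisely the first-converge case where a bad template would be written unchecked and the service restart (presumably notified elsewhere in this resource, outside the hunk) would then fail and take remote access with it. Make the guard tolerant of both attribute shapes and keep the skip explicit: `only_if { Array(node['sshd']['sshd_config']['HostKey']).any? { |f| ::File.exist?(f) } }`, with a comment such as `# sshd -t aborts with "no hostkeys available" until the first service start generates them; skip the check only in that state`. If surviving a first boot is the goal, generating the keys before the check (`ssh-keygen -A` via an `execute` with `not_if` on the key files) is safer than skipping validation. The `/run/sshd` directory added in the following hunk looks right for Debian/Ubuntu's privilege-separation directory (root-owned, `0755`).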
--- a/cookbooks/sshd/spec/unit/recipes/default_spec.rb +++ b/cookbooks/sshd/spec/unit/recipes/default_spec.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: sshd +# Cookbook:: sshd # Spec:: default # -# Copyright (c) 2016 The Authors, All Rights Reserved. +# Copyright:: (c) 2016 The Authors, All Rights Reserved. require 'spec_helper' @@ -28,7 +28,7 @@ end it 'executes custom resource' do - expect(chef_run).to create_openssh_server('/etc/ssh/sshd_config') + expect(chef_run).to create_sshd_server('/etc/ssh/sshd_config') end end end diff --git a/cookbooks/sshd/test/cookbooks/sshd-test/attributes/default.rb b/cookbooks/sshd/test/cookbooks/sshd-test/attributes/default.rb index 0463c2f0..e24bcfe7 100644 --- a/cookbooks/sshd/test/cookbooks/sshd-test/attributes/default.rb +++ b/cookbooks/sshd/test/cookbooks/sshd-test/attributes/default.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: sshd +# Cookbook:: sshd # Attributes:: default # -# Copyright 2012, Chris Aumann +# Copyright:: 2012, Chris Aumann # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,8 +20,7 @@ # The package to install default['sshd']['package'] = - case node['platform'] - when 'archlinux', 'suse' + if platform?('arch', 'suse') 'openssh' else 'openssh-server' @@ -29,8 +28,7 @@ # Path to 'sshd' executable default['sshd']['sshd_path'] = - case node['platform'] - when 'redhat', 'centos' + if platform?('redhat', 'centos') node['platform_version'].to_i >= 7 ? '/sbin/sshd' : '/usr/sbin/sshd' else '/usr/sbin/sshd' @@ -38,8 +36,7 @@ # Path to 'sshd_config' configuration file default['sshd']['config_file'] = - case node['platform_family'] - when 'mac_os_x' + if platform_family?('mac_os_x') '/etc/sshd_config' else '/etc/ssh/sshd_config' @@ -47,8 +44,7 @@ # OpenSSH service name default['sshd']['service_name'] = - case node['platform_family'] - when 'debian' + if platform_family?('debian') 'ssh' else 'sshd'