indiana-university / puppet-duo_unix

The duo_unix module handles the deployment of duo_unix (login_duo or pam_duo) across a range of Linux distributions.
BSD 3-Clause "New" or "Revised" License

Augeas is potentially untestable #45

Closed thoughtful-explorer closed 2 months ago

thoughtful-explorer commented 5 months ago

To test the addition of AcceptEnv variables to sshd_config using augeas in manifests/ssh_config.pp, I have attempted to also properly apply unit tests to these augeas blocks (using rspec-puppet-augeas). This is because when we're unit testing, we're testing the contents of a Puppet catalog instead of the real sshd_config file. I therefore created an updated spec/classes/ssh_config_spec.rb with this content:

require 'spec_helper'
describe 'duo_unix::ssh_config' do
  let(:pre_condition) { "package { 'duo_unix': ensure => 'installed' } package { 'duo-unix': ensure => 'installed' }" }

  on_supported_os.each do |os, os_facts|
    let :pre_condition do
      "class { 'duo_unix':
        usage => 'login',
        ikey => 'testikey',
        skey => 'testskey',
        host => 'api-XXXXXXXX.duosecurity.com',
        accept_env_factor => 'yes' }"
    end

    context "on #{os}" do
      let(:facts) { os_facts }

      it { is_expected.to compile }
    end

    context 'with accept_env_factor => yes' do
      let(:facts) { os_facts }

      it {
        is_expected.to contain_file('/etc/duo/login_duo.conf')
          .with_content(%r{^accept_env_factor=yes$})
      }
      describe 'sshd' do
        it 'Finds duo_ssh_env augeas resource' do
          is_expected.to contain_augeas('duo_ssh_env')
        end

        # Expects Augeas['duo_ssh_env'] because sshd_config is a pre-existing file and therefore not testable in the catalog by RSpec
        describe_augeas 'duo_ssh_env', lens: 'Sshd.lns', target: 'etc/ssh/sshd_config' do
          it 'Ensures DUO_PASSCODE is added to AcceptEnv' do

            # Check changes in the file with aug_get and aug_match
            aug_match('DUO_PASSCODE').is_expected.to include('DUO_PASSCODE')

            # Verify idempotence last to prevent false positive
            is_expected.to execute.idempotently
          end
        end
      end
    end
  end
end

However, when running the unit tests, I get (many copies of) this error:

Failures:

  1) duo_unix::ssh_config with accept_env_factor => yes sshd Augeas[duo_ssh_env] Ensures DUO_PASSCODE is added to AcceptEnv
     Failure/Error: aug_match('DUO_PASSCODE').is_expected.to include('DUO_PASSCODE')

     RuntimeError:
       Got 2 failure(s) while initializing: File[/tmp/d20240415-916643-c35377]: change from 'absent' to 'directory' failed: Failed to set owner to '0': Operation not permitted @ apply2files - /tmp/d20240415-916643-c35377; File[/tmp/d20240415-916643-nn2gev/ssl]: change from 'absent' to 'directory' failed: Failed to set owner to '0': Operation not permitted @ apply2files - /tmp/d20240415-916643-nn2gev/ssl
     # ./spec/classes/ssh_config_spec.rb:38:in `block (6 levels) in <top (required)>'
     # bin/rspec:29:in `load'
     # bin/rspec:29:in `<main>'

Unfortunately, there appear to be a number of very stale (and unlikely to change) official sources that indicate this error will not be resolved:

thoughtful-explorer commented 2 months ago

This is no longer relevant -- at least for now, as augeas is no longer used for sshd config as of 56658ab
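
Added example, not part of the thread or of the duo_unix module: the two properties the spec above was trying to assert (DUO_PASSCODE ends up in AcceptEnv, and the change is idempotent) checked on the text of an sshd_config in plain Ruby, with no Augeas and no Puppet apply. The helper names and the sample configuration are constructed for illustration; the sample shows why a plain text search is not enough, since an AcceptEnv inside a Match block does not apply globally.

```ruby
# Constructed sample, not a real host's configuration.
SAMPLE_SSHD_CONFIG = <<~CONF
  # sample sshd_config
  PermitRootLogin no
  AcceptEnv LANG LC_*
  Match User deploy
      AcceptEnv DUO_PASSCODE
CONF

# AcceptEnv patterns that apply globally, i.e. before the first Match block.
# Keywords are case-insensitive; one directive may list several patterns.
def global_accept_env(text)
  patterns = []
  text.each_line do |line|
    keyword, args = line.strip.split(/[\s=]+/, 2)
    next if keyword.nil? || keyword.start_with?('#')
    break if keyword.casecmp?('Match')
    patterns.concat(args.to_s.split) if keyword.casecmp?('AcceptEnv')
  end
  patterns
end

# True when var matches a global AcceptEnv pattern ('*' and '?' wildcards).
def env_accepted?(text, var)
  global_accept_env(text).any? { |pattern| File.fnmatch(pattern, var) }
end

# Return text with var accepted globally. The new directive goes before the
# first Match block; text that already accepts var is returned unchanged,
# which is what makes the operation idempotent.
def ensure_accept_env(text, var)
  return text if env_accepted?(text, var)
  text += "\n" unless text.empty? || text.end_with?("\n")
  lines = text.lines
  first_match = lines.index { |l| l.strip.match?(/\AMatch\b/i) } || lines.length
  lines.insert(first_match, "AcceptEnv #{var}\n")
  lines.join
end

puts ensure_accept_env(SAMPLE_SSHD_CONFIG, 'DUO_PASSCODE')
```
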