X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=blobdiff_plain;f=3rdparty%2Fmodules%2Fapache%2Fspec%2Facceptance%2Fmod_security_spec.rb;fp=3rdparty%2Fmodules%2Fapache%2Fspec%2Facceptance%2Fmod_security_spec.rb;h=60295787e0412805fc674d3c9713a2ea0e8f7a8e;hp=0000000000000000000000000000000000000000;hb=29c25a2dd54b818d590063af535221f98af7d6c8;hpb=943dd63ceab3c595cfdff25de2631d5b74f19dc9 diff --git a/3rdparty/modules/apache/spec/acceptance/mod_security_spec.rb b/3rdparty/modules/apache/spec/acceptance/mod_security_spec.rb new file mode 100644 index 00000000..60295787 --- /dev/null +++ b/3rdparty/modules/apache/spec/acceptance/mod_security_spec.rb @@ -0,0 +1,228 @@ +require 'spec_helper_acceptance' + +describe 'apache::mod::security class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) or (fact('osfamily') == 'Debian' and (fact('lsbdistcodename') == 'squeeze' or fact('lsbdistcodename') == 'lucid' or fact('lsbdistcodename') == 'precise'))) do + case fact('osfamily') + when 'Debian' + mod_dir = '/etc/apache2/mods-available' + service_name = 'apache2' + package_name = 'apache2' + when 'RedHat' + mod_dir = '/etc/httpd/conf.d' + service_name = 'httpd' + package_name = 'httpd' + end + + context "default mod_security config" do + if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/ + it 'adds epel' do + pp = "class { 'epel': }" + apply_manifest(pp, :catch_failures => true) + end + end + + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + } + file { '/var/www/html/index.html': + ensure => file, + content => 'Index page', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service(service_name) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe package(package_name) do + it { is_expected.to be_installed } + end + + describe file("#{mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + + end #default mod_security config + + context "mod_security should allow disabling by vhost" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + } + file { '/var/www/html/index.html': + ensure => file, + content => 'Index page', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service(service_name) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe file("#{mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + modsec_disable_vhost => true, + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + end #mod_security should allow disabling by vhost + + context "mod_security should allow disabling by ip" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + } + file { '/var/www/html/index.html': + ensure => file, + content => 'Index page', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service(service_name) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe file("#{mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + modsec_disable_ips => [ '127.0.0.1' ], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker modsec.example.com:80') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + end #mod_security should allow disabling by ip + + context "mod_security should allow disabling by id" do + it 'succeeds in puppeting mod_security' do + pp= <<-EOS + host { 'modsec.example.com': ip => '127.0.0.1', } + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + } + file { '/var/www/html/index.html': + ensure => file, + content => 'Index page', + } + file { '/var/www/html/index2.html': + ensure => file, + content => 'Page 2', + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + describe service(service_name) do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + + describe file("#{mod_dir}/security.conf") do + it { is_expected.to contain "mod_security2.c" } + end + + it 'should block query with SQL' do + shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22] + end + + it 'should disable mod_security per vhost' do + pp= <<-EOS + class { 'apache': } + class { 'apache::mod::security': } + apache::vhost { 'modsec.example.com': + port => '80', + docroot => '/var/www/html', + modsec_disable_ids => [ '950007' ], + } + EOS + apply_manifest(pp, :catch_failures => true) + end + + it 'should return index page' do + shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r| + expect(r.stdout).to match(/Index page/) + expect(r.exit_code).to eq(0) + end + end + + end #mod_security should allow disabling by id + + +end #apache::mod::security class