Merge pull request #17 from dev-sec/chris-rock/lint

Lint project

Author: chris-rock

.rubocop.yml

@@ -0,0 +1,31 @@
+---
+AllCops:
+  Exclude:
+  - vendor/**/*
+  TargetRubyVersion: 1.9
+Documentation:
+  Enabled: false
+AlignParameters:
+  Enabled: true
+HashSyntax:
+  Enabled: true
+LineLength:
+  Enabled: false
+EmptyLinesAroundBlockBody:
+  Enabled: false
+MethodLength:
+  Max: 40
+NumericLiterals:
+  MinDigits: 10
+Metrics/BlockLength:
+  Max: 35
+Metrics/CyclomaticComplexity:
+  Max: 10
+Metrics/PerceivedComplexity:
+  Max: 10
+Metrics/AbcSize:
+  Max: 30
+Style/FileName:
+  Enabled: false
+Style/WordArray:
+  Enabled: false

.travis.yml

@@ -0,0 +1,8 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.3.3
+
+bundler_args: --without integration
+script: bundle exec rake

Gemfile

@@ -1,3 +1,11 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem 'inspec'
+gem 'rake'
+gem 'rack', '1.6.4'
+gem 'inspec', '~> 1'
+gem 'rubocop', '~> 0.44.0'
+gem 'highline', '~> 1.6.0'
+
+group :tools do
+  gem 'github_changelog_generator', '~> 1.12.0'
+end

Rakefile

@@ -0,0 +1,42 @@
+#!/usr/bin/env rake
+# encoding: utf-8
+
+require 'rake/testtask'
+require 'rubocop/rake_task'
+
+# Rubocop
+desc 'Run Rubocop lint checks'
+task :rubocop do
+  RuboCop::RakeTask.new
+end
+
+# lint the project
+desc 'Run robocop linter'
+task lint: [:rubocop]
+
+# run tests
+task default: [:lint, 'test:check']
+
+namespace :test do
+  # run inspec check to verify that the profile is properly configured
+  task :check do
+    dir = File.join(File.dirname(__FILE__))
+    sh("bundle exec inspec check #{dir}")
+  end
+end
+
+# Automatically generate a changelog for this project. Only loaded if
+# the necessary gem is installed. By default its picking up the version from
+# inspec.yml. You can override that behavior with s`rake changelog to=1.2.0`
+begin
+  require 'yaml'
+  metadata = YAML.load_file('inspec.yml')
+  v = ENV['to'] || metadata['version']
+  puts "Generate changelog for version #{v}"
+  require 'github_changelog_generator/task'
+  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+    config.future_release = v
+  end
+rescue LoadError
+  puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
+end

controls/check-block.rb

@@ -1,12 +1,11 @@
+# encoding: utf-8
 # All checks from http://docs.openstack.org/security-guide/block-storage/checklist.html
 
 cinder_conf_dir = '/etc/cinder'
 cinder_conf_file = "#{cinder_conf_dir}/cinder.conf"
 
 control 'check-block-01' do
-
   title 'Cinder config files should be owned by root user and cinder group.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-01-is-user-group-ownership-of-config-files-set-to-root-cinder'
 
   describe file(cinder_conf_file) do
@@ -25,13 +24,10 @@
     it { should be_owned_by 'root' }
     its('group') { should eq 'cinder' }
   end
-
 end
 
 control 'check-block-02' do
-
   title 'Strict permissions should be set for all Cinder config files.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-02-are-strict-permissions-set-for-configuration-files'
 
   describe file(cinder_conf_file) do
@@ -46,85 +42,67 @@
   describe file("#{cinder_conf_dir}/rootwrap.conf") do
     its('mode') { should cmp '0640' }
   end
-
 end
 
 control 'check-block-03' do
-
   title 'Cinder should use Keystone for authentication.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-03-is-keystone-used-for-authentication'
 
   # nil is acceptable as keystone is default value
   describe ini(cinder_conf_file) do
-    its(['DEFAULT','auth_strategy']) { should be_nil.or eq "keystone" }
+    its(['DEFAULT', 'auth_strategy']) { should be_nil.or eq 'keystone' }
   end
-
 end
 
 control 'check-block-04' do
-
   title 'Cinder should communicate with Keystone using TLS.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-04-is-tls-enabled-for-authentication'
 
   describe ini(cinder_conf_file) do
-    its(['keystone_authtoken','auth_uri']) { should match /^https:/ }
-
+    its(['keystone_authtoken', 'auth_uri']) { should match(/^https:/) }
     # nil is acceptable as false is the default value
-    its(['keystone_authtoken','insecure']) { should be_nil.or eq "False" }
+    its(['keystone_authtoken', 'insecure']) { should be_nil.or eq 'False' }
   end
-
 end
 
 control 'check-block-05' do
-
   title 'Cinder should communicate with Nova using TLS.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-05-does-cinder-communicate-with-nova-over-tls'
 
   # nil is acceptable as false is the default value
   describe ini(cinder_conf_file) do
-    its(['DEFAULT','nova_api_insecure']) { should be_nil.or eq "False" }
+    its(['DEFAULT', 'nova_api_insecure']) { should be_nil.or eq 'False' }
   end
-
 end
 
 control 'check-block-06' do
-
   title 'Cinder should communicate with Glance using TLS.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-06-does-cinder-communicate-with-glance-over-tls'
 
   describe ini(cinder_conf_file) do
     # nil is acceptable as the glance endpoint may be sourced from Keystone based on the value of glance_catalog_info
-    its(['DEFAULT','glance_api_servers']) { should be_nil.or match /^https:/ }
-
+    its(['DEFAULT', 'glance_api_servers']) { should be_nil.or match(/^https:/) }
     # nil is acceptable as false is the default value
-    its(['DEFAULT','glance_api_insecure']) { should be_nil.or eq "False" }
+    its(['DEFAULT', 'glance_api_insecure']) { should be_nil.or eq 'False' }
   end
 end
 
 control 'check-block-07' do
-
   title 'Cinder should use secure NAS permissions.'
-
   ref 'http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-07-is-nas-operating-in-a-secure-environment'
 
   cinder_conf = ini(cinder_conf_file)
 
   only_if do
-    cinder_conf.value(['DEFAULT','nas_host']) != nil
+    cinder_conf.value(['DEFAULT', 'nas_host']).nil?
   end
 
   describe ini(cinder_conf_file) do
     # nil is acceptable as auto is the default value
-    its(['DEFAULT','nas_secure_file_permissions']) { should be_nil.or eq("True").or eq("auto") }
-
+    its(['DEFAULT', 'nas_secure_file_permissions']) { should be_nil.or eq('True').or eq('auto') }
     # nil is acceptable as auto is the default value
-    its(['DEFAULT','nas_secure_file_operations']) { should be_nil.or eq("True").or eq("auto") }
+    its(['DEFAULT', 'nas_secure_file_operations']) { should be_nil.or eq('True').or eq('auto') }
   end
-
 end
 
 control 'check-block-08' do
@@ -135,6 +113,6 @@
 
   describe ini(cinder_conf_file) do
     # nil is acceptable as 114688 is the default value
-    its(['DEFAULT','osapi_max_request_body_size']) { should be_nil.or be >= 114688 }
+    its(['DEFAULT', 'osapi_max_request_body_size']) { should be_nil.or be >= 114688 }
   end
 end

controls/check-compute.rb

@@ -1,12 +1,11 @@
+# encoding: utf-8
 # All checks from http://docs.openstack.org/security-guide/compute/checklist.html
 
 nova_conf_dir = '/etc/nova'
 nova_conf_file = "#{nova_conf_dir}/nova.conf"
 
 control 'check-compute-01' do
-
   title 'Nova config files should be owned by root user and nova group.'
-
   ref 'http://docs.openstack.org/security-guide/compute/checklist.html#check-compute-01-is-user-group-ownership-of-config-files-set-to-root-nova'
 
   describe file(nova_conf_file) do
@@ -28,9 +27,7 @@
 end
 
 control 'check-compute-02' do
-
   title 'Strict permissions should be set for all Nova config files.'
-
   ref 'http://docs.openstack.org/security-guide/compute/checklist.html#check-compute-02-are-strict-permissions-set-for-configuration-files'
 
   describe file(nova_conf_file) do
@@ -48,41 +45,33 @@
 end
 
 control 'check-compute-03' do
-
   title 'Nova should use Keystone for authentication.'
-
   ref 'http://docs.openstack.org/security-guide/compute/checklist.html#check-compute-03-is-keystone-used-for-authentication'
 
   describe ini(nova_conf_file) do
     # nil is acceptable as "keystone" is the default value
-    its(['DEFAULT','auth_strategy']) { should be_nil.or eq "keystone" }
+    its(['DEFAULT', 'auth_strategy']) { should be_nil.or eq 'keystone' }
   end
 end
 
 control 'check-compute-04' do
-
   title 'Nova should communicate with Keystone using TLS.'
-
   ref 'http://docs.openstack.org/security-guide/compute/checklist.html#check-compute-04-is-secure-protocol-used-for-authentication'
 
   describe ini(nova_conf_file) do
-    its(['keystone_authtoken','auth_uri']) { should match /^https:/ }
-
+    its(['keystone_authtoken', 'auth_uri']) { should match(/^https:/) }
     # nil is acceptable as false is the default value
-    its(['keystone_authtoken','insecure']) { should be_nil.or eq "False" }
+    its(['keystone_authtoken', 'insecure']) { should be_nil.or eq 'False' }
   end
 end
 
 control 'check-compute-05' do
-
   title 'Nova should communicate with Glance using TLS.'
-
   ref 'http://docs.openstack.org/security-guide/compute/checklist.html#check-compute-05-does-nova-communicate-with-glance-securely'
 
   describe ini(nova_conf_file) do
-    its(['glance','api_servers']) { should match /^https:/ }
-
+    its(['glance', 'api_servers']) { should match(/^https:/) }
     # nil is acceptable as false is the default value
-    its(['glance','api_insecure']) { should be_nil.or eq "False" }
+    its(['glance', 'api_insecure']) { should be_nil.or eq 'False' }
   end
 end