feat(contributing): add SFTP configuration

saltstack-formulas · Jul 12, 2022 · 2211721 · 2211721
1 parent 0862407
commit 2211721
Show file tree

Hide file tree

Showing 20 changed files with 301 additions and 56 deletions.
diff --git a/.gitignore b/.gitignore
@@ -127,7 +127,7 @@ tmp/
 # `salt-formula` -- Vagrant Specific files
 .vagrant
 top.sls
-!test/salt/pillar/top.sls
+!test/salt/pillar/*/top.sls
 
 # `suricata-formula` -- Platform binaries
 *.rpm

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -145,26 +145,46 @@ rubocop:
 # default-almalinux-8-tiamat-py3: {extends: '.test_instance'}
 # default-rockylinux-8-tiamat-py3: {extends: '.test_instance'}
 default-debian-11-master-py3: {extends: '.test_instance'}
+sftp-debian-11-master-py3: {extends: '.test_instance'}
 default-debian-10-master-py3: {extends: '.test_instance'}
+sftp-debian-10-master-py3: {extends: '.test_instance'}
 default-debian-9-master-py3: {extends: '.test_instance'}
+sftp-debian-9-master-py3: {extends: '.test_instance'}
 default-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'}
+sftp-ubuntu-2204-master-py3: {extends: '.test_instance_failure_permitted'}
 default-ubuntu-2004-master-py3: {extends: '.test_instance'}
+sftp-ubuntu-2004-master-py3: {extends: '.test_instance'}
 default-ubuntu-1804-master-py3: {extends: '.test_instance'}
+sftp-ubuntu-1804-master-py3: {extends: '.test_instance'}
 default-centos-stream8-master-py3: {extends: '.test_instance_failure_permitted'}
+sftp-centos-stream8-master-py3: {extends: '.test_instance_failure_permitted'}
 default-centos-7-master-py3: {extends: '.test_instance'}
+sftp-centos-7-master-py3: {extends: '.test_instance'}
 default-fedora-36-master-py3: {extends: '.test_instance_failure_permitted'}
+sftp-fedora-36-master-py3: {extends: '.test_instance_failure_permitted'}
 default-fedora-35-master-py3: {extends: '.test_instance'}
+sftp-fedora-35-master-py3: {extends: '.test_instance'}
+default-fedora-34-master-py3: {extends: '.test_instance'}
+sftp-fedora-34-master-py3: {extends: '.test_instance'}
 default-opensuse-leap-153-master-py3: {extends: '.test_instance'}
+sftp-opensuse-leap-153-master-py3: {extends: '.test_instance'}
 default-opensuse-tmbl-latest-master-py3: {extends: '.test_instance_failure_permitted'}
+sftp-opensuse-tmbl-latest-master-py3: {extends: '.test_instance_failure_permitted'}
 default-amazonlinux-2-master-py3: {extends: '.test_instance'}
+sftp-amazonlinux-2-master-py3: {extends: '.test_instance'}
 default-oraclelinux-8-master-py3: {extends: '.test_instance'}
+sftp-oraclelinux-8-master-py3: {extends: '.test_instance'}
 default-oraclelinux-7-master-py3: {extends: '.test_instance'}
+sftp-oraclelinux-7-master-py3: {extends: '.test_instance'}
 # default-arch-base-latest-master-py3: {extends: '.test_instance'}
 # default-gentoo-stage3-latest-master-py3: {extends: '.test_instance'}
 default-gentoo-stage3-systemd-master-py3: {extends: '.test_instance'}
+sftp-gentoo-stage3-systemd-master-py3: {extends: '.test_instance'}
 default-almalinux-8-master-py3: {extends: '.test_instance'}
+sftp-almalinux-8-master-py3: {extends: '.test_instance'}
 default-rockylinux-8-master-py3: {extends: '.test_instance'}
-# default-debian-11-3004-1-py3: {extends: '.test_instance'}
+sftp-rockylinux-8-master-py3: {extends: '.test_instance'}
+# # default-debian-11-3004-1-py3: {extends: '.test_instance'}
 # default-debian-10-3004-1-py3: {extends: '.test_instance'}
 # default-debian-9-3004-1-py3: {extends: '.test_instance'}
 # default-ubuntu-2204-3004-1-py3: {extends: '.test_instance_failure_permitted'}

diff --git a/docs/README.rst b/docs/README.rst
@@ -61,9 +61,13 @@ Installs the proftpd package, and starts the associated proftpd service.
 
 ``proftpd.database``
 ^^^^^^^^^^^^^^^^^^^^
-
 Configures database authentication.
 
+``proftpd.sftp``
+^^^^^^^^^^^^^^^^
+Set sftp configuration.
+Require Modules pillar: mod_sftp
+
 Testing
 -------
 

diff --git a/kitchen.yml b/kitchen.yml
@@ -22,8 +22,6 @@ provisioner:
   salt_copy_filter:
     - .kitchen
     - .git
-  pillars_from_directories:
-    - test/salt/pillar
 
 platforms:
   ## SALT `tiamat`
@@ -276,6 +274,8 @@ verifier:
 suites:
   - name: default
     provisioner:
+      pillars_from_directories:
+        - test/salt/pillar/default
       dependencies:
         - name: epel
           repo: git
@@ -290,3 +290,27 @@ suites:
     verifier:
       inspec_tests:
         - path: test/integration/default
+  - name: sftp
+    provisioner:
+      pillars_from_directories:
+        - test/salt/pillar/default
+        - test/salt/pillar/sftp
+      dependencies:
+        - name: epel
+          repo: git
+          source: https://github.com/saltstack-formulas/epel-formula.git
+        - name: openssh
+          repo: git
+          source: https://github.com/saltstack-formulas/openssh-formula.git
+      state_top:
+        base:
+          'G@os:Amazon':
+            - epel
+          '*':
+            - proftpd._mapdata
+            - proftpd
+            - proftpd.sftp
+    verifier:
+      inspec_tests:
+        - path: test/integration/default
+        - path: test/integration/sftp
diff --git a/proftpd/files/proftpd.conf b/proftpd/files/proftpd.conf
@@ -3,6 +3,11 @@
 Include {{ modules_config }}
 {%- endif -%}
 
+{% if salt['pillar.get']('proftpd:Modules:mod_sftp') %}
+# Includes DSO sftp
+Include {{ sftp_config }}
+{% endif %}
+
 # Server settings
 ServerName                              {{ ServerName }}
 ServerType                              {{ ServerType }}

diff --git a/proftpd/files/sftp.conf b/proftpd/files/sftp.conf
@@ -0,0 +1,8 @@
+## File managed by Salt ##
+<IfModule mod_sftp.c>
+<VirtualHost 0.0.0.0>
+{% for param, value in sftp.items() -%}
+  {{param}} {{value }}
+{% endfor -%}
+</VirtualHost>
+</IfModule>
diff --git a/proftpd/init.sls b/proftpd/init.sls
@@ -29,54 +29,55 @@ proftpd_modules_service_restart:
 {% endif  %}
 
 {{ proftpd.config }}:
-    file.managed:
-        - source: salt://proftpd/files/proftpd.conf
-        - user: root
-        - group: root
-        - mode: 644
-        - template: jinja
-        - defaults:
-            modules_config: {{ salt['pillar.get']('proftpd:modules_config') }}
-            ServerName: {{ salt['pillar.get']('proftpd:ServerName') }}
-            ServerType: {{ salt['pillar.get']('proftpd:ServerType') }}
-            ServerIdent: {{ salt['pillar.get']('proftpd:ServerIdent', '"off"') }}
-            DefaultServer: {{ salt['pillar.get']('proftpd:DefaultServer') }}
-            Port: {{ salt['pillar.get']('proftpd:Port', 21) }}
-            MaxInstances: {{ salt['pillar.get']('proftpd:MaxInstances') }}
-            DeferWelcome: {{ salt['pillar.get']('proftpd:DeferWelcome') }}
-            MultilineRFC2228: {{ salt['pillar.get']('proftpd:MultilineRFC2228') }}
-            ShowSymlinks: {{ salt['pillar.get']('proftpd:ShowSymlinks') }}
-            AllowOverwrite: {{ salt['pillar.get']('proftpd:AllowOverwrite') }}
-            AllowStoreRestart: {{ salt['pillar.get']('proftpd:AllowStoreRestart') }}
-            AllowRetrieveRestart: {{ salt['pillar.get']('proftpd:AllowRetrieveRestart') }}
-            UseReverseDNS: {{ salt['pillar.get']('proftpd:UseReverseDNS') }}
-            IdentLookups: {{ salt['pillar.get']('proftpd:IdentLookups') }}
-            ListOptions: {{ salt['pillar.get']('proftpd:ListOptions') }}
-            DisplayChdir: {{ salt['pillar.get']('proftpd:DisplayChdir') }}
-            DelayEngine: {{ salt['pillar.get']('proftpd:DelayEngine') }}
-            TimeoutLogin: {{ salt['pillar.get']('proftpd:TimeoutLogin') }}
-            TimeoutNoTransfer: {{ salt['pillar.get']('proftpd:TimeoutNoTransfer') }}
-            TimeoutStalled: {{ salt['pillar.get']('proftpd:TimeoutStalled') }}
-            TimeoutIdle: {{ salt['pillar.get']('proftpd:TimeoutIdle') }}
-            RootLogin: {{ salt['pillar.get']('proftpd:RootLogin') }}
-            RequireValidShell: {{ salt['pillar.get']('proftpd:RequireValidShell') }}
-            User: {{ salt['pillar.get']('proftpd:User') }}
-            Group: {{ salt['pillar.get']('proftpd:Group') }}
-            Umask: {{ salt['pillar.get']('proftpd:Umask') }}
-            DefaultRoot: {{ salt['pillar.get']('proftpd:DefaultRoot') }}
-            DenyFilter: {{ salt['pillar.get']('proftpd:DenyFilter') }}
-            DirUmask: {{ salt['pillar.get']('proftpd:DirUmask') }}
-            DirAllowOverwrite: {{ salt['pillar.get']('proftpd:DirAllowOverwrite') }}
-            DirHideNoAccess: {{ salt['pillar.get']('proftpd:DirHideNoAccess') }}
-            DirLimit: {{ salt['pillar.get']('proftpd:DirLimit') }}
-            PathAllowFilter: {{ salt['pillar.get']('proftpd:PathAllowFilter') }}
-            PathDenyFilter: {{ salt['pillar.get']('proftpd:PathDenyFilter') }}
-            LogFormatDefault: {{ salt['pillar.get']('proftpd:LogFormat:default') }}
-            LogFormatAuth: {{ salt['pillar.get']('proftpd:LogFormat:auth') }}
-            LogFormatWrite: {{ salt['pillar.get']('proftpd:LogFormat:write') }}
-            SyslogLevel: {{ salt['pillar.get']('proftpd:SyslogLevel') }}
-            ExtendedLogAccess: {{ salt['pillar.get']('proftpd:ExtendedLog:Access') }}
-            ExtendedLogAuth: {{ salt['pillar.get']('proftpd:ExtendedLog:Auth') }}
-            ExtendedLogAll: {{ salt['pillar.get']('proftpd:ExtendedLog:All') }}
-            ClamAV: {{ salt['pillar.get']('proftpd:ClamAV') }}
-            ClamLocalSocket: {{ salt['pillar.get']('proftpd:ClamLocalSocket') }}
+  file.managed:
+    - source: salt://proftpd/files/proftpd.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - context:
+      modules_config: {{ proftpd.modules_config }}
+      sftp_config: {{ proftpd.sftp_config }}
+      ServerName: {{ salt['pillar.get']('proftpd:ServerName') }}
+      ServerType: {{ salt['pillar.get']('proftpd:ServerType') }}
+      ServerIdent: {{ salt['pillar.get']('proftpd:ServerIdent', '"off"') }}
+      DefaultServer: {{ salt['pillar.get']('proftpd:DefaultServer') }}
+      Port: {{ salt['pillar.get']('proftpd:Port', 21) }}
+      MaxInstances: {{ salt['pillar.get']('proftpd:MaxInstances') }}
+      DeferWelcome: {{ salt['pillar.get']('proftpd:DeferWelcome') }}
+      MultilineRFC2228: {{ salt['pillar.get']('proftpd:MultilineRFC2228') }}
+      ShowSymlinks: {{ salt['pillar.get']('proftpd:ShowSymlinks') }}
+      AllowOverwrite: {{ salt['pillar.get']('proftpd:AllowOverwrite') }}
+      AllowStoreRestart: {{ salt['pillar.get']('proftpd:AllowStoreRestart') }}
+      AllowRetrieveRestart: {{ salt['pillar.get']('proftpd:AllowRetrieveRestart') }}
+      UseReverseDNS: {{ salt['pillar.get']('proftpd:UseReverseDNS') }}
+      IdentLookups: {{ salt['pillar.get']('proftpd:IdentLookups') }}
+      ListOptions: {{ salt['pillar.get']('proftpd:ListOptions') }}
+      DisplayChdir: {{ salt['pillar.get']('proftpd:DisplayChdir') }}
+      DelayEngine: {{ salt['pillar.get']('proftpd:DelayEngine') }}
+      TimeoutLogin: {{ salt['pillar.get']('proftpd:TimeoutLogin') }}
+      TimeoutNoTransfer: {{ salt['pillar.get']('proftpd:TimeoutNoTransfer') }}
+      TimeoutStalled: {{ salt['pillar.get']('proftpd:TimeoutStalled') }}
+      TimeoutIdle: {{ salt['pillar.get']('proftpd:TimeoutIdle') }}
+      RootLogin: {{ salt['pillar.get']('proftpd:RootLogin') }}
+      RequireValidShell: {{ salt['pillar.get']('proftpd:RequireValidShell') }}
+      User: {{ salt['pillar.get']('proftpd:User') }}
+      Group: {{ salt['pillar.get']('proftpd:Group') }}
+      Umask: {{ salt['pillar.get']('proftpd:Umask') }}
+      DefaultRoot: {{ salt['pillar.get']('proftpd:DefaultRoot') }}
+      DenyFilter: {{ salt['pillar.get']('proftpd:DenyFilter') }}
+      DirUmask: {{ salt['pillar.get']('proftpd:DirUmask') }}
+      DirAllowOverwrite: {{ salt['pillar.get']('proftpd:DirAllowOverwrite') }}
+      DirHideNoAccess: {{ salt['pillar.get']('proftpd:DirHideNoAccess') }}
+      DirLimit: {{ salt['pillar.get']('proftpd:DirLimit') }}
+      PathAllowFilter: {{ salt['pillar.get']('proftpd:PathAllowFilter') }}
+      PathDenyFilter: {{ salt['pillar.get']('proftpd:PathDenyFilter') }}
+      LogFormatDefault: {{ salt['pillar.get']('proftpd:LogFormat:default') }}
+      LogFormatAuth: {{ salt['pillar.get']('proftpd:LogFormat:auth') }}
+      LogFormatWrite: {{ salt['pillar.get']('proftpd:LogFormat:write') }}
+      SyslogLevel: {{ salt['pillar.get']('proftpd:SyslogLevel') }}
+      ExtendedLogAccess: {{ salt['pillar.get']('proftpd:ExtendedLog:Access') }}
+      ExtendedLogAuth: {{ salt['pillar.get']('proftpd:ExtendedLog:Auth') }}
+      ExtendedLogAll: {{ salt['pillar.get']('proftpd:ExtendedLog:All') }}
+      ClamAV: {{ salt['pillar.get']('proftpd:ClamAV') }}
+      ClamLocalSocket: {{ salt['pillar.get']('proftpd:ClamLocalSocket') }}
diff --git a/proftpd/map.jinja b/proftpd/map.jinja
@@ -5,6 +5,7 @@
         'sql_config': '/etc/proftpd/sql.conf',
         'modules_config': '/etc/proftpd/modules.conf',
         'mysql': 'proftpd-mod-mysql',
+        'sftp_config': '/etc/proftpd/sftp.conf',
         'postgres': 'proftpd-mod-pgsql',
         'service': 'proftpd',
     },
@@ -13,6 +14,7 @@
         'config': '/etc/proftpd/proftpd.conf',
         'sql_config': '/etc/proftpd/sql.conf',
         'modules_config': '/etc/proftpd/modules.conf',
+        'sftp_config': '/etc/proftpd/sftp.conf',
         'mysql': 'proftpd-mod-mysql',
         'postgres': 'proftpd-mod-pgsql',
         'service': 'proftpd',
@@ -21,19 +23,28 @@
         'pkg': 'proftpd',
         'config': '/etc/proftpd.conf',
         'modules_config': '/etc/proftpd/modules.conf',
+        'sftp_config': '/etc/proftpd/sftp.conf',
         'service': 'proftpd',
     },
     'Suse': {
         'pkg': 'proftpd',
         'config': '/etc/proftpd/proftpd.conf',
         'modules_config': '/etc/proftpd/modules.conf',
+        'sftp_config': '/etc/proftpd/sftp.conf',
         'service': 'proftpd',
     },
     'Gentoo': {
         'pkg': 'net-ftp/proftpd',
         'config': '/etc/proftpd/proftpd.conf',
         'modules_config': '/etc/proftpd/modules.conf',
+        'sftp_config': '/etc/proftpd/sftp.conf',
         'service': 'proftpd',
     },
     }, merge=salt['pillar.get']('proftpd:lookup'))
 %}
+
+{# Merge the flavor_map to the default settings #}
+{% do default_settings.proftpd.update(os_family_map) %}
+
+{# Merge in proftpd:lookup pillar #}
+{% set proftpd = salt['pillar.get']('proftpd', default=default_settings.proftpd, merge=True) %}
diff --git a/proftpd/sftp.sls b/proftpd/sftp.sls
@@ -0,0 +1,26 @@
+{% from "proftpd/map.jinja" import proftpd with context %}
+
+{% if not salt['pillar.get']('proftpd:Modules:mod_sftp') %}
+missing_sftp_require_pillar:
+  test.fail_without_changes
+{% endif %}
+
+proftpd_sftp_config_file:
+  file.managed:
+    - name: {{ proftpd.sftp_config }}
+    - source: salt://proftpd/files/sftp.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: true
+    - show_changes: true
+    - template: jinja
+    - context:
+      sftp_config: {{ proftpd.sftp_config }}
+      sftp: {{ proftpd.SFTP }}
+
+proftpd_sftp_service_restart:
+  service.running:
+    - name: proftpd
+    - watch:
+      - file: {{ proftpd.sftp_config }}
diff --git a/test/integration/sftp/README.md b/test/integration/sftp/README.md
@@ -0,0 +1,50 @@
+# InSpec Profile: `sftp`
+
+This shows the implementation of the `sftp` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
+
+## Verify a profile
+
+InSpec ships with built-in features to verify a profile structure.
+
+```bash
+$ inspec check default
+Summary
+-------
+Location: sftp
+Profile: profile
+Controls: 1
+Timestamp: 2022-04-14T23:09:01+00:00
+Valid: true
+
+Errors
+------
+
+Warnings
+--------
+```
+
+## Execute a profile
+
+To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
+
+```bash
+$ inspec exec default
+..
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+1 examples, 0 failures
+```
+
+## Execute a specific control from a profile
+
+To run one control from the profile use `inspec exec /path/to/profile --controls name`.
+
+```bash
+$ inspec exec default --controls package
+.
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+1 examples, 0 failures
+```
+
+See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).