Add Support for Extra Configuration Options #173
Conversation
There was a problem hiding this comment.
@bdwyertech thanks for this PR! It makes definitely sense, open points from my POV:
- Documentation in README.md
- Tests - if something is configured and not, please see Tests for GH-131 and GH-132 #155 if you want an example
- See the suggestions on the implementation in the template and attributes, this would allow to have such tests
attributes/default.rb
Outdated
| @@ -1,4 +1,5 @@ | |||
| # encoding: utf-8 | |||
| # rubocop: disable BlockLength | |||
There was a problem hiding this comment.
Can we have it for a particular block and not for the entire file?
There was a problem hiding this comment.
Yeah, I can swap that to just cover the two blocks
| # http://undeadly.org/cgi?action=article&sid=20160114142733 | ||
| default['ssh-hardening']['ssh']['client']['roaming'] = false | ||
| default['ssh-hardening']['ssh']['client']['send_env'] = ['LANG', 'LC_*', 'LANGUAGE'] | ||
| default['ssh-hardening']['ssh']['client'].tap do |client| |
There was a problem hiding this comment.
.tap is a cool idea and improvement :-)
attributes/default.rb
Outdated
| client['send_env'] = ['LANG', 'LC_*', 'LANGUAGE'] | ||
|
|
||
| # Extra Client Configuration Options | ||
| client['extras'].tap do |extra| |
There was a problem hiding this comment.
I think we should have this in the documentation (and maybe add an example chapter/code 'how to add extra options'). As we do not use/fill it with defaults, I would expect to have only client['extras'] = {} here
templates/default/openssh.conf.erb
Outdated
| @@ -117,3 +117,8 @@ UseRoaming <%= @node['ssh-hardening']['ssh']['client']['roaming'] ? 'yes' : 'no' | |||
| # Send locale environment variables | |||
| SendEnv <%= @node['ssh-hardening']['ssh']['client']['send_env'].join(' ') %> | |||
| <% end %> | |||
|
|
|||
| # Extra Configuration Options | |||
There was a problem hiding this comment.
Maybe we should do here something like
<% if @node['ssh-hardening']['ssh']['client']['extras'].empty? %>
# Extra Configuration Options
<%- @node['ssh-hardening']['ssh']['client']['extras'].each do |key, value| %>
<%= key %> <%= value %>
<% end -%>
<% end -%>
This would allow us two tests:
- Test if something configured - additional option will be added and '# Extra Configuration Options' is included in the file
- Test if nothing is configured - there should be no '# Extra Configuration Options' in the file
bdwyertech
force-pushed
the
extras
branch
2 times, most recently
from
741635f to
71e661c
Compare
|
Should be good to go @artem-sidorenko I am traveling and having trouble getting the coveralls gem to install, but here is what I think a test might look like: context 'without custom extraconfig value' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['server']['extras'] = {}
end.converge(described_recipe)
end
it 'does not have any extraconfig options' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').
without_content(/^# Extra Configuration Options/)
end
end
context 'with custom extraconfig value' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['server']['extras']['#ExtraConfig'] = 'Value'
end.converge(described_recipe)
end
it 'uses the extraconfig attributes' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').
with_content(/^# Extra Configuration Options/).
with_content(/^#ExtraConfig Value/)
end
end |
attributes/default.rb
Outdated
| client['send_env'] = ['LANG', 'LC_*', 'LANGUAGE'] | ||
|
|
||
| # extra client configuration options | ||
| client['extras'].tap = {} |
templates/default/openssh.conf.erb
Outdated
| @@ -117,3 +117,10 @@ UseRoaming <%= @node['ssh-hardening']['ssh']['client']['roaming'] ? 'yes' : 'no' | |||
| # Send locale environment variables | |||
| SendEnv <%= @node['ssh-hardening']['ssh']['client']['send_env'].join(' ') %> | |||
| <% end %> | |||
|
|
|||
| <%- unless Array(@node['ssh-hardening']['ssh']['client']['extras']).empty? %> | |||
There was a problem hiding this comment.
@bdwyertech you don't have to use Array(), the value is defined as Hash in the default attributes. You can do unless @node[...].empty?
|
@bdwyertech looks great, some suggestions: describe 'extra configuration values' do # <---- describe would be a cool container here
context 'without custom extra config value' do
cached(:chef_run) do
ChefSpec::ServerRunner.new.converge(described_recipe) # <----- you can work with defaults here
end
it 'does not have any extra config options' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').
without_content(/^# Extra Configuration Options/)
end
end
context 'with custom extra config value' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['server']['extras']['#ExtraConfig'] = 'Value'
end.converge(described_recipe)
end
it 'uses the extra config attributes' do
expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^# Extra Configuration Options/)
expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^#ExtraConfig Value/) # <----- as far I remember chefspec has some problems with chained matchers (`.with_content.with_content`), so its better to have two expects
end
end
end
|
|
Should be good to go @artem-sidorenko Thanks for the lesson in ChefSpec! Right now I'm only using Inspec |
| @@ -124,6 +124,24 @@ Configure attributes: | |||
|
|
|||
| This will enable the SFTP Server and chroot every user in the `sftpusers` group to the `/home/sftp/%u` directory. | |||
|
|
|||
| ## Extra Configuration Options | |||
There was a problem hiding this comment.
@bdwyertech cool, thanks for adding this to the docs. Can you please add something like
....
* `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details
....
* `['ssh-hardening']['ssh']['client']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details
to the attribute documentation above?
Can you do me a favor and cleanup a commit history by squashing the commits?
Then we can merge it :-)
|
@atomic111 any remarks? |
…ith block syntax Signed-off-by: Brian Dwyer <[email protected]>
|
Alrighty @artem-sidorenko , I think it's finally good! |
There was a problem hiding this comment.
@bdwyertech many thanks for very good collaboration! :)
@atomic111 LGTM
Add support for extra configuration options at the end of the config files for override support.
This assists with the flexibility issue discussed in #89
The block syntax swap is somewhat opinionated, but is more readable for long hash's