Add in configure and install resources.

- Start moving recipes out to the integration cookbook

Add in configure and install resources.
- Start moving recipes out to the integration cookbook
783a84f7 · Dan Webb · 80f69342 · 783a84f7 · 783a84f7 · 783a84f7
Unverified Commit 783a84f7 authored Jun 11, 2017 by Dan Webb
24 changed files
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -13,25 +13,21 @@ platforms:
  - name: centos-6.9
  - name: centos-7.3
  - name: debian-7.11
-    run_list: apt::default
  - name: debian-8.7
-    run_list: apt::default
  - name: fedora-25
  - name: ubuntu-14.04
-    run_list: apt::default
  - name: ubuntu-16.04
-    run_list: apt::default

 suites:
 - name: client
  run_list:
-    - recipe[ossec::client]
+    - recipe[test::client]
 - name: server
  run_list:
-    - recipe[ossec::server]
+    - recipe[test::server]
 - name: agent_auth
  run_list:
-    - recipe[ossec::agent_auth]
+    - recipe[test::agent_auth]
  attributes:
    ossec:
      agent_server_ip: 10.0.2.2

--- a/README.md
+++ b/README.md
@@ -20,18 +20,13 @@ Installs OSSEC from source in a server-agent installation. See:

 ### Cookbooks

- apt
 - yum-atomic

 ## Attributes

- `node['ossec']['dir']` - Installation directory for OSSEC, default `/var/ossec`. All existing packages use this directory so you should not change this.
 - `node['ossec']['server_role']` - When using server/agent setup, this role is used to search for the OSSEC server, default `ossec_server`.
 - `node['ossec']['server_env']` - When using server/agent setup, this value will scope the role search to the specified environment, default nil.
 - `node['ossec']['agent_server_ip']` - The IP of the OSSEC server. The client recipe will attempt to determine this value via search. Default is nil, only required for agent installations.
- `node['ossec']['data_bag']['encrypted']` - Boolean value which indicates whether or not the OSSEC data bag is encrypted
- `node['ossec']['data_bag']['name']` - The name of the data bag to use
- `node['ossec']['data_bag']['ssh']` - The name of the data bag item which contains the OSSEC keys

 ### ossec.conf

@@ -39,6 +34,14 @@ OSSEC's configuration is mainly read from an XML file called `ossec.conf`. You c

 Chef applies attributes from all attribute files regardless of which recipes were executed. In order to make wrapper cookbooks easier to write, `node['ossec']['conf']` is divided into the three installation types mentioned below, `local`, `server`, and `agent`. You can also set attributes under `all` to apply settings across all installation types. The typed attributes are automatically deep merged over the `all` attributes in the normal Chef manner.

+
+`ossec_conf_local`
+
+`ossec_conf_server`
+
+`ossec_conf_agent`
+
+
 `true` and `false` values are automatically mapped to `"yes"` and `"no"` as OSSEC expects the latter.

 `ossec.conf` makes little use of XML attributes so you can generally construct nested hashes in the usual fashion. Where an attribute is required, you can do it like this:

--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -15,16 +15,13 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#

 class Chef
  module OSSEC
    module Helpers
      # Gyoku looks for a symbol called :content! but Chef attributes
      # are always stringified. We can't just call symbolize_keys
-      # because we need to recurse through the hash structure. Doing
-      # this also gives us the opportunity to convert true/false to
-      # yes/no, which is handy.
+      # because we need to recurse through the hash structure.
      def self.object_to_ossec(object)
        case object
        when Hash
@@ -40,10 +37,6 @@ class Chef
          object.map! do |e|
            object_to_ossec(e)
          end
-        when TrueClass
-          'yes'
-        when FalseClass
-          'no'
        when NilClass
          ''
        else

--- a/metadata.rb
+++ b/metadata.rb
@@ -5,15 +5,12 @@ license          'Apache-2.0'
 description      'Installs and configures ossec'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '1.0.5'
+source_url       'https://github.com/sous-chefs/ossec'
+issues_url       'https://github.com/sous-chefs/ossec/issues'
+chef_version     '>= 12.5' if respond_to?(:chef_version)

-%w( apt yum-atomic ).each do |pkg|
-  depends pkg
-end
+depends 'yum-atomic'

 %w( debian ubuntu redhat centos fedora scientific oracle amazon ).each do |os|
  supports os
 end
-
-source_url 'https://github.com/sous-chefs/ossec'
-issues_url 'https://github.com/sous-chefs/ossec'
-chef_version '>= 12.5' if respond_to?(:chef_version)
--- a/recipes/agent.rb
+++ b/recipes/agent.rb
@@ -15,6 +15,5 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#

 include_recipe 'ossec::client'
--- a/recipes/agent_auth.rb
+++ b/recipes/agent_auth.rb
@@ -15,7 +15,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#

 include_recipe 'ossec::install_agent'


--- a/recipes/authd.rb
+++ b/recipes/authd.rb
@@ -17,7 +17,7 @@
 # limitations under the License.
 #

-include_recipe 'ossec::install_server'
+ossec_server_install 'server'
 include_recipe 'ossec::common'

 authd = node['ossec']['authd']

--- a/recipes/client.rb
+++ b/recipes/client.rb
-#
-# Cookbook:: ossec
-# Recipe:: client
-#
-# Copyright:: 2010-2017, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-ossec_server = []
-
-search_string = "role:#{node['ossec']['server_role']}"
-search_string << " AND chef_environment:#{node['ossec']['server_env']}" if node['ossec']['server_env']
-
-if node.run_list.roles.include?(node['ossec']['server_role'])
-  ossec_server << node['ipaddress']
-else
-  search(:node, search_string) do |n|
-    ossec_server << n['ipaddress']
-  end
-end
-
-node.normal['ossec']['agent_server_ip'] = ossec_server.first
-
-include_recipe 'ossec::install_agent'
-
-dbag_name = node['ossec']['data_bag']['name']
-dbag_item = node['ossec']['data_bag']['ssh']
-ossec_key = data_bag_item(dbag_name, dbag_item)
-
-directory "#{node['ossec']['dir']}/.ssh" do
-  owner 'ossec'
-  group 'ossec'
-  mode '0750'
-end
-
-template "#{node['ossec']['dir']}/.ssh/authorized_keys" do
-  source 'ssh_key.erb'
-  owner 'ossec'
-  group 'ossec'
-  mode '0600'
-  variables(key: ossec_key['pubkey'])
-end
-
-file "#{node['ossec']['dir']}/etc/client.keys" do
-  owner 'ossec'
-  group 'ossec'
-  mode '0660'
-end
-
-include_recipe 'ossec::common'
--- a/recipes/common.rb
+++ b/recipes/common.rb
@@ -15,9 +15,9 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#

-ruby_block 'ossec install_type' do # ~FC014
+# TODO: we don't want to do this anymore!
+ruby_block 'ossec install_type' do
  block do
    if node['recipes'].include?('ossec::default')
      type = 'local'

--- a/recipes/default.rb
+++ b/recipes/default.rb
-#
-# Cookbook:: ossec
-# Recipe:: default
-#
-# Copyright:: 2010-2017, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include_recipe 'ossec::install_server'
-include_recipe 'ossec::common'
--- a/recipes/install_agent.rb
+++ b/recipes/install_agent.rb
@@ -17,8 +17,4 @@
 # limitations under the License.
 #

-include_recipe 'ossec::repository'
-
-package 'ossec' do
-  package_name value_for_platform_family('debian' => 'ossec-hids-agent', 'default' => 'ossec-hids-client')
-end
+ossec_client_install 'client'
--- a/recipes/install_server.rb
+++ b/recipes/install_server.rb
-#
-# Cookbook:: ossec
-# Recipe:: install_server
-#
-# Copyright:: 2015-2017, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-include_recipe 'ossec::repository'
-
-package 'ossec' do
-  package_name value_for_platform_family('debian' => 'ossec-hids', 'default' => 'ossec-hids-server')
-end
--- a/recipes/repository.rb
+++ b/recipes/repository.rb
-#
-# Cookbook:: ossec
-# Recipe:: repository
-#
-# Copyright:: 2015-2017, Chef Software, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-case node['platform_family']
-when %w(centos redhat scientific oracle fedora amazon)
-  include_recipe 'yum-atomic'
-when 'debian'
-  package 'lsb-release'
-
-  ohai 'reload lsb' do
-    plugin 'lsb'
-    action :nothing
-    subscribes :reload, 'package[lsb-release]', :immediately
-  end
-
-  apt_repository 'ossec' do
-    uri 'http://ossec.wazuh.com/repos/apt/' + node['platform']
-    key 'http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key'
-    distribution lazy { node['lsb']['codename'] }
-    components ['main']
-  end
-end
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -17,7 +17,7 @@
 # limitations under the License.
 #

-include_recipe 'ossec::install_server'
+ossec_server_install 'server'

 ssh_hosts = []


--- a/resources/client_config.rb
+++ b/resources/client_config.rb
+property :dir, String, default: '/var/ossec'
+property :ossec_key, String, default: lazy { ossec_key['pubkey'] }
+property :ossec_server, [String, Array]
+
+action :config do
+  directory "#{new_resource.dir}/.ssh" do
+    owner 'ossec'
+    group 'ossec'
+    mode '0750'
+  end
+
+  template "#{new_resource.dir}/.ssh/authorized_keys" do
+    source 'ssh_key.erb'
+    owner 'ossec'
+    group 'ossec'
+    mode '0600'
+    variables(
+      key: new_resource.ossec_key
+    )
+  end
+
+  file "#{new_resource.dir}/etc/client.keys" do
+    owner 'ossec'
+    group 'ossec'
+    mode '0660'
+  end
+end
--- a/resources/client_install.rb
+++ b/resources/client_install.rb
+property :name, String, name_property: true
+property :package_name, String, default: lazy {
+  case node['platform_family']
+  when 'debian'
+    'ossec-hids-agent'
+  else
+    'ossec-hids-client'
+  end
+}
+
+action :install do
+  case node['platform_family']
+  when %w(centos redhat scientific oracle fedora amazon)
+    include_recipe 'yum-atomic'
+  when 'debian'
+    package 'lsb-release'
+
+    ohai 'reload lsb' do
+      plugin 'lsb'
+      action :nothing
+      subscribes :reload, 'package[lsb-release]', :immediately
+    end
+
+    apt_repository 'ossec' do
+      uri 'http://ossec.wazuh.com/repos/apt/' + node['platform']
+      key 'http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key'
+      distribution lazy { node['lsb']['codename'] }
+      components ['main']
+    end
+  end
+
+  package new_resource.package_name.to_s
+end
--- a/resources/conf_agent.rb
+++ b/resources/conf_agent.rb
+property :name, String, name_property: true
+
+action :configure do
+end
--- a/resources/conf_local.rb
+++ b/resources/conf_local.rb
+property :name, String, name_property: true
+
+action :configure do
+end
--- a/resources/conf_server.rb
+++ b/resources/conf_server.rb
+property :name, String, name_property: true
+
+action :configure do
+end
--- a/resources/server_install.rb
+++ b/resources/server_install.rb
+property :name, String, name_property: true
+property :package_name, String, default: lazy {
+  case node['platform_family']
+  when 'debian'
+    'ossec-hids'
+  else
+    'ossec-hids-server'
+  end
+}
+
+default_action :install
+action :install do
+  case node['platform_family']
+  when %w(centos redhat scientific oracle fedora amazon)
+    include_recipe 'yum-atomic'
+  when 'debian'
+    package 'lsb-release'
+
+    ohai 'reload lsb' do
+      plugin 'lsb'
+      action :nothing
+      subscribes :reload, 'package[lsb-release]', :immediately
+    end
+
+    apt_repository 'ossec' do
+      uri 'http://ossec.wazuh.com/repos/apt/' + node['platform']
+      key 'http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key'
+      distribution new_resource.distribution
+      components ['main']
+    end
+  end
+
+  package new_resource.package_name
+end
--- a/attributes/authd.rb
+++ b/attributes/authd.rb
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -17,17 +17,6 @@
 # limitations under the License.
 #

-# general settings
-default['ossec']['dir']             = '/var/ossec'
-default['ossec']['server_role']     = 'ossec_server'
-default['ossec']['server_env']      = nil
-default['ossec']['agent_server_ip'] = nil
-
-# data bag configuration
-default['ossec']['data_bag']['encrypted']  = false
-default['ossec']['data_bag']['name']       = 'ossec'
-default['ossec']['data_bag']['ssh']        = 'ssh'
-
 # ossec-batch-manager.pl location varies
 default['ossec']['agent_manager'] = value_for_platform_family(
  %w( rhel fedora suse amazon ) => '/usr/share/ossec/contrib/ossec-batch-manager.pl',

--- a/test/fixtures/cookbooks/test/client_with_search.rb
+++ b/test/fixtures/cookbooks/test/client_with_search.rb
+server = []
+server_role = 'ossec_server'
+server_env = nil
+
+search_string = "role:#{server_role}"
+search_string << " AND chef_environment:#{server_env}" if server_env
+
+if node.run_list.roles.include?(node['ossec']['server_role'])
+  server << node['ipaddress']
+else
+  search(:node, search_string) do |n|
+    server << n['ipaddress']
+  end
+end
+
+agent_server_ip = ossec_server.first
+
+ossec_client_install 'client'
+
+key = data_bag_item('ossec', 'ssh')
+
+ossec_client_config '' do
+  ossec_key key
+  ossec_server agent_server_ip
+end
+
+include_recipe 'ossec::common'
--- a/test/fixtures/cookbooks/test/metadata.rb
+++ b/test/fixtures/cookbooks/test/metadata.rb