Add tofs, use pre-salted images

.travis.yml

@@ -11,14 +11,31 @@ language: ruby
 services:
   - docker
 
+# Make sure the instances listed below match up with
+# the `platforms` defined in `kitchen.yml`
 env:
   matrix:
-    - DISTRIB=debian:stretch/9
-    - DISTRIB=ubuntu:xenial/16.04
-    - DISTRIB=ubuntu:bionic/18.04
+    - INSTANCE: default-debian-9-2019-2-py3
+    - INSTANCE: default-ubuntu-1804-2019-2-py3
+    - INSTANCE: default-centos-7-2019-2-py3
+    - INSTANCE: default-fedora-29-2019-2-py3
+    - INSTANCE: default-opensuse-leap-15-2019-2-py3
+    # - INSTANCE: default-debian-9-2018-3-py2
+    # - INSTANCE: default-ubuntu-1604-2018-3-py2
+    # - INSTANCE: default-centos-7-2018-3-py2
+    # - INSTANCE: default-fedora-29-2018-3-py2
+    # TODO: Use this when fixed instead of `opensuse-leap-42`
+    # Ref: https://github.com/netmanagers/salt-image-builder/issues/2
+    # - INSTANCE: default-opensuse-leap-15-2018-3-py2
+    # - INSTANCE: default-opensuse-leap-42-2018-3-py2
+    # - INSTANCE: default-debian-8-2017-7-py2
+    # - INSTANCE: default-ubuntu-1604-2017-7-py2
+    # - INSTANCE: default-centos-6-2017-7-py2
+    # - INSTANCE: default-fedora-28-2017-7-py2
+    # - INSTANCE: default-opensuse-leap-42-2017-7-py2
 
 script:
-  - bundle exec kitchen test
+  - bundle exec kitchen verify ${INSTANCE}
 
 jobs:
   include:

kitchen.yml

@@ -1,32 +1,103 @@
-<%
-distrib, infos    = ENV.fetch('DISTRIB', 'debian:stretch/9').split(':')
-codename, version = infos.split('/')
-%>
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
 ---
+# For help on this file's format, see https://kitchen.ci/
 driver:
   name: docker
   use_sudo: false
   privileged: true
+  run_command: /lib/systemd/systemd
 
-provisioner:
-  name: salt_solo
-  formula: ufw
+# Make sure the platforms listed below match up with
+# the `env.matrix` instances defined in `.travis.yml`
+platforms:
+  ## SALT 2019.2
+  - name: debian-9-2019-2-py3
+    driver:
+      image: netmanagers/salt-2019.2-py3:debian-9
+      provision_command:
+        - apt-get update && apt-get install -y locales
+        - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+        - locale-gen en_US.UTF-8
+  - name: ubuntu-1804-2019-2-py3
+    driver:
+      image: netmanagers/salt-2019.2-py3:ubuntu-18.04
+  - name: centos-7-2019-2-py3
+    driver:
+      image: netmanagers/salt-2019.2-py3:centos-7
+  - name: fedora-29-2019-2-py3
+    driver:
+      image: netmanagers/salt-2019.2-py3:fedora-29
+  - name: opensuse-leap-15-2019-2-py3
+    driver:
+      image: netmanagers/salt-2019.2-py3:opensuse-leap-15
+      run_command: /usr/lib/systemd/systemd
 
-  # Install Salt from official repositories
-  salt_install: apt
-  salt_version: latest
-  salt_apt_repo: https://repo.saltstack.com/apt/<%= distrib %>/<%= version %>/amd64
-  salt_apt_repo_key: https://repo.saltstack.com/apt/<%= distrib %>/<%= version %>/amd64/latest/SALTSTACK-GPG-KEY.pub
+  ## SALT 2018.3
+  - name: debian-9-2018-3-py2
+    driver:
+      image: netmanagers/salt-2018.3-py2:debian-9
+      provision_command:
+        - apt-get update && apt-get install -y locales
+        - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+        - locale-gen en_US.UTF-8
+  - name: ubuntu-1604-2018-3-py2
+    driver:
+      image: netmanagers/salt-2018.3-py2:ubuntu-16.04
+  - name: centos-7-2018-3-py2
+    driver:
+      image: netmanagers/salt-2018.3-py2:centos-7
+  - name: fedora-29-2018-3-py2
+    driver:
+      image: netmanagers/salt-2018.3-py2:fedora-29
+  # TODO: Use this when fixed instead of `opensuse-leap-42`
+  # Ref: https://github.com/netmanagers/salt-image-builder/issues/2
+  # - name: opensuse-leap-15-2018-3-py2
+  #   driver:
+  #     image: netmanagers/salt-2018.3-py2:opensuse-leap-15
+  #     run_command: /usr/lib/systemd/systemd
+  - name: opensuse-leap-42-2018-3-py2
+    driver:
+      image: netmanagers/salt-2018.3-py2:opensuse-leap-42
+      run_command: /usr/lib/systemd/systemd
 
-  # Don't install Chef
-  require_chef: false
+  ## SALT 2017.7
+  - name: debian-8-2017-7-py2
+    driver:
+      image: netmanagers/salt-2017.7-py2:debian-8
+      provision_command:
+        - apt-get update && apt-get install -y locales
+        - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+        - locale-gen en_US.UTF-8
+  - name: ubuntu-1604-2017-7-py2
+    driver:
+      image: netmanagers/salt-2017.7-py2:ubuntu-16.04
+  - name: centos-6-2017-7-py2
+    driver:
+      image: netmanagers/salt-2017.7-py2:centos-6
+      run_command: /sbin/init
+      run_options: -v /lib/modules:/lib/modules:ro
+  - name: fedora-28-2017-7-py2
+    driver:
+      image: netmanagers/salt-2017.7-py2:fedora-28
+  - name: opensuse-leap-42-2017-7-py2
+    driver:
+      image: netmanagers/salt-2017.7-py2:opensuse-leap-42
+      run_command: /usr/lib/systemd/systemd
 
-  # Configure Salt
+provisioner:
+  name: salt_solo
+  log_level: info
+  salt_install: none
+  require_chef: false
+  formula: ufw
+  salt_copy_filter:
+    - .kitchen
+    - .git
   state_top:
     base:
       '*':
         - ufw
-
   pillars:
     top.sls:
       base:
@@ -67,21 +138,15 @@ provisioner:
             protocol: tcp
             comment: Allow HTTPS
 
-platforms:
-  - name: <%= distrib %>-<%= codename %>
-    driver_config:
-      image: "<%= distrib %>:<%= codename %>"
-      platform: <%= distrib %>
-      provision_command:
-        - apt-get update && apt-get install -y locales
-        - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
-        - locale-gen en_US.UTF-8
-      run_command: /lib/systemd/systemd
-
 verifier:
+  # https://www.inspec.io/
   name: inspec
+  sudo: true
+  # cli, documentation, html, progress, json, json-min, json-rspec, junit
   reporter:
-    - progress
+    - cli
+  inspec_tests:
+    - path: test/integration/default
 
 suites:
-  - name: ufw
+  - name: default

test/integration/default/controls/config_spec.rb

@@ -0,0 +1,68 @@
+control 'UFW configuration' do
+
+  title 'Test UFW configuration'
+
+  describe directory('/etc/ufw') do
+    it { should exist }
+  end
+
+  describe file('/etc/ufw/ufw.conf') do
+    its('content') { should include 'ENABLED=' }
+    its('content') { should include 'LOGLEVEL=' }
+  end
+
+  describe command('ufw status verbose | grep Status') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /active/ }
+  end
+
+  describe command('ufw status verbose | grep Logging') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /low/ }
+  end
+
+  describe command('ufw status | grep MySQL') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /ALLOW/ }
+  end
+
+  describe command('ufw status | grep Postgresql') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /LIMIT/ }
+  end
+
+  describe command('ufw status | grep SSH223') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 10.0.0.0') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 22/tcp') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /LIMIT/ }
+  end
+
+  describe command('ufw status | grep 80/tcp') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 443/tcp') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /ALLOW/ }
+  end
+
+  describe command('ufw status | grep 10.0.0.1') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+
+  describe command('ufw status | grep 10.0.0.2') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match /DENY/ }
+  end
+end

test/integration/default/controls/package_spec.rb

@@ -0,0 +1,7 @@
+control 'UFW package' do
+  title 'should be installed'
+
+  describe package('ufw') do
+    it { should be_installed }
+  end
+end

test/integration/default/inspec.yml

@@ -0,0 +1,12 @@
+name: ufw
+title: UFW Formula
+maintainer: Alexandre Anriot
+license: Apache-2.0
+summary: Verify that the ufw formula is setup and configured correctly
+supports:
+  - os-name: debian
+  - os-name: ubuntu
+  - os-name: centos
+  - os-name: fedora
+  - os-name: opensuse
+  - os-name: suse