(MODULES-8108) - Support added for Debian 9
Updated default params added.
Exclusions added for certain features.
Removed some code for Ubuntu 10.04
david22swan committed Nov 21, 2018
1 parent a828647 commit 36392e4
Showing 10 changed files with 154 additions and 67 deletions.
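--- a/manifests/mod/dav_svn.pp
+++ b/manifests/mod/dav_svn.pp
@@ -13,7 +13,7 @@
 
 ::apache::mod { 'dav_svn': }
 
-if $::osfamily == 'Debian' and ($::operatingsystemmajrelease != '6' and $::operatingsystemmajrelease != '10.04' and $::operatingsystemrelease != '10.04' and $::operatingsystemmajrelease != '16.04') {
+if $::osfamily == 'Debian' and ! ($::operatingsystemmajrelease in ['6', '16.04', '9']) {
 $loadfile_name = undef
 } else {
 $loadfile_name = 'dav_svn_authz_svn.load'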
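Review bot: The release list `['6', '16.04', '9']` pins Debian 9 by exact string, while manifests/params.pp in this same commit selects the stretch package set with `versioncmp($::operatingsystemrelease, '9') >= 0`. A later Debian release would therefore take `libapache2-mod-svn` from params.pp but land in the `$loadfile_name = undef` branch here, which looks unintended. I would use the same `versioncmp` test in both places, or at least add a comment such as `# majrelease values under osfamily Debian: '6' and '9' are Debian, '16.04' is Ubuntu` so the mixed list is not misread. The `if`/`else` body continues past the end of the hunk.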
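--- a/manifests/mod/security.pp
+++ b/manifests/mod/security.pp
@@ -128,6 +131,9 @@
 }
 }
 
-unless $::operatingsystem == 'SLES' { apache::security::rule_link { $activated_rules: } }
+# Debian 9 has a different rule setup
+unless $::operatingsystem == 'SLES' or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) {
+apache::security::rule_link { $activated_rules: }
+}
 
 }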
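Review bot: For Debian 9 and later no `apache::security::rule_link` is declared at all, so whatever the caller passes in `$activated_rules` appears to be dropped without any message, and the comment `# Debian 9 has a different rule setup` does not say what loads the rule set instead. On a WAF module that is worth spelling out, because a host can end up with the engine switched on and fewer rules active than the operator believes. I would expand the comment to name the mechanism, e.g. `# Debian >= 9: rules are loaded by <PLACEHOLDER: include path>, so no per-rule symlinks are created`, and consider a `warning()` when `$activated_rules` is set to something other than the default on those releases. The rest of the class is outside this hunk, so the loading path may already exist there.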
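--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -263,6 +263,34 @@
 'wsgi' => 'libapache2-mod-wsgi',
 'xsendfile' => 'libapache2-mod-xsendfile',
 }
+} elsif ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) {
+# Debian stretch uses a different dav_svn from Ubuntu Xenial
+$php_version = '7.0'
+$mod_packages = {
+'auth_cas' => 'libapache2-mod-auth-cas',
+'auth_kerb' => 'libapache2-mod-auth-kerb',
+'auth_gssapi' => 'libapache2-mod-auth-gssapi',
+'auth_mellon' => 'libapache2-mod-auth-mellon',
+'authnz_pam' => 'libapache2-mod-authnz-pam',
+'dav_svn' => 'libapache2-mod-svn',
+'fastcgi' => 'libapache2-mod-fastcgi',
+'fcgid' => 'libapache2-mod-fcgid',
+'geoip' => 'libapache2-mod-geoip',
+'intercept_form_submit' => 'libapache2-mod-intercept-form-submit',
+'lookup_identity' => 'libapache2-mod-lookup-identity',
+'nss' => 'libapache2-mod-nss',
+'pagespeed' => 'mod-pagespeed-stable',
+'passenger' => 'libapache2-mod-passenger',
+'perl' => 'libapache2-mod-perl2',
+'phpXXX' => 'libapache2-mod-phpXXX',
+'python' => 'libapache2-mod-python',
+'rpaf' => 'libapache2-mod-rpaf',
+'security' => 'libapache2-mod-security2',
+'shib2' => 'libapache2-mod-shib2',
+'suphp' => 'libapache2-mod-suphp',
+'wsgi' => 'libapache2-mod-wsgi',
+'xsendfile' => 'libapache2-mod-xsendfile',
+}
 } else {
 # major.minor version used since Debian stretch and Ubuntu Xenial
 $php_version = '7.0'
@@ -326,28 +354,52 @@
 $secpcrematchlimit = 1500
 $secpcrematchlimitrecursion = 1500
 $modsec_secruleengine = 'On'
-$modsec_default_rules = [
-'base_rules/modsecurity_35_bad_robots.data',
-'base_rules/modsecurity_35_scanners.data',
-'base_rules/modsecurity_40_generic_attacks.data',
-'base_rules/modsecurity_50_outbound.data',
-'base_rules/modsecurity_50_outbound_malware.data',
-'base_rules/modsecurity_crs_20_protocol_violations.conf',
-'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
-'base_rules/modsecurity_crs_23_request_limits.conf',
-'base_rules/modsecurity_crs_30_http_policy.conf',
-'base_rules/modsecurity_crs_35_bad_robots.conf',
-'base_rules/modsecurity_crs_40_generic_attacks.conf',
-'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
-'base_rules/modsecurity_crs_41_xss_attacks.conf',
-'base_rules/modsecurity_crs_42_tight_security.conf',
-'base_rules/modsecurity_crs_45_trojans.conf',
-'base_rules/modsecurity_crs_47_common_exceptions.conf',
-'base_rules/modsecurity_crs_49_inbound_blocking.conf',
-'base_rules/modsecurity_crs_50_outbound.conf',
-'base_rules/modsecurity_crs_59_outbound_blocking.conf',
-'base_rules/modsecurity_crs_60_correlation.conf',
-]
+if $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0 {
+$modsec_default_rules = [
+'crawlers-user-agents.data',
+'iis-errors.data',
+'java-code-leakages.data',
+'java-errors.data',
+'lfi-os-files.data',
+'php-config-directives.data',
+'php-errors.data',
+'php-function-names-933150.data',
+'php-function-names-933151.data',
+'php-variables.data',
+'restricted-files.data',
+'scanners-headers.data',
+'scanners-urls.data',
+'scanners-user-agents.data',
+'scripting-user-agents.data',
+'sql-errors.data',
+'sql-function-names.data',
+'unix-shell.data',
+'windows-powershell-commands.data',
+]
+} else {
+$modsec_default_rules = [
+'base_rules/modsecurity_35_bad_robots.data',
+'base_rules/modsecurity_35_scanners.data',
+'base_rules/modsecurity_40_generic_attacks.data',
+'base_rules/modsecurity_50_outbound.data',
+'base_rules/modsecurity_50_outbound_malware.data',
+'base_rules/modsecurity_crs_20_protocol_violations.conf',
+'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
+'base_rules/modsecurity_crs_23_request_limits.conf',
+'base_rules/modsecurity_crs_30_http_policy.conf',
+'base_rules/modsecurity_crs_35_bad_robots.conf',
+'base_rules/modsecurity_crs_40_generic_attacks.conf',
+'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
+'base_rules/modsecurity_crs_41_xss_attacks.conf',
+'base_rules/modsecurity_crs_42_tight_security.conf',
+'base_rules/modsecurity_crs_45_trojans.conf',
+'base_rules/modsecurity_crs_47_common_exceptions.conf',
+'base_rules/modsecurity_crs_49_inbound_blocking.conf',
+'base_rules/modsecurity_crs_50_outbound.conf',
+'base_rules/modsecurity_crs_59_outbound_blocking.conf',
+'base_rules/modsecurity_crs_60_correlation.conf',
+]
+}
 $alias_icons_path = '/usr/share/apache2/icons'
 $error_documents_path = '/usr/share/apache2/error'
 if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) {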
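Review bot: The stretch `$modsec_default_rules` list in the second hunk names only `.data` files, whereas the `else` list kept for older releases also carries the `modsecurity_crs_*.conf` rule files. `.data` files are lookup lists that rules reference rather than rules themselves, so from this hunk it is not clear which default activates any rule on Debian 9 while `$modsec_secruleengine = 'On'` stays set just above. A comment over the new list would settle it, e.g. `# stretch layout: rule .conf files are included by <PLACEHOLDER: include path>; only the .data lookups are listed here`. Separately, the new `$mod_packages` hash in the first hunk repeats every entry for what its comment describes as a different `dav_svn` package; deriving it from a shared base hash (for instance with stdlib `merge()`, if that is available to this module) would stop the two lists drifting.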
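--- a/metadata.json
+++ b/metadata.json
@@ -51,7 +51,8 @@
 {
 "operatingsystem": "Debian",
 "operatingsystemrelease": [
-"8"
+"8",
+"9"
 ]
 },
 {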
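--- a/spec/acceptance/mod_dav_svn_spec.rb
+++ b/spec/acceptance/mod_dav_svn_spec.rb
@@ -4,7 +4,7 @@
 describe 'apache::mod::dav_svn class', unless: (fact('operatingsystem') == 'OracleLinux' && fact('operatingsystemmajrelease') == '7') do
 authz_svn_load_file = case fact('osfamily')
 when 'Debian'
-if fact('operatingsystemmajrelease') == '16.04'
+if fact('operatingsystemmajrelease') == '16.04' || fact('operatingsystemmajrelease') == '9'
 'dav_svn_authz_svn.load'
 else
 'authz_svn.load'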
81 changes: 50 additions & 31 deletions spec/acceptance/mod_passenger_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,11 @@
passenger_ruby = '/usr/bin/ruby'
end
when 'Debian'
case fact('lsbdistcodename')
when 'jessie'
case fact('operatingsystemmajrelease')
when '8'
passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
passenger_default_ruby = '/usr/bin/ruby'
when '9'
passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini'
passenger_default_ruby = '/usr/bin/ruby'
else
Expand Down Expand Up @@ -76,35 +79,35 @@
when 'Debian'
context 'passenger config with passenger_installed_version set' do
pp_one = <<-MANIFEST
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '4.0.0',
passenger_instance_registry_dir => '/some/path/to/nowhere'
}
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '4.0.0',
passenger_instance_registry_dir => '/some/path/to/nowhere'
}
MANIFEST
it 'fails when an option is not valid for $passenger_installed_version' do
apply_manifest(pp_one, expect_failures: true) do |r|
expect(r.stderr).to match(%r{passenger_instance_registry_dir is not introduced until version 5.0.0})
end
end
pp_two = <<-MANIFEST
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_autodetect => 'on'
}
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_autodetect => 'on'
}
MANIFEST
it 'fails when an option is removed' do
apply_manifest(pp_two, expect_failures: true) do |r|
expect(r.stderr).to match(%r{REMOVED PASSENGER OPTION})
end
end
pp_three = <<-MANIFEST
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_ruby => '/some/path/to/ruby'
}
class { 'apache': }
class { 'apache::mod::passenger':
passenger_installed_version => '5.0.0',
rails_ruby => '/some/path/to/ruby'
}
MANIFEST
it 'warns when an option is deprecated' do
apply_manifest(pp_three, catch_failures: true) do |r|
Expand All @@ -113,12 +116,23 @@ class { 'apache::mod::passenger':
end
end
context 'default passenger config' do
pp = <<-MANIFEST
/* stock apache and mod_passenger */
class { 'apache': }
class { 'apache::mod::passenger': }
#{pp_rackapp}
MANIFEST
pp = if ['7', '9', '16.04', '18.04'].include?(fact('operatingsystemmajrelease'))
<<-MANIFEST
/* stock apache and mod_passenger */
class { 'apache': }
class { 'apache::mod::passenger':
passenger_instance_registry_dir => '/var/run',
}
#{pp_rackapp}
MANIFEST
else
<<-MANIFEST
/* stock apache and mod_passenger */
class { 'apache': }
class { 'apache::mod::passenger': }
#{pp_rackapp}
MANIFEST
end
it 'succeeds in puppeting passenger' do
apply_manifest(pp, catch_failures: true)
end
Expand Down Expand Up @@ -150,8 +164,11 @@ class { 'apache::mod::passenger': }
it { is_expected.not_to contain '/PassengerDefaultRuby/' }
end
when 'Debian'
case fact('lsbdistcodename')
when 'jessie'
case fact('operatingsystemmajrelease')
when '8'
it { is_expected.to contain %(PassengerDefaultRuby "#{passenger_default_ruby}") }
it { is_expected.not_to contain '/PassengerRuby/' }
when '9'
it { is_expected.to contain %(PassengerDefaultRuby "#{passenger_default_ruby}") }
it { is_expected.not_to contain '/PassengerRuby/' }
else
Expand All @@ -173,7 +190,8 @@ class { 'apache::mod::passenger': }
# these two lines
unless (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') ||
(fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8')
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
expected_one << [%r{### Processes: [0-9]+}, %r{### Total private dirty RSS: [0-9\.]+ MB}]
end
it 'outputs status via passenger-memory-stats #stdout' do
Expand All @@ -193,27 +211,28 @@ class { 'apache::mod::passenger': }
# even when the passenger process is successfully installed and running
unless fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '12.04'
it 'outputs status via passenger-status #General information' do
shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r|
shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r|
# spacing may vary
expect(r.stdout).to match(%r{[\-]+ General information [\-]+})
end
end
expected_two = if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04' ||
expected_two = if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') ||
(fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') ||
fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8'
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') ||
(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
[%r{Max pool size[ ]+: [0-9]+}, %r{Processes[ ]+: [0-9]+}, %r{Requests in top-level queue[ ]+: [0-9]+}]
else
[%r{max[ ]+= [0-9]+}, %r{count[ ]+= [0-9]+}, %r{active[ ]+= [0-9]+}, %r{inactive[ ]+= [0-9]+}, %r{Waiting on global queue: [0-9]+}]
end
it 'outputs status via passenger-status #stdout' do
shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r|
shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r|
expected_two.each do |expect|
expect(r.stdout).to match(expect)
end
end
end
it 'outputs status via passenger-status #exit_code' do
shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r|
shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r|
expect(r.exit_code).to eq(0)
end
end
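Review bot: `PASSENGER_INSTANCE_REGISTRY_DIR=/var/run` is now prefixed to all three `passenger-status` calls on every platform, but the manifest only sets `passenger_instance_registry_dir => '/var/run'` when `operatingsystemmajrelease` is one of `['7', '9', '16.04', '18.04']`. On the remaining releases the test may point `passenger-status` at a directory Apache is not using; whether the older Passenger versions read that variable at all is not visible from this page. I would compute the choice once, e.g. `registry_dir = ['7', '9', '16.04', '18.04'].include?(fact('operatingsystemmajrelease')) ? '/var/run' : nil`, and build both the manifest and the shell prefix from it. The `when '8'` and `when '9'` arms have identical bodies in both places and could be written `when '8', '9'`.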
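--- a/spec/acceptance/mod_php_spec.rb
+++ b/spec/acceptance/mod_php_spec.rb
@@ -32,7 +32,8 @@ class { 'apache::mod::php': }
 it { is_expected.to be_running }
 end
 
-if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04'
+if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 describe file("#{$mod_dir}/php7.0.conf") do
 it { is_expected.to contain 'DirectoryIndex index.php' }
 end
@@ -120,7 +121,8 @@ class {'apache::mod::php':
 it 'succeeds in puppeting php' do
 apply_manifest(pp, catch_failures: true)
 end
-if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04'
+if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 describe file("#{$mod_dir}/php7.0.conf") do
 it { is_expected.to contain '# somecontent' }
 end
@@ -145,7 +147,8 @@ class {'apache::mod::php':
 apply_manifest(pp, catch_failures: true)
 end
 
-if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04'
+if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 describe file("#{$mod_dir}/php7.0.conf") do
 it { is_expected.to contain '# somecontent' }
 end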
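Review bot: The same two-line platform condition is pasted at three places in this file, each guarding a hard-coded `php7.0.conf`. Hoisting it into one local near the top of the spec, e.g. `php70_platform = (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') || (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')`, and testing `if php70_platform` would keep the three checks from diverging when the next release is added. The enclosing `describe`/`context` blocks start outside the hunks.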
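--- a/spec/acceptance/mod_security_spec.rb
+++ b/spec/acceptance/mod_security_spec.rb
@@ -75,7 +75,8 @@ class { 'apache::mod::security': }
 end
 end
 
-unless fact('operatingsystem') == 'SLES'
+unless fact('operatingsystem') == 'SLES' ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 it 'blocks query with SQL' do
 shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
 end
@@ -114,7 +115,8 @@ class { 'apache::mod::security': }
 it { is_expected.to contain 'mod_security2.c' }
 end
 
-unless fact('operatingsystem') == 'SLES'
+unless fact('operatingsystem') == 'SLES' ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 it 'blocks query with SQL' do
 shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
 end
@@ -176,7 +178,8 @@ class { 'apache::mod::security': }
 it { is_expected.to contain 'mod_security2.c' }
 end
 
-unless fact('operatingsystem') == 'SLES'
+unless fact('operatingsystem') == 'SLES' ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 it 'blocks query with SQL' do
 shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
 end
@@ -242,7 +245,8 @@ class { 'apache::mod::security': }
 it { is_expected.to contain 'mod_security2.c' }
 end
 
-unless fact('operatingsystem') == 'SLES'
+unless fact('operatingsystem') == 'SLES' ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 it 'blocks query with SQL' do
 shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
 end
@@ -308,7 +312,8 @@ class { 'apache::mod::security': }
 it { is_expected.to contain 'mod_security2.c' }
 end
 
-unless fact('operatingsystem') == 'SLES'
+unless fact('operatingsystem') == 'SLES' ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 it 'blocks query with SQL' do
 shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
 end
@@ -374,7 +379,8 @@ class { 'apache::mod::security': }
 it { is_expected.to contain 'mod_security2.c' }
 end
 
-unless fact('operatingsystem') == 'SLES'
+unless fact('operatingsystem') == 'SLES' ||
+(fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')
 it 'blocks query with SQL' do
 shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22]
 end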
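Review bot: The `blocks query with SQL` example is now skipped on Debian 9 in all six contexts, which leaves no assertion in this file that ModSecurity rejects a request on that platform. An engine that is installed but has no effective rules would therefore pass the suite on stretch. I would add a Debian 9 example that checks blocking against whatever rule set is loaded there, or at minimum a comment above the first `unless` stating why the check does not apply, e.g. `# stretch: rules are not linked via rule_link; blocking is covered by <PLACEHOLDER: spec or ticket>`. The guard also compares `operatingsystemmajrelease == '9'` exactly, while the manifests in this commit use `versioncmp(..., '9') >= 0`, so the two will disagree on later Debian releases.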