Merge pull request #108 from Perceptyx/add-inspec-tests

test(default): add inspec for base and maps

Author: myii

docs/README.rst

@@ -53,7 +53,7 @@ Installs and starts postfix SMTP server
 ``postfix.config``
 ^^^^^^^^^^^^^^^^^^
 
-Manages postfix main.cf and optionally the master.cf configuration file
+Manages postfix main.cf and optionally the master.cf configuration file. Generates mappings.
 
 ``postfix.policyd-spf``
 ^^^^^^^^^^^^^^^^^^^^^^^

postfix/config.sls

@@ -101,3 +101,49 @@ postfix_{{ domain }}_ssl_key:
        - service: postfix
 
 {% endfor %}
+
+# manage various mappings
+{% for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
+  {%- set need_postmap = False %}
+  {%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
+  {%- if file_path.startswith('proxy:') %}
+    {#- Discard the proxy:-prefix #}
+    {%- set _, file_type, file_path = file_path.split(':') %}
+  {%- elif ':' in file_path %}
+    {%- set file_type, file_path = file_path.split(':') %}
+  {%- else %}
+    {%- set file_type = default_database_type %}
+  {%- endif %}
+  {%- if not file_path.startswith('/') %}
+    {%- set file_path = postfix.config_path ~ '/' ~ file_path %}
+  {%- endif %}
+  {%- if file_type in ("btree", "cdb", "dbm", "hash", "sdbm") %}
+    {%- set need_postmap = True %}
+  {%- endif %}
+postfix_{{ mapping }}:
+  file.managed:
+    - name: {{ file_path }}
+    - source: salt://postfix/files/mapping.j2
+    - user: root
+    - group: {{ postfix.root_grp }}
+    {%- if mapping.endswith('_sasl_password_maps') %}
+    - mode: 600
+    {%- else %}
+    - mode: 644
+    {%- endif %}
+    - template: jinja
+    - context:
+        data: {{ data|json() }}
+    - require:
+      - pkg: postfix
+      - file: {{ postfix.config_path }}/main.cf
+  {%- if need_postmap %}
+  cmd.wait:
+    - name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}
+    - cwd: /
+    - watch:
+      - file: {{ file_path }}
+    - watch_in:
+      - service: postfix
+  {%- endif %}
+{% endfor %}

postfix/init.sls

@@ -94,48 +94,3 @@ postfix_alias_absent_{{ user }}:
   {%- endfor %}
 {% endif %}
 {% endif %}
-
-# manage various mappings
-{% for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
-  {%- set need_postmap = False %}
-  {%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
-  {%- if file_path.startswith('proxy:') %}
-    {#- Discard the proxy:-prefix #}
-    {%- set _, file_type, file_path = file_path.split(':') %}
-  {%- elif ':' in file_path %}
-    {%- set file_type, file_path = file_path.split(':') %}
-  {%- else %}
-    {%- set file_type = default_database_type %}
-  {%- endif %}
-  {%- if not file_path.startswith('/') %}
-    {%- set file_path = postfix.config_path ~ '/' ~ file_path %}
-  {%- endif %}
-  {%- if file_type in ("btree", "cdb", "dbm", "hash", "sdbm") %}
-    {%- set need_postmap = True %}
-  {%- endif %}
-postfix_{{ mapping }}:
-  file.managed:
-    - name: {{ file_path }}
-    - source: salt://postfix/files/mapping.j2
-    - user: root
-    - group: {{ postfix.root_grp }}
-    {%- if mapping.endswith('_sasl_password_maps') %}
-    - mode: 600
-    {%- else %}
-    - mode: 644
-    {%- endif %}
-    - template: jinja
-    - context:
-        data: {{ data|json() }}
-    - require:
-      - pkg: postfix
-  {%- if need_postmap %}
-  cmd.wait:
-    - name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}
-    - cwd: /
-    - watch:
-      - file: {{ file_path }}
-    - watch_in:
-      - service: postfix
-  {%- endif %}
-{% endfor %}

test/integration/default/controls/postfix_maps_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+control 'Postfix maps' do
+  title 'maps have been generated properly'
+
+  describe command('postmap -q example.com /etc/postfix/transport') do
+    its('stdout') { should eq "10.1.1.1\n" }
+    its('exit_status') { should eq 0 }
+  end
+
+  describe command('postmap -q example.com /etc/postfix/tls_policy') do
+    its('stdout') { should eq "encrypt\n" }
+    its('exit_status') { should eq 0 }
+  end
+
+  describe command('postmap -q .example.com /etc/postfix/tls_policy') do
+    its('stdout') { should eq "encrypt\n" }
+    its('exit_status') { should eq 0 }
+  end
+end

test/integration/default/controls/postfix_spec.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+control 'Postfix config' do
+  title 'config is generated correctly'
+
+  describe postfix_conf do
+    its('biff') { should cmp 'no' }
+    its('compatibility_level') { should cmp '2' }
+    its('append_dot_mydomain') { should cmp 'no' }
+    its('readme_directory') { should cmp 'no' }
+    its('smtpd_sasl_auth_enable') { should cmp 'yes' }
+    its('smtpd_sasl_path') { should cmp '/var/run/dovecot/auth-client' }
+    its('smtpd_sasl_type') { should cmp 'dovecot' }
+    its('smtpd_sasl_security_options') { should cmp 'noanonymous' }
+    its('smtpd_sasl_tls_security_options') { should cmp '$smtpd_sasl_security_options' }
+    its('smtpd_tls_auth_only') { should cmp 'yes' }
+    its('smtpd_use_tls') { should cmp 'yes' }
+    its('smtpd_tls_loglevel') { should cmp '1' }
+    its('smtpd_tls_security_level') { should cmp 'may' }
+    its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' }
+    its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' }
+    its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' }
+    its('smtpd_tls_session_cache_database') do
+      should cmp 'btree:${data_directory}/smtpd_scache'
+    end
+    its('smtpd_tls_mandatory_ciphers') { should cmp 'high' }
+    its('tls_preempt_cipherlist') { should cmp 'yes' }
+    its('smtp_tls_loglevel') { should cmp '1' }
+    its('smtp_tls_security_level') { should cmp 'may' }
+    its('smtp_tls_session_cache_database') do
+      should cmp 'btree:${data_directory}/smtp_scache'
+    end
+    its('myhostname') { should cmp 'localhost' }
+    its('alias_maps') { should cmp 'hash:/etc/aliases' }
+    its('alias_database') { should cmp 'hash:/etc/aliases' }
+    its('mydestination') { should cmp 'localhost, localhost.localdomain' }
+    its('relayhost') { should cmp '' }
+    its('mynetworks') { should cmp '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' }
+    its('mailbox_size_limit') { should cmp '0' }
+    its('recipient_delimiter') { should cmp '+' }
+    its('inet_interfaces') { should cmp '127.0.0.1' }
+    its('inet_protocols') { should cmp 'all' }
+    its('message_size_limit') { should cmp '41943040' }
+    its('smtpd_recipient_restrictions') do
+      should cmp 'permit_mynetworks,'\
+                 ' permit_sasl_authenticated,'\
+                 ' reject_unauth_destination'
+    end
+    its('transport_maps') { should cmp 'hash:/etc/postfix/transport' }
+    its('smtp_tls_policy_maps') { should cmp 'hash:/etc/postfix/tls_policy' }
+    its('smtp_sasl_password_maps') { should cmp 'hash:/etc/postfix/sasl_passwd' }
+    its('sender_canonical_maps') { should cmp 'hash:/etc/postfix/sender_canonical' }
+    its('relay_recipient_maps') { should cmp 'hash:/etc/postfix/relay_domains' }
+    its('virtual_alias_maps') { should cmp 'hash:/etc/postfix/virtual' }
+    its('local_transport') { should cmp 'virtual' }
+    its('local_recipient_maps') { should cmp '$virtual_mailbox_maps' }
+    its('smtpd_relay_restrictions') do
+      should cmp 'permit_mynetworks, '\
+                 'permit_sasl_authenticated, '\
+                 'reject_unauth_destination'
+    end
+    its('smtpd_sasl_local_domain') { should cmp '$mydomain' }
+    its('smtpd_tls_session_cache_timeout') { should cmp '3600s' }
+    its('relay_domains') { should cmp '$mydestination' }
+    its('smtp_use_tls') { should cmp 'yes' }
+    its('smtp_tls_cert_file') do
+      should cmp '/etc/postfix/ssl/example.com-relay-client-cert.crt'
+    end
+    its('smtp_tls_key_file') do
+      should cmp '/etc/postfix/ssl/example.com-relay-client-cert.key'
+    end
+  end
+end

test/salt/pillar/default.sls

@@ -0,0 +1,160 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+postfix:
+  manage_master_config: true
+  master_config:
+    # Preferred way of managing services/processes. This allows for finegrained
+    # control over each service. See postfix/services.yaml for defaults that can
+    # be overridden.
+    services:
+      smtp:
+        # Limit to no more than 10 smtp processes
+        maxproc: 10
+      # Disable oldstyle TLS wrapped SMTP
+      smtps:
+        enable: false
+      # Enable submission service on port 587/tcp with custom options
+      submission:
+        enable: true
+        args:
+          - "-o smtpd_tls_security_level=encrypt"
+          - "-o smtpd_sasl_auth_enable=yes"
+          - "-o smtpd_client_restrictions=permit_sasl_authenticated,reject"
+      tlsproxy:
+        enable: true
+        chroot: true
+
+    # Backwards compatible definition of dovecot delivery in master.cf
+    enable_dovecot: false
+    # Backwards compatible definition of submission listener in master.cf
+    enable_submission: false
+
+  enable_service: true
+  reload_service: true
+
+  config:
+    smtpd_banner: $myhostname ESMTP $mail_name
+    smtp_tls_CApath: /etc/ssl/certs
+    biff: 'no'
+    append_dot_mydomain: 'no'
+    readme_directory: 'no'
+    myhostname: localhost
+    mydestination: localhost, localhost.localdomain
+    relayhost: ''
+    mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+    mailbox_size_limit: 0
+    recipient_delimiter: +
+    # using all has problems in centos with ipv6
+    inet_interfaces: 127.0.0.1
+    inet_protocols: all
+
+    # Alias
+    alias_maps: hash:/etc/aliases
+    # This is the list of files for the newaliases
+    # cmd to process (see postconf(5) for details).
+    # Only local hash/btree/dbm files:
+    alias_database: hash:/etc/aliases
+
+    local_transport: virtual
+    local_recipient_maps: $virtual_mailbox_maps
+    transport_maps: hash:/etc/postfix/transport
+
+    # SMTP server
+    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
+    smtpd_use_tls: 'yes'
+    smtpd_sasl_auth_enable: 'yes'
+    smtpd_sasl_type: dovecot
+    smtpd_sasl_path: /var/run/dovecot/auth-client
+    smtpd_recipient_restrictions: >-
+      permit_mynetworks,
+      permit_sasl_authenticated,
+      reject_unauth_destination
+    smtpd_relay_restrictions: >-
+      permit_mynetworks,
+      permit_sasl_authenticated,
+      reject_unauth_destination
+    smtpd_sasl_security_options: noanonymous
+    smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
+    smtpd_tls_auth_only: 'yes'
+    smtpd_sasl_local_domain: $mydomain
+    smtpd_tls_loglevel: 1
+    smtpd_tls_session_cache_timeout: 3600s
+
+    relay_domains: '$mydestination'
+
+    # SMTP server certificate and key (from pillar data)
+    smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
+    smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
+
+    # SMTP client
+    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+    smtp_use_tls: 'yes'
+    smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
+    smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
+    smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
+
+    smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
+    sender_canonical_maps: hash:/etc/postfix/sender_canonical
+    relay_recipient_maps: hash:/etc/postfix/relay_domains
+    virtual_alias_maps: hash:/etc/postfix/virtual
+
+  aliases:
+    # manage single aliases
+    # this uses the aliases file defined in the minion config, /etc/aliases by default
+    use_file: false
+    present:
+      root: info@example.com
+    absent:
+      - root
+
+  certificates:
+    server-cert:
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your primary SSL certificate: smtp.example.com.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your intermediate certificate: example-ca.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your root certificate: trusted-root.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private key)
+        -----END RSA PRIVATE KEY-----
+
+    example.com-relay-client-cert:
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your primary SSL certificate: smtp.example.com.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private key)
+        -----END RSA PRIVATE KEY-----
+
+  mapping:
+    transport_maps:
+      - example.com: '10.1.1.1'
+
+    smtp_tls_policy_maps:
+      - example.com: encrypt
+      - .example.com: encrypt
+
+    smtp_sasl_password_maps:
+      - smtp.example.com: myaccount:somepassword
+
+    sender_canonical_maps:
+      - root: servers@example.com
+      - nagios: alerts@example.com
+
+    relay_recipient_maps:
+      - example.com: OK
+
+    virtual_alias_maps:
+      - groupaliasexample:
+          - someuser_1@example.com
+          - someuser_2@example.com
+      - singlealiasexample: someuser_3@example.com