#4 - [COOK-4715] - add upgrade recipe and complete test harness

Signed-off-by: Sean OMeara <[email protected]>

.gitignore

@@ -0,0 +1,17 @@
+.vagrant
+Berksfile.lock
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+/cookbooks
+
+# Bundler
+Gemfile.lock
+bin/*
+.bundle/*
+
+.kitchen/
+.kitchen.local.yml

.kitchen.yml

@@ -0,0 +1,25 @@
+---
+driver_plugin: vagrant
+
+driver_config:
+  require_chef_omnibus: true
+
+provisioner:
+  name: chef_zero
+
+platforms:
+  - name: ubuntu-12.04
+  - name: ubuntu-14.04
+  - name: debian-7.4
+  - name: centos-6.5
+
+suites:
+- name: upgrade
+  run_list:
+  - recipe[test]
+  - recipe[postfix]
+  - recipe[openssl::upgrade]
+  attributes:
+    openssl:
+      restart_services:
+      - postfix

.rubocop.yml

@@ -0,0 +1,28 @@
+AllCops:
+  Includes:
+    - Berksfile
+    - Gemfile
+    - Rakefile
+    - Thorfile
+    - Guardfile
+  Excludes:
+    - vendor/**
+
+ClassLength:
+  Enabled: false
+Documentation:
+  Enabled: false
+Encoding:
+  Enabled: false
+HashSyntax:
+  Enabled: false
+LineLength:
+  Enabled: false
+MethodLength:
+  Enabled: false
+SignalException:
+  Enabled: false
+TrailingComma:
+  Enabled: false
+WordArray:
+  Enabled: false

Berksfile

@@ -0,0 +1,8 @@
+source 'https://api.berkshelf.com'
+
+metadata
+
+group :integration do
+  cookbook 'test', :path => 'test/fixtures/cookbooks/test'
+  cookbook 'postfix'
+end

README.md

@@ -1,27 +1,55 @@
 openssl Cookbook
 ================
-Provide a library method to generate secure random passwords in recipes.
+
+This cookbook provides a library method to generate secure random passwords in recipes using the Ruby OpenSSL library.
+
+It also provides an attribute-driven recipe for upgrading OpenSSL packages.
 
 Requirements
 ------------
-Works on any platform with OpenSSL Ruby bindings installed, which are a requirement for Chef anyway.
 
+The `secure_password` works on any platform with OpenSSL Ruby bindings installed, which are a requirement for Chef anyway.
+
+The upgrade recipe works on the following tested platforms:
+
+* Ubuntu 12.04, 14.04
+* Debian 7.4
+* CentOS 6.5
+
+It may work on other platforms or versions of the above platforms with or without modification.
+
+[Chef Sugar](https://github.com/sethvargo/chef-sugar) was introduced as a dependency to provide helpers that make the default attribute settings (see Attributes) easier to reason about.
+
+Attributes
+----------
+
+* `node['openssl']['packages']` - An array of packages of openssl. The default attributes attempt to be smart about which packages are the default, but this may need to be changed by users of the `openssl::upgrade` recipe.
+* `node['openssl']['restart_services']` - An array of service resources that use the `node['openssl']['packages']`. This is empty by default as Chef has no reliably reasonable way to detect which applications or services are compiled against these packages. *Note* These each need to be "`service`" resources specified somewhere in the recipes in the node's run list.
+
+Recipes
+-------
+
+### upgrade
+
+The upgrade recipe iterates over the list of packages in the `node['openssl']['packages']` attribute and manages them with the `:upgrade` action. Each package will send `:restart` notification to service resources named by the `node['openssl']['restart_services']` attribute.
 
 Usage
 -----
-Most often this will be used to generate a secure password for an attribute.
+
+Most often this will be used to generate a secure password for an attribute. In a recipe:
 
 ```ruby
-include Opscode::OpenSSL::Password
-set_unless[:my_password] = secure_password
+::Chef::Recipe.send(:include, Opscode::OpenSSL::Password)
+node.set_unless[:my_password] = secure_password
 ```
 
+To use the `openssl::upgrade` recipe, set the attributes as mentioned above. For example, we have a "stats_collector" service that uses openssl. It has a recipe that looks like this:
+
 LWRP
 ==== 
 
 This cookbook includes an LWRP for generating Self Signed Certificates
 
-
 ## openssl_x509
 generate a pem formatted x509 cert + key  
 
@@ -53,9 +81,25 @@ License and Author
 
 Author:: Jesse Nelson (<[email protected]>)
 Author:: Joshua Timberman (<[email protected]>)
+=======
+
+
+```ruby
+node.default['openssl']['restart_services'] = ['stats_collector']
+
+# other recipe code here...
+service 'stats_collector' do
+  action [:enable, :start]
+end
+
+include_recipe 'openssl::upgrade'
+```
+
+This will ensure that openssl is upgraded to the latest version so the `stats_collector` service won't be exploited (hopefully!).
 
 ```text
 Copyright:: 2009-2011, Opscode, Inc
+Copyright:: 2014, Chef Software, Inc <[email protected]>
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

attributes/default.rb

@@ -0,0 +1,21 @@
+#
+# Cookbook Name:: openssl
+# Attributes:: default
+#
+# Copyright 2014, Chef Software, Inc. <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+default['openssl']['packages'] = []
+default['openssl']['restart_services'] = []

metadata.rb

@@ -1,9 +1,13 @@
-name             "openssl"
-maintainer       "Opscode, Inc."
-maintainer_email "[email protected]"
-license          "Apache 2.0"
-description      "Provides a library with a method for generating secure random passwords."
+name             'openssl'
+maintainer       'Opscode, Inc.'
+maintainer_email '[email protected]'
+license          'Apache 2.0'
+description      'Provides a library with a method for generating secure random passwords.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          "1.1.1"
+version          '1.1.1'
 
-recipe "openssl", "Empty, this cookbook provides a library, see README.md"
+recipe 'openssl', 'Empty, this cookbook provides a library, see README.md'
+
+# chef-sugar greatly reduces the amount of code required to check
+# conditionals for the attributes used in the upgrader recipe.
+depends 'chef-sugar'

recipes/default.rb

@@ -16,4 +16,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-

recipes/upgrade.rb

@@ -0,0 +1,39 @@
+#
+# Cookbook Name:: openssl
+# Recipe:: upgrade
+#
+# Copyright 2014, Chef Software, Inc. <[email protected]>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+include_recipe 'chef-sugar'
+
+node.default['openssl']['packages'] = case
+                                      when debian_before_or_at_squeeze?, ubuntu_before_or_at_lucid?
+                                        %w{libssl0.9.8 openssl}
+                                      when debian_after_or_at_wheezy?, ubuntu_after_or_at_precise?
+                                        %w{libssl1.0.0 openssl}
+                                      when rhel?
+                                        %w{openssl}
+                                      else
+                                        []
+                                      end
+
+node['openssl']['packages'].each do |ssl_pkg|
+  package ssl_pkg do
+    action :upgrade
+    node['openssl']['restart_services'].each do |ssl_svc|
+      notifies :restart, "service[#{ssl_svc}]"
+    end
+  end
+end

spec/recipes/upgrade_spec.rb

@@ -0,0 +1,68 @@
+require_relative '../spec_helper'
+
+describe 'openssl::upgrade' do
+  context 'notify restart on upgrade' do
+    let(:chef_run) do
+      ChefSpec::Runner.new(
+        :platform => 'debian',
+        :version => '7.4'
+      ) do |node|
+        node.set['openssl']['packages'] = ['openssl']
+        node.set['openssl']['restart_services'] = ['httpd']
+      end.converge('test::httpd', described_recipe)
+    end
+
+    let(:package) { chef_run.package('openssl') }
+
+    it 'restart httpd when upgrading openssl' do
+      expect(package).to notify('service[httpd]').to(:restart)
+    end
+
+  end
+  context 'ubuntu_before_or_at_lucid' do
+    let(:chef_run) do
+      ChefSpec::Runner.new(
+        :platform => 'ubuntu',
+        :version => '10.04'
+      ).converge(described_recipe)
+    end
+
+    it 'will upgrade the libssl0.9.8 package' do
+      expect(chef_run).to upgrade_package('libssl0.9.8')
+    end
+
+    it 'will upgrade the openssl package' do
+      expect(chef_run).to upgrade_package('openssl')
+    end
+
+  end
+
+  context 'ubuntu_after_or_at_precise' do
+    let(:chef_run) do
+      ChefSpec::Runner.new(
+        :platform => 'ubuntu',
+        :version => '12.04'
+      ).converge(described_recipe)
+    end
+
+    it 'will upgrade the libssl1.0.0 package' do
+      expect(chef_run).to upgrade_package('libssl1.0.0')
+    end
+
+    it 'will upgrade the openssl package' do
+      expect(chef_run).to upgrade_package('openssl')
+    end
+  end
+
+  context 'redhat_enterprise' do
+    let(:chef_run) do
+      ChefSpec::Runner.new(
+        :platform => 'redhat',
+        :version => '6.5'
+      ).converge(described_recipe)
+    end
+    it 'will upgrade the openssl package' do
+      expect(chef_run).to upgrade_package('openssl')
+    end
+  end
+end

spec/spec_helper.rb

@@ -0,0 +1,7 @@
+require 'chefspec'
+require 'chefspec/berkshelf'
+
+RSpec.configure do |config|
+  config.color_enabled = true
+  config.formatter = :documentation
+end

test/fixtures/cookbooks/test/metadata.rb

@@ -0,0 +1,4 @@
+name             'test'
+license          'Apache 2.0'
+description      'Installs/Configures test'
+version          '0.1.0'

test/fixtures/cookbooks/test/recipes/default.rb

@@ -0,0 +1,21 @@
+#
+# Cookbook Name:: test
+# Recipe:: default
+#
+# Copyright:: Copyright (c) 2014, Chef Software, Inc. <[email protected]>
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+execute 'apt-get update' if platform_family?('debian')

test/fixtures/cookbooks/test/recipes/httpd.rb

@@ -0,0 +1 @@
+service('httpd') { action :nothing }