Removal of deprecated attributes #145

Merged
merged 1 commit into from
Dec 20, 2016
10 changes: 0 additions & 10 deletions README.md
@@ -160,16 +160,6 @@ This is a ChrootDirectory ownership problem. sshd will reject SFTP connections t

See [https://wiki.archlinux.org/index.php/SFTP_chroot](https://wiki.archlinux.org/index.php/SFTP_chroot)

## Deprecation Notices

* `node['ssh-hardening']['ssh']['cbc_required']` has been deprecated in favour of `node['ssh-hardening']['ssh']['client']['cbc_required']` and `node['ssh-hardening']['ssh']['server']['cbc_required']`.

* `node['ssh-hardening']['ssh']['weak_hmac']` has been deprecated in favour of `node['ssh-hardening']['ssh']['client']['weak_hmac']` and `node['ssh-hardening']['ssh']['server']['weak_hmac']`.

* `node['ssh-hardening']['ssh']['weak_kex']` has been deprecated in favour of `node['ssh-hardening']['ssh']['client']['weak_kex']` and `node['ssh-hardening']['ssh']['server']['weak_kex']`.

* The old attributes are still supported but will be removed in the future. In case one of the legacy attributes is set, it still precedes the newly added attributes to allow for backward compatibility.

## Contributors + Kudos

* Dominik Richter [arlimus](https://github.com/arlimus)
26 changes: 0 additions & 26 deletions recipes/client.rb
@@ -30,32 +30,6 @@
group 'root'
end

# warn about cipher depreciations and support legacy attributes
%w(weak_hmac weak_kex cbc_required).each do |setting|
next unless node['ssh-hardening']['ssh'][setting]
# If at least one of the specific client/server attributes was used,
# we assume the global attribute to be a leftover from previous runs and
# just ignore it.
#
# If both client and server settings are default (false) we use the global
# value for both client and server for backward compatibility - the user may
# not have noticed the new attributes yet and did request the weak settings
# in the past. We don't want to break too many things.
if !node['ssh-hardening']['ssh']['client'][setting] && !node['ssh-hardening']['ssh']['server'][setting]
log "deprecated-ssh/#{setting}_client" do
message "ssh/client/#{setting} set from deprecated ssh/#{setting}"
level :warn
end
node.default['ssh-hardening']['ssh']['client'][setting] = node['ssh-hardening']['ssh'][setting]
else
log "ignored-ssh/#{setting}_client" do
message "Ignoring ssh/#{setting}:true for client"
only_if { !node['ssh-hardening']['ssh']['client'][setting] }
level :warn
end
end
end

template '/etc/ssh/ssh_config' do
source 'openssh.conf.erb'
mode '0644'
26 changes: 0 additions & 26 deletions recipes/server.rb
@@ -60,32 +60,6 @@
group 'root'
end

# warn about cipher depreciations and support legacy attributes
%w(weak_hmac weak_kex cbc_required).each do |setting|
next unless node['ssh-hardening']['ssh'][setting]
# If at least one of the specific client/server attributes was used,
# we assume the global attribute to be a leftover from previous runs and
# just ignore it.
#
# If both client and server settings are default (false) we use the global
# value for both client and server for backward compatibility - the user may
# not have noticed the new attributes yet and did request the weak settings
# in the past. We don't want to break too many things.
if !node['ssh-hardening']['ssh']['server'][setting] && !node['ssh-hardening']['ssh']['client'][setting]
log "deprecated-ssh/#{setting}_server" do
message "ssh/server/#{setting} set from deprecated ssh/#{setting}"
level :warn
end
node.default['ssh-hardening']['ssh']['server'][setting] = node['ssh-hardening']['ssh'][setting]
else
log "ignored-ssh/#{setting}_server" do
message "Ignoring ssh/#{setting}:true for server"
only_if { !node['ssh-hardening']['ssh']['server'][setting] }
level :warn
end
end
end

template '/etc/ssh/sshd_config' do
source 'opensshd.conf.erb'
mode '0600'
111 changes: 0 additions & 111 deletions spec/recipes/client_spec.rb
@@ -69,10 +69,6 @@
end

include_examples 'allow weak hmacs'

it 'does not warn about depreciation' do
expect(chef_run).not_to write_log('deprecated-ssh/weak_hmac_cliet')
end
end

context 'weak_hmac enabled only for the server' do
@@ -93,10 +89,6 @@
end

include_examples 'allow weak kexs'

it 'does not warn about depreciation' do
expect(chef_run).not_to write_log('deprecated-ssh/weak_kex_client')
end
end

context 'weak_kexs enabled for the server only' do
@@ -117,10 +109,6 @@
end

include_examples 'allow weak ciphers'

it 'does not warn about depreciation' do
expect(chef_run).not_to write_log('deprecated-ssh/cbc_required_client')
end
end

context 'cbc_required set for the server only' do
@@ -133,105 +121,6 @@
include_examples 'does not allow weak ciphers'
end

describe 'backward compatibility' do
context 'legacy attribute ssl/weak_hmac set' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['weak_hmac'] = true
end.converge(described_recipe)
end

include_examples 'allow weak hmacs'
include_examples 'does not allow weak kexs'
include_examples 'does not allow weak ciphers'

it 'warns about depreciation' do
expect(chef_run).to write_log('deprecated-ssh/weak_hmac_client').with(
message: 'ssh/client/weak_hmac set from deprecated ssh/weak_hmac',
level: :warn
)
end
end

context 'legacy attribute weak_kex set' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['weak_kex'] = true
end.converge(described_recipe)
end

include_examples 'allow weak kexs'
include_examples 'does not allow weak hmacs'
include_examples 'does not allow weak ciphers'

it 'warns about depreciation' do
expect(chef_run).to write_log('deprecated-ssh/weak_kex_client').with(
message: 'ssh/client/weak_kex set from deprecated ssh/weak_kex',
level: :warn
)
end
end

context 'legacy attribute cbc_required set' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['cbc_required'] = true
end.converge(described_recipe)
end

include_examples 'allow weak ciphers'
include_examples 'does not allow weak hmacs'
include_examples 'does not allow weak kexs'
include_examples 'allow ctr ciphers'

it 'warns about depreciation' do
expect(chef_run).to write_log('deprecated-ssh/cbc_required_client').with(
message: 'ssh/client/cbc_required set from deprecated ssh/cbc_required',
level: :warn
)
end
end
end

%w(weak_hmac weak_kex cbc_required).each do |attr|
describe "transition logic for #{attr}" do
context "global #{attr}:true, client:false and server:true" do
# don't use cache, log persists
let(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh'][attr] = true
node.normal['ssh-hardening']['ssh']['client'][attr] = false
node.normal['ssh-hardening']['ssh']['server'][attr] = true
end.converge(described_recipe)
end

it "warns about ignoring the global #{attr} value for the client" do
expect(chef_run).to write_log("ignored-ssh/#{attr}_client").with(
message: "Ignoring ssh/#{attr}:true for client",
level: :warn
)
end
end

context "global #{attr}:true, client:true and server:false" do
# don't use cache, log persists
let(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh'][attr] = true
node.normal['ssh-hardening']['ssh']['client'][attr] = true
node.normal['ssh-hardening']['ssh']['server'][attr] = false
end.converge(described_recipe)
end

it "does not warn about ignoring the global #{attr}" do
expect(chef_run).not_to write_log("ignored-ssh/#{attr}_client").with(
level: :warn
)
end
end
end
end

context 'chef-solo' do
cached(:chef_run) do
ChefSpec::SoloRunner.new.converge(described_recipe)
111 changes: 0 additions & 111 deletions spec/recipes/server_spec.rb
@@ -68,10 +68,6 @@
end

include_examples 'allow weak hmacs'

it 'does not warn about depreciation' do
expect(chef_run).not_to write_log('deprecated-ssh/weak_hmac_server')
end
end

context 'with weak hmacs enabled for only the client' do
@@ -92,10 +88,6 @@
end

include_examples 'allow weak kexs'

it 'does not warn about depreciation' do
expect(chef_run).not_to write_log('deprecated-ssh/weak_kex_server')
end
end

context 'weak_kex enabled for only the client' do
@@ -116,10 +108,6 @@
end

include_examples 'allow weak ciphers'

it 'does not warn about depreciation' do
expect(chef_run).not_to write_log('deprecated-ssh/weak_kex_server')
end
end

context 'cbc_required for the client only' do
@@ -132,105 +120,6 @@
include_examples 'does not allow weak ciphers'
end

describe 'backward compatibility' do
context 'legacy attribute weak hmac set' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['weak_hmac'] = true
end.converge(described_recipe)
end

include_examples 'allow weak hmacs'
include_examples 'does not allow weak kexs'
include_examples 'does not allow weak ciphers'

it 'warns about depreciation' do
expect(chef_run).to write_log('deprecated-ssh/weak_hmac_server').with(
message: 'ssh/server/weak_hmac set from deprecated ssh/weak_hmac',
level: :warn
)
end
end

context 'legacy attribute weak_kex set' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['weak_kex'] = true
end.converge(described_recipe)
end

include_examples 'allow weak kexs'
include_examples 'does not allow weak hmacs'
include_examples 'does not allow weak ciphers'

it 'warns about depreciation' do
expect(chef_run).to write_log('deprecated-ssh/weak_kex_server').with(
message: 'ssh/server/weak_kex set from deprecated ssh/weak_kex',
level: :warn
)
end
end

context 'legacy attribute cbc_required set' do
cached(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh']['cbc_required'] = true
end.converge(described_recipe)
end

include_examples 'allow weak ciphers'
include_examples 'does not allow weak hmacs'
include_examples 'does not allow weak kexs'
include_examples 'allow ctr ciphers'

it 'warns about depreciation' do
expect(chef_run).to write_log('deprecated-ssh/cbc_required_server').with(
message: 'ssh/server/cbc_required set from deprecated ssh/cbc_required',
level: :warn
)
end
end

%w(weak_hmac weak_kex cbc_required).each do |attr|
describe "transition logic for #{attr}" do
context "global #{attr} true, client true and server false" do
# don't use cache, log persists
let(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh'][attr] = true
node.normal['ssh-hardening']['ssh']['client'][attr] = true
node.normal['ssh-hardening']['ssh']['server'][attr] = false
end.converge(described_recipe)
end

it "warns about ignoring the global #{attr} value for the server" do
expect(chef_run).to write_log("ignored-ssh/#{attr}_server").with(
message: "Ignoring ssh/#{attr}:true for server",
level: :warn
)
end
end

context "global #{attr} true, client false and server true" do
# don't use cache, log persists
let(:chef_run) do
ChefSpec::ServerRunner.new do |node|
node.normal['ssh-hardening']['ssh'][attr] = true
node.normal['ssh-hardening']['ssh']['client'][attr] = false
node.normal['ssh-hardening']['ssh']['server'][attr] = true
end.converge(described_recipe)
end

it "does not warn about ignoring the global #{attr}" do
expect(chef_run).not_to write_log("ignored-ssh/#{attr}_server").with(
level: :warn
)
end
end
end
end
end

it 'restarts the ssh server on config changes' do
resource = chef_run.template('/etc/ssh/sshd_config')
expect(resource).to notify('service[sshd]').to(:restart).delayed