diff --git a/manifests/mod/dav_svn.pp b/manifests/mod/dav_svn.pp index 35d5417b52..c8b05f4a9e 100644 --- a/manifests/mod/dav_svn.pp +++ b/manifests/mod/dav_svn.pp @@ -13,7 +13,7 @@ ::apache::mod { 'dav_svn': } - if $::osfamily == 'Debian' and ($::operatingsystemmajrelease != '6' and $::operatingsystemmajrelease != '10.04' and $::operatingsystemrelease != '10.04' and $::operatingsystemmajrelease != '16.04') { + if $::osfamily == 'Debian' and ! ($::operatingsystemmajrelease in ['6', '16.04', '9']) { $loadfile_name = undef } else { $loadfile_name = 'dav_svn_authz_svn.load' diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 95c58a0330..89a166261f 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -128,6 +128,9 @@ } } - unless $::operatingsystem == 'SLES' { apache::security::rule_link { $activated_rules: } } + # Debian 9 has a different rule setup + unless $::operatingsystem == 'SLES' or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) { + apache::security::rule_link { $activated_rules: } + } } diff --git a/manifests/params.pp b/manifests/params.pp index 690539f534..68162cc77e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
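Review bot: The rewritten condition in manifests/mod/dav_svn.pp matches Debian 9 by the exact string `'9'`, while manifests/params.pp in this commit selects the stretch package map with `versioncmp($::operatingsystemrelease, '9') >= 0`. A later Debian major release would therefore get the `libapache2-mod-svn` package but fall into the `$loadfile_name = undef` branch. The rewrite also drops the two `'10.04'` comparisons, which moves Ubuntu 10.04 from the `dav_svn_authz_svn.load` branch to the `undef` branch; if that is intended, the commit message should say so. A comment above the `if`, such as `# releases that need the explicit dav_svn_authz_svn.load file name`, would make the list easier to maintain. The enclosing class body starts and ends outside the hunk.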
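Review bot: On Debian 9 and later the new `unless` in manifests/mod/security.pp skips `apache::security::rule_link { $activated_rules: }` entirely, so whatever is in `$activated_rules` appears to be dropped silently, and the comment `# Debian 9 has a different rule setup` does not say what loads the rules instead. The Debian 9 `$modsec_default_rules` list added in manifests/params.pp holds only `.data` files and no rule `.conf` files, and the six `blocks query with SQL` hunks in spec/acceptance/mod_security_spec.rb exclude Debian 9. Nothing in this commit therefore verifies that ModSecurity enforces any rule on that platform, although `$modsec_secruleengine` stays `'On'`. I would expand the comment to name the mechanism that loads the rule set on Debian 9 (it is not visible from this hunk) and add a Debian 9 acceptance check that a request matching a rule is rejected. The enclosing class starts outside the hunk.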
@@ -263,6 +263,34 @@ 'wsgi' => 'libapache2-mod-wsgi', 'xsendfile' => 'libapache2-mod-xsendfile', } + } elsif ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) { + # Debian stretch uses a different dav_svn from Ubuntu Xenial + $php_version = '7.0' + $mod_packages = { + 'auth_cas' => 'libapache2-mod-auth-cas', + 'auth_kerb' => 'libapache2-mod-auth-kerb', + 'auth_gssapi' => 'libapache2-mod-auth-gssapi', + 'auth_mellon' => 'libapache2-mod-auth-mellon', + 'authnz_pam' => 'libapache2-mod-authnz-pam', + 'dav_svn' => 'libapache2-mod-svn', + 'fastcgi' => 'libapache2-mod-fastcgi', + 'fcgid' => 'libapache2-mod-fcgid', + 'geoip' => 'libapache2-mod-geoip', + 'intercept_form_submit' => 'libapache2-mod-intercept-form-submit', + 'lookup_identity' => 'libapache2-mod-lookup-identity', + 'nss' => 'libapache2-mod-nss', + 'pagespeed' => 'mod-pagespeed-stable', + 'passenger' => 'libapache2-mod-passenger', + 'perl' => 'libapache2-mod-perl2', + 'phpXXX' => 'libapache2-mod-phpXXX', + 'python' => 'libapache2-mod-python', + 'rpaf' => 'libapache2-mod-rpaf', + 'security' => 'libapache2-mod-security2', + 'shib2' => 'libapache2-mod-shib2', + 'suphp' => 'libapache2-mod-suphp', + 'wsgi' => 'libapache2-mod-wsgi', + 'xsendfile' => 'libapache2-mod-xsendfile', + } } else { # major.minor version used since Debian stretch and Ubuntu Xenial $php_version = '7.0' 
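Review bot: The new stretch map still offers `'fastcgi' => 'libapache2-mod-fastcgi'`, yet spec/acceptance/vhost_spec.rb in this commit skips the fastcgi tests with the comment `# Debian 9 does not support this fastcgi`, so the entry looks like it names a package that cannot be installed there. If so, drop the key from this branch or put a comment next to it, so the gap is explained at the map rather than discovered at package-install time. The branch also appears to duplicate the neighbouring maps, of which only the tail of the previous one and the head of the `else` branch are visible in the hunk. Since its comment names `dav_svn` as the difference, deriving the stretch map from the shared one and overriding only `'dav_svn' => 'libapache2-mod-svn'` would keep the copies from drifting.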
@@ -326,28 +354,52 @@ $secpcrematchlimit = 1500 $secpcrematchlimitrecursion = 1500 $modsec_secruleengine = 'On' - $modsec_default_rules = [ - 'base_rules/modsecurity_35_bad_robots.data', - 'base_rules/modsecurity_35_scanners.data', - 'base_rules/modsecurity_40_generic_attacks.data', - 'base_rules/modsecurity_50_outbound.data', - 'base_rules/modsecurity_50_outbound_malware.data', - 'base_rules/modsecurity_crs_20_protocol_violations.conf', - 'base_rules/modsecurity_crs_21_protocol_anomalies.conf', - 'base_rules/modsecurity_crs_23_request_limits.conf', - 'base_rules/modsecurity_crs_30_http_policy.conf', - 'base_rules/modsecurity_crs_35_bad_robots.conf', - 'base_rules/modsecurity_crs_40_generic_attacks.conf', - 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf', - 'base_rules/modsecurity_crs_41_xss_attacks.conf', - 'base_rules/modsecurity_crs_42_tight_security.conf', - 'base_rules/modsecurity_crs_45_trojans.conf', - 'base_rules/modsecurity_crs_47_common_exceptions.conf', - 'base_rules/modsecurity_crs_49_inbound_blocking.conf', - 'base_rules/modsecurity_crs_50_outbound.conf', - 'base_rules/modsecurity_crs_59_outbound_blocking.conf', - 'base_rules/modsecurity_crs_60_correlation.conf', - ] + if $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0 { + $modsec_default_rules = [ + 'crawlers-user-agents.data', + 'iis-errors.data', + 'java-code-leakages.data', + 'java-errors.data', + 'lfi-os-files.data', + 'php-config-directives.data', + 'php-errors.data', + 'php-function-names-933150.data', + 'php-function-names-933151.data', + 'php-variables.data', + 'restricted-files.data', + 'scanners-headers.data', + 'scanners-urls.data', + 'scanners-user-agents.data', + 'scripting-user-agents.data', + 'sql-errors.data', + 'sql-function-names.data', + 'unix-shell.data', + 'windows-powershell-commands.data', + ] + } else { + $modsec_default_rules = [ + 'base_rules/modsecurity_35_bad_robots.data', + 'base_rules/modsecurity_35_scanners.data', + 
'base_rules/modsecurity_40_generic_attacks.data', + 'base_rules/modsecurity_50_outbound.data', + 'base_rules/modsecurity_50_outbound_malware.data', + 'base_rules/modsecurity_crs_20_protocol_violations.conf', + 'base_rules/modsecurity_crs_21_protocol_anomalies.conf', + 'base_rules/modsecurity_crs_23_request_limits.conf', + 'base_rules/modsecurity_crs_30_http_policy.conf', + 'base_rules/modsecurity_crs_35_bad_robots.conf', + 'base_rules/modsecurity_crs_40_generic_attacks.conf', + 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf', + 'base_rules/modsecurity_crs_41_xss_attacks.conf', + 'base_rules/modsecurity_crs_42_tight_security.conf', + 'base_rules/modsecurity_crs_45_trojans.conf', + 'base_rules/modsecurity_crs_47_common_exceptions.conf', + 'base_rules/modsecurity_crs_49_inbound_blocking.conf', + 'base_rules/modsecurity_crs_50_outbound.conf', + 'base_rules/modsecurity_crs_59_outbound_blocking.conf', + 'base_rules/modsecurity_crs_60_correlation.conf', + ] + } $alias_icons_path = '/usr/share/apache2/icons' $error_documents_path = '/usr/share/apache2/error' if ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '13.10') >= 0) or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') >= 0) { diff --git a/metadata.json b/metadata.json index 3c57cc55fd..e31fc1b1c3 100644 --- a/metadata.json +++ b/metadata.json @@ -51,7 +51,8 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "8" + "8", + "9" ] }, { diff --git a/spec/acceptance/mod_dav_svn_spec.rb b/spec/acceptance/mod_dav_svn_spec.rb index 4ee0d60d08..2032837cd9 100644 --- a/spec/acceptance/mod_dav_svn_spec.rb +++ b/spec/acceptance/mod_dav_svn_spec.rb 
@@ -4,7 +4,7 @@ describe 'apache::mod::dav_svn class', unless: (fact('operatingsystem') == 'OracleLinux' && fact('operatingsystemmajrelease') == '7') do authz_svn_load_file = case fact('osfamily') when 'Debian' - if fact('operatingsystemmajrelease') == '16.04' + if fact('operatingsystemmajrelease') == '16.04' || fact('operatingsystemmajrelease') == '9' 'dav_svn_authz_svn.load' else 'authz_svn.load' diff --git a/spec/acceptance/mod_passenger_spec.rb b/spec/acceptance/mod_passenger_spec.rb index 6c00256679..67cfd8313b 100644 --- a/spec/acceptance/mod_passenger_spec.rb +++ b/spec/acceptance/mod_passenger_spec.rb @@ -23,8 +23,11 @@ passenger_ruby = '/usr/bin/ruby' end when 'Debian' - case fact('lsbdistcodename') - when 'jessie' + case fact('operatingsystemmajrelease') + when '8' + passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' + passenger_default_ruby = '/usr/bin/ruby' + when '9' passenger_root = '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini' passenger_default_ruby = '/usr/bin/ruby' else @@ -76,11 +79,11 @@ when 'Debian' context 'passenger config with passenger_installed_version set' do pp_one = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::passenger': - passenger_installed_version => '4.0.0', - passenger_instance_registry_dir => '/some/path/to/nowhere' - } + class { 'apache': } + class { 'apache::mod::passenger': + passenger_installed_version => '4.0.0', + passenger_instance_registry_dir => '/some/path/to/nowhere' + } MANIFEST it 'fails when an option is not valid for $passenger_installed_version' do apply_manifest(pp_one, expect_failures: true) do |r| 
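Review bot: In the `@@ -23,8 +23,11 @@` hunk of spec/acceptance/mod_passenger_spec.rb the new `when '8'` and `when '9'` branches assign the same `passenger_root` and `passenger_default_ruby`, so they can be a single branch: `when '8', '9'`. The `@@ -150,8 +164,11 @@` hunk repeats the pattern with two identical pairs of `it` expectations and can be merged the same way. One branch keeps the two releases from drifting apart when a path changes. Both `case` statements end outside their hunks.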
@@ -88,11 +91,11 @@ class { 'apache::mod::passenger': end end pp_two = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::passenger': - passenger_installed_version => '5.0.0', - rails_autodetect => 'on' - } + class { 'apache': } + class { 'apache::mod::passenger': + passenger_installed_version => '5.0.0', + rails_autodetect => 'on' + } MANIFEST it 'fails when an option is removed' do apply_manifest(pp_two, expect_failures: true) do |r| @@ -100,11 +103,11 @@ class { 'apache::mod::passenger': end end pp_three = <<-MANIFEST - class { 'apache': } - class { 'apache::mod::passenger': - passenger_installed_version => '5.0.0', - rails_ruby => '/some/path/to/ruby' - } + class { 'apache': } + class { 'apache::mod::passenger': + passenger_installed_version => '5.0.0', + rails_ruby => '/some/path/to/ruby' + } MANIFEST it 'warns when an option is deprecated' do apply_manifest(pp_three, catch_failures: true) do |r| @@ -113,12 +116,23 @@ class { 'apache::mod::passenger': end end context 'default passenger config' do - pp = <<-MANIFEST - /* stock apache and mod_passenger */ - class { 'apache': } - class { 'apache::mod::passenger': } - #{pp_rackapp} - MANIFEST + pp = if ['7', '9', '16.04', '18.04'].include?(fact('operatingsystemmajrelease')) + <<-MANIFEST + /* stock apache and mod_passenger */ + class { 'apache': } + class { 'apache::mod::passenger': + passenger_instance_registry_dir => '/var/run', + } + #{pp_rackapp} + MANIFEST + else + <<-MANIFEST + /* stock apache and mod_passenger */ + class { 'apache': } + class { 'apache::mod::passenger': } + #{pp_rackapp} + MANIFEST + end it 'succeeds in puppeting passenger' do apply_manifest(pp, catch_failures: true) end 
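Review bot: The `default passenger config` manifest sets `passenger_instance_registry_dir => '/var/run'` only for the releases in `['7', '9', '16.04', '18.04']`, but the `@@ -193,27 +211,28 @@` hunk passes `PASSENGER_INSTANCE_REGISTRY_DIR=/var/run` to every `passenger-status` call regardless of release. On the remaining platforms the tool is pointed at a directory the manifest did not configure; whether that matters depends on the Passenger version, which the diff does not show. I would derive both from one local, e.g. `registry_dir = '/var/run' if [...].include?(fact('operatingsystemmajrelease'))`, and add a comment saying why these releases need the override. The two heredocs differ only in that one parameter, so the manifest could also be built once with the parameter interpolated.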
@@ -150,8 +164,11 @@ class { 'apache::mod::passenger': } it { is_expected.not_to contain '/PassengerDefaultRuby/' } end when 'Debian' - case fact('lsbdistcodename') - when 'jessie' + case fact('operatingsystemmajrelease') + when '8' + it { is_expected.to contain %(PassengerDefaultRuby "#{passenger_default_ruby}") } + it { is_expected.not_to contain '/PassengerRuby/' } + when '9' it { is_expected.to contain %(PassengerDefaultRuby "#{passenger_default_ruby}") } it { is_expected.not_to contain '/PassengerRuby/' } else @@ -173,7 +190,8 @@ class { 'apache::mod::passenger': } # these two lines unless (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') || (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') || - (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') expected_one << [%r{### Processes: [0-9]+}, %r{### Total private dirty RSS: [0-9\.]+ MB}] end it 'outputs status via passenger-memory-stats #stdout' do 
@@ -193,27 +211,28 @@ class { 'apache::mod::passenger': } # even when the passenger process is successfully installed and running unless fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '12.04' it 'outputs status via passenger-status #General information' do - shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r| + shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r| # spacing may vary expect(r.stdout).to match(%r{[\-]+ General information [\-]+}) end end - expected_two = if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04' || + expected_two = if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '14.04') || (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') == '16.04') || - fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8' + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8') || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') [%r{Max pool size[ ]+: [0-9]+}, %r{Processes[ ]+: [0-9]+}, %r{Requests in top-level queue[ ]+: [0-9]+}] else [%r{max[ ]+= [0-9]+}, %r{count[ ]+= [0-9]+}, %r{active[ ]+= [0-9]+}, %r{inactive[ ]+= [0-9]+}, %r{Waiting on global queue: [0-9]+}] end it 'outputs status via passenger-status #stdout' do - shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r| + shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r| expected_two.each do |expect| expect(r.stdout).to match(expect) end end end it 'outputs status via passenger-status #exit_code' do - shell('PATH=/usr/bin:$PATH /usr/sbin/passenger-status') do |r| + shell('PATH=/usr/bin:$PATH PASSENGER_INSTANCE_REGISTRY_DIR=/var/run /usr/sbin/passenger-status') do |r| expect(r.exit_code).to eq(0) end end 
diff --git a/spec/acceptance/mod_php_spec.rb b/spec/acceptance/mod_php_spec.rb index f6f8fcdbd4..fa9e5d8195 100644 --- a/spec/acceptance/mod_php_spec.rb +++ b/spec/acceptance/mod_php_spec.rb @@ -32,7 +32,8 @@ class { 'apache::mod::php': } it { is_expected.to be_running } end - if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04' + if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') describe file("#{$mod_dir}/php7.0.conf") do it { is_expected.to contain 'DirectoryIndex index.php' } end @@ -120,7 +121,8 @@ class {'apache::mod::php': it 'succeeds in puppeting php' do apply_manifest(pp, catch_failures: true) end - if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04' + if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') describe file("#{$mod_dir}/php7.0.conf") do it { is_expected.to contain '# somecontent' } end @@ -145,7 +147,8 @@ class {'apache::mod::php': apply_manifest(pp, catch_failures: true) end - if fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04' + if (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') describe file("#{$mod_dir}/php7.0.conf") do it { is_expected.to contain '# somecontent' } end diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb index e14694e7da..bc25b742c4 100644 --- a/spec/acceptance/mod_security_spec.rb +++ b/spec/acceptance/mod_security_spec.rb 
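Review bot: The same two-line condition, Ubuntu `'16.04'` or Debian `'9'`, is now written out in all three hunks of spec/acceptance/mod_php_spec.rb to select `php7.0.conf`. Computing it once near the top of the file, for example `php7_release = (fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemmajrelease') == '16.04') || (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9')`, and writing `if php7_release` at each site would leave one place to edit for the next release. The `if` statements continue outside the hunks.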
@@ -75,7 +75,8 @@ class { 'apache::mod::security': } end end - unless fact('operatingsystem') == 'SLES' + unless fact('operatingsystem') == 'SLES' || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') it 'blocks query with SQL' do shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22] end @@ -114,7 +115,8 @@ class { 'apache::mod::security': } it { is_expected.to contain 'mod_security2.c' } end - unless fact('operatingsystem') == 'SLES' + unless fact('operatingsystem') == 'SLES' || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') it 'blocks query with SQL' do shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22] end @@ -176,7 +178,8 @@ class { 'apache::mod::security': } it { is_expected.to contain 'mod_security2.c' } end - unless fact('operatingsystem') == 'SLES' + unless fact('operatingsystem') == 'SLES' || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') it 'blocks query with SQL' do shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22] end @@ -242,7 +245,8 @@ class { 'apache::mod::security': } it { is_expected.to contain 'mod_security2.c' } end - unless fact('operatingsystem') == 'SLES' + unless fact('operatingsystem') == 'SLES' || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') it 'blocks query with SQL' do shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22] end 
@@ -308,7 +312,8 @@ class { 'apache::mod::security': } it { is_expected.to contain 'mod_security2.c' } end - unless fact('operatingsystem') == 'SLES' + unless fact('operatingsystem') == 'SLES' || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') it 'blocks query with SQL' do shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22] end @@ -374,7 +379,8 @@ class { 'apache::mod::security': } it { is_expected.to contain 'mod_security2.c' } end - unless fact('operatingsystem') == 'SLES' + unless fact('operatingsystem') == 'SLES' || + (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9') it 'blocks query with SQL' do shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', acceptable_exit_codes: [22] end diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 0fdd15ef30..49b554aa2a 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -966,6 +966,7 @@ class { 'apache': } if fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') == '7' || fact('operatingsystem') == 'Ubuntu' && fact('operatingsystemrelease') =~ %r{(14\.04|16\.04)} || fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8' || + fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '9' || fact('operatingsystem') == 'SLES' && fact('operatingsystemrelease') >= '12' it { is_expected.not_to contain 'NameVirtualHost test.server' } else @@ -1567,6 +1568,7 @@ class { 'apache': } # Limit testing to Debian, since Centos does not have fastcgi package. case fact('osfamily') when 'Debian' + next if fact('operatingsystemmajrelease') == '9' # Debian 9 does not support this fastcgi describe 'fastcgi' do pp_one = <<-MANIFEST $_os = $::operatingsystem diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 88dad9e68b..b2115947d7 100644 
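Review bot: In the `@@ -1567,6 +1568,7 @@` hunk of spec/acceptance/vhost_spec.rb, `next if fact('operatingsystemmajrelease') == '9'` sits directly in the body of an enclosing block rather than inside an example, so on Debian 9 it appears to leave that whole block and not just the `fastcgi` group. Any example groups defined after this `case` in the same block would then be skipped on Debian 9 with no trace in the test report. The enclosing block starts and ends outside the hunk, so the number of affected groups is not visible. Scoping the skip to the group avoids this, e.g. `describe 'fastcgi', unless: fact('operatingsystemmajrelease') == '9' do`, the same form spec/acceptance/mod_dav_svn_spec.rb uses on its top-level `describe`.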
--- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -34,7 +34,8 @@ c.before :suite do run_puppet_access_login(user: 'admin') if pe_install? && (Gem::Version.new(puppet_version) >= Gem::Version.new('5.0.0')) # net-tools required for netstat utility being used by be_listening - if fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') == '7' + if (fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') == '7') || + (fact('osfamily') == 'Debian' && fact('operatingsystemmajrelease') == '9') pp = <<-EOS package { 'net-tools': ensure => installed } EOS