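require 'spec_helper_acceptance'

# Acceptance tests for the apache::mod::security Puppet class.
#
# Each context applies a manifest that enables mod_security for the vhost
# modsec.example.com (mapped to 127.0.0.1 through a host resource), confirms
# that a request carrying a SQL-looking query string is rejected, and, in the
# "disabling" contexts, re-applies the vhost with one exemption parameter
# (modsec_disable_vhost, modsec_disable_ips or modsec_disable_ids) and issues
# a follow-up request.
#
# NOTE(review): the listing this file was recovered from carried inline gutter
# numbers and had gaps where lines were dropped. The structural glue
# (case/when, heredoc delimiters, closing braces and `end`s, the example that
# wraps the epel manifest) and these manifest lines were filled in and are not
# visible in the listing; verify them against the upstream file:
#   class { 'apache': }, port => '80', ensure => file, and the body of the
#   index2.html resource (its content is a constructed sample value).
#
# The suite is skipped on unsupported platforms and on the Debian-family
# releases squeeze, lucid and precise.
describe 'apache::mod::security class', :unless => (UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) || (fact('osfamily') == 'Debian' && %w[squeeze lucid precise].include?(fact('lsbdistcodename')))) do
  case fact('osfamily')
  when 'Debian'
    mod_dir      = '/etc/apache2/mods-available'
    service_name = 'apache2'
    package_name = 'apache2'
  when 'RedHat'
    mod_dir      = '/etc/httpd/conf.d'
    service_name = 'httpd'
    package_name = 'httpd'
  end

  # Request with a SQL-looking query string. The URL is double-quoted so the
  # remote shell hands `?` and `*` to curl literally instead of treating them
  # as glob characters (the original passed the URL unquoted).
  #
  # curl -f exits 22 for any HTTP status >= 400, so an expected exit code of 22
  # shows that the request failed with an error status, not specifically that
  # mod_security produced the denial.
  sqli_probe  = '/usr/bin/curl -A beaker -f "modsec.example.com:80?SELECT%20*FROM%20mysql.users"'
  plain_probe = '/usr/bin/curl -A beaker modsec.example.com:80'

  context "default mod_security config" do
    # Matches any major release string containing 5 or 6 (the pattern is
    # unanchored); the epel class is applied first on those RedHat releases.
    if fact('osfamily') == 'RedHat' && fact('operatingsystemmajrelease') =~ /(5|6)/
      it 'adds epel' do
        pp = "class { 'epel': }"
        apply_manifest(pp, :catch_failures => true)
      end
    end

    it 'succeeds in puppeting mod_security' do
      pp = <<-EOS
        host { 'modsec.example.com': ip => '127.0.0.1', }
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port    => '80',
          docroot => '/var/www/html',
        }
        file { '/var/www/html/index.html':
          ensure  => file,
          content => 'Index page',
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    describe service(service_name) do
      it { is_expected.to be_enabled }
      it { is_expected.to be_running }
    end

    describe package(package_name) do
      it { is_expected.to be_installed }
    end

    describe file("#{mod_dir}/security.conf") do
      it { is_expected.to contain "mod_security2.c" }
    end

    it 'should return index page' do
      shell(plain_probe) do |r|
        expect(r.stdout).to match(/Index page/)
        expect(r.exit_code).to eq(0)
      end
    end

    it 'should block query with SQL' do
      shell sqli_probe, :acceptable_exit_codes => [22]
    end
  end #default mod_security config

  context "mod_security should allow disabling by vhost" do
    it 'succeeds in puppeting mod_security' do
      pp = <<-EOS
        host { 'modsec.example.com': ip => '127.0.0.1', }
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port    => '80',
          docroot => '/var/www/html',
        }
        file { '/var/www/html/index.html':
          ensure  => file,
          content => 'Index page',
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    describe service(service_name) do
      it { is_expected.to be_enabled }
      it { is_expected.to be_running }
    end

    describe file("#{mod_dir}/security.conf") do
      it { is_expected.to contain "mod_security2.c" }
    end

    # Baseline: the request is rejected before the exemption is applied.
    it 'should block query with SQL' do
      shell sqli_probe, :acceptable_exit_codes => [22]
    end

    it 'should disable mod_security per vhost' do
      pp = <<-EOS
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port                 => '80',
          docroot              => '/var/www/html',
          modsec_disable_vhost => true,
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    # Same SQL-looking request as the baseline; it must now be served.
    it 'should return index page' do
      shell(sqli_probe) do |r|
        expect(r.stdout).to match(/Index page/)
        expect(r.exit_code).to eq(0)
      end
    end
  end #mod_security should allow disabling by vhost

  context "mod_security should allow disabling by ip" do
    it 'succeeds in puppeting mod_security' do
      pp = <<-EOS
        host { 'modsec.example.com': ip => '127.0.0.1', }
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port    => '80',
          docroot => '/var/www/html',
        }
        file { '/var/www/html/index.html':
          ensure  => file,
          content => 'Index page',
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    describe service(service_name) do
      it { is_expected.to be_enabled }
      it { is_expected.to be_running }
    end

    describe file("#{mod_dir}/security.conf") do
      it { is_expected.to contain "mod_security2.c" }
    end

    # Baseline: the request is rejected before the exemption is applied.
    it 'should block query with SQL' do
      shell sqli_probe, :acceptable_exit_codes => [22]
    end

    it 'should disable mod_security per vhost' do
      pp = <<-EOS
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port               => '80',
          docroot            => '/var/www/html',
          modsec_disable_ips => [ '127.0.0.1' ],
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    # NOTE(review): unlike the vhost and id contexts, this follow-up request
    # omits the SQL-looking query string, and the same plain request already
    # succeeds in the default context. As written it shows the vhost still
    # serves content after the change, not that the 127.0.0.1 exemption takes
    # effect. Confirm whether that is intended before relying on this example
    # as coverage for modsec_disable_ips.
    it 'should return index page' do
      shell(plain_probe) do |r|
        expect(r.stdout).to match(/Index page/)
        expect(r.exit_code).to eq(0)
      end
    end
  end #mod_security should allow disabling by ip

  context "mod_security should allow disabling by id" do
    it 'succeeds in puppeting mod_security' do
      pp = <<-EOS
        host { 'modsec.example.com': ip => '127.0.0.1', }
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port    => '80',
          docroot => '/var/www/html',
        }
        file { '/var/www/html/index.html':
          ensure  => file,
          content => 'Index page',
        }
        file { '/var/www/html/index2.html':
          ensure  => file,
          content => 'Page 2',
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    describe service(service_name) do
      it { is_expected.to be_enabled }
      it { is_expected.to be_running }
    end

    describe file("#{mod_dir}/security.conf") do
      it { is_expected.to contain "mod_security2.c" }
    end

    # Baseline: the request is rejected before the exemption is applied.
    it 'should block query with SQL' do
      shell sqli_probe, :acceptable_exit_codes => [22]
    end

    it 'should disable mod_security per vhost' do
      pp = <<-EOS
        class { 'apache': }
        class { 'apache::mod::security': }
        apache::vhost { 'modsec.example.com':
          port               => '80',
          docroot            => '/var/www/html',
          modsec_disable_ids => [ '950007' ],
        }
      EOS
      apply_manifest(pp, :catch_failures => true)
    end

    # Same SQL-looking request as the baseline; with rule id 950007 disabled
    # for this vhost it must now be served.
    it 'should return index page' do
      shell(sqli_probe) do |r|
        expect(r.stdout).to match(/Index page/)
        expect(r.exit_code).to eq(0)
      end
    end
  end #mod_security should allow disabling by id
end #apache::mod::security class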