(SIMP-8597) Update simp-packer to match 6.5.0 (#35)

Changed: * Gemfile gems are now in line with SIMP 6.5.0's Puppet modules. * .travis.yml now in line with SIMP 6.5.0's Puppet modules. * supports env var secrets + diagnostic pipelines Fixed: * New Gemfile mitigates CVE-2020-10663 (updates json to >= 2.3.0) * YAML.safe_load Symbol errors in modules' spec_helper.rb files * Fixed a LOT of rubcop warnings (after updating Gemfile) SIMP-8597 #close SIMP-8598 #close
simp · Oct 22, 2020 · 41d2f27 · 41d2f27
1 parent f813796
commit 41d2f27
Show file tree

Hide file tree

Showing 52 changed files with 763 additions and 908 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
diff --git a/.travis.yml b/.travis.yml
@@ -8,6 +8,40 @@
 #
 # *** = Modules created for SIMP 6.2+ are not required to support Puppet < 4.10
 # ### = Modules created for SIMP 6.3+ are not required to support Puppet < 5.3
+# ==============================================================================
+#
+# Travis CI Repo options for this pipeline:
+#
+#   Travis CI Env Var      Type      Notes
+#   ---------------------  --------  -------------------------------------------
+#   GITHUB_OAUTH_TOKEN     Secure    Required for automated GitHub releases
+#   SKIP_GITHUB_PUBLISH    Optional  Skips publishing GitHub releases if "true"
+#
+#   The secure env vars will be filtered in Travis CI log output, and aren't
+#   provided to untrusted builds (i.e, triggered by PR from another repository)
+#
+# ------------------------------------------------------------------------------
+#
+# Travis CI Trigger options for this pipeline:
+#
+#   To validate if $GITHUB_OAUTH_TOKEN is able to publish a GitHub release,
+#   trigger a custom Travis CI build for this branch using the CUSTOM CONFIG:
+#
+#     env: VALIDATE_TOKENS=yes
+#
+# ------------------------------------------------------------------------------
+#
+# Release Engineering notes:
+#
+#   To automagically publish a release to GitHub and PuppetForge:
+#
+#   - Set GITHUB_OAUTH_TOKEN as a secure env variable in this repo's Travis CI
+#     settings
+#   - Push a git tag that matches the lates version in CHANGELOG.md
+#   - The tag SHOULD be annotated with release notes, but nothing enforces this
+#     convention at present
+#
+# ------------------------------------------------------------------------------
 ---
 language: ruby
 cache: bundler
@@ -17,10 +51,14 @@ notifications:
   email: false
 
 stages:
-  - validation
-  - 'Spec tests'
+  - name: 'validate tokens'
+    if: 'env(VALIDATE_TOKENS) = yes'
+  - name: validation
+    if: 'NOT env(VALIDATE_TOKENS) = yes'
+  - name: 'Spec tests'
+    if: 'NOT env(VALIDATE_TOKENS) = yes'
   - name: deploy
-    if: 'tag IS present'
+    if: 'tag IS present AND NOT env(VALIDATE_TOKENS) = yes'
 
 before_install:
   - rm -f Gemfile.lock
@@ -51,13 +89,13 @@ jobs:
       script: bundle exec rake packer:validate
 
     - stage: 'Spec tests'
-      rvm:    2.4.4
-      name:  'Ruby unit tests (Ruby 2.4.4)'
+      rvm:    2.4.9
+      name:  'Ruby unit tests (Ruby 2.4.9)'
       script: bundle exec rake spec
 
     - stage:  'Spec tests'
       name:   'Puppet 5.5 (SIMP 6.3+)'
-      rvm:    2.4.4
+      rvm:    2.4.9
       env:
         - 'PUPPET_VERSION="~> 5.5.6"'
       script: bundle exec rake test:puppet
@@ -69,9 +107,16 @@ jobs:
         - 'PUPPET_VERSION="~> 5.0"'
       script: bundle exec rake test:puppet
 
+    - stage:  'Spec tests'
+      name: 'Puppet 6.18 (PE 2019.2)'
+      rvm: 2.5.7
+      env: PUPPET_VERSION="~> 6.18.0"
+      script:
+        - bundle exec rake spec
+
     - stage:  'Spec tests'
       name:   'Latest Puppet 6.x (allowed to fail)'
-      rvm:    2.5.1
+      rvm:    2.5.7
       env:
         - 'PUPPET_VERSION="~> 6.0"'
       script: bundle exec rake test:puppet
@@ -81,9 +126,19 @@ jobs:
         - true
       deploy:
         - provider: releases
+          token: $GITHUB_OAUTH_TOKEN
           on:
             tags: true
-            condition: '($SKIP_FORGE_PUBLISH != true)'
-          skip_cleanup: true
-          api_key:
-            secure: "pjgpw5TbhG8JNEH8CEY06dUrBUtmi3D4uKS9PXrF03ejFG2TStY9qPC7hEUiEJVVSXhWdkSeVXn+/6vlDcKWKybVcI7sfzWGosXchlROxKwUSCWW4OUXqIYix+ek8rGLfSsojrX6ZiUcecq4a/cnbBZ3Ni+RUnkv5kSFFsT2u5L4xIBmSWxaTTTTlLc6Stk2NXDsF7ygMkIf9bbL9U10boa6g3EyYoPoNlSARfdDLBLQFMs9k2mfBax9b6XWSXi8gtGItyd9BbHT/4Z1KXa63pN7V+pOM5hG4ulJdwNWM73ChhuVYZxXbtsKQYAZxtf1P55DnjOf0VdArFf3LCO25s7/CtuMs7HrdgTgbqr7aNV+OZcD/YyWz7Oy+AcbUOfHRo/mT93qxoEsO9v7AbJKqTs1xM2cM10JI2CP19414VfxaMPxWITEIx6WVaLiLCfhQQJIPb7UvGgNxT2+MTDlW5a+Ly0C+rYvcpVikN5H4dQ/Kmrp7g/uBu2kRrR1IXZRtd3EgD7YTkvobgCxcTZ7qmYnO73BokLDmnpM6nZRVSeLKLGLA9dnPlqBiZogK750TNWTciua/LLmLi4HcWE52dPs6pH2SAXeJrzOgbqQNPDR/AUca4ZQqQ5/MFC6Xyy1QxrmTQLAlNXC3cck6D2lt6aTpi7u6oqYNladX6jH8rU="
+            condition: '($SKIP_GITHUB_PUBLISH != true)'
+
+    - stage: 'validate tokens'
+      language: shell
+      before_install: skip
+      install: skip
+      name:  'validate CI GitHub OAuth token has sufficient scope to release'
+      script:
+      - 'echo; echo "===== GITHUB_OAUTH_TOKEN validation";echo "  (TRAVIS_SECURE_ENV_VARS=$TRAVIS_SECURE_ENV_VARS)"; echo'
+      - 'OWNER="$(echo $TRAVIS_REPO_SLUG | cut -d/ -f1)"'
+      - 'curl -H "Authorization: token ${GITHUB_OAUTH_TOKEN}"
+          "https://api.github.com/users/$OWNER"
+          -I | grep ^X-OAuth-Scopes | egrep -w "repo|public_repo"'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,19 +11,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Support for SIMP 6.5.0 Alpha
 
 ### Changed
-- Use 'simp::classes' in lieu of 'classes' in hieradata.
-- Use 'rndc-key' in lieu of 'rndckey' in named.conf to match the generated
+- Use `simp::classes` in lieu of `classes` in hieradata.
+- Use `rndc-key` in lieu of `rndckey` in named.conf to match the generated
   key name. (In SIMP 6.5.0 we no longer deliver the sample rndc.key file,
-  whose key name is 'rndckey'.)
+  whose key name is `rndckey`.)
 - Examples explicitly target SIMP 6.5.0 (instead of "6.X")
-- 'site' module dependency version ranges now accomodate SIMP 6.5.0
+- 'site' module dependency version ranges now accommodate SIMP 6.5.0
 - Converted CHANGELOG into format documented at https://keepachangelog.com/
 - Refined regex used to check for puppetserver and puppetdb service status to
   support both Puppet 5 and Puppet 6.
-- Update JSON comments to work with Packer 1.5+
-
+- JSON comments work with Packer 1.5+
+- Project and Module Gemfile gems match SIMP 6.5.0 Puppet modules.
+  - Mitigated CVE-2020-10663 by updating `json` to >= 2.3
+- `.travis.yml` updated to use env var secrets + diagnostic pipelines
+- Puppet tests support clean env runs under both Bundler 2.1+ and older
+  versions.
+
 ### Removed
-- Dropped support for all SIMP releases older than 6.5.0
+- Dropped support for all SIMP releases older than 6.5.0.
   - Removed data -> hieradata cruft (for SIMP < 6.3.0
   - The named.conf rndc-key -> rndckey change is incompatible with
     SIMP 6.4.0 and earlier
@@ -38,6 +43,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed extraneous call to puppet-usersetup.sh from simp-bootstrap.sh.
   This script was called already called between `simp config` and
   `simp bootstrap`.
+- Fixed `YAML.safe_load` Symbol errors in pupmod' `spec_helper.rb` files.
+- A LOT of rubcop warnings that were enabled by the updated Gemfile.
+- puppet-lint warnings in site module
 
 ## [2.4.0] - 2019-07-05
 

diff --git a/Gemfile b/Gemfile
@@ -2,11 +2,12 @@
 # NOTE: SIMP Puppet rake tasks support ruby 2.1.9
 # ------------------------------------------------------------------------------
 gem_sources = ENV.fetch('GEM_SERVERS','https://rubygems.org').split(/[, ]+/)
-puppet_version =  ENV.fetch('PUPPET_VERSION', '~>5.0')
 
 gem_sources.each { |gem_source| source gem_source }
 
 group :test do
+  puppet_version = ENV['PUPPET_VERSION'] || '~> 5.5'
+  major_puppet_version = puppet_version.scan(/(\d+)(?:\.|\Z)/).flatten.first.to_i
   gem 'rake'
   gem 'puppet', puppet_version
   gem 'rspec'
@@ -18,14 +19,16 @@ group :test do
   gem 'puppet-strings'
   gem 'puppet-lint-empty_string-check',   :require => false
   gem 'puppet-lint-trailing_comma-check', :require => false
-  gem 'simp-rspec-puppet-facts', ENV.fetch('SIMP_RSPEC_PUPPET_FACTS_VERSION', '~> 2.2')
-  gem 'simp-rake-helpers', ENV.fetch('SIMP_RAKE_HELPERS_VERSION', '~> 5.6')
-  gem 'rubocop', '~> 0.57.0' # supports ruby 2.1
+  gem 'simp-rspec-puppet-facts', ENV.fetch('SIMP_RSPEC_PUPPET_FACTS_VERSION', '~> 3.1')
+  gem 'simp-rake-helpers', ENV.fetch('SIMP_RAKE_HELPERS_VERSION', '~> 5.11')
+  gem 'rubocop'
   gem 'rubocop-rspec'
+  gem 'rubocop-i18n'
   gem 'yard'
   gem 'redcarpet'
   gem 'github-markup'
   gem 'simplecov', require: false
+  gem('pdk', ENV['PDK_VERSION'] || '~> 1.0', :require => false) if major_puppet_version > 5
 end
 
 group :development do