From ae028f3e98265fa8d6284cbe647c8a44c90982e1 Mon Sep 17 00:00:00 2001 From: Mike Riddle Date: Thu, 29 May 2025 13:03:09 -0400 Subject: [PATCH 1/7] Add ability for users to specify subpolicies #24 Also removed dependency on simplib Fixes #24 --- CHANGELOG | 4 + lib/facter/crypto_policy_state.rb | 56 +++++++++++++ manifests/init.pp | 24 ++++-- manifests/install.pp | 2 +- manifests/update.pp | 4 +- metadata.json | 4 - .../suites/default/00_default_spec.rb | 37 +++++++-- spec/classes/init_spec.rb | 81 ++++++++++++++++++- 8 files changed, 191 insertions(+), 21 deletions(-) create mode 100644 lib/facter/crypto_policy_state.rb diff --git a/CHANGELOG b/CHANGELOG index c524312..ad9dee2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,7 @@ +* Thu May 29 2025 Mike Riddle - 1.0.0 +- Removed dependency on simplib +- Added ability for users to specify subpolicies + * Thu May 08 2025 Richard Gardner - 1.0.0 - Remove EOL OS's support (EL7, CentOS8) - Stardardize beaker nodesets diff --git a/lib/facter/crypto_policy_state.rb b/lib/facter/crypto_policy_state.rb new file mode 100644 index 0000000..8f6205a --- /dev/null +++ b/lib/facter/crypto_policy_state.rb 
@@ -0,0 +1,56 @@ +# frozen_string_literal: true + +# @summary Provides the state of the configured crypto policies +# +# @see update-crypto-policy(8) +# +# @return [Hash] +# +# @example Output Hash +# +# { +# 'global_policy' => 'POLICY_NAME', +# 'global_policy_applied' => BOOLEAN, +# 'global_policies_available' => ['POLICY_ONE', 'POLICY_TWO'] +# 'sub_policies_available' => ['SUB_POLICY_ONE', 'SUB_POLICY_TWO'] +# } +# +Facter.add('crypto_policy_state') do + confine kernel: 'Linux' + + crypto_policy_cmd = Facter::Util::Resolution.which('update-crypto-policies') + confine { crypto_policy_cmd } + + setcode do + system_state = nil + + output = Facter::Core::Execution.execute(%(#{crypto_policy_cmd} --no-reload --show), on_fail: false) + output = output.strip if output + + if output && !output.empty? + system_state = {} + + system_state['global_policy'] = output.strip + + output = Facter::Core::Execution.execute(%(#{crypto_policy_cmd} --no-reload --is-applied), on_fail: false) + + system_state['global_policy_applied'] = !Array(output).grep(%r{is applied}).empty? if output + + # This is everything past EL8.0 + global_policies = Dir.glob(['/usr/share/crypto-policies/policies/*.pol', '/etc/crypto-policies/policies/*.pol']) + + # Need available subpolicies to support users setting them + sub_policies = Dir.glob(['/usr/share/crypto-policies/policies/modules/*.pmod', '/etc/crypto-policies/policies/modules/*.pmod']) + + # Fallback for 8.0 + if global_policies.empty? + global_policies = Dir.glob('/usr/share/crypto-policies/*').select { |x| File.directory?(x) } + end + + system_state['global_policies_available'] = global_policies.map { |x| File.basename(x, '.pol') }.uniq + system_state['sub_policies_available'] = sub_policies.map {|x| File.basename(x, '.pmod') }.uniq + end + + system_state + end +end diff --git a/manifests/init.pp b/manifests/init.pp index c9deca7..0238ec8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
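Review bot: The header comment for `crypto_policy_state` should say that `global_policies_available` and `sub_policies_available` are built from whatever `.pol` and `.pmod` files exist under both `/usr/share/crypto-policies` and `/etc/crypto-policies`, so they describe what is present on the node rather than a vetted allow-list. It could also note that `global_policy` is the stripped `--show` output, which the acceptance test in this patch expects to be `DEFAULT:NO-SHA1` once a subpolicy is set. A third point for the comment is that `global_policy_applied` is left out of the hash when the `--is-applied` call fails under `on_fail: false`, so consumers see nil rather than false. The example hash is also missing a comma after the `global_policies_available` entry.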
@@ -1,9 +1,10 @@ # @summary Configure the system crypto policy settings # # @param ensure -# The system crypto policy that you wish to enforce +# The system crypto policy and subpolicies that you wish to enforce # -# * Will be checked against `$facts['simplib__crypto_policy_state']['global_policies_available']` for validity +# * Will be checked against `$facts['crypto_policy_state']['global_policies_available']` +# and `$facts['crypto_policy_state']['sub_policies_available']`for validity # # @param validate_policy # Disables validation of the `$ensure` parameter prior to application @@ -20,7 +21,7 @@ # @author https://github.com/simp/pupmod-simp-crypto_policy/graphs/contributors # class crypto_policy ( - Optional[String] $ensure = simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }) ? { true => 'FIPS', default => undef }, + Optional[String] $ensure = pick($facts['fips_enabled'], false) ? { true => 'FIPS', default => undef }, Boolean $validate_policy = true, Boolean $force_fips_override = false, Boolean $manage_installation = true @@ -48,10 +49,14 @@ $_ensure = $ensure } - $global_policies_available = $facts.dig('simplib__crypto_policy_state', 'global_policies_available') + $global_policies_available = $facts.dig('crypto_policy_state', 'global_policies_available') + $sub_policies_available = $facts.dig('crypto_policy_state', 'sub_policies_available') - if $_ensure and $global_policies_available { - unless $_ensure in $global_policies_available { + if $_ensure and $global_policies_available and $sub_policies_available { + $_policy_components = $_ensure.split(':') + $_global_policy = $_policy_components[0] + $_sub_policies = $_policy_components.delete($_policy_components[0]) + unless $_global_policy in $global_policies_available { $_available_policies = join($global_policies_available,"', '") if $ensure == $_ensure { 
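Review bot: Dropping `simplib::lookup('simp_options::fips', ...)` from the `$ensure` default changes behaviour for any site that sets `simp_options::fips: true` in Hiera on a host whose `fips_enabled` fact is false: the default moves from `'FIPS'` to `undef`, and the CHANGELOG entry only says the simplib dependency was removed. The same applies to `$package_ensure` in `manifests/install.pp`, which no longer honours `simp_options::package_ensure`. I would call out both in the CHANGELOG and in the `@param ensure` text, for example `# * No longer reads simp_options::fips; set crypto_policy::ensure explicitly`.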
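Review bot: `$_policy_components.delete($_policy_components[0])` removes every element equal to the global policy name rather than only the first one (assuming this is stdlib's `delete`), so a value such as `DEFAULT:DEFAULT` reaches the subpolicy check with an empty list and presumably goes into the config file without its second component being validated. Slicing by position avoids that: `$_sub_policies = $_policy_components[1, -1]`; a spec for a bare policy name would confirm the slice yields an empty array there. Separately, the guard now also requires `$sub_policies_available`, so a node whose fact lacks that key skips validation altogether. The rest of the `if` body lies outside this hunk, so what else is skipped with it cannot be judged from here.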
@@ -63,6 +68,13 @@ fail("${module_name}::ensure (${ensure_message}) must be one of '${_available_policies}'") } + unless $_sub_policies.empty or ($_sub_policies - $sub_policies_available).empty { + $_available_sub_policies = join($sub_policies_available, "', '") + # Any sub policies not available to use will be displayed back to the user + $_unknown_sub_policies = join(($_sub_policies - $sub_policies_available), "', '") + fail("${module_name}::ensure unknown sub_policies (${$_unknown_sub_policies}) must be one of '${_available_sub_policies}'") + } + $_crypto_config = @("CRYPTO_CONFIG") # This file managed by Puppet using ${module_name} # diff --git a/manifests/install.pp b/manifests/install.pp index effd2f1..59e6d67 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -13,7 +13,7 @@ # class crypto_policy::install ( Array[String[1]] $packages = ['crypto-policies', 'crypto-policies-scripts'], - String[1] $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'latest' }) + String[1] $package_ensure = 'latest' ) { assert_private() diff --git a/manifests/update.pp b/manifests/update.pp index 82acef3..5fe221e 100644 --- a/manifests/update.pp +++ b/manifests/update.pp @@ -11,13 +11,13 @@ class crypto_policy::update ( Stdlib::Absolutepath $command = '/usr/bin/update-crypto-policies' ) { - if $facts['simplib__crypto_policy_state'] { + if $facts['crypto_policy_state'] { exec { 'update global crypto policy': command => $command, refreshonly => true } } else { - warning("${module_name}: simplib__crypto_policy_state fact not found, updating not enabled") + warning("${module_name}: crypto_policy_state fact not found, updating not enabled") } } diff --git a/metadata.json b/metadata.json index 04c3018..7cbf21a 100644 --- a/metadata.json +++ b/metadata.json @@ -9,10 +9,6 @@ { "name": "puppetlabs/stdlib", "version_requirement": ">= 8.0.0 < 10.0.0" - }, - { - "name": "simp/simplib", - "version_requirement": ">= 4.9.0 < 5.0.0" } ], "tags": [ 
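Review bot: The subpolicy check computes `$_sub_policies - $sub_policies_available` twice and guards it with `$_sub_policies.empty`, which is redundant because the difference of an empty array is already empty. Computing it once reads better and keeps the condition and the error message in step: `$_unknown = $_sub_policies - $sub_policies_available` followed by `unless $_unknown.empty {`. The interpolation `${$_unknown_sub_policies}` also carries a doubled sigil where the rest of the file writes `${name}`. The enclosing `if` block starts and ends outside this hunk.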
diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index f21cb33..5ca1fcc 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb @@ -28,17 +28,18 @@ apply_manifest_on(host, manifest, { catch_changes: true }) end - it 'has a valid simplib__crypto_policy_state fact' do - crypto_policy_state = pfact_on(host, 'simplib__crypto_policy_state') + it 'has a valid crypto_policy_state fact' do + crypto_policy_state = pfact_on(host, 'crypto_policy_state') expect(crypto_policy_state).not_to be_empty expect(crypto_policy_state['global_policy']).to eq default_policy expect(crypto_policy_state['global_policy_applied']).to eq true expect(crypto_policy_state['global_policies_available']).to include('DEFAULT', 'EMPTY', 'FIPS', 'FUTURE', 'LEGACY') + expect(crypto_policy_state['sub_policies_available']).to include('AD-SUPPORT', 'ECDHE-ONLY', 'NO-CAMELLIA', 'NO-SHA1', 'OSPP') end end - context 'when setting the config' do + context 'when setting the config to a global policy' do let(:hieradata) do { 'crypto_policy::ensure' => 'LEGACY' @@ -56,7 +57,7 @@ if pfact_on(host, 'fips_enabled') it 'has the global policy set to FIPS' do - crypto_policy_state = pfact_on(host, 'simplib__crypto_policy_state') + crypto_policy_state = pfact_on(host, 'crypto_policy_state') expect(crypto_policy_state).not_to be_empty expect(crypto_policy_state['global_policy']).to eq 'FIPS' @@ -64,7 +65,7 @@ end else it 'has the global policy set to LEGACY' do - crypto_policy_state = pfact_on(host, 'simplib__crypto_policy_state') + crypto_policy_state = pfact_on(host, 'crypto_policy_state') expect(crypto_policy_state).not_to be_empty expect(crypto_policy_state['global_policy']).to eq hieradata['crypto_policy::ensure'] 
@@ -72,5 +73,31 @@ end end end + + context 'when setting the config with a subpolicy' do + let(:hieradata) do + { + 'crypto_policy::ensure' => 'DEFAULT:NO-SHA1', + 'force_fips_override' => true + } + end + + it 'works without error' do + set_hieradata_on(host, hieradata) + apply_manifest_on(host, manifest, catch_failures: true) + end + + it 'is idempotent' do + apply_manifest_on(host, manifest, { catch_changes: true }) + end + + it 'has the global policy set to DEFAULT:NO-SHA1' do + crypto_policy_state = pfact_on(host, 'crypto_policy_state') + + expect(crypto_policy_state).not_to be_empty + expect(crypto_policy_state['global_policy']).to eq hieradata['crypto_policy::ensure'] + expect(crypto_policy_state['global_policy_applied']).to eq true + end + end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 2dbeb19..c4605fa 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -8,8 +8,9 @@ let(:fips_enabled) { false } let(:facts) do os_facts.merge( - simplib__crypto_policy_state: { - 'global_policies_available' => ['DEFAULT', 'FIPS', 'LEGACY', 'FUTURE', 'NONE'] + crypto_policy_state: { + 'global_policies_available' => ['DEFAULT', 'FIPS', 'LEGACY', 'FUTURE', 'NONE'], + 'sub_policies_available' => ['AD-SUPPORT', 'ECDHE-ONLY', 'NO-CAMELLIA', 'NO-SHA1', 'OSPP'] }, fips_enabled: fips_enabled, ) 
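Review bot: The hieradata key `'force_fips_override' => true` in the new subpolicy context is not namespaced, so if this data is consumed through automatic class parameter lookup it never binds to the class parameter and the override is not exercised. On a FIPS-enabled host the later expectation that `global_policy` equals `DEFAULT:NO-SHA1` would then depend on the default of `false`. I would write `'crypto_policy::force_fips_override' => true`, matching the `'crypto_policy::ensure'` key beside it.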
@@ -52,6 +53,80 @@ it { is_expected.to create_exec('update global crypto policy') } end + context 'with ensure set to DEFAULT:NO-SHA1:OSPP' do + let(:params) do + { + ensure: 'DEFAULT:NO-SHA1:OSPP', + } + end + + it { is_expected.to compile.with_all_deps } + + it { + is_expected.to create_file('/etc/crypto-policies/config').with_content( + <<~CONTENT, + # This file managed by Puppet using crypto_policy + # + DEFAULT:NO-SHA1:OSPP + CONTENT + ).that_notifies('Class[crypto_policy::update]') + } + + it { is_expected.to create_exec('update global crypto policy') } + end + + context 'with ensure set to DEFAULT:NO-SHA1' do + let(:params) do + { + ensure: 'DEFAULT:NO-SHA1', + } + end + + it { is_expected.to compile.with_all_deps } + + it { + is_expected.to create_file('/etc/crypto-policies/config').with_content( + <<~CONTENT, + # This file managed by Puppet using crypto_policy + # + DEFAULT:NO-SHA1 + CONTENT + ).that_notifies('Class[crypto_policy::update]') + } + + it { is_expected.to create_exec('update global crypto policy') } + end + + context 'with ensure set to non-existent global policy' do + let(:params) do + { + ensure: 'FAKE', + } + end + + it { is_expected.not_to compile } + end + + context 'with ensure set to non-existent subpolicy' do + let(:params) do + { + ensure: 'DEFAULT:FAKE', + } + end + + it { is_expected.not_to compile } + end + + context 'with ensure set to real and non-existent subpolicy' do + let(:params) do + { + ensure: 'DEFAULT:NO-SHA1:FAKE', + } + end + + it { is_expected.not_to compile } + end + context 'with the system in FIPS mode' do let(:fips_enabled) { true } @@ -92,7 +167,7 @@ end context "on #{os} without required facts" do - let(:facts) { os_facts.reject { |k, _v| k == :simplib__crypto_policy_state } } + let(:facts) { os_facts.reject { |k, _v| k == :crypto_policy_state } } let(:params) { { ensure: 'DEFAULT' } } it { is_expected.to compile.with_all_deps } From e36f90ee890f8dd2c4e6d1cbf037f1d6fa24eda5 Mon Sep 17 00:00:00 2001 
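Review bot: The three negative contexts assert only `is_expected.not_to compile`, which passes for any compile failure, including an unrelated one such as a typo in the manifest. Pinning the message makes them prove that the validation itself rejected the value, for example `it { is_expected.to compile.and_raise_error(%r{unknown sub_policies \(FAKE\)}) }` for the two subpolicy cases and a `must be one of` match for the `FAKE` global policy. A case with a repeated component such as `DEFAULT:DEFAULT` is missing and would document how duplicates are treated.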
From: Mike Riddle Date: Thu, 29 May 2025 13:14:09 -0400 Subject: [PATCH 2/7] Fixed minor rubocop error --- lib/facter/crypto_policy_state.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/crypto_policy_state.rb b/lib/facter/crypto_policy_state.rb index 8f6205a..71a1a94 100644 --- a/lib/facter/crypto_policy_state.rb +++ b/lib/facter/crypto_policy_state.rb @@ -48,7 +48,7 @@ end system_state['global_policies_available'] = global_policies.map { |x| File.basename(x, '.pol') }.uniq - system_state['sub_policies_available'] = sub_policies.map {|x| File.basename(x, '.pmod') }.uniq + system_state['sub_policies_available'] = sub_policies.map { |x| File.basename(x, '.pmod') }.uniq end system_state From 36504b2fc3d342fd070499d9a54848bf6c20e138 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Mon, 2 Jun 2025 14:37:54 -0500 Subject: [PATCH 3/7] Test crypto_policy_state fact --- lib/facter/crypto_policy_state.rb | 5 +- spec/unit/facter/crypto_policy_state_spec.rb | 114 +++++++++++++++++++ 2 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 spec/unit/facter/crypto_policy_state_spec.rb diff --git a/lib/facter/crypto_policy_state.rb b/lib/facter/crypto_policy_state.rb index 71a1a94..addab29 100644 --- a/lib/facter/crypto_policy_state.rb +++ b/lib/facter/crypto_policy_state.rb @@ -16,7 +16,7 @@ # } # Facter.add('crypto_policy_state') do - confine kernel: 'Linux' + confine kernel: :linux crypto_policy_cmd = Facter::Util::Resolution.which('update-crypto-policies') confine { crypto_policy_cmd } @@ -52,5 +52,8 @@ end system_state + rescue => e + Facter.warn("Failed to retrieve crypto policy state: #{e.message}") + nil end end diff --git a/spec/unit/facter/crypto_policy_state_spec.rb b/spec/unit/facter/crypto_policy_state_spec.rb new file mode 100644 index 0000000..344ba9c --- /dev/null +++ b/spec/unit/facter/crypto_policy_state_spec.rb 
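Review bot: The `rescue => e` added at the end of the `setcode` block turns every StandardError into a nil fact, and the manifests in this series treat a missing fact as a reason to skip: `crypto_policy::update` only emits a warning and declares no exec, and the validation guard in `init.pp` is not entered. That makes a transient failure in the fact a quiet fail-open for policy enforcement, so the warning should carry enough detail to be found in logs: `Facter.warn("Failed to retrieve crypto policy state: #{e.class}: #{e.message}")`. A comment above the rescue stating that nil disables the update exec downstream would help the next reader. The `setcode` block begins outside this hunk.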
@@ -0,0 +1,114 @@ +# frozen_string_literal: true + +require 'spec_helper' +require 'facter' +require 'facter/crypto_policy_state' + +describe :crypto_policy_state, type: :fact do + subject(:fact) { Facter.fact(:crypto_policy_state) } + + on_supported_os.each do |os, os_facts| + before :each do + Facter.clear + + allow(Dir).to receive(:glob).and_call_original + end + + context "on #{os}" do + let(:facts) { os_facts } + + before :each do + allow(Facter.fact(:kernel)).to receive(:value).and_return(facts[:kernel]) + end + + context 'with a functional update-crypto-policies command' do + before :each do + allow(Facter::Util::Resolution).to receive(:which) + .with('update-crypto-policies') + .and_return('/usr/bin/update-crypto-policies') + allow(Facter::Core::Execution).to receive(:execute) + .with(%(/usr/bin/update-crypto-policies --no-reload --show), on_fail: false) + .and_return("DEFAULT\n") + allow(Dir).to receive(:glob) + .with(['/usr/share/crypto-policies/policies/*.pol', '/etc/crypto-policies/policies/*.pol']) + .and_return( + [ + '/usr/share/crypto-policies/policies/DEFAULT.pol', + '/usr/share/crypto-policies/policies/LEGACY.pol', + '/etc/crypto-policies/policies/DEFAULT.pol', + '/etc/crypto-policies/policies/CUSTOM.pol', + ], + ) + end + + context 'when applied' do + before :each do + allow(Facter::Core::Execution).to receive(:execute) + .with('/usr/bin/update-crypto-policies --no-reload --is-applied', on_fail: false) + .and_return("The configured policy is applied\n") + end + + it do + expect(Facter.fact('crypto_policy_state').value).to include( + { + 'global_policy' => 'DEFAULT', + 'global_policy_applied' => true, + 'global_policies_available' => ['DEFAULT', 'LEGACY', 'CUSTOM'], + }, + ) + end + + context 'with sub-policies' do + before :each do + allow(Dir).to receive(:glob) + .with(['/usr/share/crypto-policies/policies/modules/*.pmod', '/etc/crypto-policies/policies/modules/*.pmod']) + 
.and_return(['/usr/share/crypto-policies/policies/modules/sub_policy.pmod']) + end + + it 'returns the crypto policy state' do + expect(fact.value).to include({ 'sub_policies_available' => ['sub_policy'] }) + end + end + end + + context 'when not applied' do + before :each do + allow(Facter::Core::Execution).to receive(:execute) + .with('/usr/bin/update-crypto-policies --no-reload --is-applied', on_fail: false) + .and_return("The configured policy is NOT applied\n") + end + + it do + expect(Facter.fact('crypto_policy_state').value).to include( + { + 'global_policy' => 'DEFAULT', + 'global_policy_applied' => false, + 'global_policies_available' => ['DEFAULT', 'LEGACY', 'CUSTOM'], + }, + ) + end + end + end + + context 'when update-crypto-policies is not available' do + before :each do + allow(Facter::Util::Resolution).to receive(:which).with('update-crypto-policies').and_return(nil) + end + + it 'returns nil' do + expect(fact.value).to be_nil + end + end + end + end + + context 'on a non-Linux host' do + before :each do + allow(Facter.fact(:kernel)).to receive(:value).and_return('windows') + end + + it 'returns nil' do + expect(fact.value).to be_nil + end + end +end From 71649692e86766d05327b025ccb29d95274e7f33 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Mon, 2 Jun 2025 14:44:46 -0500 Subject: [PATCH 4/7] Remove additional references to simplib --- .fixtures.yml | 1 - REFERENCE.md | 9 +++++---- manifests/init.pp | 2 -- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index c689d1b..3a07824 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -4,4 +4,3 @@ fixtures: compliance_markup: https://github.com/simp/pupmod-simp-compliance_markup simp_options: https://github.com/simp/pupmod-simp-simp_options stdlib: https://github.com/simp/puppetlabs-stdlib - simplib: https://github.com/simp/pupmod-simp-simplib diff --git a/REFERENCE.md b/REFERENCE.md index 1693475..600775b 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
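Review bot: The new fact spec has no example for the `rescue` branch added in this same patch, and none for the EL 8.0 fallback that globs `/usr/share/crypto-policies/*`. An example that makes `Facter::Core::Execution.execute` raise and expects `fact.value` to be nil would cover the first. In the `when applied` and `when not applied` contexts the `.pmod` glob is stubbed only inside `with sub-policies`, so the other examples fall through `and_call_original` and read the build host's filesystem. Stubbing the modules glob to return `[]` in the shared `before` block would keep them hermetic.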
@@ -29,11 +29,12 @@ The following parameters are available in the `crypto_policy` class: Data type: `Optional[String]` -The system crypto policy that you wish to enforce +The system crypto policy and subpolicies that you wish to enforce -* Will be checked against `$facts['simplib__crypto_policy_state']['global_policies_available']` for validity +* Will be checked against `$facts['crypto_policy_state']['global_policies_available']` + and `$facts['crypto_policy_state']['sub_policies_available']`for validity -Default value: `simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }) ? { true => 'FIPS', default => undef` +Default value: `pick($facts['fips_enabled'], false) ? { true => 'FIPS', default => undef` ##### `validate_policy` @@ -90,7 +91,7 @@ The 'ensure' parameter for `$packages` * NOTE: There are issues with `crypto-policies < 20190000` which may render a FIPS system inaccessible. -Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value' => 'latest' })` +Default value: `'latest'` ### `crypto_policy::update` diff --git a/manifests/init.pp b/manifests/init.pp index 0238ec8..19efe05 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -26,8 +26,6 @@ Boolean $force_fips_override = false, Boolean $manage_installation = true ) { - simplib::assert_metadata($module_name) - include crypto_policy::update if $manage_installation { From 76fd09ead579fb12d765119ec72a05bbd88eed15 Mon Sep 17 00:00:00 2001 From: Mike Riddle Date: Thu, 5 Jun 2025 10:37:03 -0400 Subject: [PATCH 5/7] Made the acceptance tests a bit more flexible --- .../suites/default/00_default_spec.rb | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 5ca1fcc..31f09cc 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb 
@@ -35,7 +35,8 @@ expect(crypto_policy_state['global_policy']).to eq default_policy expect(crypto_policy_state['global_policy_applied']).to eq true expect(crypto_policy_state['global_policies_available']).to include('DEFAULT', 'EMPTY', 'FIPS', 'FUTURE', 'LEGACY') - expect(crypto_policy_state['sub_policies_available']).to include('AD-SUPPORT', 'ECDHE-ONLY', 'NO-CAMELLIA', 'NO-SHA1', 'OSPP') + expect(crypto_policy_state['sub_policies_available']).not_to be_empty + expect(crypto_policy_state['sub_policies_available']).to be_an(Array) end end @@ -74,6 +75,29 @@ end end + context 'with custom subpolicy' do + + # Create a custom subpolicy + on(host, "cp /etc/crypto-policies/policies/modules/NO-SHA1.pmod /usr/share/crypto-policies/policies/modules/TEST.pmod") + + # Using puppet_apply as a helper + it 'works without error' do + apply_manifest_on(host, manifest, catch_failures: true) + end + + it 'is idempotent' do + apply_manifest_on(host, manifest, { catch_changes: true }) + end + + it 'has a valid crypto_policy_state fact' do + crypto_policy_state = pfact_on(host, 'crypto_policy_state') + + expect(crypto_policy_state).not_to be_empty + expect(crypto_policy_state['sub_policies_available']).to be_an(Array) + expect(crypto_policy_state['sub_policies_available']).to include('TEST') + end + end + context 'when setting the config with a subpolicy' do let(:hieradata) do { From 49e7ded6ed2335e55ca1f5bda696e6f0448c08da Mon Sep 17 00:00:00 2001 From: Mike Riddle Date: Thu, 5 Jun 2025 10:41:50 -0400 Subject: [PATCH 6/7] Made the acceptance tests a bit more flexible --- spec/acceptance/suites/default/00_default_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 31f09cc..b86ae3a 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb 
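Review bot: The `on(host, "cp ...")` call sits directly in the body of `context 'with custom subpolicy'`, so it runs when the example group is defined rather than when its examples run; the copy happens before the earlier contexts execute, and a failing `cp` aborts the whole file at load time. Patches 6 and 7 change the paths and quoting but keep this placement. Moving it into a hook keeps ordering and failure reporting inside RSpec: `before(:context) { on(host, 'cp ...') }`, with a matching `after(:context)` that removes `TEST.pmod` so that later suites do not inherit the extra subpolicy.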
@@ -78,7 +78,7 @@ context 'with custom subpolicy' do # Create a custom subpolicy - on(host, "cp /etc/crypto-policies/policies/modules/NO-SHA1.pmod /usr/share/crypto-policies/policies/modules/TEST.pmod") + on(host, "cp /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod /etc/crypto-policies/policies/modules/TEST.pmod") # Using puppet_apply as a helper it 'works without error' do From e5ad684c0930fb66bb28ab5bf54ee8edc248ad60 Mon Sep 17 00:00:00 2001 From: Mike Riddle Date: Thu, 5 Jun 2025 10:44:33 -0400 Subject: [PATCH 7/7] Fix style in new check --- spec/acceptance/suites/default/00_default_spec.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index b86ae3a..4c30ee7 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb @@ -76,9 +76,8 @@ end context 'with custom subpolicy' do - # Create a custom subpolicy - on(host, "cp /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod /etc/crypto-policies/policies/modules/TEST.pmod") + on(host, 'cp /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod /etc/crypto-policies/policies/modules/TEST.pmod') # Using puppet_apply as a helper it 'works without error' do