Last active
June 5, 2020 09:15
## Command

```shell
conftest test -i ini samples/multiple-repos-broken.repo
```

## Policy

```shell
cat policy/yum-repo-security-settings.rego
```

```rego
package main

deny[msg] {
  reponame := input[_] # gets the contents of the structure, not the [foo] value.
  not input[reponame].gpgcheck = 1
  msg = sprintf("gpgcheck should be enabled in %s", [reponame])
}
```

## Source data

```ini
[fedora]
name=Fedora $releasever - $basearch
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False

[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/debug/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False

[fedora-source]
name=Fedora $releasever - Source
#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/source/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
repo_gpgcheck=0
type=rpm
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
skip_if_unavailable=False
```

## Output

```
../conftest test -i ini samples/multiple-repos-broken.repo
FAIL - samples/multiple-repos-broken.repo - gpgcheck should be enabled in {"skip_if_unavailable": false, "type": "rpm", "enabled": 1, "gpgcheck": 0, "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch", "name": "Fedora $releasever - $basearch", "repo_gpgcheck": 0, "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch", "metadata_expire": "7d"}
FAIL - samples/multiple-repos-broken.repo - gpgcheck should be enabled in {"gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch", "metadata_expire": "7d", "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch", "name": "Fedora $releasever - $basearch - Debug", "skip_if_unavailable": false, "type": "rpm", "enabled": 0, "gpgcheck": 0, "repo_gpgcheck": 0}
FAIL - samples/multiple-repos-broken.repo - gpgcheck should be enabled in {"enabled": 0, "skip_if_unavailable": false, "metalink": "https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch", "name": "Fedora $releasever - Source", "repo_gpgcheck": 0, "type": "rpm", "gpgcheck": 0, "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch", "metadata_expire": "7d"}
3 tests, 0 passed, 0 warnings, 3 failures
```
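The comment in the policy explains the output above: `input[_]` yields the values, so `reponame` is bound to each section's contents rather than its `[name]`, and the message dumps the whole section. The following corrected policy is an added example, not code from the gist; it iterates the section names (the top-level keys of `input`, as the ini parser exposes them) and also checks `repo_gpgcheck`, since the sample repositories disable metadata signature verification as well as package verification.

```rego
package main

# Iterate over section names: `some reponame` with `input[reponame]` binds
# reponame to each top-level key ([fedora], [fedora-debuginfo], ...), which is
# what the original `reponame := input[_]` got wrong (it bound the values).
deny[msg] {
  some reponame
  input[reponame]
  # `not ... == 1` also fires when gpgcheck is missing entirely, which yum/dnf
  # would otherwise treat as a per-repo default rather than an explicit choice.
  not input[reponame].gpgcheck == 1
  msg := sprintf("gpgcheck should be enabled in [%s]", [reponame])
}

# repo_gpgcheck=0 leaves the repository metadata (the list of packages and
# their checksums) unsigned even when individual packages are verified.
deny[msg] {
  some reponame
  input[reponame]
  not input[reponame].repo_gpgcheck == 1
  msg := sprintf("repo_gpgcheck should be enabled in [%s]", [reponame])
}
```

Run against the sample file above, each failure now names its section (for example `[fedora]`) instead of printing the section's contents, and every section is reported for both settings.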