From 6887864d2c8d62a33602152ff41a0d07c6d98959 Mon Sep 17 00:00:00 2001 
From: Noriko Hosoi Date: Wed, 7 Apr 2021 11:12:03 -0700 Subject: [PATCH 1/2] Fix issues found by linters - enable all tests on all repos - remove suppressions Cleaning up yamllint errors. - Use .yamllint.yml and .yamllint_defaults.yml instead of .yamllint.yaml. - Fix the invalid indentations. Cleaning up ansible-lint errors. - Add "name" to every task. - Use command rather than shell - Add "changed_when: false". - Use '|' instead of '>' for the shell module. - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'. - Add "set -eu" and "set -o pipefail" if pipefail is available. Note: "pipefail" is not available in "sh" and "dash". - Add "- '306' # Shells that use pipes should set the pipefail option" to .ansible-lint since ansible-lint does not recognize it if it's set in "if set -o | grep pipefail". RHELPLAN-73804 --- .ansible-lint | 1 + .github/workflows/ansible-centos7.yml | 15 +- .github/workflows/ansible-centos8.yml | 15 +- .github/workflows/ansible-debian-buster.yml | 17 +- .github/workflows/ansible-debian-stretch.yml | 17 +- .github/workflows/ansible-debian.yml | 17 +- .github/workflows/ansible-fedora.yml | 17 +- .github/workflows/ansible-lint.yml | 49 +++--- .github/workflows/ansible-ubuntu.yml | 17 +- .yamllint.yaml | 21 --- .yamllint.yml | 18 ++ .yamllint_defaults.yml | 16 ++ examples/example-root-login.yml | 6 +- handlers/main.yml | 7 +- tasks/install.yml | 20 ++- tests/tasks/backup.yml | 12 +- tests/tasks/restore.yml | 14 +- tests/tests_alternative_file.yml | 172 +++++++++---------- tests/tests_backup.yml | 80 ++++----- tests/tests_default.yml | 10 +- tests/tests_default_include.yml | 14 +- tests/tests_hostkeys.yml | 126 +++++++------- tests/tests_hostkeys_missing.yml | 86 +++++----- tests/tests_match.yml | 148 ++++++++-------- tests/tests_match_iterate.yml | 144 ++++++++-------- tests/tests_os_defaults.yml | 60 ++++--- tests/tests_precedence.yml | 100 +++++------ tests/tests_set_common.yml | 80 ++++----- tests/tests_set_uncommon.yml | 100 +++++------ 
tests/tests_sshd_enable.yml | 75 ++++---- tests/tests_sysconfig.yml | 122 +++++++------ 31 files changed, 831 insertions(+), 765 deletions(-) delete mode 100644 .yamllint.yaml create mode 100644 .yamllint.yml create mode 100644 .yamllint_defaults.yml diff --git a/.ansible-lint b/.ansible-lint index 6d6011d..c1b572f 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,2 +1,3 @@ warn_list: # or 'skip_list' to silence them completely │ - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern + - '306' # Shells that use pipes should set the pipefail option diff --git a/.github/workflows/ansible-centos7.yml b/.github/workflows/ansible-centos7.yml index 9eebd2b..ce89cd5 100644 --- a/.github/workflows/ansible-centos7.yml +++ b/.github/workflows/ansible-centos7.yml @@ -6,11 +6,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with centos:7 - uses: roles-ansible/check-ansible-centos-centos7-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with centos:7 + uses: roles-ansible/check-ansible-centos-centos7-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" diff --git a/.github/workflows/ansible-centos8.yml b/.github/workflows/ansible-centos8.yml index 9afa024..734eab8 100644 --- a/.github/workflows/ansible-centos8.yml +++ b/.github/workflows/ansible-centos8.yml @@ -6,11 +6,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with centos:8 - uses: roles-ansible/check-ansible-centos-centos8-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with centos:8 + uses: roles-ansible/check-ansible-centos-centos8-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" 
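Review bot: The re-indented steps still pull a third-party action from a mutable branch — `uses: roles-ansible/check-ansible-centos-centos7-action@master` in this hunk, and the same `@master` reference in ansible-centos8.yml, ansible-debian-buster.yml, ansible-debian-stretch.yml, ansible-debian.yml, ansible-fedora.yml, ansible-ubuntu.yml, plus `ansible/ansible-lint-action@master` in ansible-lint.yml — so whatever that branch points at when the job runs is what executes with the repository checked out. Pinning to a full commit SHA with the version kept as a trailing comment, `uses: roles-ansible/check-ansible-centos-centos7-action@<commit-sha>  # <version>`, makes the executed code reviewable and the run reproducible; `actions/checkout@v2` is a mutable tag as well, though from a first-party org. Since the lint cleanup already touches every one of these lines, this commit is a natural place to pin them.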
diff --git a/.github/workflows/ansible-debian-buster.yml b/.github/workflows/ansible-debian-buster.yml index 2bd9696..c237077 100644 --- a/.github/workflows/ansible-debian-buster.yml +++ b/.github/workflows/ansible-debian-buster.yml @@ -6,12 +6,13 @@ jobs: build: runs-on: ubuntu-latest steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + # Important: This sets up your GITHUB_WORKSPACE environment variable + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with debian:buster (10) - uses: roles-ansible/check-ansible-debian-buster-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with debian:buster (10) + uses: roles-ansible/check-ansible-debian-buster-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" diff --git a/.github/workflows/ansible-debian-stretch.yml b/.github/workflows/ansible-debian-stretch.yml index 8ae0ccf..b353d3a 100644 --- a/.github/workflows/ansible-debian-stretch.yml +++ b/.github/workflows/ansible-debian-stretch.yml @@ -6,12 +6,13 @@ jobs: build: runs-on: ubuntu-latest steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + # Important: This sets up your GITHUB_WORKSPACE environment variable + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with debian:stretch (9) - uses: roles-ansible/check-ansible-debian-stretch-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with debian:stretch (9) + uses: roles-ansible/check-ansible-debian-stretch-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" diff --git a/.github/workflows/ansible-debian.yml b/.github/workflows/ansible-debian.yml index fd439e2..62752f1 100644 --- a/.github/workflows/ansible-debian.yml +++ b/.github/workflows/ansible-debian.yml 
@@ -6,12 +6,13 @@ jobs: build: runs-on: ubuntu-latest steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + # Important: This sets up your GITHUB_WORKSPACE environment variable + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with debian:latest - uses: roles-ansible/check-ansible-debian-latest-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with debian:latest + uses: roles-ansible/check-ansible-debian-latest-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" diff --git a/.github/workflows/ansible-fedora.yml b/.github/workflows/ansible-fedora.yml index 6162807..0474fc1 100644 --- a/.github/workflows/ansible-fedora.yml +++ b/.github/workflows/ansible-fedora.yml @@ -6,12 +6,13 @@ jobs: build: runs-on: ubuntu-latest steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + # Important: This sets up your GITHUB_WORKSPACE environment variable + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with fedora:latest - uses: roles-ansible/check-ansible-fedora-latest-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with fedora:latest + uses: roles-ansible/check-ansible-fedora-latest-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml index 50f0665..42374fd 100644 --- a/.github/workflows/ansible-lint.yml +++ b/.github/workflows/ansible-lint.yml 
@@ -3,32 +3,35 @@ name: Ansible Lint # feel free to pick your own name on: [push, pull_request] jobs: -# test-ansible28: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@v2 -# - name: Lint Ansible Playbook -# uses: ansible/ansible-lint-action@master -# with: -# targets: "tests/test_*.yml" -# override-deps: | -# ansible==2.8 -# args: "" -# test-ansible29: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/checkout@v2 -# - name: Lint Ansible Playbook -# uses: ansible/ansible-lint-action@master -# with: -# targets: "tests/test_*.yml" -# override-deps: | -# ansible==2.9 -# args: "" + # test-ansible28: + # runs-on: ubuntu-latest + # steps: + # - name: checkout PR + # uses: actions/checkout@v2 + # - name: Lint Ansible Playbook + # uses: ansible/ansible-lint-action@master + # with: + # targets: "tests/test_*.yml" + # override-deps: | + # ansible==2.8 + # args: "" + # test-ansible29: + # runs-on: ubuntu-latest + # steps: + # - name: checkout PR + # uses: actions/checkout@v2 + # - name: Lint Ansible Playbook + # uses: ansible/ansible-lint-action@master + # with: + # targets: "tests/test_*.yml" + # override-deps: | + # ansible==2.9 + # args: "" test-ansible210: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - name: checkout PR + uses: actions/checkout@v2 - name: Lint Ansible Playbook uses: ansible/ansible-lint-action@master with: diff --git a/.github/workflows/ansible-ubuntu.yml b/.github/workflows/ansible-ubuntu.yml index 27b4b99..bd9a415 100644 --- a/.github/workflows/ansible-ubuntu.yml +++ b/.github/workflows/ansible-ubuntu.yml 
@@ -6,12 +6,13 @@ jobs: build: runs-on: ubuntu-latest steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 + # Important: This sets up your GITHUB_WORKSPACE environment variable + - name: checkout PR + uses: actions/checkout@v2 - - name: ansible check with ubuntu:latest - uses: roles-ansible/check-ansible-ubuntu-latest-action@master - with: - group: local - hosts: localhost - targets: "tests/*.yml" + - name: ansible check with ubuntu:latest + uses: roles-ansible/check-ansible-ubuntu-latest-action@master + with: + group: local + hosts: localhost + targets: "tests/*.yml" diff --git a/.yamllint.yaml b/.yamllint.yaml deleted file mode 100644 index 1708d26..0000000 --- a/.yamllint.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# Based on ansible-lint config -extends: default - -rules: - braces: {max-spaces-inside: 1, level: error} - brackets: {max-spaces-inside: 1, level: error} - colons: {max-spaces-after: -1, level: error} - commas: {max-spaces-after: -1, level: error} - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: {max: 3, level: error} - hyphens: {level: error} - indentation: disable - key-duplicates: enable - line-length: disable - new-line-at-end-of-file: disable - new-lines: {type: unix} - trailing-spaces: disable - truthy: disable diff --git a/.yamllint.yml b/.yamllint.yml new file mode 100644 index 0000000..53121d9 --- /dev/null +++ b/.yamllint.yml 
@@ -0,0 +1,18 @@ +# SPDX-License-Identifier: MIT +--- +extends: .yamllint_defaults.yml +# possible customizations over the base yamllint config +# skip the yaml files in the /tests/ directory +# NOTE: If you want to customize `ignore` you'll have to +# copy in all of the config from .yamllint.yml, then +# add your own - so if you want to just add /tests/ to +# be ignored, you'll have to add the ignores from the base +ignore: | + /.tox/ + /.github/ +# /tests/ +# skip checking line length +# NOTE: the above does not apply to `rules` - you do not +# have to copy all of the rules from the base config +rules: + line-length: disable diff --git a/.yamllint_defaults.yml b/.yamllint_defaults.yml new file mode 100644 index 0000000..be0b697 --- /dev/null +++ b/.yamllint_defaults.yml @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: MIT +--- +ignore: | + /.tox/ +extends: default +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + truthy: + allowed-values: ["yes", "no", "true", "false"] + level: error + document-start: disable diff --git a/examples/example-root-login.yml b/examples/example-root-login.yml index 156e629..ba7a3b0 100644 --- a/examples/example-root-login.yml +++ b/examples/example-root-login.yml @@ -10,6 +10,6 @@ PermitRootLogin: no PasswordAuthentication: no Match: - - Condition: "Address 192.0.2.0/24" - PermitRootLogin: yes - PasswordAuthentication: yes + - Condition: "Address 192.0.2.0/24" + PermitRootLogin: yes + PasswordAuthentication: yes diff --git a/handlers/main.yml b/handlers/main.yml index 2b89cdc..4808ace 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
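Review bot: The `ignore:` block of the new .yamllint.yml excludes `/.github/`, so the workflow files re-indented in this same commit are not checked by yamllint even though the commit title says all tests are enabled; if the exclusion is deliberate (for example because of the `on:` key and the `truthy` rule), a comment on the `/.github/` line saying so would help, otherwise the line can be dropped. The NOTE comment above the block says to "copy in all of the config from .yamllint.yml", which presumably should read `.yamllint_defaults.yml`, the file whose `ignore:` list is being replaced rather than merged.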
@@ -8,7 +8,7 @@ - sshd_allow_reload|bool - ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'podman' - - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions + - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions - ansible_connection != 'chroot' - ansible_os_family != 'AIX' listen: reload_sshd @@ -19,10 +19,15 @@ # https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6 - name: Reload sshd Service (AIX) shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi stopsrc -s sshd until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done startsrc -s sshd listen: reload_sshd + changed_when: false when: - sshd_allow_reload|bool - ansible_os_family == 'AIX' diff --git a/tasks/install.yml b/tasks/install.yml index e08508a..f5023d2 100644 --- a/tasks/install.yml +++ b/tasks/install.yml @@ -50,14 +50,19 @@ {% endif %} block: - name: Make sure hostkeys are available - shell: > + shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi {% if sshd_sysconfig %} - source /etc/sysconfig/sshd; + source /etc/sysconfig/sshd {% endif %} ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N '' args: creates: "{{ item }}" loop: "{{ __sshd_verify_hostkeys | from_json | list }}" + changed_when: false - name: Make sure private hostkeys have expected permissions file: 
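Review bot: The pipefail probe added to the AIX reload handler never succeeds, because `if set -o | grep pipefail 2>&1 /dev/null ; then` hands `/dev/null` to grep as a file operand — grep then searches that empty file instead of its stdin and always exits non-zero — so `set -o pipefail` is silently never enabled; the identical line appears in tasks/install.yml ("Make sure hostkeys are available"), tests/tasks/backup.yml and tests/tasks/restore.yml. The intended redirection is `if set -o | grep pipefail >/dev/null 2>&1; then` (or `grep -q pipefail` with no file operand). tests/tasks/backup.yml also places `set -eu` after the probe while the other three scripts put it before; one order across all four makes them easier to compare. Until the probe is fixed, the `'306'` entry added to .ansible-lint is masking a real omission rather than a false positive.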
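Review bot: `changed_when: false` added to "Make sure hostkeys are available" in tasks/install.yml hides a real change: when `creates: "{{ item }}"` does not short-circuit, the task generates a new host key on the managed node, yet the play reports it as unchanged. The `creates:` argument already makes the task idempotent (it is skipped once the key exists), so dropping the `changed_when: false` line restores accurate change reporting without affecting idempotence. The `source /etc/sysconfig/sshd` line inside the `{% if sshd_sysconfig %}` branch is a bash builtin; if this script ever runs under a POSIX /bin/sh, the portable spelling is `. /etc/sysconfig/sshd`.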
@@ -75,14 +80,15 @@ tempfile: state: directory register: sshd_test_hostkey - changed_when: False + changed_when: false when: - __sshd_hostkeys_from_config | from_json == [] - sshd_config_file != "/etc/ssh/sshd_config" - name: Generate temporary hostkey - shell: "ssh-keygen -q -t rsa -f {{ sshd_test_hostkey.path }}/rsa_key -C '' -N ''" - changed_when: False + command: > + ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N '' + changed_when: false when: sshd_test_hostkey.path is defined - name: Make sure sshd runtime directory is present @@ -119,7 +125,7 @@ file: path: "{{ sshd_test_hostkey.path }}" state: absent - changed_when: False + changed_when: false when: sshd_test_hostkey.path is defined - name: Install systemd service files @@ -159,7 +165,7 @@ - sshd_manage_service|bool - ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'podman' - - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions + - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions - ansible_connection != 'chroot' # Due to ansible bug 21026, cannot use service module on RHEL 7 diff --git a/tests/tasks/backup.yml b/tests/tasks/backup.yml index 16d3e22..bc17c14 100644 --- a/tests/tasks/backup.yml +++ b/tests/tasks/backup.yml @@ -6,17 +6,21 @@ tempfile: state: directory register: __sshd_test_backup - changed_when: False + changed_when: false when: - sshd_test_backup_skip is not defined - name: Backup files - shell: > + shell: | + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi + set -eu if test -f {{ item }}; then - mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }}); + mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }}) cp {{ item }} {{ __sshd_test_backup.path }}/$(dirname {{ item }}) fi - changed_when: False + changed_when: false loop: "{{ __sshd_test_backup_files | d([]) }}" when: - __sshd_test_backup is defined 
diff --git a/tests/tasks/restore.yml b/tests/tasks/restore.yml index 7c955b3..46d0511 100644 --- a/tests/tasks/restore.yml +++ b/tests/tasks/restore.yml @@ -1,12 +1,16 @@ --- - name: Restore backed up files and remove what was not present - shell: > + shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi if test -f {{ __sshd_test_backup.path }}/{{ item }}; then cp {{ __sshd_test_backup.path }}/{{ item }} $(dirname {{ item }}) elif test -f {{ item }}; then rm {{ item }} fi - changed_when: False + changed_when: false loop: "{{ __sshd_test_backup_files | d([]) }}" when: - __sshd_test_backup is defined @@ -16,7 +20,7 @@ file: path: "{{ __sshd_test_backup.path }}" state: absent - changed_when: False + changed_when: false when: - __sshd_test_backup is defined - __sshd_test_backup.path is defined @@ -25,11 +29,11 @@ service: name: sshd state: reloaded - changed_when: False + changed_when: false when: - __sshd_test_backup is defined - ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'podman' - - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions + - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions - ansible_connection != 'chroot' - ansible_os_family != 'AIX' diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml index aca4c6e..173f88d 100644 --- a/tests/tests_alternative_file.yml +++ b/tests/tests_alternative_file.yml 
@@ -7,98 +7,98 @@ - /etc/ssh/sshd_config_custom - /etc/ssh/sshd_config_custom_second tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure alternative sshd_config file - include_role: - name: ansible-sshd - vars: - # just anything -- will not get processed by sshd - sshd_config_file: /etc/ssh/sshd_config_custom - sshd_skip_defaults: true - sshd: - AcceptEnv: LANG - Banner: /etc/issue - Ciphers: aes256-ctr - sshd_Compression: no - - name: Configure second alternative sshd_config file - include_role: - name: ansible-sshd - vars: - # just anything -- will not get processed by sshd - sshd_config_file: /etc/ssh/sshd_config_custom_second - sshd_skip_defaults: true - sshd: - Banner: /etc/issue2 - Ciphers: aes128-ctr - sshd_MaxStartups: 100 - - name: Now configure the main sshd_config file - include_role: - name: ansible-sshd - vars: - sshd: - Banner: /etc/issue - Ciphers: aes192-ctr - HostKey: - - /tmp/ssh_host_ecdsa_key - sshd_PasswordAuthentication: no + - name: Configure alternative sshd_config file + include_role: + name: ansible-sshd + vars: + # just anything -- will not get processed by sshd + sshd_config_file: /etc/ssh/sshd_config_custom + sshd_skip_defaults: true + sshd: + AcceptEnv: LANG + Banner: /etc/issue + Ciphers: aes256-ctr + sshd_Compression: no + - name: Configure second alternative sshd_config file + include_role: + name: ansible-sshd + vars: + # just anything -- will not get processed by sshd + sshd_config_file: /etc/ssh/sshd_config_custom_second + sshd_skip_defaults: true + sshd: + Banner: /etc/issue2 + Ciphers: aes128-ctr + sshd_MaxStartups: 100 + - name: Now configure the main sshd_config file + include_role: + name: ansible-sshd + vars: + sshd: + Banner: /etc/issue + Ciphers: aes192-ctr + HostKey: + - /tmp/ssh_host_ecdsa_key + sshd_PasswordAuthentication: no - - name: Verify the options are correctly set - vars: - main_sshd_config: 
>- - {{ - "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" - if ansible_facts['distribution'] == 'Fedora' - else "/etc/ssh/sshd_config" - }} - block: - - meta: flush_handlers + - name: Verify the options are correctly set + vars: + main_sshd_config: >- + {{ + "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" + if ansible_facts['distribution'] == 'Fedora' + else "/etc/ssh/sshd_config" + }} + block: + - meta: flush_handlers - - name: Print current configuration file - slurp: - src: /etc/ssh/sshd_config_custom - register: config + - name: Print current configuration file + slurp: + src: /etc/ssh/sshd_config_custom + register: config - - name: Print second configuration file - slurp: - src: /etc/ssh/sshd_config_custom_second - register: config2 + - name: Print second configuration file + slurp: + src: /etc/ssh/sshd_config_custom_second + register: config2 - - name: Print the main configuration file - slurp: - src: "{{ main_sshd_config }}" - register: config3 + - name: Print the main configuration file + slurp: + src: "{{ main_sshd_config }}" + register: config3 - - name: Check content of first configuration file - assert: - that: - - "'AcceptEnv LANG' in config.content | b64decode" - - "'Banner /etc/issue' in config.content | b64decode" - - "'Ciphers aes256-ctr' in config.content | b64decode" - - "'HostKey' not in config.content | b64decode" - - "'Compression no' in config.content | b64decode" - - "'MaxStartups 100' not in config.content | b64decode" + - name: Check content of first configuration file + assert: + that: + - "'AcceptEnv LANG' in config.content | b64decode" + - "'Banner /etc/issue' in config.content | b64decode" + - "'Ciphers aes256-ctr' in config.content | b64decode" + - "'HostKey' not in config.content | b64decode" + - "'Compression no' in config.content | b64decode" + - "'MaxStartups 100' not in config.content | b64decode" - - name: Check content of second configuration file - assert: - that: - - "'Banner /etc/issue2' in config2.content | 
b64decode" - - "'Ciphers aes128-ctr' in config2.content | b64decode" - - "'HostKey' not in config2.content | b64decode" - - "'MaxStartups 100' in config2.content | b64decode" - - "'Compression no' not in config2.content | b64decode" + - name: Check content of second configuration file + assert: + that: + - "'Banner /etc/issue2' in config2.content | b64decode" + - "'Ciphers aes128-ctr' in config2.content | b64decode" + - "'HostKey' not in config2.content | b64decode" + - "'MaxStartups 100' in config2.content | b64decode" + - "'Compression no' not in config2.content | b64decode" - - name: Check content of the main configuration file - assert: - that: - - "'Banner /etc/issue' in config3.content | b64decode" - - "'Ciphers aes192-ctr' in config3.content | b64decode" - - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode" - - "'PasswordAuthentication no' in config3.content | b64decode" - - "'MaxStartups 100' not in config3.content | b64decode" - - "'Compression no' not in config3.content | b64decode" - tags: tests::verify + - name: Check content of the main configuration file + assert: + that: + - "'Banner /etc/issue' in config3.content | b64decode" + - "'Ciphers aes192-ctr' in config3.content | b64decode" + - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode" + - "'PasswordAuthentication no' in config3.content | b64decode" + - "'MaxStartups 100' not in config3.content | b64decode" + - "'Compression no' not in config3.content | b64decode" + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_backup.yml b/tests/tests_backup.yml index 40fe281..e449a27 100644 --- a/tests/tests_backup.yml +++ b/tests/tests_backup.yml 
@@ -17,51 +17,51 @@ else "/etc/ssh/" }} tasks: - - name: Backup configuration files - include_tasks: tasks/backup.yml + - name: Backup configuration files + include_tasks: tasks/backup.yml - - name: Find old backups files - find: - paths: "{{ main_sshd_config_path }}" - patterns: "{{ main_sshd_config }}.*@*~" - register: backup_files + - name: Find old backups files + find: + paths: "{{ main_sshd_config_path }}" + patterns: "{{ main_sshd_config }}.*@*~" + register: backup_files - - name: Remove old backup files - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ backup_files.files }}" + - name: Remove old backup files + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ backup_files.files }}" - - name: Configure sshd without creating backup - include_role: - name: ansible-sshd - vars: - sshd_backup: false + - name: Configure sshd without creating backup + include_role: + name: ansible-sshd + vars: + sshd_backup: false - - name: Find new backups files - find: - paths: "{{ main_sshd_config_path }}" - patterns: "{{ main_sshd_config }}.*@*~" - register: no_backup + - name: Find new backups files + find: + paths: "{{ main_sshd_config_path }}" + patterns: "{{ main_sshd_config }}.*@*~" + register: no_backup - - name: Configure sshd again with different configuration and with backup - include_role: - name: ansible-sshd - vars: - sshd_Banner: /tmp/banner - register: second_run + - name: Configure sshd again with different configuration and with backup + include_role: + name: ansible-sshd + vars: + sshd_Banner: /tmp/banner + register: second_run - - name: Find new backups files - find: - paths: "{{ main_sshd_config_path }}" - patterns: "{{ main_sshd_config }}.*@*~" - register: new_backup + - name: Find new backups files + find: + paths: "{{ main_sshd_config_path }}" + patterns: "{{ main_sshd_config }}.*@*~" + register: new_backup - - name: Verify the backup was not done in the first attempt, but in the second one - assert: - that: - - 
no_backup.files == [] - - new_backup.files != [] + - name: Verify the backup was not done in the first attempt, but in the second one + assert: + that: + - no_backup.files == [] + - new_backup.files != [] - - name: Restore configuration files - include_tasks: tasks/restore.yml + - name: Restore configuration files + include_tasks: tasks/restore.yml diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 2400fee..e9a6631 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -5,12 +5,12 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - hosts: all roles: - - ansible-sshd + - ansible-sshd - hosts: all vars: @@ -18,5 +18,5 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_default_include.yml b/tests/tests_default_include.yml index 8c0333f..68d6cf3 100644 --- a/tests/tests_default_include.yml +++ b/tests/tests_default_include.yml @@ -5,12 +5,12 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: "Configure sshd" - include_role: - name: ansible-sshd + - name: "Configure sshd" + include_role: + name: ansible-sshd - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_hostkeys.yml b/tests/tests_hostkeys.yml index 4ccbdba..79e6ef1 100644 --- a/tests/tests_hostkeys.yml +++ b/tests/tests_hostkeys.yml 
@@ -6,76 +6,78 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /tmp/ssh_host_rsa_key2 tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Remove host key before the test - file: - path: /tmp/ssh_host_rsa_key2 - state: absent + - name: Remove host key before the test + file: + path: /tmp/ssh_host_rsa_key2 + state: absent - - name: Ensure group 'nobody' exists - group: - name: nobody + - name: Ensure group 'nobody' exists + group: + name: nobody - - name: Ensure the user 'nobody' exists - user: - name: nobody - group: nobody - comment: nobody - create_home: no - shell: /sbin/nologin + - name: Ensure the user 'nobody' exists + user: + name: nobody + group: nobody + comment: nobody + create_home: no + shell: /sbin/nologin - - name: Configure sshd with alternative host keys - include_role: - name: ansible-sshd - vars: - # very BAD example - sshd_hostkey_owner: "nobody" - sshd_hostkey_group: "nobody" - sshd_hostkey_mode: "0664" - sshd: - HostKey: - - /tmp/ssh_host_rsa_key2 + - name: Configure sshd with alternative host keys + include_role: + name: ansible-sshd + vars: + # very BAD example + sshd_hostkey_owner: "nobody" + sshd_hostkey_group: "nobody" + sshd_hostkey_mode: "0664" + sshd: + HostKey: + - /tmp/ssh_host_rsa_key2 - - name: Verify the options are correctly set - vars: - main_sshd_config: >- - {{ - "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" - if ansible_facts['distribution'] == 'Fedora' - else "/etc/ssh/sshd_config" - }} - block: - - meta: flush_handlers + - name: Verify the options are correctly set + vars: + main_sshd_config: >- + {{ + "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" + if ansible_facts['distribution'] == 'Fedora' + else "/etc/ssh/sshd_config" + }} + block: + - meta: flush_handlers - - name: Print current configuration file - slurp: - src: "{{ main_sshd_config }}" - register: config + - name: Print current 
configuration file + slurp: + src: "{{ main_sshd_config }}" + register: config - - stat: - path: /tmp/ssh_host_rsa_key2 - register: privkey + - name: Get stat of private key + stat: + path: /tmp/ssh_host_rsa_key2 + register: privkey - - stat: - path: /tmp/ssh_host_rsa_key2.pub - register: pubkey + - name: Get stat of public key + stat: + path: /tmp/ssh_host_rsa_key2.pub + register: pubkey - - name: Check the options are in configuration file - assert: - that: - - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" + - name: Check the options are in configuration file + assert: + that: + - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - - name: Check the generated host key has requested properties - assert: - that: - - privkey.stat.exists - - privkey.stat.gr_name == 'nobody' - - privkey.stat.pw_name == 'nobody' - - privkey.stat.mode == '0664' - - pubkey.stat.exists - tags: tests::verify + - name: Check the generated host key has requested properties + assert: + that: + - privkey.stat.exists + - privkey.stat.gr_name == 'nobody' + - privkey.stat.pw_name == 'nobody' + - privkey.stat.mode == '0664' + - pubkey.stat.exists + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_hostkeys_missing.yml b/tests/tests_hostkeys_missing.yml index 5790684..e4cee9f 100644 --- a/tests/tests_hostkeys_missing.yml +++ b/tests/tests_hostkeys_missing.yml 
@@ -6,52 +6,52 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /tmp/missing_ssh_host_rsa_key tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd with missing host keys and prevent their creation - block: - - name: Configure missing hostkey - include_role: - name: ansible-sshd - vars: - sshd_verify_hostkeys: [] - sshd: - HostKey: - - /tmp/missing_ssh_host_rsa_key - register: role_result + - name: Configure sshd with missing host keys and prevent their creation + block: + - name: Configure missing hostkey + include_role: + name: ansible-sshd + vars: + sshd_verify_hostkeys: [] + sshd: + HostKey: + - /tmp/missing_ssh_host_rsa_key + register: role_result - - name: unreachable task - fail: - msg: UNREACH + - name: unreachable task + fail: + msg: UNREACH - rescue: - - name: Check that we failed in the role - assert: - that: - - ansible_failed_result.msg != 'UNREACH' - - not role_result.changed - msg: "Role has not failed when it should have" - when: - - ansible_facts['os_family'] != 'Debian' - - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - tags: tests::verify + rescue: + - name: Check that we failed in the role + assert: + that: + - ansible_failed_result.msg != 'UNREACH' + - not role_result.changed + msg: "Role has not failed when it should have" + when: + - ansible_facts['os_family'] != 'Debian' + - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') + tags: tests::verify - - name: Make sure the key was not created - file: - path: /tmp/missing_ssh_host_rsa_key - state: absent - register: key - failed_when: key.changed - tags: tests::verify + - name: Make sure the key was not created + file: + path: /tmp/missing_ssh_host_rsa_key + state: absent + register: key + failed_when: key.changed + tags: tests::verify - - name: Make sure 
service is still running - service: - name: sshd - state: started - register: result - failed_when: result.changed - tags: tests::verify + - name: Make sure service is still running + service: + name: sshd + state: started + register: result + failed_when: result.changed + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_match.yml b/tests/tests_match.yml index f47418f..de6a860 100644 --- a/tests/tests_match.yml +++ b/tests/tests_match.yml 
@@ -5,87 +5,87 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd - include_role: - name: ansible-sshd - vars: - # For Fedora containers, we need to make sure we have keys for sshd -T below - sshd_verify_hostkeys: - - /etc/ssh/ssh_host_rsa_key - sshd: - Match: - Condition: "User xusers" - X11Forwarding: yes - Banner: /tmp/xusers-banner - sshd_match: - - Condition: "User bot" - AllowTcpForwarding: no - Banner: /tmp/bot-banner - sshd_match_1: - - Condition: "User sftponly" - ForceCommand: "internal-sftp" - ChrootDirectory: "/var/uploads/" - sshd_match_2: - - Condition: "User root" - PasswordAuthentication: no - AllowTcpForwarding: yes + - name: Configure sshd + include_role: + name: ansible-sshd + vars: + # For Fedora containers, we need to make sure we have keys for sshd -T below + sshd_verify_hostkeys: + - /etc/ssh/ssh_host_rsa_key + sshd: + Match: + Condition: "User xusers" + X11Forwarding: yes + Banner: /tmp/xusers-banner + sshd_match: + - Condition: "User bot" + AllowTcpForwarding: no + Banner: /tmp/bot-banner + sshd_match_1: + - Condition: "User sftponly" + ForceCommand: "internal-sftp" + ChrootDirectory: "/var/uploads/" + sshd_match_2: + - Condition: "User root" + PasswordAuthentication: no + AllowTcpForwarding: yes - - name: Verify the options are correctly set - vars: - main_sshd_config: >- - {{ - "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" - if ansible_facts['distribution'] == 'Fedora' - else "/etc/ssh/sshd_config" - }} - block: - - meta: flush_handlers + - name: Verify the options are correctly set + vars: + main_sshd_config: >- + {{ + "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" + if ansible_facts['distribution'] == 'Fedora' + else "/etc/ssh/sshd_config" + }} + block: + - meta: flush_handlers - - name: List effective configuration using 
sshd -T for xusers - command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com - register: xusers_effective + - name: List effective configuration using sshd -T for xusers + command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com + register: xusers_effective - - name: List effective configuration using sshd -T for bot - command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com - register: bot_effective + - name: List effective configuration using sshd -T for bot + command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com + register: bot_effective - - name: List effective configuration using sshd -T for sftponly - command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com - register: sftponly_effective + - name: List effective configuration using sshd -T for sftponly + command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com + register: sftponly_effective - - name: List effective configuration using sshd -T for root - command: sshd -T -C user=root,addr=127.0.0.1,host=example.com - register: root_effective + - name: List effective configuration using sshd -T for root + command: sshd -T -C user=root,addr=127.0.0.1,host=example.com + register: root_effective - - name: Print current configuration file - slurp: - src: "{{ main_sshd_config }}" - register: config + - name: Print current configuration file + slurp: + src: "{{ main_sshd_config }}" + register: config - - name: Check the options are effective - # note, the options are in lower-case here - assert: - that: - - "'x11forwarding yes' in xusers_effective.stdout" - - "'banner /tmp/xusers-banner' in xusers_effective.stdout" - - "'allowtcpforwarding no' in bot_effective.stdout" - - "'banner /tmp/bot-banner' in bot_effective.stdout" - - "'forcecommand internal-sftp' in sftponly_effective.stdout" - - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" - - "'passwordauthentication no' in root_effective.stdout" - - "'allowtcpforwarding yes' in root_effective.stdout" + - name: 
Check the options are effective + # note, the options are in lower-case here + assert: + that: + - "'x11forwarding yes' in xusers_effective.stdout" + - "'banner /tmp/xusers-banner' in xusers_effective.stdout" + - "'allowtcpforwarding no' in bot_effective.stdout" + - "'banner /tmp/bot-banner' in bot_effective.stdout" + - "'forcecommand internal-sftp' in sftponly_effective.stdout" + - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" + - "'passwordauthentication no' in root_effective.stdout" + - "'allowtcpforwarding yes' in root_effective.stdout" - - name: Check the options are in configuration file - assert: - that: - - "'Match User xusers' in config.content | b64decode" - - "'Match User bot' in config.content | b64decode" - - "'Match User sftponly' in config.content | b64decode" - - "'Match User root' in config.content | b64decode" - tags: tests::verify + - name: Check the options are in configuration file + assert: + that: + - "'Match User xusers' in config.content | b64decode" + - "'Match User bot' in config.content | b64decode" + - "'Match User sftponly' in config.content | b64decode" + - "'Match User root' in config.content | b64decode" + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_match_iterate.yml b/tests/tests_match_iterate.yml index c010258..14a9a05 100644 --- a/tests/tests_match_iterate.yml +++ b/tests/tests_match_iterate.yml 
@@ -5,85 +5,85 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd - include_role: - name: ansible-sshd - vars: - # For Fedora containers, we need to make sure we have keys for sshd -T below - sshd_verify_hostkeys: - - /etc/ssh/ssh_host_rsa_key - sshd: - Match: - - Condition: "User xusers" - X11Forwarding: yes - Banner: /tmp/xusers-banner - - Condition: "User bot" - AllowTcpForwarding: no - Banner: /tmp/bot-banner - sshd_match: - - Condition: "User sftponly" - ForceCommand: "internal-sftp" - ChrootDirectory: "/var/uploads/" - - Condition: "User root" - PasswordAuthentication: no - AllowTcpForwarding: yes + - name: Configure sshd + include_role: + name: ansible-sshd + vars: + # For Fedora containers, we need to make sure we have keys for sshd -T below + sshd_verify_hostkeys: + - /etc/ssh/ssh_host_rsa_key + sshd: + Match: + - Condition: "User xusers" + X11Forwarding: yes + Banner: /tmp/xusers-banner + - Condition: "User bot" + AllowTcpForwarding: no + Banner: /tmp/bot-banner + sshd_match: + - Condition: "User sftponly" + ForceCommand: "internal-sftp" + ChrootDirectory: "/var/uploads/" + - Condition: "User root" + PasswordAuthentication: no + AllowTcpForwarding: yes - - name: Verify the options are correctly set - vars: - main_sshd_config: >- - {{ - "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" - if ansible_facts['distribution'] == 'Fedora' - else "/etc/ssh/sshd_config" - }} - block: - - meta: flush_handlers + - name: Verify the options are correctly set + vars: + main_sshd_config: >- + {{ + "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" + if ansible_facts['distribution'] == 'Fedora' + else "/etc/ssh/sshd_config" + }} + block: + - meta: flush_handlers - - name: List effective configuration using sshd -T for xusers - command: sshd -T -C 
user=xusers,addr=127.0.0.1,host=example.com - register: xusers_effective + - name: List effective configuration using sshd -T for xusers + command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com + register: xusers_effective - - name: List effective configuration using sshd -T for bot - command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com - register: bot_effective + - name: List effective configuration using sshd -T for bot + command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com + register: bot_effective - - name: List effective configuration using sshd -T for sftponly - command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com - register: sftponly_effective + - name: List effective configuration using sshd -T for sftponly + command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com + register: sftponly_effective - - name: List effective configuration using sshd -T for root - command: sshd -T -C user=root,addr=127.0.0.1,host=example.com - register: root_effective + - name: List effective configuration using sshd -T for root + command: sshd -T -C user=root,addr=127.0.0.1,host=example.com + register: root_effective - - name: Print current configuration file - slurp: - src: "{{ main_sshd_config }}" - register: config + - name: Print current configuration file + slurp: + src: "{{ main_sshd_config }}" + register: config - - name: Check the options are effective - # note, the options are in lower-case here - assert: - that: - - "'x11forwarding yes' in xusers_effective.stdout" - - "'banner /tmp/xusers-banner' in xusers_effective.stdout" - - "'allowtcpforwarding no' in bot_effective.stdout" - - "'banner /tmp/bot-banner' in bot_effective.stdout" - - "'forcecommand internal-sftp' in sftponly_effective.stdout" - - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" - - "'passwordauthentication no' in root_effective.stdout" - - "'allowtcpforwarding yes' in root_effective.stdout" + - name: Check the options are effective + # note, 
the options are in lower-case here + assert: + that: + - "'x11forwarding yes' in xusers_effective.stdout" + - "'banner /tmp/xusers-banner' in xusers_effective.stdout" + - "'allowtcpforwarding no' in bot_effective.stdout" + - "'banner /tmp/bot-banner' in bot_effective.stdout" + - "'forcecommand internal-sftp' in sftponly_effective.stdout" + - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout" + - "'passwordauthentication no' in root_effective.stdout" + - "'allowtcpforwarding yes' in root_effective.stdout" - - name: Check the options are in configuration file - assert: - that: - - "'Match User xusers' in config.content | b64decode" - - "'Match User bot' in config.content | b64decode" - - "'Match User sftponly' in config.content | b64decode" - - "'Match User root' in config.content | b64decode" - tags: tests::verify + - name: Check the options are in configuration file + assert: + that: + - "'Match User xusers' in config.content | b64decode" + - "'Match User bot' in config.content | b64decode" + - "'Match User sftponly' in config.content | b64decode" + - "'Match User root' in config.content | b64decode" + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_os_defaults.yml b/tests/tests_os_defaults.yml index dde76d9..bdcf087 100644 --- a/tests/tests_os_defaults.yml +++ b/tests/tests_os_defaults.yml 
@@ -7,32 +7,38 @@ - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key.pub tasks: - - name: Backup configuration files - include_tasks: tasks/backup.yml + - name: Backup configuration files + include_tasks: tasks/backup.yml - - name: Show effective configuration before running role (system defaults) - shell: > - if test ! -f /etc/ssh/ssh_host_rsa_key; then - ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' - fi; - sshd -T - register: runtime_before - - name: Configure sshd - include_role: - name: ansible-sshd - - name: Show effective configuration after running role (role defaults) - shell: sshd -T - register: runtime_after - - debug: - var: ansible_facts['distribution'] - - debug: - var: ansible_facts['distribution_major_version'] - - name: Check that the effective configuration did not change from OS defaults - assert: - that: - - runtime_before.stdout == runtime_after.stdout - when: - - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') + - name: Show effective configuration before running role (system defaults) + shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi + if test ! 
-f /etc/ssh/ssh_host_rsa_key; then + ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' + fi + sshd -T + register: runtime_before + changed_when: false + - name: Configure sshd + include_role: + name: ansible-sshd + - name: Show effective configuration after running role (role defaults) + command: sshd -T + register: runtime_after + changed_when: false + - debug: + var: ansible_facts['distribution'] + - debug: + var: ansible_facts['distribution_major_version'] + - name: Check that the effective configuration did not change from OS defaults + assert: + that: + - runtime_before.stdout == runtime_after.stdout + when: + - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - - name: Restore configuration files - include_tasks: tasks/restore.yml + - name: Restore configuration files + include_tasks: tasks/restore.yml diff --git a/tests/tests_precedence.yml b/tests/tests_precedence.yml index 8d6b82a..cac4566 100644 --- a/tests/tests_precedence.yml +++ b/tests/tests_precedence.yml 
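Review bot: The pipefail guard added to the "Show effective configuration before running role" task never turns pipefail on, because in `if set -o | grep pipefail 2>&1 /dev/null ; then` the `/dev/null` is not part of a redirection but a file operand, so grep searches the empty /dev/null instead of its stdin and the condition is always false on every shell, bash included. The same line is added in tests_sshd_enable.yml and twice in tests_sysconfig.yml, and the context lines of the backup.yml hunk in the second patch show it is already there too. Either `if set -o | grep -q pipefail; then`, or, if the output should stay suppressed, `if set -o | grep pipefail >/dev/null 2>&1; then`, does what the comment-free guard intends. It would also help to keep one ordering across the scripts: here `set -eu` precedes the guard, while backup.yml puts it after.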
@@ -6,61 +6,61 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /tmp/ssh_host_rsa_key tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Remove host key before the test - file: - path: /tmp/ssh_host_rsa_key - state: absent + - name: Remove host key before the test + file: + path: /tmp/ssh_host_rsa_key + state: absent - - name: Configure sshd - include_role: - name: ansible-sshd - vars: - sshd: - Banner: /etc/issue - Ciphers: aes256-ctr - HostKey: /etc/ssh/ssh_host_rsa_key - sshd_Ciphers: aes128-ctr - sshd_Banner: /etc/good-issue - sshd_HostKey: /tmp/ssh_host_rsa_key + - name: Configure sshd + include_role: + name: ansible-sshd + vars: + sshd: + Banner: /etc/issue + Ciphers: aes256-ctr + HostKey: /etc/ssh/ssh_host_rsa_key + sshd_Ciphers: aes128-ctr + sshd_Banner: /etc/good-issue + sshd_HostKey: /tmp/ssh_host_rsa_key - - name: Verify the options are correctly set - vars: - main_sshd_config: >- - {{ - "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" - if ansible_facts['distribution'] == 'Fedora' - else "/etc/ssh/sshd_config" - }} - block: - - meta: flush_handlers + - name: Verify the options are correctly set + vars: + main_sshd_config: >- + {{ + "/etc/ssh/sshd_config.d/00-ansible_system_role.conf" + if ansible_facts['distribution'] == 'Fedora' + else "/etc/ssh/sshd_config" + }} + block: + - meta: flush_handlers - - name: List effective configuration using sshd -T - command: sshd -T - register: runtime + - name: List effective configuration using sshd -T + command: sshd -T + register: runtime - - name: Print current configuration file - slurp: - src: "{{ main_sshd_config }}" - register: config + - name: Print current configuration file + slurp: + src: "{{ main_sshd_config }}" + register: config - - name: Check the sshd_* values are effective in runtime - # note, the options are in lower-case here - assert: - that: - - "'banner /etc/good-issue' 
in runtime.stdout" - - "'ciphers aes128-ctr' in runtime.stdout" - - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" + - name: Check the sshd_* values are effective in runtime + # note, the options are in lower-case here + assert: + that: + - "'banner /etc/good-issue' in runtime.stdout" + - "'ciphers aes128-ctr' in runtime.stdout" + - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" - - name: Check the options are in configuration file - assert: - that: - - "'Banner /etc/good-issue' in config.content | b64decode" - - "'Ciphers aes128-ctr' in config.content | b64decode" - - "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode" - tags: tests::verify + - name: Check the options are in configuration file + assert: + that: + - "'Banner /etc/good-issue' in config.content | b64decode" + - "'Ciphers aes128-ctr' in config.content | b64decode" + - "'HostKey /tmp/ssh_host_rsa_key' in config.content | b64decode" + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_set_common.yml b/tests/tests_set_common.yml index 7bed95d..5532a70 100644 --- a/tests/tests_set_common.yml +++ b/tests/tests_set_common.yml 
@@ -5,50 +5,50 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd - include_role: - name: ansible-sshd - vars: - sshd: - AcceptEnv: LANG - Banner: /etc/issue - Ciphers: aes256-ctr - Subsystem: "sftp internal-sftp" - sshd_config_file: /etc/ssh/sshd_config + - name: Configure sshd + include_role: + name: ansible-sshd + vars: + sshd: + AcceptEnv: LANG + Banner: /etc/issue + Ciphers: aes256-ctr + Subsystem: "sftp internal-sftp" + sshd_config_file: /etc/ssh/sshd_config - - name: Verify the options are correctly set - block: - - meta: flush_handlers + - name: Verify the options are correctly set + block: + - meta: flush_handlers - - name: List effective configuration using sshd -T - command: sshd -T - register: runtime + - name: List effective configuration using sshd -T + command: sshd -T + register: runtime - - name: Print current configuration file - slurp: - src: /etc/ssh/sshd_config - register: config + - name: Print current configuration file + slurp: + src: /etc/ssh/sshd_config + register: config - - name: Check the options are effective - # note, the options are in lower-case here - assert: - that: - - "'acceptenv LANG' in runtime.stdout" - - "'banner /etc/issue' in runtime.stdout" - - "'ciphers aes256-ctr' in runtime.stdout" - - "'subsystem sftp internal-sftp' in runtime.stdout" + - name: Check the options are effective + # note, the options are in lower-case here + assert: + that: + - "'acceptenv LANG' in runtime.stdout" + - "'banner /etc/issue' in runtime.stdout" + - "'ciphers aes256-ctr' in runtime.stdout" + - "'subsystem sftp internal-sftp' in runtime.stdout" - - name: Check the options are in configuration file - assert: - that: - - "'AcceptEnv LANG' in config.content | b64decode" - - "'Banner /etc/issue' in config.content | b64decode" - - "'Ciphers 
aes256-ctr' in config.content | b64decode" - - "'Subsystem sftp internal-sftp' in config.content | b64decode" - tags: tests::verify + - name: Check the options are in configuration file + assert: + that: + - "'AcceptEnv LANG' in config.content | b64decode" + - "'Banner /etc/issue' in config.content | b64decode" + - "'Ciphers aes256-ctr' in config.content | b64decode" + - "'Subsystem sftp internal-sftp' in config.content | b64decode" + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_set_uncommon.yml b/tests/tests_set_uncommon.yml index 7e3b4eb..bf5ee58 100644 --- a/tests/tests_set_uncommon.yml +++ b/tests/tests_set_uncommon.yml 
@@ -5,57 +5,57 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd with uncommon options, making sure it keeps running - block: - - name: Configure ssh with unsupported options - include_role: - name: ansible-sshd - vars: - sshd: - # Unsupported in new versions, but ignored ? - Protocol: 1 - UsePrivilegeSeparation: no - UseLogin: yes - # Debian only - DebianBanner: /etc/motd - # Used in FreeBSD ? - VersionAddendum: FreeBSD-20180909 - # HPN only - HPNDisabled: yes - HPNBufferSize: 2MB - TcpRcvBufPoll: yes - NoneEnabled: yes - # some builds might be without kerberos/GSSAPI - KerberosAuthentication: yes - GSSAPIStoreCredentialsOnRekey: yes - # SSHv1 options - KeyRegenerationInterval: 1h - ServerKeyBits: 1024 - # This one is pretty new, but works on OpenBSD only - RDomain: 2 - register: role_result + - name: Configure sshd with uncommon options, making sure it keeps running + block: + - name: Configure ssh with unsupported options + include_role: + name: ansible-sshd + vars: + sshd: + # Unsupported in new versions, but ignored ? + Protocol: 1 + UsePrivilegeSeparation: no + UseLogin: yes + # Debian only + DebianBanner: /etc/motd + # Used in FreeBSD ? 
+ VersionAddendum: FreeBSD-20180909 + # HPN only + HPNDisabled: yes + HPNBufferSize: 2MB + TcpRcvBufPoll: yes + NoneEnabled: yes + # some builds might be without kerberos/GSSAPI + KerberosAuthentication: yes + GSSAPIStoreCredentialsOnRekey: yes + # SSHv1 options + KeyRegenerationInterval: 1h + ServerKeyBits: 1024 + # This one is pretty new, but works on OpenBSD only + RDomain: 2 + register: role_result - - name: unreachable task - fail: - msg: UNREACH - rescue: - - name: Check that we failed in the role - assert: - that: - - ansible_failed_result.msg != 'UNREACH' - - not role_result.changed - msg: "Role has not failed when it should have" + - name: unreachable task + fail: + msg: UNREACH + rescue: + - name: Check that we failed in the role + assert: + that: + - ansible_failed_result.msg != 'UNREACH' + - not role_result.changed + msg: "Role has not failed when it should have" - - name: Make sure service is still running - service: - name: sshd - state: started - register: result - failed_when: result.changed - tags: tests::verify + - name: Make sure service is still running + service: + name: sshd + state: started + register: result + failed_when: result.changed + tags: tests::verify - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_sshd_enable.yml b/tests/tests_sshd_enable.yml index 7a09d13..e4385ce 100644 --- a/tests/tests_sshd_enable.yml +++ b/tests/tests_sshd_enable.yml 
@@ -5,43 +5,48 @@ - /etc/ssh/sshd_config - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd with the role disabled - include_role: - name: ansible-sshd - vars: - sshd_enable: false - sshd: - AcceptEnv: XDG_* - Banner: /etc/issue - Ciphers: aes256-ctr,aes128-ctr - sshd_config_file: /etc/ssh/sshd_config + - name: Configure sshd with the role disabled + include_role: + name: ansible-sshd + vars: + sshd_enable: false + sshd: + AcceptEnv: XDG_* + Banner: /etc/issue + Ciphers: aes256-ctr,aes128-ctr + sshd_config_file: /etc/ssh/sshd_config - - name: Print current configuration file - slurp: - src: /etc/ssh/sshd_config - register: config + - name: Print current configuration file + slurp: + src: /etc/ssh/sshd_config + register: config - - name: Print effective configuration - shell: > - if test ! -f /etc/ssh/ssh_host_rsa_key; then - ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' - fi; - sshd -T - register: runtime + - name: Print effective configuration + shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi + if test ! 
-f /etc/ssh/ssh_host_rsa_key; then + ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' + fi + sshd -T + register: runtime + changed_when: false - - name: Check the options were not applied - # note, the options are in lower-case here - assert: - that: - - "'Acceptenv XDG_*' not in config.content | b64decode" - - "'Banner /etc/issue' not in config.content | b64decode" - - "'Ciphers aes256-ctr,aes128-ctr' not in config.content | b64decode" - - "'acceptenv XDG_*' not in runtime.stdout" - - "'banner /etc/issue' not in runtime.stdout" - - "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout" + - name: Check the options were not applied + # note, the options are in lower-case here + assert: + that: + - "'Acceptenv XDG_*' not in config.content | b64decode" + - "'Banner /etc/issue' not in config.content | b64decode" + - "'Ciphers aes256-ctr,aes128-ctr' not in config.content | b64decode" + - "'acceptenv XDG_*' not in runtime.stdout" + - "'banner /etc/issue' not in runtime.stdout" + - "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout" - - name: "Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml diff --git a/tests/tests_sysconfig.yml b/tests/tests_sysconfig.yml index 009740b..71ff3cc 100644 --- a/tests/tests_sysconfig.yml +++ b/tests/tests_sysconfig.yml 
@@ -6,67 +6,77 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/sysconfig/sshd tasks: - - name: "Backup configuration files" - include_tasks: tasks/backup.yml + - name: "Backup configuration files" + include_tasks: tasks/backup.yml - - name: Configure sshd - include_role: - name: ansible-sshd - vars: - sshd_sysconfig: true - sshd_sysconfig_override_crypto_policy: true - sshd_sysconfig_use_strong_rng: 32 + - name: Configure sshd + include_role: + name: ansible-sshd + vars: + sshd_sysconfig: true + sshd_sysconfig_override_crypto_policy: true + sshd_sysconfig_use_strong_rng: 32 - - name: Verify the options are correctly set - block: - - meta: flush_handlers + - name: Verify the options are correctly set + block: + - meta: flush_handlers - - name: Print current configuration file - slurp: - src: /etc/sysconfig/sshd - register: config + - name: Print current configuration file + slurp: + src: /etc/sysconfig/sshd + register: config - - name: Evaluate sysconfig similarly as systemd - shell: | - source /etc/sysconfig/sshd - echo "CP=|$CRYPTO_POLICY|" - echo "RNG=|$SSH_USE_STRONG_RNG|" - register: evaluation + - name: Evaluate sysconfig similarly as systemd + shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi + source /etc/sysconfig/sshd + echo "CP=|${CRYPTO_POLICY:-}|" + echo "RNG=|${SSH_USE_STRONG_RNG:-}|" + register: evaluation + changed_when: false - - name: Evaluate sysconfig similarly as systemd on RHEL 8 - shell: | - source /etc/crypto-policies/back-ends/opensshserver.config - source /etc/sysconfig/sshd - echo "CP=|$CRYPTO_POLICY|" - echo "RNG=|$SSH_USE_STRONG_RNG|" - register: evaluation8 - when: - - ansible_facts['os_family'] == "RedHat" - - ansible_facts['distribution_major_version'] == "8" + - name: Evaluate sysconfig similarly as systemd on RHEL 8 + shell: | + set -eu + if set -o | grep pipefail 2>&1 /dev/null ; then + set -o pipefail + fi + source /etc/crypto-policies/back-ends/opensshserver.config + source 
/etc/sysconfig/sshd + echo "CP=|${CRYPTO_POLICY:-}|" + echo "RNG=|${SSH_USE_STRONG_RNG:-}|" + register: evaluation8 + changed_when: false + when: + - ansible_facts['os_family'] == "RedHat" + - ansible_facts['distribution_major_version'] == "8" - - name: Check the crypto policies is overridden in RHEL 8 - assert: - that: - - "'CRYPTO_POLICY=' in config.content | b64decode" - # these are string variants in default configuration file - - "'# CRYPTO_POLICY=' not in config.content | b64decode" - - "'CP=||' in evaluation8.stdout" - when: - - ansible_facts['os_family'] == "RedHat" - - ansible_facts['distribution_major_version'] == "8" + - name: Check the crypto policies is overridden in RHEL 8 + assert: + that: + - "'CRYPTO_POLICY=' in config.content | b64decode" + # these are string variants in default configuration file + - "'# CRYPTO_POLICY=' not in config.content | b64decode" + - "'CP=||' in evaluation8.stdout" + when: + - ansible_facts['os_family'] == "RedHat" + - ansible_facts['distribution_major_version'] == "8" - - name: Check the RNG options are in configuration file - assert: - that: - - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode" - # these are string variants in default configuration file - - "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode" - - "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode" - - "'RNG=|32|' in evaluation.stdout" - tags: tests::verify - when: - - ansible_facts['os_family'] == "RedHat" - - ansible_facts['distribution'] != 'Fedora' + - name: Check the RNG options are in configuration file + assert: + that: + - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode" + # these are string variants in default configuration file + - "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode" + - "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode" + - "'RNG=|32|' in evaluation.stdout" + tags: tests::verify + when: + - ansible_facts['os_family'] == "RedHat" + - ansible_facts['distribution'] != 'Fedora' - - name: 
"Restore configuration files" - include_tasks: tasks/restore.yml + - name: "Restore configuration files" + include_tasks: tasks/restore.yml From fe0146b8a08136ebeb4ea39b08eafc3078152add Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Sat, 10 Apr 2021 09:11:13 -0700 Subject: [PATCH 2/2] Fixing issues found by @jakure in his reviews. --- tests/tasks/backup.yml | 2 +- tests/tests_os_defaults.yml | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/tasks/backup.yml b/tests/tasks/backup.yml index bc17c14..8f7004f 100644 --- a/tests/tasks/backup.yml +++ b/tests/tasks/backup.yml @@ -13,7 +13,7 @@ - name: Backup files shell: | if set -o | grep pipefail 2>&1 /dev/null ; then - set -o pipefail + set -o pipefail fi set -eu if test -f {{ item }}; then diff --git a/tests/tests_os_defaults.yml b/tests/tests_os_defaults.yml index bdcf087..6409a5f 100644 --- a/tests/tests_os_defaults.yml +++ b/tests/tests_os_defaults.yml @@ -29,10 +29,6 @@ command: sshd -T register: runtime_after changed_when: false - - debug: - var: ansible_facts['distribution'] - - debug: - var: ansible_facts['distribution_major_version'] - name: Check that the effective configuration did not change from OS defaults assert: that: