Fix various linting issues

Matt Willsher 2022-06-03 11:22:17 +01:00
parent dc350e600f
commit 90338a3f0a
25 changed files with 197 additions and 187 deletions


@ -1,14 +1,14 @@
--- ---
repos: repos:
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.24.2 rev: v1.26.3
hooks: hooks:
- id: yamllint - id: yamllint
files: \.(yaml|yml)$ files: \.(yaml|yml)$
types: [file, yaml] types: [file, yaml]
entry: yamllint --strict entry: yamllint --strict
- repo: https://github.com/ansible/ansible-lint.git - repo: https://github.com/ansible/ansible-lint.git
rev: v4.3.5 rev: v6.2.2
hooks: hooks:
- id: ansible-lint - id: ansible-lint
files: \.(yaml|yml)$ files: \.(yaml|yml)$


@ -1,7 +1,7 @@
--- ---
- name: Reload the SSH service - name: Reload the SSH service
service: ansible.builtin.service:
name: "{{ sshd_service }}" name: "{{ sshd_service }}"
state: reloaded state: reloaded
when: when:
@ -16,7 +16,7 @@
# Instead, use a dirty shell script: # Instead, use a dirty shell script:
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6 # https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
- name: Reload sshd Service (AIX) - name: Reload sshd Service (AIX)
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
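Review bot: The pipefail probe on the line above, `if set -o | grep pipefail 2>&1 /dev/null ; then`, can never succeed: `2>&1` is consumed as a redirection, so `/dev/null` is passed to grep as a file argument, grep searches that empty file instead of the pipe, and `set -o pipefail` is never executed. A working form is `if set -o 2>/dev/null | grep -q pipefail; then`. The same probe appears in install.yml ("Make sure hostkeys are available"), tests/tasks/backup.yml and tests/tasks/restore.yml in this commit. The shell body continues outside the hunk.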


@ -1,10 +1,11 @@
--- ---
galaxy_info: galaxy_info:
role_name: sshd
author: Matt Willsher author: Matt Willsher
description: OpenSSH SSH daemon configuration description: OpenSSH SSH daemon configuration
company: Willsher Systems company: Willsher Systems
license: LGPLv3 license: LGPLv3
min_ansible_version: 2.9 min_ansible_version: "2.10"
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
@ -23,23 +24,23 @@ galaxy_info:
- jammy - jammy
- name: FreeBSD - name: FreeBSD
version: version:
- 10.1 - "10.1"
- name: EL - name: EL
versions: versions:
- 6 - "6"
- 7 - "7"
- 8 - "8"
- 9 - "9"
- name: Fedora - name: Fedora
versions: versions:
- all - all
- name: OpenBSD - name: OpenBSD
versions: versions:
- 6.0 - "6.0"
- name: AIX - name: AIX
versions: versions:
- 7.1 - "7.1"
- 7.2 - "7.2"
galaxy_tags: galaxy_tags:
- networking - networking
- system - system
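Review bot: The FreeBSD platform entry uses the key `version:` while every other platform in this hunk uses `versions:`; Galaxy reads `versions`, so the FreeBSD version list is most likely ignored. Change it to `versions:` so the quoted `"10.1"` actually takes effect, matching the EL, OpenBSD and AIX entries.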


@ -1,12 +1,12 @@
--- ---
- name: Check the kernel FIPS mode - name: Check the kernel FIPS mode
slurp: ansible.builtin.slurp:
src: /proc/sys/crypto/fips_enabled src: /proc/sys/crypto/fips_enabled
register: __sshd_kernel_fips_mode register: __sshd_kernel_fips_mode
failed_when: false failed_when: false
- name: Check the userspace FIPS mode - name: Check the userspace FIPS mode
slurp: ansible.builtin.slurp:
src: /etc/system-fips src: /etc/system-fips
register: __sshd_userspace_fips_mode register: __sshd_userspace_fips_mode
failed_when: false failed_when: false


@ -1,16 +1,16 @@
--- ---
- name: OS is supported - name: OS is supported
meta: end_host ansible.builtin.meta: end_host
when: when:
- not __sshd_os_supported|bool - not __sshd_os_supported|bool
- name: Install ssh packages - name: Install ssh packages
package: ansible.builtin.package:
name: "{{ sshd_packages }}" name: "{{ sshd_packages }}"
state: present state: present
- name: Sysconfig configuration - name: Sysconfig configuration
template: ansible.builtin.template:
src: sysconfig.j2 src: sysconfig.j2
dest: "/etc/sysconfig/sshd" dest: "/etc/sysconfig/sshd"
owner: "root" owner: "root"
@ -23,7 +23,7 @@
notify: reload_sshd notify: reload_sshd
- name: Check FIPS mode - name: Check FIPS mode
include_tasks: check_fips.yml ansible.builtin.include_tasks: check_fips.yml
when: when:
- __sshd_hostkeys_nofips | d([]) - __sshd_hostkeys_nofips | d([])
@ -70,7 +70,7 @@
{% endif %} {% endif %}
block: block:
- name: Make sure hostkeys are available - name: Make sure hostkeys are available
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -85,7 +85,7 @@
changed_when: false changed_when: false
- name: Make sure private hostkeys have expected permissions - name: Make sure private hostkeys have expected permissions
file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
owner: "{{ sshd_hostkey_owner }}" owner: "{{ sshd_hostkey_owner }}"
group: "{{ sshd_hostkey_group }}" group: "{{ sshd_hostkey_group }}"
@ -97,7 +97,7 @@
<<: *share_vars <<: *share_vars
block: block:
- name: Create a temporary hostkey for syntax verification if needed - name: Create a temporary hostkey for syntax verification if needed
tempfile: ansible.builtin.tempfile:
state: directory state: directory
register: sshd_test_hostkey register: sshd_test_hostkey
changed_when: false changed_when: false
@ -105,13 +105,13 @@
- __sshd_hostkeys_from_config | from_json == [] - __sshd_hostkeys_from_config | from_json == []
- name: Generate temporary hostkey - name: Generate temporary hostkey
command: > ansible.builtin.command: >
ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N '' ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
changed_when: false changed_when: false
when: sshd_test_hostkey.path is defined when: sshd_test_hostkey.path is defined
- name: Make sure sshd runtime directory is present - name: Make sure sshd runtime directory is present
file: ansible.builtin.file:
path: "{{ __sshd_runtime_directory }}" path: "{{ __sshd_runtime_directory }}"
state: directory state: directory
owner: root owner: root
@ -121,29 +121,29 @@
- __sshd_runtime_directory | d(false) - __sshd_runtime_directory | d(false)
- name: Create the complete configuration file - name: Create the complete configuration file
include_tasks: install_config.yml ansible.builtin.include_tasks: install_config.yml
when: sshd_config_namespace is none when: sshd_config_namespace is none
- name: Update configuration file snippet - name: Update configuration file snippet
include_tasks: install_namespace.yml ansible.builtin.include_tasks: install_namespace.yml
when: sshd_config_namespace is not none when: sshd_config_namespace is not none
rescue: rescue:
- name: re-raise the error - name: re-raise the error
fail: ansible.builtin.fail:
msg: "{{ ansible_failed_result }}" msg: "{{ ansible_failed_result }}"
always: always:
- name: Remove temporary host keys - name: Remove temporary host keys
file: ansible.builtin.file:
path: "{{ sshd_test_hostkey.path }}" path: "{{ sshd_test_hostkey.path }}"
state: absent state: absent
changed_when: false changed_when: false
when: sshd_test_hostkey.path is defined when: sshd_test_hostkey.path is defined
- name: Install and start systemd service - name: Install and start systemd service
include_tasks: install_service.yml ansible.builtin.include_tasks: install_service.yml
- name: Register that this role has run - name: Register that this role has run
set_fact: ansible.builtin.set_fact:
sshd_has_run: true sshd_has_run: true
when: sshd_has_run is not defined when: sshd_has_run is not defined
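Review bot: In the first hunk of this file the task named `OS is supported` runs `ansible.builtin.meta: end_host` when `not __sshd_os_supported|bool`, so the name states the opposite of what the task does and the play output reads misleadingly on unsupported hosts. A name such as `End the host when the OS is not supported` would match the condition. In the last hunk, `re-raise the error` is the only task name in the file that does not start with a capital letter; `Re-raise the error` keeps it consistent with the rest and with later ansible-lint name-casing checks, if those are enabled for this project.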


@ -1,6 +1,6 @@
--- ---
- name: Create the complete configuration file - name: Create the complete configuration file
template: ansible.builtin.template:
src: sshd_config.j2 src: sshd_config.j2
dest: "{{ sshd_config_file }}" dest: "{{ sshd_config_file }}"
owner: "{{ sshd_config_owner }}" owner: "{{ sshd_config_owner }}"
@ -16,7 +16,7 @@
notify: reload_sshd notify: reload_sshd
- name: Make sure the include path is present in the main sshd_config - name: Make sure the include path is present in the main sshd_config
lineinfile: ansible.builtin.template:
insertbefore: BOF insertbefore: BOF
line: "Include {{ __sshd_defaults['Include'] }}" line: "Include {{ __sshd_defaults['Include'] }}"
path: "{{ __sshd_main_config_file }}" path: "{{ __sshd_main_config_file }}"
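Review bot: The second hunk replaces `lineinfile:` with `ansible.builtin.template:`, but the task's arguments (`insertbefore`, `line`, `path`) belong to lineinfile, so the task "Make sure the include path is present in the main sshd_config" will fail with unsupported parameters for the template module and the `Include` directive will never be written. The module should be `ansible.builtin.lineinfile:`; the rest of the task's arguments continue outside the hunk.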


@ -2,7 +2,7 @@
- name: Update configuration file snippet - name: Update configuration file snippet
vars: vars:
sshd_skip_defaults: true sshd_skip_defaults: true
blockinfile: ansible.builtin.blockinfile:
path: "{{ sshd_config_file }}" path: "{{ sshd_config_file }}"
owner: "{{ sshd_config_owner }}" owner: "{{ sshd_config_owner }}"
group: "{{ sshd_config_group }}" group: "{{ sshd_config_group }}"


@ -2,7 +2,7 @@
- name: Install systemd service files - name: Install systemd service files
block: block:
- name: Install service unit file - name: Install service unit file
template: ansible.builtin.template:
src: "{{ sshd_service_template_service }}" src: "{{ sshd_service_template_service }}"
dest: "/etc/systemd/system/{{ sshd_service }}.service" dest: "/etc/systemd/system/{{ sshd_service }}.service"
owner: root owner: root
@ -10,7 +10,7 @@
mode: "0644" mode: "0644"
notify: reload_sshd notify: reload_sshd
- name: Install instanced service unit file - name: Install instanced service unit file
template: ansible.builtin.template:
src: "{{ sshd_service_template_at_service }}" src: "{{ sshd_service_template_at_service }}"
dest: "/etc/systemd/system/{{ sshd_service }}@.service" dest: "/etc/systemd/system/{{ sshd_service }}@.service"
owner: root owner: root
@ -18,7 +18,7 @@
mode: "0644" mode: "0644"
notify: reload_sshd notify: reload_sshd
- name: Install socket unit file - name: Install socket unit file
template: ansible.builtin.template:
src: "{{ sshd_service_template_socket }}" src: "{{ sshd_service_template_socket }}"
dest: "/etc/systemd/system/{{ sshd_service }}.socket" dest: "/etc/systemd/system/{{ sshd_service }}.socket"
owner: root owner: root
@ -28,7 +28,7 @@
when: sshd_install_service|bool when: sshd_install_service|bool
- name: Service enabled and running - name: Service enabled and running
service: ansible.builtin.service:
name: "{{ sshd_service }}" name: "{{ sshd_service }}"
enabled: true enabled: true
state: started state: started
@ -39,7 +39,7 @@
# Due to ansible bug 21026, cannot use service module on RHEL 7 # Due to ansible bug 21026, cannot use service module on RHEL 7
- name: Enable service in chroot - name: Enable service in chroot
command: systemctl enable {{ sshd_service }} # noqa 303 ansible.builtin.command: systemctl enable {{ sshd_service }} # noqa 303
when: when:
- ansible_connection == 'chroot' - ansible_connection == 'chroot'
- ansible_os_family == 'RedHat' - ansible_os_family == 'RedHat'
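Review bot: The last hunk keeps the numeric suppression `# noqa 303` on the `systemctl enable {{ sshd_service }}` command while the rest of this commit switches to named tags (`# noqa var-naming`) for ansible-lint v6, which identifies rules by name; the numeric tag may therefore no longer suppress the command-instead-of-module finding. Use `ansible.builtin.command: systemctl enable {{ sshd_service }} # noqa command-instead-of-module`. If the task has no `changed_when` (its remaining lines are outside the hunk), ansible-lint v6 will also report `no-changed-when` for it.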


@ -1,4 +1,4 @@
--- ---
- include_tasks: sshd.yml - ansible.builtin.include_tasks: sshd.yml
when: sshd_enable|bool when: sshd_enable|bool
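Review bot: The include at the top of main.yml is the only task in this commit left without a `name:`, even though the commit gives names to the `meta: flush_handlers` tasks in the test playbooks. For consistency, and so the skip message is readable when `sshd_enable` is false, add one: `- name: Run the sshd role tasks` above `ansible.builtin.include_tasks: sshd.yml`.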


@ -1,9 +1,9 @@
--- ---
- name: Ensure ansible_facts used by role - name: Ensure ansible_facts used by role
setup: ansible.builtin.setup:
gather_subset: min gather_subset: min
when: not ansible_facts.keys() | list | when: not ansible_facts.keys() | list |
intersect(__sshd_required_facts) == __sshd_required_facts intersect(__sshd_required_facts) == __sshd_required_facts
- name: Include common vars - name: Include common vars
include_vars: vars/common.yml ansible.builtin.include_vars: vars/common.yml
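Review bot: The `when` on the setup task compares two lists for equality, `ansible_facts.keys() | list | intersect(__sshd_required_facts) == __sshd_required_facts`, which is order-sensitive; if `intersect` returns its items in set order (the Ansible implementation does for hashable items), the comparison can be false even when every required fact is present, causing a needless fact-gathering run. An order-independent form is `when: __sshd_required_facts | difference(ansible_facts.keys() | list) | length > 0`. Writing it as a `>-` folded scalar would also avoid the implicit multi-line plain scalar spanning the two lines.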


@ -1,9 +1,9 @@
--- ---
- name: Set common variables and ensure basic facts are gathered - name: Set common variables and ensure basic facts are gathered
include_tasks: set_common_vars.yml ansible.builtin.include_tasks: set_common_vars.yml
- name: Set platform/version specific variables - name: Set platform/version specific variables
include_tasks: variables.yml ansible.builtin.include_tasks: variables.yml
- name: Execute the actual role tasks - name: Execute the actual role tasks
include_tasks: install.yml ansible.builtin.include_tasks: install.yml


@ -1,9 +1,9 @@
--- ---
- name: Set common vars - name: Set common vars
include_vars: vars/common.yml ansible.builtin.include_vars: vars/common.yml
- name: Set OS dependent variables - name: Set OS dependent variables
include_vars: "{{ lookup('first_found', params) }}" ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars: vars:
ansible_distribution_lts_offset: >- ansible_distribution_lts_offset: >-
{{ {{


@ -1,9 +1,9 @@
--- ---
- name: Setup - name: Setup
include_tasks: setup.yml ansible.builtin.include_tasks: setup.yml
- name: Create a temporary directory for backup files - name: Create a temporary directory for backup files
tempfile: ansible.builtin.tempfile:
state: directory state: directory
register: __sshd_test_backup register: __sshd_test_backup
changed_when: false changed_when: false
@ -11,7 +11,7 @@
- sshd_test_backup_skip is not defined - sshd_test_backup_skip is not defined
- name: Backup files - name: Backup files
shell: | ansible.builtin.shell: |
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
fi fi
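Review bot: The `Backup files` shell script starts straight at the pipefail probe with no `set -eu`, unlike the equivalent scripts in handlers/main.yml and tests/tasks/restore.yml, so a failed copy does not abort the task and a later restore could act on an incomplete backup. Add `set -eu` as the first line of the block scalar, before `if set -o | grep pipefail ...`. The script body continues outside the hunk, so this assumes no later `set -e` is present.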


@ -1,6 +1,6 @@
--- ---
- name: Restore backed up files and remove what was not present - name: Restore backed up files and remove what was not present
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -17,7 +17,7 @@
- __sshd_test_backup.path is defined - __sshd_test_backup.path is defined
- name: Remove temporary directory for backup files - name: Remove temporary directory for backup files
file: ansible.builtin.file:
path: "{{ __sshd_test_backup.path }}" path: "{{ __sshd_test_backup.path }}"
state: absent state: absent
changed_when: false changed_when: false
@ -26,13 +26,13 @@
- __sshd_test_backup.path is defined - __sshd_test_backup.path is defined
- name: Include common variables - name: Include common variables
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
tasks_from: set_common_vars.yml tasks_from: set_common_vars.yml
public: true public: true
- name: Restart sshd service - name: Restart sshd service
service: ansible.builtin.service:
name: sshd name: sshd
state: reloaded state: reloaded
changed_when: false changed_when: false
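Review bot: The `Restart sshd service` task hard-codes `name: sshd` although the preceding `include_role` with `public: true` exists precisely to expose the role's variables, and the role itself reloads `{{ sshd_service }}`; on Debian-family hosts the unit is `ssh` and `sshd` only resolves through an alias, which is absent when the unit is not enabled. Prefer `name: "{{ sshd_service }}"` so the test follows the same service name the role uses. Whether `sshd_service` is set by set_common_vars.yml or only by variables.yml is not visible here — confirm before relying on it.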


@ -1,11 +1,11 @@
--- ---
- name: Make sure openssh is installed before creating backup - name: Make sure openssh is installed before creating backup
package: ansible.builtin.package:
name: openssh-server name: openssh-server
state: present state: present
- name: Make sure openssh has runtime directory on debian - name: Make sure openssh has runtime directory on debian
file: ansible.builtin.file:
path: /run/sshd path: /run/sshd
state: directory state: directory
owner: root owner: root
@ -15,13 +15,13 @@
- ansible_facts['os_family'] == 'Debian' - ansible_facts['os_family'] == 'Debian'
- name: Define common variables - name: Define common variables
set_fact: ansible.builtin.set_fact:
main_sshd_config: /etc/ssh/sshd_config main_sshd_config: /etc/ssh/sshd_config
main_sshd_config_name: sshd_config main_sshd_config_name: sshd_config
main_sshd_config_path: /etc/ssh/ main_sshd_config_path: /etc/ssh/
- name: Define specific variables - name: Define specific variables
set_fact: ansible.builtin.set_fact:
main_sshd_config: /etc/ssh/sshd_config.d/00-ansible_system_role.conf main_sshd_config: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
main_sshd_config_name: 00-ansible_system_role.conf main_sshd_config_name: 00-ansible_system_role.conf
main_sshd_config_path: /etc/ssh/sshd_config.d/ main_sshd_config_path: /etc/ssh/sshd_config.d/


@ -9,14 +9,14 @@
- /tmp/ssh_host_ecdsa_key - /tmp/ssh_host_ecdsa_key
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Ensure group 'nobody' exists - name: Ensure group 'nobody' exists
group: ansible.builtin.group:
name: nobody name: nobody
- name: Ensure the user 'nobody' exists - name: Ensure the user 'nobody' exists
user: ansible.builtin.user:
name: nobody name: nobody
group: nobody group: nobody
comment: nobody comment: nobody
@ -24,7 +24,7 @@
shell: /sbin/nologin shell: /sbin/nologin
- name: Configure alternative sshd_config file - name: Configure alternative sshd_config file
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# just anything -- will not get processed by sshd # just anything -- will not get processed by sshd
@ -36,10 +36,10 @@
AcceptEnv: LANG AcceptEnv: LANG
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes256-ctr Ciphers: aes256-ctr
sshd_Compression: no sshd_Compression: no # noqa var-naming
- name: Configure second alternative sshd_config file - name: Configure second alternative sshd_config file
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# just anything -- will not get processed by sshd # just anything -- will not get processed by sshd
@ -48,10 +48,10 @@
sshd: sshd:
Banner: /etc/issue2 Banner: /etc/issue2
Ciphers: aes128-ctr Ciphers: aes128-ctr
sshd_MaxStartups: 100 sshd_MaxStartups: 100 # noqa var-naming
- name: Now configure the main sshd_config file - name: Now configure the main sshd_config file
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
@ -60,34 +60,35 @@
Ciphers: aes192-ctr Ciphers: aes192-ctr
HostKey: HostKey:
- /tmp/ssh_host_ecdsa_key - /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no sshd_PasswordAuthentication: no # noqa var-naming
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom src: /etc/ssh/sshd_config_custom
register: config register: config
- name: Get stat of the configuration file - name: Get stat of the configuration file
stat: ansible.builtin.stat:
path: /etc/ssh/sshd_config_custom path: /etc/ssh/sshd_config_custom
register: config_stat register: config_stat
- name: Print second configuration file - name: Print second configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom_second src: /etc/ssh/sshd_config_custom_second
register: config2 register: config2
- name: Print the main configuration file - name: Print the main configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config3 register: config3
- name: Check content of first configuration file - name: Check content of first configuration file
assert: ansible.builtin.assert:
that: that:
- "'AcceptEnv LANG' in config.content | b64decode" - "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode"
@ -95,7 +96,7 @@
- "'Compression no' in config.content | b64decode" - "'Compression no' in config.content | b64decode"
- name: Check Fedora/RHEL9+ defaults are present in the first configuration file - name: Check Fedora/RHEL9+ defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -104,7 +105,7 @@
- ansible_facts['distribution_major_version']|int > 8 - ansible_facts['distribution_major_version']|int > 8
- name: Check RHEL7 and RHEL8 defaults are present in the first configuration file - name: Check RHEL7 and RHEL8 defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'X11Forwarding yes' in config.content | b64decode" - "'X11Forwarding yes' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -115,7 +116,7 @@
- ansible_facts['distribution_major_version']|int < 9 - ansible_facts['distribution_major_version']|int < 9
- name: Check RHEL6 defaults are present in the first configuration file - name: Check RHEL6 defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'Protocol 2' in config.content | b64decode" - "'Protocol 2' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
@ -124,7 +125,7 @@
- ansible_facts['distribution_major_version'] == '6' - ansible_facts['distribution_major_version'] == '6'
- name: Check Debian defaults are present in the first configuration file - name: Check Debian defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'PrintMotd no' in config.content | b64decode" - "'PrintMotd no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
@ -133,7 +134,7 @@
- ansible_facts['distribution_major_version']|int < 22 - ansible_facts['distribution_major_version']|int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file - name: Check Ubuntu 22 defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode" - "'KbdInteractiveAuthentication no' in config.content | b64decode"
@ -143,7 +144,7 @@
- ansible_facts['distribution_major_version']|int >= 22 - ansible_facts['distribution_major_version']|int >= 22
- name: Check content of second configuration file - name: Check content of second configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/issue2' in config2.content | b64decode" - "'Banner /etc/issue2' in config2.content | b64decode"
- "'Ciphers aes128-ctr' in config2.content | b64decode" - "'Ciphers aes128-ctr' in config2.content | b64decode"
@ -152,7 +153,7 @@
- "'Compression no' not in config2.content | b64decode" - "'Compression no' not in config2.content | b64decode"
- name: Check content of the main configuration file - name: Check content of the main configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/issue' in config3.content | b64decode" - "'Banner /etc/issue' in config3.content | b64decode"
- "'Ciphers aes192-ctr' in config3.content | b64decode" - "'Ciphers aes192-ctr' in config3.content | b64decode"
@ -162,7 +163,7 @@
- "'Compression no' not in config3.content | b64decode" - "'Compression no' not in config3.content | b64decode"
- name: Check the main configuration file contains some default values for RHEL 9 or Fedora - name: Check the main configuration file contains some default values for RHEL 9 or Fedora
assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode"
@ -172,7 +173,7 @@
- ansible_facts['distribution_major_version']|int > 8 - ansible_facts['distribution_major_version']|int > 8
- name: Check the generated config has requested properties - name: Check the generated config has requested properties
assert: ansible.builtin.assert:
that: that:
- config_stat.stat.exists - config_stat.stat.exists
- config_stat.stat.gr_name == 'nobody' - config_stat.stat.gr_name == 'nobody'
@ -181,4 +182,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml
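Review bot: The values `sshd_Compression: no` and `sshd_PasswordAuthentication: no` remain unquoted, so YAML parses them as boolean `false` rather than the sshd keyword `no`; the later assertions expect `Compression no` in the rendered file, which suggests the template converts booleans back, but the intent would be explicit and yamllint's `truthy` rule satisfied with `sshd_Compression: "no" # noqa var-naming` and `sshd_PasswordAuthentication: "no" # noqa var-naming`. The same unquoted values appear in tests_alternative_file_ordering.yml in this commit.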


@ -9,14 +9,14 @@
- /tmp/ssh_host_ecdsa_key - /tmp/ssh_host_ecdsa_key
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Ensure group 'nobody' exists - name: Ensure group 'nobody' exists
group: ansible.builtin.group:
name: nobody name: nobody
- name: Ensure the user 'nobody' exists - name: Ensure the user 'nobody' exists
user: ansible.builtin.user:
name: nobody name: nobody
group: nobody group: nobody
comment: nobody comment: nobody
@ -37,7 +37,7 @@
AcceptEnv: LANG AcceptEnv: LANG
Banner: /etc/issue Banner: /etc/issue
Ciphers: aes256-ctr Ciphers: aes256-ctr
sshd_Compression: no sshd_Compression: no # noqa var-naming
# Configure second alternative sshd_config file # Configure second alternative sshd_config file
- hosts: all - hosts: all
@ -50,7 +50,7 @@
sshd: sshd:
Banner: /etc/issue2 Banner: /etc/issue2
Ciphers: aes128-ctr Ciphers: aes128-ctr
sshd_MaxStartups: 100 sshd_MaxStartups: 100 # noqa var-naming
# Now configure the main sshd_config file # Now configure the main sshd_config file
- hosts: all - hosts: all
@ -63,7 +63,7 @@
Ciphers: aes192-ctr Ciphers: aes192-ctr
HostKey: HostKey:
- /tmp/ssh_host_ecdsa_key - /tmp/ssh_host_ecdsa_key
sshd_PasswordAuthentication: no sshd_PasswordAuthentication: no # noqa var-naming
- hosts: all - hosts: all
vars: vars:
@ -78,30 +78,31 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom src: /etc/ssh/sshd_config_custom
register: config register: config
- name: Get stat of the configuration file - name: Get stat of the configuration file
stat: ansible.builtin.stat:
path: /etc/ssh/sshd_config_custom path: /etc/ssh/sshd_config_custom
register: config_stat register: config_stat
- name: Print second configuration file - name: Print second configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config_custom_second src: /etc/ssh/sshd_config_custom_second
register: config2 register: config2
- name: Print the main configuration file - name: Print the main configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config3 register: config3
- name: Check content of first configuration file - name: Check content of first configuration file
assert: ansible.builtin.assert:
that: that:
- "'AcceptEnv LANG' in config.content | b64decode" - "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode"
@ -109,7 +110,7 @@
- "'Compression no' in config.content | b64decode" - "'Compression no' in config.content | b64decode"
- name: Check Fedora/RHEL9+ defaults are present in the first configuration file - name: Check Fedora/RHEL9+ defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -118,7 +119,7 @@
- ansible_facts['distribution_major_version']|int > 8 - ansible_facts['distribution_major_version']|int > 8
- name: Check RHEL7 and RHEL8 defaults are present in the first configuration file - name: Check RHEL7 and RHEL8 defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'X11Forwarding yes' in config.content | b64decode" - "'X11Forwarding yes' in config.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode"
@ -129,7 +130,7 @@
- ansible_facts['distribution_major_version']|int < 9 - ansible_facts['distribution_major_version']|int < 9
- name: Check RHEL6 defaults are present in the first configuration file - name: Check RHEL6 defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'Protocol 2' in config.content | b64decode" - "'Protocol 2' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
@ -138,7 +139,7 @@
- ansible_facts['distribution_major_version'] == '6' - ansible_facts['distribution_major_version'] == '6'
- name: Check Debian defaults are present in the first configuration file - name: Check Debian defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'PrintMotd no' in config.content | b64decode" - "'PrintMotd no' in config.content | b64decode"
- "'UsePAM yes' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode"
@ -147,7 +148,7 @@
- ansible_facts['distribution_major_version']|int < 22 - ansible_facts['distribution_major_version']|int < 22
- name: Check Ubuntu 22 defaults are present in the first configuration file - name: Check Ubuntu 22 defaults are present in the first configuration file
assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'KbdInteractiveAuthentication no' in config.content | b64decode" - "'KbdInteractiveAuthentication no' in config.content | b64decode"
@ -158,7 +159,7 @@
- name: Check content of second configuration file - name: Check content of second configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/issue2' in config2.content | b64decode" - "'Banner /etc/issue2' in config2.content | b64decode"
- "'Ciphers aes128-ctr' in config2.content | b64decode" - "'Ciphers aes128-ctr' in config2.content | b64decode"
@ -167,7 +168,7 @@
- "'Compression no' not in config2.content | b64decode" - "'Compression no' not in config2.content | b64decode"
- name: Check content of the main configuration file - name: Check content of the main configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/issue' in config3.content | b64decode" - "'Banner /etc/issue' in config3.content | b64decode"
- "'Ciphers aes192-ctr' in config3.content | b64decode" - "'Ciphers aes192-ctr' in config3.content | b64decode"
@ -177,7 +178,7 @@
- "'Compression no' not in config3.content | b64decode" - "'Compression no' not in config3.content | b64decode"
- name: Check the main configuration file contains some default values for RHEL 9 or Fedora - name: Check the main configuration file contains some default values for RHEL 9 or Fedora
assert: ansible.builtin.assert:
that: that:
- "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode"
- "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode"
@ -187,7 +188,7 @@
- ansible_facts['distribution_major_version']|int > 8 - ansible_facts['distribution_major_version']|int > 8
- name: Check the generated config has requested properties - name: Check the generated config has requested properties
assert: ansible.builtin.assert:
that: that:
- config_stat.stat.exists - config_stat.stat.exists
- config_stat.stat.gr_name == 'nobody' - config_stat.stat.gr_name == 'nobody'
@ -196,4 +197,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -6,50 +6,50 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: Backup configuration files - name: Backup configuration files
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Find old backups files - name: Find old backups files
find: ansible.builtin.find:
paths: "{{ main_sshd_config_path }}" paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config_name }}.*@*~" patterns: "{{ main_sshd_config_name }}.*@*~"
register: backup_files register: backup_files
- name: Remove old backup files - name: Remove old backup files
file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: absent state: absent
with_items: "{{ backup_files.files }}" with_items: "{{ backup_files.files }}"
- name: Configure sshd without creating backup - name: Configure sshd without creating backup
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_backup: false sshd_backup: false
- name: Find new backups files - name: Find new backups files
find: ansible.builtin.find:
paths: "{{ main_sshd_config_path }}" paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config_name }}.*@*~" patterns: "{{ main_sshd_config_name }}.*@*~"
register: no_backup register: no_backup
- name: Configure sshd again with different configuration and with backup - name: Configure sshd again with different configuration and with backup
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_Banner: /tmp/banner sshd_Banner: /tmp/banner # noqa var-naming
register: second_run register: second_run
- name: Find new backups files - name: Find new backups files
find: ansible.builtin.find:
paths: "{{ main_sshd_config_path }}" paths: "{{ main_sshd_config_path }}"
patterns: "{{ main_sshd_config_name }}.*@*~" patterns: "{{ main_sshd_config_name }}.*@*~"
register: new_backup register: new_backup
- name: Verify the backup was not done in the first attempt, but in the second one - name: Verify the backup was not done in the first attempt, but in the second one
assert: ansible.builtin.assert:
that: that:
- no_backup.files == [] - no_backup.files == []
- new_backup.files != [] - new_backup.files != []
- name: Restore configuration files - name: Restore configuration files
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml
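Review bot: `register: second_run` on the "Configure sshd again with different configuration and with backup" `ansible.builtin.include_role` task is never read by any later task in this playbook, and as far as I can tell `register` on an include_role task does not collect the included role's task results, so the line is dead; drop it, or if the intent was to detect whether the second run changed anything, register a task inside the role or compare the `find` results as the following assert already does. The "Remove old backup files" loop could also use the `loop:` keyword instead of `with_items`, e.g. `loop: "{{ backup_files.files }}"`, which is the form current ansible-lint releases steer towards. The `find`/`file: state: absent` pair deletes anything in the sshd config directory matching the backup glob, which is fine for a throwaway test host but worth a one-line comment saying so.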

View file

@ -7,10 +7,10 @@
- /etc/ssh/ssh_host_rsa_key.pub - /etc/ssh/ssh_host_rsa_key.pub
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Add configuration block to default configuration file - name: Add configuration block to default configuration file
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
@ -23,7 +23,7 @@
AllowAgentForwarding: no AllowAgentForwarding: no
- name: Add second configuration block to default configuration file - name: Add second configuration block to default configuration file
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
@ -37,15 +37,16 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config register: config
- name: List effective configuration using sshd -T (matching) - name: List effective configuration using sshd -T (matching) # noqa no-changed-when
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -56,12 +57,12 @@
sshd -T -Cuser=root,host=localhost,addr=127.0.0.1 sshd -T -Cuser=root,host=localhost,addr=127.0.0.1
register: runtime register: runtime
- name: List effective configuration using sshd -T (non-matching) - name: List effective configuration using sshd -T (non-matching) # noqa no-changed-when
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
register: nonmatching register: nonmatching
- name: Check content of configuration file (blocks) - name: Check content of configuration file (blocks)
assert: ansible.builtin.assert:
that: that:
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')" - "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')" - "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
@ -69,7 +70,7 @@
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6' - ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
- name: Check content of configuration file (blocks for RHEL 6) - name: Check content of configuration file (blocks for RHEL 6)
assert: ansible.builtin.assert:
that: that:
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')" - "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')" - "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
@ -78,7 +79,7 @@
- ansible_facts['distribution_major_version'] == '6' - ansible_facts['distribution_major_version'] == '6'
- name: Check content of configuration file - name: Check content of configuration file
assert: ansible.builtin.assert:
that: that:
- "'PermitRootLogin yes' in config.content | b64decode" - "'PermitRootLogin yes' in config.content | b64decode"
- "'PasswordAuthentication yes' in config.content | b64decode" - "'PasswordAuthentication yes' in config.content | b64decode"
@ -93,7 +94,7 @@
- name: Check the configuration values are effective - name: Check the configuration values are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'permitrootlogin yes' in runtime.stdout" - "'permitrootlogin yes' in runtime.stdout"
- "'allowagentforwarding no' in runtime.stdout" - "'allowagentforwarding no' in runtime.stdout"
@ -102,7 +103,7 @@
- name: Check the configuration values are not effective for non-matching connection - name: Check the configuration values are not effective for non-matching connection
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'permitrootlogin yes' in runtime.stdout" - "'permitrootlogin yes' in runtime.stdout"
- "'allowAgentforwarding no' not in nonmatching.stdout" - "'allowAgentforwarding no' not in nonmatching.stdout"
@ -111,4 +112,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml
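Review bot: The "Check the configuration values are not effective for non-matching connection" assert checks `runtime.stdout` (the matching run) instead of `nonmatching.stdout`, and its negative check looks for `'allowAgentforwarding no'` with a capital A, which the all-lowercase `sshd -T` output can never contain, so that assertion passes vacuously; change the two lines to `- "'permitrootlogin yes' in nonmatching.stdout"` and `- "'allowagentforwarding no' not in nonmatching.stdout"`. In the same section, the shell preamble of the matching `sshd -T` run reads `grep pipefail 2>&1 /dev/null`, which passes `/dev/null` to grep as its input file so the pipefail branch is never taken; `grep -q pipefail` (or `grep pipefail >/dev/null 2>&1`) is what was meant. The enclosing `block:` with the `tests::verify` tag starts before the hunk, so I could not check whether other assertions in it reuse the wrong register.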

View file

@ -6,7 +6,7 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- hosts: all - hosts: all
roles: roles:
@ -19,4 +19,4 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml

View file

@ -6,11 +6,11 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: "Configure sshd" - name: "Configure sshd"
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml

View file

@ -9,33 +9,34 @@
- /etc/system-fips - /etc/system-fips
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Run the role with default parameters without FIPS mode - name: Run the role with default parameters without FIPS mode
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Get stat of private key - name: Get stat of private key
stat: ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key path: /etc/ssh/ssh_host_ed25519_key
register: privkey register: privkey
- name: Get stat of public key - name: Get stat of public key
stat: ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key.pub path: /etc/ssh/ssh_host_ed25519_key.pub
register: pubkey register: pubkey
- name: Check the key is in configuration file (without include) - name: Check the key is in configuration file (without include)
assert: ansible.builtin.assert:
that: that:
- "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode" - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode"
when: when:
@ -43,7 +44,7 @@
- ansible_facts['distribution_major_version']|int < 9 - ansible_facts['distribution_major_version']|int < 9
- name: Check host key was generated - name: Check host key was generated
assert: ansible.builtin.assert:
that: that:
- privkey.stat.exists - privkey.stat.exists
- pubkey.stat.exists - pubkey.stat.exists
@ -55,22 +56,24 @@
- name: Fake FIPS mode - name: Fake FIPS mode
block: block:
- name: Create temporary directory - name: Create temporary directory
tempfile: ansible.builtin.tempfile:
state: directory state: directory
register: fips_directory register: fips_directory
- name: Create a /etc/system-fips - name: Create a /etc/system-fips
copy: ansible.builtin.copy:
dest: /etc/system-fips dest: /etc/system-fips
content: userspace fips content: userspace fips
mode: "0644"
- name: Create a fips_enabled file - name: Create a fips_enabled file
copy: ansible.builtin.copy:
dest: "{{ fips_directory.path }}/fips_enabled" dest: "{{ fips_directory.path }}/fips_enabled"
content: 1 content: 1
mode: "0644"
- name: Bind mount the file where we need it - name: Bind mount the file where we need it
mount: ansible.builtin.mount:
path: /proc/sys/crypto/fips_enabled path: /proc/sys/crypto/fips_enabled
src: "{{ fips_directory.path }}/fips_enabled" src: "{{ fips_directory.path }}/fips_enabled"
opts: bind opts: bind
@ -79,47 +82,48 @@
failed_when: false failed_when: false
- name: Remove the Ed25519 hostkey - name: Remove the Ed25519 hostkey
file: ansible.builtin.file:
path: path:
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key
state: absent state: absent
- name: Remove the Ed25519 pubkey - name: Remove the Ed25519 pubkey
file: ansible.builtin.file:
path: path:
/etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ed25519_key.pub
state: absent state: absent
- name: Run the role with default parameters - name: Run the role with default parameters
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Get stat of private key - name: Get stat of private key
stat: ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key path: /etc/ssh/ssh_host_ed25519_key
register: privkey register: privkey
- name: Get stat of public key - name: Get stat of public key
stat: ansible.builtin.stat:
path: /etc/ssh/ssh_host_ed25519_key.pub path: /etc/ssh/ssh_host_ed25519_key.pub
register: pubkey register: pubkey
- name: Check the key is not in configuration file - name: Check the key is not in configuration file
assert: ansible.builtin.assert:
that: that:
- "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode" - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode"
- name: Check no host key was generated - name: Check no host key was generated
assert: ansible.builtin.assert:
that: that:
- not privkey.stat.exists - not privkey.stat.exists
- not pubkey.stat.exists - not pubkey.stat.exists
@ -137,9 +141,9 @@
failed_when: false failed_when: false
- name: Remove the temporary directory - name: Remove the temporary directory
file: ansible.builtin.file:
path: "{{ fips_directory.path }}" path: "{{ fips_directory.path }}"
state: absent state: absent
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml
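Review bot: If the `failed_when: false` at the top of the `@ -79,47` hunk belongs to the "Bind mount the file where we need it" task (the mount task's trailing keys fall between the two hunks, so I cannot be certain), then a bind mount that fails — unprivileged container, read-only `/proc` — is silently ignored and the "Run the role with default parameters" step executes against a host that is not in fake FIPS mode, surfacing later as a confusing `HostKey ... not in configuration file` assertion failure rather than as a setup error. Register the mount result and assert that `/proc/sys/crypto/fips_enabled` really reads `1` before running the role, as below. Minor: `content: 1` for the fake flag is a YAML int that the copy module stringifies; `content: "1"` says what is meant.
```yaml
- name: Bind mount the file where we need it
  ansible.builtin.mount:
    path: /proc/sys/crypto/fips_enabled
    src: "{{ fips_directory.path }}/fips_enabled"
    opts: bind
    # … unchanged: remaining mount arguments …
  register: fips_mount
  failed_when: false
- name: Confirm the fake fips_enabled flag is visible
  ansible.builtin.slurp:
    src: /proc/sys/crypto/fips_enabled
  register: fips_flag
- name: Abort if the bind mount did not take effect
  ansible.builtin.assert:
    that:
      - fips_flag.content | b64decode | trim == '1'
    fail_msg: "bind mount of fips_enabled failed: {{ fips_mount.msg | default('') }}"
```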

View file

@ -7,12 +7,12 @@
- /tmp/missing_ssh_host_rsa_key - /tmp/missing_ssh_host_rsa_key
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with missing host keys and prevent their creation - name: Configure sshd with missing host keys and prevent their creation
block: block:
- name: Configure missing hostkey - name: Configure missing hostkey
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_verify_hostkeys: [] sshd_verify_hostkeys: []
@ -22,12 +22,12 @@
register: role_result register: role_result
- name: unreachable task - name: unreachable task
fail: ansible.builtin.fail:
msg: UNREACH msg: UNREACH
rescue: rescue:
- name: Check that we failed in the role - name: Check that we failed in the role
assert: ansible.builtin.assert:
that: that:
- ansible_failed_result.msg != 'UNREACH' - ansible_failed_result.msg != 'UNREACH'
- not role_result.changed - not role_result.changed
@ -38,7 +38,7 @@
tags: tests::verify tags: tests::verify
- name: Make sure the key was not created - name: Make sure the key was not created
file: ansible.builtin.file:
path: /tmp/missing_ssh_host_rsa_key path: /tmp/missing_ssh_host_rsa_key
state: absent state: absent
register: key register: key
@ -46,7 +46,7 @@
tags: tests::verify tags: tests::verify
- name: Make sure service is still running - name: Make sure service is still running
service: ansible.builtin.service:
name: sshd name: sshd
state: started state: started
register: result register: result
@ -56,4 +56,4 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml

View file

@ -7,19 +7,19 @@
- /tmp/ssh_host_rsa_key2 - /tmp/ssh_host_rsa_key2
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove host key before the test - name: Remove host key before the test
file: ansible.builtin.file:
path: /tmp/ssh_host_rsa_key2 path: /tmp/ssh_host_rsa_key2
state: absent state: absent
- name: Ensure group 'nobody' exists - name: Ensure group 'nobody' exists
group: ansible.builtin.group:
name: nobody name: nobody
- name: Ensure the user 'nobody' exists - name: Ensure the user 'nobody' exists
user: ansible.builtin.user:
name: nobody name: nobody
group: nobody group: nobody
comment: nobody comment: nobody
@ -47,34 +47,35 @@
- /tmp/ssh_host_rsa_key2 - /tmp/ssh_host_rsa_key2
tasks: tasks:
- name: Setup variables - name: Setup variables
include_tasks: tasks/setup.yml ansible.builtin.include_tasks: tasks/setup.yml
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush metadata
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Get stat of private key - name: Get stat of private key
stat: ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2 path: /tmp/ssh_host_rsa_key2
register: privkey register: privkey
- name: Get stat of public key - name: Get stat of public key
stat: ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2.pub path: /tmp/ssh_host_rsa_key2.pub
register: pubkey register: pubkey
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
- name: Check the generated host key has requested properties - name: Check the generated host key has requested properties
assert: ansible.builtin.assert:
that: that:
- privkey.stat.exists - privkey.stat.exists
- privkey.stat.gr_name == 'nobody' - privkey.stat.gr_name == 'nobody'
@ -84,4 +85,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml
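Review bot: The newly named meta task is called `Flush metadata` but it runs `ansible.builtin.meta: flush_handlers`, which flushes pending handlers (the sshd reload) rather than any metadata, and the other test playbooks touched by this commit name the same task `Flush handlers`; use `- name: Flush handlers` so the name says what the task does and stays consistent across the suite. Separately, the "Ensure the user 'nobody' exists" task visibly sets only `name`, `group` and `comment`; unless the lines beyond the hunk add `system: true`, `create_home: false` and a nologin `shell`, the `user` module defaults would create a regular login account with a home directory for `nobody` on hosts where it does not already exist, which is more than a key-ownership fixture needs.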

View file

@ -7,15 +7,15 @@
- /tmp/ssh_host_rsa_key - /tmp/ssh_host_rsa_key
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove host key before the test - name: Remove host key before the test
file: ansible.builtin.file:
path: /tmp/ssh_host_rsa_key path: /tmp/ssh_host_rsa_key
state: absent state: absent
- name: Configure sshd - name: Configure sshd # noqa var-naming
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
@ -28,27 +28,28 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush metadata
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T - name: List effective configuration using sshd -T # noqa no-changed-when
command: sshd -T ansible.builtin.command: sshd -T
register: runtime register: runtime
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the sshd_* values are effective in runtime - name: Check the sshd_* values are effective in runtime
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'banner /etc/good-issue' in runtime.stdout" - "'banner /etc/good-issue' in runtime.stdout"
- "'ciphers aes128-ctr' in runtime.stdout" - "'ciphers aes128-ctr' in runtime.stdout"
- "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/good-issue' in config.content | b64decode" - "'Banner /etc/good-issue' in config.content | b64decode"
- "'Ciphers aes128-ctr' in config.content | b64decode" - "'Ciphers aes128-ctr' in config.content | b64decode"
@ -56,4 +57,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml