diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml
index 2b1c022..d0e2ac6 100644
--- a/tests/tests_config_namespace.yml
+++ b/tests/tests_config_namespace.yml
@@ -45,7 +45,7 @@ src: /etc/ssh/sshd_config register: config - - name: List effective configuration using sshd -T (matching) # noqa no-changed-when + - name: List effective configuration using sshd -T (matching) ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then
@@ -56,10 +56,12 @@ fi sshd -T -Cuser=root,host=localhost,addr=127.0.0.1 register: runtime + changed_when: false - - name: List effective configuration using sshd -T (non-matching) # noqa no-changed-when + - name: List effective configuration using sshd -T (non-matching) ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 register: nonmatching + changed_when: false - name: Check content of configuration file (blocks) ansible.builtin.assert:
diff --git a/tests/tests_hostkeys.yml b/tests/tests_hostkeys.yml
index 6748472..0ec8394 100644
--- a/tests/tests_hostkeys.yml
+++ b/tests/tests_hostkeys.yml
@@ -7,19 +7,19 @@ - /tmp/ssh_host_rsa_key2 tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Remove host key before the test - file: + ansible.builtin.file: path: /tmp/ssh_host_rsa_key2 state: absent - name: Ensure group 'nobody' exists - group: + ansible.builtin.group: name: nobody - name: Ensure the user 'nobody' exists - user: + ansible.builtin.user: name: nobody group: nobody comment: nobody
@@ -27,7 +27,7 @@ shell: /sbin/nologin - name: Configure sshd with alternative host keys - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # very BAD example
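Review bot: The pipefail probe carried as a context line in this hunk, `if set -o | grep pipefail 2>&1 /dev/null ; then`, hands `/dev/null` to grep as a file operand, so grep reads that empty file instead of the piped `set -o` output, never matches, and `set -o pipefail` is never switched on; the `2>&1` also routes grep's stderr to stdout rather than discarding it. The commit only renames the module to `ansible.builtin.shell: |` and keeps the probe as is, so any pipeline in the rest of the block (which continues past the end of this hunk) runs without pipefail even on shells that support it. The intended form is `if set -o | grep pipefail >/dev/null 2>&1 ; then`. The identical probe appears in tests_os_defaults.yml (@@ -9), tests_sshd_enable.yml (@@ -22) and tests_sysconfig.yml (@@ -19 and @@ -39) and would want the same one-line change.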
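Review bot: A point of style in the tests_config_namespace.yml @@ -56 hunk: the "(non-matching)" task runs `sshd -T` through `ansible.builtin.command`, while the sibling "(matching)" task started in the previous hunk goes through `ansible.builtin.shell` with the `set -eu`/pipefail preamble, yet the only command visible after `fi` is the plain `sshd -T -Cuser=root,host=localhost,addr=127.0.0.1`. Unless the four lines between the two hunks add a pipeline, the matching task could use `ansible.builtin.command` like its sibling and drop the shell preamble, which keeps the two probes symmetric and avoids an unneeded shell invocation. The shell task's body starts outside this hunk, so this is inferred from what is visible.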
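Review bot: In the tests_hostkeys.yml @@ -7 hunk, `ansible.builtin.user` for `nobody` with `group: nobody`, `comment: nobody` (and `shell: /sbin/nologin` in the following hunk) does more than the task name "Ensure the user 'nobody' exists" says: the user module converges every attribute it is given, so on a host where `nobody` already exists as a system account with a different primary group, GECOS or shell the test rewrites that account, and it is not visible here whether tasks/restore.yml undoes it. Either state that intent above the task, e.g. `# NOTE: on hosts where 'nobody' pre-exists this also resets its group, comment and shell`, or trim the task to the attribute the verify block actually depends on (`privkey.stat.gr_name == 'nobody'` only needs the group). The user task ends outside this hunk.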
@@ -40,30 +40,31 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key - stat: + ansible.builtin.stat: path: /tmp/ssh_host_rsa_key2 register: privkey - name: Get stat of public key - stat: + ansible.builtin.stat: path: /tmp/ssh_host_rsa_key2.pub register: pubkey - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - name: Check the generated host key has requested properties - assert: + ansible.builtin.assert: that: - privkey.stat.exists - privkey.stat.gr_name == 'nobody'
@@ -73,4 +74,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_include_present.yml b/tests/tests_include_present.yml
index 428308c..69cabc5 100644
--- a/tests/tests_include_present.yml
+++ b/tests/tests_include_present.yml
@@ -7,10 +7,10 @@ tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Remove include directory from the main config file - lineinfile: + ansible.builtin.lineinfile: path: "/etc/ssh/sshd_config" regexp: "^Include" state: absent
@@ -19,7 +19,7 @@ (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22) - name: Create a new configuration in drop-in directory - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
@@ -32,20 +32,21 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print drop-in configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf register: config - name: Print the main configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config_main - name: Check content of drop-in configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/include-issue' in config.content | b64decode" - "'Ciphers aes192-ctr' in config.content | b64decode"
@@ -54,20 +55,20 @@ - "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode" - name: Check common content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/include-issue' not in config_main.content | b64decode" - "'Ciphers aes192-ctr' not in config_main.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode" - name: Check RHEL content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode" when: ansible_facts['os_family'] == 'RedHat' - name: Check Ubuntu content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode" when: ansible_facts['os_family'] == 'Ubuntu'
@@ -79,4 +80,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_indent.yml b/tests/tests_indent.yml
index 0caa2f5..c29f0a4 100644
--- a/tests/tests_indent.yml
+++ b/tests/tests_indent.yml
@@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with simple config options - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd:
@@ -21,15 +21,16 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are correctly indented in configuration file - assert: + ansible.builtin.assert: that: - "config.content | b64decode | regex_search('^PasswordAuthentication yes$', multiline=True)" - "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
@@ -38,4 +39,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_match.yml b/tests/tests_match.yml
index b3d4dde..8ccbefa 100644
--- a/tests/tests_match.yml
+++ b/tests/tests_match.yml
@@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # For Fedora containers, we need to make sure we have keys for sshd -T below
@@ -35,32 +35,37 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T for xusers - command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com register: xusers_effective + changed_when: false - name: List effective configuration using sshd -T for bot - command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com register: bot_effective + changed_when: false - name: List effective configuration using sshd -T for sftponly - command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com register: sftponly_effective + changed_when: false - name: List effective configuration using sshd -T for root - command: sshd -T -C user=root,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com register: root_effective + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'x11forwarding yes' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
@@ -72,7 +77,7 @@ - "'allowtcpforwarding yes' in root_effective.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'Match User xusers' in config.content | b64decode" - "'Match User bot' in config.content | b64decode"
@@ -81,4 +86,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_match_iterate.yml b/tests/tests_match_iterate.yml
index 96664cd..77210ca 100644
--- a/tests/tests_match_iterate.yml
+++ b/tests/tests_match_iterate.yml
@@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # For Fedora containers, we need to make sure we have keys for sshd -T below
@@ -33,32 +33,37 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T for xusers - command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com register: xusers_effective + changed_when: false - name: List effective configuration using sshd -T for bot - command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com register: bot_effective + changed_when: false - name: List effective configuration using sshd -T for sftponly - command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com register: sftponly_effective + changed_when: false - name: List effective configuration using sshd -T for root - command: sshd -T -C user=root,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com register: root_effective + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'x11forwarding yes' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
@@ -70,7 +75,7 @@ - "'allowtcpforwarding yes' in root_effective.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'Match User xusers' in config.content | b64decode" - "'Match User bot' in config.content | b64decode"
@@ -79,4 +84,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_os_defaults.yml b/tests/tests_os_defaults.yml
index df66526..3d7e38f 100644
--- a/tests/tests_os_defaults.yml
+++ b/tests/tests_os_defaults.yml
@@ -9,10 +9,10 @@ tasks: - name: Backup configuration files - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Show effective configuration before running role (system defaults) - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail
@@ -25,16 +25,16 @@ changed_when: false - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd - name: Show effective configuration after running role (role defaults) - command: sshd -T + ansible.builtin.command: sshd -T register: runtime_after changed_when: false - name: Check that the effective configuration did not change from OS defaults - assert: + ansible.builtin.assert: that: - runtime_before.stdout == runtime_after.stdout when:
@@ -42,4 +42,4 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: Restore configuration files - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_precedence.yml b/tests/tests_precedence.yml
index 13a5907..d658acf 100644
--- a/tests/tests_precedence.yml
+++ b/tests/tests_precedence.yml
@@ -31,9 +31,10 @@ - name: Flush metadata ansible.builtin.meta: flush_handlers - - name: List effective configuration using sshd -T # noqa no-changed-when + - name: List effective configuration using sshd -T ansible.builtin.command: sshd -T register: runtime + changed_when: false - name: Print current configuration file ansible.builtin.slurp:
diff --git a/tests/tests_set_common.yml b/tests/tests_set_common.yml
index 5532a70..373c41e 100644
--- a/tests/tests_set_common.yml
+++ b/tests/tests_set_common.yml
@@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd:
@@ -21,20 +21,22 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T - command: sshd -T + ansible.builtin.command: sshd -T register: runtime + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config - name: Check the options are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'acceptenv LANG' in runtime.stdout" - "'banner /etc/issue' in runtime.stdout"
@@ -42,7 +44,7 @@ - "'subsystem sftp internal-sftp' in runtime.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode"
@@ -51,4 +53,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_set_uncommon.yml b/tests/tests_set_uncommon.yml
index 0660da4..8f71646 100644
--- a/tests/tests_set_uncommon.yml
+++ b/tests/tests_set_uncommon.yml
@@ -6,12 +6,12 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with uncommon options, making sure it keeps running block: - name: Configure ssh with unsupported options - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd:
@@ -39,11 +39,11 @@ register: role_result - name: unreachable task - fail: + ansible.builtin.fail: msg: UNREACH rescue: - name: Check that we failed in the role - assert: + ansible.builtin.assert: that: - ansible_failed_result.msg != 'UNREACH' - not role_result.changed
@@ -52,7 +52,7 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: Make sure service is still running - service: + ansible.builtin.service: name: sshd state: started register: result
@@ -62,4 +62,4 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_sshd_enable.yml b/tests/tests_sshd_enable.yml
index b076f6b..51a90c0 100644
--- a/tests/tests_sshd_enable.yml
+++ b/tests/tests_sshd_enable.yml
@@ -8,10 +8,10 @@ - /etc/ssh/ssh_host_rsa_key.pub tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with the role disabled - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_enable: false
@@ -22,12 +22,12 @@ sshd_config_file: /etc/ssh/sshd_config - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config - name: Print effective configuration - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail
@@ -41,7 +41,7 @@ - name: Check the options were not applied # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'Acceptenv XDG_*' not in config.content | b64decode" - "'Banner /etc/issue' not in config.content | b64decode"
@@ -51,4 +51,4 @@ - "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout" - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml
diff --git a/tests/tests_sysconfig.yml b/tests/tests_sysconfig.yml
index 2f1be0d..19b4703 100644
--- a/tests/tests_sysconfig.yml
+++ b/tests/tests_sysconfig.yml
@@ -7,10 +7,10 @@ - /etc/sysconfig/sshd tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_sysconfig: true
@@ -19,15 +19,16 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/sysconfig/sshd register: config - name: Evaluate sysconfig similarly as systemd - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail
@@ -39,7 +40,7 @@ changed_when: false - name: Evaluate sysconfig similarly as systemd on RHEL 8 - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail
@@ -55,7 +56,7 @@ - ansible_facts['distribution_major_version'] == "8" - name: Check the crypto policies is overridden in RHEL 8 - assert: + ansible.builtin.assert: that: - "'CRYPTO_POLICY=' in config.content | b64decode" # these are string variants in default configuration file
@@ -66,7 +67,7 @@ - ansible_facts['distribution_major_version'] == "8" - name: Check the RNG options are in configuration file - assert: + ansible.builtin.assert: that: - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode" # these are string variants in default configuration file
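Review bot: In the tests_sysconfig.yml @@ -55 hunk the assertion `'CRYPTO_POLICY=' in config.content | b64decode` is a plain substring test, so a commented-out `# CRYPTO_POLICY=` line satisfies it just as well as a real override — and, as far as I recall, the stock RHEL 8 /etc/sysconfig/sshd ships exactly that commented line, so the check may pass without the role having written anything; the `'SSH_USE_STRONG_RNG=32'` assertion in the @@ -66 hunk has the same shape. The assertions following the `# these are string variants` comment fall outside the hunk and may already rule that case out; if they do not, an anchored check such as `config.content | b64decode | regex_search('^CRYPTO_POLICY=', multiline=True)`, the pattern tests_indent.yml already uses for sshd options, would make the test fail when the override is genuinely missing.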
@@ -80,4 +81,4 @@ - ansible_facts['distribution_major_version']|int < 9 - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml