Fix various linting issues

This commit is contained in:
Matt Willsher 2022-06-05 08:54:56 +01:00
parent b9c5db54b6
commit af7230cf29
12 changed files with 108 additions and 89 deletions


@ -45,7 +45,7 @@
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config register: config
- name: List effective configuration using sshd -T (matching) # noqa no-changed-when - name: List effective configuration using sshd -T (matching)
ansible.builtin.shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
@ -56,10 +56,12 @@
fi fi
sshd -T -Cuser=root,host=localhost,addr=127.0.0.1 sshd -T -Cuser=root,host=localhost,addr=127.0.0.1
register: runtime register: runtime
changed_when: false
- name: List effective configuration using sshd -T (non-matching) # noqa no-changed-when - name: List effective configuration using sshd -T (non-matching)
ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
register: nonmatching register: nonmatching
changed_when: false
- name: Check content of configuration file (blocks) - name: Check content of configuration file (blocks)
ansible.builtin.assert: ansible.builtin.assert:
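Review bot: The pipefail probe in the first hunk's shell block, `if set -o | grep pipefail 2>&1 /dev/null ; then`, never succeeds, because `/dev/null` is passed to grep as a file operand while `2>&1` is only a redirection, so grep reads the empty file instead of the piped `set -o` output, exits 1, and the `set -o pipefail` branch is skipped. Any pipeline that follows in the script (its body continues outside the hunk) therefore only reports the exit status of its last command, which can mask a failing `sshd -T`. The line should read `if set -o | grep pipefail >/dev/null 2>&1 ; then` (or `grep -q pipefail`). The same probe line appears unchanged in the later sections with the `shell: |` blocks for "Show effective configuration before running role", "Print effective configuration" and both "Evaluate sysconfig similarly as systemd" tasks, and the commit leaves all of them as they were.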


@ -7,19 +7,19 @@
- /tmp/ssh_host_rsa_key2 - /tmp/ssh_host_rsa_key2
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove host key before the test - name: Remove host key before the test
file: ansible.builtin.file:
path: /tmp/ssh_host_rsa_key2 path: /tmp/ssh_host_rsa_key2
state: absent state: absent
- name: Ensure group 'nobody' exists - name: Ensure group 'nobody' exists
group: ansible.builtin.group:
name: nobody name: nobody
- name: Ensure the user 'nobody' exists - name: Ensure the user 'nobody' exists
user: ansible.builtin.user:
name: nobody name: nobody
group: nobody group: nobody
comment: nobody comment: nobody
@ -27,7 +27,7 @@
shell: /sbin/nologin shell: /sbin/nologin
- name: Configure sshd with alternative host keys - name: Configure sshd with alternative host keys
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# very BAD example # very BAD example
@ -40,30 +40,31 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Get stat of private key - name: Get stat of private key
stat: ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2 path: /tmp/ssh_host_rsa_key2
register: privkey register: privkey
- name: Get stat of public key - name: Get stat of public key
stat: ansible.builtin.stat:
path: /tmp/ssh_host_rsa_key2.pub path: /tmp/ssh_host_rsa_key2.pub
register: pubkey register: pubkey
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode"
- name: Check the generated host key has requested properties - name: Check the generated host key has requested properties
assert: ansible.builtin.assert:
that: that:
- privkey.stat.exists - privkey.stat.exists
- privkey.stat.gr_name == 'nobody' - privkey.stat.gr_name == 'nobody'
@ -73,4 +74,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -7,10 +7,10 @@
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Remove include directory from the main config file - name: Remove include directory from the main config file
lineinfile: ansible.builtin.lineinfile:
path: "/etc/ssh/sshd_config" path: "/etc/ssh/sshd_config"
regexp: "^Include" regexp: "^Include"
state: absent state: absent
@ -19,7 +19,7 @@
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22) (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22)
- name: Create a new configuration in drop-in directory - name: Create a new configuration in drop-in directory
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
@ -32,20 +32,21 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print drop-in configuration file - name: Print drop-in configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
register: config register: config
- name: Print the main configuration file - name: Print the main configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config_main register: config_main
- name: Check content of drop-in configuration file - name: Check content of drop-in configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/include-issue' in config.content | b64decode" - "'Banner /etc/include-issue' in config.content | b64decode"
- "'Ciphers aes192-ctr' in config.content | b64decode" - "'Ciphers aes192-ctr' in config.content | b64decode"
@ -54,20 +55,20 @@
- "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode" - "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode"
- name: Check common content of the main configuration file - name: Check common content of the main configuration file
assert: ansible.builtin.assert:
that: that:
- "'Banner /etc/include-issue' not in config_main.content | b64decode" - "'Banner /etc/include-issue' not in config_main.content | b64decode"
- "'Ciphers aes192-ctr' not in config_main.content | b64decode" - "'Ciphers aes192-ctr' not in config_main.content | b64decode"
- "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode"
- name: Check RHEL content of the main configuration file - name: Check RHEL content of the main configuration file
assert: ansible.builtin.assert:
that: that:
- "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode" - "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode"
when: ansible_facts['os_family'] == 'RedHat' when: ansible_facts['os_family'] == 'RedHat'
- name: Check Ubuntu content of the main configuration file - name: Check Ubuntu content of the main configuration file
assert: ansible.builtin.assert:
that: that:
- "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode" - "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode"
when: ansible_facts['os_family'] == 'Ubuntu' when: ansible_facts['os_family'] == 'Ubuntu'
@ -79,4 +80,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with simple config options - name: Configure sshd with simple config options
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
@ -21,15 +21,16 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the options are correctly indented in configuration file - name: Check the options are correctly indented in configuration file
assert: ansible.builtin.assert:
that: that:
- "config.content | b64decode | regex_search('^PasswordAuthentication yes$', multiline=True)" - "config.content | b64decode | regex_search('^PasswordAuthentication yes$', multiline=True)"
- "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)" - "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)"
@ -38,4 +39,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# For Fedora containers, we need to make sure we have keys for sshd -T below # For Fedora containers, we need to make sure we have keys for sshd -T below
@ -35,32 +35,37 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T for xusers - name: List effective configuration using sshd -T for xusers
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
register: xusers_effective register: xusers_effective
changed_when: false
- name: List effective configuration using sshd -T for bot - name: List effective configuration using sshd -T for bot
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
register: bot_effective register: bot_effective
changed_when: false
- name: List effective configuration using sshd -T for sftponly - name: List effective configuration using sshd -T for sftponly
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
register: sftponly_effective register: sftponly_effective
changed_when: false
- name: List effective configuration using sshd -T for root - name: List effective configuration using sshd -T for root
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
register: root_effective register: root_effective
changed_when: false
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the options are effective - name: Check the options are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'x11forwarding yes' in xusers_effective.stdout" - "'x11forwarding yes' in xusers_effective.stdout"
- "'banner /tmp/xusers-banner' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
@ -72,7 +77,7 @@
- "'allowtcpforwarding yes' in root_effective.stdout" - "'allowtcpforwarding yes' in root_effective.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'Match User xusers' in config.content | b64decode" - "'Match User xusers' in config.content | b64decode"
- "'Match User bot' in config.content | b64decode" - "'Match User bot' in config.content | b64decode"
@ -81,4 +86,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
# For Fedora containers, we need to make sure we have keys for sshd -T below # For Fedora containers, we need to make sure we have keys for sshd -T below
@ -33,32 +33,37 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T for xusers - name: List effective configuration using sshd -T for xusers
command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
register: xusers_effective register: xusers_effective
changed_when: false
- name: List effective configuration using sshd -T for bot - name: List effective configuration using sshd -T for bot
command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
register: bot_effective register: bot_effective
changed_when: false
- name: List effective configuration using sshd -T for sftponly - name: List effective configuration using sshd -T for sftponly
command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
register: sftponly_effective register: sftponly_effective
changed_when: false
- name: List effective configuration using sshd -T for root - name: List effective configuration using sshd -T for root
command: sshd -T -C user=root,addr=127.0.0.1,host=example.com ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
register: root_effective register: root_effective
changed_when: false
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- name: Check the options are effective - name: Check the options are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'x11forwarding yes' in xusers_effective.stdout" - "'x11forwarding yes' in xusers_effective.stdout"
- "'banner /tmp/xusers-banner' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
@ -70,7 +75,7 @@
- "'allowtcpforwarding yes' in root_effective.stdout" - "'allowtcpforwarding yes' in root_effective.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'Match User xusers' in config.content | b64decode" - "'Match User xusers' in config.content | b64decode"
- "'Match User bot' in config.content | b64decode" - "'Match User bot' in config.content | b64decode"
@ -79,4 +84,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -9,10 +9,10 @@
tasks: tasks:
- name: Backup configuration files - name: Backup configuration files
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Show effective configuration before running role (system defaults) - name: Show effective configuration before running role (system defaults)
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -25,16 +25,16 @@
changed_when: false changed_when: false
- name: Configure sshd - name: Configure sshd
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
- name: Show effective configuration after running role (role defaults) - name: Show effective configuration after running role (role defaults)
command: sshd -T ansible.builtin.command: sshd -T
register: runtime_after register: runtime_after
changed_when: false changed_when: false
- name: Check that the effective configuration did not change from OS defaults - name: Check that the effective configuration did not change from OS defaults
assert: ansible.builtin.assert:
that: that:
- runtime_before.stdout == runtime_after.stdout - runtime_before.stdout == runtime_after.stdout
when: when:
@ -42,4 +42,4 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Restore configuration files - name: Restore configuration files
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -31,9 +31,10 @@
- name: Flush metadata - name: Flush metadata
ansible.builtin.meta: flush_handlers ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T # noqa no-changed-when - name: List effective configuration using sshd -T
ansible.builtin.command: sshd -T ansible.builtin.command: sshd -T
register: runtime register: runtime
changed_when: false
- name: Print current configuration file - name: Print current configuration file
ansible.builtin.slurp: ansible.builtin.slurp:


@ -6,10 +6,10 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
@ -21,20 +21,22 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: List effective configuration using sshd -T - name: List effective configuration using sshd -T
command: sshd -T ansible.builtin.command: sshd -T
register: runtime register: runtime
changed_when: false
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config register: config
- name: Check the options are effective - name: Check the options are effective
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'acceptenv LANG' in runtime.stdout" - "'acceptenv LANG' in runtime.stdout"
- "'banner /etc/issue' in runtime.stdout" - "'banner /etc/issue' in runtime.stdout"
@ -42,7 +44,7 @@
- "'subsystem sftp internal-sftp' in runtime.stdout" - "'subsystem sftp internal-sftp' in runtime.stdout"
- name: Check the options are in configuration file - name: Check the options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'AcceptEnv LANG' in config.content | b64decode" - "'AcceptEnv LANG' in config.content | b64decode"
- "'Banner /etc/issue' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode"
@ -51,4 +53,4 @@
tags: tests::verify tags: tests::verify
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -6,12 +6,12 @@
- /etc/ssh/sshd_config.d/00-ansible_system_role.conf - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with uncommon options, making sure it keeps running - name: Configure sshd with uncommon options, making sure it keeps running
block: block:
- name: Configure ssh with unsupported options - name: Configure ssh with unsupported options
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd: sshd:
@ -39,11 +39,11 @@
register: role_result register: role_result
- name: unreachable task - name: unreachable task
fail: ansible.builtin.fail:
msg: UNREACH msg: UNREACH
rescue: rescue:
- name: Check that we failed in the role - name: Check that we failed in the role
assert: ansible.builtin.assert:
that: that:
- ansible_failed_result.msg != 'UNREACH' - ansible_failed_result.msg != 'UNREACH'
- not role_result.changed - not role_result.changed
@ -52,7 +52,7 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Make sure service is still running - name: Make sure service is still running
service: ansible.builtin.service:
name: sshd name: sshd
state: started state: started
register: result register: result
@ -62,4 +62,4 @@
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml


@ -8,10 +8,10 @@
- /etc/ssh/ssh_host_rsa_key.pub - /etc/ssh/ssh_host_rsa_key.pub
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd with the role disabled - name: Configure sshd with the role disabled
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_enable: false sshd_enable: false
@ -22,12 +22,12 @@
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
register: config register: config
- name: Print effective configuration - name: Print effective configuration
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -41,7 +41,7 @@
- name: Check the options were not applied - name: Check the options were not applied
# note, the options are in lower-case here # note, the options are in lower-case here
assert: ansible.builtin.assert:
that: that:
- "'Acceptenv XDG_*' not in config.content | b64decode" - "'Acceptenv XDG_*' not in config.content | b64decode"
- "'Banner /etc/issue' not in config.content | b64decode" - "'Banner /etc/issue' not in config.content | b64decode"
@ -51,4 +51,4 @@
- "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout" - "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout"
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml
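Review bot: The "Check the options were not applied" assertion in the third hunk tests `'Acceptenv XDG_*' not in config.content | b64decode`, but the sshd_config keyword is `AcceptEnv` (the other test file in this commit checks `'AcceptEnv LANG'` with that spelling), and Jinja's `in` is case-sensitive, so this negative assertion passes even if the role did write the option, meaning the "role disabled" test does not actually verify what its name says. It should read `- "'AcceptEnv XDG_*' not in config.content | b64decode"`. The assert task's remaining conditions continue outside the hunk, so whether any of them covers the same line with the correct spelling cannot be seen here.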


@ -7,10 +7,10 @@
- /etc/sysconfig/sshd - /etc/sysconfig/sshd
tasks: tasks:
- name: "Backup configuration files" - name: "Backup configuration files"
include_tasks: tasks/backup.yml ansible.builtin.include_tasks: tasks/backup.yml
- name: Configure sshd - name: Configure sshd
include_role: ansible.builtin.include_role:
name: ansible-sshd name: ansible-sshd
vars: vars:
sshd_sysconfig: true sshd_sysconfig: true
@ -19,15 +19,16 @@
- name: Verify the options are correctly set - name: Verify the options are correctly set
block: block:
- meta: flush_handlers - name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Print current configuration file - name: Print current configuration file
slurp: ansible.builtin.slurp:
src: /etc/sysconfig/sshd src: /etc/sysconfig/sshd
register: config register: config
- name: Evaluate sysconfig similarly as systemd - name: Evaluate sysconfig similarly as systemd
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -39,7 +40,7 @@
changed_when: false changed_when: false
- name: Evaluate sysconfig similarly as systemd on RHEL 8 - name: Evaluate sysconfig similarly as systemd on RHEL 8
shell: | ansible.builtin.shell: |
set -eu set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail set -o pipefail
@ -55,7 +56,7 @@
- ansible_facts['distribution_major_version'] == "8" - ansible_facts['distribution_major_version'] == "8"
- name: Check the crypto policies is overridden in RHEL 8 - name: Check the crypto policies is overridden in RHEL 8
assert: ansible.builtin.assert:
that: that:
- "'CRYPTO_POLICY=' in config.content | b64decode" - "'CRYPTO_POLICY=' in config.content | b64decode"
# these are string variants in default configuration file # these are string variants in default configuration file
@ -66,7 +67,7 @@
- ansible_facts['distribution_major_version'] == "8" - ansible_facts['distribution_major_version'] == "8"
- name: Check the RNG options are in configuration file - name: Check the RNG options are in configuration file
assert: ansible.builtin.assert:
that: that:
- "'SSH_USE_STRONG_RNG=32' in config.content | b64decode" - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode"
# these are string variants in default configuration file # these are string variants in default configuration file
@ -80,4 +81,4 @@
- ansible_facts['distribution_major_version']|int < 9 - ansible_facts['distribution_major_version']|int < 9
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml ansible.builtin.include_tasks: tasks/restore.yml