diff --git a/.ansible-lint b/.ansible-lint index 7476db5..3627a03 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,6 +1,4 @@ warn_list: # or 'skip_list' to silence them completely - - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - '306' # Shells that use pipes should set the pipefail option - - 'fqcn-builtins' # this is not compatible with ansible 2.6 on RHEL6 exclude_paths: - tests/roles/ diff --git a/.github/workflows/ansible-centos-check.yml b/.github/workflows/ansible-centos-check.yml index d172f9e..9b48300 100644 --- a/.github/workflows/ansible-centos-check.yml +++ b/.github/workflows/ansible-centos-check.yml @@ -11,6 +11,7 @@ jobs: # Workaround missing support for end_host in old ansible - run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml" - run: "sed -i -e 's/.*public: true//' tests/tasks/restore.yml" + - run: "sed -i -e 's/ansible.builtin.//g' */*.yml */*/*.yml" - name: ansible check with centos 6 uses: roles-ansible/check-ansible-centos-centos6-action@master diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d561167..09dc6cd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,14 +1,14 @@ --- repos: - repo: https://github.com/adrienverge/yamllint.git - rev: v1.24.2 + rev: v1.26.3 hooks: - id: yamllint files: \.(yaml|yml)$ types: [file, yaml] entry: yamllint --strict - repo: https://github.com/ansible/ansible-lint.git - rev: v4.3.5 + rev: v6.2.2 hooks: - id: ansible-lint files: \.(yaml|yml)$ diff --git a/README.md b/README.md index 958a776..3d8bd59 100644 --- a/README.md +++ b/README.md @@ -219,7 +219,8 @@ the above list. ### Secondary role variables These variables are used by the role internals and can be used to override the -defaults that correspond to each supported platform. +defaults that correspond to each supported platform. They are not tested and +generally are not needed as the role will determine them from the OS type. * `sshd_packages` 
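Review bot: The surviving `'306'` entry in warn_list is a legacy numeric rule id, while the `.pre-commit-config.yaml` hunk in this same commit moves ansible-lint from v4.3.5 to v6.2.2, where rules are addressed by name (this one is `risky-shell-pipe`); confirm that version still honours numeric ids, otherwise the entry silently stops matching and the rule is reported at full severity. The same question applies to `# noqa 303` on the systemctl task in the tasks/install_service.yml hunk, whose v6 name is `command-instead-of-module`. If numeric ids are no longer accepted, the entry becomes `- 'risky-shell-pipe'  # Shells that use pipes should set the pipefail option`.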
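Review bot: The new sed expression `'s/ansible.builtin.//g'` leaves the dots unescaped, so they act as regex wildcards and the pattern is slightly broader than the literal prefix it is meant to strip; `'s/ansible\.builtin\.//g'` states the intent exactly. The ordering is right as it stands: the `meta: end_host` substitution on the line above now yields `ansible.builtin.assert:`, which this step then reduces to `assert:`. Like the two `run:` steps before it the step has no `name:`; a short `name: Strip FQCN prefixes for the old ansible on CentOS 6` would make the CI log self-explanatory.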
diff --git a/handlers/main.yml b/handlers/main.yml index 11e7770..bb9d8d6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Reload the SSH service - service: + ansible.builtin.service: name: "{{ sshd_service }}" state: reloaded when: @@ -16,7 +16,7 @@ # Instead, use a dirty shell script: # https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6 - name: Reload sshd Service (AIX) - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail diff --git a/meta/main.yml b/meta/main.yml index 0ee0184..f459eca 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,10 +1,11 @@ --- galaxy_info: + role_name: sshd author: Matt Willsher description: OpenSSH SSH daemon configuration company: Willsher Systems license: LGPLv3 - min_ansible_version: 2.9 + min_ansible_version: "2.10" platforms: - name: Debian versions: @@ -23,23 +24,23 @@ galaxy_info: - jammy - name: FreeBSD version: - - 10.1 + - "10.1" - name: EL versions: - - 6 - - 7 - - 8 - - 9 + - "6" + - "7" + - "8" + - "9" - name: Fedora versions: - all - name: OpenBSD versions: - - 6.0 + - "6.0" - name: AIX versions: - - 7.1 - - 7.2 + - "7.1" + - "7.2" galaxy_tags: - networking - system diff --git a/tasks/check_fips.yml b/tasks/check_fips.yml index ca0ba10..3f417d8 100644 --- a/tasks/check_fips.yml +++ b/tasks/check_fips.yml @@ -1,12 +1,12 @@ --- - name: Check the kernel FIPS mode - slurp: + ansible.builtin.slurp: src: /proc/sys/crypto/fips_enabled register: __sshd_kernel_fips_mode failed_when: false - name: Check the userspace FIPS mode - slurp: + ansible.builtin.slurp: src: /etc/system-fips register: __sshd_userspace_fips_mode failed_when: false diff --git a/tasks/install.yml b/tasks/install.yml index 56d8943..f822130 100644 --- a/tasks/install.yml +++ b/tasks/install.yml 
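Review bot: The shell snippet kept as context in the second handlers/main.yml hunk never enables pipefail: in `if set -o | grep pipefail 2>&1 /dev/null ; then`, `2>&1` is consumed as a redirection and `/dev/null` becomes grep's file operand, so grep searches an empty file instead of the piped `set -o` output and the condition is always false. The intended form is `if set -o | grep pipefail >/dev/null 2>&1 ; then`. The same line recurs in the shell tasks touched in tasks/install.yml, tests/tasks/backup.yml, tests/tasks/restore.yml and tests/tests_config_namespace.yml; fixing it everywhere would also resolve the `'306'` warning that .ansible-lint still carries. The handler body continues outside the hunk.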
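Review bot: The FreeBSD entry in the meta/main.yml platforms hunk uses `version:` where every other platform uses `versions:`; as far as I know Galaxy only reads the plural key, so the `"10.1"` this commit quotes is most likely never seen. Change the context line to `versions:` while the block is being touched. The quoting itself is correct, since `10.1`, `6.0` and `7.2` would otherwise load as floats, and `"2.10"` for min_ansible_version avoids the same `2.1` collapse.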
@@ -1,16 +1,16 @@ --- - name: OS is supported - meta: end_host + ansible.builtin.meta: end_host when: - not __sshd_os_supported|bool - name: Install ssh packages - package: + ansible.builtin.package: name: "{{ sshd_packages }}" state: present - name: Sysconfig configuration - template: + ansible.builtin.template: src: sysconfig.j2 dest: "/etc/sysconfig/sshd" owner: "root" @@ -23,7 +23,7 @@ notify: reload_sshd - name: Check FIPS mode - include_tasks: check_fips.yml + ansible.builtin.include_tasks: check_fips.yml when: - __sshd_hostkeys_nofips | d([]) @@ -70,7 +70,7 @@ {% endif %} block: - name: Make sure hostkeys are available - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -85,7 +85,7 @@ changed_when: false - name: Make sure private hostkeys have expected permissions - file: + ansible.builtin.file: path: "{{ item }}" owner: "{{ sshd_hostkey_owner }}" group: "{{ sshd_hostkey_group }}" @@ -97,7 +97,7 @@ <<: *share_vars block: - name: Create a temporary hostkey for syntax verification if needed - tempfile: + ansible.builtin.tempfile: state: directory register: sshd_test_hostkey changed_when: false @@ -105,13 +105,13 @@ - __sshd_hostkeys_from_config | from_json == [] - name: Generate temporary hostkey - command: > + ansible.builtin.command: > ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N '' changed_when: false when: sshd_test_hostkey.path is defined - name: Make sure sshd runtime directory is present - file: + ansible.builtin.file: path: "{{ __sshd_runtime_directory }}" state: directory owner: root 
@@ -121,29 +121,29 @@ - __sshd_runtime_directory | d(false) - name: Create the complete configuration file - include_tasks: install_config.yml + ansible.builtin.include_tasks: install_config.yml when: sshd_config_namespace is none - name: Update configuration file snippet - include_tasks: install_namespace.yml + ansible.builtin.include_tasks: install_namespace.yml when: sshd_config_namespace is not none rescue: - name: re-raise the error - fail: + ansible.builtin.fail: msg: "{{ ansible_failed_result }}" always: - name: Remove temporary host keys - file: + ansible.builtin.file: path: "{{ sshd_test_hostkey.path }}" state: absent changed_when: false when: sshd_test_hostkey.path is defined - name: Install and start systemd service - include_tasks: install_service.yml + ansible.builtin.include_tasks: install_service.yml - name: Register that this role has run - set_fact: + ansible.builtin.set_fact: sshd_has_run: true when: sshd_has_run is not defined diff --git a/tasks/install_config.yml b/tasks/install_config.yml index 4f4fca9..fd222c7 100644 --- a/tasks/install_config.yml +++ b/tasks/install_config.yml @@ -1,6 +1,6 @@ --- - name: Create the complete configuration file - template: + ansible.builtin.template: src: sshd_config.j2 dest: "{{ sshd_config_file }}" owner: "{{ sshd_config_owner }}" @@ -16,7 +16,7 @@ notify: reload_sshd - name: Make sure the include path is present in the main sshd_config - lineinfile: + ansible.builtin.lineinfile: insertbefore: BOF line: "Include {{ __sshd_defaults['Include'] }}" path: "{{ __sshd_main_config_file }}" diff --git a/tasks/install_namespace.yml b/tasks/install_namespace.yml index b8c2ade..08ef319 100644 --- a/tasks/install_namespace.yml +++ b/tasks/install_namespace.yml @@ -2,7 +2,7 @@ - name: Update configuration file snippet vars: sshd_skip_defaults: true - blockinfile: + ansible.builtin.blockinfile: path: "{{ sshd_config_file }}" owner: "{{ sshd_config_owner }}" group: "{{ sshd_config_group }}" 
diff --git a/tasks/install_service.yml b/tasks/install_service.yml index ead7701..2d042ea 100644 --- a/tasks/install_service.yml +++ b/tasks/install_service.yml @@ -2,7 +2,7 @@ - name: Install systemd service files block: - name: Install service unit file - template: + ansible.builtin.template: src: "{{ sshd_service_template_service }}" dest: "/etc/systemd/system/{{ sshd_service }}.service" owner: root @@ -10,7 +10,7 @@ mode: "0644" notify: reload_sshd - name: Install instanced service unit file - template: + ansible.builtin.template: src: "{{ sshd_service_template_at_service }}" dest: "/etc/systemd/system/{{ sshd_service }}@.service" owner: root @@ -18,7 +18,7 @@ mode: "0644" notify: reload_sshd - name: Install socket unit file - template: + ansible.builtin.template: src: "{{ sshd_service_template_socket }}" dest: "/etc/systemd/system/{{ sshd_service }}.socket" owner: root @@ -28,7 +28,7 @@ when: sshd_install_service|bool - name: Service enabled and running - service: + ansible.builtin.service: name: "{{ sshd_service }}" enabled: true state: started @@ -39,7 +39,7 @@ # Due to ansible bug 21026, cannot use service module on RHEL 7 - name: Enable service in chroot - command: systemctl enable {{ sshd_service }} # noqa 303 + ansible.builtin.command: systemctl enable {{ sshd_service }} # noqa 303 when: - ansible_connection == 'chroot' - ansible_os_family == 'RedHat' diff --git a/tasks/main.yml b/tasks/main.yml index 54b708e..787f016 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,4 @@ --- -- include_tasks: sshd.yml +- ansible.builtin.include_tasks: sshd.yml when: sshd_enable|bool diff --git a/tasks/set_common_vars.yml b/tasks/set_common_vars.yml index 56de4fe..6ce34d3 100644 --- a/tasks/set_common_vars.yml +++ b/tasks/set_common_vars.yml 
@@ -1,9 +1,9 @@ --- - name: Ensure ansible_facts used by role - setup: + ansible.builtin.setup: gather_subset: min when: not ansible_facts.keys() | list | intersect(__sshd_required_facts) == __sshd_required_facts - name: Include common vars - include_vars: vars/common.yml + ansible.builtin.include_vars: vars/common.yml diff --git a/tasks/sshd.yml b/tasks/sshd.yml index e946313..7f96072 100644 --- a/tasks/sshd.yml +++ b/tasks/sshd.yml @@ -1,9 +1,9 @@ --- - name: Set common variables and ensure basic facts are gathered - include_tasks: set_common_vars.yml + ansible.builtin.include_tasks: set_common_vars.yml - name: Set platform/version specific variables - include_tasks: variables.yml + ansible.builtin.include_tasks: variables.yml - name: Execute the actual role tasks - include_tasks: install.yml + ansible.builtin.include_tasks: install.yml diff --git a/tasks/variables.yml b/tasks/variables.yml index 8293d27..7610995 100644 --- a/tasks/variables.yml +++ b/tasks/variables.yml @@ -1,9 +1,9 @@ --- - name: Set common vars - include_vars: vars/common.yml + ansible.builtin.include_vars: vars/common.yml - name: Set OS dependent variables - include_vars: "{{ lookup('first_found', params) }}" + ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" vars: ansible_distribution_lts_offset: >- {{ diff --git a/tests/tasks/backup.yml b/tests/tasks/backup.yml index 8f7004f..f09f7dd 100644 --- a/tests/tasks/backup.yml +++ b/tests/tasks/backup.yml @@ -1,9 +1,9 @@ --- - name: Setup - include_tasks: setup.yml + ansible.builtin.include_tasks: setup.yml - name: Create a temporary directory for backup files - tempfile: + ansible.builtin.tempfile: state: directory register: __sshd_test_backup changed_when: false @@ -11,7 +11,7 @@ - sshd_test_backup_skip is not defined - name: Backup files - shell: | + ansible.builtin.shell: | if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail fi 
diff --git a/tests/tasks/restore.yml b/tests/tasks/restore.yml index 75bb25b..2356167 100644 --- a/tests/tasks/restore.yml +++ b/tests/tasks/restore.yml @@ -1,6 +1,6 @@ --- - name: Restore backed up files and remove what was not present - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -17,7 +17,7 @@ - __sshd_test_backup.path is defined - name: Remove temporary directory for backup files - file: + ansible.builtin.file: path: "{{ __sshd_test_backup.path }}" state: absent changed_when: false @@ -26,13 +26,13 @@ - __sshd_test_backup.path is defined - name: Include common variables - include_role: + ansible.builtin.include_role: name: ansible-sshd tasks_from: set_common_vars.yml public: true - name: Restart sshd service - service: + ansible.builtin.service: name: sshd state: reloaded changed_when: false diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml index e565808..f81d5e5 100644 --- a/tests/tasks/setup.yml +++ b/tests/tasks/setup.yml @@ -1,11 +1,11 @@ --- - name: Make sure openssh is installed before creating backup - package: + ansible.builtin.package: name: openssh-server state: present - name: Make sure openssh has runtime directory on debian - file: + ansible.builtin.file: path: /run/sshd state: directory owner: root @@ -15,13 +15,13 @@ - ansible_facts['os_family'] == 'Debian' - name: Define common variables - set_fact: + ansible.builtin.set_fact: main_sshd_config: /etc/ssh/sshd_config main_sshd_config_name: sshd_config main_sshd_config_path: /etc/ssh/ - name: Define specific variables - set_fact: + ansible.builtin.set_fact: main_sshd_config: /etc/ssh/sshd_config.d/00-ansible_system_role.conf main_sshd_config_name: 00-ansible_system_role.conf main_sshd_config_path: /etc/ssh/sshd_config.d/ diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml index ebf54f5..37f7f4b 100644 --- a/tests/tests_alternative_file.yml +++ b/tests/tests_alternative_file.yml 
@@ -9,14 +9,14 @@ - /tmp/ssh_host_ecdsa_key tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Ensure group 'nobody' exists - group: + ansible.builtin.group: name: nobody - name: Ensure the user 'nobody' exists - user: + ansible.builtin.user: name: nobody group: nobody comment: nobody @@ -24,7 +24,7 @@ shell: /sbin/nologin - name: Configure alternative sshd_config file - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # just anything -- will not get processed by sshd @@ -36,10 +36,10 @@ AcceptEnv: LANG Banner: /etc/issue Ciphers: aes256-ctr - sshd_Compression: no + sshd_Compression: no # noqa var-naming - name: Configure second alternative sshd_config file - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # just anything -- will not get processed by sshd @@ -48,10 +48,10 @@ sshd: Banner: /etc/issue2 Ciphers: aes128-ctr - sshd_MaxStartups: 100 + sshd_MaxStartups: 100 # noqa var-naming - name: Now configure the main sshd_config file - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config 
@@ -60,34 +60,35 @@ Ciphers: aes192-ctr HostKey: - /tmp/ssh_host_ecdsa_key - sshd_PasswordAuthentication: no + sshd_PasswordAuthentication: no # noqa var-naming - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config_custom register: config - name: Get stat of the configuration file - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config_custom register: config_stat - name: Print second configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config_custom_second register: config2 - name: Print the main configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config3 - name: Check content of first configuration file - assert: + ansible.builtin.assert: that: - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode" @@ -95,7 +96,7 @@ - "'Compression no' in config.content | b64decode" - name: Check Fedora/RHEL9+ defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" @@ -104,7 +105,7 @@ - ansible_facts['distribution_major_version']|int > 8 - name: Check RHEL7 and RHEL8 defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'X11Forwarding yes' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" @@ -115,7 +116,7 @@ - ansible_facts['distribution_major_version']|int < 9 - name: Check RHEL6 defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'Protocol 2' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" 
@@ -124,7 +125,7 @@ - ansible_facts['distribution_major_version'] == '6' - name: Check Debian defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'PrintMotd no' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" @@ -133,7 +134,7 @@ - ansible_facts['distribution_major_version']|int < 22 - name: Check Ubuntu 22 defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'KbdInteractiveAuthentication no' in config.content | b64decode" @@ -143,7 +144,7 @@ - ansible_facts['distribution_major_version']|int >= 22 - name: Check content of second configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/issue2' in config2.content | b64decode" - "'Ciphers aes128-ctr' in config2.content | b64decode" @@ -152,7 +153,7 @@ - "'Compression no' not in config2.content | b64decode" - name: Check content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/issue' in config3.content | b64decode" - "'Ciphers aes192-ctr' in config3.content | b64decode" @@ -162,7 +163,7 @@ - "'Compression no' not in config3.content | b64decode" - name: Check the main configuration file contains some default values for RHEL 9 or Fedora - assert: + ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode" @@ -172,7 +173,7 @@ - ansible_facts['distribution_major_version']|int > 8 - name: Check the generated config has requested properties - assert: + ansible.builtin.assert: that: - config_stat.stat.exists - config_stat.stat.gr_name == 'nobody' @@ -181,4 +182,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml 
diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml index dd95b1c..f86bb5a 100644 --- a/tests/tests_alternative_file_role.yml +++ b/tests/tests_alternative_file_role.yml @@ -9,14 +9,14 @@ - /tmp/ssh_host_ecdsa_key tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Ensure group 'nobody' exists - group: + ansible.builtin.group: name: nobody - name: Ensure the user 'nobody' exists - user: + ansible.builtin.user: name: nobody group: nobody comment: nobody @@ -37,7 +37,7 @@ AcceptEnv: LANG Banner: /etc/issue Ciphers: aes256-ctr - sshd_Compression: no + sshd_Compression: no # noqa var-naming # Configure second alternative sshd_config file - hosts: all @@ -50,7 +50,7 @@ sshd: Banner: /etc/issue2 Ciphers: aes128-ctr - sshd_MaxStartups: 100 + sshd_MaxStartups: 100 # noqa var-naming # Now configure the main sshd_config file - hosts: all @@ -63,7 +63,7 @@ Ciphers: aes192-ctr HostKey: - /tmp/ssh_host_ecdsa_key - sshd_PasswordAuthentication: no + sshd_PasswordAuthentication: no # noqa var-naming - hosts: all vars: 
@@ -78,30 +78,31 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config_custom register: config - name: Get stat of the configuration file - stat: + ansible.builtin.stat: path: /etc/ssh/sshd_config_custom register: config_stat - name: Print second configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config_custom_second register: config2 - name: Print the main configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config3 - name: Check content of first configuration file - assert: + ansible.builtin.assert: that: - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode" @@ -109,7 +110,7 @@ - "'Compression no' in config.content | b64decode" - name: Check Fedora/RHEL9+ defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" @@ -118,7 +119,7 @@ - ansible_facts['distribution_major_version']|int > 8 - name: Check RHEL7 and RHEL8 defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'X11Forwarding yes' in config.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config.content | b64decode" @@ -129,7 +130,7 @@ - ansible_facts['distribution_major_version']|int < 9 - name: Check RHEL6 defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'Protocol 2' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" 
@@ -138,7 +139,7 @@ - ansible_facts['distribution_major_version'] == '6' - name: Check Debian defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'PrintMotd no' in config.content | b64decode" - "'UsePAM yes' in config.content | b64decode" @@ -147,7 +148,7 @@ - ansible_facts['distribution_major_version']|int < 22 - name: Check Ubuntu 22 defaults are present in the first configuration file - assert: + ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'KbdInteractiveAuthentication no' in config.content | b64decode" @@ -158,7 +159,7 @@ - name: Check content of second configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/issue2' in config2.content | b64decode" - "'Ciphers aes128-ctr' in config2.content | b64decode" @@ -167,7 +168,7 @@ - "'Compression no' not in config2.content | b64decode" - name: Check content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/issue' in config3.content | b64decode" - "'Ciphers aes192-ctr' in config3.content | b64decode" @@ -177,7 +178,7 @@ - "'Compression no' not in config3.content | b64decode" - name: Check the main configuration file contains some default values for RHEL 9 or Fedora - assert: + ansible.builtin.assert: that: - "'Include /etc/ssh/sshd_config.d/*.conf' in config3.content | b64decode" - "'AuthorizedKeysFile .ssh/authorized_keys' in config3.content | b64decode" @@ -187,7 +188,7 @@ - ansible_facts['distribution_major_version']|int > 8 - name: Check the generated config has requested properties - assert: + ansible.builtin.assert: that: - config_stat.stat.exists - config_stat.stat.gr_name == 'nobody' @@ -196,4 +197,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_backup.yml b/tests/tests_backup.yml index fc39f55..d827097 100644 
--- a/tests/tests_backup.yml +++ b/tests/tests_backup.yml @@ -6,50 +6,50 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: Backup configuration files - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Find old backups files - find: + ansible.builtin.find: paths: "{{ main_sshd_config_path }}" patterns: "{{ main_sshd_config_name }}.*@*~" register: backup_files - name: Remove old backup files - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ backup_files.files }}" - name: Configure sshd without creating backup - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_backup: false - name: Find new backups files - find: + ansible.builtin.find: paths: "{{ main_sshd_config_path }}" patterns: "{{ main_sshd_config_name }}.*@*~" register: no_backup - name: Configure sshd again with different configuration and with backup - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: - sshd_Banner: /tmp/banner + sshd_Banner: /tmp/banner # noqa var-naming register: second_run - name: Find new backups files - find: + ansible.builtin.find: paths: "{{ main_sshd_config_path }}" patterns: "{{ main_sshd_config_name }}.*@*~" register: new_backup - name: Verify the backup was not done in the first attempt, but in the second one - assert: + ansible.builtin.assert: that: - no_backup.files == [] - new_backup.files != [] - name: Restore configuration files - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml index 2eca977..d0e2ac6 100644 --- a/tests/tests_config_namespace.yml +++ b/tests/tests_config_namespace.yml 
@@ -7,10 +7,10 @@ - /etc/ssh/ssh_host_rsa_key.pub tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Add configuration block to default configuration file - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config @@ -23,7 +23,7 @@ AllowAgentForwarding: no - name: Add second configuration block to default configuration file - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config @@ -37,15 +37,16 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config - name: List effective configuration using sshd -T (matching) - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -55,13 +56,15 @@ fi sshd -T -Cuser=root,host=localhost,addr=127.0.0.1 register: runtime + changed_when: false - name: List effective configuration using sshd -T (non-matching) - command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 + ansible.builtin.command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 register: nonmatching + changed_when: false - name: Check content of configuration file (blocks) - assert: + ansible.builtin.assert: that: - "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')" - "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')" 
@@ -69,7 +72,7 @@ - ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6' - name: Check content of configuration file (blocks for RHEL 6) - assert: + ansible.builtin.assert: that: - "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')" - "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')" @@ -78,7 +81,7 @@ - ansible_facts['distribution_major_version'] == '6' - name: Check content of configuration file - assert: + ansible.builtin.assert: that: - "'PermitRootLogin yes' in config.content | b64decode" - "'PasswordAuthentication yes' in config.content | b64decode" @@ -93,7 +96,7 @@ - name: Check the configuration values are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'permitrootlogin yes' in runtime.stdout" - "'allowagentforwarding no' in runtime.stdout" @@ -102,7 +105,7 @@ - name: Check the configuration values are not effective for non-matching connection # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'permitrootlogin yes' in runtime.stdout" - "'allowAgentforwarding no' not in nonmatching.stdout" @@ -111,4 +114,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_default.yml b/tests/tests_default.yml index e9a6631..22feffc 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -6,7 +6,7 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - hosts: all roles: @@ -19,4 +19,4 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml 
diff --git a/tests/tests_default_include.yml b/tests/tests_default_include.yml index 68d6cf3..878f9b8 100644 --- a/tests/tests_default_include.yml +++ b/tests/tests_default_include.yml @@ -6,11 +6,11 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: "Configure sshd" - include_role: + ansible.builtin.include_role: name: ansible-sshd - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_hostkeys.yml b/tests/tests_hostkeys.yml index 6748472..0ec8394 100644 --- a/tests/tests_hostkeys.yml +++ b/tests/tests_hostkeys.yml @@ -7,19 +7,19 @@ - /tmp/ssh_host_rsa_key2 tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Remove host key before the test - file: + ansible.builtin.file: path: /tmp/ssh_host_rsa_key2 state: absent - name: Ensure group 'nobody' exists - group: + ansible.builtin.group: name: nobody - name: Ensure the user 'nobody' exists - user: + ansible.builtin.user: name: nobody group: nobody comment: nobody @@ -27,7 +27,7 @@ shell: /sbin/nologin - name: Configure sshd with alternative host keys - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # very BAD example 
@@ -40,30 +40,31 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key - stat: + ansible.builtin.stat: path: /tmp/ssh_host_rsa_key2 register: privkey - name: Get stat of public key - stat: + ansible.builtin.stat: path: /tmp/ssh_host_rsa_key2.pub register: pubkey - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - name: Check the generated host key has requested properties - assert: + ansible.builtin.assert: that: - privkey.stat.exists - privkey.stat.gr_name == 'nobody' @@ -73,4 +74,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml index e994f85..2c345d3 100644 --- a/tests/tests_hostkeys_fips.yml +++ b/tests/tests_hostkeys_fips.yml 
@@ -9,33 +9,34 @@ - /etc/system-fips tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Run the role with default parameters without FIPS mode - include_role: + ansible.builtin.include_role: name: ansible-sshd - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key register: privkey - name: Get stat of public key - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key.pub register: pubkey - name: Check the key is in configuration file (without include) - assert: + ansible.builtin.assert: that: - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode" when: @@ -43,7 +44,7 @@ - ansible_facts['distribution_major_version']|int < 9 - name: Check host key was generated - assert: + ansible.builtin.assert: that: - privkey.stat.exists - pubkey.stat.exists @@ -55,22 +56,24 @@ - name: Fake FIPS mode block: - name: Create temporary directory - tempfile: + ansible.builtin.tempfile: state: directory register: fips_directory - name: Create a /etc/system-fips - copy: + ansible.builtin.copy: dest: /etc/system-fips content: userspace fips + mode: "0644" - name: Create a fips_enabled file - copy: + ansible.builtin.copy: dest: "{{ fips_directory.path }}/fips_enabled" content: 1 + mode: "0644" - name: Bind mount the file where we need it - mount: + ansible.builtin.mount: path: /proc/sys/crypto/fips_enabled src: "{{ fips_directory.path }}/fips_enabled" opts: bind 
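Review bot: `content: 1` in the fips_enabled copy task of the last hunk is a YAML integer rather than the one-character string the file is meant to contain, so it relies on the copy module stringifying the value; the commit quotes number-like scalars elsewhere (meta/main.yml), and `content: "1"` would be consistent with that. The `mode: "0644"` added to both copy tasks is the right way to state an octal mode and also fixes the previously unspecified permissions on the fake FIPS marker files. `/etc/system-fips` is listed in the backup set at the top of this file, so its removal presumably happens in tests/tasks/restore.yml; I cannot confirm that from this hunk.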
@@ -79,47 +82,48 @@ failed_when: false - name: Remove the Ed25519 hostkey - file: + ansible.builtin.file: path: /etc/ssh/ssh_host_ed25519_key state: absent - name: Remove the Ed25519 pubkey - file: + ansible.builtin.file: path: /etc/ssh/ssh_host_ed25519_key.pub state: absent - name: Run the role with default parameters - include_role: + ansible.builtin.include_role: name: ansible-sshd - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key register: privkey - name: Get stat of public key - stat: + ansible.builtin.stat: path: /etc/ssh/ssh_host_ed25519_key.pub register: pubkey - name: Check the key is not in configuration file - assert: + ansible.builtin.assert: that: - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode" - name: Check no host key was generated - assert: + ansible.builtin.assert: that: - not privkey.stat.exists - not pubkey.stat.exists @@ -137,9 +141,9 @@ failed_when: false - name: Remove the temporary directory - file: + ansible.builtin.file: path: "{{ fips_directory.path }}" state: absent - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_hostkeys_missing.yml b/tests/tests_hostkeys_missing.yml index ad739a4..15d5081 100644 --- a/tests/tests_hostkeys_missing.yml +++ b/tests/tests_hostkeys_missing.yml 
@@ -7,12 +7,12 @@ - /tmp/missing_ssh_host_rsa_key tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with missing host keys and prevent their creation block: - name: Configure missing hostkey - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_verify_hostkeys: [] @@ -22,12 +22,12 @@ register: role_result - name: unreachable task - fail: + ansible.builtin.fail: msg: UNREACH rescue: - name: Check that we failed in the role - assert: + ansible.builtin.assert: that: - ansible_failed_result.msg != 'UNREACH' - not role_result.changed @@ -38,7 +38,7 @@ tags: tests::verify - name: Make sure the key was not created - file: + ansible.builtin.file: path: /tmp/missing_ssh_host_rsa_key state: absent register: key @@ -46,7 +46,7 @@ tags: tests::verify - name: Make sure service is still running - service: + ansible.builtin.service: name: sshd state: started register: result @@ -56,4 +56,4 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_hostkeys_role.yml b/tests/tests_hostkeys_role.yml index e7fabce..ff93378 100644 --- a/tests/tests_hostkeys_role.yml +++ b/tests/tests_hostkeys_role.yml @@ -7,19 +7,19 @@ - /tmp/ssh_host_rsa_key2 tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Remove host key before the test - file: + ansible.builtin.file: path: /tmp/ssh_host_rsa_key2 state: absent - name: Ensure group 'nobody' exists - group: + ansible.builtin.group: name: nobody - name: Ensure the user 'nobody' exists - user: + ansible.builtin.user: name: nobody group: nobody comment: nobody 
@@ -47,34 +47,35 @@ - /tmp/ssh_host_rsa_key2 tasks: - name: Setup variables - include_tasks: tasks/setup.yml + ansible.builtin.include_tasks: tasks/setup.yml - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush metadata + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Get stat of private key - stat: + ansible.builtin.stat: path: /tmp/ssh_host_rsa_key2 register: privkey - name: Get stat of public key - stat: + ansible.builtin.stat: path: /tmp/ssh_host_rsa_key2.pub register: pubkey - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'HostKey /tmp/ssh_host_rsa_key2' in config.content | b64decode" - name: Check the generated host key has requested properties - assert: + ansible.builtin.assert: that: - privkey.stat.exists - privkey.stat.gr_name == 'nobody' @@ -84,4 +85,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_include_present.yml b/tests/tests_include_present.yml index 428308c..69cabc5 100644 --- a/tests/tests_include_present.yml +++ b/tests/tests_include_present.yml @@ -7,10 +7,10 @@ tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Remove include directory from the main config file - lineinfile: + ansible.builtin.lineinfile: path: "/etc/ssh/sshd_config" regexp: "^Include" state: absent @@ -19,7 +19,7 @@ (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version']|int >= 22) - name: Create a new configuration in drop-in directory - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf 
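Review bot: The new task name `Flush metadata` in the verify block does not describe the task — it runs `ansible.builtin.meta: flush_handlers`, which flushes pending handlers — and the sibling test files in this same change name the identical task `Flush handlers`. Rename it for consistency: `- name: Flush handlers`. The verify block continues past the end of this hunk.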
@@ -32,20 +32,21 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print drop-in configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config.d/00-ansible_system_role.conf register: config - name: Print the main configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config_main - name: Check content of drop-in configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/include-issue' in config.content | b64decode" - "'Ciphers aes192-ctr' in config.content | b64decode" @@ -54,20 +55,20 @@ - "'Subsystem sftp /usr/lib/openssh/sftp-server' not in config.content | b64decode" - name: Check common content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/include-issue' not in config_main.content | b64decode" - "'Ciphers aes192-ctr' not in config_main.content | b64decode" - "'Include /etc/ssh/sshd_config.d/*.conf' in config_main.content | b64decode" - name: Check RHEL content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Subsystem sftp /usr/libexec/openssh/sftp-server' in config_main.content | b64decode" when: ansible_facts['os_family'] == 'RedHat' - name: Check Ubuntu content of the main configuration file - assert: + ansible.builtin.assert: that: - "'Subsystem sftp /usr/lib/openssh/sftp-server' in config_main.content | b64decode" when: ansible_facts['os_family'] == 'Ubuntu' @@ -79,4 +80,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_indent.yml b/tests/tests_indent.yml index 0caa2f5..c29f0a4 100644 --- a/tests/tests_indent.yml +++ b/tests/tests_indent.yml 
@@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with simple config options - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd: @@ -21,15 +21,16 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are correctly indented in configuration file - assert: + ansible.builtin.assert: that: - "config.content | b64decode | regex_search('^PasswordAuthentication yes$', multiline=True)" - "config.content | b64decode | regex_search('^PermitRootLogin yes$', multiline=True)" @@ -38,4 +39,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_match.yml b/tests/tests_match.yml index b3d4dde..8ccbefa 100644 --- a/tests/tests_match.yml +++ b/tests/tests_match.yml @@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # For Fedora containers, we need to make sure we have keys for sshd -T below 
@@ -35,32 +35,37 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T for xusers - command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com register: xusers_effective + changed_when: false - name: List effective configuration using sshd -T for bot - command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com register: bot_effective + changed_when: false - name: List effective configuration using sshd -T for sftponly - command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com register: sftponly_effective + changed_when: false - name: List effective configuration using sshd -T for root - command: sshd -T -C user=root,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com register: root_effective + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'x11forwarding yes' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout" @@ -72,7 +77,7 @@ - "'allowtcpforwarding yes' in root_effective.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'Match User xusers' in config.content | b64decode" - "'Match User bot' in config.content | b64decode" @@ -81,4 +86,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml 
diff --git a/tests/tests_match_iterate.yml b/tests/tests_match_iterate.yml index 96664cd..77210ca 100644 --- a/tests/tests_match_iterate.yml +++ b/tests/tests_match_iterate.yml @@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: # For Fedora containers, we need to make sure we have keys for sshd -T below 
@@ -33,32 +33,37 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T for xusers - command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com register: xusers_effective + changed_when: false - name: List effective configuration using sshd -T for bot - command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com register: bot_effective + changed_when: false - name: List effective configuration using sshd -T for sftponly - command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com register: sftponly_effective + changed_when: false - name: List effective configuration using sshd -T for root - command: sshd -T -C user=root,addr=127.0.0.1,host=example.com + ansible.builtin.command: sshd -T -C user=root,addr=127.0.0.1,host=example.com register: root_effective + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the options are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'x11forwarding yes' in xusers_effective.stdout" - "'banner /tmp/xusers-banner' in xusers_effective.stdout" @@ -70,7 +75,7 @@ - "'allowtcpforwarding yes' in root_effective.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'Match User xusers' in config.content | b64decode" - "'Match User bot' in config.content | b64decode" @@ -79,4 +84,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml 
diff --git a/tests/tests_os_defaults.yml b/tests/tests_os_defaults.yml index df66526..3d7e38f 100644 --- a/tests/tests_os_defaults.yml +++ b/tests/tests_os_defaults.yml @@ -9,10 +9,10 @@ tasks: - name: Backup configuration files - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Show effective configuration before running role (system defaults) - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -25,16 +25,16 @@ changed_when: false - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd - name: Show effective configuration after running role (role defaults) - command: sshd -T + ansible.builtin.command: sshd -T register: runtime_after changed_when: false - name: Check that the effective configuration did not change from OS defaults - assert: + ansible.builtin.assert: that: - runtime_before.stdout == runtime_after.stdout when: @@ -42,4 +42,4 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: Restore configuration files - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_precedence.yml b/tests/tests_precedence.yml index 6e482b4..d658acf 100644 --- a/tests/tests_precedence.yml +++ b/tests/tests_precedence.yml @@ -7,15 +7,15 @@ - /tmp/ssh_host_rsa_key tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Remove host key before the test - file: + ansible.builtin.file: path: /tmp/ssh_host_rsa_key state: absent - - name: Configure sshd - include_role: + - name: Configure sshd # noqa var-naming + ansible.builtin.include_role: name: ansible-sshd vars: sshd: 
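Review bot: The pipefail probe in `Show effective configuration before running role (system defaults)` never succeeds: in `set -o | grep pipefail 2>&1 /dev/null`, `/dev/null` is passed to grep as a file operand, so grep reads that file instead of the pipe, always exits 1, and `set -o pipefail` is never enabled. The pipeline that follows (outside this hunk) therefore reports only its last stage's exit status, which is presumably what the probe was meant to prevent. Use `if set -o | grep -q pipefail 2>/dev/null; then`. The same construct recurs in tests_sshd_enable.yml and tests_sysconfig.yml further down in this diff.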
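Review bot: The added `# noqa var-naming` on the `Configure sshd` task suppresses the lint rule without saying what triggers it; the `vars:` block it covers is cut off at the end of this hunk, so a reader cannot tell which name trips the check (presumably one of the role's `sshd` inputs). A short justification next to the marker keeps the suppression auditable, in the form `# noqa var-naming  # <flagged variable> must keep this name: it is the role's public input`. Without it the next person running a newer ansible-lint has no way to judge whether the waiver is still needed.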
@@ -28,27 +28,29 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush metadata + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T - command: sshd -T + ansible.builtin.command: sshd -T register: runtime + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: "{{ main_sshd_config }}" register: config - name: Check the sshd_* values are effective in runtime # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'banner /etc/good-issue' in runtime.stdout" - "'ciphers aes128-ctr' in runtime.stdout" - "'hostkey /tmp/ssh_host_rsa_key' in runtime.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'Banner /etc/good-issue' in config.content | b64decode" - "'Ciphers aes128-ctr' in config.content | b64decode" @@ -56,4 +58,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_set_common.yml b/tests/tests_set_common.yml index 5532a70..373c41e 100644 --- a/tests/tests_set_common.yml +++ b/tests/tests_set_common.yml @@ -6,10 +6,10 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd: 
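Review bot: The task name `Flush metadata` added at the top of the verify block is misleading — the task is `ansible.builtin.meta: flush_handlers`, which flushes handlers, and the other test files in this change call the same task `Flush handlers`. Rename it to match: `- name: Flush handlers`. The rest of the verify block's assertions continue outside this hunk.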
@@ -21,20 +21,22 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: List effective configuration using sshd -T - command: sshd -T + ansible.builtin.command: sshd -T register: runtime + changed_when: false - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config - name: Check the options are effective # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'acceptenv LANG' in runtime.stdout" - "'banner /etc/issue' in runtime.stdout" @@ -42,7 +44,7 @@ - "'subsystem sftp internal-sftp' in runtime.stdout" - name: Check the options are in configuration file - assert: + ansible.builtin.assert: that: - "'AcceptEnv LANG' in config.content | b64decode" - "'Banner /etc/issue' in config.content | b64decode" @@ -51,4 +53,4 @@ tags: tests::verify - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_set_uncommon.yml b/tests/tests_set_uncommon.yml index 0660da4..8f71646 100644 --- a/tests/tests_set_uncommon.yml +++ b/tests/tests_set_uncommon.yml @@ -6,12 +6,12 @@ - /etc/ssh/sshd_config.d/00-ansible_system_role.conf tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with uncommon options, making sure it keeps running block: - name: Configure ssh with unsupported options - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd: @@ -39,11 +39,11 @@ register: role_result - name: unreachable task - fail: + ansible.builtin.fail: msg: UNREACH rescue: - name: Check that we failed in the role - assert: + ansible.builtin.assert: that: - ansible_failed_result.msg != 'UNREACH' - not role_result.changed 
@@ -52,7 +52,7 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: Make sure service is still running - service: + ansible.builtin.service: name: sshd state: started register: result @@ -62,4 +62,4 @@ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_sshd_enable.yml b/tests/tests_sshd_enable.yml index b076f6b..51a90c0 100644 --- a/tests/tests_sshd_enable.yml +++ b/tests/tests_sshd_enable.yml @@ -8,10 +8,10 @@ - /etc/ssh/ssh_host_rsa_key.pub tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd with the role disabled - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_enable: false @@ -22,12 +22,12 @@ sshd_config_file: /etc/ssh/sshd_config - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/ssh/sshd_config register: config - name: Print effective configuration - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -41,7 +41,7 @@ - name: Check the options were not applied # note, the options are in lower-case here - assert: + ansible.builtin.assert: that: - "'Acceptenv XDG_*' not in config.content | b64decode" - "'Banner /etc/issue' not in config.content | b64decode" @@ -51,4 +51,4 @@ - "'ciphers aes256-ctr,aes128-ctr' not in runtime.stdout" - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml diff --git a/tests/tests_sysconfig.yml b/tests/tests_sysconfig.yml index 2f1be0d..19b4703 100644 --- a/tests/tests_sysconfig.yml +++ b/tests/tests_sysconfig.yml 
@@ -7,10 +7,10 @@ - /etc/sysconfig/sshd tasks: - name: "Backup configuration files" - include_tasks: tasks/backup.yml + ansible.builtin.include_tasks: tasks/backup.yml - name: Configure sshd - include_role: + ansible.builtin.include_role: name: ansible-sshd vars: sshd_sysconfig: true @@ -19,15 +19,16 @@ - name: Verify the options are correctly set block: - - meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Print current configuration file - slurp: + ansible.builtin.slurp: src: /etc/sysconfig/sshd register: config - name: Evaluate sysconfig similarly as systemd - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -39,7 +40,7 @@ changed_when: false - name: Evaluate sysconfig similarly as systemd on RHEL 8 - shell: | + ansible.builtin.shell: | set -eu if set -o | grep pipefail 2>&1 /dev/null ; then set -o pipefail @@ -55,7 +56,7 @@ - ansible_facts['distribution_major_version'] == "8" - name: Check the crypto policies is overridden in RHEL 8 - assert: + ansible.builtin.assert: that: - "'CRYPTO_POLICY=' in config.content | b64decode" # these are string variants in default configuration file @@ -66,7 +67,7 @@ - ansible_facts['distribution_major_version'] == "8" - name: Check the RNG options are in configuration file - assert: + ansible.builtin.assert: that: - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode" # these are string variants in default configuration file @@ -80,4 +81,4 @@ - ansible_facts['distribution_major_version']|int < 9 - name: "Restore configuration files" - include_tasks: tasks/restore.yml + ansible.builtin.include_tasks: tasks/restore.yml