Commit graph

108 commits

Author SHA1 Message Date
Jakub Jelen
d10f2ada11
fix: use quote with command, shell and validate with variable (#298)
* robustness: quote test backup/restore file names

This avoids issues if file names are not safepaths.

* security: use quote with command, shell and validate with variable

Skip quotation only if variable is checked.

Add test suite to exercise some quote use cases.

* robustness: fail if systemd.unit could have something in need of quote

Ensure systemd.unit contents are robust. This disables the possibility to
have something that needs to be quoted there. But as ansible lacks a
proper way to quote systemd unit files (see man systemd.syntax, rules
are not shell rules), it is better to fail such configs. If you are
trying to do that, you are doing it wrong anyway or have malicious
intent.

Also ensure similar issue with sysctl.conf.

The issue can be seen with `tests_hostkeys_unsafe_path.yml`, when adding the
following to role params:

       sshd_install_service: true
       sshd_config_file: "{{ ansible_facts.env.TMPDIR }}/sshd.d/foo.conf"
       sshd_binary: "{{ ansible_facts.env.TMPDIR }}/sshd"
       __sshd_runtime_directory: "{{ ansible_facts.env.TMPDIR }}/run"

* tests: Quote also the source filename

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* tests: Add more negative test cases

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* tests: Skip the test with unsafe TMPDIR as it does not work on CentOS8

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* Move the variable checks to separate file ...

... and explain better why this is problematic

Drops also the check for internal variables as the user should not
bother with these.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---------

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Co-authored-by: Markus Linnala <Markus.Linnala@knowit.fi>
2024-09-12 07:24:22 +01:00
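The pattern the commit above describes, as an added illustration that is not the role's own code: arguments interpolated into `shell`, `command` and `validate` go through the `quote` filter, while a value destined for a generated systemd unit (where no quoting syntax is available to Ansible) is checked and rejected instead of escaped. The playbook is self-contained; `sshd_binary`, `sshd_config_file` and `sshd_runtime_directory` are assumed variable names, the allowed-character pattern in the assert is an assumption of this example, and the `copy` task needs a local `sshd` with host keys present for `sshd -t` to succeed.

```yaml
---
# Added example, not part of the ansible-sshd role. Variable names and the
# allowed-character pattern below are assumptions made for illustration.
- name: Quote shell arguments and validate values headed for a systemd unit
  hosts: localhost
  gather_facts: false
  vars:
    sshd_binary: /usr/sbin/sshd
    # Constructed unsafe path: a space and a ';' break an unquoted command line
    sshd_config_file: "/tmp/sshd.d dir;touch pwned/sshd.conf"
    # Value that would be written into a generated unit file (assumed variable)
    sshd_runtime_directory: "sshd"
  tasks:
    # UNSAFE, for contrast only: the rendered string is handed to /bin/sh,
    # so ';' ends the sshd invocation and starts a second command.
    # - name: Check config (unsafe)
    #   ansible.builtin.shell: "{{ sshd_binary }} -t -f {{ sshd_config_file }}"

    # Safe: quote single-quotes each value (shlex.quote), so the whole path
    # arrives as one argument and the ';' is literal.
    - name: Check config syntax with quoted arguments
      ansible.builtin.shell: "{{ sshd_binary | quote }} -t -f {{ sshd_config_file | quote }}"
      changed_when: false
      failed_when: false   # the constructed path does not exist; we only show quoting

    # validate is split with shlex rather than run by a shell, but quoting the
    # binary path keeps it a single word even if it contains spaces.
    - name: Install a drop-in and validate it before it replaces the target
      ansible.builtin.copy:
        content: "PasswordAuthentication no\n"
        dest: /tmp/example_sshd_dropin.conf
        mode: "0600"
        validate: "{{ sshd_binary | quote }} -t -f %s"

    # systemd unit syntax is not shell syntax and Ansible has no filter for it,
    # so refuse anything outside a conservative character set instead of
    # trying to escape it (pattern is this example's assumption).
    - name: Refuse values that would need quoting in a systemd unit
      ansible.builtin.assert:
        that:
          - sshd_runtime_directory is match('^[A-Za-z0-9._/@:-]+$')
        fail_msg: >-
          sshd_runtime_directory ({{ sshd_runtime_directory }}) contains
          characters that cannot be safely written into a systemd unit file.
```

Run it with `ansible-playbook quote_example.yml` on a host with sshd installed; change `sshd_runtime_directory` to something like `"sshd\nExecStartPre=/bin/true"` to see the assert fail, which is the behaviour the commit chooses over attempting to quote.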
Matt Willsher
d4eae954c1
feat: Ubuntu noble (#290)
* feat: Add support for Ubuntu Noble/24.04 LTS
* fix: Add missing PrintMotd to Ubuntu 22.04
* fix(tests): Various linting fixes

---------
Co-authored-by: Jakub Jelen <jjelen@redhat.com>
2024-06-21 09:12:02 +01:00
Jakub Jelen
e83cb52ded fix: Document and streamline the sshd_main_config_file
The option was introduced in 6bb0d7b456
without documentation and intended use. The recent change
f6ae2094fe propagated this option to the
generated service files, which leads to unexpected results when
a user decides to set only `sshd_config_file` for the second sshd
service, causing the service file to point to the system-wide
configuration file.

This is an attempt to fix this by introducing some heuristics to guess
if the user wants to set up a second drop-in directory (ending with .d)
or create a standalone configuration file.

Fixes: #280
2024-04-05 09:29:10 +02:00
Jakub Jelen
237e8b4255 Workaround for CentOS7 reporting ansible_facts['service_mgr'] == 'sysvinit' in containers
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-02-15 16:57:48 +01:00
Jakub Jelen
f6ae2094fe Update service/socket files to match main OS's defaults
Specifics:
 * Debian 12 no longer has the instantiated service using inet, see the
   following commit:

0dc73888bb

 * I am not matching the Description tag verbosely as I do not find it
   crucial for functionality.
 * We generate additional -f switch to the sshd CLI pointing to the main
   sshd config we manage
 * The Before=sshd.service in the socket is not generated as I find it
   unnecessary when we conflict the service.
 * Recent Ubuntu versions have RuntimeDirectoryPreserve option, which I
   set for all Ubuntu/Debian as it should not hurt.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-01-22 16:41:33 +01:00
Jakub Jelen
d3e3bdce5a Add whitespace around the filter symbol
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-01-22 16:41:33 +01:00
Rich Megginson
4543f0c679 feat: support for ostree systems
Feature: Allow running and testing the role with ostree managed nodes.

Reason: We have users who want to use the role to manage ostree
systems.

Result: Users can use the role to manage ostree managed nodes.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-11-28 09:40:18 -07:00
Jakub Jelen
350a0e562b
fix: Avoid creation of runtime directories in home (#265) 2023-10-30 13:27:37 +00:00
EmyLIEUTAUD
0bc6d8f40b
feat: manage ssh certificates (#252)
* Role configured to accept SSH connection via SSH certificates
* Works with or without principals and ansible-lint updated
* add test for SSH certificates authentication with principals
* Add configuration to run tests for SSH certificates authentication with principals
* tasks to use SSH certificates grouped into one file
* Update README.md
2023-09-11 14:39:03 +01:00
Markus Linnala
66785690fa Support inject_facts_as_vars = false
Use facts via ansible_facts only.

Made using:
  git ls-files -z|grep -z yml|xargs -0r sed --follow-symlinks -Ei \
    "s/ansible_(virtualization_type|os_family|distribution\w*)/ansible_facts['\1']/g"
2023-08-29 12:40:48 +02:00
Markus Linnala
29efda347b Drop "ansible" from variable names
Keep ansible variable namespace for upstream only.
2023-08-29 12:40:48 +02:00
Rich Megginson
70808e97fc ansible-lint - align with current Ansible recommendations
Use `true/false` instead of `yes/no`
Ensure use of FQCN for builtin modules
Use correct spacing in Jinja expressions
All tasks and plays must have a `name`, and the `name` string must begin with an uppercase letter
Use `ansible.posix.mount` instead of `ansible.builtin.mount`
Use `set -o pipefail` with `shell` module where supported by the platform shell

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-04-10 14:21:30 -06:00
Jakub Jelen
04f056867c Add support for managing selinux and firewall on RHEL 2023-01-13 10:42:40 +01:00
Jakub Jelen
6f4d3d8fdb tasks: Improve the order of keys and add missing name
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-12-13 14:13:18 +01:00
Jakub Jelen
c201ba2060 Support __sshd_supports_validate 2022-09-27 22:32:57 +02:00
Matt Willsher
abe2b26a89 Linting fixes 2022-09-07 09:33:33 +01:00
Nikolaos Kakouros
6bb0d7b456 Makes drop-in functionality configurable by the user 2022-08-26 20:23:51 +00:00
Nikolaos Kakouros
221a801260 Adds workaround for CentOS6 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
c8d7c25be3 Defaults __sshd_testing when not testing 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
d2b274a0a1 Fixes tests 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
db39a733aa Moves internal non-overridable variables out of defaults 2022-08-23 15:18:41 +02:00
Jakub Jelen
77d3163243 Workaround for https://github.com/ansible/ansible-lint/issues/2209
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-08-18 09:08:53 +02:00
Jakub Jelen
08285659ed Fix ansible-lint warnings
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-08-18 09:08:53 +02:00
Matt Willsher
b9c5db54b6 Revert incorrect module name 2022-06-03 11:30:13 +01:00
Matt Willsher
90338a3f0a Fix various linting issues 2022-06-03 11:22:17 +01:00
Jakub Jelen
b1421c7d2d Refactor tasks to separate files based on the context
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
9c202bd60e Verify the Include is in main configuration file
... if drop-in file is modified

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
e24ff31d2a Ensure the ansible facts are available 2022-04-19 17:20:27 +02:00
Jakub Jelen
bd64ca7441 More portable way for sharing variables between role and tests 2022-04-19 17:20:27 +02:00
Jakub Jelen
c515ffdf94 Move the common variables to separate file 2022-04-19 17:20:27 +02:00
Jakub Jelen
09b4214a51 Clarify the magic number 2022-04-19 17:20:27 +02:00
Jakub Jelen
c1d1cdfeac Reuse the list of skipped virtualization environments 2022-04-19 17:20:27 +02:00
Jakub Jelen
860e533713 Introduce default hostkeys to check when using drop-in directory
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.

This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
daa81ee84c Unbreak FIPS detection and hostkey filtering
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
09f2c6a999 Add another virtualization platform exception
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
fc998f21c2 Fix runtime directory check 2021-11-30 16:29:06 +01:00
Jakub Jelen
67fee24ecb Address review comments (to be squashed) 2021-11-16 15:05:22 +01:00
Jakub Jelen
7f69d1e69a Filter out Ed25519 keys from default in FIPS mode
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-11-16 15:05:22 +01:00
Dominik Rimpf
961f10b710 FIX: indentation including tests 2021-08-17 15:50:36 +02:00
Jakub Jelen
91784d1874 Workaround namespace feature also for RHEL6
The OpenSSH 5.3 in RHEL6 is so old it does not support "Match all" so we
need some creative workaround for this old stuff.
2021-08-09 10:07:09 +02:00
Jakub Jelen
b97a7b0bde Do not assume the hostkey for the main config exists 2021-06-11 21:49:31 +02:00
Jakub Jelen
8a85e7309b Rename sshd_namespace_append to sshd_config_namespace 2021-06-11 21:49:31 +02:00
Jakub Jelen
ad399343c9 Skip defaults when appending configuration 2021-06-01 16:09:23 +02:00
Jakub Jelen
8e180cfb48 Add new identification for Github Actions virtualization platform 2021-06-01 16:09:23 +02:00
Jakub Jelen
380ebd21d9 Support for appending a snippet to configuration file 2021-06-01 16:09:23 +02:00
Noriko Hosoi
6887864d2c Fix issues found by linters - enable all tests on all repos - remove suppressions
Cleaning up yamllint errors.
  - Use .yamllint.yml and .yamllint_defaults.yml instead of
    .yamllint.yaml.
  - Fix the invalid indentations.

Cleaning up ansible-lint errors.
  - Add "name" to every task.
  - Use command rather than shell
  - Add "changed_when: false".
  - Use '|' instead of '>' for the shell module.
  - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
  - Add "set -eu" and "set -o pipefail" if pipefail is available.
    Note: "pipefail" is not available in "sh" and "dash".
  - Add "- '306'  # Shells that use pipes should set the pipefail option"
    to .ansible-lint since ansible-lint does not recognize it if it's set
    in "if set -o | grep pipefail".

RHELPLAN-73804
2021-04-09 10:27:42 -07:00
Jakub Jelen
c9015f37c3 variables: Use more specific vars file first 2020-12-11 13:25:19 +01:00
Jakub Jelen
425400d521 Do not attempt to create and verify sysconfig on unrelated systems 2020-12-11 13:25:19 +01:00
Jakub Jelen
48dc56b2d2 Recognize podman container runtime and ignore services there 2020-12-11 13:25:19 +01:00
Jakub Jelen
6b36488299 Check runtime directory for running CI in Debian and Ubuntu 2020-12-11 13:25:19 +01:00