Commit graph

28 commits

Author SHA1 Message Date
Matt Willsher
da3e33ec46
fix: rename var sshd -> sshd_config and debug output (#299) 2024-10-24 17:59:04 +01:00
Jakub Jelen
d10f2ada11
fix: use quote with command, shell and validate with variable (#298)
* robustness: quote test backup/restore file names

This avoids issues if file names are not safe paths.

* security: use quote with command, shell and validate with variable

Skip quotation only if variable is checked.

Add test suite to exercise some quote use cases.

* robustness: fail if systemd.unit could have something in need of quote

Ensure systemd.unit contents are robust. This disables the possibility to
have something that needs to be quoted there. But as ansible lacks a
proper way to quote systemd unit files (see man systemd.syntax, rules
are not shell rules), it is better to fail such configs. If you are
trying to do that, you are doing it wrong anyway or have malicious
intent.

Also ensure similar issue with sysctl.conf.

The issue can be seen with `tests_hostkeys_unsafe_path.yml`, when adding
the following to role params:

       sshd_install_service: true
       sshd_config_file: "{{ ansible_facts.env.TMPDIR }}/sshd.d/foo.conf"
       sshd_binary: "{{ ansible_facts.env.TMPDIR }}/sshd"
       __sshd_runtime_directory: "{{ ansible_facts.env.TMPDIR }}/run"

* tests: Quote also the source filename

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* tests: Add more negative test cases

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* tests: Skip the test with unsafe TMPDIR as it does not work on CentOS8

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* Move the variable checks to separate file ...

... and explain better why this is problematic

Drops also the check for internal variables as the user should not
bother with these.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---------

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Co-authored-by: Markus Linnala <Markus.Linnala@knowit.fi>
2024-09-12 07:24:22 +01:00
Jakub Jelen
84e6a71509 Ubuntu 20 already supports drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-01-22 16:41:33 +01:00
Jakub Jelen
d3e3bdce5a Add whitespace around the filter symbol
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-01-22 16:41:33 +01:00
Rich Megginson
4543f0c679 feat: support for ostree systems
Feature: Allow running and testing the role with ostree managed nodes.

Reason: We have users who want to use the role to manage ostree
systems.

Result: Users can use the role to manage ostree managed nodes.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-11-28 09:40:18 -07:00
Rich Megginson
24c1915595 tests: Ensure backup/restore preserves file attributes
I noticed some test failures in tests that check ownership/permissions
of config files.  The tests were recently changed to reuse the same
VM, so I suspect config files were not being backed up/restored with
the correct file attributes.  Use `cp -a` to preserve all file
attributes.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-11-17 08:28:26 -07:00
Markus Linnala
66785690fa Support inject_facts_as_vars = false
Use facts via ansible_facts only.

Made using:
  git ls-files -z|grep -z yml|xargs -0r sed --follow-symlinks -Ei \
    "s/ansible_(virtualization_type|os_family|distribution\w*)/ansible_facts['\1']/g"
2023-08-29 12:40:48 +02:00
Dominik Rimpf
70c913ed0e
feat: support for debian 12 2023-06-18 23:10:14 +02:00
Rich Megginson
c5c519f73b test: check generated files for ansible_managed, fingerprint
Add the following files: tests/tasks/check_header.yml and
tests/templates/get_ansible_managed.j2.
Use check_header.yml to check generated files for the ansible_managed
and fingerprint headers.
check_header.yml takes these parameters.  `fingerprint` is required,
and one of `__file` or `__file_content`:

* `__file` - the full path of the file to check e.g. `/etc/realmd.conf`
* `__file_content` - the output of `slurp` of the file
* `__fingerprint` - required - the fingerprint string `system_role:$ROLENAME` e.g.
  `__fingerprint: "system_role:postfix"`
* `__comment_type` - optional, default `plain` - the type of comments used,
  e.g. `__comment_type: c` for C/C++-style comments.  `plain` uses `#`.
See https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html#adding-comments-to-files
for the different types of comment styles supported.

Example:
```
- name: Check generated files for ansible_managed, fingerprint
  include_tasks: tasks/check_header.yml
  vars:
    __file: /etc/myfile.conf
    __fingerprint: "system_role:my_role"
```

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
2023-04-26 07:52:03 -06:00
Nikolaos Kakouros
221a801260 Adds workaround for CentOS6 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
d2b274a0a1 Fixes tests 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
87ed3d4c15 Addresses comments and linters 2022-08-23 15:18:41 +02:00
Nikolaos Kakouros
db39a733aa Moves internal non-overridable variables out of defaults 2022-08-23 15:18:41 +02:00
Matt Willsher
90338a3f0a Fix various linting issues 2022-06-03 11:22:17 +01:00
Jakub Jelen
74026ba2f8 Add support for Ubuntu 22 with drop-in directory
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-05-10 16:48:22 +02:00
Jakub Jelen
bd64ca7441 More portable way for sharing variables between role and tests 2022-04-19 17:20:27 +02:00
Jakub Jelen
c515ffdf94 Move the common variables to separate file 2022-04-19 17:20:27 +02:00
Jakub Jelen
bcbdf92182 Avoid unnecessary use of 'and' in 'when' conditions 2022-04-19 17:20:27 +02:00
Jakub Jelen
c1d1cdfeac Reuse the list of skipped virtualization environments 2022-04-19 17:20:27 +02:00
Jakub Jelen
09f2c6a999 Add another virtualization platform exception
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
17bc0cbb1b tests: Fix OS detection to match also CentOS 9
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2022-04-19 17:20:27 +02:00
Jakub Jelen
ee2096d680 Add support for RHEL 9 and adjust tests for it 2021-08-03 17:35:24 +02:00
Jakub Jelen
8e180cfb48 Add new identification for Github Actions virtualization platform 2021-06-01 16:09:23 +02:00
Noriko Hosoi
fe0146b8a0 Fixing issues found by @jakure in his reviews. 2021-04-10 09:11:13 -07:00
Noriko Hosoi
6887864d2c Fix issues found by linters - enable all tests on all repos - remove suppressions
Cleaning up yamllint errors.
  - Use .yamllint.yml and .yamllint_defaults.yml instead of
    .yamllint.yaml.
  - Fix the invalid indentations.

Cleaning up ansible-lint errors.
  - Add "name" to every task.
  - Use command rather than shell
  - Add "changed_when: false".
  - Use '|' instead of '>' for the shell module.
  - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
  - Add "set -eu" and "set -o pipefail" if pipefail is available.
    Note: "pipefail" is not available in "sh" and "dash".
  - Add "- '306'  # Shells that use pipes should set the pipefail option"
    to .ansible-lint since ansible-lint does not recognize it if it's set
    in "if set -o | grep pipefail".

RHELPLAN-73804
2021-04-09 10:27:42 -07:00
Jakub Jelen
497db39466 tests: Move setup tasks to separate file 2020-12-11 13:25:19 +01:00
Jakub Jelen
48dc56b2d2 Recognize podman container runtime and ignore services there 2020-12-11 13:25:19 +01:00
Jakub Jelen
9ccbe04b7f tests: Implement backup & restore of important files for separate tests 2020-12-11 13:24:40 +01:00