ansible-sshd/tests/tests_systemd_services.yml
Jakub Jelen e83cb52ded fix: Document and streamline the sshd_main_config_file
The option was introduced in 6bb0d7b456
without documentation and intended use. The recent change
f6ae2094fe propagated this option to the
generated service files, which results in unexpected behavior when
a user sets only `sshd_config_file` for the second sshd
service, causing the service file to point to the system-wide
configuration file.

This is an attempt to fix this by introducing some heuristics to guess
whether the user wants to set up a second drop-in directory (ending with .d)
or create a standalone configuration file.

Fixes: #280
2024-04-05 09:29:10 +02:00


---
- name: Test systemd services and sockets files can be installed
  hosts: all
  vars:
    # Paths that the included tasks/backup.yml and tasks/restore.yml are
    # presumably expected to save before the role runs and put back at the
    # end; the role writes to /etc/ssh and /etc/systemd/system here.
    __sshd_test_backup_files:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
      - /etc/systemd/system/sshd.service
      - /etc/systemd/system/sshd@.service
      - /etc/systemd/system/sshd.socket
      - /etc/systemd/system/ssh.service
      - /etc/systemd/system/ssh@.service
      - /etc/systemd/system/ssh.socket
    # Unit name prefix; overridden to "ssh" on Debian-family hosts below.
    __sshd_test_service_name: sshd
    # Accumulators for the lines of the distribution units that must
    # reappear verbatim in the units generated by the role.
    __sshd_service_list: []
    __sshd_service_inst_list: []
    __sshd_socket_list: []

  tasks:
    - name: Fix the service name on Debian
      ansible.builtin.set_fact:
        __sshd_test_service_name: ssh
      when: ansible_facts['os_family'] == "Debian"

    - name: Backup configuration files
      ansible.builtin.include_tasks: tasks/backup.yml

    # Plain role run with nothing but the service-file installation enabled.
    - name: Configure sshd with default options and install service files
      ansible.builtin.include_role:
        name: ansible-sshd
      vars:
        sshd_install_service: true

    # Compare the generated service and socket units with the ones shipped
    # by the distribution. Runs where systemd is the service manager; RHEL 7
    # is let through explicitly as well.
    - name: Read the service files and verify they are reasonable
      tags: tests::verify
      when:
        - >-
          ansible_facts['service_mgr'] == 'systemd' or
          (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
      block:
        - name: Read the distribution service file
          ansible.builtin.slurp:
            src: '/lib/systemd/system/{{ __sshd_test_service_name }}.service'
          register: service_old

        - name: Read the distribution socket file
          ansible.builtin.slurp:
            src: '/lib/systemd/system/{{ __sshd_test_service_name }}.socket'
          register: socket_old

        - name: Read the created service file
          ansible.builtin.slurp:
            src: '/etc/systemd/system/{{ __sshd_test_service_name }}.service'
          register: service

        - name: Read the created socket file
          ansible.builtin.slurp:
            src: '/etc/systemd/system/{{ __sshd_test_service_name }}.socket'
          register: socket

        # slurp returns base64; replace the registered result with the plain
        # unit text so it can be split into lines.
        - name: Decode service file
          ansible.builtin.set_fact:
            service_old: "{{ service_old.content | b64decode }}"

        # Line-by-line containment check rather than a byte comparison:
        # comments, ConditionPathExists= (of little use, and absent on
        # Ubuntu) and Description= are allowed to differ.
        - name: Construct the options list from old service file
          ansible.builtin.set_fact:
            __sshd_service_list: "{{ __sshd_service_list + [item] }}"
          loop: "{{ service_old.splitlines() }}"
          when:
            - not item.startswith("#")
            - not item.startswith("ConditionPathExists=")
            - not item.startswith("Description=")

        - name: Test options in sshd.service are kept
          ansible.builtin.assert:
            that:
              - "item in service.content | b64decode"
          loop: "{{ __sshd_service_list }}"

        # The generated unit must pass an explicit -f pointing under
        # /etc/ssh/, so the daemon runs with the configuration the role
        # manages rather than an unrelated default.
        - name: Verify the ExecStart line contains the configuration file
          ansible.builtin.assert:
            that:
              - "' -f/etc/ssh/' in service.content | b64decode"

        - name: Decode socket file
          ansible.builtin.set_fact:
            socket_old: "{{ socket_old.content | b64decode }}"

        # Same containment check for the socket unit. Before= is dropped as
        # well because it does not make sense in combination with Conflicts=.
        - name: Construct the options list from old socket file
          ansible.builtin.set_fact:
            __sshd_socket_list: "{{ __sshd_socket_list + [item] }}"
          loop: "{{ socket_old.splitlines() }}"
          when:
            - not item.startswith("#")
            - not item.startswith("ConditionPathExists=")
            - not item.startswith("Before=")
            - not item.startswith("Description=")

        - name: Test options in sshd.socket are kept
          ansible.builtin.assert:
            that:
              - "item in socket.content | b64decode"
          loop: "{{ __sshd_socket_list }}"

    # Same comparison for the instantiated (socket-activated) unit.
    # Skipped on Debian 12 and later; the distribution unit is apparently
    # not available there.
    - name: Read the instantiated service file and verify they are reasonable
      tags: tests::verify
      when:
        - >-
          ansible_facts['service_mgr'] == 'systemd' or
          (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
        - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
      block:
        - name: Read the distribution instantiated service file
          ansible.builtin.slurp:
            src: '/lib/systemd/system/{{ __sshd_test_service_name }}@.service'
          register: service_inst_old

        - name: Read the created instantiated service file
          ansible.builtin.slurp:
            src: '/etc/systemd/system/{{ __sshd_test_service_name }}@.service'
          register: service_inst

        - name: Decode instantiated service file
          ansible.builtin.set_fact:
            service_inst_old: "{{ service_inst_old.content | b64decode }}"

        # Only comments and Description= may differ here.
        - name: Construct the options list from old instantiated service file
          ansible.builtin.set_fact:
            __sshd_service_inst_list: "{{ __sshd_service_inst_list + [item] }}"
          loop: "{{ service_inst_old.splitlines() }}"
          when:
            - not item.startswith("#")
            - not item.startswith("Description=")

        - name: Test options in sshd@.service are kept
          ansible.builtin.assert:
            that:
              - "item in service_inst.content | b64decode"
          loop: "{{ __sshd_service_inst_list }}"

        # Same -f check as for the regular unit: the instance must also be
        # bound to a configuration file under /etc/ssh/.
        - name: Verify the ExecStart line contains the configuration file
          ansible.builtin.assert:
            that:
              - "' -f/etc/ssh/' in service_inst.content | b64decode"

    - name: Restore configuration files
      ansible.builtin.include_tasks: tasks/restore.yml