From 6f48a19b0b28a668d0d24b6f205aa94812171b40 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 26 Mar 2023 22:56:15 +0200
Subject: [PATCH] added tests, still not sure if this role should include more stuff
---
 defaults/main.yml | 4 ++-
 meta/main.yml | 2 ++
 molecule/default/tests/test_default.py | 27 +++++++++++++---
 molecule/with_ssh_keys/tests/test_default.py | 34 +++++++++++++++++---
 tasks/add_ssh_keys.yml | 2 +-
 tasks/create_user.yml | 9 ++++++
 6 files changed, 68 insertions(+), 10 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 95afd9f..aa73c93 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,11 +1,13 @@
 ---
 # defaults file for provision_ansible_user
 provision_ansible_user_name: ansible
+provision_ansible_user_group: ansible
 provision_ansible_user_password: "*"
 provision_ansible_user_is_system: true
+provision_ansible_user_home: /opt/{{ provision_ansible_user_name }}
 provision_ansible_user_shell: /bin/bash
 provision_ansible_user_sudoer: false
 provision_ansible_user_add_ssh_key: false
 provision_ansible_user_ssh_key:
 provision_ansible_user_ssh_key_options: ""
-provision_ansible_user_ssh_key_exclusive: true
\ No newline at end of file
+provision_ansible_user_ssh_key_exclusive: true
diff --git a/meta/main.yml b/meta/main.yml
index 9ff291b..987b506 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,3 +1,5 @@
+---
+# meta file for provision_ansible_user
 galaxy_info:
   namespace: 'ednxzu'
   role_name: 'provision_ansible_user'
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 0cff669..05368c9 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -3,8 +3,27 @@
 
 def test_hosts_file(host):
     """Validate /etc/hosts file."""
-    f = host.file("/etc/hosts")
+    etc_hosts = host.file("/etc/hosts")
+    assert etc_hosts.exists
+    assert etc_hosts.user == "root"
+    assert etc_hosts.group == "root"
 
-    assert f.exists
-    assert f.user == "root"
-    assert f.group == "root"
+def test_ansible_user_group(host):
+    """Validate consul user and group."""
+    ansible_group = host.group("ansible")
+    ansible_user = host.user("ansible")
+    assert ansible_group.exists
+    assert ansible_user.exists
+    assert ansible_user.group == "ansible"
+    assert ansible_user.shell == "/bin/bash"
+
+def test_ansible_sudoer(host):
+    """Validate that ansible user is not sudoer"""
+    etc_sudoers_d_ansible = host.file("/etc/sudoers.d/ansible")
+    assert not etc_sudoers_d_ansible.exists
+
+
+def test_ansible_no_ssh(host):
+    """Validate that ansible user has no authorized_keys"""
+    opt_ansible_authorized_keys = host.file("/opt/ansible/.ssh/authorized_keys")
+    assert not opt_ansible_authorized_keys.exists
diff --git a/molecule/with_ssh_keys/tests/test_default.py b/molecule/with_ssh_keys/tests/test_default.py
index 0cff669..283d2da 100644
--- a/molecule/with_ssh_keys/tests/test_default.py
+++ b/molecule/with_ssh_keys/tests/test_default.py
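Review bot: The docstring of `test_ansible_user_group` reads "Validate consul user and group." — a copy-paste leftover from another role; the same line is in the molecule/with_ssh_keys/tests/test_default.py hunk. Replace it with `"""Validate the ansible user and its primary group."""`. Since this commit also introduces the `provision_ansible_user_home` default, pin it in the same test with `assert ansible_user.home == "/opt/ansible"`; without it a changed home path would only surface indirectly through the `/opt/ansible/.ssh/authorized_keys` path used by `test_ansible_no_ssh`. Testinfra's `User` exposes `home`, so no new fixture is needed.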
@@ -3,8 +3,34 @@
 
 def test_hosts_file(host):
     """Validate /etc/hosts file."""
-    f = host.file("/etc/hosts")
+    etc_hosts = host.file("/etc/hosts")
+    assert etc_hosts.exists
+    assert etc_hosts.user == "root"
+    assert etc_hosts.group == "root"
 
-    assert f.exists
-    assert f.user == "root"
-    assert f.group == "root"
+def test_ansible_user_group(host):
+    """Validate consul user and group."""
+    ansible_group = host.group("ansible")
+    ansible_user = host.user("ansible")
+    assert ansible_group.exists
+    assert ansible_user.exists
+    assert ansible_user.group == "ansible"
+    assert ansible_user.shell == "/bin/bash"
+
+def test_ansible_sudoer(host):
+    """Validate that ansible user is sudoer"""
+    etc_sudoers_d_ansible = host.file("/etc/sudoers.d/ansible")
+    assert etc_sudoers_d_ansible.exists
+    assert etc_sudoers_d_ansible.user == "root"
+    assert etc_sudoers_d_ansible.group == "root"
+    assert etc_sudoers_d_ansible.mode == 0o640
+    assert etc_sudoers_d_ansible.contains("ansible ALL=(ALL) NOPASSWD: ALL")
+
+def test_ansible_ssh_authorized_keys(host):
+    """Validate that ansible user has authorized_keys"""
+    opt_ansible_authorized_keys = host.file("/opt/ansible/.ssh/authorized_keys")
+    assert opt_ansible_authorized_keys.exists
+    assert opt_ansible_authorized_keys.user == "ansible"
+    assert opt_ansible_authorized_keys.group == "ansible"
+    assert opt_ansible_authorized_keys.mode == 0o600
+    assert opt_ansible_authorized_keys.contains("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ansible@instance")
diff --git a/tasks/add_ssh_keys.yml b/tasks/add_ssh_keys.yml
index f4e56ef..165bf2e 100644
--- a/tasks/add_ssh_keys.yml
+++ b/tasks/add_ssh_keys.yml
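Review bot: `test_ansible_ssh_authorized_keys` checks the key file but never the `/opt/ansible/.ssh` directory it lives in, and sshd with `StrictModes` (the default) rejects the key when that directory or the home is group- or world-writable or owned by someone else, so a permission regression there would pass this scenario while still locking the user out. A companion test on the directory (below) closes that gap; `0o700` is what `authorized_key` creates when the directory is missing, so if the scenario pre-creates it, assert `not opt_ansible_ssh.mode & 0o022` instead. The last `contains(...)` pins the key comment to `ansible@instance`, which after the tasks/add_ssh_keys.yml change presumably only holds while the molecule instance's hostname is `instance` and the user-name default is unchanged; a one-line comment such as `# comment is "<user>@<ansible_hostname>"; the molecule instance is named "instance"` would save the next reader a hunt.
```python
def test_ansible_ssh_dir(host):
    """Validate that the ansible user's .ssh directory is private (sshd StrictModes)."""
    opt_ansible_ssh = host.file("/opt/ansible/.ssh")
    assert opt_ansible_ssh.is_directory
    assert opt_ansible_ssh.user == "ansible"
    assert opt_ansible_ssh.group == "ansible"
    assert opt_ansible_ssh.mode == 0o700
```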
@@ -4,6 +4,6 @@
   ansible.posix.authorized_key:
     user: "{{ provision_ansible_user_name }}"
     key: "{{ provision_ansible_user_ssh_key }}"
-    comment: "ansible@{{ ansible_hostname }}"
+    comment: "{{ provision_ansible_user_name }}@{{ ansible_hostname }}"
     key_options: "{{ provision_ansible_user_ssh_key_options }}"
     exclusive: "{{ provision_ansible_user_ssh_key_exclusive }}"
diff --git a/tasks/create_user.yml b/tasks/create_user.yml
index 4ac6b82..df6f61f 100644
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@@ -1,11 +1,18 @@
 ---
 # task/create_user file for provision_ansible_user
 - name: "Create group {{ provision_ansible_user_group }}"
+  ansible.builtin.group:
+    name: "{{ provision_ansible_user_group }}"
+    state: present
+    system: "{{ provision_ansible_user_is_system }}"
+
 - name: "Create user {{ provision_ansible_user_name }}"
   ansible.builtin.user:
     name: "{{ provision_ansible_user_name }}"
     comment: "Ansible service user"
     password: "{{ provision_ansible_user_password }}"
+    group: "{{ provision_ansible_user_group }}"
+    home: "{{ provision_ansible_user_home }}"
     shell: "{{ provision_ansible_user_shell }}"
     system: "{{ provision_ansible_user_is_system }}"
     create_home: true
@@ -13,6 +20,8 @@
 - name: "Add user to sudoers"
   ansible.builtin.copy:
     dest: "/etc/sudoers.d/{{ provision_ansible_user_name }}"
+    owner: root
+    group: root
     mode: 0640
     content: "{{ provision_ansible_user_name }} ALL=(ALL) NOPASSWD: ALL"
   when: provision_ansible_user_sudoer
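Review bot: In the second create_user.yml hunk the sudoers drop-in is written with plain `ansible.builtin.copy` and no `validate:`, so any value of `provision_ansible_user_name` that yields an invalid sudoers line is installed as-is and can break `sudo` host-wide; add `validate: /usr/sbin/visudo -cf %s` next to the new `owner`/`group` lines. The task also only ever grants: with `when: provision_ansible_user_sudoer`, setting the variable back to `false` leaves a previously installed `/etc/sudoers.d/<name>` in place, so the privilege is never revoked by re-running the role (the default molecule scenario passes only because it starts from a fresh instance). A paired removal task makes the variable authoritative (below). The unquoted `mode: 0640` is read as a YAML octal by PyYAML, which works here but is the form the Ansible docs warn against; `mode: "0640"` is the safe spelling.
```yaml
- name: "Add user to sudoers"
  ansible.builtin.copy:
    # … unchanged: dest, owner, group, mode, content …
    validate: /usr/sbin/visudo -cf %s
  when: provision_ansible_user_sudoer

- name: "Remove user from sudoers"
  ansible.builtin.file:
    path: "/etc/sudoers.d/{{ provision_ansible_user_name }}"
    state: absent
  when: not provision_ansible_user_sudoer
```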