added tests, still not sure if this role should include more stuff

2023-03-26 22:56:15 +02:00 · 2023-03-26 22:56:15 +02:00 · 6f48a19b0b
commit 6f48a19b0b
parent c81b770732
6 changed files with 68 additions and 10 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,11 +1,13 @@
 ---
 # defaults file for provision_ansible_user
 provision_ansible_user_name: ansible
+provision_ansible_user_group: ansible
 provision_ansible_user_password: "*"
 provision_ansible_user_is_system: true
+provision_ansible_user_home: /opt/{{ provision_ansible_user_name }}
 provision_ansible_user_shell: /bin/bash
 provision_ansible_user_sudoer: false
 provision_ansible_user_add_ssh_key: false
 provision_ansible_user_ssh_key:
 provision_ansible_user_ssh_key_options: ""
-provision_ansible_user_ssh_key_exclusive: true
+provision_ansible_user_ssh_key_exclusive: true
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,3 +1,5 @@
+---
+# meta file for provision_ansible_user
 galaxy_info:
  namespace: 'ednxzu'
  role_name: 'provision_ansible_user'
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@ -3,8 +3,27 @@

 def test_hosts_file(host):
    """Validate /etc/hosts file."""
-    f = host.file("/etc/hosts")
+    etc_hosts = host.file("/etc/hosts")
+    assert etc_hosts.exists
+    assert etc_hosts.user == "root"
+    assert etc_hosts.group == "root"

-    assert f.exists
-    assert f.user == "root"
-    assert f.group == "root"
+def test_ansible_user_group(host):
+    """Validate consul user and group."""
+    ansible_group = host.group("ansible")
+    ansible_user = host.user("ansible")
+    assert ansible_group.exists
+    assert ansible_user.exists
+    assert ansible_user.group == "ansible"
+    assert ansible_user.shell == "/bin/bash"
+
+def test_ansible_sudoer(host):
+    """Validate that ansible user is not sudoer"""
+    etc_sudoers_d_ansible = host.file("/etc/sudoers.d/ansible")
+    assert not etc_sudoers_d_ansible.exists
+
+
+def test_ansible_no_ssh(host):
+    """Validate that ansible user has no authorized_keys"""
+    opt_ansible_authorized_keys = host.file("/opt/ansible/.ssh/authorized_keys")
+    assert not opt_ansible_authorized_keys.exists
--- a/molecule/with_ssh_keys/tests/test_default.py
+++ b/molecule/with_ssh_keys/tests/test_default.py
@ -3,8 +3,34 @@

 def test_hosts_file(host):
    """Validate /etc/hosts file."""
-    f = host.file("/etc/hosts")
+    etc_hosts = host.file("/etc/hosts")
+    assert etc_hosts.exists
+    assert etc_hosts.user == "root"
+    assert etc_hosts.group == "root"

-    assert f.exists
-    assert f.user == "root"
-    assert f.group == "root"
+def test_ansible_user_group(host):
+    """Validate consul user and group."""
+    ansible_group = host.group("ansible")
+    ansible_user = host.user("ansible")
+    assert ansible_group.exists
+    assert ansible_user.exists
+    assert ansible_user.group == "ansible"
+    assert ansible_user.shell == "/bin/bash"
+
+def test_ansible_sudoer(host):
+    """Validate that ansible user is sudoer"""
+    etc_sudoers_d_ansible = host.file("/etc/sudoers.d/ansible")
+    assert etc_sudoers_d_ansible.exists
+    assert etc_sudoers_d_ansible.user == "root"
+    assert etc_sudoers_d_ansible.group == "root"
+    assert etc_sudoers_d_ansible.mode == 0o640
+    assert etc_sudoers_d_ansible.contains("ansible  ALL=(ALL)  NOPASSWD: ALL")
+
+def test_ansible_ssh_authorized_keys(host):
+    """Validate that ansible user has authorized_keys"""
+    opt_ansible_authorized_keys = host.file("/opt/ansible/.ssh/authorized_keys")
+    assert opt_ansible_authorized_keys.exists
+    assert opt_ansible_authorized_keys.user == "ansible"
+    assert opt_ansible_authorized_keys.group == "ansible"
+    assert opt_ansible_authorized_keys.mode == 0o600
+    assert opt_ansible_authorized_keys.contains("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ansible@instance")
--- a/tasks/add_ssh_keys.yml
+++ b/tasks/add_ssh_keys.yml
@ -4,6 +4,6 @@
  ansible.posix.authorized_key:
    user: "{{ provision_ansible_user_name }}"
    key: "{{ provision_ansible_user_ssh_key }}"
-    comment: "ansible@{{ ansible_hostname }}"
+    comment: "{{ provision_ansible_user_name }}@{{ ansible_hostname }}"
    key_options: "{{ provision_ansible_user_ssh_key_options }}"
    exclusive: "{{ provision_ansible_user_ssh_key_exclusive }}"
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@ -1,11 +1,18 @@
 ---
 # task/create_user file for provision_ansible_user
 - name: "Create group {{ provision_ansible_user_group }}"
+  ansible.builtin.group:
+    name: "{{ provision_ansible_user_group }}"
+    state: present
+    system: "{{ provision_ansible_user_is_system }}"
+
 - name: "Create user {{ provision_ansible_user_name }}"
  ansible.builtin.user:
    name: "{{ provision_ansible_user_name }}"
    comment: "Ansible service user"
    password: "{{ provision_ansible_user_password }}"
+    group: "{{ provision_ansible_user_group }}"
+    home: "{{ provision_ansible_user_home }}"
    shell: "{{ provision_ansible_user_shell }}"
    system: "{{ provision_ansible_user_is_system }}"
    create_home: true
@ -13,6 +20,8 @@
 - name: "Add user to sudoers"
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/{{ provision_ansible_user_name }}"
+    owner: root
+    group: root
    mode: 0640
    content: "{{ provision_ansible_user_name }}  ALL=(ALL)  NOPASSWD: ALL"
  when: provision_ansible_user_sudoer