added a few options + tests

2023-05-15 18:22:48 +02:00 · 2023-05-15 18:22:48 +02:00 · 56c419ed39
commit 56c419ed39
parent 79b83b6e29
11 changed files with 172 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -7,6 +7,8 @@ provision_management_user_is_system: false
 provision_management_user_home: /home/{{ provision_management_user_name }}
 provision_management_user_shell: /bin/bash
 provision_management_user_sudoer: false
 provision_management_user_disable_root_login: false
 provision_management_user_disable_root_password_auth: false
 provision_management_user_add_ssh_key: false
 provision_management_user_ssh_key:
 provision_management_user_ssh_key_options: ""
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,2 +1,7 @@
 ---
 # handlers file for provision_management_user
 - name: "Restart sshd service"
  ansible.builtin.service:
    name: sshd
    state: restarted
  listen: "systemctl-restart-sshd"
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@ -3,8 +3,26 @@
 def test_hosts_file(host):
    """Validate /etc/hosts file."""
-    f = host.file("/etc/hosts")
+    etc_hosts = host.file("/etc/hosts")
    assert etc_hosts.exists
    assert etc_hosts.user == "root"
    assert etc_hosts.group == "root"
-    assert f.exists
+def test_ubuntu_user_group(host):
-    assert f.user == "root"
+    """Validate ubuntu user and group."""
-    assert f.group == "root"
+    ubuntu_group = host.group("ubuntu")
    ubuntu_user = host.user("ubuntu")
    assert ubuntu_group.exists
    assert ubuntu_user.exists
    assert ubuntu_user.group == "ubuntu"
    assert ubuntu_user.shell == "/bin/bash"
 def test_ubuntu_sudoer(host):
    """Validate that ubuntu user is not sudoer"""
    etc_sudoers_d_ubuntu = host.file("/etc/sudoers.d/ubuntu")
    assert not etc_sudoers_d_ubuntu.exists
 def test_ubuntu_no_ssh(host):
    """Validate that ubuntu user has no authorized_keys"""
    opt_ubuntu_authorized_keys = host.file("/home/ubuntu/.ssh/authorized_keys")
    assert not opt_ubuntu_authorized_keys.exists
--- a/molecule/with_ssh_keys/converge.yml
+++ b/molecule/with_ssh_keys/converge.yml
@ -0,0 +1,7 @@
 ---
 - name: Converge
  hosts: all
  tasks:
    - name: "Include ednxzu.provision_management_user"
      ansible.builtin.include_role:
        name: "ednxzu.provision_management_user"
--- a/molecule/with_ssh_keys/group_vars/all.yml
+++ b/molecule/with_ssh_keys/group_vars/all.yml
@ -0,0 +1,14 @@
 ---
 provision_management_user_name: ubuntu
 provision_management_user_group: ubuntu
 provision_management_user_password: "*"
 provision_management_user_is_system: true
 provision_management_user_home: /home/{{ provision_management_user_name }}
 provision_management_user_shell: /bin/bash
 provision_management_user_sudoer: true
 provision_management_user_disable_root_login: false
 provision_management_user_disable_root_password_auth: false
 provision_management_user_add_ssh_key: true
 provision_management_user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9"
 provision_management_user_ssh_key_options: ""
 provision_management_user_ssh_key_exclusive: true
--- a/molecule/with_ssh_keys/molecule.yml
+++ b/molecule/with_ssh_keys/molecule.yml
@ -0,0 +1,37 @@
 ---
 dependency:
  name: galaxy
  options:
    requirements-file: ./requirements.yml
 driver:
  name: docker
 platforms:
  - name: instance
    image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
    command: ""
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup
    cgroupns_mode: host
    privileged: true
    pre_build_image: true
 provisioner:
  name: ansible
  config_options:
    defaults:
      remote_tmp: /tmp/.ansible
 verifier:
  name: testinfra
 scenario:
  name: with_ssh_keys
  test_sequence:
    - dependency
    - cleanup
    - destroy
    - syntax
    - create
    - prepare
    - converge
    - idempotence
    - verify
    - cleanup
    - destroy
--- a/molecule/with_ssh_keys/requirements.yml
+++ b/molecule/with_ssh_keys/requirements.yml
@ -0,0 +1,3 @@
 ---
 # requirements file for molecule
 roles: []
--- a/molecule/with_ssh_keys/tests/conftest.py
+++ b/molecule/with_ssh_keys/tests/conftest.py
@ -0,0 +1,22 @@
 """PyTest Fixtures."""
 from __future__ import absolute_import
 import os
 import pytest
 def pytest_runtest_setup(item):
    """Run tests only when under molecule with testinfra installed."""
    try:
        import testinfra
    except ImportError:
        pytest.skip("Test requires testinfra", allow_module_level=True)
    if "MOLECULE_INVENTORY_FILE" in os.environ:
        pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
            os.environ["MOLECULE_INVENTORY_FILE"]
        ).get_hosts("all")
    else:
        pytest.skip(
            "Test should run only from inside molecule.", allow_module_level=True
        )
--- a/molecule/with_ssh_keys/tests/test_default.py
+++ b/molecule/with_ssh_keys/tests/test_default.py
@ -0,0 +1,36 @@
 """Role testing files using testinfra."""
 def test_hosts_file(host):
    """Validate /etc/hosts file."""
    etc_hosts = host.file("/etc/hosts")
    assert etc_hosts.exists
    assert etc_hosts.user == "root"
    assert etc_hosts.group == "root"
 def test_ubuntu_user_group(host):
    """Validate ubuntu user and group."""
    ubuntu_group = host.group("ubuntu")
    ubuntu_user = host.user("ubuntu")
    assert ubuntu_group.exists
    assert ubuntu_user.exists
    assert ubuntu_user.group == "ubuntu"
    assert ubuntu_user.shell == "/bin/bash"
 def test_ubuntu_sudoer(host):
    """Validate that ubuntu user is sudoer"""
    etc_sudoers_d_ubuntu = host.file("/etc/sudoers.d/ubuntu")
    assert etc_sudoers_d_ubuntu.exists
    assert etc_sudoers_d_ubuntu.user == "root"
    assert etc_sudoers_d_ubuntu.group == "root"
    assert etc_sudoers_d_ubuntu.mode == 0o640
    assert etc_sudoers_d_ubuntu.contains("ubuntu  ALL=(ALL)  NOPASSWD: ALL")
 def test_ubuntu_ssh_authorized_keys(host):
    """Validate that ubuntu user has authorized_keys"""
    opt_ubuntu_authorized_keys = host.file("/home/ubuntu/.ssh/authorized_keys")
    assert opt_ubuntu_authorized_keys.exists
    assert opt_ubuntu_authorized_keys.user == "ubuntu"
    assert opt_ubuntu_authorized_keys.group == "ubuntu"
    assert opt_ubuntu_authorized_keys.mode == 0o600
    assert opt_ubuntu_authorized_keys.contains("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ubuntu@instance")
--- a/tasks/configure_host.yml
+++ b/tasks/configure_host.yml
@ -0,0 +1,23 @@
 ---
 # task/configure_host file for provision_management_user
 - name: "Lock root password authentication"
  ansible.builtin.lineinfile:
    dest=/etc/ssh/sshd_config
    regexp='^PasswordAuthentication'
    line="PasswordAuthentication no"
    state=present
    backup=yes
  notify:
    - systemctl-restart-sshd
  when: provision_management_user_disable_root_password_auth
 - name: "Lock root authentication"
  ansible.builtin.lineinfile:
    dest=/etc/ssh/sshd_config
    regexp='^PermitRootLogin'
    line="PermitRootLogin no"
    state=present
    backup=yes
  notify:
    - systemctl-restart-sshd
  when: provision_management_user_disable_root_login
--- a/tasks/create_user.yml
+++ b/tasks/create_user.yml
@ -9,7 +9,7 @@
 - name: "Create user {{ provision_management_user_name }}"
  ansible.builtin.user:
    name: "{{ provision_management_user_name }}"
-    comment: "Ansible service user"
+    comment: "Management user"
    password: "{{ provision_management_user_password }}"
    group: "{{ provision_management_user_group }}"
    home: "{{ provision_management_user_home }}"