From 2c24e973d44a748ea731fbe23d76d18e3913d974 2024-02-26 23:25:19 From: Branko Majic Date: 2024-02-26 23:25:19 Subject: [PATCH] MAR-192: Added support for Debian 12 Bookworm to backup_server role: - Use test parametrisation instead of looping over a list when testing correct key usage. - Replace deprecated key algorithm (in Debian 12 Bookworm) for test purposes (it just needs to be one of the RSA variants). --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 6de6d32ad5a792c96d6ab8f811caa85c1a7d413b..c2717a4eb2c81e201f25f414a75fcc48c4536860 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -2240,6 +2240,7 @@ Distribution compatibility Role is compatible with the following distributions: - Debian 11 (Bullseye) +- Debian 12 (Bookworm) Examples diff --git a/roles/backup_server/meta/main.yml b/roles/backup_server/meta/main.yml index 778b950d1c4db5bf08ae4ab8a989687b5b6948e4..118f08166e023e5d7aa6d6f61f80cd12263b7009 100644 --- a/roles/backup_server/meta/main.yml +++ b/roles/backup_server/meta/main.yml @@ -12,3 +12,4 @@ galaxy_info: - name: Debian versions: - 11 + - 12 diff --git a/roles/backup_server/molecule/default/molecule.yml b/roles/backup_server/molecule/default/molecule.yml index a14be1c8bb27275f1c61900fbe4cc0ee4ff901ef..76f531cf62986d4bb615c0b12864d9702937f020 100644 --- a/roles/backup_server/molecule/default/molecule.yml +++ b/roles/backup_server/molecule/default/molecule.yml 
@@ -42,6 +42,34 @@ platforms: network_name: private_network type: static + - name: parameters-mandatory-bookworm + groups: + - parameters-mandatory + box: debian/bookworm64 + memory: 384 + cpus: 1 + provider_raw_config_args: + - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" + interfaces: + - auto_config: true + ip: 192.168.56.31 + network_name: private_network + type: static + + - name: parameters-optional-bookworm + groups: + - parameters-optional + box: debian/bookworm64 + memory: 384 + cpus: 1 + provider_raw_config_args: + - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" + interfaces: + - auto_config: true + ip: 192.168.56.32 + network_name: private_network + type: static + provisioner: name: ansible config_options: diff --git a/roles/backup_server/molecule/default/tests/data/ssh/known_hosts b/roles/backup_server/molecule/default/tests/data/ssh/known_hosts index dd017681fb5750e344254ed3a6490c516b0b71b7..6513ecdb6ebcc90f4f5f143e1294eac40ef144da 100644 --- a/roles/backup_server/molecule/default/tests/data/ssh/known_hosts +++ b/roles/backup_server/molecule/default/tests/data/ssh/known_hosts 
@@ -7,3 +7,13 @@ [192.168.56.22]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ [192.168.56.22]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= [192.168.56.22]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 + +# Bookworm +[192.168.56.31]:2222 ssh-dss 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 +[192.168.56.31]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ +[192.168.56.31]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= +[192.168.56.31]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 +[192.168.56.32]:2222 ssh-dss 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 +[192.168.56.32]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ +[192.168.56.32]:2222 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= +[192.168.56.32]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 diff --git a/roles/backup_server/molecule/default/tests/test_parameters_optional.py b/roles/backup_server/molecule/default/tests/test_parameters_optional.py index c91f551b842c5781138089d302a5e6f0a075d408..8a5d6f6a411fd5a2b98a796d8c6b375f70b36d4a 100644 --- a/roles/backup_server/molecule/default/tests/test_parameters_optional.py +++ b/roles/backup_server/molecule/default/tests/test_parameters_optional.py 
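Review bot: The two `ssh-dss` entries added under `# Bookworm` for 192.168.56.31 and 192.168.56.32 are not checked by anything in this commit, since the parametrised fingerprint test in test_parameters_optional.py only requests `rsa-sha2-512`, `ssh-ed25519` and `ecdsa-sha2-nistp256`. OpenSSH has had DSA host keys disabled by default since 7.0, so on Bookworm these lines most likely pin trust in a key the client will never negotiate. Whether the role still deploys a DSA host key is not visible here. If it does not, drop both lines from the Bookworm block; if it does, extend the header to something like `# Bookworm (ssh-dss kept for parity with the role's deployed keys; not covered by tests)`.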
@@ -207,27 +207,28 @@ def test_backup_ssh_service_connectivity(host): @pytest.mark.usefixtures("prepare_ssh_client_private_key_permissions") -def test_backup_ssh_service_key_fingerprints(host): +@pytest.mark.parametrize('key_algorithm', [ + 'rsa-sha2-512', + 'ssh-ed25519', + 'ecdsa-sha2-nistp256', +]) +def test_backup_ssh_service_key_fingerprints(host, key_algorithm): """ Tests fingerprints of backup SSH server in order to ensure correct keys are in use. """ - key_types = ['ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256'] - # Extract first non-IPv6 IP. Crude test, but it should work. remote_ip = next(a for a in host.interface("eth1").addresses if ":" not in a) local = host.get_host("local://") - for key_type in key_types: - - login_attempt = local.run("ssh -p 2222 " - "-o PasswordAuthentication=no " - "-o StrictHostKeyChecking=yes " - "-o UserKnownHostsFile=tests/data/ssh/known_hosts " - "-i tests/data/ssh/client1 " - "-o HostKeyAlgorithms=%s " - "bak-client1_backup@%s /bin/echo sshtest" % (key_type, remote_ip)) - assert login_attempt.rc == 1 - assert "This service allows sftp connections only." in login_attempt.stdout + login_attempt = local.run("ssh -p 2222 " + "-o PasswordAuthentication=no " + "-o StrictHostKeyChecking=yes " + "-o UserKnownHostsFile=tests/data/ssh/known_hosts " + "-i tests/data/ssh/client1 " + "-o HostKeyAlgorithms=%s " + "bak-client1_backup@%s /bin/echo sshtest" % (key_algorithm, remote_ip)) + assert login_attempt.rc == 1 + assert "This service allows sftp connections only." in login_attempt.stdout
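Review bot: The new `key_algorithm` list mixes a signature algorithm (`rsa-sha2-512`) with names that are also key types, while the known_hosts fixture still labels the RSA entry `ssh-rsa`, and nothing in the test explains why the two differ. A comment above the `@pytest.mark.parametrize` list would stop a later maintainer from "aligning" them, for example `# rsa-sha2-512 selects the RSA host key (known_hosts type "ssh-rsa") with a SHA-2 signature; the SHA-1 "ssh-rsa" signature is off by default in newer OpenSSH.` The docstring could also state that `rc == 1` together with the sftp-only message is what shows the host key was accepted under `StrictHostKeyChecking=yes`, since a host key mismatch would make ssh fail before the remote command runs.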