From c082a26b62ff22b7a2f53c0076f8fc73b14aa347 2018-05-29 23:13:58 From: Branko Majic Date: 2018-05-29 23:13:58 Subject: [PATCH] MAR-129: Updated ldap_server role for new Molecule and Ansible: - Fixed syntax warnings. - Moved test playbook variables into group_vars. - Optimised the invocation of test playbook. - Remove the 'ss' utility from test machines in order to properly test the unix sockets. - Fixed how the hosts are being referenced in tests. --- diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index 038e1cb022845de5eb96ea6d0f316685b5c8a39e..6833a391b26868b4e8218e8fbeb96ac46264a2dc 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml @@ -1,6 +1,6 @@ --- -enable_backup: False +enable_backup: false ldap_entries: [] ldap_server_domain: "{{ ansible_domain }}" # Internal value, base DN. @@ -33,4 +33,5 @@ ldap_permissions: by users read by * none -ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" +ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\ ++SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" diff --git a/roles/ldap_server/molecule/default/create.yml b/roles/ldap_server/molecule/default/create.yml index f8eb37cd4df02c540216c02791d0c50870986202..ce8657f9bae3be7f42731fd1efe77e87a62afcd9 100644 --- a/roles/ldap_server/molecule/default/create.yml +++ b/roles/ldap_server/molecule/default/create.yml @@ -2,7 +2,7 @@ - name: Create hosts: localhost connection: local - gather_facts: False + gather_facts: false no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" vars: molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" 
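Review bot: The re-wrapped `ldap_tls_ciphers` default still enables the CBC suites (`+AES-128-CBC`, `+AES-256-CBC`) next to the AEAD ones and uses `+CURVE-ALL`; since this hunk only splits the line, it is a cheap moment to tighten the default instead of carrying it forward. If no legacy consumer needs CBC, dropping `+AES-128-CBC:+AES-256-CBC` leaves only the GCM suites, and replacing `+CURVE-ALL` with `+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1` keeps the smaller curves out if the target's GnuTLS still offers them under `CURVE-ALL` (check the version shipped by the Debian release used in molecule.yml). A one-line comment above the key such as `# GnuTLS priority string; TLS 1.2 only, RSA signatures, (EC)DHE key exchange` would also save the next reader from decoding the string.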
diff --git a/roles/ldap_server/molecule/default/destroy.yml b/roles/ldap_server/molecule/default/destroy.yml index 3972a2df8fafe515b30a74f951499b83aae8449c..8f0a3703672765e77f4f1a3a8046a1f2b561a7a8 100644 --- a/roles/ldap_server/molecule/default/destroy.yml +++ b/roles/ldap_server/molecule/default/destroy.yml @@ -3,7 +3,7 @@ - name: Destroy hosts: localhost connection: local - gather_facts: False + gather_facts: false no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" vars: molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" diff --git a/roles/ldap_server/molecule/default/group_vars/backup-server.yml b/roles/ldap_server/molecule/default/group_vars/backup-server.yml new file mode 100644 index 0000000000000000000000000000000000000000..8640a838891ed582d4526d619c776bec92e791d2 --- /dev/null +++ b/roles/ldap_server/molecule/default/group_vars/backup-server.yml @@ -0,0 +1,11 @@ +--- + +backup_host_ssh_private_keys: + dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" + rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" + ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" + ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" +backup_clients: + - server: localhost + ip: 127.0.0.1 + public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" diff --git a/roles/ldap_server/molecule/default/group_vars/parameters-mandatory.yml b/roles/ldap_server/molecule/default/group_vars/parameters-mandatory.yml new file mode 100644 index 0000000000000000000000000000000000000000..018091ee40454e18dbf706cae65dee376c493cbd --- /dev/null +++ b/roles/ldap_server/molecule/default/group_vars/parameters-mandatory.yml 
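Review bot: `backup_host_ssh_private_keys` and `backup_clients` in this new group_vars file are repeated verbatim as role parameters on the `backup_server` play that this same patch adds to prepare.yml, and role parameters take precedence over group_vars, so this file never ends up being the source that wins. Keep one copy: either drop the inline parameters from the prepare.yml play so `- role: backup_server` picks these values up through the `backup-server` group, or delete this file. Whichever copy survives, a header such as `# Test-only SSH host keys and client key for the Molecule backup-server group; never reuse outside tests` makes the purpose of the checked-in private keys explicit.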
@@ -0,0 +1,16 @@ +--- + +ldap_admin_password: adminpassword + +# ldap_client +ldap_client_config: + - comment: CA truststore + option: TLS_CACERT + value: /etc/ssl/certs/testca.cert.pem + - comment: Ensure TLS is enforced + option: TLS_REQCERT + value: demand + +# common vars (not the role, global common) +tls_private_key_dir: tests/data/x509/ +tls_certificate_dir: tests/data/x509/ diff --git a/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml b/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml new file mode 100644 index 0000000000000000000000000000000000000000..f314afb3b879d58f0975d3121c691b2b7dbbb05d --- /dev/null +++ b/roles/ldap_server/molecule/default/group_vars/parameters-optional.yml 
@@ -0,0 +1,78 @@ +--- + +ldap_admin_password: adminpassword +ldap_entries: + - dn: uid=john,dc=local + attributes: + objectClass: + - inetOrgPerson + - simpleSecurityObject + userPassword: johnpassword + uid: john + cn: John Doe + sn: Doe + - dn: uid=jane,dc=local + attributes: + objectClass: + - inetOrgPerson + - simpleSecurityObject + userPassword: janepassword + uid: jane + cn: Jane Doe + sn: Doe + +ldap_permissions: + - > + to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by self write + by * read + by dn="cn=admin,dc=local" write + by * none + +ldap_server_consumers: + - name: consumer1 + password: consumer1password + - name: consumer2 + password: consumer2password + state: present + - name: consumer3 + password: consumer3password + state: absent + +ldap_server_groups: + - name: group1 + - name: group2 + state: present + - name: group3 + state: absent + +ldap_server_domain: "local" +ldap_server_organization: "Example" +ldap_server_log_level: 0 +ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}" +ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}" +ldap_server_ssf: 0 +ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\ ++SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" + +# ldap_client +ldap_client_config: + - comment: CA truststore + option: TLS_CACERT + value: /etc/ssl/certs/testca.cert.pem + - comment: Ensure TLS is enforced + option: TLS_REQCERT + value: demand + +# backup_client +enable_backup: true +backup_client_username: "bak-localhost" +backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}" +backup_server: localhost +backup_server_host_ssh_public_keys: + - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}" + - "{{ lookup('file', 
'tests/data/ssh/server_rsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}" +backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}" diff --git a/roles/ldap_server/molecule/default/molecule.yml b/roles/ldap_server/molecule/default/molecule.yml index f1ef8b50cc92847a2f7deea1787bb98cde3f5b8d..bb8d755ff50a383beb430a4d7bad31f197ae5eac 100644 --- a/roles/ldap_server/molecule/default/molecule.yml +++ b/roles/ldap_server/molecule/default/molecule.yml @@ -9,6 +9,8 @@ driver: lint: name: yamllint + options: + config-file: ../../.yamllint.yml platforms: @@ -37,6 +39,7 @@ platforms: - name: parameters-optional-jessie64 groups: - parameters-optional + - backup-server box: debian/contrib-jessie64 memory: 256 cpus: 1 diff --git a/roles/ldap_server/molecule/default/playbook.yml b/roles/ldap_server/molecule/default/playbook.yml index 0580673e76cdf8987c99773861711f7b1271402c..de7f80f63f00a32fc3b05f340dc035ef083bc220 100644 --- a/roles/ldap_server/molecule/default/playbook.yml +++ b/roles/ldap_server/molecule/default/playbook.yml 
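Review bot: In `ldap_permissions` the clause `by dn="cn=admin,dc=local" write` is unreachable: slapd walks the `by` clauses in order and stops at the first one that matches, and the preceding `by * read` matches every requester, so the admin clause and the trailing `by * none` are dead. If the intent is to grant the admin write access through the ACL, move it ahead of the catch-all: `by dn="cn=admin,dc=local" write` followed by `by * read`; if `cn=admin` is the rootdn it bypasses ACLs anyway and the clause can simply go, so the fixture does not advertise an ordering that does not work. Separately, `+VERS-TLS1.1` and `+SHA1` in this file's `ldap_tls_ciphers` weaken the role default; presumably that is deliberate to exercise the override, and a comment saying so (e.g. `# Intentionally weaker than the role default, only to verify the override is applied`) would stop it being copied into a real inventory.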
@@ -1,114 +1,6 @@ --- -- hosts: parameters-mandatory - become: yes +- hosts: parameters-mandatory,parameters-optional + become: true roles: - - role: ldap_server - ldap_admin_password: adminpassword - - # ldap_client - ldap_client_config: - - comment: CA truststore - option: TLS_CACERT - value: /etc/ssl/certs/testca.cert.pem - - comment: Ensure TLS is enforced - option: TLS_REQCERT - value: demand - - # common vars (not the role, global common) - tls_private_key_dir: tests/data/x509/ - tls_certificate_dir: tests/data/x509/ - -- hosts: parameters-optional - become: yes - roles: - - role: backup_server - backup_host_ssh_private_keys: - dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" - rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" - ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" - ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" - backup_clients: - - server: localhost - ip: 127.0.0.1 - public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" - -- hosts: parameters-optional - become: yes - roles: - - role: ldap_server - ldap_admin_password: adminpassword - ldap_entries: - - dn: uid=john,dc=local - attributes: - objectClass: - - inetOrgPerson - - simpleSecurityObject - userPassword: johnpassword - uid: john - cn: John Doe - sn: Doe - - dn: uid=jane,dc=local - attributes: - objectClass: - - inetOrgPerson - - simpleSecurityObject - userPassword: janepassword - uid: jane - cn: Jane Doe - sn: Doe - - ldap_permissions: - - > - to * - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage - by self write - by * read - by dn="cn=admin,dc=local" write - by * none - - ldap_server_consumers: - - name: consumer1 - password: consumer1password - - name: consumer2 - password: consumer2password - state: present - - name: consumer3 - password: consumer3password - state: absent - - ldap_server_groups: - - name: group1 - - name: group2 - state: present - - name: group3 - state: absent - - 
ldap_server_domain: "local" - ldap_server_organization: "Example" - ldap_server_log_level: 0 - ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}" - ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}" - ldap_server_ssf: 0 - ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" - - # ldap_client - ldap_client_config: - - comment: CA truststore - option: TLS_CACERT - value: /etc/ssl/certs/testca.cert.pem - - comment: Ensure TLS is enforced - option: TLS_REQCERT - value: demand - - # backup_client - enable_backup: yes - backup_client_username: "bak-localhost" - backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}" - backup_server: localhost - backup_server_host_ssh_public_keys: - - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}" - - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}" - backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}" + - ldap_server diff --git a/roles/ldap_server/molecule/default/prepare.yml b/roles/ldap_server/molecule/default/prepare.yml index 53a41ad097f7ba71e05380e927379daa31c17ecb..9f733d49f5f2769e874ce7ca66862f6b40380f0a 100644 --- a/roles/ldap_server/molecule/default/prepare.yml +++ b/roles/ldap_server/molecule/default/prepare.yml 
@@ -2,21 +2,21 @@ - name: Prepare hosts: all - gather_facts: False + gather_facts: false tasks: - name: Install python for Ansible raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal) - become: True - changed_when: False + become: true + changed_when: false - hosts: all - become: yes + become: true tasks: - name: Update all caches to avoid errors due to missing remote archives apt: - update_cache: yes - changed_when: False + update_cache: true + changed_when: false - name: Deploy CA certificate copy: @@ -27,16 +27,16 @@ mode: 0644 - hosts: client - become: yes + become: true tasks: - name: Install tool for teting TCP connectivity apt: name: hping3 - state: installed + state: present - hosts: parameters-optional - become: yes + become: true tasks: - name: Set-up the hosts file @@ -52,7 +52,7 @@ 127.0.2.1: parameters-optional - hosts: parameters-mandatory - become: yes + become: true tasks: - name: Set-up the hosts file @@ -66,3 +66,24 @@ state: present with_dict: 127.0.2.1: parameters-mandatory.local + +- hosts: backup-server + become: true + roles: + - role: backup_server + backup_host_ssh_private_keys: + dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" + rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" + ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" + ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" + backup_clients: + - server: localhost + ip: 127.0.0.1 + public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" + +- hosts: parameters-mandatory,parameters-optional + become: true + tasks: + + - name: Rename the ss utility (see https://github.com/philpep/testinfra/pull/320) + command: "mv /bin/ss /bin/ss.bak" diff --git a/roles/ldap_server/molecule/default/tests/test_backup.py b/roles/ldap_server/molecule/default/tests/test_backup.py index 9dbbe9cb39d72c7a2e481113ec4dc08c63ec77b9..68155328db3fe5776bf0288a0583afdc20fcc069 100644 
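Review bot: The new `Rename the ss utility` task is not idempotent: on a second `molecule prepare`, or any re-run of this play, `/bin/ss` is already gone and `mv` fails the play. Guard it so it runs only once, e.g. `command: "mv /bin/ss /bin/ss.bak"` with `args:` / `  creates: /bin/ss.bak`. A reader otherwise sees a play removing a system binary with only a URL for context, so a comment such as `# Workaround: with ss present testinfra's Socket checks mis-report unix sockets (testinfra#320); hide it so the netstat path is used` would help, hedged to whatever the linked PR actually describes.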
--- a/roles/ldap_server/molecule/default/tests/test_backup.py +++ b/roles/ldap_server/molecule/default/tests/test_backup.py @@ -1,7 +1,10 @@ +import os + import testinfra.utils.ansible_runner + testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory.yml').get_hosts('parameters-optional') + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-optional']) def test_database_dump_directory(host): diff --git a/roles/ldap_server/molecule/default/tests/test_client.py b/roles/ldap_server/molecule/default/tests/test_client.py index 6216013577789e1275c828e86e3faa2844c5826c..2523eb8801db58ce3e396c5d80780f962428e4a5 100644 --- a/roles/ldap_server/molecule/default/tests/test_client.py +++ b/roles/ldap_server/molecule/default/tests/test_client.py @@ -1,7 +1,10 @@ +import os + import testinfra.utils.ansible_runner + testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory.yml').get_hosts('client') + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['client']) def test_connectivity(host): diff --git a/roles/ldap_server/molecule/default/tests/test_default.py b/roles/ldap_server/molecule/default/tests/test_default.py index a102032891a7b02356e1d62e07e9e255bc49173d..1f1f5f1c1e22f709f09c8eacb107be6631314a2d 100644 --- a/roles/ldap_server/molecule/default/tests/test_default.py +++ b/roles/ldap_server/molecule/default/tests/test_default.py @@ -1,8 +1,10 @@ +import os + import testinfra.utils.ansible_runner + testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory.yml').get_hosts('all') -testinfra_hosts.remove("client") + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-mandatory', 'parameters-optional']) def test_installed_packages(host): 
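Review bot: The new `testinfra_hosts` line in test_default.py runs to roughly 100 columns, which trips flake8's default E501 limit (79) if Molecule's verifier lint is left at its defaults; the sibling modules stay short only because they pass a single group. Split the call, e.g. `    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(` followed by `        ['parameters-mandatory', 'parameters-optional'])`. Reading `os.environ['MOLECULE_INVENTORY_FILE']` directly matches Molecule's own template, but the resulting bare `KeyError` when pytest is run outside Molecule is opaque; if that matters for local runs, the same one-line change applies to all five test modules.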
diff --git a/roles/ldap_server/molecule/default/tests/test_mandatory.py b/roles/ldap_server/molecule/default/tests/test_mandatory.py index bd71bf392ec74321c075713d883a6973caf0c46c..afff428a4b6abebf66c41d9742470fc4a4ac18f9 100644 --- a/roles/ldap_server/molecule/default/tests/test_mandatory.py +++ b/roles/ldap_server/molecule/default/tests/test_mandatory.py @@ -1,7 +1,10 @@ +import os + import testinfra.utils.ansible_runner + testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory') + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-mandatory']) def test_base_entry(host): diff --git a/roles/ldap_server/molecule/default/tests/test_optional.py b/roles/ldap_server/molecule/default/tests/test_optional.py index e4bcb84e58b12c5bc2a142acdcc8a9f6fe69f5a8..684ca5150dce408f0b7dc7bd966f70e5b5fb1450 100644 --- a/roles/ldap_server/molecule/default/tests/test_optional.py +++ b/roles/ldap_server/molecule/default/tests/test_optional.py @@ -1,7 +1,10 @@ +import os + import testinfra.utils.ansible_runner + testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory.yml').get_hosts('parameters-optional') + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-optional']) def test_base_entry(host): diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index e3397c0d6f598be807cd95ff5e9275036b1cb4c0..4abcd1b679495e9ef59210b1da9c8392ffb54662 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -17,12 +17,12 @@ - name: Install slapd apt: name: slapd - state: installed + state: present - name: Allow OpenLDAP user to traverse the directory with TLS private keys user: name: openldap - append: yes + append: true groups: ssl-cert register: openldap_in_ssl_cert 
@@ -41,13 +41,13 @@ - name: Install Python LDAP bindings apt: name: python-ldap - state: installed + state: present - name: Set-up LDAP server to listen on legacy SSL port lineinfile: dest: /etc/default/slapd state: present - backrefs: yes + backrefs: true regexp: '^SLAPD_SERVICES=.*' line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"' notify: @@ -240,13 +240,13 @@ owner: root group: root mode: 0400 - changed_when: False + changed_when: false - name: Test if LDAP admin password needs to be changed command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password" register: ldap_admin_password_check changed_when: ldap_admin_password_check.rc != 0 - failed_when: False + failed_when: false - name: Update LDAP admin password command: "ldappasswd -Y EXTERNAL -H ldapi:/// 'cn=admin,{{ ldap_server_int_basedn }}' -T /root/.ldap_admin_password" @@ -256,7 +256,7 @@ file: path: "/root/.ldap_admin_password" state: absent - changed_when: False + changed_when: false - name: Enable backup include: backup.yml
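Review bot: The task that removes `/root/.ldap_admin_password` only runs if the preceding `Update LDAP admin password` task succeeds; if `ldappasswd` fails (slapd not yet listening on `ldapi:///`, EXTERNAL bind rejected) the play aborts and the plaintext admin password stays on disk, mitigated only by the `0400` root-owned mode set just above. Wrap the write, check, update and removal in a `block:` with the `file: state: absent` task under `always:` so the secret is cleaned up on every exit path. A related nit in the check task: `failed_when: false` together with `changed_when: ldap_admin_password_check.rc != 0` treats any `ldapwhoami` failure, a missing socket as much as a wrong password, as "needs changing", so a transient outage triggers a password rewrite; comparing `rc` against the LDAP invalidCredentials result code (49) would narrow it. The task list these steps belong to starts outside the hunk, so the block boundary has to be chosen against the full file.
```yaml
- name: Set LDAP admin password
  block:
    # … unchanged: write /root/.ldap_admin_password, ldapwhoami check, ldappasswd update …
  always:
    - name: Remove the LDAP admin password file
      file:
        path: "/root/.ldap_admin_password"
        state: absent
      changed_when: false
```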