majic-ansible-roles Changeset

Changeset - c082a26b62ff

Parent rev.

Child rev.

[Not reviewed]

0 12 3

Branko Majic (branko) - 6 years ago 2018-05-29 23:13:58
branko@majic.rs

MAR-129: Updated ldap_server role for new Molecule and Ansible:

- Fixed syntax warnings.
- Moved test playbook variables into group_vars.
- Optimised the invocation of test playbook.
- Remove the 'ss' utility from test machines in order to properly test
the unix sockets.
- Fixed how the hosts are being referenced in tests.

15 files changed with 174 insertions and 138 deletions:

roles/ldap_server/defaults/main.yml

roles/ldap_server/molecule/default/create.yml

roles/ldap_server/molecule/default/destroy.yml

roles/ldap_server/molecule/default/group_vars/backup-server.yml

roles/ldap_server/molecule/default/group_vars/parameters-mandatory.yml

roles/ldap_server/molecule/default/group_vars/parameters-optional.yml

roles/ldap_server/molecule/default/molecule.yml

roles/ldap_server/molecule/default/playbook.yml

111

roles/ldap_server/molecule/default/prepare.yml

roles/ldap_server/molecule/default/tests/test_backup.py

roles/ldap_server/molecule/default/tests/test_client.py

roles/ldap_server/molecule/default/tests/test_default.py

roles/ldap_server/molecule/default/tests/test_mandatory.py

roles/ldap_server/molecule/default/tests/test_optional.py

roles/ldap_server/tasks/main.yml

0 comments (0 inline, 0 general)

roles/ldap_server/defaults/main.yml

➞

Show inline comments

 ---
-enable_backup: False
+enable_backup: false
 ldap_entries: []
 ldap_server_domain: "{{ ansible_domain }}"
 # Internal value, base DN.
@@ @@ -33,4 +33,5 @@ ldap_permissions: @@
     by users read
     by * none
 ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\
 +SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"

roles/ldap_server/molecule/default/create.yml

➞

Show inline comments

@@ @@ -2,7 +2,7 @@ @@
 - name: Create
   hosts: localhost
   connection: local
-  gather_facts: False
+  gather_facts: false
   no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
   vars:
     molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

roles/ldap_server/molecule/default/destroy.yml

➞

Show inline comments

@@ @@ -3,7 +3,7 @@ @@
 - name: Destroy
   hosts: localhost
   connection: local
-  gather_facts: False
+  gather_facts: false
   no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
   vars:
     molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

roles/ldap_server/molecule/default/group_vars/backup-server.yml

➞

Show inline comments

@@ new file 100644 @@
 ---
 backup_host_ssh_private_keys:
   dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
   rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
   ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
   ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 backup_clients:
   - server: localhost
     ip: 127.0.0.1
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

roles/ldap_server/molecule/default/group_vars/parameters-mandatory.yml

➞

Show inline comments

@@ new file 100644 @@
 ---
 ldap_admin_password: adminpassword
 # ldap_client
 ldap_client_config:
   - comment: CA truststore
     option: TLS_CACERT
     value: /etc/ssl/certs/testca.cert.pem
   - comment: Ensure TLS is enforced
     option: TLS_REQCERT
     value: demand
 # common vars (not the role, global common)
 tls_private_key_dir: tests/data/x509/
 tls_certificate_dir: tests/data/x509/

roles/ldap_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

@@ new file 100644 @@
 ---
 ldap_admin_password: adminpassword
 ldap_entries:
   - dn: uid=john,dc=local
     attributes:
       objectClass:
         - inetOrgPerson
         - simpleSecurityObject
       userPassword: johnpassword
       uid: john
       cn: John Doe
       sn: Doe
   - dn: uid=jane,dc=local
     attributes:
       objectClass:
         - inetOrgPerson
         - simpleSecurityObject
       userPassword: janepassword
       uid: jane
       cn: Jane Doe
       sn: Doe
 ldap_permissions:
   - >
     to *
     by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
     by self write
     by * read
     by dn="cn=admin,dc=local" write
     by * none
 ldap_server_consumers:
   - name: consumer1
     password: consumer1password
   - name: consumer2
     password: consumer2password
     state: present
   - name: consumer3
     password: consumer3password
     state: absent
 ldap_server_groups:
   - name: group1
   - name: group2
     state: present
   - name: group3
     state: absent
 ldap_server_domain: "local"
 ldap_server_organization: "Example"
 ldap_server_log_level: 0
 ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}"
 ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}"
 ldap_server_ssf: 0
 ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\
 +SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 # ldap_client
 ldap_client_config:
   - comment: CA truststore
     option: TLS_CACERT
     value: /etc/ssl/certs/testca.cert.pem
   - comment: Ensure TLS is enforced
     option: TLS_REQCERT
     value: demand
 # backup_client
 enable_backup: true
 backup_client_username: "bak-localhost"
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 backup_server: localhost
 backup_server_host_ssh_public_keys:
   - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
   - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
   - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
   - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
 backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"

roles/ldap_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -9,6 +9,8 @@ driver: @@
 lint:
   name: yamllint
   options:
     config-file: ../../.yamllint.yml
 platforms:
@@ @@ -37,6 +39,7 @@ platforms: @@
   - name: parameters-optional-jessie64
     groups:
       - parameters-optional
       - backup-server
     box: debian/contrib-jessie64
     memory: 256
     cpus: 1

roles/ldap_server/molecule/default/playbook.yml

➞

Show inline comments

 ---
 - hosts: parameters-mandatory
   become: yes
 - hosts: parameters-mandatory,parameters-optional
   become: true
   roles:
     - role: ldap_server
       ldap_admin_password: adminpassword
       # ldap_client
       ldap_client_config:
         - comment: CA truststore
           option: TLS_CACERT
           value: /etc/ssl/certs/testca.cert.pem
         - comment: Ensure TLS is enforced
           option: TLS_REQCERT
           value: demand
       # common vars (not the role, global common)
       tls_private_key_dir: tests/data/x509/
       tls_certificate_dir: tests/data/x509/
 - hosts: parameters-optional
   become: yes
   roles:
     - role: backup_server
       backup_host_ssh_private_keys:
         dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
         rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
         ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
         ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
       backup_clients:
         - server: localhost
           ip: 127.0.0.1
           public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 - hosts: parameters-optional
   become: yes
   roles:
     - role: ldap_server
       ldap_admin_password: adminpassword
       ldap_entries:
         - dn: uid=john,dc=local
           attributes:
             objectClass:
               - inetOrgPerson
               - simpleSecurityObject
             userPassword: johnpassword
             uid: john
             cn: John Doe
             sn: Doe
         - dn: uid=jane,dc=local
           attributes:
             objectClass:
               - inetOrgPerson
               - simpleSecurityObject
             userPassword: janepassword
             uid: jane
             cn: Jane Doe
             sn: Doe
       ldap_permissions:
         - >
           to *
           by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
           by self write
           by * read
           by dn="cn=admin,dc=local" write
           by * none
       ldap_server_consumers:
         - name: consumer1
           password: consumer1password
         - name: consumer2
           password: consumer2password
           state: present
         - name: consumer3
           password: consumer3password
           state: absent
       ldap_server_groups:
         - name: group1
         - name: group2
           state: present
         - name: group3
           state: absent
       ldap_server_domain: "local"
       ldap_server_organization: "Example"
       ldap_server_log_level: 0
       ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}"
       ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}"
       ldap_server_ssf: 0
       ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
       # ldap_client
       ldap_client_config:
         - comment: CA truststore
           option: TLS_CACERT
           value: /etc/ssl/certs/testca.cert.pem
         - comment: Ensure TLS is enforced
           option: TLS_REQCERT
           value: demand
       # backup_client
       enable_backup: yes
       backup_client_username: "bak-localhost"
       backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
       backup_server: localhost
       backup_server_host_ssh_public_keys:
         - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
         - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
         - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
         - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
       backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"
     - ldap_server

roles/ldap_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -2,21 +2,21 @@ @@
 - name: Prepare
   hosts: all
-  gather_facts: False
+  gather_facts: false
   tasks:
     - name: Install python for Ansible
       raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
       become: True
       changed_when: False
       become: true
       changed_when: false
 - hosts: all
-  become: yes
+  become: true
   tasks:
     - name: Update all caches to avoid errors due to missing remote archives
       apt:
         update_cache: yes
       changed_when: False
         update_cache: true
       changed_when: false
     - name: Deploy CA certificate
       copy:
@@ @@ -27,16 +27,16 @@ @@
         mode: 0644
 - hosts: client
-  become: yes
+  become: true
   tasks:
     - name: Install tool for teting TCP connectivity
       apt:
         name: hping3
-        state: installed
+        state: present
 - hosts: parameters-optional
-  become: yes
+  become: true
   tasks:
     - name: Set-up the hosts file
@@ @@ -52,7 +52,7 @@ @@
 .0.2.1: parameters-optional
 - hosts: parameters-mandatory
-  become: yes
+  become: true
   tasks:
     - name: Set-up the hosts file
@@ @@ -66,3 +66,24 @@ @@
         state: present
       with_dict:
 .0.2.1: parameters-mandatory.local
 - hosts: backup-server
   become: true
   roles:
     - role: backup_server
       backup_host_ssh_private_keys:
         dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
         rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
         ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
         ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
       backup_clients:
         - server: localhost
           ip: 127.0.0.1
           public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 - hosts: parameters-mandatory,parameters-optional
   become: true
   tasks:
   - name: Rename the ss utility (see https://github.com/philpep/testinfra/pull/320)
     command: "mv /bin/ss /bin/ss.bak"

roles/ldap_server/molecule/default/tests/test_backup.py

➞

Show inline comments

 import os
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    '.molecule/ansible_inventory.yml').get_hosts('parameters-optional')
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-optional'])
 def test_database_dump_directory(host):

roles/ldap_server/molecule/default/tests/test_client.py

➞

Show inline comments

 import os
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    '.molecule/ansible_inventory.yml').get_hosts('client')
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['client'])
 def test_connectivity(host):

roles/ldap_server/molecule/default/tests/test_default.py

➞

Show inline comments

 import os
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     '.molecule/ansible_inventory.yml').get_hosts('all')
 testinfra_hosts.remove("client")
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-mandatory', 'parameters-optional'])
 def test_installed_packages(host):

roles/ldap_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

 import os
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory')
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-mandatory'])
 def test_base_entry(host):

roles/ldap_server/molecule/default/tests/test_optional.py

➞

Show inline comments

 import os
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    '.molecule/ansible_inventory.yml').get_hosts('parameters-optional')
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-optional'])
 def test_base_entry(host):

roles/ldap_server/tasks/main.yml

➞

Show inline comments

@@ @@ -17,12 +17,12 @@ @@
 - name: Install slapd
   apt:
     name: slapd
-    state: installed
+    state: present
 - name: Allow OpenLDAP user to traverse the directory with TLS private keys
   user:
     name: openldap
-    append: yes
+    append: true
     groups: ssl-cert
   register: openldap_in_ssl_cert
@@ @@ -41,13 +41,13 @@ @@
 - name: Install Python LDAP bindings
   apt:
     name: python-ldap
-    state: installed
+    state: present
 - name: Set-up LDAP server to listen on legacy SSL port
   lineinfile:
     dest: /etc/default/slapd
     state: present
-    backrefs: yes
+    backrefs: true
     regexp: '^SLAPD_SERVICES=.*'
     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
   notify:
@@ @@ -240,13 +240,13 @@ @@
     owner: root
     group: root
     mode: 0400
-  changed_when: False
+  changed_when: false
 - name: Test if LDAP admin password needs to be changed
   command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"
   register: ldap_admin_password_check
   changed_when: ldap_admin_password_check.rc != 0
-  failed_when: False
+  failed_when: false
 - name: Update LDAP admin password
   command: "ldappasswd -Y EXTERNAL -H ldapi:/// 'cn=admin,{{ ldap_server_int_basedn }}' -T /root/.ldap_admin_password"
@@ @@ -256,7 +256,7 @@ @@
   file:
     path: "/root/.ldap_admin_password"
     state: absent
-  changed_when: False
+  changed_when: false
 - name: Enable backup
   include: backup.yml

0 comments (0 inline, 0 general)