openstack/ansible-hardening
Code Issues Proposed changes

Use centralised Ansible test scripts

Browse Source 
This patch consumes the centralised Ansible test scripts
implemented in https://review.openstack.org/381853

Depends-On: I5c1f2f0949d6b7ad7bfc4151257b081728ba956f
Depends-On: Ie379de765c6ebba958ce8e7f9dc27b7a3af74ff8
Change-Id: Ib7fe11b666322b11b1e30dea775304fd5d236f2f
This commit is contained in:
Major Hayden 2016-10-10 08:56:20 -05:00
parent c9062167b2
commit 90c363031e
5 changed files with 29 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
tasks/main.yml
View File

@ -56,7 +56,6 @@
tags: tags:
- always - always
- include: rhel6stig/main.yml - include: rhel6stig/main.yml
when: when:
- stig_version == 'rhel6' - stig_version == 'rhel6'

1
tasks/rhel6stig/apt.yml
View File

@ -103,6 +103,7 @@
dest: /etc/apt/apt.conf.d/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";' regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
line: 'Unattended-Upgrade::Mail "root";' line: 'Unattended-Upgrade::Mail "root";'
create: yes
when: when:
- security_unattended_upgrades_enabled | bool - security_unattended_upgrades_enabled | bool
- security_unattended_upgrades_notifications | bool - security_unattended_upgrades_notifications | bool

5
tests/test.yml
View File

@ -32,6 +32,7 @@
path: /etc/apt/apt.conf.d/20auto-upgrades path: /etc/apt/apt.conf.d/20auto-upgrades
register: auto_upgrades_file register: auto_upgrades_file
when: when:
- not check_mode
- stig_version == 'rhel6' - stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt' - ansible_pkg_mgr == 'apt'
- name: Slurp contents of 50unattended-upgrades file - name: Slurp contents of 50unattended-upgrades file
@ -39,12 +40,14 @@
src: /etc/apt/apt.conf.d/50unattended-upgrades src: /etc/apt/apt.conf.d/50unattended-upgrades
register: unattended_upgrades_file_encoded register: unattended_upgrades_file_encoded
when: when:
- not check_mode
- stig_version == 'rhel6' - stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt' - ansible_pkg_mgr == 'apt'
- name: Decode slurp'd 50-unattended-upgrades file - name: Decode slurp'd 50-unattended-upgrades file
set_fact: set_fact:
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}" unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
when: when:
- not check_mode
- stig_version == 'rhel6' - stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt' - ansible_pkg_mgr == 'apt'
- name: Ensure auto updates has been enabled - name: Ensure auto updates has been enabled
@ -52,6 +55,7 @@
that: that:
- auto_upgrades_file.stat.exists - auto_upgrades_file.stat.exists
when: when:
- not check_mode
- stig_version == 'rhel6' - stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt' - ansible_pkg_mgr == 'apt'
- name: Ensure that auto update notifications has been enabled - name: Ensure that auto update notifications has been enabled
@ -59,6 +63,7 @@
that: that:
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file" - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
when: when:
- not check_mode
- stig_version == 'rhel6' - stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt' - ansible_pkg_mgr == 'apt'
roles: roles:

19
tests/test_check.yml
View File

@ -1,19 +0,0 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Playbook for role testing (check mode)
hosts: localhost
roles:
- role: "openstack-ansible-security"

87
tox.ini
View File

@ -25,6 +25,8 @@ whitelist_externals =
setenv = setenv =
PYTHONUNBUFFERED=1 PYTHONUNBUFFERED=1
ROLE_NAME=openstack-ansible-security ROLE_NAME=openstack-ansible-security
TEST_CHECK_MODE=true
TEST_IDEMPOTENCE=true
VIRTUAL_ENV={envdir} VIRTUAL_ENV={envdir}
WORKING_DIR={toxinidir} WORKING_DIR={toxinidir}
@ -84,28 +86,22 @@ commands =
deps = deps =
{[testenv]deps} {[testenv]deps}
-rhttp://git.openstack.org/cgit/openstack/openstack-ansible-tests/plain/test-ansible-deps.txt -rhttp://git.openstack.org/cgit/openstack/openstack-ansible-tests/plain/test-ansible-deps.txt
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-env-prep.sh"
[testenv:ansible-syntax] [testenv:ansible-syntax]
deps = deps =
{[testenv:ansible]deps} {[testenv:ansible]deps}
commands = commands =
{[testenv:ansible]commands} {[testenv:tests_clone]commands}
ansible-playbook -i {toxinidir}/tests/inventory \ bash -c "{toxinidir}/tests/common/test-ansible-syntax.sh"
--syntax-check \
--list-tasks \
{toxinidir}/tests/test.yml
[testenv:ansible-lint] [testenv:ansible-lint]
deps = deps =
{[testenv:ansible]deps} {[testenv:ansible]deps}
commands = commands =
{[testenv:ansible]commands} {[testenv:tests_clone]commands}
ansible-lint {toxinidir} bash -c "{toxinidir}/tests/common/test-ansible-lint.sh"
[testenv:func_base] [testenv:func_base]
@ -116,17 +112,7 @@ install_command =
pip install -U --force-reinstall {opts} {packages} pip install -U --force-reinstall {opts} {packages}
[testenv:func_logs]
commands =
bash -c "{toxinidir}/tests/common/test-log-collect.sh"
[testenv:functional] [testenv:functional]
# Ignore_errors is set to true so that the logs are collected at the
# end of the run. This will not produce a false positive. Any
# exception will be mark the run as failed and exit 1 after all of
# the commands have been iterated through.
ignore_errors = True
# NOTE(odyssey4me): this target does not use constraints because # NOTE(odyssey4me): this target does not use constraints because
# it doesn't work in OpenStack-CI yet. Once that's fixed, we can # it doesn't work in OpenStack-CI yet. Once that's fixed, we can
# drop the install_command. # drop the install_command.
@ -134,38 +120,23 @@ install_command =
{[testenv:func_base]install_command} {[testenv:func_base]install_command}
deps = deps =
{[testenv:ansible]deps} {[testenv:ansible]deps}
commands = setenv =
{[testenv:ansible]commands} {[testenv]setenv}
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
# building images with apt config # building images with apt config
# Apt::Get::AllowUnauthenticated set to true. # Apt::Get::AllowUnauthenticated set to true.
# NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in # NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in
# the images. This can be added back in once # the images. This can be added back in once
# https://review.openstack.org/#/c/354819/ merges. # https://review.openstack.org/354819 merges.
# NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd # NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
# running in the gate images. # running in the gate images.
ansible-playbook --check \ ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620
-i {toxinidir}/tests/inventory \ commands =
--skip-tag V-38462,V-38660,V-38620 \ {[testenv:tests_clone]commands}
{toxinidir}/tests/test_check.yml bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
ansible-playbook -i {toxinidir}/tests/inventory \
--skip-tag V-38462,V-38660,V-38620 \
{toxinidir}/tests/test.yml
bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
--skip-tag V-38462,V-38660,V-38620 \
{toxinidir}/tests/test.yml \
| tee /tmp/idempotence_test_output.txt'
bash -c 'grep -q "changed=0.*failed=0" /tmp/idempotence_test_output.txt \
&& (echo "Idempotence test: pass" && exit 0) \
|| (echo "Idempotence test: fail" && exit 1)'
{[testenv:func_logs]commands}
[testenv:func_rhel7] [testenv:func_rhel7]
# Ignore_errors is set to true so that the logs are collected at the
# end of the run. This will not produce a false positive. Any
# exception will be mark the run as failed and exit 1 after all of
# the commands have been iterated through.
ignore_errors = True
# NOTE(odyssey4me): this target does not use constraints because # NOTE(odyssey4me): this target does not use constraints because
# it doesn't work in OpenStack-CI yet. Once that's fixed, we can # it doesn't work in OpenStack-CI yet. Once that's fixed, we can
# drop the install_command. # drop the install_command.
@ -173,32 +144,20 @@ install_command =
{[testenv:func_base]install_command} {[testenv:func_base]install_command}
deps = deps =
{[testenv:ansible]deps} {[testenv:ansible]deps}
commands = setenv =
{[testenv:ansible]commands} {[testenv]setenv}
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
# building images with apt config # building images with apt config
# Apt::Get::AllowUnauthenticated set to true. # Apt::Get::AllowUnauthenticated set to true.
# NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in # NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in
# the images. This can be added back in once # the images. This can be added back in once
# https://review.openstack.org/#/c/354819/ merges. # https://review.openstack.org/354819 merges.
ansible-playbook --check \ # NOTE(mhayden): Skipping V-38620 since chrony cannot start with ntpd
-i {toxinidir}/tests/inventory \ # running in the gate images.
-e "stig_version=rhel7" \ ANSIBLE_PARAMETERS=--skip-tags V-38462,V-38660,V-38620 -e 'stig_version=rhel7'
--skip-tag V-38462,V-38660 \ commands =
{toxinidir}/tests/test_check.yml {[testenv:tests_clone]commands}
ansible-playbook -i {toxinidir}/tests/inventory \ bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
-e "stig_version=rhel7" \
--skip-tag V-38462,V-38660 \
{toxinidir}/tests/test.yml
bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
-e "stig_version=rhel7" \
--skip-tag V-38462,V-38660 \
{toxinidir}/tests/test.yml \
| tee /tmp/idempotence_test_output.txt'
bash -c 'grep -q "changed=0.*failed=0" /tmp/idempotence_test_output.txt \
&& (echo "Idempotence test: pass" && exit 0) \
|| (echo "Idempotence test: fail" && exit 1)'
{[testenv:func_logs]commands}
[testenv:linters] [testenv:linters]