From dd52e48925573527b5c21b9b22400499cb83f221 Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Mon, 27 Feb 2017 20:43:07 +0100
Subject: [PATCH] Prepare vagrant centos/7 box for role testing
This will fix the follwing issues when using the centos/7 box for role testing:
* TASK [../../../openstack-ansible-security : V-38476 ... fatal: [centos7]: FAILED! => {"changed": false, "failed": true, "msg": "Missing CentOS 7 GPG keys"} The required gpg-pubkey packages are created after the import of the provided signing keys in /etc/pki/rpm-gpg.
* TASK [../../../openstack-ansible-security : V-38574 ... fatal: [centos7]: FAILED! => {"changed": false, "failed": true, "msg": "Must use SHA512 for password hashing (via PAM)"} sha512 instead of md5 has to be used in /etc/pam.d/password-auth
* TASK [../../../openstack-ansible-security : Check password hashing algorithm used in login.defs (for V-38576)] *** fatal: [centos7]: FAILED! => {"changed": true, "cmd": "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs", ... sha512 instead of md5 has to be used in /etc/login.defs
Change-Id: Ia40119dbf933b8102001cfe914312b17632bcf65
Co-authored-by: David Rabel
---
 Vagrantfile | 9 +++++++++
 tests/vagrant.yml | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/Vagrantfile b/Vagrantfile
index 09adb7ba..4a9f4ade 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -15,6 +15,9 @@ Vagrant.configure("2") do |config|
 ansible.skip_tags = ['V-38496']
 # we need to run as sudo for a lot of the checks ansible-security runs
 ansible.raw_arguments = ['-s']
+ ansible.groups = {
+ "ubuntu" => ["ubuntu1404"]
+ }
 end
 end
@@ -30,6 +33,9 @@ Vagrant.configure("2") do |config|
 ansible.skip_tags = ['V-38496']
 # we need to run as sudo for a lot of the checks ansible-security runs
 ansible.raw_arguments = ['-s']
+ ansible.groups = {
+ "ubuntu" => ["ubuntu1604"]
+ }
 end
 end
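Review bot: The `ansible.groups` mappings added in all three Vagrantfile hunks carry no comment saying why they exist, and only the `centos` group is referenced by the play this commit adds to tests/vagrant.yml; the `ubuntu` groups in the ubuntu1404 and ubuntu1604 blocks look unused as far as the visible playbook change shows. A one-line comment above each mapping, such as `# inventory group used by tests/vagrant.yml to target box-specific preparation plays`, would make the coupling to the playbook explicit. The provisioner blocks begin outside the hunks, so other uses of these groups cannot be ruled out from here.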
@@ -45,6 +51,9 @@ Vagrant.configure("2") do |config|
 ansible.skip_tags = ['V-38496']
 # we need to run as sudo for a lot of the checks ansible-security runs
 ansible.raw_arguments = ['-s']
+ ansible.groups = {
+ "centos" => ["centos7"]
+ }
 end
 end
 end
diff --git a/tests/vagrant.yml b/tests/vagrant.yml
index 040006ba..04426455 100644
--- a/tests/vagrant.yml
+++ b/tests/vagrant.yml
@@ -13,6 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+- name: Prepare centos/7 box for role testing
+ hosts: centos
+ tasks:
+ - name: Import all archive signing keys from /etc/pki/rpm-gpg
+ shell: rpm --import /etc/pki/rpm-gpg/*
+
+ - name: Use sha512 instead of md5 as password hashing algorithm
+ shell: authconfig --passalgo=sha512 --update
+
 - name: Playbook for role testing
 hosts: all
 roles:
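Review bot: The `rpm --import /etc/pki/rpm-gpg/*` task trusts every key file present in that directory, not only the release key that the V-38476 check presumably needs. On a stock centos/7 image the directory normally also ships debug and testing keys, so the glob widens the set of signers rpm will accept. Importing just the release key, e.g. `rpm_key: key=/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 state=present`, keeps the trust set minimal and makes the task idempotent. The authconfig task uses no shell features, so `command: authconfig --passalgo=sha512 --update` is sufficient. It is also worth a comment that this only changes how new hashes are created, so any md5 entries already in /etc/shadow remain until those passwords are reset.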