Add hardening specific variables to tests

In order to fully test hardening role we need to enable as much tasks as we can. So we add extra set of variables, that might be not enabled by default Change-Id: I0d6ba3632962ef1b6ecf865489846a95b46f6a30
2021-05-21 17:27:02 +03:00 · 2021-05-21 17:27:02 +03:00 · 1d5824ddc4
commit 1d5824ddc4
parent 82e3d013fe
3 changed files with 44 additions and 0 deletions
--- a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
+++ b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
@ -188,6 +188,9 @@
    - src: user_variables_horizon.yml.j2
      dest: user_variables_horizon.yml
      condition: "{{ 'horizon' in bootstrap_host_scenarios }}"
+    - src: user_variables_hardening.yml.j2
+      dest: user_variables_hardening.yml
+      condition: "{{ 'hardening' in bootstrap_host_scenarios_expanded }}"

 - name: Copy modified cinder-volume env.d file for ceph scenario
  copy:
--- a/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2
@ -0,0 +1,29 @@
+---
+
+security_disable_account_if_password_expires: yes
+security_enable_firewalld: yes
+security_pwquality_apply_rules: yes
+security_enable_pwquality_password_set: yes
+security_lock_session: yes
+security_pwquality_require_minimum_password_length: yes
+security_package_clean_on_remove: yes
+security_pam_faillock_enable: yes
+security_password_remember_password: 5
+security_reset_perm_ownership: yes
+security_require_grub_authentication: yes
+security_rhel7_automatic_package_updates: yes
+security_rhel7_initialize_aide: yes
+security_rhel7_remove_shosts_files: yes
+security_search_for_invalid_owner: yes
+security_search_for_invalid_group_owner: yes
+security_set_home_directory_permissions_and_owners: yes
+security_set_minimum_password_lifetime: yes
+security_unattended_upgrades_enabled: yes
+security_unattended_upgrades_notifications: yes
+# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
+# to be some work done to figure out how to install EPEL for use with
+# this role without causing disruptions on the system.
+security_enable_virus_scanner: no
+security_run_virus_scanner_update: no
+# Enable the contrib tasks.
+security_contrib_enabled: yes
--- a/zuul.d/playbooks/pre-gate-scenario.yml
+++ b/zuul.d/playbooks/pre-gate-scenario.yml
@ -41,6 +41,14 @@
          {%     set role_service_name = zuul.project.short_name |
                                       regex_replace('^openstack-ansible-os_(.*)$', '\\1')
          %}
+          {%   elif zuul.project.short_name is match('^ansible-role-(.*)$') %}
+          {%     set role_service_name = zuul.project.short_name |
+                                       regex_replace('^ansible-role-(.*)$', '\\1')
+          %}
+          {%   elif zuul.project.short_name == 'ansible-hardening' %}
+          {%     set role_service_name = 'hardening' %}
+          {%   endif %}
+          {%   if role_service_name is defined %}
          {%     set _ = _scenario.append(role_service_name) %}
          {#     Add special scenarios based on the project name #}
          {%     if role_service_name in scenario_map %}
@ -58,6 +66,10 @@
          %}
          {%     endif%}
          {%   endfor %}
+          {# Hardening role is special as our regular filters don't work for it #}
+          {%   if zuul.project.short_name == 'ansible-hardening' %}
+          {%     set _ = _scenario.append('hardening') %}
+          {%   endif %}
          {% endif %}
          {{ _scenario | join('_') }}
      when: