import missing logic from puppet manifests

The sshd role now implements the existing logic found within the
legacy puppet manifest. This change will ensure our ssh configs are
managed in the same way was as before, with the same user interface,
resulting the same functional outcomes.

A new molecule test has been added to ensure we're exercising all
available code path's. This new test will run through our banner
and motd configuration options.

Change-Id: I68a12c0992455c5a9dc3362b8121151235f409a2
Signed-off-by: Kevin Carter <kecarter@redhat.com>

tripleo_ansible/roles/tripleo-sshd/defaults/main.yml

@@ -28,3 +28,23 @@ tripleo_sshd_banner_enabled: false
 
 # SSH configuration options
 tripleo_sshd_password_authentication: 'no'
+
+tripleo_sshd_server_options:
+  HostKey:
+    - '/etc/ssh/ssh_host_rsa_key'
+    - '/etc/ssh/ssh_host_ecdsa_key'
+    - '/etc/ssh/ssh_host_ed25519_key'
+  SyslogFacility: 'AUTHPRIV'
+  AuthorizedKeysFile: '.ssh/authorized_keys'
+  ChallengeResponseAuthentication: 'no'
+  GSSAPIAuthentication: 'yes'
+  GSSAPICleanupCredentials: 'no'
+  UsePAM: 'yes'
+  UseDNS: 'no'
+  X11Forwarding: 'yes'
+  AcceptEnv:
+    - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
+    - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
+    - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
+    - 'XMODIFIERS'
+  Subsystem: 'sftp /usr/libexec/openssh/sftp-server'

tripleo_ansible/roles/tripleo-sshd/molecule/banners/Dockerfile

@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]

tripleo_ansible/roles/tripleo-sshd/molecule/banners/molecule.yml

@@ -0,0 +1,68 @@
+---
+driver:
+  name: docker
+
+log: true
+
+platforms:
+  - name: centos7
+    hostname: centos7
+    image: centos:7
+    dockerfile: Dockerfile
+    pkg_extras: python-setuptools
+    easy_install:
+      - pip
+    environment: &env
+      http_proxy: "{{ lookup('env', 'http_proxy') }}"
+      https_proxy: "{{ lookup('env', 'https_proxy') }}"
+    command: /sbin/init
+    tmpfs:
+      - /run
+      - /tmp
+    capabilities:
+      - ALL  # CENT7 requires all due to the age of the software
+    volumes:
+      - /run/udev:/run/udev:ro
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+  - name: fedora28
+    hostname: fedora28
+    image: fedora:28
+    dockerfile: Dockerfile
+    pkg_extras: python*-setuptools
+    environment:
+      http_proxy: "{{ lookup('env', 'http_proxy') }}"
+      https_proxy: "{{ lookup('env', 'https_proxy') }}"
+    command: /sbin/init
+    privileged: true
+    tmpfs:
+      - /run
+      - /tmp
+    capabilities:
+      - SYS_ADMIN
+    volumes:
+      - /run/udev:/run/udev:ro
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+
+provisioner:
+  name: ansible
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+  test_sequence:
+    - destroy
+    - create
+    - prepare
+    - converge
+    - verify
+    - destroy
+
+lint:
+  enabled: false
+
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

tripleo_ansible/roles/tripleo-sshd/molecule/banners/playbook.yml

@@ -0,0 +1,23 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  roles:
+    - name: tripleo-sshd
+      tripleo_sshd_motd_enabled: true
+      tripleo_sshd_banner_enabled: true

tripleo_ansible/roles/tripleo-sshd/molecule/default/playbook.yml

@@ -19,8 +19,3 @@
   hosts: all
   roles:
     - name: tripleo-sshd
-      vars:
-        tripleo_sshd_install: true
-  post_tasks:
-    - name: End the playbook before the systemd handler runs to restart sshd
-      meta: end_play

tripleo_ansible/roles/tripleo-sshd/tasks/main.yml

@@ -39,17 +39,36 @@
       notify:
         - Restart sshd
 
-    - name: force systemd to reread configs
+    - name: Flush all handlers
       meta: flush_handlers
 
     - name: Adjust ssh server configuration
-      blockinfile:
+      template:
         dest: /etc/ssh/sshd_config
-        state: present
-        marker: "# {mark} MANAGED BY TRIPLEO-ANSIBLE"
-        insertafter: "EOF"
+        src: sshd_config_block.j2
+        validate: '/usr/sbin/sshd -T -f %s'
+      notify:
+        - Restart sshd
+
+    - name: PasswordAuthentication notice
+      debug:
+        msg: >-
+          Notice - The option `tripleo_sshd_password_authentication` is set to
+          "{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is
+          undefined. While this may be perfectly valid, the sshd_config options
+          should be reviewed to ensure general user access is functional and
+          meeting expectations.
+      when:
+        - (tripleo_sshd_password_authentication != 'no') and
+          not (PermitRootLogin in tripleo_sshd_server_options)
+
+    - name: Adjust ssh server auth configuration
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        state: present
+        regexp: '^#?PasswordAuthentication.*'
+        line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
         validate: '/usr/sbin/sshd -T -f %s'
-        block: "{{ lookup('template', 'sshd_config_block.j2') }}"
       notify:
         - Restart sshd
 
@@ -60,9 +79,36 @@
       when:
         - tripleo_sshd_banner_enabled | bool
 
+    - name: Adjust ssh server banner configuration
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        state: present
+        regexp: '^#?Banner.*'
+        line: 'Banner /etc/issue'
+        validate: '/usr/sbin/sshd -T -f %s'
+      when:
+        - tripleo_sshd_banner_enabled | bool
+      notify:
+        - Restart sshd
+
     - name: Configure the motd banner
       copy:
         content: "{{ tripleo_sshd_message_of_the_day }}"
         dest: /etc/motd
       when:
         - tripleo_sshd_motd_enabled | bool
+
+    - name: Adjust ssh server motd configuration
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        state: present
+        regexp: '^#?PrintMotd.*'
+        line: 'PrintMotd yes'
+        validate: '/usr/sbin/sshd -T -f %s'
+      when:
+        - tripleo_sshd_motd_enabled | bool
+      notify:
+        - Restart sshd
+
+- name: Flush all handlers
+  meta: flush_handlers

tripleo_ansible/roles/tripleo-sshd/templates/sshd_config_block.j2

@@ -1,9 +1,12 @@
-SyslogFacility AUTHPRIV
-AuthorizedKeysFile .ssh/authorized_keys
-ChallengeResponseAuthentication no
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
-UsePAM yes
-UseDNS no
-X11Forwarding yes
-PasswordAuthentication {{ tripleo_sshd_password_authentication }}
+## {{ ansible_managed }}
+
+{% for k, v in tripleo_sshd_server_options.items() %}
+{%   if (v is iterable) and (v is not string) %}
+{%     set vars = (v | unique) %}
+{%     for var in vars %}
+{{ k }} {{ var }}
+{%     endfor %}
+{%   else %}
+{{ k }} {{ v }}
+{%   endif %}
+{% endfor %}