Add variable to set(keep) "PasswordAuthentication yes" in sshd_config

theoapp · Aug 2, 2020 · e05e5ed · e05e5ed
1 parent 3353b85
commit e05e5ed
Show file tree

Hide file tree

Showing 7 changed files with 234 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -10,3 +10,4 @@ theo_agent_public_key: ""
 theo_agent_public_key_path: "{{ theo_agent_config_dir }}/public.pem"
 theo_agent_hostname_prefix: ""
 theo_agent_hostname_suffix: ""
+theo_agent_with_password_authentication: false
diff --git a/molecule/passwordauthentication/Dockerfile.j2 b/molecule/passwordauthentication/Dockerfile.j2
@@ -0,0 +1,14 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/molecule/passwordauthentication/INSTALL.rst b/molecule/passwordauthentication/INSTALL.rst
@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule[docker]'
diff --git a/molecule/passwordauthentication/molecule.yml b/molecule/passwordauthentication/molecule.yml
@@ -0,0 +1,23 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint:
+  name: yamllint
+platforms:
+  - name: instance
+    image: "${REGISTRY_USER:-geerlingguy}/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  lint:
+    name: ansible-lint
+verifier:
+  name: testinfra
+  lint:
+    name: flake8
diff --git a/molecule/passwordauthentication/playbook.yml b/molecule/passwordauthentication/playbook.yml
@@ -0,0 +1,51 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    - theo_url: https://theo.example.com
+    - theo_client_token: zdOPNza4jjtceH5F2rU0iOkIJ2xlV4hGUauKT4cNe8HAp+AMnzYEzSc0EIBGM+MJuqL7gLd6bwIP
+    - theo_agent_with_password_authentication: true
+    - theo_agent_hostname_prefix: "test-"
+    - theo_agent_verify_signature: true
+    - theo_agent_public_key: |
+        -----BEGIN PUBLIC KEY-----
+        MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwVhHEBTVqEpBOpguARtg
+        //WyDBEoCT2F2OjnHB6fxJ9oopYJZB2Y4jj5cxo1O41r65XmMRT4lqeHWS6Iovde
+        kzlJ0bH91gl7/iNziUMN4ONiIR0SU3PiBGQ0XKq6rUxpsOhe+tFPfBQYhkkAiQeG
+        WC1GYQynYjZ/MTEDIPnd5YjSl0agzm7BMRujEcjWyYqEBuZjtDqP6AICz8nkFo9i
+        CWBONYbCujDl+1sei3WUfeGcUdGiPNwQGU/TW4sfcRWQzayw3XQEl3ERNRMihVsb
+        in2529O4+JMKdKn22mzTmWsraP/ZakVeti0VtpGZEe1YSTW8+SCz7DnTadnuUZAO
+        5JFVTmFcbF7/d/H0atKVVAeTC5nqYNeDrW4jtIQalUZeaHrBkWK7i/yxDYFlC2AW
+        ZEu4IQZtGfNJCaZFuYSiN96yzlnMWRp1nUGaBxoax4K8rBwX8EWxT4EAyN1mtan0
+        ZQITjiZTqDvnhr8iSIvn9hy3942GYi3upOsBeqfb90vzS7BAmoplyWPS0D+UWweB
+        +sjv96Gtb4BFpc96qwptLCnVFFOVlq0bq0u1FN6sZ4RApl2IaSJV9JGsJjeeJowh
+        GCK9sSDVI5XY3wy6UYMo9SZQGIglyRPrnd3R82O277lAyOVC/NNp1vq5WH/Mi1Mu
+        JK85kX7Atut+tgWgwuwT5vcCAwEAAQ==
+        -----END PUBLIC KEY-----
+  pre_tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+        cache_valid_time: 600
+      when: ansible_os_family == 'Debian'
+
+    - name: Ensure sshd is installed
+      package:
+        name:
+          - openssh-server
+        state: present
+
+    - name: Ensure sshd service is started
+      service:
+        name: ssh
+        state: started
+      when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04'
+
+    - name: Ensure sshd service is started
+      service:
+        name: sshd
+        state: started
+      when: not (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04')
+
+  roles:
+    - role: ansible-theo-agent
diff --git a/molecule/passwordauthentication/tests/test_default.py b/molecule/passwordauthentication/tests/test_default.py
@@ -0,0 +1,108 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_theo_binary_file(host):
+    f = host.file('/usr/sbin/theo-agent')
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'
+
+
+def test_theo_config_file(host):
+    f = host.file('/etc/theo-agent/config.yml')
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'
+    conf = f.content
+    '''
+    url: https://theo.example.com
+    token: \
+        zdOPNza4jjtceH5F2rU0iOkIJ2xlV4hGUauKT4cNe8HAp+AMnzYEzSc0EIBGM+MJuqL7gLd6bwIP
+    cachedir: /var/cache/theo-agent
+    verify: True
+    public_key: /etc/theo-agent/public.pem
+    hostname-prefix: test-
+    '''
+    expected = [
+        b'url: https://theo.example.com',
+        b'token: zdOPNza4jjtceH5F2rU0iOkIJ2xlV4hGUauKT4cNe8HAp'
+        b'+AMnzYEzSc0EIBGM+MJuqL7gLd6bwIP',
+        b'cachedir: /var/cache/theo-agent',
+        b'verify: True',
+        b'public_key: /etc/theo-agent/public.pem',
+        b'hostname-prefix: test-'
+    ]
+    for line in expected:
+        assert line in conf
+
+
+def test_theo_public_key_file(host):
+    f = host.file('/etc/theo-agent/public.pem')
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'
+
+
+def test_sshd_config(host):
+    distro = os.getenv('MOLECULE_DISTRO', 'centos7')
+    if distro == 'centos6':
+        expected = get_sshd_config_centos6()
+    elif distro == 'debian8':
+        expected = get_sshd_config_pre_v69()
+    elif distro == 'ubuntu1404':
+        expected = get_sshd_config_pre_v69()
+    else:
+        expected = get_sshd_config_v69()
+    f = host.file('/etc/ssh/sshd_config')
+    config = f.content
+    configlines = []
+    for line in config.splitlines():
+        if not line.startswith(b'#'):
+            configlines.append(line)
+    '''
+        I don't want to use something like:
+            assert set(expected).issubset(configlines)
+        Because there's no detail of the missing line(s)
+    '''
+    errors = []
+    for line in expected:
+        if line not in configlines:
+            errors.append(line)
+
+    if(len(errors)):
+        print('Failed test_sshd_config, missing line(s)')
+        for error in errors:
+            print(error)
+        assert False
+
+
+def get_sshd_config_centos6():
+    return [
+        b'PasswordAuthentication yes',
+        b'AuthorizedKeysCommandRunAs theo-agent',
+        b'AuthorizedKeysCommand /usr/sbin/theo-agent',
+        b'AuthorizedKeysFile /var/cache/theo-agent/%u'
+    ]
+
+
+def get_sshd_config_pre_v69():
+    return [
+        b'PasswordAuthentication yes',
+        b'AuthorizedKeysCommandUser theo-agent',
+        b'AuthorizedKeysCommand /usr/sbin/theo-agent',
+        b'AuthorizedKeysFile /var/cache/theo-agent/%u'
+    ]
+
+
+def get_sshd_config_v69():
+    return [
+        b'PasswordAuthentication yes',
+        b'AuthorizedKeysCommandUser theo-agent',
+        b'AuthorizedKeysCommand /usr/sbin/theo-agent -fingerprint %f %u',
+        b'AuthorizedKeysFile /var/cache/theo-agent/%u'
+    ]
diff --git a/tasks/sshd.yml b/tasks/sshd.yml
@@ -39,6 +39,20 @@
         line: "AuthorizedKeysCommandRunAs {{ theo_agent_user }}"
   when: ( ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 6 )
 
+- name: Set PasswordAuthentication on config snippet
+  set_fact:
+    sshd_password_authentication_options:
+      - regexp: "^PasswordAuthentication"
+        line: "PasswordAuthentication yes"
+  when: theo_agent_with_password_authentication|bool
+
+- name: Set PasswordAuthentication off config snippet
+  set_fact:
+    sshd_password_authentication_options:
+      - regexp: "^PasswordAuthentication"
+        line: "PasswordAuthentication no"
+  when: not theo_agent_with_password_authentication|bool
+
 - name: Update sshd configuration options
   lineinfile:
     path: /etc/ssh/sshd_config
@@ -47,8 +61,7 @@
     state: present
     validate: "/usr/sbin/sshd -T -f %s"
   with_items:
-    - regexp: "^PasswordAuthentication"
-      line: "PasswordAuthentication no"
+    - "{{ sshd_password_authentication_options }}"
     - "{{ sshd_authorized_keys_command_user_options }}"
     - regexp: "^AuthorizedKeysCommand "
       line: "AuthorizedKeysCommand {{ theo_agent_sshd_authorized_keys_command }}"