--- language: python python: "2.7" before_install: # Make sure everything's up to date. - sudo apt-get update -qq install: # Install Ansible. - pip install ansible # - | # if [ -f requirements.yml ]; then # ansible-galaxy install --roles-path ../ -r requirements.yml # fi # Add ansible.cfg to pick up roles path. # - "printf '[defaults]\nroles_path = ../' > ansible.cfg" - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg" script: # Check the role/playbook's syntax. - ansible-playbook -i tests/inventory tests/test.yml --syntax-check - ansible-playbook -i tests/inventory tests/test-passchange.yml --syntax-check # Run the role/playbook with ansible-playbook. - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become" # Run the role/playbook again, checking to make sure it's idempotent. - > ansible-playbook -i tests/inventory tests/test.yml --connection=local --become | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1) # Check users are setup - id testuser101 | grep --silent "testuser101" - id testuser102 | grep --silent "testuser102" - id testuser103 | grep --silent "testuser103" - id testuser104 | grep --silent "testuser104" - id testuser105 | grep --silent "testuser105" - id testuser106 | grep --silent "testuser106" - id testuser107 | grep --silent "testuser107" - id testuser108 | grep --silent "testuser108" - id testuser109 | grep --silent "testuser109" - id testuser110 | grep --silent "testuser110" - id testuser111 | grep --silent "testuser111" - sudo grep testuser101 /etc/shadow | awk -F":" '{exit $2!="$6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60"}' - sudo grep testuser102 /etc/shadow | awk -F":" '{exit $2!="$6$F/KXFzMa$ZIDqtYtM6sOC3UmRntVsTcy1rnsvw.6tBquOhX7Sb26jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1"}' - grep --silent "^testuser101:" /etc/group - ls -lgd /home/testuser101 | awk '{exit $3!="testuser101"}' - sudo ls -lg /home/testuser101/.ssh/authorized_keys | awk '{exit $3!="testuser101"}' - sudo cat /home/testuser101/.ssh/authorized_keys | wc -l | grep --silent "2" - sudo chage -l testuser101 | grep "Account expires" | awk '{exit $4!="never"}' - sudo chage -l testuser105 | grep "Account expires" | awk '{exit $4!="Jan"}' - sudo cat /etc/sudoers|grep --silent "^testuser102 " # Check UID is set as specified - grep sshuser /etc/passwd | awk -F":" '{exit $3!="1099"}' # Check group(s) are set for users - grep "^groupcommon:" /etc/group | grep --silent testuser106 - grep "^testgroupweb:" /etc/group | grep --silent testuser107 # Check group not set on webserver - grep "^testgroupdb:" /etc/group | grep --silent testuser107 || echo "success, testgroupdb not found" # Check primary group set - id -gn testuser105 | grep --silent "group105primary" # Check primary group id set - id -gn testuser106 | grep --silent "group106primary" - id -g testuser106 | grep --silent 2222 # Check ssh key for user was created - sudo cat /home/testuser108/.ssh/id_rsa | grep --silent "BEGIN RSA PRIVATE KEY" - sudo cat /home/testuser109/.ssh/id_rsa | grep --silent "BEGIN RSA PRIVATE KEY" # Check no ssh key for user was created - sudo test ! -f /home/testuser110/.ssh/id_rsa # Check key is encrypted - sudo cat /home/testuser109/.ssh/id_rsa | grep --silent "ENCRYPTED" # Check key size is correct - sudo ssh-keygen -lf /home/testuser109/.ssh/id_rsa | awk '{exit $1!="4096"}' # Check if not system account - id -u testuser101 | awk '{exit ($1<1000)?"0":"1"}' || echo "success, not system account" # Check if system account - id -u testuser111 | awk '{exit ($1<1000)?"0":"1"}' # Run the role/playbook again but change a password, and change password where on_create is set - "ansible-playbook -i tests/inventory tests/test-passchange.yml --connection=local --become" # Check password changed or not - sudo grep testuser101 /etc/shadow | awk -F":" '{exit $2!="$6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60"}' - sudo grep testuser102 /etc/shadow | awk -F":" '{exit $2!="$6$F/KXFzMa$ZIDqtYtM6sOC3UmRnt__NEW_SHOULD_CHANGE__6jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1"}' # Confirm you locked yourself out - sudo grep testuser103 /etc/shadow | awk -F":" '{exit $2!="!"}' # Confirm ssh key was changed and only 1 entry in file - sudo grep --silent "^ssh-rsa AAABNEW.... test104@server" /home/testuser104/.ssh/authorized_keys - sudo cat /home/testuser104/.ssh/authorized_keys | wc -l | grep --silent "1" notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/