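---
# Travis CI pipeline for an Ansible role that manages local user accounts.
# The role is applied twice (plain run, then idempotence run), the resulting
# accounts are inspected on the CI VM, and a second playbook exercises
# password / key rotation.
language: python

python: "2.7"

before_install:
  # Make sure everything's up to date.
  - sudo apt-get update -qq

install:
  # Install Ansible.
  # NOTE(review): unpinned — every build installs whatever version pip serves
  # that day; pin it if reproducible results are wanted.
  - pip install ansible
  # - |
  #   if [ -f requirements.yml ]; then
  #     ansible-galaxy install --roles-path ../ -r requirements.yml
  #   fi

  # Add ansible.cfg to pick up roles path.
  # - "printf '[defaults]\nroles_path = ../' > ansible.cfg"
  - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"

script:
  # Check the role/playbook's syntax.
  - ansible-playbook -i tests/inventory tests/test.yml --syntax-check
  - ansible-playbook -i tests/inventory tests/test-passchange.yml --syntax-check

  # Run the role/playbook with ansible-playbook.
  # --become is needed because the role creates accounts on the CI VM itself.
  - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --become"

  # Run the role/playbook again, checking to make sure it's idempotent.
  # Folded scalar: these lines become one shell command line.
  - >
    ansible-playbook -i tests/inventory tests/test.yml --connection=local --become
    | grep -q 'changed=0.*failed=0'
    && (echo 'Idempotence test: pass' && exit 0)
    || (echo 'Idempotence test: fail' && exit 1)

  # Check users are setup
  - id testuser101 | grep --silent "testuser101"
  - id testuser102 | grep --silent "testuser102"
  - id testuser103 | grep --silent "testuser103"
  - id testuser104 | grep --silent "testuser104"
  - id testuser105 | grep --silent "testuser105"
  - id testuser106 | grep --silent "testuser106"
  - id testuser107 | grep --silent "testuser107"
  - id testuser108 | grep --silent "testuser108"
  - id testuser109 | grep --silent "testuser109"
  - id testuser110 | grep --silent "testuser110"
  - id testuser111 | grep --silent "testuser111"

  # Password hashes: SHA-512 crypt ("$6$") fixtures for throwaway CI accounts,
  # presumably the same values the test playbook sets (confirm against
  # tests/test.yml). The grep is anchored on "^name:" so only the exact
  # account's shadow entry is compared.
  - sudo grep "^testuser101:" /etc/shadow | awk -F":" '{exit $2!="$6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60"}'
  - sudo grep "^testuser102:" /etc/shadow | awk -F":" '{exit $2!="$6$F/KXFzMa$ZIDqtYtM6sOC3UmRntVsTcy1rnsvw.6tBquOhX7Sb26jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1"}'

  # Check the user's private group exists.
  - grep --silent "^testuser101:" /etc/group

  # ls -g omits the owner column, so $3 here is the group name, not the owner.
  - ls -lgd /home/testuser101 | awk '{exit $3!="testuser101"}'
  - sudo ls -lg /home/testuser101/.ssh/authorized_keys | awk '{exit $3!="testuser101"}'

  # Exactly two authorized keys: compare the line count itself; grepping for
  # the digit "2" would also accept 12, 20, ...
  - sudo cat /home/testuser101/.ssh/authorized_keys | wc -l | awk '{exit $1!="2"}'

  # Account expiry: "Account expires : never" puts the value in $4.
  - sudo chage -l testuser101 | grep "Account expires" | awk '{exit $4!="never"}'
  # testuser105 is expected to carry a fixed expiry date starting with "Jan".
  - sudo chage -l testuser105 | grep "Account expires" | awk '{exit $4!="Jan"}'

  # testuser102 must have its own sudoers entry.
  - sudo grep --silent "^testuser102 " /etc/sudoers

  # Check UID is set as specified (anchored so e.g. "mysshuser" cannot match).
  - grep "^sshuser:" /etc/passwd | awk -F":" '{exit $3!="1099"}'

  # Check group(s) are set for users
  - grep "^groupcommon:" /etc/group | grep --silent testuser106
  - grep "^testgroupweb:" /etc/group | grep --silent testuser107

  # Check group not set on webserver.
  # The pipeline is negated so the step fails when testuser107 IS a member;
  # a trailing "|| echo ..." would make the step pass either way.
  - '! grep "^testgroupdb:" /etc/group | grep --silent testuser107'

  # Check primary group set
  - id -gn testuser105 | grep --silent "group105primary"

  # Check primary group id set
  - id -gn testuser106 | grep --silent "group106primary"
  - id -g testuser106 | grep --silent 2222

  # Check ssh key for user was created
  - sudo cat /home/testuser108/.ssh/id_rsa | grep --silent "BEGIN RSA PRIVATE KEY"
  - sudo cat /home/testuser109/.ssh/id_rsa | grep --silent "BEGIN RSA PRIVATE KEY"

  # Check no ssh key for user was created
  - sudo test ! -f /home/testuser110/.ssh/id_rsa

  # Check key is encrypted (passphrase-protected keys carry an ENCRYPTED header)
  - sudo cat /home/testuser109/.ssh/id_rsa | grep --silent "ENCRYPTED"

  # Check key size is correct (ssh-keygen -l prints the bit length first)
  - sudo ssh-keygen -lf /home/testuser109/.ssh/id_rsa | awk '{exit $1!="4096"}'

  # Check if not system account: awk exits 0 only when the UID is >= 1000.
  # (Previously the awk test was inverted and a trailing "|| echo" masked it,
  # so the step could never fail.)
  - id -u testuser101 | awk '{exit ($1 >= 1000) ? 0 : 1}'

  # Check if system account: awk exits 0 only when the UID is < 1000.
  - id -u testuser111 | awk '{exit ($1 < 1000) ? 0 : 1}'

  # Run the role/playbook again but change a password, and change password where on_create is set
  - "ansible-playbook -i tests/inventory tests/test-passchange.yml --connection=local --become"

  # Check password changed or not
  # testuser101 keeps its hash; testuser102 must now carry the rotated one
  # (the fixture's distinctive "__NEW_SHOULD_CHANGE__" marker).
  - sudo grep "^testuser101:" /etc/shadow | awk -F":" '{exit $2!="$6$/y5RGZnFaD3f$96xVdOAnldEtSxivDY02h.DwPTrJgGQl8/MTRRrFAwKTYbFymeKH/1Rxd3k.RQfpgebM6amLK3xAaycybdc.60"}'
  - sudo grep "^testuser102:" /etc/shadow | awk -F":" '{exit $2!="$6$F/KXFzMa$ZIDqtYtM6sOC3UmRnt__NEW_SHOULD_CHANGE__6jxskXpve8l6DYsQyI1FT8N5I5cL0YkzW7bLbSCMtUw1"}'

  # Confirm you locked yourself out: a bare "!" in the password field means
  # no password can authenticate.
  - sudo grep "^testuser103:" /etc/shadow | awk -F":" '{exit $2!="!"}'

  # Confirm ssh key was changed and only 1 entry in file
  - sudo grep --silent "^ssh-rsa AAABNEW.... test104@server" /home/testuser104/.ssh/authorized_keys
  # Compare the count itself; grepping for "1" would also accept 11, 21, ...
  - sudo cat /home/testuser104/.ssh/authorized_keys | wc -l | awk '{exit $1!="1"}'

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/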