|
|
76240a |
From bf018e9f8327b231b967db8ec74fabf01802b6a8 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Watson Sato <wsato@redhat.com>
|
|
|
76240a |
Date: Wed, 11 Aug 2021 09:45:04 +0200
|
|
|
76240a |
Subject: [PATCH 1/3] Add test for ansible files removed and readded
|
|
|
76240a |
|
|
|
76240a |
Check if any playbook removes a file and then add it back again.
|
|
|
76240a |
The file removal is based on the 'file' module with 'state: absent', and
|
|
|
76240a |
the reintroduction of the file is based on 'lineinfile', 'blockinfile'
|
|
|
76240a |
and 'copy' modules.
|
|
|
76240a |
---
|
|
|
76240a |
CMakeLists.txt | 2 +
|
|
|
76240a |
tests/CMakeLists.txt | 8 ++
|
|
|
76240a |
tests/test_ansible_file_removed_and_added.py | 97 ++++++++++++++++++++
|
|
|
76240a |
3 files changed, 107 insertions(+)
|
|
|
76240a |
create mode 100644 tests/test_ansible_file_removed_and_added.py
|
|
|
76240a |
|
|
|
76240a |
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
|
76240a |
index 330b869d0f9..e41f2caa630 100644
|
|
|
76240a |
--- a/CMakeLists.txt
|
|
|
76240a |
+++ b/CMakeLists.txt
|
|
|
76240a |
@@ -129,6 +129,7 @@ find_python_module(jinja2 REQUIRED)
|
|
|
76240a |
find_python_module(pytest)
|
|
|
76240a |
find_python_module(pytest_cov)
|
|
|
76240a |
find_python_module(json2html)
|
|
|
76240a |
+find_python_module(yamlpath)
|
|
|
76240a |
|
|
|
76240a |
# sphinx documentation requirements
|
|
|
76240a |
find_python_module(sphinx)
|
|
|
76240a |
@@ -231,6 +232,7 @@ message(STATUS "python pytest module (optional): ${PY_PYTEST}")
|
|
|
76240a |
message(STATUS "ansible-playbook module (optional): ${ANSIBLE_PLAYBOOK_EXECUTABLE}")
|
|
|
76240a |
message(STATUS "ansible-lint module (optional): ${ANSIBLE_LINT_EXECUTABLE}")
|
|
|
76240a |
message(STATUS "yamllint module (optional): ${YAMLLINT_EXECUTABLE}")
|
|
|
76240a |
+message(STATUS "yamlpath module (optional): ${PY_YAMLPATH}")
|
|
|
76240a |
message(STATUS "BATS framework (optional): ${BATS_EXECUTABLE}")
|
|
|
76240a |
message(STATUS "python sphinx module (optional): ${PY_SPHINX}")
|
|
|
76240a |
message(STATUS "python sphinxcontrib.autojinja module (optional): ${PY_SPHINXCONTRIB.AUTOJINJA}")
|
|
|
76240a |
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
|
|
|
76240a |
index 3e2d8a4ec31..739cc124035 100644
|
|
|
76240a |
--- a/tests/CMakeLists.txt
|
|
|
76240a |
+++ b/tests/CMakeLists.txt
|
|
|
76240a |
@@ -121,3 +121,11 @@ add_test(
|
|
|
76240a |
)
|
|
|
76240a |
set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)
|
|
|
76240a |
set_tests_properties("fix_rules-sort_subkeys" PROPERTIES DEPENDS "test-rule-dir-json")
|
|
|
76240a |
+
|
|
|
76240a |
+if (PY_YAMLPATH)
|
|
|
76240a |
+ add_test(
|
|
|
76240a |
+ NAME "ansible-file-removed-and-added"
|
|
|
76240a |
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible"
|
|
|
76240a |
+ )
|
|
|
76240a |
+ set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)
|
|
|
76240a |
+endif()
|
|
|
76240a |
diff --git a/tests/test_ansible_file_removed_and_added.py b/tests/test_ansible_file_removed_and_added.py
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..23f6f888bda
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/tests/test_ansible_file_removed_and_added.py
|
|
|
76240a |
@@ -0,0 +1,97 @@
|
|
|
76240a |
+#!/usr/bin/python3
|
|
|
76240a |
+
|
|
|
76240a |
+import argparse
|
|
|
76240a |
+import os
|
|
|
76240a |
+import sys
|
|
|
76240a |
+from types import SimpleNamespace
|
|
|
76240a |
+from yamlpath import Processor
|
|
|
76240a |
+from yamlpath import YAMLPath
|
|
|
76240a |
+from yamlpath.common import Parsers
|
|
|
76240a |
+from yamlpath.exceptions import YAMLPathException
|
|
|
76240a |
+from yamlpath.wrappers import ConsolePrinter
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def parse_command_line_args():
|
|
|
76240a |
+ parser = argparse.ArgumentParser(
|
|
|
76240a |
+ description="Checks if an Ansible Playbook removes a file and then adds it again.")
|
|
|
76240a |
+ parser.add_argument("--ansible_dir", required=True,
|
|
|
76240a |
+ help="Directory containing Ansible Playbooks")
|
|
|
76240a |
+ args = parser.parse_args()
|
|
|
76240a |
+ return args
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def check_playbook_file_removed_and_added(playbook_path):
|
|
|
76240a |
+ playbook_ok = True
|
|
|
76240a |
+
|
|
|
76240a |
+ yaml_parser = Parsers.get_yaml_editor()
|
|
|
76240a |
+
|
|
|
76240a |
+ logging_args = SimpleNamespace(quiet=False, verbose=False, debug=False)
|
|
|
76240a |
+ log = ConsolePrinter(logging_args)
|
|
|
76240a |
+
|
|
|
76240a |
+ # Find every path removed by a file Task (also matches tasks within blocks)
|
|
|
76240a |
+ files_absent_string = "tasks.**.file[state=absent][parent()].path"
|
|
|
76240a |
+ files_absent_yamlpath = YAMLPath(files_absent_string)
|
|
|
76240a |
+ path_editing_tasks_yamlpath = ""
|
|
|
76240a |
+
|
|
|
76240a |
+ log.info("Info: Evaluating playbook '{}'".format(playbook_path))
|
|
|
76240a |
+ (yaml_data, doc_loaded) = Parsers.get_yaml_data(yaml_parser, log, playbook_path)
|
|
|
76240a |
+ if not doc_loaded:
|
|
|
76240a |
+ # There was an issue loading the file; an error message has already been
|
|
|
76240a |
+ # printed via ConsolePrinter.
|
|
|
76240a |
+ return False
|
|
|
76240a |
+
|
|
|
76240a |
+ processor = Processor(log, yaml_data)
|
|
|
76240a |
+ try:
|
|
|
76240a |
+ for node in processor.get_nodes(files_absent_yamlpath, mustexist=False):
|
|
|
76240a |
+ path = str(node)
|
|
|
76240a |
+ # 'node' is a NodeCoords.
|
|
|
76240a |
+ if path == 'None':
|
|
|
76240a |
+ continue
|
|
|
76240a |
+ elif "{{" in path:
|
|
|
76240a |
+ # Identified path is a Jinja expression, unfortunately there is no easy way to get
|
|
|
76240a |
+ # the actual path without making this test very complicated
|
|
|
76240a |
+ continue
|
|
|
76240a |
+
|
|
|
76240a |
+ # Check if this paths is used in any of the following ansible modules
|
|
|
76240a |
+ ansible_modules = ["lineinfile", "blockinfile", "copy"]
|
|
|
76240a |
+ path_editing_tasks_string = "tasks.**.[.=~/{modules}/][*='{path}'][parent()].name"
|
|
|
76240a |
+ path_editing_tasks_yamlpath = YAMLPath(path_editing_tasks_string.format(
|
|
|
76240a |
+ modules="|".join(ansible_modules),
|
|
|
76240a |
+ path=node)
|
|
|
76240a |
+ )
|
|
|
76240a |
+ for task in processor.get_nodes(path_editing_tasks_yamlpath, mustexist=False):
|
|
|
76240a |
+ log.info("Error: Task '{}' manipulates a file that is removed by another task"
|
|
|
76240a |
+ .format(task))
|
|
|
76240a |
+ playbook_ok = False
|
|
|
76240a |
+ except YAMLPathException as ex:
|
|
|
76240a |
+ no_file_msg = ("Cannot add PathSegmentTypes.TRAVERSE subreference to lists at 'None' "
|
|
|
76240a |
+ "in '{}'.")
|
|
|
76240a |
+ if str(ex) == no_file_msg.format(files_absent_string):
|
|
|
76240a |
+ log.info("Info: Playbook {} has no 'file' tasks.".format(playbook_path))
|
|
|
76240a |
+ elif path_editing_tasks_yamlpath and str(ex) == no_file_msg.format(
|
|
|
76240a |
+ path_editing_tasks_yamlpath):
|
|
|
76240a |
+ log.info("Info: Playbook {} has no '{}' tasks.".format(
|
|
|
76240a |
+ playbook_path, " ".join(ansible_modules)))
|
|
|
76240a |
+ else:
|
|
|
76240a |
+ log.info("Error: {}.".format(ex))
|
|
|
76240a |
+
|
|
|
76240a |
+ return playbook_ok
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def main():
|
|
|
76240a |
+ args = parse_command_line_args()
|
|
|
76240a |
+
|
|
|
76240a |
+ all_playbooks_ok = True
|
|
|
76240a |
+ for dir_item in os.listdir(args.ansible_dir):
|
|
|
76240a |
+ if dir_item.endswith(".yml"):
|
|
|
76240a |
+ playbook_path = os.path.join(args.ansible_dir, dir_item)
|
|
|
76240a |
+
|
|
|
76240a |
+ if not check_playbook_file_removed_and_added(playbook_path):
|
|
|
76240a |
+ all_playbooks_ok = False
|
|
|
76240a |
+
|
|
|
76240a |
+ if not all_playbooks_ok:
|
|
|
76240a |
+ sys.exit(1)
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+if __name__ == "__main__":
|
|
|
76240a |
+ main()
|
|
|
76240a |
|
|
|
76240a |
From e6d727762ba446cad94f1e002fa7a7fef0f1a4cb Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Watson Sato <wsato@redhat.com>
|
|
|
76240a |
Date: Wed, 11 Aug 2021 09:48:14 +0200
|
|
|
76240a |
Subject: [PATCH 2/3] Unit tests the function for file removed and added
|
|
|
76240a |
|
|
|
76240a |
Add a unit test for the core function that checks if any playbook
|
|
|
76240a |
removes a file and then reintroduces it back.
|
|
|
76240a |
---
|
|
|
76240a |
tests/CMakeLists.txt | 6 ++
|
|
|
76240a |
.../file_block_removed_and_added.yml | 69 +++++++++++++++++++
|
|
|
76240a |
.../file_not_removed_and_added.yml | 49 +++++++++++++
|
|
|
76240a |
.../file_removed_and_added.yml | 62 +++++++++++++++++
|
|
|
76240a |
.../file_removed_and_not_added.yml | 46 +++++++++++++
|
|
|
76240a |
...t_check_playbook_file_removed_and_added.py | 39 +++++++++++
|
|
|
76240a |
6 files changed, 271 insertions(+)
|
|
|
76240a |
create mode 100644 tests/ansible_file_removed_and_added/file_block_removed_and_added.yml
|
|
|
76240a |
create mode 100644 tests/ansible_file_removed_and_added/file_not_removed_and_added.yml
|
|
|
76240a |
create mode 100644 tests/ansible_file_removed_and_added/file_removed_and_added.yml
|
|
|
76240a |
create mode 100644 tests/ansible_file_removed_and_added/file_removed_and_not_added.yml
|
|
|
76240a |
create mode 100644 tests/test_check_playbook_file_removed_and_added.py
|
|
|
76240a |
|
|
|
76240a |
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
|
|
|
76240a |
index 739cc124035..000a1b1385d 100644
|
|
|
76240a |
--- a/tests/CMakeLists.txt
|
|
|
76240a |
+++ b/tests/CMakeLists.txt
|
|
|
76240a |
@@ -123,6 +123,12 @@ set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)
|
|
|
76240a |
set_tests_properties("fix_rules-sort_subkeys" PROPERTIES DEPENDS "test-rule-dir-json")
|
|
|
76240a |
|
|
|
76240a |
if (PY_YAMLPATH)
|
|
|
76240a |
+ if (PY_PYTEST)
|
|
|
76240a |
+ add_test(
|
|
|
76240a |
+ NAME "test-function-check_playbook_file_removed_and_added"
|
|
|
76240a |
+ COMMAND "${PYTHON_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_CURRENT_SOURCE_DIR}/test_check_playbook_file_removed_and_added.py"
|
|
|
76240a |
+ )
|
|
|
76240a |
+ endif()
|
|
|
76240a |
add_test(
|
|
|
76240a |
NAME "ansible-file-removed-and-added"
|
|
|
76240a |
COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible"
|
|
|
76240a |
diff --git a/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..8863b333129
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml
|
|
|
76240a |
@@ -0,0 +1,69 @@
|
|
|
76240a |
+---
|
|
|
76240a |
+
|
|
|
76240a |
+- hosts: all
|
|
|
76240a |
+ vars:
|
|
|
76240a |
+ var_system_crypto_policy: !!str FUTURE
|
|
|
76240a |
+ var_sudo_logfile: !!str /var/log/sudo.log
|
|
|
76240a |
+
|
|
|
76240a |
+ tasks:
|
|
|
76240a |
+ - name: Modify the System Login Banner - add correct banner
|
|
|
76240a |
+ lineinfile:
|
|
|
76240a |
+ dest: /etc/issue
|
|
|
76240a |
+ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
|
|
|
76240a |
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
|
|
|
76240a |
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
|
|
|
76240a |
+ create: true
|
|
|
76240a |
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - banner_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - medium_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+ - unknown_strategy
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Test for existence /etc/issue
|
|
|
76240a |
+ stat:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ register: file_exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Ensure permission 0644 on /etc/issue
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ mode: '0644'
|
|
|
76240a |
+ when: file_exists.stat is defined and file_exists.stat.exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
+ - block:
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Remove Rsh Trust Files
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: /root/shosts.equiv
|
|
|
76240a |
+ state: absent
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Add line to /root/shosts.equiv
|
|
|
76240a |
+ lineinfile:
|
|
|
76240a |
+ dest: /root/shosts.equiv
|
|
|
76240a |
+ line: 'test host'
|
|
|
76240a |
+ create: true
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - high_severity
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+ - no_rsh_trust_files
|
|
|
76240a |
+ - restrict_strategy
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..3d3e53b958f
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml
|
|
|
76240a |
@@ -0,0 +1,49 @@
|
|
|
76240a |
+---
|
|
|
76240a |
+
|
|
|
76240a |
+- hosts: all
|
|
|
76240a |
+ vars:
|
|
|
76240a |
+ var_system_crypto_policy: !!str FUTURE
|
|
|
76240a |
+ var_sudo_logfile: !!str /var/log/sudo.log
|
|
|
76240a |
+
|
|
|
76240a |
+ tasks:
|
|
|
76240a |
+ - name: Modify the System Login Banner - add correct banner
|
|
|
76240a |
+ lineinfile:
|
|
|
76240a |
+ dest: /etc/issue
|
|
|
76240a |
+ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
|
|
|
76240a |
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
|
|
|
76240a |
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
|
|
|
76240a |
+ create: true
|
|
|
76240a |
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - banner_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - medium_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+ - unknown_strategy
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Test for existence /etc/issue
|
|
|
76240a |
+ stat:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ register: file_exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Ensure permission 0644 on /etc/issue
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ mode: '0644'
|
|
|
76240a |
+ when: file_exists.stat is defined and file_exists.stat.exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/tests/ansible_file_removed_and_added/file_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_removed_and_added.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..a44c39a9db2
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/tests/ansible_file_removed_and_added/file_removed_and_added.yml
|
|
|
76240a |
@@ -0,0 +1,62 @@
|
|
|
76240a |
+---
|
|
|
76240a |
+
|
|
|
76240a |
+- hosts: all
|
|
|
76240a |
+ vars:
|
|
|
76240a |
+ var_system_crypto_policy: !!str FUTURE
|
|
|
76240a |
+ var_sudo_logfile: !!str /var/log/sudo.log
|
|
|
76240a |
+
|
|
|
76240a |
+ tasks:
|
|
|
76240a |
+ - name: Modify the System Login Banner - remove incorrect banner
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ state: absent
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - banner_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - medium_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+ - unknown_strategy
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Modify the System Login Banner - add correct banner
|
|
|
76240a |
+ lineinfile:
|
|
|
76240a |
+ dest: /etc/issue
|
|
|
76240a |
+ line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
|
|
|
76240a |
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
|
|
|
76240a |
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
|
|
|
76240a |
+ create: true
|
|
|
76240a |
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - banner_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - medium_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+ - unknown_strategy
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Test for existence /etc/issue
|
|
|
76240a |
+ stat:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ register: file_exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Ensure permission 0644 on /etc/issue
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ mode: '0644'
|
|
|
76240a |
+ when: file_exists.stat is defined and file_exists.stat.exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml b/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..08cda7e5063
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml
|
|
|
76240a |
@@ -0,0 +1,46 @@
|
|
|
76240a |
+---
|
|
|
76240a |
+
|
|
|
76240a |
+- hosts: all
|
|
|
76240a |
+ vars:
|
|
|
76240a |
+ var_system_crypto_policy: !!str FUTURE
|
|
|
76240a |
+ var_sudo_logfile: !!str /var/log/sudo.log
|
|
|
76240a |
+
|
|
|
76240a |
+ tasks:
|
|
|
76240a |
+ - name: Modify the System Login Banner - remove incorrect banner
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ state: absent
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - banner_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - medium_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+ - unknown_strategy
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Test for existence /etc/issue
|
|
|
76240a |
+ stat:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ register: file_exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: Ensure permission 0644 on /etc/issue
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: /etc/issue
|
|
|
76240a |
+ mode: '0644'
|
|
|
76240a |
+ when: file_exists.stat is defined and file_exists.stat.exists
|
|
|
76240a |
+ tags:
|
|
|
76240a |
+ - configure_strategy
|
|
|
76240a |
+ - file_permissions_etc_issue
|
|
|
76240a |
+ - low_complexity
|
|
|
76240a |
+ - low_disruption
|
|
|
76240a |
+ - medium_severity
|
|
|
76240a |
+ - no_reboot_needed
|
|
|
76240a |
+
|
|
|
76240a |
diff --git a/tests/test_check_playbook_file_removed_and_added.py b/tests/test_check_playbook_file_removed_and_added.py
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..181bb14ed46
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/tests/test_check_playbook_file_removed_and_added.py
|
|
|
76240a |
@@ -0,0 +1,39 @@
|
|
|
76240a |
+import os
|
|
|
76240a |
+import pytest
|
|
|
76240a |
+
|
|
|
76240a |
+from .test_ansible_file_removed_and_added import check_playbook_file_removed_and_added
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def test_file_removed_and_added():
|
|
|
76240a |
+ playbook_path = os.path.join(os.path.dirname(__file__),
|
|
|
76240a |
+ "ansible_file_removed_and_added",
|
|
|
76240a |
+ "file_removed_and_added.yml")
|
|
|
76240a |
+ assert not check_playbook_file_removed_and_added(playbook_path)
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def test_file_removed_and_not_added():
|
|
|
76240a |
+ playbook_path = os.path.join(os.path.dirname(__file__),
|
|
|
76240a |
+ "ansible_file_removed_and_added",
|
|
|
76240a |
+ "file_removed_and_not_added.yml")
|
|
|
76240a |
+ assert check_playbook_file_removed_and_added(playbook_path)
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def test_file_not_removed_and_added():
|
|
|
76240a |
+ playbook_path = os.path.join(os.path.dirname(__file__),
|
|
|
76240a |
+ "ansible_file_removed_and_added",
|
|
|
76240a |
+ "file_not_removed_and_added.yml")
|
|
|
76240a |
+ assert check_playbook_file_removed_and_added(playbook_path)
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def test_file_block_removed_and_added():
|
|
|
76240a |
+ playbook_path = os.path.join(os.path.dirname(__file__),
|
|
|
76240a |
+ "ansible_file_removed_and_added",
|
|
|
76240a |
+ "file_block_removed_and_added.yml")
|
|
|
76240a |
+ assert not check_playbook_file_removed_and_added(playbook_path)
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+def test_file_block_removed_and_not_added():
|
|
|
76240a |
+ playbook_path = os.path.join(os.path.dirname(__file__),
|
|
|
76240a |
+ "ansible_file_removed_and_added",
|
|
|
76240a |
+ "file_block_removed_and_not_added.yml")
|
|
|
76240a |
+ assert check_playbook_file_removed_and_added(playbook_path)
|
|
|
76240a |
|
|
|
76240a |
From 741ec823ac39341f8aa0649031b72d2ac36e8a64 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Watson Sato <wsato@redhat.com>
|
|
|
76240a |
Date: Thu, 12 Aug 2021 10:36:47 +0200
|
|
|
76240a |
Subject: [PATCH 3/3] Mention Ansible static yamlpath test in docs
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
.../developer/02_building_complianceascode.md | 14 ++++++++++++++
|
|
|
76240a |
1 file changed, 14 insertions(+)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/docs/manual/developer/02_building_complianceascode.md b/docs/manual/developer/02_building_complianceascode.md
|
|
|
76240a |
index d536df0a259..87469bf5f9b 100644
|
|
|
76240a |
--- a/docs/manual/developer/02_building_complianceascode.md
|
|
|
76240a |
+++ b/docs/manual/developer/02_building_complianceascode.md
|
|
|
76240a |
@@ -64,6 +64,20 @@ yum install yamllint ansible-lint
|
|
|
76240a |
apt-get install yamllint ansible-lint
|
|
|
76240a |
```
|
|
|
76240a |
|
|
|
76240a |
+### Static Ansible Playbooks tests
|
|
|
76240a |
+
|
|
|
76240a |
+Install `yamlpath` and `pytest` to run tests cases that analyse the Ansible
|
|
|
76240a |
+Playbooks' yaml nodes.
|
|
|
76240a |
+```bash
|
|
|
76240a |
+pip3 install yamlpath
|
|
|
76240a |
+
|
|
|
76240a |
+# Fedora/RHEL
|
|
|
76240a |
+yum install python3-pytest
|
|
|
76240a |
+
|
|
|
76240a |
+# Ubuntu/Debian
|
|
|
76240a |
+apt-get install python-pytest
|
|
|
76240a |
+```
|
|
|
76240a |
+
|
|
|
76240a |
### Ninja (Faster Builds)
|
|
|
76240a |
|
|
|
76240a |
Install the `ninja` build system if you want to use it instead of
|