From b691182c854a768b35dd4dccbda49ef623d9fd75 Mon Sep 17 00:00:00 2001 From: Rob Pothier Date: Tue, 9 Nov 2021 10:44:20 -0500 Subject: [PATCH 1/2] Remove Python 3.7 End support for Python 2.x DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support --- .github/workflows/ansible-test.yml | 4 ---- ci/test.sh | 7 ++++++- roles/conjur_host_identity/tests/test.sh | 4 ++-- tests/conjur_variable/test.sh | 2 +- tests/sanity/ignore-2.13.txt | 10 ++++++++++ 5 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 tests/sanity/ignore-2.13.txt diff --git a/.github/workflows/ansible-test.yml b/.github/workflows/ansible-test.yml index d460e5e3..61ac8b04 100644 --- a/.github/workflows/ansible-test.yml +++ b/.github/workflows/ansible-test.yml @@ -8,8 +8,6 @@ # - devel # #Python versions: -# - Python 2.7 -# - Python 3.7 # - Python 3.8 name: CI @@ -36,8 +34,6 @@ jobs: - stable-2.10 - devel python: - - 2.7 - - 3.7 - 3.8 runs-on: ubuntu-latest steps: diff --git a/ci/test.sh b/ci/test.sh index c83eb68e..1584fabb 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -41,7 +41,7 @@ function run_role_test { # Handles input to dictate wether all tests should be ran, or just one set function handle_input { - if [[ ! -z ${target} ]]; then + if [[ -n ${target} ]]; then for test_dir in "${test_directories[@]}"; do if [[ ${target} == "${test_dir}" ]]; then run_test ${target} @@ -85,6 +85,11 @@ while getopts ahd: option; do ;; h) help ;; + * ) + echo "$1 is not a valid option" + help + exit 1 + ;; esac done diff --git a/roles/conjur_host_identity/tests/test.sh b/roles/conjur_host_identity/tests/test.sh index a0fe08fb..1c1be478 100755 --- a/roles/conjur_host_identity/tests/test.sh 
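Review bot: In ci/test.sh the new `* )` branch of the `getopts` loop reports `$1`, which is the script's first argument rather than the option that failed to parse, so an invocation like `-d x -z` would blame `-d`. With the optstring `ahd:` getopts already prints its own diagnostic, so the branch could simply emit `echo "Invalid option; see usage" >&2` before `help`. Alternatively, switch to silent mode (`:ahd:`) and report `-${OPTARG}`. The loop starts outside this hunk.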
+++ b/roles/conjur_host_identity/tests/test.sh @@ -22,7 +22,7 @@ declare ansible_cid='' function api_key_for { local role_id=$1 - if [ ! -z "$role_id" ] + if [ -n "$role_id" ] then docker exec ${conjur_cid} rails r "print Credentials['${role_id}'].api_key" else @@ -58,7 +58,7 @@ function run_test_cases { function run_test_case { echo "---- testing ${test_case} ----" local test_case=$1 - if [ ! -z "$test_case" ] + if [ -n "$test_case" ] then docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c " cd tests diff --git a/tests/conjur_variable/test.sh b/tests/conjur_variable/test.sh index 3b389e1c..df40407a 100755 --- a/tests/conjur_variable/test.sh +++ b/tests/conjur_variable/test.sh @@ -90,7 +90,7 @@ function run_test_case { local test_case=$1 echo "---- testing ${test_case} ----" - if [ ! -n "$test_case" ]; then + if [ -z "$test_case" ]; then echo ERROR: run_test called with no argument 1>&2 exit 1 fi diff --git a/tests/sanity/ignore-2.13.txt b/tests/sanity/ignore-2.13.txt new file mode 100644 index 00000000..41034e28 --- /dev/null +++ b/tests/sanity/ignore-2.13.txt @@ -0,0 +1,10 @@ +Jenkinsfile shebang +tests/conjur_variable/test.sh shebang +tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python +roles/conjur_host_identity/tests/test.sh shebang +roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python +ci/build_release shebang +ci/parse-changelog.sh shebang +ci/publish_to_galaxy shebang +ci/test.sh shebang +secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python From 7e15293d28e85cb162c168bd049941329b87b0aa Mon Sep 17 00:00:00 2001 
From: Kumbirai Tanekha Date: Thu, 11 Nov 2021 18:39:47 +0400 Subject: [PATCH 2/2] Fix conjur_host_identity tests (#70) Also includes PR #70 Standard on the base container image for running ansible tests --- README.md | 6 +-- ci/test.sh | 2 +- roles/conjur_host_identity/tests/Dockerfile | 44 +++++++++++++------ roles/conjur_host_identity/tests/ansible.cfg | 2 +- .../tests/docker-compose.yml | 9 +++- .../tests/inventory-playbook.yml | 2 +- roles/conjur_host_identity/tests/test.sh | 23 ++++++---- .../configure-conjur-identity/playbook.yml | 2 +- .../tests/test_default.py | 2 +- 9 files changed, 60 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 5634cf39..c83a71ed 100644 --- a/README.md +++ b/README.md @@ -96,9 +96,9 @@ Configure a remote node with a Conjur identity and Summon: - hosts: servers roles: - role: cyberark.conjur.conjur-host-identity - conjur_appliance_url: 'https://conjur.myorg.com', - conjur_account: 'myorg', - conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}", + conjur_appliance_url: 'https://conjur.myorg.com' + conjur_account: 'myorg' + conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}" conjur_host_name: "{{ inventory_hostname }}" conjur_ssl_certificate: "{{ lookup('file', '/path/to/conjur.pem') }}" conjur_validate_certs: yes diff --git a/ci/test.sh b/ci/test.sh index 1584fabb..52e63ab9 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -1,4 +1,4 @@ -#!/bin/bash -x +#!/bin/bash -ex # Test runner for Ansible Conjur Collection diff --git a/roles/conjur_host_identity/tests/Dockerfile b/roles/conjur_host_identity/tests/Dockerfile index 49129da5..df27086f 100644 --- a/roles/conjur_host_identity/tests/Dockerfile +++ b/roles/conjur_host_identity/tests/Dockerfile 
@@ -1,24 +1,42 @@ -FROM ubuntu:18.04 +FROM ubuntu:latest -RUN apt-get update && apt-get install -y \ - apt-transport-https \ - ca-certificates \ - curl \ - software-properties-common \ - python3-pip +ENV DEBIAN_FRONTEND=noninteractive -RUN pip3 install pytest pytest-testinfra ansible && mkdir -p /conjurinc/ +WORKDIR /cyberark +# install ansible +RUN apt-get update && \ + apt-get install -y ansible + +# install python 3 +RUN apt-get update && \ + apt-get install -y python3-pip && \ + pip3 install --upgrade pip==9.0.3 + +# install ansible and its test tool +RUN pip3 install ansible pytest-testinfra + +# install docker installation requirements +RUN apt-get update && \ + apt-get install -y apt-transport-https \ + ca-certificates \ + curl \ + software-properties-common + +# install docker RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - RUN add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" -RUN apt-get update && apt-get -y install docker-ce + +RUN apt-get update && \ + apt-get -y install docker-ce + +# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a +# standard container image for running ansible tests + +# install ruby RUN apt-get update && apt-get install -y gcc build-essential RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.4 ruby2.4-dev RUN gem install conjur-cli - -WORKDIR /conjurinc/ - -CMD ["/bin/sleep", "1d"] diff --git a/roles/conjur_host_identity/tests/ansible.cfg b/roles/conjur_host_identity/tests/ansible.cfg index c3359828..5b1d8246 100644 --- a/roles/conjur_host_identity/tests/ansible.cfg +++ b/roles/conjur_host_identity/tests/ansible.cfg @@ -3,5 +3,5 @@ host_key_checking = False error_on_undefined_vars = True timeout = 60 inventory = inventory.tmp -roles_path = /conjurinc +roles_path = /cyberark remote_tmp = /tmp 
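Review bot: In roles/conjur_host_identity/tests/Dockerfile the base moves from the pinned `ubuntu:18.04` to the floating `FROM ubuntu:latest`, so the image changes whenever the tag is repointed. Later steps in this hunk depend on the release: `$(lsb_release -cs)` in the Docker repository line, and `ppa:brightbox/ruby-ng` with `ruby2.4`. Pin a release tag, ideally with a digest, e.g. `FROM ubuntu:<release>@sha256:<digest>` (placeholders). The new `pip3 install ansible pytest-testinfra` is also unpinned while pip itself is held at `pip==9.0.3`; pinning the test tools and adding a comment on why pip is held there would make the build reproducible. `ENV DEBIAN_FRONTEND=noninteractive` persists into the running container, whereas `ARG DEBIAN_FRONTEND=noninteractive` would keep it build-only.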
diff --git a/roles/conjur_host_identity/tests/docker-compose.yml b/roles/conjur_host_identity/tests/docker-compose.yml index 7c0422fb..7fc96f50 100644 --- a/roles/conjur_host_identity/tests/docker-compose.yml +++ b/roles/conjur_host_identity/tests/docker-compose.yml @@ -4,6 +4,7 @@ services: build: context: . dockerfile: Dockerfile + command: /bin/sleep 1d environment: CONJUR_APPLIANCE_URL: http://conjur:3000 CONJUR_ACCOUNT: cucumber @@ -11,9 +12,13 @@ services: CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY} CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY} COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring + # the configuration because it is in a world-writable working directory, + # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory. + ANSIBLE_CONFIG: ./ansible.cfg volumes: - - ..:/conjurinc/cyberark.conjur.conjur-host-identity/ - - .:/conjurinc/tests/ + - ..:/cyberark/cyberark.conjur.conjur-host-identity/ + - .:/cyberark/tests/ - /var/run/docker.sock:/var/run/docker.sock pg: image: postgres:9.3 diff --git a/roles/conjur_host_identity/tests/inventory-playbook.yml b/roles/conjur_host_identity/tests/inventory-playbook.yml index 01d0d1d4..91d44fcb 100644 --- a/roles/conjur_host_identity/tests/inventory-playbook.yml +++ b/roles/conjur_host_identity/tests/inventory-playbook.yml @@ -3,4 +3,4 @@ hosts: localhost tasks: - name: compile inventory template - template: src=inventory.j2 dest=/conjurinc/tests/inventory.tmp + template: src=inventory.j2 dest=/cyberark/tests/inventory.tmp diff --git a/roles/conjur_host_identity/tests/test.sh b/roles/conjur_host_identity/tests/test.sh index 1c1be478..45d50c6d 100755 --- a/roles/conjur_host_identity/tests/test.sh +++ b/roles/conjur_host_identity/tests/test.sh 
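Review bot: In roles/conjur_host_identity/tests/docker-compose.yml the added `ANSIBLE_CONFIG: ./ansible.cfg` overrides Ansible's refusal to load a config from a world-writable directory, and it uses a relative path, so the file loaded depends on the working directory of each `docker exec`. An absolute path such as `ANSIBLE_CONFIG: /cyberark/tests/ansible.cfg` makes the loaded file deterministic; the volume line in the same hunk mounts `.` at `/cyberark/tests/`. The NOTE comment should also state that the override is acceptable only because this is a throwaway test container. The same service keeps `/var/run/docker.sock` mounted, so code run in this container can control the host's Docker daemon.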
@@ -1,14 +1,19 @@ -#!/bin/bash -e -set -x +#!/bin/bash +set -ex -function finish { +function clean { echo 'Removing test environment' echo '---' docker-compose down -v rm -rf inventory.tmp } +function finish { + rv=$? + clean || true + exit $rv +} trap finish EXIT -finish +clean # normalises project name by filtering non alphanumeric characters and transforming to lowercase declare -x COMPOSE_PROJECT_NAME @@ -43,7 +48,7 @@ function setup_conjur { docker exec ${cli_cid} conjur policy load root /policy/root.yml # set secret values - docker exec ${cli_cid} bash -c ' + docker exec ${cli_cid} bash -ec ' conjur variable values add ansible/target-password target_secret_password ' } @@ -60,11 +65,11 @@ function run_test_case { local test_case=$1 if [ -n "$test_case" ] then - docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c " + docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec " cd tests ansible-playbook test_cases/${test_case}/playbook.yml " - docker exec "${ansible_cid}" bash -c " + docker exec "${ansible_cid}" bash -ec " cd tests py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py " @@ -81,7 +86,7 @@ function teardown_and_setup { function wait_for_server { # shellcheck disable=SC2016 - docker exec "${cli_cid}" bash -c ' + docker exec "${cli_cid}" bash -ec ' for i in $( seq 20 ); do curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break echo "." @@ -96,7 +101,7 @@ function fetch_ssl_cert { function generate_inventory { # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME - docker-compose exec -T ansible bash -c ' + docker-compose exec -T ansible bash -ec ' cd tests ansible-playbook inventory-playbook.yml ' diff --git a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml index 782091df..6972b50e 100644 
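Review bot: In roles/conjur_host_identity/tests/test.sh, `run_test_case` passes the host factory token as `env HFTOKEN="$(hf_token)"` while the script runs under `set -ex`, so xtrace writes the expanded token into the job log and the value also appears in the process arguments. Suggest capturing it with tracing off and forwarding it by name: `{ set +x; } 2>/dev/null; HFTOKEN="$(hf_token)"; export HFTOKEN; set -x`, then `docker exec -e HFTOKEN "${ansible_cid}" bash -ec "…"`. The token presumably belongs to the disposable test Conjur instance, but CI logs are often widely readable and retained. The function body starts outside this hunk.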
--- a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml +++ b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml @@ -2,7 +2,7 @@ - name: Configuring conjur identity on remote hosts hosts: testapp roles: - - role: cyberark.conjur.conjur-host-identity + - role: "cyberark.conjur.conjur-host-identity" conjur_account: cucumber conjur_appliance_url: "https://conjur-proxy-nginx" conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}" diff --git a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py index 245c1711..80513230 100644 --- a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py +++ b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py @@ -4,7 +4,7 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '/conjurinc/tests/inventory.tmp').get_hosts('testapp') + '/cyberark/tests/inventory.tmp').get_hosts('testapp') def test_hosts_file(host):