Fix conjur_host_identity tests (#70)

Also includes PR #70

Standard on the base container image for running ansible tests

README.md

@@ -96,9 +96,9 @@ Configure a remote node with a Conjur identity and Summon:
 - hosts: servers
   roles:
     - role: cyberark.conjur.conjur-host-identity
-      conjur_appliance_url: 'https://conjur.myorg.com',
-      conjur_account: 'myorg',
-      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}",
+      conjur_appliance_url: 'https://conjur.myorg.com'
+      conjur_account: 'myorg'
+      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
       conjur_host_name: "{{ inventory_hostname }}"
       conjur_ssl_certificate: "{{ lookup('file', '/path/to/conjur.pem') }}"
       conjur_validate_certs: yes

ci/test.sh

@@ -1,4 +1,4 @@
-#!/bin/bash -x
+#!/bin/bash -ex
 
 # Test runner for Ansible Conjur Collection
 

roles/conjur_host_identity/tests/Dockerfile

@@ -1,24 +1,42 @@
-FROM ubuntu:18.04
+FROM ubuntu:latest
 
-RUN apt-get update && apt-get install -y \
-    apt-transport-https \
-    ca-certificates \
-    curl \
-    software-properties-common \
-    python3-pip
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN pip3 install pytest pytest-testinfra ansible && mkdir -p /conjurinc/
+WORKDIR /cyberark
 
+# install ansible
+RUN apt-get update && \
+    apt-get install -y ansible
+
+# install python 3
+RUN apt-get update && \
+    apt-get install -y python3-pip && \
+    pip3 install --upgrade pip==9.0.3
+
+# install ansible and its test tool
+RUN pip3 install ansible pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+    apt-get install -y apt-transport-https \
+                       ca-certificates \
+                       curl \
+                       software-properties-common
+
+# install docker
 RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
 RUN add-apt-repository \
        "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
        $(lsb_release -cs) \
        stable"
-RUN apt-get update && apt-get -y install docker-ce
+
+RUN apt-get update && \
+    apt-get -y install docker-ce
+
+# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a
+# standard container image for running ansible tests
+
+# install ruby
 RUN apt-get update && apt-get install -y gcc build-essential
 RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.4 ruby2.4-dev
 RUN gem install conjur-cli
-
-WORKDIR /conjurinc/
-
-CMD ["/bin/sleep", "1d"]

roles/conjur_host_identity/tests/ansible.cfg

@@ -3,5 +3,5 @@ host_key_checking = False
 error_on_undefined_vars = True
 timeout = 60
 inventory = inventory.tmp
-roles_path = /conjurinc
+roles_path = /cyberark
 remote_tmp = /tmp

roles/conjur_host_identity/tests/docker-compose.yml

@@ -4,16 +4,21 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
+    command: /bin/sleep 1d
     environment:
       CONJUR_APPLIANCE_URL: http://conjur:3000
       CONJUR_ACCOUNT: cucumber
       CONJUR_AUTHN_LOGIN: host/ansible/ansible-master
       CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY}
       CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY}
       COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+      # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring
+      # the configuration because it is in a world-writable working directory,
+      # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory.
+      ANSIBLE_CONFIG: ./ansible.cfg
     volumes:
-      - ..:/conjurinc/cyberark.conjur.conjur-host-identity/
-      - .:/conjurinc/tests/
+      - ..:/cyberark/cyberark.conjur.conjur-host-identity/
+      - .:/cyberark/tests/
       - /var/run/docker.sock:/var/run/docker.sock
   pg:
     image: postgres:9.3

roles/conjur_host_identity/tests/inventory-playbook.yml

@@ -3,4 +3,4 @@
   hosts: localhost
   tasks:
     - name: compile inventory template
-      template: src=inventory.j2 dest=/conjurinc/tests/inventory.tmp
+      template: src=inventory.j2 dest=/cyberark/tests/inventory.tmp

roles/conjur_host_identity/tests/test.sh

@@ -1,14 +1,19 @@
-#!/bin/bash -e
-set -x
+#!/bin/bash
+set -ex
 
-function finish {
+function clean {
   echo 'Removing test environment'
   echo '---'
   docker-compose down -v
   rm -rf inventory.tmp
 }
+function finish {
+  rv=$?
+  clean || true
+  exit $rv
+}
 trap finish EXIT
-finish
+clean
 
 # normalises project name by filtering non alphanumeric characters and transforming to lowercase
 declare -x COMPOSE_PROJECT_NAME
@@ -43,7 +48,7 @@ function setup_conjur {
   docker exec ${cli_cid} conjur policy load root /policy/root.yml
 
   # set secret values
-  docker exec ${cli_cid} bash -c '
+  docker exec ${cli_cid} bash -ec '
     conjur variable values add ansible/target-password target_secret_password
   '
 }
@@ -60,11 +65,11 @@ function run_test_case {
   local test_case=$1
   if [ -n "$test_case" ]
   then
-    docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c "
+    docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec "
       cd tests
       ansible-playbook test_cases/${test_case}/playbook.yml
     "
-    docker exec "${ansible_cid}" bash -c "
+    docker exec "${ansible_cid}" bash -ec "
       cd tests
       py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py
     "
@@ -81,7 +86,7 @@ function teardown_and_setup {
 
 function wait_for_server {
   # shellcheck disable=SC2016
-  docker exec "${cli_cid}" bash -c '
+  docker exec "${cli_cid}" bash -ec '
     for i in $( seq 20 ); do
       curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break
       echo "."
@@ -96,7 +101,7 @@ function fetch_ssl_cert {
 
 function generate_inventory {
   # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME
-  docker-compose exec -T ansible bash -c '
+  docker-compose exec -T ansible bash -ec '
     cd tests
     ansible-playbook inventory-playbook.yml
   '

roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml

@@ -2,7 +2,7 @@
 - name: Configuring conjur identity on remote hosts
   hosts: testapp
   roles:
-    - role: cyberark.conjur.conjur-host-identity
+    - role: "cyberark.conjur.conjur-host-identity"
       conjur_account: cucumber
       conjur_appliance_url: "https://conjur-proxy-nginx"
       conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"

roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py

@@ -4,7 +4,7 @@
 import testinfra.utils.ansible_runner
 
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    '/conjurinc/tests/inventory.tmp').get_hosts('testapp')
+    '/cyberark/tests/inventory.tmp').get_hosts('testapp')
 
 
 def test_hosts_file(host):