diff --git a/README.md b/README.md index 5634cf39..c83a71ed 100644 --- a/README.md +++ b/README.md @@ -96,9 +96,9 @@ Configure a remote node with a Conjur identity and Summon: - hosts: servers roles: - role: cyberark.conjur.conjur-host-identity - conjur_appliance_url: 'https://conjur.myorg.com', - conjur_account: 'myorg', - conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}", + conjur_appliance_url: 'https://conjur.myorg.com' + conjur_account: 'myorg' + conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}" conjur_host_name: "{{ inventory_hostname }}" conjur_ssl_certificate: "{{ lookup('file', '/path/to/conjur.pem') }}" conjur_validate_certs: yes diff --git a/ci/test.sh b/ci/test.sh index 1584fabb..52e63ab9 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -1,4 +1,4 @@ -#!/bin/bash -x +#!/bin/bash -ex # Test runner for Ansible Conjur Collection diff --git a/roles/conjur_host_identity/tests/Dockerfile b/roles/conjur_host_identity/tests/Dockerfile index 49129da5..df27086f 100644 --- a/roles/conjur_host_identity/tests/Dockerfile +++ b/roles/conjur_host_identity/tests/Dockerfile 
@@ -1,24 +1,42 @@ -FROM ubuntu:18.04 +FROM ubuntu:latest -RUN apt-get update && apt-get install -y \ - apt-transport-https \ - ca-certificates \ - curl \ - software-properties-common \ - python3-pip +ENV DEBIAN_FRONTEND=noninteractive -RUN pip3 install pytest pytest-testinfra ansible && mkdir -p /conjurinc/ +WORKDIR /cyberark +# install ansible +RUN apt-get update && \ + apt-get install -y ansible + +# install python 3 +RUN apt-get update && \ + apt-get install -y python3-pip && \ + pip3 install --upgrade pip==9.0.3 + +# install ansible and its test tool +RUN pip3 install ansible pytest-testinfra + +# install docker installation requirements +RUN apt-get update && \ + apt-get install -y apt-transport-https \ + ca-certificates \ + curl \ + software-properties-common + +# install docker RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - RUN add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) \ stable" -RUN apt-get update && apt-get -y install docker-ce + +RUN apt-get update && \ + apt-get -y install docker-ce + +# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a +# standard container image for running ansible tests + +# install ruby RUN apt-get update && apt-get install -y gcc build-essential RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.4 ruby2.4-dev RUN gem install conjur-cli - -WORKDIR /conjurinc/ - -CMD ["/bin/sleep", "1d"] diff --git a/roles/conjur_host_identity/tests/ansible.cfg b/roles/conjur_host_identity/tests/ansible.cfg index c3359828..5b1d8246 100644 --- a/roles/conjur_host_identity/tests/ansible.cfg +++ b/roles/conjur_host_identity/tests/ansible.cfg @@ -3,5 +3,5 @@ host_key_checking = False error_on_undefined_vars = True timeout = 60 inventory = inventory.tmp -roles_path = /conjurinc +roles_path = /cyberark remote_tmp = /tmp 
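Review bot: `FROM ubuntu:latest` makes this test image unreproducible, and later steps in the same hunk depend on whichever release it resolves to. The Docker repository line uses `$(lsb_release -cs)`, and `ppa:brightbox/ruby-ng` must still publish `ruby2.4` for that release. Pin a specific release, ideally by digest, for example `FROM ubuntu:<release>@sha256:<digest>` (placeholder values). `ENV DEBIAN_FRONTEND=noninteractive` also persists into the running container, whereas `ARG DEBIAN_FRONTEND=noninteractive` keeps it build-only. `pip3 install ansible pytest-testinfra` and `gem install conjur-cli` are unpinned too, so versions or a hash-checked requirements file would stop the image contents drifting between builds.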
diff --git a/roles/conjur_host_identity/tests/docker-compose.yml b/roles/conjur_host_identity/tests/docker-compose.yml index 7c0422fb..7fc96f50 100644 --- a/roles/conjur_host_identity/tests/docker-compose.yml +++ b/roles/conjur_host_identity/tests/docker-compose.yml @@ -4,6 +4,7 @@ services: build: context: . dockerfile: Dockerfile + command: /bin/sleep 1d environment: CONJUR_APPLIANCE_URL: http://conjur:3000 CONJUR_ACCOUNT: cucumber @@ -11,9 +12,13 @@ services: CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY} CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY} COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring + # the configuration because it is in a world-writable working directory, + # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory. + ANSIBLE_CONFIG: ./ansible.cfg volumes: - - ..:/conjurinc/cyberark.conjur.conjur-host-identity/ - - .:/conjurinc/tests/ + - ..:/cyberark/cyberark.conjur.conjur-host-identity/ + - .:/cyberark/tests/ - /var/run/docker.sock:/var/run/docker.sock pg: image: postgres:9.3 diff --git a/roles/conjur_host_identity/tests/inventory-playbook.yml b/roles/conjur_host_identity/tests/inventory-playbook.yml index 01d0d1d4..91d44fcb 100644 --- a/roles/conjur_host_identity/tests/inventory-playbook.yml +++ b/roles/conjur_host_identity/tests/inventory-playbook.yml @@ -3,4 +3,4 @@ hosts: localhost tasks: - name: compile inventory template - template: src=inventory.j2 dest=/conjurinc/tests/inventory.tmp + template: src=inventory.j2 dest=/cyberark/tests/inventory.tmp diff --git a/roles/conjur_host_identity/tests/test.sh b/roles/conjur_host_identity/tests/test.sh index 1c1be478..45d50c6d 100755 --- a/roles/conjur_host_identity/tests/test.sh +++ b/roles/conjur_host_identity/tests/test.sh 
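Review bot: `ANSIBLE_CONFIG: ./ansible.cfg` in the second hunk is a relative path, so the config that gets loaded depends on the directory each `ansible-playbook` call runs from. As the added comment says, setting the variable skips Ansible's refusal to read a config from a world-writable directory, so whatever `ansible.cfg` sits in the current directory is trusted. An absolute path ties it to the intended file; going by the `.:/cyberark/tests/` mount that would be `ANSIBLE_CONFIG: /cyberark/tests/ansible.cfg`. It would also help to extend the comment to say that the world-writable check is being bypassed on purpose for the test container only.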
@@ -1,14 +1,19 @@ -#!/bin/bash -e -set -x +#!/bin/bash +set -ex -function finish { +function clean { echo 'Removing test environment' echo '---' docker-compose down -v rm -rf inventory.tmp } +function finish { + rv=$? + clean || true + exit $rv +} trap finish EXIT -finish +clean # normalises project name by filtering non alphanumeric characters and transforming to lowercase declare -x COMPOSE_PROJECT_NAME @@ -43,7 +48,7 @@ function setup_conjur { docker exec ${cli_cid} conjur policy load root /policy/root.yml # set secret values - docker exec ${cli_cid} bash -c ' + docker exec ${cli_cid} bash -ec ' conjur variable values add ansible/target-password target_secret_password ' } @@ -60,11 +65,11 @@ function run_test_case { local test_case=$1 if [ -n "$test_case" ] then - docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c " + docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec " cd tests ansible-playbook test_cases/${test_case}/playbook.yml " - docker exec "${ansible_cid}" bash -c " + docker exec "${ansible_cid}" bash -ec " cd tests py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py " @@ -81,7 +86,7 @@ function teardown_and_setup { function wait_for_server { # shellcheck disable=SC2016 - docker exec "${cli_cid}" bash -c ' + docker exec "${cli_cid}" bash -ec ' for i in $( seq 20 ); do curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break echo "." @@ -96,7 +101,7 @@ function fetch_ssl_cert { function generate_inventory { # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME - docker-compose exec -T ansible bash -c ' + docker-compose exec -T ansible bash -ec ' cd tests ansible-playbook inventory-playbook.yml ' diff --git a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml index 782091df..6972b50e 100644 
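Review bot: With `set -ex` enabled in the first hunk, the `docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec` call in the `run_test_case` hunk is traced with the substitution expanded. The host factory token is therefore written to the CI log on every run. Turn tracing off around that one call, with `{ set +x; } 2>/dev/null` before it and `set -x` after it. `hf_token` is defined outside the hunks shown, so check whether its own commands echo the token under xtrace as well. The body of `run_test_case` continues past the end of the hunk.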
--- a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml +++ b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml @@ -2,7 +2,7 @@ - name: Configuring conjur identity on remote hosts hosts: testapp roles: - - role: cyberark.conjur.conjur-host-identity + - role: "cyberark.conjur.conjur-host-identity" conjur_account: cucumber conjur_appliance_url: "https://conjur-proxy-nginx" conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}" diff --git a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py index 245c1711..80513230 100644 --- a/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py +++ b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py @@ -4,7 +4,7 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '/conjurinc/tests/inventory.tmp').get_hosts('testapp') + '/cyberark/tests/inventory.tmp').get_hosts('testapp') def test_hosts_file(host):