cyberark · doodlesbykumbi · Nov 12, 2021 · Nov 9, 2021 · Nov 11, 2021
@@ -8,8 +8,6 @@
 #    - devel
 #
 #Python versions:
-#    - Python 2.7
-#    - Python 3.7
 #    - Python 3.8
 
 name: CI
@@ -36,8 +34,6 @@ jobs:
           - stable-2.10
           - devel
         python:
-          - 2.7
-          - 3.7
           - 3.8
     runs-on: ubuntu-latest
     steps:

@@ -96,9 +96,9 @@ Configure a remote node with a Conjur identity and Summon:
 - hosts: servers
   roles:
     - role: cyberark.conjur.conjur-host-identity
-      conjur_appliance_url: 'https://conjur.myorg.com',
-      conjur_account: 'myorg',
-      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}",
+      conjur_appliance_url: 'https://conjur.myorg.com'
+      conjur_account: 'myorg'
+      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
       conjur_host_name: "{{ inventory_hostname }}"
       conjur_ssl_certificate: "{{ lookup('file', '/path/to/conjur.pem') }}"
       conjur_validate_certs: yes

@@ -1,4 +1,4 @@
-#!/bin/bash -x
+#!/bin/bash -ex
 
 # Test runner for Ansible Conjur Collection
 
@@ -41,7 +41,7 @@ function run_role_test {
 
 # Handles input to dictate wether all tests should be ran, or just one set
 function handle_input {
-    if [[ ! -z ${target} ]]; then
+    if [[ -n ${target} ]]; then
         for test_dir in "${test_directories[@]}"; do 
             if [[ ${target} == "${test_dir}" ]]; then
                 run_test ${target}
@@ -85,6 +85,11 @@ while getopts ahd: option; do
             ;;
         h) help
             ;;
+        * )
+          echo "$1 is not a valid option"
+          help
+          exit 1
+          ;;
     esac
 done
 
@@ -1,24 +1,42 @@
-FROM ubuntu:18.04
+FROM ubuntu:latest
 
-RUN apt-get update && apt-get install -y \
-    apt-transport-https \
-    ca-certificates \
-    curl \
-    software-properties-common \
-    python3-pip
+ENV DEBIAN_FRONTEND=noninteractive
 
-RUN pip3 install pytest pytest-testinfra ansible && mkdir -p /conjurinc/
+WORKDIR /cyberark
 
+# install ansible
+RUN apt-get update && \
+    apt-get install -y ansible
+
+# install python 3
+RUN apt-get update && \
+    apt-get install -y python3-pip && \
+    pip3 install --upgrade pip==9.0.3
+
+# install ansible and its test tool
+RUN pip3 install ansible pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+    apt-get install -y apt-transport-https \
+                       ca-certificates \
+                       curl \
+                       software-properties-common
+
+# install docker
 RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
 RUN add-apt-repository \
        "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
        $(lsb_release -cs) \
        stable"
-RUN apt-get update && apt-get -y install docker-ce
+
+RUN apt-get update && \
+    apt-get -y install docker-ce
+
+# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a
+# standard container image for running ansible tests
+
+# install ruby
 RUN apt-get update && apt-get install -y gcc build-essential
 RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.4 ruby2.4-dev
 RUN gem install conjur-cli
-
-WORKDIR /conjurinc/
-
-CMD ["/bin/sleep", "1d"]
@@ -3,5 +3,5 @@ host_key_checking = False
 error_on_undefined_vars = True
 timeout = 60
 inventory = inventory.tmp
-roles_path = /conjurinc
+roles_path = /cyberark
 remote_tmp = /tmp
@@ -4,16 +4,21 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
+    command: /bin/sleep 1d
     environment:
       CONJUR_APPLIANCE_URL: http://conjur:3000
       CONJUR_ACCOUNT: cucumber
       CONJUR_AUTHN_LOGIN: host/ansible/ansible-master
       CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY}
       CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY}
       COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+      # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring
+      # the configuration because it is in a world-writable working directory,
+      # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory.
+      ANSIBLE_CONFIG: ./ansible.cfg
     volumes:
-      - ..:/conjurinc/cyberark.conjur.conjur-host-identity/
-      - .:/conjurinc/tests/
+      - ..:/cyberark/cyberark.conjur.conjur-host-identity/
+      - .:/cyberark/tests/
       - /var/run/docker.sock:/var/run/docker.sock
   pg:
     image: postgres:9.3

@@ -3,4 +3,4 @@
   hosts: localhost
   tasks:
     - name: compile inventory template
-      template: src=inventory.j2 dest=/conjurinc/tests/inventory.tmp
+      template: src=inventory.j2 dest=/cyberark/tests/inventory.tmp
@@ -1,14 +1,19 @@
-#!/bin/bash -e
-set -x
+#!/bin/bash
+set -ex
 
-function finish {
+function clean {
   echo 'Removing test environment'
   echo '---'
   docker-compose down -v
   rm -rf inventory.tmp
 }
+function finish {
+  rv=$?
+  clean || true
+  exit $rv
+}
 trap finish EXIT
-finish
+clean
 
 # normalises project name by filtering non alphanumeric characters and transforming to lowercase
 declare -x COMPOSE_PROJECT_NAME
@@ -22,7 +27,7 @@ declare ansible_cid=''
 
 function api_key_for {
   local role_id=$1
-  if [ ! -z "$role_id" ]
+  if [ -n "$role_id" ]
   then
     docker exec ${conjur_cid} rails r "print Credentials['${role_id}'].api_key"
   else
@@ -43,7 +48,7 @@ function setup_conjur {
   docker exec ${cli_cid} conjur policy load root /policy/root.yml
 
   # set secret values
-  docker exec ${cli_cid} bash -c '
+  docker exec ${cli_cid} bash -ec '
     conjur variable values add ansible/target-password target_secret_password
   '
 }
@@ -58,13 +63,13 @@ function run_test_cases {
 function run_test_case {
   echo "---- testing ${test_case} ----"
   local test_case=$1
-  if [ ! -z "$test_case" ]
+  if [ -n "$test_case" ]
   then
-    docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c "
+    docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec "
       cd tests
       ansible-playbook test_cases/${test_case}/playbook.yml
     "
-    docker exec "${ansible_cid}" bash -c "
+    docker exec "${ansible_cid}" bash -ec "
       cd tests
       py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py
     "
@@ -81,7 +86,7 @@ function teardown_and_setup {
 
 function wait_for_server {
   # shellcheck disable=SC2016
-  docker exec "${cli_cid}" bash -c '
+  docker exec "${cli_cid}" bash -ec '
     for i in $( seq 20 ); do
       curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break
       echo "."
@@ -96,7 +101,7 @@ function fetch_ssl_cert {
 
 function generate_inventory {
   # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME
-  docker-compose exec -T ansible bash -c '
+  docker-compose exec -T ansible bash -ec '
     cd tests
     ansible-playbook inventory-playbook.yml
   '

@@ -2,7 +2,7 @@
 - name: Configuring conjur identity on remote hosts
   hosts: testapp
   roles:
-    - role: cyberark.conjur.conjur-host-identity
+    - role: "cyberark.conjur.conjur-host-identity"
       conjur_account: cucumber
       conjur_appliance_url: "https://conjur-proxy-nginx"
       conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"

@@ -4,7 +4,7 @@
 import testinfra.utils.ansible_runner
 
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    '/conjurinc/tests/inventory.tmp').get_hosts('testapp')
+    '/cyberark/tests/inventory.tmp').get_hosts('testapp')
 
 
 def test_hosts_file(host):

@@ -90,7 +90,7 @@ function run_test_case {
   local test_case=$1
   echo "---- testing ${test_case} ----"
 
-  if [ ! -n "$test_case" ]; then
+  if [ -z "$test_case" ]; then
     echo ERROR: run_test called with no argument 1>&2
     exit 1
   fi

@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+tests/conjur_variable/test.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/test.sh shebang
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python