author | Matt Clay <matt@mystile.com> | 2022-07-18 10:19:25 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-18 10:19:25 -0700 |
commit | ee4588abcaa988debc90ddbabaf3ac2817329524 (patch) | |
tree | ee342e8a4e775954befcd394995b0fdde923239c /test/integration | |
parent | b63812bc08fd00fd772c28a2604f77f487d23104 (diff) | |
Split integration test fixes. (#78281)
* Add setup_test_user integration target.
This integration target creates a temporary test user and removes
it when the current integration target finishes. This user is
configured with a password so it can be used with become, even
when the current user is unprivileged.
* Fix slurp integration test.
* Fix unarchive integration test.
* Fix module_utils integration test.
Diffstat (limited to 'test/integration')
14 files changed, 152 insertions, 115 deletions
diff --git a/test/integration/targets/module_utils/aliases b/test/integration/targets/module_utils/aliases
index 64d1b64a40..05255a3d89 100644
--- a/test/integration/targets/module_utils/aliases
+++ b/test/integration/targets/module_utils/aliases
@@ -1,5 +1,6 @@
 shippable/posix/group3
 needs/root
-needs/target/setup_nobody
+needs/target/setup_test_user
 needs/target/setup_remote_tmp_dir
 context/target
+destructive
diff --git a/test/integration/targets/module_utils/module_utils_basic_setcwd.yml b/test/integration/targets/module_utils/module_utils_basic_setcwd.yml
index 2b2b6dbd04..71317f9c29 100644
--- a/test/integration/targets/module_utils/module_utils_basic_setcwd.yml
+++ b/test/integration/targets/module_utils/module_utils_basic_setcwd.yml
@@ -1,25 +1,50 @@
 - hosts: testhost
 gather_facts: no
 tasks:
- - name: make sure the nobody user is available
+ - name: make sure the test user is available
 include_role:
- name: setup_nobody
+ name: setup_test_user
 - name: verify AnsibleModule works when cwd is missing
 test_cwd_missing:
 register: missing
- - name: verify AnsibleModule works when cwd is unreadable
- test_cwd_unreadable:
- register: unreadable
- become: yes
- become_user: nobody # root can read cwd regardless of permissions, so a non-root user is required here
+ - name: record the mode of the connection user's home directory
+ stat:
+ path: "~"
+ vars:
+ ansible_become: no
+ register: connection_user_home
+
+ - name: limit access to the connection user's home directory
+ file:
+ state: directory
+ path: "{{ connection_user_home.stat.path }}"
+ mode: "0700"
+ vars:
+ ansible_become: no
+
+ - block:
+ - name: verify AnsibleModule works when cwd is unreadable
+ test_cwd_unreadable:
+ register: unreadable
+ vars: &test_user_become
+ ansible_become: yes
+ ansible_become_user: "{{ test_user_name }}" # root can read cwd regardless of permissions, so a non-root user is required here
+ ansible_become_password: "{{ test_user_plaintext_password }}"
+ always:
+ - name: restore access to the connection user's home directory
+ file:
+ state: directory
+ path: "{{ connection_user_home.stat.path }}"
+ mode: "{{ connection_user_home.stat.mode }}"
+ vars:
+ ansible_become: no
 - name: get real path of home directory of the unprivileged user
 raw: "{{ ansible_python_interpreter }} -c 'import os.path; print(os.path.realpath(os.path.expanduser(\"~\")))'"
 register: home
- become: yes
- become_user: nobody
+ vars: *test_user_become
 - name: verify AnsibleModule was able to adjust cwd as expected
 assert:
diff --git a/test/integration/targets/setup_test_user/handlers/main.yml b/test/integration/targets/setup_test_user/handlers/main.yml
new file mode 100644
index 0000000000..dec4bd7535
--- /dev/null
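Review bot: In module_utils_basic_setcwd.yml the trailing comment on the `ansible_become_user` line sits inside the `&test_user_become` mapping, which the later "get real path of home directory" task reuses through `*test_user_become`, so the explanation is attached to shared data rather than to the one task it describes. Moving it above the unreadable-cwd task as its own line, e.g. `# root can read cwd regardless of permissions, so this task must run as a non-root user`, keeps the anchor neutral. The `mode: "0700"` task would also benefit from a short comment stating why the connection user's home is tightened; presumably it is what makes the working directory unreadable to the test user, but the hunk does not say so. The play continues past the end of the hunk.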
+++ b/test/integration/targets/setup_test_user/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: delete test user
+ user:
+ name: "{{ test_user_name }}"
+ state: absent
+ remove: yes
+ force: yes
diff --git a/test/integration/targets/setup_test_user/tasks/default.yml b/test/integration/targets/setup_test_user/tasks/default.yml
new file mode 100644
index 0000000000..83ee8f1e69
--- /dev/null
+++ b/test/integration/targets/setup_test_user/tasks/default.yml
@@ -0,0 +1,14 @@
+- name: set variables
+ set_fact:
+ test_user_name: ansibletest0
+ test_user_group: null
+
+- name: set plaintext password
+ no_log: yes
+ set_fact:
+ test_user_plaintext_password: "{{ lookup('password', '/dev/null') }}"
+
+- name: set hashed password
+ no_log: yes
+ set_fact:
+ test_user_hashed_password: "{{ test_user_plaintext_password | password_hash('sha512') }}"
diff --git a/test/integration/targets/setup_test_user/tasks/macosx.yml b/test/integration/targets/setup_test_user/tasks/macosx.yml
new file mode 100644
index 0000000000..d33ab04e50
--- /dev/null
+++ b/test/integration/targets/setup_test_user/tasks/macosx.yml
@@ -0,0 +1,14 @@
+- name: set variables
+ set_fact:
+ test_user_name: ansibletest0
+ test_user_group: staff
+
+- name: set plaintext password
+ no_log: yes
+ set_fact:
+ test_user_plaintext_password: "{{ lookup('password', '/dev/null') }}"
+
+- name: set hashed password
+ no_log: yes
+ set_fact:
+ test_user_hashed_password: "{{ test_user_plaintext_password }}"
diff --git a/test/integration/targets/setup_test_user/tasks/main.yml b/test/integration/targets/setup_test_user/tasks/main.yml
new file mode 100644
index 0000000000..5adfb13d6d
--- /dev/null
+++ b/test/integration/targets/setup_test_user/tasks/main.yml
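Review bot: In setup_test_user/tasks/macosx.yml the fact named `test_user_hashed_password` is assigned the plaintext password unchanged, which reads like a mistake next to default.yml, where the same fact is produced with `password_hash('sha512')`. The `user` module documents that its `password` option takes cleartext on macOS, so this is presumably intentional, but nothing in the file says so. A comment above the task, e.g. `# the user module expects a cleartext password on macOS, so no hashing is done here`, would stop a later reader from adding a hash filter or from treating the variable as safe to display because of its name.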
@@ -0,0 +1,37 @@
+- name: gather distribution facts
+ gather_facts:
+ gather_subset: distribution
+ when: ansible_distribution is not defined
+
+- name: include distribution specific tasks
+ include_tasks: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution | lower }}.yml"
+ - default.yml
+ paths:
+ - tasks
+
+- name: create test user
+ user:
+ name: "{{ test_user_name }}"
+ group: "{{ test_user_group or omit }}"
+ password: "{{ test_user_hashed_password or omit }}"
+ register: test_user
+ notify:
+ - delete test user
+
+- name: run whoami as the test user
+ shell: whoami
+ vars:
+ # ansible_become_method and ansible_become_flags are not set, allowing them to be provided by inventory
+ ansible_become: yes
+ ansible_become_user: "{{ test_user_name }}"
+ ansible_become_password: "{{ test_user_plaintext_password }}"
+ register: whoami
+
+- name: verify becoming the test user worked
+ assert:
+ that:
+ - whoami.stdout == test_user_name
diff --git a/test/integration/targets/slurp/aliases b/test/integration/targets/slurp/aliases
index a6dafcf8cd..6eae8bd8dd 100644
--- a/test/integration/targets/slurp/aliases
+++ b/test/integration/targets/slurp/aliases
@@ -1 +1,2 @@
 shippable/posix/group1
+destructive
diff --git a/test/integration/targets/slurp/defaults/main.yml b/test/integration/targets/slurp/defaults/main.yml
deleted file mode 100644
index 05d1041e76..0000000000
--- a/test/integration/targets/slurp/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-become_test_user: testuser
diff --git a/test/integration/targets/slurp/handlers/main.yml b/test/integration/targets/slurp/handlers/main.yml
deleted file mode 100644
index eeda7cedb5..0000000000
--- a/test/integration/targets/slurp/handlers/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-- name: remove test user and their home dir
- user:
- name: "{{ become_test_user }}"
- state: absent
- remove: yes
- force: yes
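Review bot: In setup_test_user/tasks/main.yml the account is removed only by the `delete test user` handler notified from `create test user`, and handlers are skipped on a host whose play fails unless handlers are forced. If the test runner does not force them (not visible in this diff), a failing target leaves `ansibletest0` on the host with a working password, whereas the `always:` sections this commit removes from the unarchive tests cleaned up on failure too. Either document that requirement in the role or keep a cleanup path that also runs on failure. Separately, the account name is fixed, so an `ansibletest0` that already exists would have its password changed and then be deleted with `remove: yes` and `force: yes`; a pre-check that fails when the user is already present would guard against that.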
diff --git a/test/integration/targets/slurp/meta/main.yml b/test/integration/targets/slurp/meta/main.yml
index 1810d4bec9..3448eceff3 100644
--- a/test/integration/targets/slurp/meta/main.yml
+++ b/test/integration/targets/slurp/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
 - setup_remote_tmp_dir
+ - setup_test_user
diff --git a/test/integration/targets/slurp/tasks/test_unreadable.yml b/test/integration/targets/slurp/tasks/test_unreadable.yml
index f8a3cfe7c2..cab80cfa02 100644
--- a/test/integration/targets/slurp/tasks/test_unreadable.yml
+++ b/test/integration/targets/slurp/tasks/test_unreadable.yml
@@ -17,12 +17,6 @@
 # Ensure unreadable file and directory handling and error messages
 # https://github.com/ansible/ansible/issues/67340
-- name: create test user
- user:
- name: "{{ become_test_user }}"
- create_home: yes
- notify:
- - "remove test user and their home dir"
 - name: create unreadable file
 copy:
@@ -35,9 +29,10 @@
 slurp:
 src: "{{ remote_tmp_dir }}/qux.txt"
 register: slurp_unreadable_file
- become: yes
- become_user: "{{ become_test_user }}"
- become_method: su
+ vars: &test_user_become
+ ansible_become: yes
+ ansible_become_user: "{{ test_user_name }}"
+ ansible_become_password: "{{ test_user_plaintext_password }}"
 ignore_errors: yes
 - name: create unreadable directory
@@ -51,9 +46,7 @@
 slurp:
 src: "{{ remote_tmp_dir }}/test_data"
 register: slurp_unreadable_dir
- become: yes
- become_user: "{{ become_test_user }}"
- become_method: su
+ vars: *test_user_become
 ignore_errors: yes
 - name: Try to access file as directory
diff --git a/test/integration/targets/unarchive/meta/main.yml b/test/integration/targets/unarchive/meta/main.yml
index 56245b3d2d..ae54a4eb3c 100644
--- a/test/integration/targets/unarchive/meta/main.yml
+++ b/test/integration/targets/unarchive/meta/main.yml
@@ -1,4 +1,4 @@
 dependencies:
- - prepare_tests
 - setup_remote_tmp_dir
 - setup_gnutar
+ - setup_test_user
diff --git a/test/integration/targets/unarchive/tasks/test_ownership_top_folder.yml b/test/integration/targets/unarchive/tasks/test_ownership_top_folder.yml
index 75bd125b6b..da40108bf3 100644
--- a/test/integration/targets/unarchive/tasks/test_ownership_top_folder.yml
+++ b/test/integration/targets/unarchive/tasks/test_ownership_top_folder.yml
@@ -1,73 +1,50 @@
-- name: Create unarchivetest3 user
- user:
- name: unarchivetest3
- group: "{{ group_table[ansible_facts['distribution']] | default(omit) }}"
- register: user
- vars:
- group_table:
- MacOSX: staff
-
 - name: Test unarchiving as root and apply different ownership to top folder
- become: yes
- become_user: root
+ vars:
+ ansible_become: yes
+ ansible_become_user: root
+ ansible_become_password: null
 block:
-
 - name: Create top folder owned by root
 file:
- path: "{{ user.home }}/tarball-top-folder"
+ path: "{{ test_user.home }}/tarball-top-folder"
 state: directory
 owner: root
 - name: Add a file owned by root
 copy:
 src: foo.txt
- dest: "{{ user.home }}/tarball-top-folder/foo-unarchive.txt"
+ dest: "{{ test_user.home }}/tarball-top-folder/foo-unarchive.txt"
 mode: preserve
 - name: Create a tarball as root. This tarball won't list the top folder when doing "tar tvf test-tarball.tar.gz"
 shell: tar -czf test-tarball.tar.gz tarball-top-folder/foo-unarchive.txt
 args:
- chdir: "{{ user.home }}"
- creates: "{{ user.home }}/test-tarball.tar.gz"
+ chdir: "{{ test_user.home }}"
+ creates: "{{ test_user.home }}/test-tarball.tar.gz"
- - name: Create unarchive destination folder in /home/unarchivetest3/unarchivetest3-unarchive
+ - name: Create unarchive destination folder in {{ test_user.home }}/unarchivetest3-unarchive
 file:
- path: "{{ user.home }}/unarchivetest3-unarchive"
+ path: "{{ test_user.home }}/unarchivetest3-unarchive"
 state: directory
- owner: unarchivetest3
- group: "{{ user.group }}"
+ owner: "{{ test_user.name }}"
+ group: "{{ test_user.group }}"
- - name: unarchive the tarball as root. apply ownership for unarchivetest3
+ - name: "unarchive the tarball as root. apply ownership for {{ test_user.name }}"
 unarchive:
- src: "{{ user.home }}/test-tarball.tar.gz"
- dest: "{{ user.home }}/unarchivetest3-unarchive"
+ src: "{{ test_user.home }}/test-tarball.tar.gz"
+ dest: "{{ test_user.home }}/unarchivetest3-unarchive"
 remote_src: yes
 list_files: True
- owner: unarchivetest3
- group: "{{ user.group }}"
+ owner: "{{ test_user.name }}"
+ group: "{{ test_user.group }}"
 - name: Stat the extracted top folder
 stat:
- path: "{{ user.home }}/unarchivetest3-unarchive/tarball-top-folder"
+ path: "{{ test_user.home }}/unarchivetest3-unarchive/tarball-top-folder"
 register: top_folder_info
- - name: verify that extracted top folder is owned by unarchivetest3
+ - name: "verify that extracted top folder is owned by {{ test_user.name }}"
 assert:
 that:
- - top_folder_info.stat.pw_name == "unarchivetest3"
- - top_folder_info.stat.gid == {{ user.group }}
-
- always:
- - name: remove our unarchivetest3 user and files
- user:
- name: unarchivetest3
- state: absent
- remove: yes
- become: no
-
- - name: Remove user home directory on macOS
- file:
- path: /Users/unarchivetest3
- state: absent
- become: no
- when: ansible_facts.distribution == 'MacOSX'
+ - top_folder_info.stat.pw_name == test_user.name
+ - top_folder_info.stat.gid == test_user.group
diff --git a/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml b/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml
index 0fb2df4dbf..8ee1db49e4 100644
--- a/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml
+++ b/test/integration/targets/unarchive/tasks/test_unprivileged_user.yml
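Review bot: In test_ownership_top_folder.yml the block's `vars:` sets `ansible_become_password: null` without saying why, and the hunk alone does not show what a root become would otherwise inherit. If the intent is to keep a become password defined elsewhere (for example the test user's) from being offered when becoming root, a comment above the line such as `# clear any inherited become password for the root become` would make that explicit. It would also help to note in the file that the directories created under `{{ test_user.home }}` are cleaned up only when the test user is deleted, since the `always:` section that removed them is gone.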
@@ -1,44 +1,37 @@
-- name: Create unarchivetest1 user
- user:
- name: unarchivetest1
- group: "{{ group_table[ansible_facts['distribution']] | default(omit) }}"
- register: user
- vars:
- group_table:
- MacOSX: staff
-
 - name: Test unarchiving twice as unprivileged user
- become: yes
- become_user: unarchivetest1
+ vars:
+ ansible_become: yes
+ ansible_become_user: "{{ test_user_name }}"
+ ansible_become_password: "{{ test_user_plaintext_password }}"
 block:
 - name: prep our file
 copy:
 src: foo.txt
- dest: "{{ user.home }}/foo-unarchive.txt"
+ dest: "{{ test_user.home }}/foo-unarchive.txt"
 mode: preserve
- - name: Prep a zip file as unarchivetest1 user
+ - name: Prep a zip file as {{ test_user.name }} user
 shell: zip unarchivetest1-unarchive.zip foo-unarchive.txt
 args:
- chdir: "{{ user.home }}"
- creates: "{{ user.home }}/unarchivetest1-unarchive.zip"
+ chdir: "{{ test_user.home }}"
+ creates: "{{ test_user.home }}/unarchivetest1-unarchive.zip"
- - name: create our zip unarchive destination as unarchivetest1 user
+ - name: create our zip unarchive destination as {{ test_user.name }} user
 file:
- path: "{{ user.home }}/unarchivetest1-unarchive-zip"
+ path: "{{ test_user.home }}/unarchivetest1-unarchive-zip"
 state: directory
- - name: unarchive a zip file as unarchivetest1 user
+ - name: unarchive a zip file as {{ test_user.name }} user
 unarchive:
- src: "{{ user.home }}/unarchivetest1-unarchive.zip"
- dest: "{{ user.home }}/unarchivetest1-unarchive-zip"
+ src: "{{ test_user.home }}/unarchivetest1-unarchive.zip"
+ dest: "{{ test_user.home }}/unarchivetest1-unarchive-zip"
 remote_src: yes
 list_files: True
 register: unarchive10
 - name: stat the unarchived file
 stat:
- path: "{{ user.home }}/unarchivetest1-unarchive-zip/foo-unarchive.txt"
+ path: "{{ test_user.home }}/unarchivetest1-unarchive-zip/foo-unarchive.txt"
 register: archive_path
 - name: verify that the tasks performed as expected
@@ -53,8 +46,8 @@
 - name: repeat the last request to verify no changes
 unarchive:
- src: "{{ user.home }}/unarchivetest1-unarchive.zip"
- dest: "{{ user.home }}/unarchivetest1-unarchive-zip"
+ src: "{{ test_user.home }}/unarchivetest1-unarchive.zip"
+ dest: "{{ test_user.home }}/unarchivetest1-unarchive-zip"
 remote_src: yes
 list_files: True
 register: unarchive10b
@@ -68,21 +61,3 @@
 that:
 - unarchive10b is not changed
 ignore_errors: yes
-
- always:
- - name: remove our unarchivetest1 user and files
- user:
- name: unarchivetest1
- state: absent
- remove: yes
- force: yes
- become: yes
- become_user: root
-
- - name: ensure home directory has been removed
- stat:
- path: "{{ user.home }}"
- become: yes
- become_user: root
- register: home_dir
- failed_when: home_dir.stat.exists
|