test/integration/playbook.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

---
- hosts: all
  become: true
  vars:
    no_rvm: no
    myuser: vagrant
    mygroup: vagrant
    homedir: /home/vagrant
    ruby_version: '2.7.7'
    ruby_versions_ssl1:
      - '2.6.10'
      - '2.7.7'
      - '3.0.5'
    ruby_versions:
      - '3.2.1'
      - '3.1.3'
    rvm_install_path: '/usr/local/rvm'
    foopwd: "$6$mhOzf/yapZwS$3RwDl4GfWZ5VcfcsHrK9xNNTxyzLOJBsmMttDNaegIbXxMahV86.v/5HsNtit16MEl0EFf5CSW8Dz2yXV.8GB0"
    foo2pwd: "$6$JiB7y7.M0yI$Abt.ZGIc4DwkRWeI6nKxzzPUZcux7hLRXSdpoKoZvswJz1SZyg5GRQWn9pGID0dgC6e4wFglfW6ev/qZoTqGk/"
    openssh_version: '9.3p1'
    openssh_with_ssl1: False
  pre_tasks:
    - name: get currently installed ruby version
      command: "{{rvm_install_path}}/rubies/ruby-{{ruby_version}}/bin/ruby -e 'puts \"#{RUBY_VERSION}\"'"
      register: current_ruby_version
      ignore_errors: true
    - name: check openssl version
      shell: "openssl version"
      ignore_errors: true
      register: openssl_version_query
    - name: Install openssl-1.1.1g
      block:
        - name: "Download openssl-1.1.1g sources"
          unarchive:
            src: https://www.openssl.org/source/openssl-1.1.1g.tar.gz
            dest: /tmp
            remote_src: True
            validate_certs: False
        - name: Install openssl 1.1
          command: sh -c "./config --prefix=/opt/openssl-1.1.1g --openssldir=/opt/openssl-1.1.1g && make && sudo make install"
          args:
            chdir: /tmp/openssl-1.1.1g
            creates: /opt/openssl-1.1.1g/lib/libssl.so
      when:
        openssl_version_query.stdout.find('OpenSSL 3.') != -1
  roles:
    - { role: rvm.ruby,
        tags: ruby,
        become: true,
        rvm1_user: 'root',
        rvm1_rubies: "{{ ruby_versions_ssl1 }}",
        rvm1_install_path: "{{rvm_install_path}}",
        rvm1_install_flags: '--auto-dotfiles', # Make sure RVM sets itself up so the user has access to it
        rvm1_ruby_install_flags: '--with-openssl-dir=/opt/openssl-1.1.1g',
        rvm1_gpg_key_server: 'hkp://keys.openpgp.org',
        when: "current_ruby_version.stdout|default() != ruby_version and not no_rvm and openssl_version_query.stdout.find('OpenSSL 3.') != -1" 
      }
  tasks:
    - name: Install packages
      apt:
        pkg:
          - libssl-dev
          - build-essential
    - group: name="{{mygroup}}" state=present
    - user: name=net_ssh_1 password="{{foopwd}}" group="{{mygroup}}" state=present
    - user: name=net_ssh_2 password="{{foo2pwd}}" group="{{mygroup}}" state=present
    - file: dest=/home/net_ssh_1/.ssh/ state=directory mode=0740 owner=net_ssh_1
    - file: dest=/home/net_ssh_2/.ssh/ state=directory mode=0740 owner=net_ssh_2
    - lineinfile: dest=/etc/sudoers.d/net_ssh_1 mode=0440 state=present create=yes
        line='net_ssh_1 ALL=(ALL) NOPASSWD:ALL' regexp=net_ssh_1
    - lineinfile: dest=/etc/sudoers.d/net_ssh_1 mode=0440 state=present create=yes
        line='net_ssh_2 ALL=(ALL) NOPASSWD:ALL' regexp=net_ssh_2
    - unarchive:
        src: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-{{openssh_version}}.tar.gz
        dest: /tmp
        remote_src: True
        validate_certs: False
    - name: building and installing openssh {{openssh_version}} with OpenSSL 1 (used in forward test)
      command: sh -c "LD_LIBRARY_PATH=/opt/openssl-1.1.1g/lib ./configure --prefix=/opt/net-ssh-openssh --with-ssl-dir=/opt/openssl-1.1.1g --with-ldflags="-fcommon -L/opt/openssl-1.1.1g/lib" && make && sudo make install"
      args:
        chdir: /tmp/openssh-{{openssh_version}}/
        creates: /opt/net-ssh-openssh
      when:
        openssh_with_ssl1 == True
    - name: building and installing openssh {{openssh_version}} (used in forward test)
      command: sh -c "./configure --prefix=/opt/net-ssh-openssh && make && sudo make install"
      args:
        chdir: /tmp/openssh-{{openssh_version}}/
        creates: /opt/net-ssh-openssh
      when:
        openssh_with_ssl1 != True
    - name: drop installed openssh etc/ in favor of symlink
      file:
        state: absent
        path: /opt/net-ssh-openssh/etc
    - name: creating symlink between system etc/ssh/ and our etc/
      file:
        src: /etc/ssh
        dest: /opt/net-ssh-openssh/etc
        state: link
    - command: ssh-keygen -A
      args:
        creates: /etc/ssh/ssh_host_ed25519_key
      notify: restart sshd
    - name: sshd debug
      lineinfile: dest='/etc/ssh/sshd_config' line='LogLevel DEBUG' regexp=LogLevel
      notify: restart sshd
    - name: sshd allow interactive
      lineinfile: dest='/etc/ssh/sshd_config' line='ChallengeResponseAuthentication yes' regexp='^ChallengeResponseAuthentication.+'
      notify: restart sshd
    - command: ssh-keygen -f /etc/ssh/users_ca -N ''
      args:
        creates: /etc/ssh/users_ca.pub
      notify: restart sshd
    - name: sshd cert auth
      lineinfile: dest='/etc/ssh/sshd_config' line='TrustedUserCAKeys /etc/ssh/users_ca.pub'
      notify: restart sshd
    - name: sshd allow forward
      lineinfile: dest='/etc/ssh/sshd_config' line='AllowTcpForwarding all' regexp=AllowTcpForwarding
      notify: restart sshd
    - name: sshd allow forward
      lineinfile: dest='/etc/ssh/sshd_config' line='GatewayPorts yes' regexp=GatewayPorts
      notify: restart sshd
    - name: disable x11 forward
      lineinfile: dest='/etc/ssh/sshd_config' line='X11Forwarding no' regexp=X11Forwarding
      notify: restart sshd
    - name: sshd allow forward
      lineinfile: dest='/etc/ssh/sshd_config' line='#PasswordAuthentication no' regexp='#?PasswordAuthentication.+no'
      notify: restart sshd
    - name: sshd allow forward
      lineinfile: dest='/etc/ssh/sshd_config' line='PasswordAuthentication yes' regexp=PasswordAuthentication
      notify: restart sshd
    - name: put NET_SSH_RUN_INTEGRATION_TESTS=YES environment
      lineinfile: dest='/etc/environment' line='NET_SSH_RUN_INTEGRATION_TESTS=YES'
    - name: change dir in bashrc
      lineinfile: dest="{{homedir}}/.bashrc" owner="{{myuser}}" mode=0644
        regexp='^cd ' line='cd /net-ssh'
    - name: add host aliases1
      lineinfile: dest='/etc/hosts' owner='root' group='root' mode=0644
        regexp='^127\.0\.0\.1\s+gateway.netssh' line='127.0.0.1  gateway.netssh'
    - name: add host aliases2
      lineinfile: dest='/etc/hosts' owner='root' group='root' mode=0644
        regexp='^127\.0\.0\.1\s+one.hosts.netssh' line='127.0.0.1  one.hosts.netssh'
    - name: Update APT Cache
      apt:
        update_cache: yes
        force_apt_get: yes
    - name: Wait for locfile removal
      become: yes
      shell:  while sudo fuser /var/lib/dpkg/lock >/dev/null 2>&1; do sleep 5; done;
    - name: Install packages
      apt:
        pkg:
          - pv
          - libgmp3-dev
          - git
          - libssl-dev
        state: present
    - copy: content='echo "cd /net-ssh ; rake integration-test"' dest=/etc/update-motd.d/99-net-ssh-tests mode=0755
    - name: add user to rvm group so they can change gem wrappers
      user:
        name: "{{myuser}}"
        groups: rvm
        append: yes
      when: "not no_rvm"
  handlers:
    - name: restart sshd
      service: name=ssh state=restarted