From a142d77b90b7e0313d91323c5c5811cc0a0b3ced Mon Sep 17 00:00:00 2001 From: Bradley Boutcher Date: Thu, 13 Aug 2020 16:06:14 -0400 Subject: [PATCH 1/7] Migrate ansible-conjur-host-identity project files - Migrated all relevent project files - Migrated Github issue templates - Migrated misc. files --- .github/ISSUE_TEMPLATE/bug.md | 42 ++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 27 +++++++++ .gitignore | 15 +++++ CONTRIBUTING.md | 11 +++- defaults/main.yml | 7 +++ meta/main.yml | 30 ++++++++++ requirements.txt | 1 + tasks/identity.yml | 68 +++++++++++++++++++++++ tasks/identity_check.yml | 49 ++++++++++++++++ tasks/main.yml | 5 ++ tasks/summon-conjur.yml | 13 +++++ tasks/summon.yml | 7 +++ templates/conjur.conf.j2 | 5 ++ templates/conjur.identity.j2 | 3 + 14 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 .github/ISSUE_TEMPLATE/bug.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 defaults/main.yml create mode 100644 meta/main.yml create mode 100644 requirements.txt create mode 100644 tasks/identity.yml create mode 100644 tasks/identity_check.yml create mode 100644 tasks/main.yml create mode 100644 tasks/summon-conjur.yml create mode 100644 tasks/summon.yml create mode 100644 templates/conjur.conf.j2 create mode 100644 templates/conjur.identity.j2 diff --git a/.github/ISSUE_TEMPLATE/bug.md b/.github/ISSUE_TEMPLATE/bug.md new file mode 100644 index 00000000..e91ec392 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug.md 
@@ -0,0 +1,42 @@ +--- +name: Bug +about: Create a bug report to help us improve +title: '' +labels: kind/bug, component/ansible +assignees: '' + +--- + +## Summary +A clear and concise description of what the bug is. + +## Steps to Reproduce +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +## Expected Results +A clear and concise description of what you expected to happen. + +## Actual Results (including error logs, if applicable) +A clear and concise description of what actually did happen. + +## Reproducible + * [ ] Always + * [ ] Sometimes + * [ ] Non-Reproducible + +## Version/Tag number +What version of the product are you running? Any version info that you can share is helpful. +For example, you might give the version from Docker logs, the Docker tag, a specific download URL, +the output of the `/info` route, etc. + +## Environment setup +Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud? +Which cloud provider? Which container orchestrator (including version)? +The more info you can share about your runtime environment, the better we may be able to reproduce the issue. + +## Additional Information +Add any other context about the problem here. \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..ee0caeee --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,27 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: kind/enhancement, component/ansible +assignees: '' + +--- + +## Is your feature request related to a problem? Please describe. + +A clear and concise description of what the problem is. Ex. `I would like to see [...] because [...]`. +Please include the intended use case and what the feature would improve on so that we can prioritize +the feature accordingly. + +## Describe the solution you would like + +A clear and concise description of what the desired end result(s) would be. + +## Describe alternatives you have considered + +A clear and concise description of any alternative solutions or features that may be related to this that +you have considered. + +## Additional context + +Add any other context information about the feature request here. diff --git a/.gitignore b/.gitignore index 2cb89808..87add2b0 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,18 @@ tests/access_token # Distributable files should not be included in the repo *.tar.gz + +# ansible-conjur-host-identity +*.log +.cache +*.retry +.idea/ +*.pem +*.pyc +**/.molecule/ +**/test-files/output +junit +molecule/conjur.pem +*.tmp +vendor/ +.pytest_cache diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 67d6e8bc..cc05566d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # Contributing to the Ansible Conjur Collection -Thanks for your interest in the Ansible Conjur collection. +For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community). ## Pull Request Workflow @@ -24,3 +24,12 @@ of this plugin: - Create the release on GitHub for that tag - Build the release package with `./ci/build_release` - Attach package to Github Release + +### Testing + +To run the tests: + +```sh-session +$ cd tests +$ ./test.sh +``` \ No newline at end of file 
diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 00000000..4e5477c6 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,7 @@ +summon: + version: 0.6.6 + # TODO - this should dynamically be generated as part of the Ansible fact gathering + os: linux-amd64 +summon_conjur: + version: 0.5.0 + os: linux-amd64 diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 00000000..f0b0d840 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,30 @@ +dependencies: [] + +galaxy_info: + short_description: Grants Conjur machine identity + description: Grants Conjur machine identity to hosts + company: CyberArk + license: Apache + author: + - Dustin Collins (@dustinmm80) + - Oren Ben Meir (@orenbm) + - Jason Vanderhoof (@jvanderhoof) + - Kumbirai Tanekha (@doodlesbykumbi) + - Gary Moon (@garymoon) + + min_ansible_version: '2.3' + + platforms: + - name: Ubuntu + versions: + - trusty + - xenial + - name: EL + versions: + - 7 + + galaxy_tags: + - identity + - cyberark + - conjur + - security diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..1193e198 --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +ansible>=2.5.15 diff --git a/tasks/identity.yml b/tasks/identity.yml new file mode 100644 index 00000000..48b2f81e --- /dev/null +++ b/tasks/identity.yml 
@@ -0,0 +1,68 @@ +--- +- name: Create group conjur + group: + name: conjur + state: present + +- block: + - name: Install "ca-certificates" + package: + name: ca-certificates + retries: 10 + delay: 2 + + - name: Place Conjur public SSL certificate + copy: + dest: "{{ conjur_ssl_certificate_path }}" + content: "{{ conjur_ssl_certificate }}" + mode: 0644 + + - name: Symlink Conjur public SSL certificate into /etc/ssl/certs + file: + src: "{{ conjur_ssl_certificate_path }}" + dest: /etc/ssl/certs/conjur.crt + state: link + register: cert_symlink + + - name: Install openssl-perl Package + yum: + name: openssl-perl + when: + ansible_os_family == 'RedHat' + retries: 10 + delay: 2 + + - name: Rehash certs + command: 'c_rehash' + when: cert_symlink.changed + when: ssl_configuration + +- name: Render /etc/conjur.conf + template: + src: templates/conjur.conf.j2 + dest: /etc/conjur.conf + mode: 0644 + +- block: + - name: Request identity from Conjur + uri: + url: "{{ conjur_appliance_url }}/host_factories/hosts" + method: POST + body: "id={{ conjur_host_name }}" + headers: + Authorization: Token token="{{ conjur_host_factory_token }}" + Content-Type: "application/x-www-form-urlencoded" + status_code: 201 + validate_certs: "{{ conjur_validate_certs }}" + register: host_factory_response + retries: 3 + delay: 10 + until: host_factory_response.status == 201 + + - name: Place identity file /etc/conjur.identity + template: + src: templates/conjur.identity.j2 + dest: /etc/conjur.identity + mode: 0640 + group: conjur + when: not conjurized diff --git a/tasks/identity_check.yml b/tasks/identity_check.yml new file mode 100644 index 00000000..d0f3bba2 --- /dev/null +++ b/tasks/identity_check.yml 
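Review bot: The `Request identity from Conjur` task registers `host_factory_response`, whose JSON body carries the new host's `api_key`, and its `Authorization` header carries `conjur_host_factory_token`; without `no_log: true` both are printed on verbose runs and in the failure output once the three retries are exhausted. Add `no_log: true` to that task, and to `Place identity file /etc/conjur.identity`, whose rendered content includes the key. The form body `body: "id={{ conjur_host_name }}"` is also sent unencoded, so a host name containing `/` or `&` would be mangled; `body: "id={{ conjur_host_name | urlencode }}"` avoids that.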
@@ -0,0 +1,49 @@ +--- +- name: Check if /etc/conjur.identity already exists + stat: + path: /etc/conjur.identity + register: identity_file + +- name: Set fact "conjurized" + set_fact: + conjurized: "{{ identity_file.stat.exists|bool }}" + +- name: Ensure all required variables are set + fail: msg="Variable '{{ item }}' is not set!" + when: item is undefined + with_items: + - "{{ conjur_account }}" + - "{{ conjur_appliance_url }}" + - "{{ conjur_host_name }}" + +- name: Set fact "ssl_configuration" + set_fact: + ssl_configuration: "{{ 'https' in conjur_appliance_url }}" + +- block: + - name: Ensure all required ssl variables are set + fail: msg="Variable '{{ item }}' is not set!" + when: item is undefined + with_items: + - "{{ conjur_ssl_certificate }}" + - "{{ conjur_validate_certs }}" + + - name: Set fact "ssl file path" + set_fact: + conjur_ssl_certificate_path: "/etc/conjur.pem" + when: ssl_configuration + +- block: + - name: Set fact "non ssl configuration" + set_fact: + conjur_ssl_certificate_path: "" + conjur_validate_certs: no + when: not ssl_configuration + +- block: + - name: Ensure "conjur_host_factory_token" is set (if node is not already conjurized) + fail: msg="Variable '{{ item }}' is not set!" + when: item is undefined + with_items: + - "{{ conjur_host_factory_token }}" + when: not conjurized diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 00000000..c75a711a --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- include: identity_check.yml # registers variable 'conjurized' +- include: identity.yml +- include: summon.yml +- include: summon-conjur.yml diff --git a/tasks/summon-conjur.yml b/tasks/summon-conjur.yml new file mode 100644 index 00000000..2e003cd4 --- /dev/null +++ b/tasks/summon-conjur.yml 
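Review bot: The `Ensure all required variables are set` task can never report a missing variable: `with_items` templates the values (`"{{ conjur_account }}"`) before `when` is evaluated, so an undefined variable aborts the loop with a generic undefined-variable error, and a defined one makes `item` a value that is never `undefined`. Loop over the names and test them instead, `with_items: [conjur_account, conjur_appliance_url, conjur_host_name]` with `when: vars[item] is undefined`; the same pattern appears in the ssl-variables block and the `conjur_host_factory_token` block later in this hunk. Separately, `ssl_configuration: "{{ 'https' in conjur_appliance_url }}"` is a substring test, so a plain-http URL whose host name contains `https` is treated as TLS; `conjur_appliance_url is match('^https://')` checks the scheme only.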
@@ -0,0 +1,13 @@ +--- +- name: Create folder for Summon-Conjur to be installed into + file: + path: /usr/local/lib/summon + state: directory + recurse: yes + +- name: Download and unpack Summon-Conjur + unarchive: + src: https://github.com/cyberark/summon-conjur/releases/download/v{{ summon_conjur.version }}/summon-conjur-{{ summon_conjur.os }}.tar.gz + dest: /usr/local/lib/summon + remote_src: yes + creates: /usr/local/lib/summon/summon-conjur diff --git a/tasks/summon.yml b/tasks/summon.yml new file mode 100644 index 00000000..98ae0b82 --- /dev/null +++ b/tasks/summon.yml @@ -0,0 +1,7 @@ +--- +- name: Download and unpack Summon + unarchive: + src: https://github.com/cyberark/summon/releases/download/v{{ summon.version }}/summon-{{ summon.os }}.tar.gz + dest: /usr/local/bin + remote_src: yes + creates: /usr/local/bin/summon diff --git a/templates/conjur.conf.j2 b/templates/conjur.conf.j2 new file mode 100644 index 00000000..cd1403ce --- /dev/null +++ b/templates/conjur.conf.j2 @@ -0,0 +1,5 @@ +account: {{conjur_account}} +appliance_url: {{conjur_appliance_url}} +cert_file: {{conjur_ssl_certificate_path}} +netrc_path: /etc/conjur.identity +plugins: [] diff --git a/templates/conjur.identity.j2 b/templates/conjur.identity.j2 new file mode 100644 index 00000000..7bde0ff2 --- /dev/null +++ b/templates/conjur.identity.j2 @@ -0,0 +1,3 @@ +machine {{conjur_appliance_url}}/authn + login host/{{conjur_host_name}} + password {{host_factory_response.json.api_key}} From 3298ea9ceb0e16a8d51415f798a22f9d68e8477a Mon Sep 17 00:00:00 2001 
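Review bot: `Download and unpack Summon-Conjur` fetches the release tarball with `unarchive` and `remote_src: yes`, which has no integrity check, so whatever GitHub serves for that URL is unpacked and installed as a privileged binary on every target host; the same applies to `Download and unpack Summon` in the `tasks/summon.yml` hunk. Pin the expected digest next to the version in `defaults/main.yml` (the `summon_conjur.sha256` value below is a placeholder to be filled in) and download with `get_url` and `checksum` before unpacking, so a changed artifact fails the play instead of being installed.
```yaml
- name: Download Summon-Conjur release
  get_url:
    url: https://github.com/cyberark/summon-conjur/releases/download/v{{ summon_conjur.version }}/summon-conjur-{{ summon_conjur.os }}.tar.gz
    dest: /tmp/summon-conjur-{{ summon_conjur.version }}.tar.gz
    checksum: "sha256:{{ summon_conjur.sha256 }}"  # PLACEHOLDER: add summon_conjur.sha256 to defaults/main.yml

- name: Unpack Summon-Conjur
  unarchive:
    src: /tmp/summon-conjur-{{ summon_conjur.version }}.tar.gz
    dest: /usr/local/lib/summon
    remote_src: yes
    creates: /usr/local/lib/summon/summon-conjur
```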
From: Bradley Boutcher Date: Mon, 17 Aug 2020 13:26:38 -0400 Subject: [PATCH 2/7] Migrate ansible-conjur-host-identity tests Moved collection tests and host-identity tests to seperate sub-directories and modified our CI test script to take a single param for running either --- .codeclimate.yml | 162 ++++++++++++++++++ .gitignore | 1 - .gitleaks.toml | 109 ++++++++++++ CONTRIBUTING.md | 4 +- Jenkinsfile | 17 +- ci/parse-changelog.sh | 13 +- ci/test.sh | 3 +- tests/conjur-host-identity/Dockerfile | 24 +++ tests/conjur-host-identity/Dockerfile_nginx | 16 ++ tests/conjur-host-identity/ansible.cfg | 7 + tests/conjur-host-identity/docker-compose.yml | 66 +++++++ .../inventory-playbook.yml | 6 + tests/conjur-host-identity/inventory.j2 | 6 + tests/conjur-host-identity/policy/root.yml | 32 ++++ tests/conjur-host-identity/proxy/default.conf | 33 ++++ tests/conjur-host-identity/proxy/ssl.conf | 39 +++++ tests/conjur-host-identity/test.sh | 122 +++++++++++++ .../test_app_centos/Dockerfile | 4 + .../test_app_ubuntu/Dockerfile | 4 + .../configure-conjur-identity/playbook.yml | 11 ++ .../tests/test_default.py | 29 ++++ tests/{ => conjur}/Dockerfile | 0 tests/{ => conjur}/Dockerfile_nginx | 0 tests/conjur/access_token | 5 + tests/{ => conjur}/docker-compose.yml | 0 tests/{ => conjur}/policy/root.yml | 0 tests/{ => conjur}/proxy/default.conf | 0 tests/{ => conjur}/proxy/ssl.conf | 0 tests/{ => conjur}/pytest.ini | 0 tests/{ => conjur}/test.sh | 0 .../retrieve-variable-bad-cert-path/env | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../retrieve-variable-bad-certs/bad-cert.pem} | 2 +- .../retrieve-variable-bad-certs/env | 0 .../retrieve-variable-bad-certs/playbook.yml | 0 .../tests/test_default.py | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../retrieve-variable-with-authn-token/env | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../retrieve-variable-with-spaces-secret/env | 0 .../playbook.yml | 0 
.../tests/test_default.py | 0 .../test_cases/retrieve-variable/env | 0 .../test_cases/retrieve-variable/playbook.yml | 0 .../retrieve-variable/tests/test_default.py | 0 tests/sanity/ignore-2.10.txt | 8 +- tests/sanity/ignore-2.11.txt | 8 +- tests/sanity/ignore-2.9.txt | 3 +- 53 files changed, 715 insertions(+), 19 deletions(-) create mode 100644 .codeclimate.yml create mode 100644 .gitleaks.toml create mode 100644 tests/conjur-host-identity/Dockerfile create mode 100644 tests/conjur-host-identity/Dockerfile_nginx create mode 100644 tests/conjur-host-identity/ansible.cfg create mode 100644 tests/conjur-host-identity/docker-compose.yml create mode 100644 tests/conjur-host-identity/inventory-playbook.yml create mode 100644 tests/conjur-host-identity/inventory.j2 create mode 100644 tests/conjur-host-identity/policy/root.yml create mode 100644 tests/conjur-host-identity/proxy/default.conf create mode 100644 tests/conjur-host-identity/proxy/ssl.conf create mode 100755 tests/conjur-host-identity/test.sh create mode 100644 tests/conjur-host-identity/test_app_centos/Dockerfile create mode 100644 tests/conjur-host-identity/test_app_ubuntu/Dockerfile create mode 100644 tests/conjur-host-identity/test_cases/configure-conjur-identity/playbook.yml create mode 100644 tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py rename tests/{ => conjur}/Dockerfile (100%) rename tests/{ => conjur}/Dockerfile_nginx (100%) create mode 100644 tests/conjur/access_token rename tests/{ => conjur}/docker-compose.yml (100%) rename tests/{ => conjur}/policy/root.yml (100%) rename tests/{ => conjur}/proxy/default.conf (100%) rename tests/{ => conjur}/proxy/ssl.conf (100%) rename tests/{ => conjur}/pytest.ini (100%) rename tests/{ => conjur}/test.sh (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-bad-cert-path/env (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-bad-cert-path/playbook.yml (100%) rename tests/{ => 
conjur}/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py (100%) rename tests/{test_cases/retrieve-variable-bad-certs/bad_cert.pem => conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem} (98%) rename tests/{ => conjur}/test_cases/retrieve-variable-bad-certs/env (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-bad-certs/playbook.yml (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-bad-certs/tests/test_default.py (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-disable-verify-certs/playbook.yml (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-no-cert-provided/playbook.yml (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-with-authn-token/env (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-with-authn-token/playbook.yml (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-with-authn-token/tests/test_default.py (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-with-spaces-secret/env (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-with-spaces-secret/playbook.yml (100%) rename tests/{ => conjur}/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py (100%) rename tests/{ => conjur}/test_cases/retrieve-variable/env (100%) rename tests/{ => conjur}/test_cases/retrieve-variable/playbook.yml (100%) rename tests/{ => conjur}/test_cases/retrieve-variable/tests/test_default.py (100%) diff --git a/.codeclimate.yml b/.codeclimate.yml new file mode 100644 index 00000000..40b46a5f --- /dev/null +++ b/.codeclimate.yml 
@@ -0,0 +1,162 @@ +# This is our default .CodeClimate.yml, broken out by language. Uncomment the +# sections at the bottom that apply to your project. ACTION comments indicate +# places where config might need to be tweaked. + +version: "2" + +plugins: + +# --------------- +# Cross-language plugins. Should always be on. + + duplication: # Looks for similar and identical code blocks + enabled: true + config: + languages: + go: + java: + javascript: + php: + python: + python_version: 3 # ACTION Comment this out if using Python 2 + ruby: + swift: + typescript: + + fixme: # Flags any FIXME, TODO, BUG, XXX, HACK comments so they can be fixed + enabled: true + config: + strings: + - FIXME + - TODO + - HACK + - XXX + - BUG + +# --------------- +# Commonly-used languages - run time is minimal and all of these will work +# whether files of that language are found or not. In general, leave uncommented + + # Markdown + markdownlint: + enabled: true + + # Go + gofmt: + enabled: true + golint: + enabled: true + govet: + enabled: true + + # Ruby + flog: + enabled: true + reek: + enabled: true + rubocop: + enabled: true + channel: rubocop-0-79 # As of March 10, 2020, rubocop 0.80.1 is the latest + # However, it does not work with CodeClimate - throws + # an Invalid JSON error. + # ACTION uncomment bundler-audit below if using Gemfile/Gemfile.lock + # ACTION uncomment brakeman below if using Rails + + # Shell scripts + shellcheck: + enabled: true + +# --------------- +# Other languages - will work with or without language files present. Again, +# runtime is minimal, so OK to leave uncommented. 
+ + # CoffeeScript + coffeelint: + enabled: true + + # CSS + csslint: + enabled: true + + # Groovy + codenarc: + enabled: true + + # Java + pmd: + enabled: true + sonar-java: + enabled: true + config: + sonar.java.source: "7" # ACTION set this to the major version of Java used + # ACTION uncomment checkstyle below if Java code exists in repo + + # Node.js + nodesecurity: + enabled: true + # ACTION uncomment eslint below if JavaScript already exists and .eslintrc + # file exists in repo + + # PHP + phan: + enabled: true + config: + file_extensions: "php" + phpcodesniffer: + enabled: true + config: + file_extensions: "php,inc,lib" + # Using Wordpress standards as our one PHP repo is a Wordpress theme + standards: "PSR1,PSR2,WordPress,WordPress-Core,WordPress-Extra" + phpmd: + enabled: true + config: + file_extensions: "php,inc,lib" + rulesets: "cleancode,codesize,controversial,naming,unusedcode" + sonar-php: + enabled: true + + # Python + bandit: + enabled: true + pep8: + enabled: true + radon: + enabled: true + # config: + # python_version: 2 # ACTION Uncomment these 2 lines if using Python 2 + sonar-python: + enabled: true + +# --------------- +# Configuration Required Language specific - these will error and abort the +# codeclimate run if they are turned on and certain files or configuration are +# missing. Should be commented out unless the project already includes the +# necessary files that the linter looks at + + # Ruby - requires presence of Gemfile and Gemfile.lock + # bundler-audit: + # enabled: true + + # Rails - requires detecting a Rails application + # brakeman: + # enabled: true + + # Chef - requires detecting a cookbook + # foodcritic: + # enabled: true + + # Java - might require Java code? Errored when run without + # checkstyle: + # enabled: true + + # JavaScript - requires an eslintrc to be created and added to project + # eslint: + # enabled: true + # channel: "eslint-6" + +# --------------- +# List any files/folders to exclude from checking. 
Wildcards accepted. Leave +# commented if no files to exclude as an empty array will error +exclude_patterns: + - ".gitignore" diff --git a/.gitignore b/.gitignore index 87add2b0..1115418e 100644 --- a/.gitignore +++ b/.gitignore @@ -16,7 +16,6 @@ tests/access_token .cache *.retry .idea/ -*.pem *.pyc **/.molecule/ **/test-files/output diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..55c1e5f1 --- /dev/null +++ b/.gitleaks.toml 
@@ -0,0 +1,109 @@ +title = "ansible-conjur-collection gitleaks config" + +[[rules]] + description = "AWS Manager ID" + regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' + tags = ["key", "AWS"] +[[rules]] + description = "AWS Secret Key" + regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]''' + tags = ["key", "AWS"] +[[rules]] + description = "AWS MWS key" + regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' + tags = ["key", "AWS", "MWS"] +[[rules]] + description = "Facebook Secret Key" + regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]''' + tags = ["key", "Facebook"] +[[rules]] + description = "Facebook Client ID" + regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]''' + tags = ["key", "Facebook"] +[[rules]] + description = "Twitter Secret Key" + regex = '''(?i)twitter(.{0,20})?[0-9a-z]{35,44}''' + tags = ["key", "Twitter"] +[[rules]] + description = "Twitter Client ID" + regex = '''(?i)twitter(.{0,20})?[0-9a-z]{18,25}''' + tags = ["client", "Twitter"] +[[rules]] + description = "Github" + regex = '''(?i)github(.{0,20})?(?-i)[0-9a-zA-Z]{35,40}''' + tags = ["key", "Github"] +[[rules]] + description = "LinkedIn Client ID" + regex = '''(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}''' + tags = ["client", "LinkedIn"] +[[rules]] + description = "LinkedIn Secret Key" + regex = '''(?i)linkedin(.{0,20})?[0-9a-z]{16}''' + tags = ["secret", "LinkedIn"] +[[rules]] + description = "Slack" + regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' + tags = ["key", "Slack"] +[[rules]] + description = "Asymmetric Private Key" + regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----''' + tags = ["key", "AsymmetricPrivateKey"] +[[rules]] + description = "Google API key" + regex = '''AIza[0-9A-Za-z\\-_]{35}''' + tags = ["key", "Google"] +[[rules]] + description = "Google (GCP) Service Account" + regex = '''"type": "service_account"''' + tags = ["key", "Google"] +[[rules]] + 
description = "Heroku API key" + regex = '''(?i)heroku(.{0,20})?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' + tags = ["key", "Heroku"] +[[rules]] + description = "MailChimp API key" + regex = '''(?i)(mailchimp|mc)(.{0,20})?[0-9a-f]{32}-us[0-9]{1,2}''' + tags = ["key", "Mailchimp"] +[[rules]] + description = "Mailgun API key" + regex = '''((?i)(mailgun|mg)(.{0,20})?)?key-[0-9a-z]{32}''' + tags = ["key", "Mailgun"] +[[rules]] + description = "PayPal Braintree access token" + regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' + tags = ["key", "Paypal"] +[[rules]] + description = "Picatic API key" + regex = '''sk_live_[0-9a-z]{32}''' + tags = ["key", "Picatic"] +[[rules]] + description = "SendGrid API Key" + regex = '''SG\.[\w_]{16,32}\.[\w_]{16,64}''' + tags = ["key", "SendGrid"] +[[rules]] + description = "Slack Webhook" + regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' + tags = ["key", "slack"] +[[rules]] + description = "Stripe API key" + regex = '''(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}''' + tags = ["key", "Stripe"] +[[rules]] + description = "Square access token" + regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' + tags = ["key", "square"] +[[rules]] + description = "Square OAuth secret" + regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' + tags = ["key", "square"] +[[rules]] + description = "Twilio API key" + regex = '''(?i)twilio(.{0,20})?SK[0-9a-f]{32}''' + tags = ["key", "twilio"] +[allowlist] + commits = ["0f04d2d2bbbbd6315b8b14cfcfa4c89b1cf2213e",] + description = "Allowlisted files" + files = ['''^\.?gitleaks.toml$''', + '''(.*?)(jpg|gif|doc|pdf|bin)$''', + '''(go.mod|go.sum)$''', + '''(*/tests/* ''',] diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cc05566d..bf650ec4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -31,5 +31,5 @@ To run the tests: ```sh-session $ cd tests -$ ./test.sh -``` \ No newline at end of file +$ ./test.sh +``` 
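Review bot: The last `[allowlist] files` entry, `'''(*/tests/* '''`, is not a valid regular expression (a quantifier with nothing to repeat, an unbalanced parenthesis and a trailing space), so gitleaks will most likely fail to load this config rather than quietly skip the tests tree. If the intent is to exclude fixture files under `tests/`, write it as `'''(^|/)tests/.*''',`, but note that this same commit adds `tests/conjur/access_token`, which is exactly the kind of file a broad tests allowlist would hide; narrowing the pattern to the known fixtures (for example the `bad-cert.pem` being renamed here) keeps the scan useful.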
diff --git a/Jenkinsfile b/Jenkinsfile index 6bff6d00..ef4601aa 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -19,9 +19,20 @@ pipeline { } stage('Run tests') { - steps { - sh './ci/test.sh' - junit 'tests/junit/*' + parallel { + stage("Test Ansible-Conjur-Collection") { + steps { + sh './ci/test.sh conjur' + junit 'tests/junit/*' + } + } + + stage("Test Ansible-Conjur-Host-Identity") { + steps { + sh './ci/test.sh conjur-host-identity' + junit 'tests/junit/*' + } + } } } diff --git a/ci/parse-changelog.sh b/ci/parse-changelog.sh index be7d8270..0fd7f528 100755 --- a/ci/parse-changelog.sh +++ b/ci/parse-changelog.sh @@ -1,6 +1,11 @@ #!/bin/bash -ex -docker run \ - --rm \ - --volume "${PWD}/CHANGELOG.md":/CHANGELOG.md \ - cyberark/parse-a-changelog \ No newline at end of file +cd "$(dirname "$0")" + +docker run --rm \ + -v "$PWD/..:/work" \ + -w "/work" \ + ruby:2.5 bash -ec " + gem install -N parse_a_changelog + parse ./CHANGELOG.md + " diff --git a/ci/test.sh b/ci/test.sh index 473547c9..5beea664 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -1,4 +1,5 @@ #!/bin/bash -ex -cd "${PWD}/tests" +cd "${PWD}/tests/$@" + ./test.sh diff --git a/tests/conjur-host-identity/Dockerfile b/tests/conjur-host-identity/Dockerfile new file mode 100644 index 00000000..19b36843 --- /dev/null +++ b/tests/conjur-host-identity/Dockerfile 
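Review bot: In `ci/test.sh`, `cd "${PWD}/tests/$@"` uses `$@` inside double quotes, which expands to one word per argument; it works for the single argument the Jenkinsfile passes, but with no argument it silently changes into `tests/`, which after this commit no longer contains a `test.sh`. Use the first positional parameter and fail fast: `cd "${PWD}/tests/${1:?usage: $0 <conjur|conjur-host-identity>}"`.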
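Review bot: `ci/parse-changelog.sh` now runs `gem install -N parse_a_changelog` on every CI invocation with no version pinned, so the release check depends on whatever the newest gem is on the day the job runs; pin it with `gem install -N parse_a_changelog -v <PINNED_VERSION>` (version to be chosen by the maintainers). The previous `cyberark/parse-a-changelog` image at least bounded this to a published image; if the image route is dropped, pinning the gem keeps the job reproducible.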
@@ -0,0 +1,24 @@ +FROM ubuntu:18.04 + +RUN apt-get update && apt-get install -y \ + apt-transport-https \ + ca-certificates \ + curl \ + software-properties-common \ + python3-pip + +RUN pip3 install pytest testinfra ansible && mkdir -p /conjurinc/ + +RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - +RUN add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ + $(lsb_release -cs) \ + stable" +RUN apt-get update && apt-get -y install docker-ce +RUN apt-get update && apt-get install -y gcc build-essential +RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.4 ruby2.4-dev +RUN gem install conjur-cli + +WORKDIR /conjurinc/ + +CMD ["/bin/sleep", "1d"] diff --git a/tests/conjur-host-identity/Dockerfile_nginx b/tests/conjur-host-identity/Dockerfile_nginx new file mode 100644 index 00000000..d9f18c7b --- /dev/null +++ b/tests/conjur-host-identity/Dockerfile_nginx @@ -0,0 +1,16 @@ +FROM nginx:1.13.3 + +RUN export DEBIAN_FRONTEND=noninteractive && \ + apt-get update && \ + apt-get install -y iputils-ping procps openssl && \ + rm -rf /var/lib/apt/lists/* + +WORKDIR /etc/nginx/ + +COPY proxy/ssl.conf /etc/ssl/openssl.cnf + +RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -config /etc/ssl/openssl.cnf -extensions v3_ca \ + -keyout cert.key -out cert.crt + +COPY proxy/default.conf /etc/nginx/conf.d/default.conf diff --git a/tests/conjur-host-identity/ansible.cfg b/tests/conjur-host-identity/ansible.cfg new file mode 100644 index 00000000..c3359828 --- /dev/null +++ b/tests/conjur-host-identity/ansible.cfg @@ -0,0 +1,7 @@ +[defaults] +host_key_checking = False +error_on_undefined_vars = True +timeout = 60 +inventory = inventory.tmp +roles_path = /conjurinc +remote_tmp = /tmp diff --git a/tests/conjur-host-identity/docker-compose.yml b/tests/conjur-host-identity/docker-compose.yml new file mode 100644 index 00000000..fe317cff --- /dev/null 
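Review bot: `RUN pip3 install pytest testinfra ansible` installs whatever versions are current at build time, so the host-identity test image is not reproducible and a new ansible or testinfra release can break or change the tests without any change in this repo. Pin the three packages (for example `pip3 install 'ansible==<PINNED>' 'pytest==<PINNED>' 'testinfra==<PINNED>'`, versions to be chosen) or install from a checked-in requirements file. The same applies to the unpinned `gem install conjur-cli` line below it.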
+++ b/tests/conjur-host-identity/docker-compose.yml @@ -0,0 +1,66 @@ +version: '3' +services: + ansible: + build: + context: . + dockerfile: Dockerfile + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: host/ansible/ansible-master + CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY} + CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY} + COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + volumes: + - ..:/conjurinc/cyberark.conjur-host-identity/ + - ../tests:/conjurinc/tests/ + - /var/run/docker.sock:/var/run/docker.sock + pg: + image: postgres:9.3 + + conjur: + image: cyberark/conjur + command: server -a cucumber -p 3000 + environment: + CONJUR_APPLIANCE_URL: http://localhost:3000 + DATABASE_URL: postgres://postgres@pg/postgres + CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA=" + networks: + - default + links: + - pg + + conjur_cli: + image: cyberark/conjur-cli:5-latest + entrypoint: [] + command: sleep infinity + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: admin + CONJUR_AUTHN_API_KEY: ${CLI_CONJUR_AUTHN_API_KEY} + volumes: + - ./policy:/policy + links: + - conjur + + test_app_ubuntu: + build: ./test_app_ubuntu + entrypoint: sleep + command: infinity + + test_app_centos: + build: ./test_app_centos + entrypoint: sleep + command: infinity + + conjur-proxy-nginx: + build: + context: . + dockerfile: Dockerfile_nginx + entrypoint: nginx-debug -g 'daemon off;' + environment: + TERM: xterm + depends_on: + - conjur + - conjur_cli diff --git a/tests/conjur-host-identity/inventory-playbook.yml b/tests/conjur-host-identity/inventory-playbook.yml new file mode 100644 index 00000000..01d0d1d4 --- /dev/null +++ b/tests/conjur-host-identity/inventory-playbook.yml 
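Review bot: The `ansible` service volumes `..:/conjurinc/cyberark.conjur-host-identity/` and `../tests:/conjurinc/tests/` are resolved relative to the compose file's own directory, which is now `tests/conjur-host-identity/`; `..` is therefore `tests/`, not the role root that holds `tasks/`, `defaults/` and `templates/`, and `../tests` does not exist. Unless `test.sh` (whose body is outside this chunk) overrides the project directory, the role would not be found at the `roles_path` given in `ansible.cfg`. Adjust the mounts for the new location: `- ../..:/conjurinc/cyberark.conjur-host-identity/` and `- ..:/conjurinc/tests/`.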
@@ -0,0 +1,6 @@ +--- +- name: Compile inventory template locally + hosts: localhost + tasks: + - name: compile inventory template + template: src=inventory.j2 dest=/conjurinc/tests/inventory.tmp diff --git a/tests/conjur-host-identity/inventory.j2 b/tests/conjur-host-identity/inventory.j2 new file mode 100644 index 00000000..62d48ef8 --- /dev/null +++ b/tests/conjur-host-identity/inventory.j2 @@ -0,0 +1,6 @@ +[testapp] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_ubuntu_[1:2] ansible_connection=docker +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_centos_[1:2] ansible_connection=docker + +[ansible] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_ansible_1 ansible_connection=docker diff --git a/tests/conjur-host-identity/policy/root.yml b/tests/conjur-host-identity/policy/root.yml new file mode 100644 index 00000000..0309cf70 --- /dev/null +++ b/tests/conjur-host-identity/policy/root.yml @@ -0,0 +1,32 @@ +--- +- !policy + id: ansible + annotations: + description: Policy for Ansible master and remote hosts + body: + + - !host + id: ansible-master + annotations: + description: Host for running Ansible on remote targets + + - !layer &remote_hosts_layer + id: remote_hosts + annotations: + description: Layer for Ansible remote hosts + + - !host-factory + id: ansible-factory + annotations: + description: Factory to create new hosts for ansible + layer: [ *remote_hosts_layer ] + + - !variable + id: target-password + annotations: + description: Password needed by the Ansible remote machine + + - !permit + role: *remote_hosts_layer + privileges: [ execute ] + resources: [ !variable target-password ] diff --git a/tests/conjur-host-identity/proxy/default.conf b/tests/conjur-host-identity/proxy/default.conf new file mode 100644 index 00000000..db2153a7 --- /dev/null +++ b/tests/conjur-host-identity/proxy/default.conf 
@@ -0,0 +1,33 @@ +server { + listen 80; + return 301 https://conjur$request_uri; +} + +server { + listen 443; + server_name localhost; + ssl_certificate /etc/nginx/cert.crt; + ssl_certificate_key /etc/nginx/cert.key; + + ssl on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + access_log /var/log/nginx/access.log; + + location / { + proxy_pass http://conjur:3000; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} diff --git a/tests/conjur-host-identity/proxy/ssl.conf b/tests/conjur-host-identity/proxy/ssl.conf new file mode 100644 index 00000000..e78716b2 --- /dev/null +++ b/tests/conjur-host-identity/proxy/ssl.conf @@ -0,0 +1,39 @@ +[req] +default_bits = 2048 +prompt = no +default_md = sha256 +req_extensions = req_ext +distinguished_name = dn +x509_extensions = v3_ca # The extentions to add to the self signed cert +req_extensions = v3_req +x509_extensions = usr_cert + +[ dn ] +C=IL +ST=Israel +L=TLV +O=Onyx +OU=CyberArk +CN=conjur-proxy-nginx + +[ usr_cert ] +basicConstraints=CA:FALSE +nsCertType = client, server, email +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection +nsComment = "OpenSSL Generated Certificate" +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +[ v3_req ] +extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = localhost +DNS.2 = conjur-proxy-nginx +IP.1 = 127.0.0.1 
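Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1 on the proxy, which nothing in this suite needs and which would mask a client that fails against a TLS 1.2-only Conjur endpoint; `ssl_protocols TLSv1.2;` is the better default for a test double. `ssl on;` has been deprecated since nginx 1.15 in favour of `listen 443 ssl;`, so the `listen 443;` line should carry the `ssl` parameter instead. The port-80 server redirects to `https://conjur$request_uri`, but the certificate produced from ssl.conf is issued for `conjur-proxy-nginx`/`localhost`, so a client that follows the redirect with verification on would presumably see a hostname mismatch; `https://$host$request_uri` keeps the redirect consistent with the name the client used.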
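Review bot: `req_extensions` and `x509_extensions` are each assigned twice in `[req]` (`req_ext` then `v3_req`, `v3_ca` then `usr_cert`); OpenSSL's config parser appears to keep the last assignment per key, so `[ v3_ca ]` — the only section carrying `subjectAltName = @alt_names` — is never applied, and `[req_ext]` does not exist at all. The generated certificate would then have no SAN and rely on `CN=conjur-proxy-nginx` alone, which current TLS clients increasingly refuse; the Dockerfile_nginx that consumes this file is not in this chunk, so please confirm with `openssl x509 -noout -text` on the produced cert. Adding `subjectAltName = @alt_names` to `[ usr_cert ]` and `[ v3_req ]` and deleting the duplicate keys fixes both. `extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection` is also far broader than a proxy certificate needs; `serverAuth` is sufficient.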
diff --git a/tests/conjur-host-identity/test.sh b/tests/conjur-host-identity/test.sh new file mode 100755 index 00000000..ee2f4bcb --- /dev/null +++ b/tests/conjur-host-identity/test.sh 
@@ -0,0 +1,122 @@ +#!/bin/bash -e +set -x + +function finish { + echo 'Removing test environment' + echo '---' + docker-compose down -v + rm -rf inventory.tmp +} +trap finish EXIT +finish + +# normalises project name by filtering non alphanumeric characters and transforming to lowercase +declare -x COMPOSE_PROJECT_NAME=$(echo ${BUILD_TAG:-"ansible-role-testing"} | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]') + +declare -x ANSIBLE_CONJUR_AUTHN_API_KEY='' +declare -x CLI_CONJUR_AUTHN_API_KEY='' +declare cli_cid='' +declare conjur_cid='' +declare ansible_cid='' + +function api_key_for { + local role_id=$1 + if [ ! -z "$role_id" ] + then + docker exec ${conjur_cid} rails r "print Credentials['${role_id}'].api_key" + else + echo ERROR: api_key_for called with no argument 1>&2 + exit 1 + fi +} + +function hf_token { + echo $(docker exec ${cli_cid} conjur hostfactory tokens create --duration-days=5 ansible/ansible-factory | jq -r '.[0].token') +} + +function setup_conjur { + echo "---- setting up conjur ----" + # run policy + docker exec ${cli_cid} conjur policy load root /policy/root.yml + + # set secret values + docker exec ${cli_cid} bash -c ' + conjur variable values add ansible/target-password target_secret_password + ' +} + +function run_test_cases { + for test_case in `ls test_cases`; do + teardown_and_setup + run_test_case $test_case + done +} + +function run_test_case { + echo "---- testing ${test_case} ----" + local test_case=$1 + if [ ! 
-z "$test_case" ] + then + docker exec ${ansible_cid} env HFTOKEN=$(hf_token) bash -c " + cd tests + ansible-playbook test_cases/${test_case}/playbook.yml + " + docker exec ${ansible_cid} bash -c " + cd tests + py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py + " + else + echo ERROR: run_test called with no argument 1>&2 + exit 1 + fi +} + +function teardown_and_setup { + docker-compose up -d --force-recreate --scale test_app_ubuntu=2 test_app_ubuntu + docker-compose up -d --force-recreate --scale test_app_centos=2 test_app_centos +} + +function wait_for_server { + docker exec ${cli_cid} bash -c ' + for i in $(seq 20); do + curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break + echo "." + sleep 2 + done + ' +} + +function fetch_ssl_cert { + (docker-compose exec -T conjur-proxy-nginx cat cert.crt) > conjur.pem +} + +function generate_inventory { + # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME + docker-compose exec -T ansible bash -c ' + cd tests + ansible-playbook inventory-playbook.yml + ' +} + +function main() { + docker-compose up -d --build + generate_inventory + + conjur_cid=$(docker-compose ps -q conjur) + cli_cid=$(docker-compose ps -q conjur_cli) + fetch_ssl_cert + wait_for_server + + CLI_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:user:admin') + docker-compose up -d conjur_cli + cli_cid=$(docker-compose ps -q conjur_cli) + setup_conjur + + ANSIBLE_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:host:ansible/ansible-master') + docker-compose up -d ansible + ansible_cid=$(docker-compose ps -q ansible) + + run_test_cases +} + +main diff --git a/tests/conjur-host-identity/test_app_centos/Dockerfile b/tests/conjur-host-identity/test_app_centos/Dockerfile new file mode 100644 index 00000000..ee474e7b --- /dev/null +++ b/tests/conjur-host-identity/test_app_centos/Dockerfile 
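Review bot: `set -x` on line 2 traces every expanded command, so the values of `CLI_CONJUR_AUTHN_API_KEY`, `ANSIBLE_CONJUR_AUTHN_API_KEY` and the host-factory token in `env HFTOKEN=$(hf_token)` are written to the CI console log in clear; wrapping those assignments and the `docker exec` in `run_test_case` in `set +x` … `set -x` keeps credentials out of the log. The same applies to the re-quoted `docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)"` line in the later patch of this series. In `run_test_case`, `echo "---- testing ${test_case} ----"` runs before `local test_case=$1`, so it prints the caller's global loop variable rather than the argument; swapping the two lines makes the function self-contained (the later patch's quoting hunk leaves this order unchanged).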
@@ -0,0 +1,4 @@ +FROM centos:7 + +# Install Python so Ansible can run against node +RUN yum update -y && yum install -y python3 diff --git a/tests/conjur-host-identity/test_app_ubuntu/Dockerfile b/tests/conjur-host-identity/test_app_ubuntu/Dockerfile new file mode 100644 index 00000000..414c63f8 --- /dev/null +++ b/tests/conjur-host-identity/test_app_ubuntu/Dockerfile @@ -0,0 +1,4 @@ +FROM ubuntu:16.04 + +# Install Python so Ansible can run against node +RUN apt-get update -y && apt-get install -y python3-minimal diff --git a/tests/conjur-host-identity/test_cases/configure-conjur-identity/playbook.yml b/tests/conjur-host-identity/test_cases/configure-conjur-identity/playbook.yml new file mode 100644 index 00000000..52fd381f --- /dev/null +++ b/tests/conjur-host-identity/test_cases/configure-conjur-identity/playbook.yml @@ -0,0 +1,11 @@ +--- +- name: Configuring conjur identity on remote hosts + hosts: testapp + roles: + - role: cyberark.conjur-host-identity + conjur_account: cucumber + conjur_appliance_url: "https://conjur-proxy-nginx" + conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}" + conjur_host_name: "conjur_{{ ansible_hostname }}" + conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}" + conjur_validate_certs: yes diff --git a/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py b/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py new file mode 100644 index 00000000..18402b6c --- /dev/null +++ b/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py 
@@ -0,0 +1,29 @@ +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + '/conjurinc/tests/inventory.tmp').get_hosts('testapp') + +def test_hosts_file(host): + f = host.file('/etc/hosts') + + assert f.exists + assert f.user == 'root' + assert f.group == 'root' + + +def test_is_conjurized(host): + identity_file = host.file('/etc/conjur.identity') + + assert identity_file.exists + assert identity_file.user == 'root' + + conf_file = host.file('/etc/conjur.conf') + + assert conf_file.exists + assert conf_file.user == 'root' + + +def test_retrieve_secret_with_summon(host): + result = host.check_output("summon --yaml 'DB_USERNAME: !var ansible/target-password' bash -c 'printenv DB_USERNAME'", shell=True) + + assert result == "target_secret_password" diff --git a/tests/Dockerfile b/tests/conjur/Dockerfile similarity index 100% rename from tests/Dockerfile rename to tests/conjur/Dockerfile diff --git a/tests/Dockerfile_nginx b/tests/conjur/Dockerfile_nginx similarity index 100% rename from tests/Dockerfile_nginx rename to tests/conjur/Dockerfile_nginx diff --git a/tests/conjur/access_token b/tests/conjur/access_token new file mode 100644 index 00000000..3c215b47 --- /dev/null +++ b/tests/conjur/access_token @@ -0,0 +1,5 @@ +{ + "protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0OTkwZTBhODE5NzkyOTQyMThiZDIyOWEzYjA4ZGE5YzQ3YjE5YzM4NjRhNTUxMDI3NzFiZDgyOWVkYmJjYmRhIn0=", + "payload": "eyJzdWIiOiJob3N0L2Fuc2libGUvYW5zaWJsZS1tYXN0ZXIiLCJpYXQiOjE1OTc2ODQ4NzV9", + "signature": "wKLBEsOO-SGbfvUSsve4Lc6NxQe2d9eeiaJwSLHBig3abOXWFGRRAmngextGKRdAaBu5SOUAau4TXugOOGKGPAL1jzY8L4qw6N1XPTl3riKrDhwf8h-xyqqWx1jQ0nre9Ey-_fJzuTGdH5wp9EMpTInvUkMiyNbkTvvV7XwbvvK78w-vN1jamZn9ja-z265x5XRpgUILRO2Xlm5LHOfwzTGTWQBxU-OQXKFPATB_YYNY9lpkfEanlWwse35JNDQF87Z5sPj0COCluptgnBgS3yq7hbqC2s3AYAmpDS38hpe_jteMxASgY2xEruQ_ALU5RcTqQY50loHjUCwfegNnlbRfHzLrpC5DlGvjaBPtpILrDNsPQl-8_Fer_jvW8CNU" +} 
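Review bot: `test_is_conjurized` asserts only existence and owner of `/etc/conjur.identity`, the file that holds the enrolled host's API key, so a regression to a world-readable identity file would pass. If the role writes it with a restrictive mode (tasks/identity.yml is outside this chunk), add `assert identity_file.mode == 0o600` (or whatever mode the role sets) next to the owner assertion. `test_hosts_file` checks `/etc/hosts` and exercises nothing the role does; it reads as template boilerplate and could be dropped. The `shell=True` keyword passed to `host.check_output` does not appear to be part of testinfra's documented signature; please confirm it is honoured rather than silently ignored.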
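Review bot: `tests/conjur/access_token` is a captured Conjur access token checked into the repository (its `payload` field decodes to `{"sub":"host/ansible/ansible-master","iat":1597684875}`); a later patch in this series deletes the file and adds `tests/*/access_token` to `.gitignore`, but the blob remains in history. Conjur access tokens are short-lived and this one was minted against a throwaway test server, so the practical exposure is small, yet it is exactly the artifact a secret scanner exists to catch — dropping the file from this commit, or squashing the series before merge, avoids it. The `.gitignore` entry belongs in this commit rather than the follow-up.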
diff --git a/tests/docker-compose.yml b/tests/conjur/docker-compose.yml similarity index 100% rename from tests/docker-compose.yml rename to tests/conjur/docker-compose.yml diff --git a/tests/policy/root.yml b/tests/conjur/policy/root.yml similarity index 100% rename from tests/policy/root.yml rename to tests/conjur/policy/root.yml diff --git a/tests/proxy/default.conf b/tests/conjur/proxy/default.conf similarity index 100% rename from tests/proxy/default.conf rename to tests/conjur/proxy/default.conf diff --git a/tests/proxy/ssl.conf b/tests/conjur/proxy/ssl.conf similarity index 100% rename from tests/proxy/ssl.conf rename to tests/conjur/proxy/ssl.conf diff --git a/tests/pytest.ini b/tests/conjur/pytest.ini similarity index 100% rename from tests/pytest.ini rename to tests/conjur/pytest.ini diff --git a/tests/test.sh b/tests/conjur/test.sh similarity index 100% rename from tests/test.sh rename to tests/conjur/test.sh diff --git a/tests/test_cases/retrieve-variable-bad-cert-path/env b/tests/conjur/test_cases/retrieve-variable-bad-cert-path/env similarity index 100% rename from tests/test_cases/retrieve-variable-bad-cert-path/env rename to tests/conjur/test_cases/retrieve-variable-bad-cert-path/env diff --git a/tests/test_cases/retrieve-variable-bad-cert-path/playbook.yml b/tests/conjur/test_cases/retrieve-variable-bad-cert-path/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable-bad-cert-path/playbook.yml rename to tests/conjur/test_cases/retrieve-variable-bad-cert-path/playbook.yml diff --git a/tests/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py 
diff --git a/tests/test_cases/retrieve-variable-bad-certs/bad_cert.pem b/tests/conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem similarity index 98% rename from tests/test_cases/retrieve-variable-bad-certs/bad_cert.pem rename to tests/conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem index a3831e0c..d4d2ed69 100644 --- a/tests/test_cases/retrieve-variable-bad-certs/bad_cert.pem +++ b/tests/conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem @@ -38,4 +38,4 @@ gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo 5Q== ------END CERTIFICATE----- +-----END CERTIFICATE----- \ No newline at end of file diff --git a/tests/test_cases/retrieve-variable-bad-certs/env b/tests/conjur/test_cases/retrieve-variable-bad-certs/env similarity index 100% rename from tests/test_cases/retrieve-variable-bad-certs/env rename to tests/conjur/test_cases/retrieve-variable-bad-certs/env diff --git a/tests/test_cases/retrieve-variable-bad-certs/playbook.yml b/tests/conjur/test_cases/retrieve-variable-bad-certs/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable-bad-certs/playbook.yml rename to tests/conjur/test_cases/retrieve-variable-bad-certs/playbook.yml diff --git a/tests/test_cases/retrieve-variable-bad-certs/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable-bad-certs/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable-bad-certs/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable-bad-certs/tests/test_default.py 
diff --git a/tests/test_cases/retrieve-variable-disable-verify-certs/playbook.yml b/tests/conjur/test_cases/retrieve-variable-disable-verify-certs/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable-disable-verify-certs/playbook.yml rename to tests/conjur/test_cases/retrieve-variable-disable-verify-certs/playbook.yml diff --git a/tests/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py diff --git a/tests/test_cases/retrieve-variable-no-cert-provided/playbook.yml b/tests/conjur/test_cases/retrieve-variable-no-cert-provided/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable-no-cert-provided/playbook.yml rename to tests/conjur/test_cases/retrieve-variable-no-cert-provided/playbook.yml diff --git a/tests/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py diff --git a/tests/test_cases/retrieve-variable-with-authn-token/env b/tests/conjur/test_cases/retrieve-variable-with-authn-token/env similarity index 100% rename from tests/test_cases/retrieve-variable-with-authn-token/env rename to tests/conjur/test_cases/retrieve-variable-with-authn-token/env 
diff --git a/tests/test_cases/retrieve-variable-with-authn-token/playbook.yml b/tests/conjur/test_cases/retrieve-variable-with-authn-token/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable-with-authn-token/playbook.yml rename to tests/conjur/test_cases/retrieve-variable-with-authn-token/playbook.yml diff --git a/tests/test_cases/retrieve-variable-with-authn-token/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable-with-authn-token/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable-with-authn-token/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable-with-authn-token/tests/test_default.py diff --git a/tests/test_cases/retrieve-variable-with-spaces-secret/env b/tests/conjur/test_cases/retrieve-variable-with-spaces-secret/env similarity index 100% rename from tests/test_cases/retrieve-variable-with-spaces-secret/env rename to tests/conjur/test_cases/retrieve-variable-with-spaces-secret/env diff --git a/tests/test_cases/retrieve-variable-with-spaces-secret/playbook.yml b/tests/conjur/test_cases/retrieve-variable-with-spaces-secret/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable-with-spaces-secret/playbook.yml rename to tests/conjur/test_cases/retrieve-variable-with-spaces-secret/playbook.yml diff --git a/tests/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py diff --git a/tests/test_cases/retrieve-variable/env b/tests/conjur/test_cases/retrieve-variable/env similarity index 100% rename from tests/test_cases/retrieve-variable/env rename to tests/conjur/test_cases/retrieve-variable/env 
diff --git a/tests/test_cases/retrieve-variable/playbook.yml b/tests/conjur/test_cases/retrieve-variable/playbook.yml similarity index 100% rename from tests/test_cases/retrieve-variable/playbook.yml rename to tests/conjur/test_cases/retrieve-variable/playbook.yml diff --git a/tests/test_cases/retrieve-variable/tests/test_default.py b/tests/conjur/test_cases/retrieve-variable/tests/test_default.py similarity index 100% rename from tests/test_cases/retrieve-variable/tests/test_default.py rename to tests/conjur/test_cases/retrieve-variable/tests/test_default.py diff --git a/tests/sanity/ignore-2.10.txt b/tests/sanity/ignore-2.10.txt index f5856ece..a28d2d6e 100644 --- a/tests/sanity/ignore-2.10.txt +++ b/tests/sanity/ignore-2.10.txt @@ -1,8 +1,10 @@ Jenkinsfile shebang -tests/test.sh shebang +tests/conjur/test.sh shebang +tests/conjur-host-identity/test.sh shebang +tests/conjur/policy/root.yml yamllint:unparsable-with-libyaml +tests/conjur-host-identity/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python ci/build_release shebang ci/parse-changelog.sh shebang ci/publish_to_galaxy shebang ci/test.sh shebang -secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python -tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python +secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python diff --git a/tests/sanity/ignore-2.11.txt b/tests/sanity/ignore-2.11.txt index f5856ece..a28d2d6e 100644 --- a/tests/sanity/ignore-2.11.txt +++ b/tests/sanity/ignore-2.11.txt 
@@ -1,8 +1,10 @@ Jenkinsfile shebang -tests/test.sh shebang +tests/conjur/test.sh shebang +tests/conjur-host-identity/test.sh shebang +tests/conjur/policy/root.yml yamllint:unparsable-with-libyaml +tests/conjur-host-identity/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python ci/build_release shebang ci/parse-changelog.sh shebang ci/publish_to_galaxy shebang ci/test.sh shebang -secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python -tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python +secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python diff --git a/tests/sanity/ignore-2.9.txt b/tests/sanity/ignore-2.9.txt index 3f05bc33..52c574ab 100644 --- a/tests/sanity/ignore-2.9.txt +++ b/tests/sanity/ignore-2.9.txt @@ -1,5 +1,6 @@ Jenkinsfile shebang -tests/test.sh shebang +tests/conjur/test.sh shebang +tests/conjur-host-identity/test.sh shebang ci/build_release shebang ci/parse-changelog.sh shebang ci/publish_to_galaxy shebang From 7245f898a4450492aee39c4cb83c655d97d2379a Mon Sep 17 00:00:00 2001 From: Bradley Boutcher Date: Tue, 18 Aug 2020 11:17:15 -0400 Subject: [PATCH 3/7] Modify test directory references in automation The test directories need to reflect the new project test heirarchy, otherwise they will not be able to access the correct resources. --- .gitignore | 6 +++--- Jenkinsfile | 6 ++++-- tests/conjur-host-identity/docker-compose.yml | 4 ++-- tests/conjur/access_token | 5 ----- tests/conjur/docker-compose.yml | 4 ++-- tests/conjur/test.sh | 2 +- 6 files changed, 12 insertions(+), 15 deletions(-) delete mode 100644 tests/conjur/access_token diff --git a/.gitignore b/.gitignore index 1115418e..6b6fa301 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,9 +1,9 @@ .DS_Store # We don't care about test outputs -tests/junit/ -tests/conjur.pem -tests/access_token +tests/*/junit/ +tests/*/conjur.pem +tests/*/access_token # We should never check in pycache directories **/__pycache__/ diff --git a/Jenkinsfile b/Jenkinsfile index ef4601aa..8ea70936 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -21,16 +21,18 @@ pipeline { stage('Run tests') { parallel { stage("Test Ansible-Conjur-Collection") { + agent { label 'executor-v2-large' } + steps { sh './ci/test.sh conjur' - junit 'tests/junit/*' + junit 'tests/conjur/junit/*' } } stage("Test Ansible-Conjur-Host-Identity") { steps { sh './ci/test.sh conjur-host-identity' - junit 'tests/junit/*' + junit 'tests/conjur-host-identity/junit/*' } } } diff --git a/tests/conjur-host-identity/docker-compose.yml b/tests/conjur-host-identity/docker-compose.yml index fe317cff..eb1e9820 100644 --- a/tests/conjur-host-identity/docker-compose.yml +++ b/tests/conjur-host-identity/docker-compose.yml @@ -12,8 +12,8 @@ services: CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY} COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} volumes: - - ..:/conjurinc/cyberark.conjur-host-identity/ - - ../tests:/conjurinc/tests/ + - ../..:/conjurinc/cyberark.conjur-host-identity/ + - ../conjur-host-identity:/conjurinc/tests/ - /var/run/docker.sock:/var/run/docker.sock pg: image: postgres:9.3 diff --git a/tests/conjur/access_token b/tests/conjur/access_token deleted file mode 100644 index 3c215b47..00000000 --- a/tests/conjur/access_token +++ /dev/null 
@@ -1,5 +0,0 @@ -{ - "protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI0OTkwZTBhODE5NzkyOTQyMThiZDIyOWEzYjA4ZGE5YzQ3YjE5YzM4NjRhNTUxMDI3NzFiZDgyOWVkYmJjYmRhIn0=", - "payload": "eyJzdWIiOiJob3N0L2Fuc2libGUvYW5zaWJsZS1tYXN0ZXIiLCJpYXQiOjE1OTc2ODQ4NzV9", - "signature": "wKLBEsOO-SGbfvUSsve4Lc6NxQe2d9eeiaJwSLHBig3abOXWFGRRAmngextGKRdAaBu5SOUAau4TXugOOGKGPAL1jzY8L4qw6N1XPTl3riKrDhwf8h-xyqqWx1jQ0nre9Ey-_fJzuTGdH5wp9EMpTInvUkMiyNbkTvvV7XwbvvK78w-vN1jamZn9ja-z265x5XRpgUILRO2Xlm5LHOfwzTGTWQBxU-OQXKFPATB_YYNY9lpkfEanlWwse35JNDQF87Z5sPj0COCluptgnBgS3yq7hbqC2s3AYAmpDS38hpe_jteMxASgY2xEruQ_ALU5RcTqQY50loHjUCwfegNnlbRfHzLrpC5DlGvjaBPtpILrDNsPQl-8_Fer_jvW8CNU" -} diff --git a/tests/conjur/docker-compose.yml b/tests/conjur/docker-compose.yml index 233b5199..0e183757 100644 --- a/tests/conjur/docker-compose.yml +++ b/tests/conjur/docker-compose.yml @@ -15,8 +15,8 @@ services: links: - "conjur_https:conjur-https" volumes: - - ../plugins:/root/.ansible/plugins - - ..:/cyberark + - ../../plugins:/root/.ansible/plugins + - ../..:/cyberark - /var/run/docker.sock:/var/run/docker.sock pg: diff --git a/tests/conjur/test.sh b/tests/conjur/test.sh index 1644de21..03ce7bac 100755 --- a/tests/conjur/test.sh +++ b/tests/conjur/test.sh @@ -95,7 +95,7 @@ function run_test_case { fi docker-compose exec -T ansible bash -exc " - cd tests + cd tests/conjur # If env vars were provided, load them if [ -e 'test_cases/${test_case}/env' ]; then From 610a3ade1375251dce6b85cb5f412039cad208eb Mon Sep 17 00:00:00 2001 From: Bradley Boutcher Date: Wed, 19 Aug 2020 14:34:20 -0400 Subject: [PATCH 4/7] Fix sanity-test errors for Conjur Role --- ci/test.sh | 2 +- tests/conjur-host-identity/test.sh | 20 +++++++++++-------- .../tests/test_default.py | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/ci/test.sh b/ci/test.sh index 5beea664..cba73341 100755 --- a/ci/test.sh +++ b/ci/test.sh @@ -1,5 +1,5 @@ #!/bin/bash -ex -cd "${PWD}/tests/$@" +cd "${PWD}/tests/${1}" ./test.sh 
diff --git a/tests/conjur-host-identity/test.sh b/tests/conjur-host-identity/test.sh index ee2f4bcb..41cfee2f 100755 --- a/tests/conjur-host-identity/test.sh +++ b/tests/conjur-host-identity/test.sh @@ -11,7 +11,8 @@ trap finish EXIT finish # normalises project name by filtering non alphanumeric characters and transforming to lowercase -declare -x COMPOSE_PROJECT_NAME=$(echo ${BUILD_TAG:-"ansible-role-testing"} | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]') +declare -x COMPOSE_PROJECT_NAME +COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]') declare -x ANSIBLE_CONJUR_AUTHN_API_KEY='' declare -x CLI_CONJUR_AUTHN_API_KEY='' @@ -31,7 +32,9 @@ function api_key_for { } function hf_token { - echo $(docker exec ${cli_cid} conjur hostfactory tokens create --duration-days=5 ansible/ansible-factory | jq -r '.[0].token') + docker exec ${cli_cid} conjur hostfactory tokens create \ + --duration-days=5 \ + ansible/ansible-factory | jq -r '.[0].token' } function setup_conjur { @@ -46,9 +49,9 @@ function setup_conjur { } function run_test_cases { - for test_case in `ls test_cases`; do + for test_case in test_cases/*; do teardown_and_setup - run_test_case $test_case + run_test_case "$(basename -- "$test_case")" done } @@ -57,11 +60,11 @@ function run_test_case { local test_case=$1 if [ ! -z "$test_case" ] then - docker exec ${ansible_cid} env HFTOKEN=$(hf_token) bash -c " + docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -c " cd tests ansible-playbook test_cases/${test_case}/playbook.yml " - docker exec ${ansible_cid} bash -c " + docker exec "${ansible_cid}" bash -c " cd tests py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py " 
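Review bot: The default project name changes from `ansible-role-testing` to `ansible-plugin-testing` inside the hunk that fixes the `declare` masking, a behaviour change hidden in a lint fix; if `tests/conjur/test.sh` (not in this chunk) uses the same default, both suites resolve to the same compose project whenever `BUILD_TAG` is unset, and each suite's `finish` runs `docker-compose down -v` against the other's containers. In Jenkins the two stages run in `parallel` within one build and derive the name from the same `BUILD_TAG`, so the collision presumably exists there too unless the stages land on different executors — the `executor-v2-large` label added in the previous patch pins only one of them. A per-suite suffix keeps the projects distinct: `COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-role-testing}-host-identity" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')`.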
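Review bot: The host-factory token is still created with `--duration-days=5` although it is consumed once, seconds later, by `run_test_case`; a token that outlives the run by days is a standing credential for enrolling hosts into `remote_hosts` should a CI log or container ever be exposed. Requesting the shortest duration the CLI accepts and revoking the token in `finish` (`conjur hostfactory tokens revoke`) closes that window. `${cli_cid}` is also the one variable in this hunk left unquoted while the sibling hunks quote theirs.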
@@ -77,8 +80,9 @@ function teardown_and_setup { } function wait_for_server { - docker exec ${cli_cid} bash -c ' - for i in $(seq 20); do + # shellcheck disable=SC2016 + docker exec "${cli_cid}" bash -c ' + for i in $( seq 20 ); do curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break echo "." sleep 2 diff --git a/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py b/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py index 18402b6c..245c1711 100644 --- a/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py +++ b/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py @@ -1,8 +1,12 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( '/conjurinc/tests/inventory.tmp').get_hosts('testapp') + def test_hosts_file(host): f = host.file('/etc/hosts') From 9517144b385b28fa773f4edf6640f8f51a7b016f Mon Sep 17 00:00:00 2001 From: Bradley Boutcher Date: Mon, 14 Sep 2020 15:54:59 -0400 Subject: [PATCH 5/7] Update test runner script - Modified test-runner script to take certain flags - Test runner now validates input - Fixed an issue with the `gitleaks.toml` --- .gitleaks.toml | 2 +- Jenkinsfile | 4 +-- ci/test.sh | 69 +++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 69 insertions(+), 6 deletions(-) diff --git a/.gitleaks.toml b/.gitleaks.toml index 55c1e5f1..8b9bae1b 100644 --- a/.gitleaks.toml +++ b/.gitleaks.toml @@ -106,4 +106,4 @@ title = "ansible-conjur-collection gitleaks config" files = ['''^\.?gitleaks.toml$''', '''(.*?)(jpg|gif|doc|pdf|bin)$''', '''(go.mod|go.sum)$''', - '''(*/tests/* ''',] + '''(.*/tests/.*)$ ''',] diff --git a/Jenkinsfile b/Jenkinsfile index 8ea70936..535dc5ba 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
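Review bot: The corrected allowlist pattern `'''(.*/tests/.*)$ '''` still carries a space between `$` and the closing quotes, so the regex requires a literal space after end-of-string and can never match; the `tests/` exclusion this line intends is therefore inert (arguably fortunate, given the access token committed under `tests/conjur/` earlier in this series). If the intent stands, the entry should be `'''(.*/tests/.*)$''',`, but a narrower allowlist naming the specific fixtures that trip the scanner is preferable to excluding the whole tree that holds test credentials. The previous value `'''(*/tests/* '''` was not a valid regex at all, which may be why nobody noticed the rule never applied.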
@@ -24,14 +24,14 @@ pipeline { agent { label 'executor-v2-large' } steps { - sh './ci/test.sh conjur' + sh './ci/test.sh -d conjur' junit 'tests/conjur/junit/*' } } stage("Test Ansible-Conjur-Host-Identity") { steps { - sh './ci/test.sh conjur-host-identity' + sh './ci/test.sh -d conjur-host-identity' junit 'tests/conjur-host-identity/junit/*' } } diff --git a/ci/test.sh b/ci/test.sh index cba73341..a9201916 100755 --- a/ci/test.sh +++ b/ci/test.sh 
@@ -1,5 +1,68 @@ -#!/bin/bash -ex +#!/bin/bash -x -cd "${PWD}/tests/${1}" +# Test runner for Ansible Conjur Collection + +# Directories containing a `test.sh` file +test_directories=("conjur" "conjur-host-identity") + +# Target directory that can be manually set by passing a value to the `-d` flag +target="" + +# Print usage instructions +function help { + echo "Test runner for Ansible Conjur Collection" + + echo "-a Run all test files in default test directories" + echo "-d Run test file in given directory. Valid options are: ${test_directories[*]} all" + echo "-h View help and available commands" + exit 1 +} + +# Run a `test.sh` file in a given subdirectory of the top-level `tests` directory +function run_test { + pushd "${PWD}/tests/${1}" + echo "Running tests for ${1}..." + ./test.sh + popd +} + +# Handles input to dictate wether all tests should be ran, or just one set +function handle_input { + if [[ ! -z ${target} ]]; then + for test_dir in "${test_directories[@]}"; do + if [[ ${target} == "${test_dir}" ]]; then + run_test ${target} + exit 0 + fi + done + echo "Error: unrecognized test directory given: ${target}" + echo "" + help + else + echo "Running all tests..." + for test_dir in "${test_directories[@]}"; do + run_test "${test_dir}" + done + exit 0 + fi +} + +# Exit if no input given +if [[ $# -eq 0 ]] ; then + echo "Error: No test directory or flag given" + echo "" + help +fi + +while getopts ahd: option; do + case "$option" in + a) handle_input + ;; + d) target=${OPTARG} + handle_input + ;; + h) help + ;; + esac +done -./test.sh From a768495baf088ecf642bde6ad4c4770fbe3211e0 Mon Sep 17 00:00:00 2001 From: Bradley Boutcher Date: Tue, 15 Sep 2020 12:02:51 -0400 Subject: [PATCH 6/7] Add Conjur Role information to README.md --- CHANGELOG.md | 11 ++++ README.md | 142 ++++++++++++++++++++++++++++++++++++++-------- defaults/main.yml | 1 - galaxy.yml | 2 +- 4 files changed, 129 insertions(+), 27 deletions(-) 
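Review bot: The shebang drops `-e` (`#!/bin/bash -x`), `run_test` ignores the exit status of `./test.sh`, and `handle_input` ends every path with `exit 0`, so a failing suite now leaves the runner with status 0; the Jenkins stages only learn of failures through the `junit` step, and a suite that dies before writing junit output passes silently. Propagating the status out of `run_test` and accumulating it across the `-a` loop restores what the old `-ex` shebang gave, and `pushd` needs an explicit `|| exit 1` once `-e` is gone. `run_test ${target}` should also be quoted like the loop call, and `[[ ! -z ${target} ]]` reads better as `[[ -n ${target} ]]`. Comment nits in the hunk: "wether" → "whether", "should be ran" → "should be run".
```shell
# Run a `test.sh` file in a given subdirectory of the top-level `tests` directory;
# returns the suite's exit status
function run_test {
  pushd "${PWD}/tests/${1}" || exit 1
  echo "Running tests for ${1}..."
  ./test.sh
  local status=$?
  popd
  return "${status}"
}

# Handles input to dictate whether all tests should be run, or just one set
function handle_input {
  local status=0
  if [[ -n ${target} ]]; then
    for test_dir in "${test_directories[@]}"; do
      if [[ ${target} == "${test_dir}" ]]; then
        run_test "${target}"
        exit $?
      fi
    done
    # … unchanged: unrecognized-directory error and help …
  else
    echo "Running all tests..."
    for test_dir in "${test_directories[@]}"; do
      run_test "${test_dir}" || status=1
    done
    exit "${status}"
  fi
}
```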
diff --git a/CHANGELOG.md b/CHANGELOG.md index bfe2c26f..f97ea465 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,17 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Added +- The Ansible [conjur-host-identity](https://galaxy.ansible.com/cyberark/conjur-host-identity) has + been migrated to this collection, where it will be maintained moving forward. [cyberark/ + conjur-host-identity#30](https://github.com/cyberark/ansible-conjur-host-identity/issues/30) + +### Changed +- [Added retries](https://github.com/cyberark/ansible-conjur-host-identity/pull/32) to tasks/ + identity/Request identity from Conjur. + This will increase the reliability of host factory requests without introducing any extra delay + if the first request succeeds. + ## [1.0.7] - 2020-08-20 ### Changed diff --git a/README.md b/README.md index ece43087..0075bc75 100644 --- a/README.md +++ b/README.md 
@@ -1,35 +1,59 @@ ![](https://img.shields.io/badge/Certification%20Level-Community-28A745?link=https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md) -## CyberArk Ansible Conjur Collection +# CyberArk Ansible Conjur Collection -**** +This collection contains plugins to be used for CyberArk Conjur & DAP (Dynamic Access Provider) hosted in [ansible galaxy](https://galaxy.ansible.com/cyberark/conjur). -### cyberark.conjur +## Table of Contents +- [CyberArk Ansible Conjur Collection](#cyberark-ansible-conjur-collection) + * [Requirements](#requirements) + * [conjur_variable Lookup Plugin](#conjur_variable-lookup-plugin) + + [Role Variables](#role-variables) + + [Dependencies](#dependencies) + + [Example Playbook](#example-playbook) + * [Conjur Ansible Role](#conjur-ansible-role) + + [Usage](#usage) + + [Role Variables](#role-variables-1) + + [Dependencies](#dependencies) + + [Example Playbook](#example-playbook-1) + + [Summon & Service Managers](#summon---service-managers) + + [Recommendations](#recommendations) + * [Contributing](#contributing) + * [License](#license) -This collection contains plugins to be used for CyberArk Conjur & DAP hosted in [ansible galaxy](https://galaxy.ansible.com/cyberark/conjur). + -### Requirements +## Requirements -- [CyberArk Conjur Open Source](https://www.conjur.org) v1.x+ or -- [CyberArk Dynamic Access Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Resources/_TopNav/cc_Home.htm) v10.x+ -- Ansible v2.9+ +- conjur_variable Lookup Plugin + - [CyberArk Conjur Open Source](https://www.conjur.org) v1.x+ or + - [CyberArk Dynamic Access Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Resources/_TopNav/cc_Home.htm) v10.x+ + - Ansible >= 2.9 -### Role Variables - -None. -
-
+- Conjur Role + - A running Conjur service that is accessible from the target nodes. + - Ansible >= 2.3.0.0 -## Plugins - -### conjur_variable Lookup Plugin +## Installation +From terminal, run the following command: +```sh +ansible-galaxy collection install cyberark.conjur +``` +## conjur_variable Lookup Plugin Fetch credentials from CyberArk Conjur using the controlling host's Conjur identity or environment variables. - The controlling host running Ansible has a Conjur identity. [More Information here](https://docs.conjur.org/latest/en/Content/Get%20Started/key_concepts/machine_identity.html) and here in [Conjur Ansible role project](https://github.com/cyberark/ansible-conjur-host-identity/) -- Environment variables could be CONJUR_ACCOUNT, CONJUR_APPLIANCE_URL, CONJUR_CERT_FILE, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY, CONJUR_AUTHN_TOKEN_FILE -#### Example Playbook +- Environment variables could be `CONJUR_ACCOUNT`, `CONJUR_APPLIANCE_URL`, `CONJUR_CERT_FILE`, `CONJUR_AUTHN_LOGIN`, `CONJUR_AUTHN_API_KEY`, `CONJUR_AUTHN_TOKEN_FILE` + +### Role Variables + +None. +
+ +### Example Playbook ```yaml --- @@ -40,10 +64,78 @@ Fetch credentials from CyberArk Conjur using the controlling host's Conjur ident msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" ``` -### Author Information -- CyberArk Business Development Technical Team - - @cyberark-bizdev - - @enunez-cyberark - - @jimmyjamcabd -- CyberArk Community and Integrations Team - - @cyberark/community-and-integrations-team +## Conjur Ansible Role +This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that identity, secrets can then be retrieved securely using the [Summon](https://github.com/cyberark/summon) tool (installed on hosts with identities created by this role). + +### Usage +The Conjur role provides a method to "Conjurize" or establish the Conjur identity of a remote node with Ansible. The node can then be granted least-privilege access to retrieve the secrets it needs in a secure manner. + +### Role Variables + +* `conjur_appliance_url` `*`: URL of the running Conjur service +* `conjur_account` `*`: Conjur account name +* `conjur_host_factory_token` `*`: [Host Factory](https://developer.conjur.net/reference/services/host_factory/) token for +layer enrollment. This should be specified in the environment on the Ansible controlling host. +* `conjur_host_name` `*`: Name of the host being conjurized. +* `conjur_ssl_certificate`: Public SSL certificate of the Conjur endpoint +* `conjur_validate_certs`: Boolean value to indicate if the Conjur endpoint should validate certificates +* `summon.version`: version of Summon to install. Default is `0.6.6`. +* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.0`. + +The variables marked with `*` are required fields. The other variables are required for running with an HTTPS Conjur endpoint, but are not required if you run with an HTTP Conjur endpoint. + +### Dependencies + +None. +
+ +### Example Playbook + +Configure a remote node with a Conjur identity and Summon: +```yml +- hosts: servers + roles: + - role: cyberark.conjur-host-identity + conjur_appliance_url: 'https://conjur.myorg.com/api', + conjur_account: 'myorg', + conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}", + conjur_host_name: "{{inventory_hostname}}" +``` + +This example: +- Registers the host with Conjur, adding it into the layer specific to the provided host factory token. +- Installs Summon with the Summon Conjur provider for secret retrieval from Conjur. + +### Summon & Service Managers +With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a simple example of a SystemD file connecting to Conjur: +```ini +[Unit] +Description=DemoApp +After=network-online.target + +[Service] +User=DemoUser +#Environment=CONJUR_MAJOR_VERSION=4 +ExecStart=/usr/local/bin/summon --yaml 'DB_PASSWORD: !var staging/demoapp/database/password' /usr/local/bin/myapp +``` +> Note: +When connecting to Conjur 4 (Conjur Enterprise), Summon requires the environment variable `CONJUR_MAJOR_VERSION` set to `4`. You can provide it by uncommenting the relevant line above. + +The above example uses Summon to retrieve the password stored in `staging/myapp/database/password`, set it to an environment variable `DB_PASSWORD`, and provide it to the demo application process. Using Summon, the secret is kept off disk. If the service is restarted, Summon retrieves the password as the application is started. + +### Recommendations + +- Add `no_log: true` to each play that uses sensitive data, otherwise that data can be printed to the logs. + +- Set the Ansible files to minimum permissions. Ansible uses the permissions of the user that runs it. + +## Contributing + +We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing +guide][contrib]. 
+ +[contrib]: https://github.com/cyberark/ansible-conjur-collection/blob/master/CONTRIBUTING.md + +## License + +This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details. diff --git a/defaults/main.yml b/defaults/main.yml index 4e5477c6..d0f732bf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,5 @@ summon: version: 0.6.6 - # TODO - this should dynamically be generated as part of the Ansible fact gathering os: linux-amd64 summon_conjur: version: 0.5.0 diff --git a/galaxy.yml b/galaxy.yml index 027fac28..d87f1cf9 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -5,7 +5,7 @@ readme: README.md authors: - CyberArk Business Development (@cyberark-bizdev) - CyberArk Community and Integrations Team (@cyberark/community-and-integrations-team) -description: "This is a Collection of CyberArk Conjur/DAP toolkit." +description: "This is a Collection of the CyberArk Conjur/DAP toolkit." license: "Apache-2.0" tags: - cyberark From 00c1514c6f1c14d3a2e936f10bef286b9928de8f Mon Sep 17 00:00:00 2001 
From: Bradley Boutcher Date: Wed, 16 Sep 2020 17:48:30 -0400 Subject: [PATCH 7/7] Create role subdirectory Per Ansible Collection documentation, the conjur_host_identity role has been moved to a `role` subdirectory. A `tests` subdirectory has been added for this role, and all relevant tests moved there. --- .gitignore | 23 ++- .gitleaks.toml | 109 ---------- CHANGELOG.md | 12 +- CONTRIBUTING.md | 10 +- Jenkinsfile | 14 +- README.md | 187 +++++++++++------- ci/parse-changelog.sh | 13 +- ci/test.sh | 28 ++- requirements.txt | 2 +- .../conjur_host_identity/defaults}/main.yml | 4 +- .../conjur_host_identity/meta}/main.yml | 8 +- .../conjur_host_identity/tasks}/identity.yml | 0 .../tasks}/identity_check.yml | 0 .../conjur_host_identity/tasks}/main.yml | 0 .../tasks}/summon-conjur.yml | 0 .../conjur_host_identity/tasks}/summon.yml | 0 .../templates}/conjur.conf.j2 | 0 .../templates}/conjur.identity.j2 | 0 .../conjur_host_identity/tests}/Dockerfile | 0 .../tests}/Dockerfile_nginx | 0 .../conjur_host_identity/tests}/ansible.cfg | 0 roles/conjur_host_identity/tests/conjur.pem | 21 ++ .../tests}/docker-compose.yml | 4 +- .../tests}/inventory-playbook.yml | 0 .../conjur_host_identity/tests}/inventory.j2 | 0 .../tests}/policy/root.yml | 0 .../tests}/proxy/default.conf | 0 .../tests}/proxy/ssl.conf | 0 .../conjur_host_identity/tests}/test.sh | 2 +- .../tests}/test_app_centos/Dockerfile | 0 .../tests}/test_app_ubuntu/Dockerfile | 0 .../configure-conjur-identity/playbook.yml | 0 .../tests/test_default.py | 0 tests/{conjur => conjur_variable}/Dockerfile | 0 .../Dockerfile_nginx | 0 .../docker-compose.yml | 0 .../policy/root.yml | 0 .../proxy/default.conf | 0 .../proxy/ssl.conf | 0 tests/{conjur => conjur_variable}/pytest.ini | 0 tests/{conjur => conjur_variable}/test.sh | 6 +- .../retrieve-variable-bad-cert-path/env | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../retrieve-variable-bad-certs/bad-cert.pem | 2 +- .../retrieve-variable-bad-certs/env | 0 
.../retrieve-variable-bad-certs/playbook.yml | 0 .../tests/test_default.py | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../retrieve-variable-with-authn-token/env | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../retrieve-variable-with-spaces-secret/env | 0 .../playbook.yml | 0 .../tests/test_default.py | 0 .../test_cases/retrieve-variable/env | 0 .../test_cases/retrieve-variable/playbook.yml | 0 .../retrieve-variable/tests/test_default.py | 0 tests/sanity/ignore-2.10.txt | 8 +- tests/sanity/ignore-2.11.txt | 8 +- tests/sanity/ignore-2.9.txt | 4 +- 64 files changed, 214 insertions(+), 251 deletions(-) delete mode 100644 .gitleaks.toml rename {defaults => roles/conjur_host_identity/defaults}/main.yml (63%) rename {meta => roles/conjur_host_identity/meta}/main.yml (65%) rename {tasks => roles/conjur_host_identity/tasks}/identity.yml (100%) rename {tasks => roles/conjur_host_identity/tasks}/identity_check.yml (100%) rename {tasks => roles/conjur_host_identity/tasks}/main.yml (100%) rename {tasks => roles/conjur_host_identity/tasks}/summon-conjur.yml (100%) rename {tasks => roles/conjur_host_identity/tasks}/summon.yml (100%) rename {templates => roles/conjur_host_identity/templates}/conjur.conf.j2 (100%) rename {templates => roles/conjur_host_identity/templates}/conjur.identity.j2 (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/Dockerfile (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/Dockerfile_nginx (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/ansible.cfg (100%) create mode 100644 roles/conjur_host_identity/tests/conjur.pem rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/docker-compose.yml (93%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/inventory-playbook.yml (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/inventory.j2 
(100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/policy/root.yml (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/proxy/default.conf (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/proxy/ssl.conf (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/test.sh (97%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/test_app_centos/Dockerfile (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/test_app_ubuntu/Dockerfile (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/test_cases/configure-conjur-identity/playbook.yml (100%) rename {tests/conjur-host-identity => roles/conjur_host_identity/tests}/test_cases/configure-conjur-identity/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/Dockerfile (100%) rename tests/{conjur => conjur_variable}/Dockerfile_nginx (100%) rename tests/{conjur => conjur_variable}/docker-compose.yml (100%) rename tests/{conjur => conjur_variable}/policy/root.yml (100%) rename tests/{conjur => conjur_variable}/proxy/default.conf (100%) rename tests/{conjur => conjur_variable}/proxy/ssl.conf (100%) rename tests/{conjur => conjur_variable}/pytest.ini (100%) rename tests/{conjur => conjur_variable}/test.sh (94%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-bad-cert-path/env (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-bad-cert-path/playbook.yml (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-bad-certs/bad-cert.pem (98%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-bad-certs/env (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-bad-certs/playbook.yml (100%) rename tests/{conjur => 
conjur_variable}/test_cases/retrieve-variable-bad-certs/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-disable-verify-certs/playbook.yml (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-no-cert-provided/playbook.yml (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-with-authn-token/env (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-with-authn-token/playbook.yml (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-with-authn-token/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-with-spaces-secret/env (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-with-spaces-secret/playbook.yml (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable/env (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable/playbook.yml (100%) rename tests/{conjur => conjur_variable}/test_cases/retrieve-variable/tests/test_default.py (100%) diff --git a/.gitignore b/.gitignore index 6b6fa301..9059d81f 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,26 +1,25 @@
+# System directories files
 .DS_Store
+.idea/
-# We don't care about test outputs
+# Test output
 tests/*/junit/
 tests/*/conjur.pem
 tests/*/access_token
+**/test-files/output
+junit
-# We should never check in pycache directories
+# Pycache directories and files
 **/__pycache__/
+.pytest_cache
+*.pyc
-# Distributable files should not be included in the repo
+# Distributable directories files
 *.tar.gz
+vendor/
-# ansible-conjur-host-identity
+# Temporary files
 *.log
 .cache
 *.retry
-.idea/
-*.pyc
-**/.molecule/
-**/test-files/output
-junit
-molecule/conjur.pem
 *.tmp
-vendor/
-.pytest_cache
diff --git a/.gitleaks.toml b/.gitleaks.toml
deleted file mode 100644
index 8b9bae1b..00000000
--- a/.gitleaks.toml
+++ /dev/null
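Review bot: The retained rule `tests/*/conjur.pem` no longer matches the role's test directory, which this commit moves to `roles/conjur_host_identity/tests/`, and the commit's file list shows `roles/conjur_host_identity/tests/conjur.pem` being created (21 lines). A PEM of that length is presumably the test Conjur server's certificate rather than a private key, but the old rules (`tests/*/conjur.pem`, `molecule/conjur.pem`) existed because the test run writes it, so confirm it was meant to be committed and add `roles/*/tests/conjur.pem` (plus `roles/*/tests/junit/` and `roles/*/tests/access_token` if the moved test.sh still writes those) so a fresh run does not leave a per-environment certificate or access token sitting untracked. Note that `.gitleaks.toml` is deleted in the same commit, so nothing in the repository would flag an accidentally committed `access_token` afterwards; if secret scanning moved elsewhere (not visible here), the commit message could say so. Dropping `**/.molecule/` and `molecule/conjur.pem` looks fine if molecule is no longer used.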
@@ -1,109 +0,0 @@ -title = "ansible-conjur-collection gitleaks config" - -[[rules]] - description = "AWS Manager ID" - regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''' - tags = ["key", "AWS"] -[[rules]] - description = "AWS Secret Key" - regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]''' - tags = ["key", "AWS"] -[[rules]] - description = "AWS MWS key" - regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' - tags = ["key", "AWS", "MWS"] -[[rules]] - description = "Facebook Secret Key" - regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]''' - tags = ["key", "Facebook"] -[[rules]] - description = "Facebook Client ID" - regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]''' - tags = ["key", "Facebook"] -[[rules]] - description = "Twitter Secret Key" - regex = '''(?i)twitter(.{0,20})?[0-9a-z]{35,44}''' - tags = ["key", "Twitter"] -[[rules]] - description = "Twitter Client ID" - regex = '''(?i)twitter(.{0,20})?[0-9a-z]{18,25}''' - tags = ["client", "Twitter"] -[[rules]] - description = "Github" - regex = '''(?i)github(.{0,20})?(?-i)[0-9a-zA-Z]{35,40}''' - tags = ["key", "Github"] -[[rules]] - description = "LinkedIn Client ID" - regex = '''(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}''' - tags = ["client", "LinkedIn"] -[[rules]] - description = "LinkedIn Secret Key" - regex = '''(?i)linkedin(.{0,20})?[0-9a-z]{16}''' - tags = ["secret", "LinkedIn"] -[[rules]] - description = "Slack" - regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' - tags = ["key", "Slack"] -[[rules]] - description = "Asymmetric Private Key" - regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----''' - tags = ["key", "AsymmetricPrivateKey"] -[[rules]] - description = "Google API key" - regex = '''AIza[0-9A-Za-z\\-_]{35}''' - tags = ["key", "Google"] -[[rules]] - description = "Google (GCP) Service Account" - regex = '''"type": "service_account"''' - tags = ["key", "Google"] -[[rules]] - 
description = "Heroku API key" - regex = '''(?i)heroku(.{0,20})?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}''' - tags = ["key", "Heroku"] -[[rules]] - description = "MailChimp API key" - regex = '''(?i)(mailchimp|mc)(.{0,20})?[0-9a-f]{32}-us[0-9]{1,2}''' - tags = ["key", "Mailchimp"] -[[rules]] - description = "Mailgun API key" - regex = '''((?i)(mailgun|mg)(.{0,20})?)?key-[0-9a-z]{32}''' - tags = ["key", "Mailgun"] -[[rules]] - description = "PayPal Braintree access token" - regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' - tags = ["key", "Paypal"] -[[rules]] - description = "Picatic API key" - regex = '''sk_live_[0-9a-z]{32}''' - tags = ["key", "Picatic"] -[[rules]] - description = "SendGrid API Key" - regex = '''SG\.[\w_]{16,32}\.[\w_]{16,64}''' - tags = ["key", "SendGrid"] -[[rules]] - description = "Slack Webhook" - regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' - tags = ["key", "slack"] -[[rules]] - description = "Stripe API key" - regex = '''(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}''' - tags = ["key", "Stripe"] -[[rules]] - description = "Square access token" - regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' - tags = ["key", "square"] -[[rules]] - description = "Square OAuth secret" - regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' - tags = ["key", "square"] -[[rules]] - description = "Twilio API key" - regex = '''(?i)twilio(.{0,20})?SK[0-9a-f]{32}''' - tags = ["key", "twilio"] -[allowlist] - commits = ["0f04d2d2bbbbd6315b8b14cfcfa4c89b1cf2213e",] - description = "Allowlisted files" - files = ['''^\.?gitleaks.toml$''', - '''(.*?)(jpg|gif|doc|pdf|bin)$''', - '''(go.mod|go.sum)$''', - '''(.*/tests/.*)$ ''',] diff --git a/CHANGELOG.md b/CHANGELOG.md index f97ea465..f997e2b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,15 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] ### Added -- The Ansible [conjur-host-identity](https://galaxy.ansible.com/cyberark/conjur-host-identity) has - been migrated to this collection, where it will be maintained moving forward. [cyberark/ - conjur-host-identity#30](https://github.com/cyberark/ansible-conjur-host-identity/issues/30) - -### Changed -- [Added retries](https://github.com/cyberark/ansible-conjur-host-identity/pull/32) to tasks/ - identity/Request identity from Conjur. - This will increase the reliability of host factory requests without introducing any extra delay - if the first request succeeds. +- The [Conjur Ansible role](https://galaxy.ansible.com/cyberark/conjur-host-identity) has been + migrated to this collection, where it will be maintained moving forward. + [cyberark/ansible-conjur-host-identity#30](https://github.com/cyberark/ansible-conjur-host-identity/issues/30) ## [1.0.7] - 2020-08-20 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index bf650ec4..ad11fac3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -27,9 +27,15 @@ of this plugin: ### Testing -To run the tests: +To run a specific set of tests: ```sh-session $ cd tests -$ ./test.sh +$ ./test.sh -d ``` +To run all tests: + +```sh-session +$ cd tests +$ ./test.sh -a +``` \ No newline at end of file diff --git a/Jenkinsfile b/Jenkinsfile index 535dc5ba..f63138de 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -20,19 +20,17 @@ pipeline {
 stage('Run tests') {
 parallel {
- stage("Test Ansible-Conjur-Collection") {
- agent { label 'executor-v2-large' }
-
+ stage("Test conjur_lookup Plugin") {
 steps {
- sh './ci/test.sh -d conjur'
- junit 'tests/conjur/junit/*'
+ sh './ci/test.sh -d conjur_variable'
+ junit 'tests/conjur_variable/junit/*'
 }
 }
- stage("Test Ansible-Conjur-Host-Identity") {
+ stage("Test conjur_host_identity Role") {
 steps {
- sh './ci/test.sh -d conjur-host-identity'
- junit 'tests/conjur-host-identity/junit/*'
+ sh './ci/test.sh -d conjur_host_identity'
+ junit 'roles/conjur_host_identity/tests/junit/*'
 }
 }
 }
diff --git a/README.md b/README.md
index 0075bc75..a6607c64 100644
--- a/README.md
+++ b/README.md
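Review bot: The renamed stage `Test conjur_lookup Plugin` does not match the component it runs: the script argument and junit path both use `conjur_variable`, and the README on this page calls it the `conjur_variable` lookup plugin, so `stage("Test conjur_variable Plugin")` would keep the stage name searchable against the test directory. The removed `agent { label 'executor-v2-large' }` also means this stage now runs on whatever agent the enclosing `pipeline` block declares, which is outside the hunk; presumably intentional, since the two parallel stages previously ran on different executors, but worth a sentence in the commit message.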
@@ -2,92 +2,77 @@ # CyberArk Ansible Conjur Collection -This collection contains plugins to be used for CyberArk Conjur & DAP (Dynamic Access Provider) hosted in [ansible galaxy](https://galaxy.ansible.com/cyberark/conjur). +This collection contains components to be used with CyberArk Conjur & DAP (Dynamic Access Provider) +hosted in [Ansible Galaxy](https://galaxy.ansible.com/cyberark/conjur). ## Table of Contents -- [CyberArk Ansible Conjur Collection](#cyberark-ansible-conjur-collection) - * [Requirements](#requirements) - * [conjur_variable Lookup Plugin](#conjur_variable-lookup-plugin) - + [Role Variables](#role-variables) - + [Dependencies](#dependencies) - + [Example Playbook](#example-playbook) - * [Conjur Ansible Role](#conjur-ansible-role) - + [Usage](#usage) - + [Role Variables](#role-variables-1) - + [Dependencies](#dependencies) - + [Example Playbook](#example-playbook-1) - + [Summon & Service Managers](#summon---service-managers) - + [Recommendations](#recommendations) - * [Contributing](#contributing) - * [License](#license) + +* [Requirements](#requirements) +* [Installation](#installation) +* [Conjur Ansible Role](#conjur-ansible-role) + + [Usage](#usage) + + [Role Variables](#role-variables) + + [Example Playbook](#example-playbook) + + [Summon & Service Managers](#summon---service-managers) + + [Recommendations](#recommendations) +* [Conjur Ansible Lookup Plugin](#conjur-ansible-lookup-plugin) + + [Environment variables](#environment-variables) + + [Role Variables](#role-variables-1) + + [Example Playbook](#example-playbook-1) +* [Contributing](#contributing) +* [License](#license) ## Requirements -- conjur_variable Lookup Plugin - - [CyberArk Conjur Open Source](https://www.conjur.org) v1.x+ or - - [CyberArk Dynamic Access Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Resources/_TopNav/cc_Home.htm) v10.x+ - - Ansible >= 2.9 - -- Conjur Role - - A running Conjur service that is accessible from the target 
nodes. - - Ansible >= 2.3.0.0 +- An instance of [CyberArk Conjur Open Source](https://www.conjur.org) v1.x+ or [CyberArk Dynamic + Access + Provider](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Resources/_TopNav/cc_Home.htm) + v10.x+ accessible from the target node +- Ansible >= 2.9 ## Installation + From terminal, run the following command: ```sh ansible-galaxy collection install cyberark.conjur ``` -## conjur_variable Lookup Plugin -Fetch credentials from CyberArk Conjur using the controlling host's Conjur identity or environment variables. - -- The controlling host running Ansible has a Conjur identity. [More Information here](https://docs.conjur.org/latest/en/Content/Get%20Started/key_concepts/machine_identity.html) and here in [Conjur Ansible role project](https://github.com/cyberark/ansible-conjur-host-identity/) - -- Environment variables could be `CONJUR_ACCOUNT`, `CONJUR_APPLIANCE_URL`, `CONJUR_CERT_FILE`, `CONJUR_AUTHN_LOGIN`, `CONJUR_AUTHN_API_KEY`, `CONJUR_AUTHN_TOKEN_FILE` - -### Role Variables - -None. -
- -### Example Playbook +## Conjur Ansible Role -```yaml ---- -- hosts: localhost - tasks: - - name: Lookup variable in Conjur - debug: - msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" -``` +**NOTE**: This role is currently not available in releases installed through Ansible Galaxy, but +will be added in the next release. Follow [issue +#30](https://github.com/cyberark/ansible-conjur-collection/issues/35) for updates. -## Conjur Ansible Role -This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that identity, secrets can then be retrieved securely using the [Summon](https://github.com/cyberark/summon) tool (installed on hosts with identities created by this role). +This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that +identity, secrets can then be retrieved securely using the [Conjur Lookup +Plugin](#conjur-ansible-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon) +tool (installed on hosts with identities created by this role). ### Usage -The Conjur role provides a method to "Conjurize" or establish the Conjur identity of a remote node with Ansible. The node can then be granted least-privilege access to retrieve the secrets it needs in a secure manner. + +The Conjur role provides a method to establish the Conjur identity of a remote node with Ansible. +The node can then be granted least-privilege access to retrieve the secrets it needs in a secure +manner. ### Role Variables -* `conjur_appliance_url` `*`: URL of the running Conjur service -* `conjur_account` `*`: Conjur account name -* `conjur_host_factory_token` `*`: [Host Factory](https://developer.conjur.net/reference/services/host_factory/) token for -layer enrollment. This should be specified in the environment on the Ansible controlling host. -* `conjur_host_name` `*`: Name of the host being conjurized. 
+* `conjur_appliance_url` _(Optional)_: URL of the running Conjur service +* `conjur_account` _(Optional)_: Conjur account name +* `conjur_host_factory_token` _(Optional)_: [Host + Factory](https://developer.conjur.net/reference/services/host_factory/) token for layer + enrollment. This should be specified in the environment on the Ansible controlling host. +* `conjur_host_name` _(Optional)_: Name of the host to be created. * `conjur_ssl_certificate`: Public SSL certificate of the Conjur endpoint -* `conjur_validate_certs`: Boolean value to indicate if the Conjur endpoint should validate certificates -* `summon.version`: version of Summon to install. Default is `0.6.6`. -* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.0`. - -The variables marked with `*` are required fields. The other variables are required for running with an HTTPS Conjur endpoint, but are not required if you run with an HTTP Conjur endpoint. +* `conjur_validate_certs`: Boolean value to indicate if the Conjur endpoint should validate + certificates +* `summon.version`: version of Summon to install. Default is `0.8.2`. +* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.3`. -### Dependencies - -None. -
+The variables marked with _`(Optional)`_ are not required fields. All other variables are required +for running with an HTTPS Conjur endpoint. ### Example Playbook @@ -95,7 +80,7 @@ Configure a remote node with a Conjur identity and Summon: ```yml - hosts: servers roles: - - role: cyberark.conjur-host-identity + - role: cyberark.conjur.conjur-host-identity conjur_appliance_url: 'https://conjur.myorg.com/api', conjur_account: 'myorg', conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}", @@ -103,11 +88,15 @@ Configure a remote node with a Conjur identity and Summon: ``` This example: -- Registers the host with Conjur, adding it into the layer specific to the provided host factory token. +- Registers the host `{{ inventory_hostname }}` with Conjur, adding it into the Conjur policy layer + defined for the provided host factory token. - Installs Summon with the Summon Conjur provider for secret retrieval from Conjur. ### Summon & Service Managers -With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a simple example of a SystemD file connecting to Conjur: + +With Summon installed, using Conjur with a Service Manager (like systemd) becomes a snap. Here's a +simple example of a `systemd` file connecting to Conjur: + ```ini [Unit] Description=DemoApp 
@@ -118,24 +107,76 @@ User=DemoUser #Environment=CONJUR_MAJOR_VERSION=4 ExecStart=/usr/local/bin/summon --yaml 'DB_PASSWORD: !var staging/demoapp/database/password' /usr/local/bin/myapp ``` -> Note: -When connecting to Conjur 4 (Conjur Enterprise), Summon requires the environment variable `CONJUR_MAJOR_VERSION` set to `4`. You can provide it by uncommenting the relevant line above. -The above example uses Summon to retrieve the password stored in `staging/myapp/database/password`, set it to an environment variable `DB_PASSWORD`, and provide it to the demo application process. Using Summon, the secret is kept off disk. If the service is restarted, Summon retrieves the password as the application is started. +> Note: When connecting to Conjur 4 (Conjur Enterprise), Summon requires the environment variable +`CONJUR_MAJOR_VERSION` set to `4`. You can provide it by uncommenting the relevant line above. + +The above example uses Summon to retrieve the password stored in `staging/myapp/database/password`, +set it to an environment variable `DB_PASSWORD`, and provide it to the demo application process. +Using Summon, the secret is kept off disk. If the service is restarted, Summon retrieves the +password as the application is started. ### Recommendations -- Add `no_log: true` to each play that uses sensitive data, otherwise that data can be printed to the logs. +- Add `no_log: true` to each play that uses sensitive data, otherwise that data can be printed to + the logs. + +- Set the Ansible files to minimum permissions. Ansible uses the permissions of the user that runs + it. + +## Conjur Ansible Lookup Plugin + +Fetch credentials from CyberArk Conjur using the controlling host's Conjur identity or environment +variables. + +The controlling host running Ansible must have a Conjur identity, provided for example by the +[ConjurAnsible role](#conjur-ansible-role). 
+ +### Environment variables + +The following environment variables will be used by the lookup plugin to authenticate with the +Conjur host, if they are present on the system running the lookup plugin. + +- `CONJUR_ACCOUNT` : The Conjur account name +- `CONJUR_APPLIANCE_URL` : URL of the running Conjur service +- `CONJUR_CERT_FILE` : Path to the Conjur certificate file +- `CONJUR_AUTHN_LOGIN` : A valid Conjur host username +- `CONJUR_AUTHN_API_KEY` : The api key that corresponds to the Conjur host username +- `CONJUR_AUTHN_TOKEN_FILE` : Path to a file containing a valid Conjur auth token + +### Role Variables + +None. + +### Example Playbook -- Set the Ansible files to minimum permissions. Ansible uses the permissions of the user that runs it. +```yaml +--- +- hosts: localhost + tasks: + - name: Lookup variable in Conjur + debug: + msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" +``` ## Contributing -We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing -guide][contrib]. +We welcome contributions of all kinds to this repository. For instructions on how to get started and +descriptions of our development workflows, please see our [contributing guide][contrib]. [contrib]: https://github.com/cyberark/ansible-conjur-collection/blob/master/CONTRIBUTING.md ## License -This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details. +Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. Licensed under the Apache License, +Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
You
+may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is
+distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied. See the License for the specific language governing permissions and limitations under the
+License.
+
+For the full license text see [`LICENSE`](LICENSE).
diff --git a/ci/parse-changelog.sh b/ci/parse-changelog.sh
index 0fd7f528..be7d8270 100755
--- a/ci/parse-changelog.sh
+++ b/ci/parse-changelog.sh
@@ -1,11 +1,6 @@
 #!/bin/bash -ex
-cd "$(dirname "$0")"
-
-docker run --rm \
- -v "$PWD/..:/work" \
- -w "/work" \
- ruby:2.5 bash -ec "
- gem install -N parse_a_changelog
- parse ./CHANGELOG.md
- "
+docker run \
+ --rm \
+ --volume "${PWD}/CHANGELOG.md":/CHANGELOG.md \
+ cyberark/parse-a-changelog
\ No newline at end of file
diff --git a/ci/test.sh b/ci/test.sh
index a9201916..c83eb68e 100755
--- a/ci/test.sh
+++ b/ci/test.sh
@@ -2,8 +2,11 @@
 # Test runner for Ansible Conjur Collection
-# Directories containing a `test.sh` file
-test_directories=("conjur" "conjur-host-identity")
+# Test subdirectors containing a `test.sh` file
+test_directories=("conjur_variable")
+
+# Roles containing a test subdirectory
+role_directories=("conjur_host_identity")
 # Target directory that can be manually set by passing a value to the `-d` flag
 target=""
@@ -19,9 +22,19 @@ function help {
 }
 # Run a `test.sh` file in a given subdirectory of the top-level `tests` directory
+# Expected directory structure is "tests//test.sh"
 function run_test {
 pushd "${PWD}/tests/${1}"
- echo "Running tests for ${1}..."
+ echo "Running ${1} tests..."
+ ./test.sh
+ popd
+}
+
+# Run a `test.sh` file for a given role
+# Expected directory structure is "roles//tests/test.sh"
function run_role_test {
pushd "${PWD}/roles/${1}/tests"
+ echo "Running ${1} tests..."
 ./test.sh
 popd
 }
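Review bot: The rewritten parse-changelog.sh is now cwd-dependent: the old version did `cd "$(dirname "$0")"` and mounted `$PWD/..`, whereas the new bind mount `"${PWD}/CHANGELOG.md":/CHANGELOG.md` only resolves when the script is invoked from the repository root, and from any other directory Docker creates an empty directory at that host path and the run fails with a confusing error. Anchor the path to the script instead, e.g. `--volume "$(cd "$(dirname "$0")/.." && pwd)/CHANGELOG.md":/CHANGELOG.md \`. The image reference `cyberark/parse-a-changelog` is also untagged, so the lint result can change silently between CI runs as the default tag moves; pin a tag or digest, e.g. `cyberark/parse-a-changelog:<pinned-tag>` (placeholder).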
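Review bot: The `help` output is left stale by the ci/test.sh hunk `@@ -19,9 +22,19 @@`: the `-d` usage line (inside function `help`, whose body is outside this hunk) still lists only `${test_directories[*]} all`, so `conjur_host_identity`, which `handle_input` now accepts via the new `role_directories` array, is never shown, while `all` has been shown there without ever being accepted by the `-d` branch since the earlier hunk. Update it to `echo "-d Run test file in given directory. Valid options are: ${test_directories[*]} ${role_directories[*]}"` and either drop `all` or make `-d all` behave like `-a`. The new comments `"tests//test.sh"` and `"roles//tests/test.sh"` also appear to have lost a placeholder between the slashes, presumably an angle-bracketed name eaten by rendering; if the file really reads this way, restore it, e.g. `# Expected directory structure is "tests/<dir>/test.sh"`. Note too that `pushd "${PWD}/roles/${1}/tests"` is a new line but carries no `+` marker on this page, so its side should be checked against the actual patch.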
@@ -35,6 +48,12 @@ function handle_input {
 exit 0
 fi
 done
+ for test_dir in "${role_directories[@]}"; do
+ if [[ ${target} == "${test_dir}" ]]; then
+ run_role_test ${target}
+ exit 0
+ fi
+ done
 echo "Error: unrecognized test directory given: ${target}"
 echo ""
 help
@@ -43,6 +62,9 @@ function handle_input {
 for test_dir in "${test_directories[@]}"; do
 run_test "${test_dir}"
 done
+ for test_dir in "${role_directories[@]}"; do
+ run_role_test "${test_dir}"
+ done
 exit 0
 fi
 }
diff --git a/requirements.txt b/requirements.txt
index 1193e198..40d19fd8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-ansible>=2.5.15
+ansible>=2.9
diff --git a/defaults/main.yml b/roles/conjur_host_identity/defaults/main.yml
similarity index 63%
rename from defaults/main.yml
rename to roles/conjur_host_identity/defaults/main.yml
index d0f732bf..d04410d8 100644
--- a/defaults/main.yml
+++ b/roles/conjur_host_identity/defaults/main.yml
@@ -1,6 +1,6 @@
 summon:
- version: 0.6.6
+ version: 0.8.2
 os: linux-amd64
 summon_conjur:
- version: 0.5.0
+ version: 0.5.3
 os: linux-amd64
diff --git a/meta/main.yml b/roles/conjur_host_identity/meta/main.yml
similarity index 65%
rename from meta/main.yml
rename to roles/conjur_host_identity/meta/main.yml
index f0b0d840..1fc12ef1 100644
--- a/meta/main.yml
+++ b/roles/conjur_host_identity/meta/main.yml
@@ -6,13 +6,9 @@ galaxy_info:
 company: CyberArk
 license: Apache
 author:
- - Dustin Collins (@dustinmm80)
- - Oren Ben Meir (@orenbm)
- - Jason Vanderhoof (@jvanderhoof)
- - Kumbirai Tanekha (@doodlesbykumbi)
- - Gary Moon (@garymoon)
+ - Cyberark Community and Integrations Team (@cyberark/community-and-integrations-team)
- min_ansible_version: '2.3'
+ min_ansible_version: '2.9'
 platforms:
 - name: Ubuntu
diff --git a/tasks/identity.yml b/roles/conjur_host_identity/tasks/identity.yml
similarity index 100%
rename from tasks/identity.yml
rename to roles/conjur_host_identity/tasks/identity.yml
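Review bot: `run_role_test ${target}` in the first hunk is unquoted, while every other call in this file quotes its argument (`run_test "${test_dir}"` and the new `run_role_test "${test_dir}"` in the second hunk); make it `run_role_test "${target}"` so the value is passed through unchanged even if it contains whitespace or glob characters, and so the four call sites read alike. The enclosing `handle_input` function starts and ends outside both hunks.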
diff --git a/tasks/identity_check.yml b/roles/conjur_host_identity/tasks/identity_check.yml
similarity index 100%
rename from tasks/identity_check.yml
rename to roles/conjur_host_identity/tasks/identity_check.yml
diff --git a/tasks/main.yml b/roles/conjur_host_identity/tasks/main.yml
similarity index 100%
rename from tasks/main.yml
rename to roles/conjur_host_identity/tasks/main.yml
diff --git a/tasks/summon-conjur.yml b/roles/conjur_host_identity/tasks/summon-conjur.yml
similarity index 100%
rename from tasks/summon-conjur.yml
rename to roles/conjur_host_identity/tasks/summon-conjur.yml
diff --git a/tasks/summon.yml b/roles/conjur_host_identity/tasks/summon.yml
similarity index 100%
rename from tasks/summon.yml
rename to roles/conjur_host_identity/tasks/summon.yml
diff --git a/templates/conjur.conf.j2 b/roles/conjur_host_identity/templates/conjur.conf.j2
similarity index 100%
rename from templates/conjur.conf.j2
rename to roles/conjur_host_identity/templates/conjur.conf.j2
diff --git a/templates/conjur.identity.j2 b/roles/conjur_host_identity/templates/conjur.identity.j2
similarity index 100%
rename from templates/conjur.identity.j2
rename to roles/conjur_host_identity/templates/conjur.identity.j2
diff --git a/tests/conjur-host-identity/Dockerfile b/roles/conjur_host_identity/tests/Dockerfile
similarity index 100%
rename from tests/conjur-host-identity/Dockerfile
rename to roles/conjur_host_identity/tests/Dockerfile
diff --git a/tests/conjur-host-identity/Dockerfile_nginx b/roles/conjur_host_identity/tests/Dockerfile_nginx
similarity index 100%
rename from tests/conjur-host-identity/Dockerfile_nginx
rename to roles/conjur_host_identity/tests/Dockerfile_nginx
diff --git a/tests/conjur-host-identity/ansible.cfg b/roles/conjur_host_identity/tests/ansible.cfg
similarity index 100%
rename from tests/conjur-host-identity/ansible.cfg
rename to roles/conjur_host_identity/tests/ansible.cfg
diff --git a/roles/conjur_host_identity/tests/conjur.pem b/roles/conjur_host_identity/tests/conjur.pem
new file mode 100644
index 00000000..979201cf
--- /dev/null
+++ b/roles/conjur_host_identity/tests/conjur.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDizCCAnOgAwIBAgIJAIzfbS84IEf2MA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
+BAYTAklMMQ8wDQYDVQQIDAZJc3JhZWwxDDAKBgNVBAcMA1RMVjENMAsGA1UECgwE
+T255eDERMA8GA1UECwwIQ3liZXJBcmsxGzAZBgNVBAMMEmNvbmp1ci1wcm94eS1u
+Z2lueDAeFw0yMDA4MTgxNDA2NDNaFw0yMTA4MTgxNDA2NDNaMGsxCzAJBgNVBAYT
+AklMMQ8wDQYDVQQIDAZJc3JhZWwxDDAKBgNVBAcMA1RMVjENMAsGA1UECgwET255
+eDERMA8GA1UECwwIQ3liZXJBcmsxGzAZBgNVBAMMEmNvbmp1ci1wcm94eS1uZ2lu
+eDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrnWSgW7zySUlKZb1a3
+0EaIuKImB2kP5Hl200t4icel5oi+PlrmNsh2y9MhsqsUGem/uaRksHRcco/vpmcV
+nj8j+QH4xcVy6UVmd6EYYI2J5uRFIX+aFbo9CvWCGuFbPITIadyinaKgYMtUwhN1
+wPAvT5rSpFKlERBHthfVVhseGJQSdFKAdtgdu3Umu6VdrONKbTrSFePyxJYxa6sL
+AxZHfTc/urJn+3r5ddDqhGP/daD8CES8QrZ4FsRDnlV1oell9UotLhIAdqJ81eUL
+GmYSa/QWoOOLnyXfmyCICIWSI5Rit76OlB/e0n2LyBZz80rUOxyJGUjRmu56a4rt
+x/MCAwEAAaMyMDAwLgYDVR0RBCcwJYIJbG9jYWxob3N0ghJjb25qdXItcHJveHkt
+bmdpbniHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAB/0oG8J0eXhX1SfmZltO95H
+LiQAtOIyOJ6JwMQ3sosNEryCg3c8muJ7WlqenlApWt90qRZFDmKvZZQc4vwKrFPt
+hJuJdJc/97+wrJzZiBQRBiH4n0IBOz94bZeHzkftYQp5ipQhChqwm7R6bvlumTF9
+L4V/sGbPNFW8z7fcy4sg9+yH34th62ZKZr9MusE4TsiUtJjHCFlvesYLZydsO6Ve
+taA2XLd+JT2wOek+yVpdPmm7yA9yNVsWmjRQQoRz04ayCso4EMWI9iLXBQSCpaIK
+jmCFXShJgNaPXE/f14QAR3ZHNvajIFty6Qdy9fCSZgUGaFYmHjGM7tXq7rIFTA0=
+-----END CERTIFICATE-----
diff --git a/tests/conjur-host-identity/docker-compose.yml b/roles/conjur_host_identity/tests/docker-compose.yml
similarity index 93%
rename from tests/conjur-host-identity/docker-compose.yml
rename to roles/conjur_host_identity/tests/docker-compose.yml
index eb1e9820..e2360119 100644
--- a/tests/conjur-host-identity/docker-compose.yml
+++ b/roles/conjur_host_identity/tests/docker-compose.yml
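Review bot: This commits a static TLS certificate as a test fixture with nothing recording when it stops being valid; the encoded validity appears to decode to 2020-08-18 through 2021-08-18, so the nginx proxy fixture will start failing TLS verification after that date with no hint in the tree as to why. The certificate appears self-signed for `conjur-proxy-nginx` (issuer and subject DN blocks are identical), which is fine for a test, but the matching private key must stay out of the repository (none is added in this patch — confirm the proxy image generates or receives it at build time rather than baking it in). Prefer generating the certificate at test time in the proxy Dockerfile or `test.sh`, or, if it must be checked in, add a comment next to where it is consumed (compose file or `test.sh`), e.g. `# conjur.pem: self-signed test-only cert for conjur-proxy-nginx; expires <EXPIRY_DATE> — regenerate with the same SANs`, so the next failure is diagnosable.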
@@ -12,8 +12,8 @@ services:
 CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY}
 COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
 volumes:
- - ../..:/conjurinc/cyberark.conjur-host-identity/
- - ../conjur-host-identity:/conjurinc/tests/
+ - ..:/conjurinc/cyberark.conjur-host-identity/
+ - .:/conjurinc/tests/
 - /var/run/docker.sock:/var/run/docker.sock
 pg:
 image: postgres:9.3
diff --git a/tests/conjur-host-identity/inventory-playbook.yml b/roles/conjur_host_identity/tests/inventory-playbook.yml
similarity index 100%
rename from tests/conjur-host-identity/inventory-playbook.yml
rename to roles/conjur_host_identity/tests/inventory-playbook.yml
diff --git a/tests/conjur-host-identity/inventory.j2 b/roles/conjur_host_identity/tests/inventory.j2
similarity index 100%
rename from tests/conjur-host-identity/inventory.j2
rename to roles/conjur_host_identity/tests/inventory.j2
diff --git a/tests/conjur-host-identity/policy/root.yml b/roles/conjur_host_identity/tests/policy/root.yml
similarity index 100%
rename from tests/conjur-host-identity/policy/root.yml
rename to roles/conjur_host_identity/tests/policy/root.yml
diff --git a/tests/conjur-host-identity/proxy/default.conf b/roles/conjur_host_identity/tests/proxy/default.conf
similarity index 100%
rename from tests/conjur-host-identity/proxy/default.conf
rename to roles/conjur_host_identity/tests/proxy/default.conf
diff --git a/tests/conjur-host-identity/proxy/ssl.conf b/roles/conjur_host_identity/tests/proxy/ssl.conf
similarity index 100%
rename from tests/conjur-host-identity/proxy/ssl.conf
rename to roles/conjur_host_identity/tests/proxy/ssl.conf
diff --git a/tests/conjur-host-identity/test.sh b/roles/conjur_host_identity/tests/test.sh
similarity index 97%
rename from tests/conjur-host-identity/test.sh
rename to roles/conjur_host_identity/tests/test.sh
index 41cfee2f..a0fe08fb 100755
--- a/tests/conjur-host-identity/test.sh
+++ b/roles/conjur_host_identity/tests/test.sh
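Review bot: The new mount `..:/conjurinc/cyberark.conjur-host-identity/` keeps the pre-migration role name as the in-container path while the role directory itself is now `roles/conjur_host_identity`; the `..` and `.` sources are correct for the file's new location, but the stale target name will mislead anyone tracing where the role is read from inside the ansible container. If the playbooks or `ansible.cfg` in this tests tree reference that path (not visible here), rename it together with them, e.g. `..:/conjurinc/conjur_host_identity/`; otherwise a short comment on the volume line saying why the old name is retained would do.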
@@ -12,7 +12,7 @@ finish
 # normalises project name by filtering non alphanumeric characters and transforming to lowercase
 declare -x COMPOSE_PROJECT_NAME
-COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
+COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-host-identity" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
 declare -x ANSIBLE_CONJUR_AUTHN_API_KEY=''
 declare -x CLI_CONJUR_AUTHN_API_KEY=''
diff --git a/tests/conjur-host-identity/test_app_centos/Dockerfile b/roles/conjur_host_identity/tests/test_app_centos/Dockerfile
similarity index 100%
rename from tests/conjur-host-identity/test_app_centos/Dockerfile
rename to roles/conjur_host_identity/tests/test_app_centos/Dockerfile
diff --git a/tests/conjur-host-identity/test_app_ubuntu/Dockerfile b/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile
similarity index 100%
rename from tests/conjur-host-identity/test_app_ubuntu/Dockerfile
rename to roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile
diff --git a/tests/conjur-host-identity/test_cases/configure-conjur-identity/playbook.yml b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml
similarity index 100%
rename from tests/conjur-host-identity/test_cases/configure-conjur-identity/playbook.yml
rename to roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml
diff --git a/tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py b/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py
similarity index 100%
rename from tests/conjur-host-identity/test_cases/configure-conjur-identity/tests/test_default.py
rename to roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py
diff --git a/tests/conjur/Dockerfile b/tests/conjur_variable/Dockerfile
similarity index 100%
rename from tests/conjur/Dockerfile
rename to tests/conjur_variable/Dockerfile
diff --git a/tests/conjur/Dockerfile_nginx b/tests/conjur_variable/Dockerfile_nginx
similarity index 100%
rename from tests/conjur/Dockerfile_nginx
rename to tests/conjur_variable/Dockerfile_nginx
diff --git a/tests/conjur/docker-compose.yml b/tests/conjur_variable/docker-compose.yml
similarity index 100%
rename from tests/conjur/docker-compose.yml
rename to tests/conjur_variable/docker-compose.yml
diff --git a/tests/conjur/policy/root.yml b/tests/conjur_variable/policy/root.yml
similarity index 100%
rename from tests/conjur/policy/root.yml
rename to tests/conjur_variable/policy/root.yml
diff --git a/tests/conjur/proxy/default.conf b/tests/conjur_variable/proxy/default.conf
similarity index 100%
rename from tests/conjur/proxy/default.conf
rename to tests/conjur_variable/proxy/default.conf
diff --git a/tests/conjur/proxy/ssl.conf b/tests/conjur_variable/proxy/ssl.conf
similarity index 100%
rename from tests/conjur/proxy/ssl.conf
rename to tests/conjur_variable/proxy/ssl.conf
diff --git a/tests/conjur/pytest.ini b/tests/conjur_variable/pytest.ini
similarity index 100%
rename from tests/conjur/pytest.ini
rename to tests/conjur_variable/pytest.ini
diff --git a/tests/conjur/test.sh b/tests/conjur_variable/test.sh
similarity index 94%
rename from tests/conjur/test.sh
rename to tests/conjur_variable/test.sh
index 03ce7bac..85b89bb6 100755
--- a/tests/conjur/test.sh
+++ b/tests/conjur_variable/test.sh
@@ -14,7 +14,7 @@ cleanup
 # normalises project name by filtering non alphanumeric characters and transforming to lowercase
 declare -x COMPOSE_PROJECT_NAME
-COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
+COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-variable" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
 declare -x ANSIBLE_MASTER_AUTHN_API_KEY=''
 declare -x CONJUR_ADMIN_AUTHN_API_KEY=''
@@ -23,7 +23,7 @@ declare -x ANSIBLE_CONJUR_CERT_FILE=''
 function main() {
 docker-compose up -d --build conjur \
 conjur_https \
- conjur_cli
+ conjur_cli \
 echo "Waiting for Conjur server to come up"
 wait_for_conjur
@@ -95,7 +95,7 @@ function run_test_case {
 fi
 docker-compose exec -T ansible bash -exc "
- cd tests/conjur
+ cd tests/conjur_variable
 # If env vars were provided, load them
 if [ -e 'test_cases/${test_case}/env' ]; then
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-cert-path/env b/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-bad-cert-path/env
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-cert-path/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-bad-cert-path/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml
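Review bot: The trailing backslash added on `conjur_cli \` in the second hunk (`@@ -23,7 +23,7 @@`) makes the following blank line the continuation of the `docker-compose up` command; it only works because that line is empty, and the first person to tidy away the blank line will turn `echo "Waiting for Conjur server to come up"` into extra service arguments for docker-compose. Restore the line to `conjur_cli` with no continuation. The body of `main()` continues outside the hunk.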
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem b/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem
similarity index 98%
rename from tests/conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem
index d4d2ed69..a3831e0c 100644
--- a/tests/conjur/test_cases/retrieve-variable-bad-certs/bad-cert.pem
+++ b/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem
@@ -38,4 +38,4 @@ gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr
 xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH
 UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo
 5Q==
------END CERTIFICATE-----
\ No newline at end of file
+-----END CERTIFICATE-----
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-certs/env b/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-bad-certs/env
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-certs/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-bad-certs/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml
diff --git a/tests/conjur/test_cases/retrieve-variable-bad-certs/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-bad-certs/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py
diff --git a/tests/conjur/test_cases/retrieve-variable-disable-verify-certs/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-disable-verify-certs/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml
diff --git a/tests/conjur/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py
diff --git a/tests/conjur/test_cases/retrieve-variable-no-cert-provided/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-no-cert-provided/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml
diff --git a/tests/conjur/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py
diff --git a/tests/conjur/test_cases/retrieve-variable-with-authn-token/env b/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-with-authn-token/env
rename to tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env
diff --git a/tests/conjur/test_cases/retrieve-variable-with-authn-token/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-with-authn-token/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml
diff --git a/tests/conjur/test_cases/retrieve-variable-with-authn-token/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-with-authn-token/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py
diff --git a/tests/conjur/test_cases/retrieve-variable-with-spaces-secret/env b/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-with-spaces-secret/env
rename to tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env
diff --git a/tests/conjur/test_cases/retrieve-variable-with-spaces-secret/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-with-spaces-secret/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml
diff --git a/tests/conjur/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py
diff --git a/tests/conjur/test_cases/retrieve-variable/env b/tests/conjur_variable/test_cases/retrieve-variable/env
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable/env
rename to tests/conjur_variable/test_cases/retrieve-variable/env
diff --git a/tests/conjur/test_cases/retrieve-variable/playbook.yml b/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable/playbook.yml
rename to tests/conjur_variable/test_cases/retrieve-variable/playbook.yml
diff --git a/tests/conjur/test_cases/retrieve-variable/tests/test_default.py b/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py
similarity index 100%
rename from tests/conjur/test_cases/retrieve-variable/tests/test_default.py
rename to tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py
diff --git a/tests/sanity/ignore-2.10.txt b/tests/sanity/ignore-2.10.txt
index a28d2d6e..d93b42a3 100644
--- a/tests/sanity/ignore-2.10.txt
+++ b/tests/sanity/ignore-2.10.txt
@@ -1,8 +1,8 @@
 Jenkinsfile shebang
-tests/conjur/test.sh shebang
-tests/conjur-host-identity/test.sh shebang
-tests/conjur/policy/root.yml yamllint:unparsable-with-libyaml
-tests/conjur-host-identity/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
+tests/conjur_variable/test.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml
+roles/conjur_host_identity/tests/test.sh shebang
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
 ci/build_release shebang
 ci/parse-changelog.sh shebang
 ci/publish_to_galaxy shebang
diff --git a/tests/sanity/ignore-2.11.txt b/tests/sanity/ignore-2.11.txt
index a28d2d6e..d93b42a3 100644
--- a/tests/sanity/ignore-2.11.txt
+++ b/tests/sanity/ignore-2.11.txt
@@ -1,8 +1,8 @@
 Jenkinsfile shebang
-tests/conjur/test.sh shebang
-tests/conjur-host-identity/test.sh shebang
-tests/conjur/policy/root.yml yamllint:unparsable-with-libyaml
-tests/conjur-host-identity/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
+tests/conjur_variable/test.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml
+roles/conjur_host_identity/tests/test.sh shebang
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
 ci/build_release shebang
 ci/parse-changelog.sh shebang
 ci/publish_to_galaxy shebang
diff --git a/tests/sanity/ignore-2.9.txt b/tests/sanity/ignore-2.9.txt
index 52c574ab..85dc8780 100644
--- a/tests/sanity/ignore-2.9.txt
+++ b/tests/sanity/ignore-2.9.txt
@@ -1,6 +1,6 @@
 Jenkinsfile shebang
-tests/conjur/test.sh shebang
-tests/conjur-host-identity/test.sh shebang
+tests/conjur_variable/test.sh shebang
+roles/conjur_host_identity/tests/test.sh shebang
 ci/build_release shebang
 ci/parse-changelog.sh shebang
 ci/publish_to_galaxy shebang