From 5283e6756bce78bb39cbda372545ab3869c82095 Mon Sep 17 00:00:00 2001 From: Alex Willmer Date: Thu, 6 Feb 2025 18:55:57 +0000 Subject: [PATCH 1/4] CI: Statically specify test usernames and group names This makes it easier to grep for a username and to discover how the user was create. Hence it should be easier to understand/debug tests. --- docs/changelog.rst | 1 + tests/image_prep/_user_accounts.yml | 83 ++++++++++++++++------------- 2 files changed, 46 insertions(+), 38 deletions(-) diff --git a/docs/changelog.rst b/docs/changelog.rst index e8c7e9567..7ae6e5da3 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -23,6 +23,7 @@ In progress (unreleased) * :gh:issue:`1121` :mod:`mitogen`: Log skipped :py:mod:`termios` attributes * :gh:issue:`1238` packaging: Avoid :py:mod:`ast`, requires Python = 2.6 +* :gh:issue:`1118` CI: Statically specify test usernames and group names v0.3.22 (2025-02-04) diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml index ad5a4ef57..bb8067f90 100644 --- a/tests/image_prep/_user_accounts.yml +++ b/tests/image_prep/_user_accounts.yml 
@@ -13,38 +13,45 @@ vars: distro: "{{ansible_distribution}}" special_users: - - has_sudo - - has_sudo_nopw - - has_sudo_pubkey - - pw_required - - readonly_homedir - - require_tty - - require_tty_pw_required - - permdenied - - slow_user - - webapp - - sudo1 - - sudo2 - - sudo3 - - sudo4 + - name: mitogen__has_sudo + - name: mitogen__has_sudo_nopw + - name: mitogen__has_sudo_pubkey + - name: mitogen__pw_required + - name: mitogen__readonly_homedir + - name: mitogen__require_tty + - name: mitogen__require_tty_pw_required + - name: mitogen__permdenied + - name: mitogen__slow_user + - name: mitogen__webapp + - name: mitogen__sudo1 + - name: mitogen__sudo2 + - name: mitogen__sudo3 + - name: mitogen__sudo4 user_groups: - has_sudo: ['mitogen__group', '{{sudo_group[distro]}}'] - has_sudo_pubkey: ['mitogen__group', '{{sudo_group[distro]}}'] - has_sudo_nopw: ['mitogen__group', 'mitogen__sudo_nopw'] - sudo1: ['mitogen__group', 'mitogen__sudo_nopw'] - sudo2: ['mitogen__group', '{{sudo_group[distro]}}'] - sudo3: ['mitogen__group', '{{sudo_group[distro]}}'] - sudo4: ['mitogen__group', '{{sudo_group[distro]}}'] - - normal_users: "{{ - lookup('sequence', 'start=1 end=5 format=user%d', wantlist=True) - }}" + mitogen__has_sudo: ['mitogen__group', '{{ sudo_group[distro] }}'] + mitogen__has_sudo_pubkey: ['mitogen__group', '{{ sudo_group[distro] }}'] + mitogen__has_sudo_nopw: ['mitogen__group', 'mitogen__sudo_nopw'] + mitogen__sudo1: ['mitogen__group', 'mitogen__sudo_nopw'] + mitogen__sudo2: ['mitogen__group', '{{ sudo_group[distro] }}'] + mitogen__sudo3: ['mitogen__group', '{{ sudo_group[distro] }}'] + mitogen__sudo4: ['mitogen__group', '{{ sudo_group[distro] }}'] + + normal_users: + - name: mitogen__user1 + - name: mitogen__user2 + - name: mitogen__user3 + - name: mitogen__user4 + - name: mitogen__user5 all_users: "{{ special_users + normal_users }}" + + mitogen_test_groups: + - name: mitogen__group + - name: mitogen__sudo_nopw tasks: - name: Disable non-localhost SSH for Mitogen 
users when: false @@ -56,30 +63,30 @@ - name: Create Mitogen test groups group: - name: "mitogen__{{item}}" - with_items: - - group - - sudo_nopw + name: "{{ item.name }}" + loop: "{{ mitogen_test_groups }}" - name: Create user accounts + vars: + password: "{{ item.name | replace('mitogen__', '') }}_password" block: - user: - name: "mitogen__{{item}}" + name: "{{ item.name }}" shell: /bin/bash - groups: "{{user_groups[item]|default(['mitogen__group'])}}" - password: "{{ (item + '_password') | password_hash('sha256') }}" + groups: "{{ user_groups[item.name] | default(['mitogen__group']) }}" + password: "{{ password | password_hash('sha256') }}" with_items: "{{all_users}}" when: ansible_system != 'Darwin' - user: - name: "mitogen__{{item}}" + name: "{{ item.name }}" shell: /bin/bash group: staff groups: | {{ ['com.apple.access_ssh'] + - (user_groups[item] | default(['mitogen__group'])) + (user_groups[item.name] | default(['mitogen__group'])) }} - password: "{{item}}_password" + password: "{{ password }}" with_items: "{{all_users}}" when: ansible_system == 'Darwin' @@ -91,7 +98,7 @@ domain: /Library/Preferences/com.apple.loginwindow type: array key: HiddenUsersList - value: ['mitogen_{{item}}'] + value: ['{{ item.name }}'] - name: Check if AccountsService is used stat: @@ -102,7 +109,7 @@ when: ansible_system == 'Linux' and out.stat.exists with_items: "{{all_users}}" copy: - dest: /var/lib/AccountsService/users/mitogen__{{item}} + dest: /var/lib/AccountsService/users/{{ item.name }} mode: u=rw,go= content: | [User] @@ -188,7 +195,7 @@ - name: Allow passwordless for many accounts lineinfile: path: /etc/sudoers - line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__{{item}}:ALL) NOPASSWD:ALL" + line: "{{ lookup('pipe', 'whoami') }} ALL = ({{ item.name }}:ALL) NOPASSWD:ALL" validate: '/usr/sbin/visudo -cf %s' with_items: "{{normal_users}}" when: From 11d2d70fd8a0d4b79da6fc6b0f2c792a4497085d Mon Sep 17 00:00:00 2001 
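Review bot: The new `special_users` and `normal_users` entries carry only `name`, while group membership stays in the separate `user_groups` mapping keyed by the same names, so a grep for `mitogen__sudo1` still lands in two places and the `default(['mitogen__group'])` fallback has to be re-derived by every consumer. Moving each account's `groups` onto its own entry would make the lists self-describing, with the two `user` tasks in the next hunk reading `groups: "{{ item.groups | default(['mitogen__group']) }}"` instead of indexing `user_groups[item.name]`; `user_groups` itself could then go. The `vars:` mapping this hunk edits begins before the hunk.
```yaml
special_users:
  - name: mitogen__has_sudo
    groups: ['mitogen__group', '{{ sudo_group[distro] }}']
  - name: mitogen__has_sudo_nopw
    groups: ['mitogen__group', 'mitogen__sudo_nopw']
  - name: mitogen__has_sudo_pubkey
    groups: ['mitogen__group', '{{ sudo_group[distro] }}']
  - name: mitogen__pw_required
  # … unchanged: remaining special_users entries, each carrying the groups formerly listed under user_groups …
```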
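Review bot: The block-level `vars: password:` is consumed by a module argument that is also named `password`, so the new lines `password: "{{ password | password_hash('sha256') }}"` and `password: "{{ password }}"` read as self-references and hide the one thing that differs between the Linux and Darwin branches (hashed versus cleartext). Renaming the var, `cleartext_password: "{{ item.name | replace('mitogen__', '') }}_password"`, and reading `cleartext_password` in both branches would make that distinction visible at a glance. The group task in the same hunk moved to `loop: "{{ mitogen_test_groups }}"` while both `user` tasks keep `with_items: "{{all_users}}"`; `loop: "{{ all_users }}"` would keep the file on one iteration style. Unrelated to this change but worth a comment on the Linux branch: `password_hash('sha256')` with no explicit salt yields a different hash on each run, so I believe that task reports changed on every replay.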
From: Alex Willmer Date: Fri, 7 Feb 2025 00:16:57 +0000 Subject: [PATCH 2/4] CI: Use native Ansible support to hide macOS users --- tests/image_prep/_user_accounts.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml index bb8067f90..c47b1dce8 100644 --- a/tests/image_prep/_user_accounts.yml +++ b/tests/image_prep/_user_accounts.yml @@ -86,20 +86,11 @@ ['com.apple.access_ssh'] + (user_groups[item.name] | default(['mitogen__group'])) }} + hidden: true password: "{{ password }}" with_items: "{{all_users}}" when: ansible_system == 'Darwin' - - name: Hide users from login window (Darwin). - when: ansible_system == 'Darwin' - with_items: "{{all_users}}" - osx_defaults: - array_add: true - domain: /Library/Preferences/com.apple.loginwindow - type: array - key: HiddenUsersList - value: ['{{ item.name }}'] - - name: Check if AccountsService is used stat: path: /var/lib/AccountsService/users From c92df356e645f7d318f82648e0de7e6d1dd9f67b Mon Sep 17 00:00:00 2001 From: Alex Willmer Date: Fri, 7 Feb 2025 00:23:18 +0000 Subject: [PATCH 3/4] CI: Consolidate sudoers config tasks --- tests/image_prep/_user_accounts.yml | 54 +++++++++++------------------ 1 file changed, 21 insertions(+), 33 deletions(-) diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml index c47b1dce8..d099091ae 100644 --- a/tests/image_prep/_user_accounts.yml +++ b/tests/image_prep/_user_accounts.yml 
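Review bot: `hidden: true` replaces the `osx_defaults` task that appended each account to `HiddenUsersList`, but as far as I can tell the two mechanisms differ (the `user` option marks the account itself as hidden), so an image that already carries `HiddenUsersList` entries from an earlier run keeps them; harmless for a fresh build, but worth a sentence in the commit message. The option is Darwin-only and the task is already guarded by `when: ansible_system == 'Darwin'`, so a short comment on the new line, `hidden: true  # Darwin-only: keep test accounts off the login window`, would tell a reader why it appears on this branch and not on the Linux one. The `user` task this hunk edits begins before the hunk.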
@@ -152,42 +152,30 @@ owner: mitogen__has_sudo_pubkey group: mitogen__group - - name: Require a TTY for two accounts - lineinfile: - path: /etc/sudoers - line: "{{item}}" - with_items: - - Defaults>mitogen__pw_required targetpw - - Defaults>mitogen__require_tty requiretty - - Defaults>mitogen__require_tty_pw_required requiretty,targetpw - - - name: Require password for two accounts - lineinfile: - path: /etc/sudoers - line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}:ALL) ALL" - validate: '/usr/sbin/visudo -cf %s' - with_items: - - mitogen__pw_required - - mitogen__require_tty_pw_required - when: - - ansible_virtualization_type != "docker" - - - name: Allow passwordless sudo for require_tty/readonly_homedir - lineinfile: + - name: Configure sudoers defaults + blockinfile: path: /etc/sudoers - line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}:ALL) NOPASSWD:ALL" - validate: '/usr/sbin/visudo -cf %s' - with_items: - - mitogen__require_tty - - mitogen__readonly_homedir - when: - - ansible_virtualization_type != "docker" + marker: "# {mark} Mitogen test defaults" + block: | + Defaults>mitogen__pw_required targetpw + Defaults>mitogen__require_tty requiretty + Defaults>mitogen__require_tty_pw_required requiretty,targetpw + prepend_newline: true - - name: Allow passwordless for many accounts - lineinfile: + - name: Configure sudoers users + blockinfile: path: /etc/sudoers - line: "{{ lookup('pipe', 'whoami') }} ALL = ({{ item.name }}:ALL) NOPASSWD:ALL" + marker: "# {mark} Mitogen test users" + block: | + # User Host(s) = (runas user:runas group) Command(s) + {{ lookup('pipe', 'whoami') }} ALL = (mitogen__pw_required:ALL) ALL + {{ lookup('pipe', 'whoami') }} ALL = (mitogen__require_tty_pw_required:ALL) ALL + {{ lookup('pipe', 'whoami') }} ALL = (mitogen__require_tty:ALL) NOPASSWD:ALL + {{ lookup('pipe', 'whoami') }} ALL = (mitogen__readonly_homedir:ALL) NOPASSWD:ALL + {% for runas_user in normal_users %} + {{ lookup('pipe', 'whoami') }} ALL = ({{ runas_user.name }}:ALL) 
NOPASSWD:ALL + {% endfor %} + prepend_newline: true validate: '/usr/sbin/visudo -cf %s' - with_items: "{{normal_users}}" when: - ansible_virtualization_type != "docker" From 78b440104e51c132ca33a6bbc73d70ac61a60333 Mon Sep 17 00:00:00 2001 From: Alex Willmer Date: Fri, 7 Feb 2025 00:26:32 +0000 Subject: [PATCH 4/4] CI: Validate sudoers file --- tests/image_prep/_user_accounts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/image_prep/_user_accounts.yml b/tests/image_prep/_user_accounts.yml index d099091ae..10834efc2 100644 --- a/tests/image_prep/_user_accounts.yml +++ b/tests/image_prep/_user_accounts.yml @@ -161,6 +161,7 @@ Defaults>mitogen__require_tty requiretty Defaults>mitogen__require_tty_pw_required requiretty,targetpw prepend_newline: true + validate: '/usr/sbin/visudo -cf %s' - name: Configure sudoers users blockinfile:
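Review bot: The `when: - ansible_virtualization_type != "docker"` at the end of the hunk still guards only the `Configure sudoers users` task, while `Configure sudoers defaults` writes `Defaults>mitogen__pw_required targetpw` and the other runas defaults unconditionally; the old per-task split had the same asymmetry, but now that the two tasks sit side by side as parallel `blockinfile` calls it looks accidental. A comment above that `when:`, along the lines of `# Only the Defaults> block is written under Docker; the runas specs need sudo to be usable there -- TODO confirm reason`, with the real reason filled in by the author, would stop the next reader from trying to align the two. Also note that `blockinfile` manages only the text between its own markers, so any lines the previous `lineinfile` tasks wrote on an already-prepared image stay in /etc/sudoers; for a from-scratch build that is moot. The `tasks:` list continues outside the hunk.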