forked from ansible/ansible
Commit
Refactor _fixup_perms2 to remove way-nested logic (ansible#70701)
Change:
- Refactoring to make it harder to get wrong and easier to read.
- Generalize become_unprivileged tests and fix some that never worked but also never failed.

Test Plan:
- CI, new units/integration tests

Signed-off-by: Rick Elrod <[email protected]>
Showing 18 changed files with 642 additions and 382 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
minor_changes: | ||
- Restructured _fixup_perms2() in ansible.plugins.action to make it more linear |
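Review bot: "to make it more linear" in the `minor_changes` entry is vague for a user-facing changelog and does not convey what the commit message states as the motivation; consider wording it along the lines of "Restructured _fixup_perms2() in ansible.plugins.action so the permission-fixup logic is easier to read and harder to get wrong", which tells a release-notes reader what changed and why without them having to open the commit.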
14 changes: 14 additions & 0 deletions
test/integration/targets/become_unprivileged/action_plugins/tmpdir.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Make coding more python3-ish | ||
from __future__ import (absolute_import, division, print_function) | ||
__metaclass__ = type | ||
|
||
from ansible.plugins.action import ActionBase | ||
|
||
|
||
class ActionModule(ActionBase): | ||
|
||
def run(self, tmp=None, task_vars=None): | ||
result = super(ActionModule, self).run(tmp, task_vars) | ||
result.update(self._execute_module('ping', task_vars=task_vars)) | ||
result['tmpdir'] = self._connection._shell.tmpdir | ||
return result |
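Review bot: `run()` accepts `tmp` but never uses it; the action plugins elsewhere in the code base make that explicit with `del tmp  # tmp no longer has any effect` right after the signature, and the same line would fit here. A short docstring on `ActionModule` would also help, because the plugin reaches into the private `self._connection._shell.tmpdir` and returns it to the caller, which is surprising unless the reader knows it exists so the become_unprivileged tests can inspect where the remote temporary directory ended up (and with what ownership and permissions) after an unprivileged become.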
This file was deleted.
53 changes: 53 additions & 0 deletions
test/integration/targets/become_unprivileged/cleanup_unpriv_users.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
- name: Clean up host and remove unprivileged users | ||
hosts: ssh | ||
gather_facts: yes | ||
remote_user: root | ||
tasks: | ||
# Do this first so we can use tilde notation while the user still exists | ||
- name: Delete homedirs | ||
file: | ||
path: '~{{ item }}' | ||
state: absent | ||
with_items: | ||
- unpriv1 | ||
- unpriv2 | ||
|
||
- name: Delete users | ||
user: | ||
name: "{{ item }}" | ||
state: absent | ||
force: yes # I think this is needed in case pipelining is used and the session remains open | ||
with_items: | ||
- unpriv1 | ||
- unpriv2 | ||
|
||
- name: Delete groups | ||
group: | ||
name: "{{ item }}" | ||
state: absent | ||
with_items: | ||
- acommongroup | ||
- unpriv1 | ||
- unpriv2 | ||
|
||
- name: Fix sudoers.d path for FreeBSD | ||
set_fact: | ||
sudoers_etc: /usr/local/etc | ||
when: ansible_distribution == 'FreeBSD' | ||
|
||
- name: Fix sudoers.d path for everything else | ||
set_fact: | ||
sudoers_etc: /etc | ||
when: ansible_distribution != 'FreeBSD' | ||
|
||
- name: Undo OpenSUSE | ||
lineinfile: | ||
path: "{{ sudoers_etc }}/sudoers" | ||
regexp: '^### Defaults targetpw' | ||
line: 'Defaults targetpw' | ||
backrefs: yes | ||
|
||
- name: Nuke custom sudoers file | ||
file: | ||
path: "{{ sudoers_etc }}/sudoers.d/unpriv1" | ||
state: absent |
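Review bot: The `force: yes` comment on `Delete users` reads as a guess ("I think this is needed"); `force: yes` maps to `userdel --force`, which removes the account even while a session for it is still open and also removes its home directory, so the comment can state that as the actual reason, and it is then worth noting that the preceding `Delete homedirs` task exists mainly so the `~{{ item }}` expansion still works. In `Undo OpenSUSE`, `backrefs: yes` is what keeps `lineinfile` from appending `Defaults targetpw` on hosts where the `### Defaults targetpw` line is absent (it leaves the file unchanged when the regexp does not match); a one-line comment saying so would stop a future cleanup from dropping it and changing sudo's password prompting on every non-SUSE host.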
35 changes: 35 additions & 0 deletions
test/integration/targets/become_unprivileged/common_remote_group/cleanup.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
- name: Cleanup (as root) | ||
hosts: ssh | ||
gather_facts: yes | ||
remote_user: root | ||
tasks: | ||
- name: Remove group for unprivileged users | ||
group: | ||
name: commongroup | ||
state: absent | ||
|
||
- name: Check if /usr/bin/setfacl exists | ||
stat: | ||
path: /usr/bin/setfacl | ||
register: usr_bin_setfacl | ||
|
||
- name: Check if /bin/setfacl exists | ||
stat: | ||
path: /bin/setfacl | ||
register: bin_setfacl | ||
|
||
- name: Set path to setfacl | ||
set_fact: | ||
setfacl_path: /usr/bin/setfacl | ||
when: usr_bin_setfacl.stat.exists | ||
|
||
- name: Set path to setfacl | ||
set_fact: | ||
setfacl_path: /bin/setfacl | ||
when: bin_setfacl.stat.exists | ||
|
||
- name: chmod +x setfacl | ||
file: | ||
path: "{{ setfacl_path }}" | ||
mode: a+x | ||
when: setfacl_path is defined |
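Review bot: The two `Set path to setfacl` tasks share a name, so the play output cannot show which one fired, and on merged-/usr hosts where both `/usr/bin/setfacl` and `/bin/setfacl` exist the second `set_fact` silently overrides the first; one task with a conditional expression, or a loop over the two candidate paths, would make the choice explicit. The entire stat/set_fact detection block is also duplicated verbatim in `setup.yml`; moving it into a shared tasks file pulled in with `include_tasks` would keep the two copies from drifting apart.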
43 changes: 43 additions & 0 deletions
test/integration/targets/become_unprivileged/common_remote_group/setup.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
- name: Prep (as root) | ||
hosts: ssh | ||
gather_facts: yes | ||
remote_user: root | ||
tasks: | ||
- name: Create group for unprivileged users | ||
group: | ||
name: commongroup | ||
|
||
- name: Add them to the group | ||
user: | ||
name: "{{ item }}" | ||
groups: commongroup | ||
append: yes | ||
with_items: | ||
- unpriv1 | ||
- unpriv2 | ||
|
||
- name: Check if /usr/bin/setfacl exists | ||
stat: | ||
path: /usr/bin/setfacl | ||
register: usr_bin_setfacl | ||
|
||
- name: Check if /bin/setfacl exists | ||
stat: | ||
path: /bin/setfacl | ||
register: bin_setfacl | ||
|
||
- name: Set path to setfacl | ||
set_fact: | ||
setfacl_path: /usr/bin/setfacl | ||
when: usr_bin_setfacl.stat.exists | ||
|
||
- name: Set path to setfacl | ||
set_fact: | ||
setfacl_path: /bin/setfacl | ||
when: bin_setfacl.stat.exists | ||
|
||
- name: chmod -x setfacl to disable it | ||
file: | ||
path: "{{ setfacl_path }}" | ||
mode: a-x | ||
when: setfacl_path is defined |
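Review bot: `chmod -x setfacl to disable it` alters a system binary on the test host without saying why; a comment stating that execute permission is removed so that `_fixup_perms2()` cannot fall back to ACLs and must exercise the common remote group path this target tests, and that `cleanup.yml` restores it, would make the intent clear to the next reader. Restoring with `a+x` in cleanup also grants execute to everyone rather than reinstating the original mode; since `usr_bin_setfacl` and `bin_setfacl` already carry `stat.mode`, saving that value here and restoring it exactly during cleanup would leave the host as it was found.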