From ba8022424bda9d93eb7b3e6f8ec891852cb96f57 Mon Sep 17 00:00:00 2001 From: David Wilson Date: Mon, 16 Apr 2018 18:35:13 +0100 Subject: [PATCH] tests: more work to standardize user accounts. --- tests/README.md | 14 ++++++++++++++ .../integration/become/sudo_password.yml | 2 +- .../integration/become/sudo_requiretty.yml | 2 +- tests/ansible/osx_setup.yml | 12 ++++++------ tests/build_docker_images.py | 18 +++++++++++++----- tests/data/001-mitogen.sudo | 5 +++++ 6 files changed, 40 insertions(+), 13 deletions(-) create mode 100644 tests/data/001-mitogen.sudo diff --git a/tests/README.md b/tests/README.md index 5cf7c1c5..29c436cf 100644 --- a/tests/README.md +++ b/tests/README.md @@ -58,6 +58,20 @@ also by Ansible's `osx_setup.yml`. The login password is "has_sudo_nopw_password". It can sudo to root without supplying a password. +`mitogen__pw_required` + The login password is "pw_required_password". When "sudo -u" is used to + target this account, its password must be entered rather than the login + user's password. + +`mitogen__require_tty` + The login password is "require_tty_password". When "sudo -u" is used to + target this account, the parent session requires a TTY. + +`mitogen__require_tty_pw_required` + The login password is "require_tty_pw_required_password". When "sudo -u" is + used to target this account, the parent session requires a TTY and the + account password must be entered. + `mitogen__user1` .. `mitogen__user21` These accounts do not have passwords set. They exist to test the Ansible interpreter recycling logic. diff --git a/tests/ansible/integration/become/sudo_password.yml b/tests/ansible/integration/become/sudo_password.yml index a399b59e..78166824 100644 --- a/tests/ansible/integration/become/sudo_password.yml +++ b/tests/ansible/integration/become/sudo_password.yml @@ -43,7 +43,7 @@ become_user: mitogen__pw_required register: out vars: - ansible_become_pass: mitogen__password + ansible_become_pass: pw_required_password - assert: that: 
diff --git a/tests/ansible/integration/become/sudo_requiretty.yml b/tests/ansible/integration/become/sudo_requiretty.yml index 2af96c7e..3073241a 100644 --- a/tests/ansible/integration/become/sudo_requiretty.yml +++ b/tests/ansible/integration/become/sudo_requiretty.yml @@ -27,7 +27,7 @@ become: true become_user: mitogen__require_tty_pw_required vars: - ansible_become_pass: mitogen__password + ansible_become_pass: require_tty_pw_required_password register: out when: is_mitogen diff --git a/tests/ansible/osx_setup.yml b/tests/ansible/osx_setup.yml index 9482d25b..02717182 100644 --- a/tests/ansible/osx_setup.yml +++ b/tests/ansible/osx_setup.yml @@ -18,19 +18,19 @@ - name: Create Mitogen test users user: - name: "{{item}}" + name: "mitogen__{{item}}" shell: /bin/bash - password: mitogen__password + password: "{{item}}_password" with_items: - - mitogen__require_tty - - mitogen__pw_required - - mitogen__require_tty_pw_required + - require_tty + - pw_required + - require_tty_pw_required - name: Create Mitogen test users user: name: "mitogen__user{{item}}" shell: /bin/bash - password: mitogen__password + password: "user{{item}}_password" with_sequence: start=1 end=21 - name: Hide test users from login window. diff --git a/tests/build_docker_images.py b/tests/build_docker_images.py index 73265019..c4dc0a6f 100755 --- a/tests/build_docker_images.py +++ b/tests/build_docker_images.py 
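Review bot: In tests/ansible/osx_setup.yml the second "Create Mitogen test users" task still sets a password, now `password: "user{{item}}_password"`, for `mitogen__user1` .. `mitogen__user21`, although tests/README.md in this same patch says those accounts "do not have passwords set" and the Docker template creates them with `useradd` and no `chpasswd`. On macOS that leaves 21 extra accounts with a published, name-derived password, a wider footprint than the documented fixture. Either drop the `password:` line from that task or document the values in the README so both platforms match. A comment above the first task, such as `# Test-only accounts with published passwords; run against disposable hosts only.`, would also make the intent explicit.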
@@ -24,27 +24,35 @@ FROM centos:7 RUN yum clean all && \ yum -y install -y python2.7 openssh-server sudo rsync git strace sudo && \ yum clean all && \ - groupadd sudo + groupadd sudo && \ + ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key """ DOCKERFILE = r""" +COPY data/001-mitogen.sudo /etc/sudoers.d/001-mitogen RUN \ - mkdir /var/run/sshd && \ - echo '%mitogen__sudo_nopw ALL=(ALL:ALL) NOPASSWD:ALL' > /etc/sudoers.d/001-mitogen__sudo_nopw && \ + mkdir -p /var/run/sshd && \ echo i-am-mitogen-test-docker-image > /etc/sentinel && \ groupadd mitogen__sudo_nopw && \ useradd -s /bin/bash -m mitogen__has_sudo -G SUDO_GROUP && \ useradd -s /bin/bash -m mitogen__has_sudo_pubkey -G SUDO_GROUP && \ useradd -s /bin/bash -m mitogen__has_sudo_nopw -G mitogen__sudo_nopw && \ useradd -s /bin/bash -m mitogen__webapp && \ + useradd -s /bin/bash -m mitogen__pw_required && \ + useradd -s /bin/bash -m mitogen__require_tty && \ + useradd -s /bin/bash -m mitogen__require_tty_pw_required && \ + { for i in `seq 1 21`; do useradd -s /bin/bash -m mitogen__user$i; done; } && \ ( echo 'root:rootpassword' | chpasswd; ) && \ ( echo 'mitogen__has_sudo:has_sudo_password' | chpasswd; ) && \ ( echo 'mitogen__has_sudo_pubkey:has_sudo_pubkey_password' | chpasswd; ) && \ ( echo 'mitogen__has_sudo_nopw:has_sudo_nopw_password' | chpasswd; ) && \ + ( echo 'mitogen__webapp:webapp_password' | chpasswd; ) && \ + ( echo 'mitogen__pw_required:pw_required_password' | chpasswd; ) && \ + ( echo 'mitogen__require_tty:require_tty_password' | chpasswd; ) && \ + ( echo 'mitogen__require_tty_pw_required:require_tty_pw_required_password' | chpasswd; ) && \ mkdir ~mitogen__has_sudo_pubkey/.ssh && \ - { echo '#!/bin/bash\nexec strace -ff -o /tmp/pywrap$$.trace python2.7 "$@"' > /usr/local/bin/pywrap; chmod +x /usr/local/bin/pywrap; } && \ - { for i in `seq 1 21`; do useradd -s /bin/bash -m mitogen__user$i; done; } + { echo '#!/bin/bash\nexec strace -ff -o /tmp/pywrap$$.trace python2.7 "$@"' > /usr/local/bin/pywrap; chmod 
+x /usr/local/bin/pywrap; } COPY data/docker/mitogen__has_sudo_pubkey.key.pub /home/mitogen__has_sudo_pubkey/.ssh/authorized_keys RUN \
diff --git a/tests/data/001-mitogen.sudo b/tests/data/001-mitogen.sudo
new file mode 100644
index 00000000..65d39df0
--- /dev/null
+++ b/tests/data/001-mitogen.sudo
@@ -0,0 +1,5 @@
+Defaults>mitogen__pw_required targetpw
+Defaults>mitogen__require_tty requiretty
+Defaults>mitogen__require_tty_pw_required requiretty,targetpw
+
+%mitogen__sudo_nopw ALL=(ALL:ALL) NOPASSWD:ALL
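Review bot: In tests/build_docker_images.py the added `ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key` in the CentOS header passes no passphrase option, so whether the build blocks, fails or quietly writes an unencrypted key depends on how ssh-keygen behaves without a terminal; `ssh-keygen -q -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key` makes the outcome explicit. Generating the key at build time also bakes one host private key into the image, so every container started from it presents the same SSH identity and anyone who can pull the image holds that key. That is tolerable for a throwaway test fixture, but a comment beside the line should say so. The hunk starts and ends inside the Dockerfile string literals, so the rest of both templates is not visible here.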
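Review bot: tests/data/001-mitogen.sudo is added with mode 100644 and is copied into /etc/sudoers.d by the Dockerfile template with no syntax check, so a typo in it would likely only surface as sudo failing inside the built image. sudoers drop-ins are conventionally 0440 and owned by root; adding `chmod 0440 /etc/sudoers.d/001-mitogen && visudo -cf /etc/sudoers.d/001-mitogen && \` to the following `RUN` would fail the build early instead. The file also carries no comment, and its last rule gives the `mitogen__sudo_nopw` group passwordless root on all hosts. A first line such as `# Test fixture for Mitogen Docker images only; never install on a real host.` would make the intent clear to anyone who finds the file outside this tree.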