mitogen/tests/image_prep/_user_accounts.yml

188 lines
5.4 KiB
YAML

#
# Add users expected by tests. Assumes passwordless sudo to root.
#
# WARNING: this creates non-privilged accounts with pre-set passwords!
#
- hosts: all
vars_files:
- shared_vars.yml
gather_facts: true
strategy: mitogen_free
become: true
vars:
distro: "{{ansible_distribution}}"
ver: "{{ansible_distribution_major_version}}"
special_users:
- has_sudo
- has_sudo_nopw
- has_sudo_pubkey
- pw_required
- readonly_homedir
- require_tty
- require_tty_pw_required
- permdenied
- slow_user
- webapp
- sudo1
- sudo2
- sudo3
- sudo4
user_groups:
has_sudo: ['mitogen__group', '{{sudo_group[distro]}}']
has_sudo_pubkey: ['mitogen__group', '{{sudo_group[distro]}}']
has_sudo_nopw: ['mitogen__group', 'mitogen__sudo_nopw']
sudo1: ['mitogen__group', 'mitogen__sudo_nopw']
sudo2: ['mitogen__group', '{{sudo_group[distro]}}']
sudo3: ['mitogen__group', '{{sudo_group[distro]}}']
sudo4: ['mitogen__group', '{{sudo_group[distro]}}']
normal_users: "{{
lookup('sequence', 'start=1 end=5 format=user%d', wantlist=True)
}}"
all_users: "{{
special_users +
normal_users
}}"
tasks:
- name: Disable non-localhost SSH for Mitogen users
when: false
blockinfile:
path: /etc/ssh/sshd_config
block: |
Match User mitogen__* Address !127.0.0.1
DenyUsers *
- name: Create Mitogen test groups
group:
name: "mitogen__{{item}}"
with_items:
- group
- sudo_nopw
- name: Create user accounts
block:
- user:
name: "mitogen__{{item}}"
shell: /bin/bash
groups: "{{user_groups[item]|default(['mitogen__group'])}}"
password: "{{ (item + '_password') | password_hash('sha256') }}"
with_items: "{{all_users}}"
when: ansible_system != 'Darwin'
- user:
name: "mitogen__{{item}}"
shell: /bin/bash
groups: |
{{
['com.apple.access_ssh'] +
(user_groups[item] | default(['mitogen__group']))
}}
password: "{{item}}_password"
with_items: "{{all_users}}"
when: ansible_system == 'Darwin'
- name: Hide users from login window (Darwin).
when: ansible_system == 'Darwin'
with_items: "{{all_users}}"
osx_defaults:
array_add: true
domain: /Library/Preferences/com.apple.loginwindow
type: array
key: HiddenUsersList
value: ['mitogen_{{item}}']
- name: Check if AccountsService is used
stat:
path: /var/lib/AccountsService/users
register: out
- name: Hide users from login window (Linux).
when: ansible_system == 'Linux' and out.stat.exists
with_items: "{{all_users}}"
copy:
dest: /var/lib/AccountsService/users/mitogen__{{item}}
content: |
[User]
SystemAccount=true
- name: Restart AccountsService (Linux).
when: ansible_system == 'Linux' and out.stat.exists
service:
name: accounts-daemon
restarted: true
- name: Readonly homedir for one account
shell: "chown -R root: ~mitogen__readonly_homedir"
- name: Slow bash profile for one account
copy:
dest: ~mitogen__slow_user/.{{item}}
src: ../data/docker/mitogen__slow_user.profile
with_items:
- bashrc
- profile
- name: "Login throws permission denied errors (issue #271)"
copy:
dest: ~mitogen__permdenied/.{{item}}
src: ../data/docker/mitogen__permdenied.profile
with_items:
- bashrc
- profile
- name: Install pubkey for mitogen__has_sudo_pubkey
block:
- file:
path: ~mitogen__has_sudo_pubkey/.ssh
state: directory
mode: go=
owner: mitogen__has_sudo_pubkey
- copy:
dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys
src: ../data/docker/mitogen__has_sudo_pubkey.key.pub
mode: go=
owner: mitogen__has_sudo_pubkey
- name: Install slow profile for one account
block:
- copy:
dest: ~mitogen__slow_user/.profile
src: ../data/docker/mitogen__slow_user.profile
- copy:
dest: ~mitogen__slow_user/.bashrc
src: ../data/docker/mitogen__slow_user.profile
- name: Require a TTY for two accounts
lineinfile:
path: /etc/sudoers
line: "{{item}}"
with_items:
- Defaults>mitogen__pw_required targetpw
- Defaults>mitogen__require_tty requiretty
- Defaults>mitogen__require_tty_pw_required requiretty,targetpw
- name: Require password for two accounts
lineinfile:
path: /etc/sudoers
line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) ALL"
with_items:
- mitogen__pw_required
- mitogen__require_tty_pw_required
- name: Allow passwordless sudo for require_tty/readonly_homedir
lineinfile:
path: /etc/sudoers
line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) NOPASSWD:ALL"
with_items:
- mitogen__require_tty
- mitogen__readonly_homedir
- name: Allow passwordless for many accounts
lineinfile:
path: /etc/sudoers
line: "{{lookup('pipe', 'whoami')}} ALL = (mitogen__{{item}}) NOPASSWD:ALL"
with_items: "{{normal_users}}"