diff --git a/.ci/ansible_tests.py b/.ci/ansible_tests.py index 62dfa8f5..4a7bedae 100755 --- a/.ci/ansible_tests.py +++ b/.ci/ansible_tests.py @@ -41,7 +41,7 @@ with ci_lib.Fold('docker_setup'): with ci_lib.Fold('job_setup'): os.chdir(TESTS_DIR) - os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', int('0600', 7)) + os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', int('0600', 8)) ci_lib.run("mkdir %s", HOSTS_DIR) for path in glob.glob(TESTS_DIR + '/hosts/*'): diff --git a/.ci/localhost_ansible_tests.py b/.ci/localhost_ansible_tests.py index 502a9abc..e4b8329b 100755 --- a/.ci/localhost_ansible_tests.py +++ b/.ci/localhost_ansible_tests.py @@ -51,6 +51,9 @@ with ci_lib.Fold('machine_prep'): subprocess.check_call('sudo chmod 700 ~root/.ssh', shell=True) subprocess.check_call('sudo chmod 600 ~root/.ssh/authorized_keys', shell=True) + os.chdir(IMAGE_PREP_DIR) + ci_lib.run("ansible-playbook -c local -i localhost, macos_localhost.yml") + if os.path.expanduser('~mitogen__user1') == '~mitogen__user1': os.chdir(IMAGE_PREP_DIR) ci_lib.run("ansible-playbook -c local -i localhost, _user_accounts.yml") diff --git a/ansible_mitogen/transport_config.py b/ansible_mitogen/transport_config.py index 97f1b2f0..e4de34f1 100644 --- a/ansible_mitogen/transport_config.py +++ b/ansible_mitogen/transport_config.py 
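Review bot: The corrected `int('0600', 8)` is right (base 7 parsed '0600' as 294, i.e. 0o446, leaving the private key readable and writable by everyone), but a mode spelled as a string-to-int conversion is exactly how the slip happened and is easy to repeat. Prefer the self-describing stdlib form, `os.chmod('../data/docker/mitogen__has_sudo_pubkey.key', stat.S_IRUSR | stat.S_IWUSR)` with `import stat`, which also sidesteps the `0o600` literal that pre-2.6 interpreters reject. A comment such as `# ssh refuses a private key that group/other can read` records why the chmod is there at all. The enclosing `with ci_lib.Fold('job_setup'):` block continues past the hunk.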
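Review bot: The new `ci_lib.run("ansible-playbook -c local -i localhost, macos_localhost.yml")` applies the sshd role to the CI runner's own sshd (`-i localhost,` with `hosts: all`), and from the role added in this commit that means `PermitRootLogin yes` and `MaxAuthTries 50` on a real host rather than a disposable container; a comment stating that the macOS runner is ephemeral and this is intended would spare the next reader a scare. The call is unconditional while the role only restarts sshd on macOS, so if this script ever runs on another platform the config file is edited without taking effect; a guard, or at least a comment naming the assumption, would help. The enclosing `with ci_lib.Fold('machine_prep'):` block starts before the hunk.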
@@ -442,18 +442,22 @@ class PlayContextSpec(Spec): raise LOG.info( - 'Used PlayContext fallback for plugin=%r, option=%r', - self._connection, name, + 'Used fallback=PlayContext.%s for plugin=%r, option=%r', + name, self._connection, name, ) return getattr(self._play_context, name) - - def _connection_option(self, name): + def _connection_option(self, name, fallback_attr=None): try: return self._connection.get_option(name, hostvars=self._task_vars) except KeyError: - LOG.debug('Used PlayContext fallback for option=%r', name) - return getattr(self._play_context, name) + if fallback_attr is None: + fallback_attr = name + LOG.info( + 'Used fallback=PlayContext.%s for plugin=%r, option=%r', + fallback_attr, self._connection, name, + ) + return getattr(self._play_context, fallback_attr) def transport(self): return self._transport @@ -462,7 +466,7 @@ class PlayContextSpec(Spec): return self._inventory_name def remote_addr(self): - return self._play_context.remote_addr + return self._connection_option('host', fallback_attr='remote_addr') def remote_user(self): return self._connection_option('remote_user') @@ -500,15 +504,10 @@ class PlayContextSpec(Spec): rediscover_python=rediscover_python) def host_key_checking(self): - def candidates(): - yield self._connection.get_task_var('ansible_ssh_host_key_checking') - yield self._connection.get_task_var('ansible_host_key_checking') - yield C.HOST_KEY_CHECKING - val = next((v for v in candidates() if v is not None), True) - return boolean(val) + return self._connection_option('host_key_checking') def private_key_file(self): - return self._play_context.private_key_file + return self._connection_option('private_key_file') def ssh_executable(self): return self._connection_option('ssh_executable') diff --git a/docs/changelog.rst b/docs/changelog.rst index a4d0a4d1..9e32b89d 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst 
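Review bot: In `_connection_option`, the `except KeyError` branch handles an option the plugin does not declare, but the fallback `getattr(self._play_context, fallback_attr)` then raises a bare AttributeError whenever PlayContext has no such attribute, which is a less helpful failure than the KeyError message Ansible produced. Consider catching AttributeError there and re-raising with both `name` and `fallback_attr` in the message, or adding a short docstring stating that `fallback_attr` must name an existing PlayContext attribute. Raising the fallback log from debug to info also means one info line per option per task on Ansible versions that take this path; users who cannot act on it may find that noisy.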
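Review bot: `host_key_checking()` has lost its explicit secure default: the removed `candidates()` code returned `True` when neither task var nor `C.HOST_KEY_CHECKING` was set, while the new `self._connection_option('host_key_checking')` relies on the connection plugin declaring that option with its own default and, on `KeyError`, on `PlayContext.host_key_checking`, which I do not believe PlayContext defines. For the ssh plugin this should be equivalent, but it is now an implicit dependency and deserves a comment, e.g. `# Secure default (True) now comes from the ssh plugin's option declaration, not from this code`. The former `boolean(val)` coercion is likewise delegated to Ansible's option typing, which holds for `get_option` but not for the raw PlayContext fallback.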
@@ -23,6 +23,20 @@ In progress (unreleased) +v0.3.17 (2024-11-07) +-------------------- + +* :gh:issue:`1182` CI: Fix incorrect world readable/writable file permissions + on SSH key ``mitogen__has_sudo_pubkey.key`` during Ansible tests. +* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH private key file + (e.g. ``ansible_private_key_file``). +* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated SSH host key checking + (e.g. ``ansible_host_key_checking``, ``ansible_ssh_host_key_checking``). +* :gh:issue:`1083` :mod:`ansible_mitogen`: Templated host address + (e.g. ``ansible_host``, ``ansible_ssh_host``) +* :gh:issue:`1184` Test templated SSH host key checking in task vars + + v0.3.16 (2024-11-05) -------------------- diff --git a/mitogen/__init__.py b/mitogen/__init__.py index 40b6850e..73db5b8c 100644 --- a/mitogen/__init__.py +++ b/mitogen/__init__.py @@ -35,7 +35,7 @@ be expected. On the slave, it is built dynamically during startup. #: Library version as a tuple. -__version__ = (0, 3, 17, 'dev') +__version__ = (0, 3, 18, 'dev') #: This is :data:`False` in slave contexts. Previously it was used to prevent diff --git a/tests/ansible/hosts/default.hosts b/tests/ansible/hosts/default.hosts index eb04cf90..6bb21fc6 100644 --- a/tests/ansible/hosts/default.hosts +++ b/tests/ansible/hosts/default.hosts @@ -22,9 +22,6 @@ ssh_args_canary_file=/tmp/ssh_args_by_inv_{{ inventory_hostname }} [tt_targets_bare] tt-bare -[tt_targets_bare:vars] -ansible_host=localhost - [tt_become_bare] tt-become-bare 
@@ -43,10 +40,10 @@ ansible_host=localhost
 ansible_user="{{ lookup('pipe', 'whoami') }}"
 
 [tt_targets_inventory]
-tt-password ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw
-tt-port ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw
-tt-remote-user ansible_password=has_sudo_nopw_password ansible_user="{{ 'mitogen__has_sudo_nopw' | trim }}"
-tt-ssh-executable ansible_password=has_sudo_nopw_password ansible_ssh_executable="{{ 'ssh' | trim }}" ansible_user=mitogen__has_sudo_nopw
-
-[tt_targets_inventory:vars]
-ansible_host=localhost
+tt-host ansible_host="{{ 'localhost' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
+tt-host-key-checking ansible_host=localhost ansible_host_key_checking="{{ 'false' | trim }}" ansible_password=has_sudo_nopw_password ansible_user=mitogen__has_sudo_nopw
+tt-password ansible_host=localhost ansible_password="{{ 'has_sudo_nopw_password' | trim }}" ansible_user=mitogen__has_sudo_nopw
+tt-port ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_port="{{ 22 | int }}" ansible_user=mitogen__has_sudo_nopw
+tt-private-key-file ansible_host=localhost ansible_private_key_file="{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key" ansible_user=mitogen__has_sudo_pubkey
+tt-remote-user ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_user="{{ 'mitogen__has_sudo_nopw' | trim }}"
+tt-ssh-executable ansible_host=localhost ansible_password=has_sudo_nopw_password ansible_ssh_executable="{{ 'ssh' | trim }}" ansible_user=mitogen__has_sudo_nopw
diff --git a/tests/ansible/integration/ssh/args_by_play_taskvar.yml b/tests/ansible/integration/ssh/args_by_play_taskvar.yml
index 5ae83f2a..073265b2 100644
--- a/tests/ansible/integration/ssh/args_by_play_taskvar.yml
+++ b/tests/ansible/integration/ssh/args_by_play_taskvar.yml
@@ -2,6 +2,7 @@ hosts: tt_targets_bare gather_facts: false vars: + ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}" ansible_password: "{{ 'has_sudo_nopw_password' | trim }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_ssh_common_args: >- diff --git a/tests/ansible/integration/ssh/templated_by_play_keyword.yml b/tests/ansible/integration/ssh/templated_by_play_keyword.yml index e66cc5f3..c6ff1674 100644 --- a/tests/ansible/integration/ssh/templated_by_play_keyword.yml +++ b/tests/ansible/integration/ssh/templated_by_play_keyword.yml @@ -3,6 +3,7 @@ gather_facts: false remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}" vars: + ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}" ansible_password: has_sudo_nopw_password ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" tasks: diff --git a/tests/ansible/integration/ssh/templated_by_play_taskvar.yml b/tests/ansible/integration/ssh/templated_by_play_taskvar.yml index 0662adcd..4d7e318e 100644 --- a/tests/ansible/integration/ssh/templated_by_play_taskvar.yml +++ b/tests/ansible/integration/ssh/templated_by_play_taskvar.yml @@ -2,6 +2,8 @@ hosts: tt_targets_bare gather_facts: false vars: + ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}" + ansible_host_key_checking: "{{ 'false' | trim }}" ansible_password: "{{ 'has_sudo_nopw_password' | trim }}" ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ansible_ssh_executable: "{{ 'ssh' | trim }}" 
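Review bot: The added `ansible_host` reads `hostvars[groups['test-targets'][0]].host`, but the inventory templates in this commit give their targets `ansible_host={{ tt.hostname }}` and I see no `host=` variable anywhere, so unless it is defined elsewhere the lookup is always undefined and `| default('localhost')` wins every time; the test would then pass only because the CI target happens to be localhost. The `ansible_port` line directly below uses `.ansible_port`, so the consistent form is `ansible_host: "{{ hostvars[groups['test-targets'][0]].ansible_host | default('localhost') }}"`. The same expression is copied into the other playbooks in this commit, including the delegated task in templated_by_task_keyword.yml, and would need the same change. The play continues outside the hunk.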
@@ -9,5 +11,26 @@ tasks: - meta: reset_connection - - name: Templated variables in play + - name: Templated variables in play, password authentication + ping: + +- name: integration/ssh/templated_by_play_taskvar.yml + hosts: tt_targets_bare + gather_facts: false + vars: + ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}" + ansible_host_key_checking: "{{ 'false' | trim }}" + ansible_private_key_file: "{{ git_basedir }}/tests/data/docker/mitogen__has_sudo_pubkey.key" + ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" + ansible_ssh_executable: "{{ 'ssh' | trim }}" + ansible_user: "{{ 'mitogen__has_sudo_pubkey' | trim }}" + + tasks: + - meta: end_play + when: + # https://github.com/ansible/ansible/issues/84238 + - not is_mitogen + - ansible_version.full is version('2.19', '<', strict=True) + - meta: reset_connection + - name: Templated variables in play, key authentication ping: diff --git a/tests/ansible/integration/ssh/templated_by_task_keyword.yml b/tests/ansible/integration/ssh/templated_by_task_keyword.yml index df956af5..dc16205a 100644 --- a/tests/ansible/integration/ssh/templated_by_task_keyword.yml +++ b/tests/ansible/integration/ssh/templated_by_task_keyword.yml @@ -5,6 +5,7 @@ # https://github.com/mitogen-hq/mitogen/issues/1132 remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}" vars: + ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}" ansible_password: has_sudo_nopw_password ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" tasks: @@ -19,6 +20,7 @@ delegate_to: "{{ groups.tt_targets_bare[0] }}" remote_user: "{{ 'mitogen__has_sudo_nopw' | trim }}" vars: + ansible_host: "{{ hostvars[groups['test-targets'][0]].host | default('localhost') }}" ansible_password: has_sudo_nopw_password ansible_port: "{{ hostvars[groups['test-targets'][0]].ansible_port | default(22) }}" ping: 
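Review bot: The new key-authentication play sets `ansible_host_key_checking: "{{ 'false' | trim }}"` with no comment on why verification is switched off; a note such as `# Host key checking is disabled because the target is a throwaway test container; do not copy this into real inventories` would stop the pattern spreading. The `meta: end_play` guard gives only an issue URL; stating the symptom inline (presumably that vanilla Ansible before 2.19 does not template `ansible_private_key_file` from play vars; confirm against the linked issue) makes the skip self-explanatory. The play also reuses the name `integration/ssh/templated_by_play_taskvar.yml` of the play above it; a suffix such as `, key authentication` would tell the two apart in output.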
diff --git a/tests/ansible/integration/ssh/variables.yml b/tests/ansible/integration/ssh/variables.yml index 541b29f9..51783881 100644 --- a/tests/ansible/integration/ssh/variables.yml +++ b/tests/ansible/integration/ssh/variables.yml @@ -13,11 +13,6 @@ -o "ControlPath /tmp/mitogen-ansible-test-{{18446744073709551615|random}}" tasks: - - name: setup ansible_ssh_private_key_file - shell: chmod 0600 ../data/docker/mitogen__has_sudo_pubkey.key - args: - chdir: ../.. - - name: ansible_user, ansible_ssh_private_key_file shell: > ANSIBLE_ANY_ERRORS_FATAL=false @@ -34,6 +29,7 @@ args: chdir: ../.. register: out + changed_when: false - name: ansible_user, wrong ansible_ssh_private_key_file shell: > @@ -52,6 +48,7 @@ args: chdir: ../.. register: out + changed_when: false ignore_errors: true - assert: diff --git a/tests/ansible/templates/test-targets.j2 b/tests/ansible/templates/test-targets.j2 index 27949758..cebf7067 100644 --- a/tests/ansible/templates/test-targets.j2 +++ b/tests/ansible/templates/test-targets.j2 @@ -44,7 +44,6 @@ ssh_args_canary_file=/tmp/ssh_args_by_inv_{{ '{{' }} inventory_hostname {{ '}}' tt-bare [tt_targets_bare:vars] -ansible_host={{ tt.hostname }} ansible_python_interpreter={{ tt.python_path }} [tt_become_bare] 
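Review bot: Removing the `setup ansible_ssh_private_key_file` task makes the two `ansible_ssh_private_key_file` cases depend on `mitogen__has_sudo_pubkey.key` already being mode 0600, which git does not preserve on checkout (a fresh clone gives 0644 and ssh rejects the key with 'UNPROTECTED PRIVATE KEY FILE'); within this commit only `.ci/ansible_tests.py` sets the mode, so running this playbook outside CI would now fail at a confusing point. If CI is meant to own that setup, say so at the top of the tasks, `# mitogen__has_sudo_pubkey.key must be mode 0600; .ci/ansible_tests.py sets it before running this playbook`; otherwise keep an idempotent `file:` task with `mode: '0600'` on the key, which unlike the old `shell: chmod` does not report changed on every run. The play's vars and the remaining tasks lie outside the hunk.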
@@ -71,11 +70,10 @@ ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw [tt_targets_inventory] -tt-password ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}" ansible_port={{ tt.port }} ansible_user=mitogen__has_sudo_nopw -tt-port ansible_password=has_sudo_nopw_password ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw -tt-remote-user ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_user="{{ '{{' }} 'mitogen__has_sudo_nopw' | trim {{ '}}' }}" -tt-ssh-executable ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_ssh_executable="{{ '{{' }} 'ssh' | trim {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw - -[tt_targets_inventory:vars] -ansible_host={{ tt.hostname }} -ansible_python_interpreter={{ tt.python_path }} +tt-host ansible_host="{{ '{{' }} '{{ tt.hostname }}' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw +tt-host-key-checking ansible_host={{ tt.hostname }} ansible_host_key_checking="{{ '{{' }} 'false' | trim {{ '}}' }}" ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw +tt-password ansible_host={{ tt.hostname }} ansible_password="{{ '{{' }} 'has_sudo_nopw_password' | trim {{ '}}' }}" ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw +tt-port ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port="{{ '{{' }} {{ tt.port }} | int {{ '}}' }}" ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_nopw +tt-private-key-file ansible_host={{ tt.hostname }} ansible_port={{ tt.port }} ansible_private_key_file="{{ '{{' }} git_basedir {{ '}}' }}/tests/data/docker/mitogen__has_sudo_pubkey.key" 
ansible_python_interpreter={{ tt.python_path }} ansible_user=mitogen__has_sudo_pubkey +tt-remote-user ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_user="{{ '{{' }} 'mitogen__has_sudo_nopw' | trim {{ '}}' }}" +tt-ssh-executable ansible_host={{ tt.hostname }} ansible_password=has_sudo_nopw_password ansible_port={{ tt.port }} ansible_python_interpreter={{ tt.python_path }} ansible_ssh_executable="{{ '{{' }} 'ssh' | trim {{ '}}' }}" ansible_user=mitogen__has_sudo_nopw diff --git a/tests/image_prep/_container_setup.yml b/tests/image_prep/_container_setup.yml index d41d1326..2972adda 100644 --- a/tests/image_prep/_container_setup.yml +++ b/tests/image_prep/_container_setup.yml @@ -23,10 +23,16 @@ gather_facts: true vars: distro: "{{ansible_distribution}}" - tasks: - - when: ansible_virtualization_type != "docker" - meta: end_play + pre_tasks: + - meta: end_play + when: + - ansible_facts.virtualization_type != "docker" + + roles: + - role: sshd + + tasks: - name: Ensure requisite apt packages are installed apt: name: "{{ common_packages + packages }}" @@ -134,10 +140,6 @@ content: | i-am-mitogen-test-docker-image - - copy: - dest: /etc/ssh/banner.txt - src: ../data/docker/ssh_login_banner.txt - - name: Ensure /etc/sudoers.d exists file: state: directory @@ -169,17 +171,6 @@ line: "%wheel ALL=(ALL) ALL" when: ansible_os_family == 'RedHat' - - name: Enable SSH banner - lineinfile: - path: /etc/ssh/sshd_config - line: Banner /etc/ssh/banner.txt - - - name: Allow remote SSH root login - lineinfile: - path: /etc/ssh/sshd_config - line: PermitRootLogin yes - regexp: '.*PermitRootLogin.*' - - name: Allow remote SSH root login lineinfile: path: /etc/pam.d/sshd diff --git a/tests/image_prep/macos_localhost.yml b/tests/image_prep/macos_localhost.yml new file mode 100644 index 00000000..c046a2bc --- /dev/null +++ b/tests/image_prep/macos_localhost.yml 
@@ -0,0 +1,7 @@ +- name: Configure macOS + hosts: all + gather_facts: true + strategy: mitogen_free + become: true + roles: + - role: sshd diff --git a/tests/image_prep/roles/sshd/defaults/main.yml b/tests/image_prep/roles/sshd/defaults/main.yml new file mode 100644 index 00000000..dec0cf0c --- /dev/null +++ b/tests/image_prep/roles/sshd/defaults/main.yml @@ -0,0 +1,3 @@ +sshd_config_file: /etc/ssh/sshd_config + +sshd_config__max_auth_tries: 50 diff --git a/tests/data/docker/ssh_login_banner.txt b/tests/image_prep/roles/sshd/files/banner.txt similarity index 100% rename from tests/data/docker/ssh_login_banner.txt rename to tests/image_prep/roles/sshd/files/banner.txt diff --git a/tests/image_prep/roles/sshd/tasks/main.yml b/tests/image_prep/roles/sshd/tasks/main.yml new file mode 100644 index 00000000..837c7d15 --- /dev/null +++ b/tests/image_prep/roles/sshd/tasks/main.yml @@ -0,0 +1,31 @@ +- name: Create login banner + copy: + src: banner.txt + dest: /etc/ssh/banner.txt + mode: u=rw,go=r + +- name: Configure sshd_config + lineinfile: + path: "{{ sshd_config_file }}" + line: "{{ item.line }}" + regexp: "{{ item.regexp }}" + loop: + - line: Banner /etc/ssh/banner.txt + regexp: '^#? *Banner.*' + - line: MaxAuthTries {{ sshd_config__max_auth_tries }} + regexp: '^#? *MaxAuthTries.*' + - line: PermitRootLogin yes + regexp: '.*PermitRootLogin.*' + loop_control: + label: "{{ item.line }}" + register: configure_sshd_result + +- name: Restart sshd + shell: | + launchctl unload /System/Library/LaunchDaemons/ssh.plist + wait 5 + launchctl load -w /System/Library/LaunchDaemons/ssh.plist + changed_when: true + when: + - ansible_facts.distribution == "MacOSX" + - configure_sshd_result is changed
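Review bot: `sshd_config__max_auth_tries: 50` lifts sshd's per-connection authentication-attempt cap more than eight-fold above OpenSSH's default of 6 without saying why, and the role is applied to the macOS CI runner's own sshd as well as to containers. Record the reason next to the value, e.g. `# Raised well above OpenSSH's default (6): the test suite makes many auth attempts per connection; TODO confirm the smallest value that still passes`, so a later hardening pass neither lowers it blindly nor keeps it without cause. `sshd_config_file` could likewise carry a one-line note that the same path serves the Debian/RHEL container images and macOS.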
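Review bot: In the `Restart sshd` task, `wait 5` does not pause for five seconds: in sh, `wait` takes a job or child PID, and PID 5 is not a child of this shell, so it returns immediately (bash prints an error and returns 127) and `launchctl load -w` runs straight after the unload; the intended line is `sleep 5`. Because only the last command's exit status reaches Ansible, the failing `wait` is also silently ignored; prefixing the script with `set -e` would make an unload or load failure fail the task. On the config side, `PermitRootLogin yes` (with regexp `.*PermitRootLogin.*`) also permits password-based root login on every host the role touches, including the macOS runner; if root only ever logs in with the authorized key set up in `.ci/localhost_ansible_tests.py`, `PermitRootLogin prohibit-password` is the narrower choice, otherwise a comment saying the container tests need password root login would justify `yes`.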