From 68d6e6bf34d26f9989c6d6b162371a4c67a3e53b Mon Sep 17 00:00:00 2001
From: David Wilson <dw@botanicus.net>
Date: Tue, 8 May 2018 18:30:44 +0100
Subject: [PATCH] ansible: tests for all SSH variables.

Closes #184.
---
 tests/ansible/integration/ssh/all.yml       |   1 +
 tests/ansible/integration/ssh/variables.yml | 101 ++++++++++++++++++++
 tests/ansible/osx_setup.yml                 |  24 +++++
 3 files changed, 126 insertions(+)
 create mode 100644 tests/ansible/integration/ssh/variables.yml

diff --git a/tests/ansible/integration/ssh/all.yml b/tests/ansible/integration/ssh/all.yml
index 8a3b7f88..2425943a 100644
--- a/tests/ansible/integration/ssh/all.yml
+++ b/tests/ansible/integration/ssh/all.yml
@@ -1 +1,2 @@
 - import_playbook: timeouts.yml
+- import_playbook: variables.yml
diff --git a/tests/ansible/integration/ssh/variables.yml b/tests/ansible/integration/ssh/variables.yml
new file mode 100644
index 00000000..e9fa3584
--- /dev/null
+++ b/tests/ansible/integration/ssh/variables.yml
@@ -0,0 +1,101 @@
+
+- name: integration/ssh/variables.yml
+  hosts: test-targets
+  connection: local
+  vars:
+    # ControlMaster has the effect of caching the previous auth to the same
+    # account, so disable it. Can't disable with ControlMaster no since that
+    # already appears on command line, so override ControlPath with junk.
+    ansible_ssh_common_args: |
+      -o "ControlPath /tmp/mitogen-ansible-test-{{18446744073709551615|random}}"
+
+  tasks:
+    - name: ansible_ssh_user
+      # Remaining tests just use "ansible_user".
+      shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_ssh_user=mitogen__has_sudo
+        -e ansible_ssh_pass=has_sudo_password
+      register: out
+
+    - shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_ssh_user=mitogen__has_sudo
+        -e ansible_ssh_pass=wrong_password
+      register: out
+      ignore_errors: true
+
+    - assert:
+        that: out.rc == 4  # unreachable
+
+
+    - name: ansible_ssh_pass
+      shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_user=mitogen__has_sudo
+        -e ansible_ssh_pass=has_sudo_password
+      register: out
+
+    - shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_user=mitogen__has_sudo
+        -e ansible_ssh_pass=wrong_password
+      register: out
+      ignore_errors: true
+
+    - assert:
+        that: out.rc == 4  # unreachable
+
+
+    - name: ansible_password
+      shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_user=mitogen__has_sudo
+        -e ansible_password=has_sudo_password
+      register: out
+
+    - shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_user=mitogen__has_sudo
+        -e ansible_password=wrong_password
+      register: out
+      ignore_errors: true
+
+    - assert:
+        that: out.rc == 4  # unreachable
+
+
+    - name: ansible_ssh_private_key_file
+      shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_user=mitogen__has_sudo_pubkey
+        -e ansible_ssh_private_key_file=../data/docker/mitogen__has_sudo_pubkey.key
+      register: out
+
+    - shell: >
+        ANSIBLE_STRATEGY=mitogen_linear
+        ANSIBLE_SSH_ARGS=""
+        ansible -m shell -a whoami -i "{{inventory_file}}" test-targets
+        -e ansible_user=mitogen__has_sudo
+        -e ansible_ssh_private_key_file=/dev/null
+      register: out
+      ignore_errors: true
+
+    - assert:
+        that: out.rc == 4  # unreachable
+
+
diff --git a/tests/ansible/osx_setup.yml b/tests/ansible/osx_setup.yml
index 3c53fd8f..655c7605 100644
--- a/tests/ansible/osx_setup.yml
+++ b/tests/ansible/osx_setup.yml
@@ -20,12 +20,19 @@
     #
     # Hashed passwords.
     #
+    - name: Create Mitogen test group
+      group:
+        name: "mitogen__group"
+
     - name: Create Mitogen test users
       user:
         name: "mitogen__{{item}}"
         shell: /bin/bash
+        groups: mitogen__group
         password: "{{ (item + '_password') | password_hash('sha256') }}"
       with_items:
+        - has_sudo
+        - has_sudo_pubkey
         - require_tty
         - pw_required
         - require_tty_pw_required
@@ -47,8 +54,11 @@
       user:
         name: "mitogen__{{item}}"
         shell: /bin/bash
+        groups: mitogen__group
         password: "{{item}}_password"
       with_items:
+        - has_sudo
+        - has_sudo_pubkey
         - require_tty
         - pw_required
         - require_tty_pw_required
@@ -98,6 +108,20 @@
       - bashrc
       - profile
 
+    - name: Install pubkey for one account
+      file:
+        path: ~mitogen__has_sudo_pubkey/.ssh
+        state: directory
+        mode: go=
+        owner: mitogen__has_sudo_pubkey
+
+    - name: Install pubkey for one account
+      copy:
+        dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys
+        src: ../data/docker/mitogen__has_sudo_pubkey.key.pub
+        mode: go=
+        owner: mitogen__has_sudo_pubkey
+
     - name: Require a TTY for two accounts
       lineinfile:
         path: /etc/sudoers