From c14f6c98d1951569edce426418cf7870cc568e71 Mon Sep 17 00:00:00 2001 From: David Wilson Date: Mon, 9 Apr 2018 15:05:57 +0100 Subject: [PATCH] ansible: import osx_setup.yml. --- tests/ansible/README.md | 5 +++ tests/ansible/osx_setup.yml | 63 +++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 tests/ansible/osx_setup.yml diff --git a/tests/ansible/README.md b/tests/ansible/README.md index fe343125..a76c7c1f 100644 --- a/tests/ansible/README.md +++ b/tests/ansible/README.md @@ -8,6 +8,11 @@ It will be tidied up over time, meanwhile, the playbooks here are a useful demonstrator for what does and doesn't work. +## Preparation + +For OS X, run the ``osx_setup.yml`` script to create a bunch of users. + + ## ``run_ansible_playbook.sh`` This is necessary to set some environment variables used by future tests, as diff --git a/tests/ansible/osx_setup.yml b/tests/ansible/osx_setup.yml new file mode 100644 index 00000000..582dd280 --- /dev/null +++ b/tests/ansible/osx_setup.yml 
@@ -0,0 +1,63 @@
+
+#
+# Add users expected by tests to an OS X machine. Assumes passwordless sudo to
+# root.
+#
+# WARNING: this creates non-privilged accounts with pre-set passwords!
+#
+
+- hosts: all
+ become: true
+ tasks:
+ - name: Disable non-localhost SSH for Mitogen users
+ blockinfile:
+ path: /etc/ssh/sshd_config
+ block: |
+ Match User mitogen__* Address !127.0.0.1
+ DenyUsers *
+
+ - name: Create Mitogen test users
+ user:
+ name: "{{item}}"
+ shell: /bin/bash
+ password: mitogen__password
+ with_items:
+ - mitogen__require_tty
+ - mitogen__pw_required
+ - mitogen__require_tty_pw_required
+
+ - name: Hide test users from login window.
+ shell: >
+ defaults
+ write
+ /Library/Preferences/com.apple.loginwindow
+ HiddenUsersList
+ -array-add '{{item}}'
+ with_items:
+ - mitogen__require_tty
+ - mitogen__pw_required
+ - mitogen__require_tty_pw_required
+
+ - name: Require a TTY for two accounts
+ lineinfile:
+ path: /etc/sudoers
+ line: "{{item}}"
+ with_items:
+ - Defaults>mitogen__pw_required targetpw
+ - Defaults>mitogen__require_tty requiretty
+ - Defaults>mitogen__require_tty_pw_required requiretty,targetpw
+
+ - name: Require password for two accounts
+ lineinfile:
+ path: /etc/sudoers
+ line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) ALL"
+ with_items:
+ - mitogen__pw_required
+ - mitogen__require_tty_pw_required
+
+ - name: Allow passwordless for one account
+ lineinfile:
+ path: /etc/sudoers
+ line: "{{lookup('pipe', 'whoami')}} ALL = ({{item}}) NOPASSWD:ALL"
+ with_items:
+ - mitogen__require_tty
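Review bot: The `Match User mitogen__* Address !127.0.0.1` line in the first task most likely never matches, because an sshd pattern list that holds only a negated entry cannot produce a positive match. If so, `DenyUsers *` is never applied and the accounts created with the pre-set `password:` value stay reachable over SSH from non-local addresses wherever Remote Login is enabled. Giving the list a positive term, `Match User mitogen__* Address *,!127.0.0.1`, should produce the intended restriction; the IPv6 loopback may need the same exclusion. Separately, the three `lineinfile` tasks that write `/etc/sudoers` have no syntax check, so a malformed line can lock out sudo on the host; adding `validate: 'visudo -cf %s'` to each would reject a bad edit before it is installed.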