archive
/
mitogen
mirror of https://github.com/mitogen-hq/mitogen.git
1
0
Fork 0
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
docs-master
stable
pr683
0.2-release
pull-request-checklist
dmw
circleci-project-setup
new-serialization
gh-pages
redirect
issue531
issue510
issue260
issue72
wip-fakessh-exit-status
v0.2.10rc1
v0.3.0rc1
v0.2.9
v0.2.8
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
working-django
working
v0.2.0
v0.2.1
v0.2.10
v0.2.10-rc.0
v0.2.2
v0.3.0
v0.3.0-rc.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.17
v0.3.18
v0.3.19
v0.3.2
v0.3.20
v0.3.21
v0.3.22
v0.3.23
v0.3.24
v0.3.25
v0.3.25a1
v0.3.25a2
v0.3.25a3
v0.3.25b1
v0.3.26
v0.3.27
v0.3.28
v0.3.29
v0.3.3
v0.3.30
v0.3.31
v0.3.32
v0.3.33
v0.3.34
v0.3.35
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2d8751c1fe'
${ noResults }
mitogen/tests/image_prep/_user_accounts.yml

187 lines
5.8 KiB
YAML
Raw Blame History

#
# Add users expected by tests. Assumes passwordless sudo to root.
#
# WARNING: this creates non-privilged accounts with pre-set passwords!
#
- name: Mitogen test users and groups
hosts: all
gather_facts: true
strategy: mitogen_free
become: true
vars:
distro: "{{ansible_distribution}}"
special_users:
- name: mitogen__has_sudo
- name: mitogen__has_sudo_nopw
- name: mitogen__has_sudo_pubkey
- name: mitogen__pw_required
- name: mitogen__readonly_homedir
- name: mitogen__require_tty
- name: mitogen__require_tty_pw_required
- name: mitogen__permdenied
- name: mitogen__slow_user
- name: mitogen__webapp
- name: mitogen__sudo1
- name: mitogen__sudo2
- name: mitogen__sudo3
- name: mitogen__sudo4
user_groups:
mitogen__has_sudo: ['mitogen__group', '{{ sudo_group[distro] }}']
mitogen__has_sudo_pubkey: ['mitogen__group', '{{ sudo_group[distro] }}']
mitogen__has_sudo_nopw: ['mitogen__group', 'mitogen__sudo_nopw']
mitogen__sudo1: ['mitogen__group', 'mitogen__sudo_nopw']
mitogen__sudo2: ['mitogen__group', '{{ sudo_group[distro] }}']
mitogen__sudo3: ['mitogen__group', '{{ sudo_group[distro] }}']
mitogen__sudo4: ['mitogen__group', '{{ sudo_group[distro] }}']
normal_users:
- name: mitogen__user1
- name: mitogen__user2
- name: mitogen__user3
- name: mitogen__user4
- name: mitogen__user5
all_users: "{{
special_users +
normal_users
}}"
mitogen_test_groups:
- name: mitogen__group
- name: mitogen__sudo_nopw
user_policies_max_failed_logins: 1000
user_policies_users: "{{ all_users }}"
pre_tasks:
- name: Disable non-localhost SSH for Mitogen users
when: false
blockinfile:
path: /etc/ssh/sshd_config
block: |
Match User mitogen__* Address !127.0.0.1
DenyUsers *
- name: Create Mitogen test groups
group:
name: "{{ item.name }}"
with_items: "{{ mitogen_test_groups }}"
- name: Create user accounts
vars:
password: "{{ item.name | replace('mitogen__', '') }}_password"
block:
- user:
name: "{{ item.name }}"
shell: /bin/bash
groups: "{{ user_groups[item.name] | default(['mitogen__group']) }}"
password: "{{ password | password_hash('sha256') }}"
with_items: "{{all_users}}"
when: ansible_system != 'Darwin'
- user:
name: "{{ item.name }}"
shell: /bin/bash
group: staff
groups: |
{{
['com.apple.access_ssh'] +
(user_groups[item.name] | default(['mitogen__group']))
}}
hidden: true
password: "{{ password }}"
with_items: "{{all_users}}"
when: ansible_system == 'Darwin'
- name: Check if AccountsService is used
stat:
path: /var/lib/AccountsService/users
register: out
- name: Hide users from login window (Linux).
when: ansible_system == 'Linux' and out.stat.exists
with_items: "{{all_users}}"
copy:
dest: /var/lib/AccountsService/users/{{ item.name }}
mode: u=rw,go=
content: |
[User]
SystemAccount=true
- name: Restart AccountsService (Linux).
when: ansible_system == 'Linux' and out.stat.exists
service:
name: accounts-daemon
state: restarted
- name: Readonly homedir for one account
file:
path: ~mitogen__readonly_homedir
owner: root
recurse: true
state: directory
- name: Slow bash profile for one account
copy:
dest: ~mitogen__slow_user/.{{item}}
src: ../data/docker/mitogen__slow_user.profile
owner: mitogen__slow_user
group: mitogen__group
mode: u=rw,go=r
with_items:
- bashrc
- profile
- name: "Login throws permission denied errors (issue #271)"
copy:
dest: ~mitogen__permdenied/.{{item}}
src: ../data/docker/mitogen__permdenied.profile
owner: mitogen__permdenied
group: mitogen__group
mode: u=rw,go=r
with_items:
- bashrc
- profile
- name: Install pubkey for mitogen__has_sudo_pubkey
block:
- file:
path: ~mitogen__has_sudo_pubkey/.ssh
state: directory
mode: go=
owner: mitogen__has_sudo_pubkey
group: mitogen__group
- copy:
dest: ~mitogen__has_sudo_pubkey/.ssh/authorized_keys
src: ../data/docker/mitogen__has_sudo_pubkey.key.pub
mode: go=
owner: mitogen__has_sudo_pubkey
group: mitogen__group
- name: Configure sudoers
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: ug=r,o=
validate: '/usr/sbin/visudo -cf %s'
with_items:
- {src: sudoers_defaults, dest: /etc/sudoers.d/mitogen_test_defaults}
- name: Configure sudoers users
blockinfile:
path: /etc/sudoers
marker: "# {mark} Mitogen test users"
block: |
# User Host(s) = (runas user:runas group) Command(s)
{{ lookup('pipe', 'whoami') }} ALL = (mitogen__pw_required:ALL) ALL
{{ lookup('pipe', 'whoami') }} ALL = (mitogen__require_tty_pw_required:ALL) ALL
{{ lookup('pipe', 'whoami') }} ALL = (mitogen__require_tty:ALL) NOPASSWD:ALL
{{ lookup('pipe', 'whoami') }} ALL = (mitogen__readonly_homedir:ALL) NOPASSWD:ALL
{% for runas_user in normal_users %}
{{ lookup('pipe', 'whoami') }} ALL = ({{ runas_user.name }}:ALL) NOPASSWD:ALL
{% endfor %}
validate: '/usr/sbin/visudo -cf %s'
when:
- ansible_connection == "local"
roles:
- role: user_policies
View Git Blame Copy Permalink