PR review fixes

securesign · Nov 18, 2024 · d5baf9f · d5baf9f
1 parent 3e71af6
commit d5baf9f
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 104 deletions.
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -2,8 +2,6 @@
 - name: Converge
   hosts: molecule
   gather_facts: true
-  become: yes
-  become_method: sudo
   vars_files:
     - vars/vars.yml
   tasks:

diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -2,57 +2,14 @@
 - name: Prepare
   hosts: molecule
   gather_facts: false
-  become: yes
-  become_method: sudo
+  vars:
+    users:
+      - user: testingUser
+        password: $y$j9T$WNDCnTZIfLYSpTiZ1yFdJ1$fvdsvfLEdpi39mS/SbfsgPQdAQ//D8xySIXF5hLFdU2
   vars_files:
     - vars/vars.yml
 
   tasks:
-    - name: Create a non-root sudoer user
-      ansible.builtin.user:
-        name: "{{ tas_single_node_user }}"
-        shell: /bin/bash
-        create_home: yes
-
-    - name: Grant passwordless sudo to new user
-      ansible.builtin.lineinfile:
-        path: /etc/sudoers
-        line: "{{ tas_single_node_user }} ALL=(ALL) NOPASSWD: ALL"
-        validate: "visudo -cf %s"
-
-    - name: Create an .ssh directory
-      ansible.builtin.file:
-        path: "/home/{{ tas_single_node_user }}/.ssh"
-        state: directory
-        mode: "0700"
-        owner: "{{ tas_single_node_user }}"
-
-    - name: Configure SSH access for new user
-      ansible.builtin.copy:
-        src: "{{ molecule_ephemeral_directory }}/id_rsa.pub"
-        dest: "/home/{{ tas_single_node_user }}/.ssh/authorized_keys"
-        mode: "0600"
-        owner: "{{ tas_single_node_user }}"
-
-    - name: Edit SSH config to disallow root login
-      ansible.builtin.lineinfile:
-        path: /etc/ssh/sshd_config
-        regexp: '^(#*)?PermitRootLogin'
-        line: PermitRootLogin no
-      notify: Restart SSH
-
-    - name: Modify Molecule inventory
-      ansible.builtin.lineinfile:
-        path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
-        regexp: 'ansible_user:'
-        line: "ansible_user: {{ tas_single_node_user }}}"
-      delegate_to: localhost
-
-    - name: Force refresh inventory
-      ansible.builtin.meta: refresh_inventory
-
-  handlers:
-    - name: Restart SSH
-      service:
-        name: sshd
-        state: restarted
+    - name: Setup a non-root sudoer to replicate a user environment
+      ansible.builtin.include_tasks: ../testing_user_setup.yaml
+      with_items: "{{ users }}"
diff --git a/molecule/default/vars/vars.yml b/molecule/default/vars/vars.yml
@@ -8,4 +8,3 @@ tas_single_node_cockpit:
   enabled: false
 tas_single_node_registry_username: "{{ lookup('env', 'TAS_SINGLE_NODE_REGISTRY_USERNAME') }}"
 tas_single_node_registry_password: "{{ lookup('env', 'TAS_SINGLE_NODE_REGISTRY_PASSWORD') }}"
-tas_single_node_user: testingUser
diff --git a/molecule/testing_user_setup.yaml b/molecule/testing_user_setup.yaml
@@ -0,0 +1,51 @@
+---
+- name: Create a non-root sudoer user
+  ansible.builtin.user:
+    name: "{{ item.user }}"
+    password: "{{ item.password }}"
+    shell: /bin/bash
+    create_home: yes
+
+- name: Add user to wheel group
+  shell: usermod -aG wheel {{ item.user }}
+
+- name: Configure Sudoers for the user
+  ansible.builtin.lineinfile:
+    dest: /etc/sudoers
+    line: "{{ item.user }} ALL = (ALL) ALL"
+    validate: 'visudo -cf %s'
+
+- name: Create an .ssh directory
+  ansible.builtin.file:
+    path: "/home/{{ item.user }}/.ssh"
+    state: directory
+    mode: "0700"
+    owner: "{{ item.user }}"
+
+- name: Configure SSH access for new user
+  ansible.builtin.copy:
+    src: "{{ molecule_ephemeral_directory }}/id_rsa.pub"
+    dest: "/home/{{ item.user }}/.ssh/authorized_keys"
+    mode: "0600"
+    owner: "{{ item.user }}"
+
+- name: Edit SSH config to disallow root login
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^(#*)?PermitRootLogin'
+    line: "PermitRootLogin no"
+
+- name: Restart SSH
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
+- name: Modify Molecule inventory
+  ansible.builtin.lineinfile:
+    path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
+    regexp: 'ansible_user:'
+    line: "ansible_user: {{ item.user }}, ansible_become: true, ansible_become_password: {{ item.password }} }"
+  delegate_to: localhost
+
+- name: Force refresh inventory
+  ansible.builtin.meta: refresh_inventory
diff --git a/molecule/user_provided/prepare.yml b/molecule/user_provided/prepare.yml
@@ -2,8 +2,10 @@
 - name: Prepare
   hosts: molecule
   gather_facts: true
-  become: yes
-  become_method: sudo
+  vars:
+    users:
+      - user: testingUser
+        password: $y$j9T$WNDCnTZIfLYSpTiZ1yFdJ1$fvdsvfLEdpi39mS/SbfsgPQdAQ//D8xySIXF5hLFdU2
   vars_files:
     - vars/vars.yml
   tasks:
@@ -71,51 +73,6 @@
         FLUSH PRIVILEGES;
         EOF
 
-    - name: Create a non-root sudoer user
-      ansible.builtin.user:
-        name: "{{ tas_single_node_user }}"
-        shell: /bin/bash
-        create_home: yes
-
-    - name: Grant passwordless sudo to new user
-      ansible.builtin.lineinfile:
-        path: /etc/sudoers
-        line: "{{ tas_single_node_user }} ALL=(ALL) NOPASSWD: ALL"
-        validate: "visudo -cf %s"
-
-    - name: Create an .ssh directory
-      ansible.builtin.file:
-        path: "/home/{{ tas_single_node_user }}/.ssh"
-        state: directory
-        mode: "0700"
-        owner: "{{ tas_single_node_user }}"
-
-    - name: Configure SSH access for new user
-      ansible.builtin.copy:
-        src: "{{ molecule_ephemeral_directory }}/id_rsa.pub"
-        dest: "/home/{{ tas_single_node_user }}/.ssh/authorized_keys"
-        mode: "0600"
-        owner: "{{ tas_single_node_user }}"
-
-    - name: Edit SSH config to disallow root login
-      ansible.builtin.lineinfile:
-        path: /etc/ssh/sshd_config
-        regexp: '^(#*)?PermitRootLogin'
-        line: PermitRootLogin no
-      notify: Restart SSH
-
-    - name: Modify Molecule inventory
-      ansible.builtin.lineinfile:
-        path: "{{ molecule_ephemeral_directory }}/inventory/molecule_inventory.yml"
-        regexp: 'ansible_user:'
-        line: "ansible_user: {{ tas_single_node_user }}}"
-      delegate_to: localhost
-
-    - name: Force refresh inventory
-      ansible.builtin.meta: refresh_inventory
-
-  handlers:
-    - name: Restart SSH
-      service:
-        name: sshd
-        state: restarted
+    - name: Set up a non-root sudoer to replicate a user environment
+      ansible.builtin.include_tasks: ../testing_user_setup.yaml
+      with_items: "{{ users }}" 
diff --git a/molecule/user_provided/vars/vars.yml b/molecule/user_provided/vars/vars.yml
@@ -23,4 +23,3 @@ tas_single_node_rekor_redis:
     host: "{{ ansible_default_ipv4.address }}"
     port: 6379
     password: password
-tas_single_node_user: testingUser