HamWAN / infrastructure-configs

Ansible roles and playbooks for HamWAN servers, applications, and router infrastructure.
http://www.hamwan.org/
Apache License 2.0

Expand roles/users tests to cover changing of group names #15

Closed bkus closed 1 year ago

bkus commented 1 year ago

Introduced a new Vagrant target "test.group.change" to test the scenario of an admin user being in an outdated group (e.g., hamwan), and being automatically moved to a new group (e.g., hamadmin). The scenario injects multiple network failures, which exposes an unsafe sequencing of tasks. The admin user is locked out of network control, and the test fails.

In order to pull this off, I had to stop using production keys, and there's now a locally stored test key pair. Don't use it in prod or for anything else! The private key is stored in plaintext and distributed widely.

The Ansible admin user changed from "vagrant" to "eo". Vagrant user remains for true back-door access to the test target VMs.

nigelvh commented 1 year ago

The ansible portion looks reasonable.

The bit about using a predefined keypair: I'm a bit unclear on why that was required, and not knowing the setup well leaves me with concerns it would end up being used in prod, but I may be entirely off base. Not enough insight to comment.

Not sure why 'eo' was chosen for hardcoded test/admin user, rather than a generic one, when moving away from the 'vagrant' user.

bkus commented 1 year ago

> The ansible portion looks reasonable.
>
> The bit about using a predefined keypair: I'm a bit unclear on why that was required, and not knowing the setup well leaves me with concerns it would end up being used in prod, but I may be entirely off base. Not enough insight to comment.

The role populates keys, so I had to feed it some keys to satisfy the role.

Which keys are used is controlled by the override in roles/users/molecule/default/converge.yml. By default, the keys in roles/users/vars/main.yml are used. So the test keys are only used when running molecule itself. Production is safe.

> Not sure why 'eo' was chosen for hardcoded test/admin user, rather than a generic one, when moving away from the 'vagrant' user.

The role doesn't control 'vagrant', it only controls the defined test users: eo, nigel, tom. I picked one at random ... or perhaps with some bias. ;) All 3 are admin users. It's just the one I chose to write the group migration test against. See the Vagrantfile to see how easy that can change to nigel or anyone else.