authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:04:41 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:04:41 +0000
commit975f66f2eebe9dadba04f275774d4ab83f74cf25 (patch)
tree89bd26a93aaae6a25749145b7e4bca4a1e75b2be /ansible_collections/cyberark/conjur/dev
parentInitial commit. (diff)
Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/cyberark/conjur/dev')
-rw-r--r--ansible_collections/cyberark/conjur/dev/Dockerfile38
-rw-r--r--ansible_collections/cyberark/conjur/dev/Dockerfile_nginx16
-rw-r--r--ansible_collections/cyberark/conjur/dev/ansible.cfg7
-rw-r--r--ansible_collections/cyberark/conjur/dev/docker-compose.yml74
-rw-r--r--ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml11
-rw-r--r--ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml6
-rw-r--r--ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml6
-rw-r--r--ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j26
-rw-r--r--ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j26
-rw-r--r--ansible_collections/cyberark/conjur/dev/policy/root.yml32
-rw-r--r--ansible_collections/cyberark/conjur/dev/proxy/default.conf33
-rw-r--r--ansible_collections/cyberark/conjur/dev/proxy/ssl.conf39
-rwxr-xr-xansible_collections/cyberark/conjur/dev/start.sh113
-rw-r--r--ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile4
-rw-r--r--ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile5
-rwxr-xr-xansible_collections/cyberark/conjur/dev/test_unit.sh47
16 files changed, 443 insertions, 0 deletions
diff --git a/ansible_collections/cyberark/conjur/dev/Dockerfile b/ansible_collections/cyberark/conjur/dev/Dockerfile
new file mode 100644
index 000000000..f8ebcaccb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/Dockerfile
@@ -0,0 +1,38 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+WORKDIR /cyberark
+
+# install python 3
+RUN apt-get update && \
+ apt-get install -y python3-pip && \
+ pip3 install --upgrade pip
+
+# install ansible and its test tool
+RUN pip3 install ansible pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+ apt-get install -y apt-transport-https \
+ ca-certificates \
+ curl \
+ software-properties-common
+
+# install docker
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+RUN add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+
+RUN apt-get update && \
+ apt-get -y install docker-ce
+
+# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a
+# standard container image for running ansible tests
+
+# install ruby
+RUN apt-get update && apt-get install -y gcc build-essential
+RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.7 ruby2.7-dev
+RUN gem install conjur-cli
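Review bot: The `curl -fsSL … | apt-key add -` step runs under the default `/bin/sh -c` without pipefail, so a failed download is only caught indirectly by `apt-key`, and `apt-key` itself is deprecated on Ubuntu 20.04 in favour of a keyring file referenced with `signed-by=` in the repository line; at minimum add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the pipe. `pip3 install ansible pytest-testinfra`, `gem install conjur-cli` and every apt install are unpinned, so the image differs from build to build; pin at least the Ansible version, e.g. `pip3 install 'ansible==<pinned-version>' pytest-testinfra`. `ENV DEBIAN_FRONTEND=noninteractive` persists into the running container; the usual form is an inline `DEBIAN_FRONTEND=noninteractive apt-get install …` or an `ARG`. Each apt layer also keeps `/var/lib/apt/lists`; a trailing `&& rm -rf /var/lib/apt/lists/*` per install step is cheap.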
diff --git a/ansible_collections/cyberark/conjur/dev/Dockerfile_nginx b/ansible_collections/cyberark/conjur/dev/Dockerfile_nginx
new file mode 100644
index 000000000..d9f18c7bd
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/Dockerfile_nginx
@@ -0,0 +1,16 @@
+FROM nginx:1.13.3
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get install -y iputils-ping procps openssl && \
+ rm -rf /var/lib/apt/lists/*
+
+WORKDIR /etc/nginx/
+
+COPY proxy/ssl.conf /etc/ssl/openssl.cnf
+
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -config /etc/ssl/openssl.cnf -extensions v3_ca \
+ -keyout cert.key -out cert.crt
+
+COPY proxy/default.conf /etc/nginx/conf.d/default.conf
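Review bot: The `openssl req … -keyout cert.key -out cert.crt` step generates the TLS private key at `docker build` time, so the key is stored in an image layer and shared by every container started from that image; that is acceptable for a throwaway dev proxy but should be stated, e.g. `# Dev-only self-signed cert: the private key is baked into the image layer and must not be reused outside this compose environment.` Generating the pair in an entrypoint script at container start would keep it out of the image entirely. The base tag `nginx:1.13.3` is a 2017 release that no longer receives fixes; a maintained `nginx:1.x` tag would also bring a newer OpenSSL for the cert generation.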
diff --git a/ansible_collections/cyberark/conjur/dev/ansible.cfg b/ansible_collections/cyberark/conjur/dev/ansible.cfg
new file mode 100644
index 000000000..5b1d8246b
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+host_key_checking = False
+error_on_undefined_vars = True
+timeout = 60
+inventory = inventory.tmp
+roles_path = /cyberark
+remote_tmp = /tmp
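Review bot: `host_key_checking = False` disables SSH host-key verification for every play run with this config; the dev inventory uses `ansible_connection=docker`, so the setting is inert here, but the file is selected via `ANSIBLE_CONFIG` and deserves a comment marking it dev-only, e.g. `# dev-only: targets are local docker containers, SSH host keys are never checked`. `remote_tmp = /tmp` places Ansible's module staging directory on a world-writable path; the default `~/.ansible/tmp` is preferable if the test containers have a usable home directory, otherwise a comment explaining why `/tmp` is required would help.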
diff --git a/ansible_collections/cyberark/conjur/dev/docker-compose.yml b/ansible_collections/cyberark/conjur/dev/docker-compose.yml
new file mode 100644
index 000000000..8e1d2dd9f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/docker-compose.yml
@@ -0,0 +1,74 @@
+version: '3'
+services:
+ ansible:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ command: /bin/sleep 1d
+ environment:
+ CONJUR_APPLIANCE_URL: http://conjur:3000
+ CONJUR_ACCOUNT: cucumber
+ CONJUR_AUTHN_LOGIN: host/ansible/ansible-master
+ CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY}
+ CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY}
+ COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+ # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring
+ # the configuration because it is in a world-writable working directory,
+ # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory.
+ ANSIBLE_CONFIG: ./ansible.cfg
+ volumes:
+ - ../roles/conjur_host_identity:/cyberark/cyberark.conjur.conjur-host-identity/
+ - .:/cyberark/dev/
+ - /var/run/docker.sock:/var/run/docker.sock
+
+ pg:
+ image: postgres:9.3
+
+ conjur:
+ image: cyberark/conjur
+ command: server -a cucumber -p 3000
+ environment:
+ CONJUR_APPLIANCE_URL: http://localhost:3000
+ DATABASE_URL: postgres://postgres@pg/postgres
+ CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA="
+ networks:
+ - default
+ links:
+ - pg
+
+ conjur_cli:
+ image: cyberark/conjur-cli:5-latest
+ entrypoint: []
+ command: sleep infinity
+ environment:
+ CONJUR_APPLIANCE_URL: http://conjur:3000
+ CONJUR_ACCOUNT: cucumber
+ CONJUR_AUTHN_LOGIN: admin
+ CONJUR_AUTHN_API_KEY: ${CLI_CONJUR_AUTHN_API_KEY}
+ volumes:
+ - ./policy:/policy
+ networks:
+ - default
+ links:
+ - conjur
+
+ test_app_ubuntu:
+ build: ./test_app_ubuntu
+ entrypoint: sleep
+ command: infinity
+
+ test_app_centos:
+ build: ./test_app_centos
+ entrypoint: sleep
+ command: infinity
+
+ conjur-proxy-nginx:
+ build:
+ context: .
+ dockerfile: Dockerfile_nginx
+ entrypoint: nginx-debug -g 'daemon off;'
+ environment:
+ TERM: xterm
+ depends_on:
+ - conjur
+ - conjur_cli
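Review bot: The `ansible` service mounts `/var/run/docker.sock` into the container, which hands anything running inside it full control of the host Docker daemon; it is needed here for `ansible_connection=docker`, but that should be stated next to the volume line, e.g. `# dev-only: docker socket mounted so Ansible can reach the test_app containers through the docker connection plugin`, so the stanza is not copied into a non-dev setup. `CONJUR_DATA_KEY` is a fixed value committed to the repository; a comment marking it as a dev-only key belongs beside it, and generating one per run (the Conjur quickstart uses `docker run --rm cyberark/conjur data-key generate`) would avoid a shared key in git. `image: cyberark/conjur` is untagged and `postgres:9.3` is long past end of life; pinning both tags makes the dev environment reproducible.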
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml b/ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml
new file mode 100644
index 000000000..6972b50ed
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml
@@ -0,0 +1,11 @@
+---
+- name: Configuring conjur identity on remote hosts
+ hosts: testapp
+ roles:
+ - role: "cyberark.conjur.conjur-host-identity"
+ conjur_account: cucumber
+ conjur_appliance_url: "https://conjur-proxy-nginx"
+ conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"
+ conjur_host_name: "conjur_{{ ansible_hostname }}"
+ conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}"
+ conjur_validate_certs: yes
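Review bot: `conjur_validate_certs: yes` uses the YAML 1.1 boolean that ansible-lint flags as truthy; `true` is the unambiguous form. The Jinja expressions `{{lookup('env', 'HFTOKEN')}}` and `{{lookup('file', '../../conjur.pem')}}` are inconsistent with `{{ ansible_hostname }}` on the line between them; `{{ lookup('env', 'HFTOKEN') }}` style throughout reads better. The `../../conjur.pem` path is relative to the playbook directory and depends on `start.sh` having written it into `dev/` first; a one-line comment naming that dependency would save the next reader a search.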
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml
new file mode 100644
index 000000000..3bf92eaf8
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml
@@ -0,0 +1,6 @@
+---
+- name: Compile inventory template locally
+ hosts: localhost
+ tasks:
+ - name: compile inventory template
+ template: src=inventory-v2.j2 dest=/cyberark/dev/inventory.tmp
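Review bot: `template: src=inventory-v2.j2 dest=/cyberark/dev/inventory.tmp` uses the key=value shorthand, which ansible-lint flags; the mapping form `template:` / `src: inventory-v2.j2` / `dest: /cyberark/dev/inventory.tmp` is clearer. The same applies to `inventory-playbook.yml` in this commit. The destination is hard-coded to the `.:/cyberark/dev/` mount defined in docker-compose.yml; a comment recording that coupling would help.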
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml
new file mode 100644
index 000000000..e61ee8053
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml
@@ -0,0 +1,6 @@
+---
+- name: Compile inventory template locally
+ hosts: localhost
+ tasks:
+ - name: compile inventory template
+ template: src=inventory.j2 dest=/cyberark/dev/inventory.tmp
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2 b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2
new file mode 100644
index 000000000..4a004fb13
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2
@@ -0,0 +1,6 @@
+[testapp]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}-test_app_ubuntu-[1:2] ansible_connection=docker
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}-test_app_centos-[1:2] ansible_connection=docker
+
+[ansible]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}-ansible-1 ansible_connection=docker
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2 b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2
new file mode 100644
index 000000000..62d48ef82
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2
@@ -0,0 +1,6 @@
+[testapp]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_ubuntu_[1:2] ansible_connection=docker
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_centos_[1:2] ansible_connection=docker
+
+[ansible]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}_ansible_1 ansible_connection=docker
diff --git a/ansible_collections/cyberark/conjur/dev/policy/root.yml b/ansible_collections/cyberark/conjur/dev/policy/root.yml
new file mode 100644
index 000000000..0309cf702
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/policy/root.yml
@@ -0,0 +1,32 @@
+---
+- !policy
+ id: ansible
+ annotations:
+ description: Policy for Ansible master and remote hosts
+ body:
+
+ - !host
+ id: ansible-master
+ annotations:
+ description: Host for running Ansible on remote targets
+
+ - !layer &remote_hosts_layer
+ id: remote_hosts
+ annotations:
+ description: Layer for Ansible remote hosts
+
+ - !host-factory
+ id: ansible-factory
+ annotations:
+ description: Factory to create new hosts for ansible
+ layer: [ *remote_hosts_layer ]
+
+ - !variable
+ id: target-password
+ annotations:
+ description: Password needed by the Ansible remote machine
+
+ - !permit
+ role: *remote_hosts_layer
+ privileges: [ execute ]
+ resources: [ !variable target-password ]
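Review bot: Only the `remote_hosts` layer is permitted `execute` on `target-password`; the `ansible-master` host is declared but granted nothing, so if the controller is ever expected to read the variable itself (for example via the conjur_variable lookup) the `!permit` would need a second role entry. If that is intentional, a short annotation on `ansible-master` saying it authenticates only and holds no secret privileges would document the least-privilege choice.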
diff --git a/ansible_collections/cyberark/conjur/dev/proxy/default.conf b/ansible_collections/cyberark/conjur/dev/proxy/default.conf
new file mode 100644
index 000000000..db2153a71
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/proxy/default.conf
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ return 301 https://conjur$request_uri;
+}
+
+server {
+ listen 443;
+ server_name localhost;
+ ssl_certificate /etc/nginx/cert.crt;
+ ssl_certificate_key /etc/nginx/cert.key;
+
+ ssl on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+
+ location / {
+ proxy_pass http://conjur:3000;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
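Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated (RFC 8996); no client in this dev environment needs them, so `ssl_protocols TLSv1.2;` is the safer default. `ssl on;` is deprecated in favour of the `ssl` parameter on `listen`, i.e. `listen 443 ssl;` with the `ssl on;` line removed. The `location /` block proxies to `http://conjur:3000` without `proxy_set_header Host $host;` or `X-Forwarded-*` headers, so any URL Conjur builds from the request may not match what clients reach through `https://conjur-proxy-nginx`; worth a comment if that is known to be harmless for these tests.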
diff --git a/ansible_collections/cyberark/conjur/dev/proxy/ssl.conf b/ansible_collections/cyberark/conjur/dev/proxy/ssl.conf
new file mode 100644
index 000000000..e78716b27
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/proxy/ssl.conf
@@ -0,0 +1,39 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+req_extensions = v3_req
+x509_extensions = usr_cert
+
+[ dn ]
+C=IL
+ST=Israel
+L=TLV
+O=Onyx
+OU=CyberArk
+CN=conjur-proxy-nginx
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsCertType = client, server, email
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = conjur-proxy-nginx
+IP.1 = 127.0.0.1
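Review bot: The `[req]` section sets `req_extensions` and `x509_extensions` twice each (`req_ext`/`v3_req` and `v3_ca`/`usr_cert`), and no `[ req_ext ]` section exists; because Dockerfile_nginx passes `-extensions v3_ca` explicitly, only `[ v3_ca ]` is applied, and it carries just `subjectAltName`, so the generated certificate appears to have no `basicConstraints`, `keyUsage` or `extendedKeyUsage` — presumably the `usr_cert`/`v3_req` entries were meant to apply. Dropping the duplicate keys and adding `basicConstraints = CA:FALSE`, `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` to `[ v3_ca ]` would make the file say what it does. The comment on the `x509_extensions` line also misspells "extensions".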
diff --git a/ansible_collections/cyberark/conjur/dev/start.sh b/ansible_collections/cyberark/conjur/dev/start.sh
new file mode 100755
index 000000000..f9ba8b525
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/start.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+set -ex
+
+
+declare -x ANSIBLE_CONJUR_AUTHN_API_KEY=''
+declare -x CLI_CONJUR_AUTHN_API_KEY=''
+declare cli_cid=''
+declare conjur_cid=''
+declare ansible_cid=''
+# normalises project name by filtering non alphanumeric characters and transforming to lowercase
+declare -x COMPOSE_PROJECT_NAME
+
+COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-pluging-testing}-conjur-host-identity" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
+export COMPOSE_PROJECT_NAME
+
+# get conjur client auth api key
+function api_key_for {
+ local role_id=$1
+ if [ -n "$role_id" ]
+ then
+ docker exec "${conjur_cid}" rails r "print Credentials['${role_id}'].api_key"
+ else
+ echo ERROR: api_key_for called with no argument 1>&2
+ exit 1
+ fi
+}
+
+function hf_token {
+ docker exec "${cli_cid}" bash -c 'conjur hostfactory tokens create --duration-days=5 ansible/ansible-factory | jq -r ".[0].token"'
+}
+
+function setup_conjur {
+ echo "---- setting up conjur ----"
+ # run policy
+ docker exec "${cli_cid}" conjur policy load root /policy/root.yml
+ # set secret values
+ docker exec "${cli_cid}" bash -ec 'conjur variable values add ansible/target-password target_secret_password'
+}
+
+function setup_conjur_identities {
+ echo "---scale up inventory nodes and setup the conjur identity there---"
+ teardown_and_setup
+ docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec "
+ cd dev
+ ansible-playbook playbooks/conjur-identity-setup/conjur_role_playbook.yml"
+}
+
+ # Scale up inventory nodes
+function teardown_and_setup {
+ docker-compose up -d --force-recreate --scale test_app_ubuntu=2 test_app_ubuntu
+ docker-compose up -d --force-recreate --scale test_app_centos=2 test_app_centos
+}
+
+function wait_for_server {
+ # shellcheck disable=SC2016
+ docker exec "${cli_cid}" bash -ec '
+ for i in $( seq 20 ); do
+ curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break
+ echo "."
+ sleep 2
+ done
+ '
+}
+
+function fetch_ssl_cert {
+ (docker-compose exec -T conjur-proxy-nginx cat cert.crt) > conjur.pem
+}
+
+function generate_inventory {
+ # Use a different inventory file for docker-compose v1 and v2 or later
+ playbook_file="inventory-playbook-v2.yml"
+ compose_ver=$(docker-compose version --short)
+ if [[ $compose_ver == "1"* ]]; then
+ playbook_file="inventory-playbook.yml"
+ fi
+
+ # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME
+ docker-compose exec -T ansible bash -ec "
+ cd dev
+ ansible-playbook playbooks/inventory-setup/$playbook_file
+ "
+}
+
+function clean {
+ echo 'Removing dev environment'
+ echo '---'
+ docker-compose down -v
+ rm -rf inventory.tmp
+}
+
+function main() {
+ clean
+ docker-compose up -d --build
+ generate_inventory
+
+ conjur_cid=$(docker-compose ps -q conjur)
+ cli_cid=$(docker-compose ps -q conjur_cli)
+ fetch_ssl_cert
+ wait_for_server
+
+ CLI_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:user:admin')
+ docker-compose up -d conjur_cli
+
+ cli_cid=$(docker-compose ps -q conjur_cli)
+ setup_conjur
+
+ ANSIBLE_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:host:ansible/ansible-master')
+ docker-compose up -d ansible
+
+ ansible_cid=$(docker-compose ps -q ansible)
+ setup_conjur_identities
+}
+ main \ No newline at end of file
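Review bot: `set -ex` traces every expanded command, so the assignments `CLI_CONJUR_AUTHN_API_KEY=$(api_key_for …)` and `ANSIBLE_CONJUR_AUTHN_API_KEY=$(api_key_for …)` in `main`, and the `env HFTOKEN="$(hf_token)"` argument in `setup_conjur_identities`, print the Conjur admin API key, the host API key and the host-factory token to stderr, which lands in CI logs. Keep `set -e` and disable tracing around those steps (`set +x` before the assignment, `set -x` after), or drop `-x` entirely and rely on the `echo` banners the script already prints. `declare -x COMPOSE_PROJECT_NAME` followed by `export COMPOSE_PROJECT_NAME` is redundant, and `rm -rf inventory.tmp` in `clean` only needs `rm -f`. The file also lacks a trailing newline after `main`.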
diff --git a/ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile b/ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile
new file mode 100644
index 000000000..ee474e7bf
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile
@@ -0,0 +1,4 @@
+FROM centos:7
+
+# Install Python so Ansible can run against node
+RUN yum update -y && yum install -y python3
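Review bot: `RUN yum update -y && yum install -y python3` performs a blanket package upgrade on every build and leaves the yum cache in the layer; the test node only needs the install, i.e. `RUN yum install -y python3 && yum clean all`. The same cache point applies to `test_app_ubuntu/Dockerfile` in this commit, where `apt-get update -y && apt-get install -y python3-minimal` should end with `&& rm -rf /var/lib/apt/lists/*`. `centos:7` reaches end of life in mid-2024, shortly after this commit's date, so the base image will stop receiving updates; a maintained base is worth considering for the test target.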
diff --git a/ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile b/ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile
new file mode 100644
index 000000000..1721241ba
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile
@@ -0,0 +1,5 @@
+FROM ubuntu:20.04
+
+# Install Python so Ansible can run against node
+RUN apt-get update -y && apt-get install -y python3-minimal
+
diff --git a/ansible_collections/cyberark/conjur/dev/test_unit.sh b/ansible_collections/cyberark/conjur/dev/test_unit.sh
new file mode 100755
index 000000000..0a00da865
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/test_unit.sh
@@ -0,0 +1,47 @@
+#!/bin/bash -eu
+
+ansible_version="stable-2.10"
+python_version="3.9"
+gen_report="false"
+
+cd "$(dirname "$0")"/..
+
+function print_usage() {
+ cat << EOF
+Run unit tests for Conjur Variable Lookup plugin.
+
+./ansibletest.sh [options]
+
+-a <version> Run tests against specified Ansible version (Default: stable-2.10)
+-p <version> Run tests against specified Python version (Default: 3.9)
+-r Generate test coverage report
+EOF
+}
+
+while getopts 'a:p:r' flag; do
+ case "${flag}" in
+ a) ansible_version="${OPTARG}" ;;
+ p) python_version="${OPTARG}" ;;
+ r) gen_report="true" ;;
+ *) print_usage
+ exit 1 ;;
+ esac
+done
+
+test_cmd="ansible-test units -v --python $python_version"
+if [[ "$gen_report" == "true" ]]; then
+ test_cmd="ansible-test coverage erase;
+ $test_cmd --coverage;
+ ansible-test coverage html --requirements --group-by command;
+ "
+fi
+
+docker build \
+ --build-arg PYTHON_VERSION="${python_version}" \
+ --build-arg ANSIBLE_VERSION="${ansible_version}" \
+ -t pytest-tools:latest \
+ -f tests/unit/Dockerfile .
+docker run --rm \
+ -v "${PWD}/":/ansible_collections/cyberark/conjur/ \
+ -w /ansible_collections/cyberark/conjur/tests/unit/ \
+ pytest-tools:latest /bin/bash -c "$test_cmd"
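Review bot: The help text in `print_usage` refers to `./ansibletest.sh [options]`, but the script is `dev/test_unit.sh`; change that line to `./dev/test_unit.sh [options]` (or use `$0`) so the usage is accurate. The defaults quoted in the help (`stable-2.10`, `3.9`) duplicate the variables at the top and will drift; interpolating `${ansible_version}` and `${python_version}` into the heredoc keeps them in sync. `test_cmd` is assembled from the `-a`/`-p` values and handed to `bash -c` inside the container; the values are operator-supplied, which is fine for a dev script, but a comment saying so would stop the pattern being reused with untrusted input.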