From 975f66f2eebe9dadba04f275774d4ab83f74cf25 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 14:04:41 +0200 Subject: Adding upstream version 7.7.0+dfsg. 
Signed-off-by: Daniel Baumann --- ansible_collections/cyberark/conjur/dev/Dockerfile | 38 +++++++ .../cyberark/conjur/dev/Dockerfile_nginx | 16 +++ .../cyberark/conjur/dev/ansible.cfg | 7 ++ .../cyberark/conjur/dev/docker-compose.yml | 74 ++++++++++++++ .../conjur-identity-setup/conjur_role_playbook.yml | 11 ++ .../inventory-setup/inventory-playbook-v2.yml | 6 ++ .../inventory-setup/inventory-playbook.yml | 6 ++ .../dev/playbooks/inventory-setup/inventory-v2.j2 | 6 ++ .../dev/playbooks/inventory-setup/inventory.j2 | 6 ++ .../cyberark/conjur/dev/policy/root.yml | 32 ++++++ .../cyberark/conjur/dev/proxy/default.conf | 33 ++++++ .../cyberark/conjur/dev/proxy/ssl.conf | 39 +++++++ ansible_collections/cyberark/conjur/dev/start.sh | 113 +++++++++++++++++++++ .../cyberark/conjur/dev/test_app_centos/Dockerfile | 4 + .../cyberark/conjur/dev/test_app_ubuntu/Dockerfile | 5 + .../cyberark/conjur/dev/test_unit.sh | 47 +++++++++ 16 files changed, 443 insertions(+) create mode 100644 ansible_collections/cyberark/conjur/dev/Dockerfile create mode 100644 ansible_collections/cyberark/conjur/dev/Dockerfile_nginx create mode 100644 ansible_collections/cyberark/conjur/dev/ansible.cfg create mode 100644 ansible_collections/cyberark/conjur/dev/docker-compose.yml create mode 100644 ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml create mode 100644 ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml create mode 100644 ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml create mode 100644 ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2 create mode 100644 ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2 create mode 100644 ansible_collections/cyberark/conjur/dev/policy/root.yml create mode 100644 ansible_collections/cyberark/conjur/dev/proxy/default.conf create mode 100644 
ansible_collections/cyberark/conjur/dev/proxy/ssl.conf create mode 100755 ansible_collections/cyberark/conjur/dev/start.sh create mode 100644 ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile create mode 100644 ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile create mode 100755 ansible_collections/cyberark/conjur/dev/test_unit.sh (limited to 'ansible_collections/cyberark/conjur/dev')
diff --git a/ansible_collections/cyberark/conjur/dev/Dockerfile b/ansible_collections/cyberark/conjur/dev/Dockerfile
new file mode 100644
index 000000000..f8ebcaccb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/Dockerfile
@@ -0,0 +1,38 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+WORKDIR /cyberark
+
+# install python 3
+RUN apt-get update && \
+ apt-get install -y python3-pip && \
+ pip3 install --upgrade pip
+
+# install ansible and its test tool
+RUN pip3 install ansible pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+ apt-get install -y apt-transport-https \
+ ca-certificates \
+ curl \
+ software-properties-common
+
+# install docker
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+RUN add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+
+RUN apt-get update && \
+ apt-get -y install docker-ce
+
+# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a
+# standard container image for running ansible tests
+
+# install ruby
+RUN apt-get update && apt-get install -y gcc build-essential
+RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.7 ruby2.7-dev
+RUN gem install conjur-cli
diff --git a/ansible_collections/cyberark/conjur/dev/Dockerfile_nginx b/ansible_collections/cyberark/conjur/dev/Dockerfile_nginx
new file mode 100644
index 000000000..d9f18c7bd
--- /dev/null
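Review bot: `RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -` runs under the default `/bin/sh -c`, so the layer's exit status is apt-key's, not curl's (hadolint DL4006); put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before it, and note that `apt-key` is deprecated on 20.04 in favour of a keyring file under `/etc/apt/keyrings/` referenced with `signed-by=` in the deb line. The ruby step adds the third-party `ppa:brightbox/ruby-ng` archive, which makes that PPA's signing key a trust root for every later `apt-get` in the image; a comment should say why the distro ruby is not enough. `pip3 install ansible pytest-testinfra` and `gem install conjur-cli` are unpinned, so two builds of this Dockerfile can differ, and none of the apt layers remove `/var/lib/apt/lists/*`. The stage ends as root with no `USER`, which is defensible for a dev container that drives the host docker socket, but the existing NOTE comment should say so rather than leave it implicit.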
+++ b/ansible_collections/cyberark/conjur/dev/Dockerfile_nginx
@@ -0,0 +1,16 @@
+FROM nginx:1.13.3
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get install -y iputils-ping procps openssl && \
+ rm -rf /var/lib/apt/lists/*
+
+WORKDIR /etc/nginx/
+
+COPY proxy/ssl.conf /etc/ssl/openssl.cnf
+
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -config /etc/ssl/openssl.cnf -extensions v3_ca \
+ -keyout cert.key -out cert.crt
+
+COPY proxy/default.conf /etc/nginx/conf.d/default.conf
diff --git a/ansible_collections/cyberark/conjur/dev/ansible.cfg b/ansible_collections/cyberark/conjur/dev/ansible.cfg
new file mode 100644
index 000000000..5b1d8246b
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+host_key_checking = False
+error_on_undefined_vars = True
+timeout = 60
+inventory = inventory.tmp
+roles_path = /cyberark
+remote_tmp = /tmp
diff --git a/ansible_collections/cyberark/conjur/dev/docker-compose.yml b/ansible_collections/cyberark/conjur/dev/docker-compose.yml
new file mode 100644
index 000000000..8e1d2dd9f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/docker-compose.yml
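Review bot: The `openssl req -x509 ... -days 365` step bakes both the certificate and its private key into an image layer at build time, so the proxy's identity expires one year after the image was built, not after it was started; because the playbook in this commit sets `conjur_validate_certs: yes` against `https://conjur-proxy-nginx`, a cached image will start failing host-identity setup with a certificate error and nothing in the Dockerfile explains why. Add a comment above the RUN such as `# Self-signed dev cert, 365-day lifetime, key stored in the image: rebuild (or move this into the entrypoint) if TLS validation starts failing.` `FROM nginx:1.13.3` is a 2017 release line; pin a current 1.x tag so the base image actually receives fixes. `iputils-ping` and `procps` are debugging tools, fine for a dev proxy, but the RUN should say they are there for interactive debugging.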
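Review bot: `host_key_checking = False` disables SSH host-key verification for every play run from this directory, and the file gives no reason; the inventory templates in this commit use `ansible_connection=docker`, so the setting is not actually exercised here, which is exactly what a comment should record: `# dev-only: targets are local docker containers, SSH host keys are never used`. `remote_tmp = /tmp` points Ansible at a shared world-writable directory; Ansible tolerates it but warns, and `~/.ansible/tmp` is the usual choice unless there is a known reason the container user cannot write its home.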
@@ -0,0 +1,74 @@ +version: '3' +services: + ansible: + build: + context: . + dockerfile: Dockerfile + command: /bin/sleep 1d + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: host/ansible/ansible-master + CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY} + CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY} + COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring + # the configuration because it is in a world-writable working directory, + # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory. + ANSIBLE_CONFIG: ./ansible.cfg + volumes: + - ../roles/conjur_host_identity:/cyberark/cyberark.conjur.conjur-host-identity/ + - .:/cyberark/dev/ + - /var/run/docker.sock:/var/run/docker.sock + + pg: + image: postgres:9.3 + + conjur: + image: cyberark/conjur + command: server -a cucumber -p 3000 + environment: + CONJUR_APPLIANCE_URL: http://localhost:3000 + DATABASE_URL: postgres://postgres@pg/postgres + CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA=" + networks: + - default + links: + - pg + + conjur_cli: + image: cyberark/conjur-cli:5-latest + entrypoint: [] + command: sleep infinity + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: admin + CONJUR_AUTHN_API_KEY: ${CLI_CONJUR_AUTHN_API_KEY} + volumes: + - ./policy:/policy + networks: + - default + links: + - conjur + + test_app_ubuntu: + build: ./test_app_ubuntu + entrypoint: sleep + command: infinity + + test_app_centos: + build: ./test_app_centos + entrypoint: sleep + command: infinity + + conjur-proxy-nginx: + build: + context: . + dockerfile: Dockerfile_nginx + entrypoint: nginx-debug -g 'daemon off;' + environment: + TERM: xterm + depends_on: + - conjur + - conjur_cli 
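Review bot: `CONJUR_DATA_KEY` under the `conjur` service is a fixed master encryption key committed to the repository with nothing marking it as throwaway; add `# dev-only data key, regenerated stacks may reuse it but it must never leave this compose file` above it so nobody copies the pattern into a real deployment. The `ansible` service mounts `/var/run/docker.sock` into the container, which gives that container control of the host Docker daemon (root-equivalent on the host); it is needed because the playbooks use `ansible_connection=docker`, and a comment on the volume line should say so. `image: cyberark/conjur` has no tag and `postgres:9.3` is an end-of-life release; pin both so `docker-compose up -d --build` in start.sh is reproducible.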
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml b/ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml new file mode 100644 index 000000000..6972b50ed --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/playbooks/conjur-identity-setup/conjur_role_playbook.yml @@ -0,0 +1,11 @@ +--- +- name: Configuring conjur identity on remote hosts + hosts: testapp + roles: + - role: "cyberark.conjur.conjur-host-identity" + conjur_account: cucumber + conjur_appliance_url: "https://conjur-proxy-nginx" + conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}" + conjur_host_name: "conjur_{{ ansible_hostname }}" + conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}" + conjur_validate_certs: yes diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml new file mode 100644 index 000000000..3bf92eaf8 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook-v2.yml @@ -0,0 +1,6 @@ +--- +- name: Compile inventory template locally + hosts: localhost + tasks: + - name: compile inventory template + template: src=inventory-v2.j2 dest=/cyberark/dev/inventory.tmp diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml new file mode 100644 index 000000000..e61ee8053 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-playbook.yml @@ -0,0 +1,6 @@ +--- +- name: Compile inventory template locally + hosts: localhost + tasks: + - name: compile inventory template + template: src=inventory.j2 dest=/cyberark/dev/inventory.tmp 
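Review bot: The Jinja spacing in conjur_role_playbook.yml is inconsistent within one role block (`{{lookup('env', 'HFTOKEN')}}` and `{{lookup('file', '../../conjur.pem')}}` against `{{ ansible_hostname }}`), and `conjur_validate_certs: yes` is a YAML 1.1 truthy value that ansible-lint flags; write `conjur_validate_certs: true` and `{{ lookup('env', 'HFTOKEN') }}`. `conjur_host_factory_token` is a credential, and whether the role prints its parameters is not visible in this commit; if it does, `no_log: true` on the role entry keeps the token out of the play output.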
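Review bot: inventory-playbook-v2.yml and inventory-playbook.yml are identical except for the template name in `src=`, and the `template: src=... dest=...` key=value shorthand is the form ansible-lint discourages; one playbook with `template:` as a YAML mapping (`src: "{{ inventory_template }}"`, `dest: /cyberark/dev/inventory.tmp`) and the name passed with `-e` from start.sh, which already chooses between the two, removes the duplication. The same applies to inventory-playbook.yml in the following hunk.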
diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2 b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2 new file mode 100644 index 000000000..4a004fb13 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory-v2.j2 @@ -0,0 +1,6 @@ +[testapp] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}-test_app_ubuntu-[1:2] ansible_connection=docker +{{ lookup('env','COMPOSE_PROJECT_NAME') }}-test_app_centos-[1:2] ansible_connection=docker + +[ansible] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}-ansible-1 ansible_connection=docker diff --git a/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2 b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2 new file mode 100644 index 000000000..62d48ef82 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/playbooks/inventory-setup/inventory.j2 @@ -0,0 +1,6 @@ +[testapp] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_ubuntu_[1:2] ansible_connection=docker +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_centos_[1:2] ansible_connection=docker + +[ansible] +{{ lookup('env','COMPOSE_PROJECT_NAME') }}_ansible_1 ansible_connection=docker diff --git a/ansible_collections/cyberark/conjur/dev/policy/root.yml b/ansible_collections/cyberark/conjur/dev/policy/root.yml new file mode 100644 index 000000000..0309cf702 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/policy/root.yml 
@@ -0,0 +1,32 @@ +--- +- !policy + id: ansible + annotations: + description: Policy for Ansible master and remote hosts + body: + + - !host + id: ansible-master + annotations: + description: Host for running Ansible on remote targets + + - !layer &remote_hosts_layer + id: remote_hosts + annotations: + description: Layer for Ansible remote hosts + + - !host-factory + id: ansible-factory + annotations: + description: Factory to create new hosts for ansible + layer: [ *remote_hosts_layer ] + + - !variable + id: target-password + annotations: + description: Password needed by the Ansible remote machine + + - !permit + role: *remote_hosts_layer + privileges: [ execute ] + resources: [ !variable target-password ] diff --git a/ansible_collections/cyberark/conjur/dev/proxy/default.conf b/ansible_collections/cyberark/conjur/dev/proxy/default.conf new file mode 100644 index 000000000..db2153a71 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/proxy/default.conf @@ -0,0 +1,33 @@ +server { + listen 80; + return 301 https://conjur$request_uri; +} + +server { + listen 443; + server_name localhost; + ssl_certificate /etc/nginx/cert.crt; + ssl_certificate_key /etc/nginx/cert.key; + + ssl on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; + ssl_prefer_server_ciphers on; + + access_log /var/log/nginx/access.log; + + location / { + proxy_pass http://conjur:3000; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + +} diff --git a/ansible_collections/cyberark/conjur/dev/proxy/ssl.conf b/ansible_collections/cyberark/conjur/dev/proxy/ssl.conf new file mode 100644 index 000000000..e78716b27 --- /dev/null +++ b/ansible_collections/cyberark/conjur/dev/proxy/ssl.conf 
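Review bot: In default.conf the port-80 server block redirects with `return 301 https://conjur$request_uri;`, but `conjur` is the backend service name that serves plain HTTP on port 3000, not this proxy, so a client that follows the redirect does not reach the TLS listener; `return 301 https://$host$request_uri;` keeps the client on whatever name it used for the proxy. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables two deprecated protocol versions, and `ssl on;` is the legacy form; change to `listen 443 ssl;`, drop `ssl on;`, and use `ssl_protocols TLSv1.2;`. `proxy_pass http://conjur:3000;` forwards no `Host` or `X-Forwarded-*` headers; whether Conjur needs them is not visible here, so a comment recording that decision would help.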
@@ -0,0 +1,39 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+req_extensions = v3_req
+x509_extensions = usr_cert
+
+[ dn ]
+C=IL
+ST=Israel
+L=TLV
+O=Onyx
+OU=CyberArk
+CN=conjur-proxy-nginx
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsCertType = client, server, email
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = conjur-proxy-nginx
+IP.1 = 127.0.0.1
diff --git a/ansible_collections/cyberark/conjur/dev/start.sh b/ansible_collections/cyberark/conjur/dev/start.sh
new file mode 100755
index 000000000..f9ba8b525
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/start.sh
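Review bot: The `[req]` section sets `req_extensions` twice (`req_ext`, then `v3_req`) and `x509_extensions` twice (`v3_ca`, then `usr_cert`), and no `[req_ext]` section exists; which duplicate the OpenSSL config parser keeps is not something to rely on. In practice Dockerfile_nginx passes `-extensions v3_ca` explicitly, so the generated certificate carries only the `subjectAltName` from `[v3_ca]`, and `[usr_cert]` and `[v3_req]` are dead configuration that still advertises `codeSigning` and `emailProtection` EKUs a TLS server certificate should not claim. Remove the `req_extensions = req_ext` line and the second `x509_extensions` line, delete the unused sections or move a `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` pair into `[v3_ca]`, and add a comment that `-extensions v3_ca` on the Dockerfile side is what selects the section. The comment on the `x509_extensions = v3_ca` line also misspells "extensions".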
@@ -0,0 +1,113 @@
+#!/bin/bash
+set -ex
+
+
+declare -x ANSIBLE_CONJUR_AUTHN_API_KEY=''
+declare -x CLI_CONJUR_AUTHN_API_KEY=''
+declare cli_cid=''
+declare conjur_cid=''
+declare ansible_cid=''
+# normalises project name by filtering non alphanumeric characters and transforming to lowercase
+declare -x COMPOSE_PROJECT_NAME
+
+COMPOSE_PROJECT_NAME=$(echo "${BUILD_TAG:-ansible-pluging-testing}-conjur-host-identity" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
+export COMPOSE_PROJECT_NAME
+
+# get conjur client auth api key
+function api_key_for {
+ local role_id=$1
+ if [ -n "$role_id" ]
+ then
+ docker exec "${conjur_cid}" rails r "print Credentials['${role_id}'].api_key"
+ else
+ echo ERROR: api_key_for called with no argument 1>&2
+ exit 1
+ fi
+}
+
+function hf_token {
+ docker exec "${cli_cid}" bash -c 'conjur hostfactory tokens create --duration-days=5 ansible/ansible-factory | jq -r ".[0].token"'
+}
+
+function setup_conjur {
+ echo "---- setting up conjur ----"
+ # run policy
+ docker exec "${cli_cid}" conjur policy load root /policy/root.yml
+ # set secret values
+ docker exec "${cli_cid}" bash -ec 'conjur variable values add ansible/target-password target_secret_password'
+}
+
+function setup_conjur_identities {
+ echo "---scale up inventory nodes and setup the conjur identity there---"
+ teardown_and_setup
+ docker exec "${ansible_cid}" env HFTOKEN="$(hf_token)" bash -ec "
+ cd dev
+ ansible-playbook playbooks/conjur-identity-setup/conjur_role_playbook.yml"
+}
+
+ # Scale up inventory nodes
+function teardown_and_setup {
+ docker-compose up -d --force-recreate --scale test_app_ubuntu=2 test_app_ubuntu
+ docker-compose up -d --force-recreate --scale test_app_centos=2 test_app_centos
+}
+
+function wait_for_server {
+ # shellcheck disable=SC2016
+ docker exec "${cli_cid}" bash -ec '
+ for i in $( seq 20 ); do
+ curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break
+ echo "."
+ sleep 2
+ done
+ '
+}
+
+function fetch_ssl_cert {
+ (docker-compose exec -T conjur-proxy-nginx cat cert.crt) > conjur.pem
+}
+
+function generate_inventory {
+ # Use a different inventory file for docker-compose v1 and v2 or later
+ playbook_file="inventory-playbook-v2.yml"
+ compose_ver=$(docker-compose version --short)
+ if [[ $compose_ver == "1"* ]]; then
+ playbook_file="inventory-playbook.yml"
+ fi
+
+ # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME
+ docker-compose exec -T ansible bash -ec "
+ cd dev
+ ansible-playbook playbooks/inventory-setup/$playbook_file
+ "
+}
+
+function clean {
+ echo 'Removing dev environment'
+ echo '---'
+ docker-compose down -v
+ rm -rf inventory.tmp
+}
+
+function main() {
+ clean
+ docker-compose up -d --build
+ generate_inventory
+
+ conjur_cid=$(docker-compose ps -q conjur)
+ cli_cid=$(docker-compose ps -q conjur_cli)
+ fetch_ssl_cert
+ wait_for_server
+
+ CLI_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:user:admin')
+ docker-compose up -d conjur_cli
+
+ cli_cid=$(docker-compose ps -q conjur_cli)
+ setup_conjur
+
+ ANSIBLE_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:host:ansible/ansible-master')
+ docker-compose up -d ansible
+
+ ansible_cid=$(docker-compose ps -q ansible)
+ setup_conjur_identities
+}
+ main
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile b/ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile
new file mode 100644
index 000000000..ee474e7bf
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/test_app_centos/Dockerfile
@@ -0,0 +1,4 @@
+FROM centos:7
+
+# Install Python so Ansible can run against node
+RUN yum update -y && yum install -y python3
diff --git a/ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile b/ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile
new file mode 100644
index 000000000..1721241ba
--- /dev/null
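Review bot: `set -ex` at the top of start.sh turns on xtrace for the whole run, so the lines `CLI_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:user:admin')`, `ANSIBLE_CONJUR_AUTHN_API_KEY=$(api_key_for 'cucumber:host:ansible/ansible-master')` and `env HFTOKEN="$(hf_token)"` in `main` and `setup_conjur_identities` print the admin API key, the host API key and the host-factory token to the console and to any CI log that captures it. Keep `set -e`, and either drop `-x` or bracket those three assignments with `set +x` / `set -x`. `api_key_for` interpolates `${role_id}` straight into Ruby run by `rails r`; both callers pass string literals, so a comment saying the argument must be a literal role id rather than external input is enough. The `# Scale up inventory nodes` comment above `teardown_and_setup` is indented by one space and `main()` uses the `function name()` form while every other definition uses `function name`; pick one style.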
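Review bot: `RUN yum update -y && yum install -y python3` upgrades every package in the base image at build time, so two builds of this Dockerfile can produce different images, and it leaves the yum cache in the layer; `RUN yum install -y python3 && yum clean all` is the reproducible form. `FROM centos:7` is an end-of-life release line with no further security updates, which matters less for a throwaway Ansible target but should be stated in the comment so the choice is deliberate.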
+++ b/ansible_collections/cyberark/conjur/dev/test_app_ubuntu/Dockerfile
@@ -0,0 +1,5 @@
+FROM ubuntu:20.04
+
+# Install Python so Ansible can run against node
+RUN apt-get update -y && apt-get install -y python3-minimal
+
diff --git a/ansible_collections/cyberark/conjur/dev/test_unit.sh b/ansible_collections/cyberark/conjur/dev/test_unit.sh
new file mode 100755
index 000000000..0a00da865
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/dev/test_unit.sh
@@ -0,0 +1,47 @@
+#!/bin/bash -eu
+
+ansible_version="stable-2.10"
+python_version="3.9"
+gen_report="false"
+
+cd "$(dirname "$0")"/..
+
+function print_usage() {
+ cat << EOF
+Run unit tests for Conjur Variable Lookup plugin.
+
+./ansibletest.sh [options]
+
+-a Run tests against specified Ansible version (Default: stable-2.10)
+-p Run tests against specified Python version (Default: 3.9)
+-r Generate test coverage report
+EOF
+}
+
+while getopts 'a:p:r' flag; do
+ case "${flag}" in
+ a) ansible_version="${OPTARG}" ;;
+ p) python_version="${OPTARG}" ;;
+ r) gen_report="true" ;;
+ *) print_usage
+ exit 1 ;;
+ esac
+done
+
+test_cmd="ansible-test units -v --python $python_version"
+if [[ "$gen_report" == "true" ]]; then
+ test_cmd="ansible-test coverage erase;
+ $test_cmd --coverage;
+ ansible-test coverage html --requirements --group-by command;
+ "
+fi
+
+docker build \
+ --build-arg PYTHON_VERSION="${python_version}" \
+ --build-arg ANSIBLE_VERSION="${ansible_version}" \
+ -t pytest-tools:latest \
+ -f tests/unit/Dockerfile .
+docker run --rm \
+ -v "${PWD}/":/ansible_collections/cyberark/conjur/ \
+ -w /ansible_collections/cyberark/conjur/tests/unit/ \
+ pytest-tools:latest /bin/bash -c "$test_cmd"
-- cgit v1.2.3
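Review bot: `RUN apt-get update -y && apt-get install -y python3-minimal` installs recommended packages and leaves the apt lists in the layer; `RUN apt-get update && apt-get install -y --no-install-recommends python3-minimal && rm -rf /var/lib/apt/lists/*` keeps the test target minimal, and `-y` on `apt-get update` does nothing. The file also ends with an extra blank line.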
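Review bot: When `-r` is given, `test_cmd` chains the three commands with `;`, and because the string runs as `/bin/bash -c "$test_cmd"` the container's exit status is that of the last command, `ansible-test coverage html`, so failing unit tests do not fail this script in report mode; join them with `&&` instead, or start the string with `set -e;`. `print_usage` documents the script as `./ansibletest.sh` while the file is `test_unit.sh`, so the usage text is wrong from the first commit. `-t pytest-tools:latest` builds and then runs a floating tag; fine locally, but on a shared runner another job can replace it between `docker build` and `docker run`, so a tag derived from the `ansible_version`/`python_version` pair would be safer.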