Add defaults for ownership of installed files on the target

These are currently specified many times in the input data for the pki role leading to repeated values for each file when in most cases the ownership is always the same. This change allows a default owner/group to be set for all installed files that can be overidden per-certificate if needed. Change-Id: Ic2cb44e7e28eefcc6afb96e05dd2fcac6e5a7efa Signed-off-by: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
2025-08-19 09:38:33 +01:00
parent 7cff89ee71
commit f03bcc19d5
5 changed files with 54 additions and 34 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -170,3 +170,9 @@ pki_file_mode:
  certificate_chain: "{{ pki_cert_mode }}"
  ca_bundle: "{{ pki_cert_mode }}"
  private_key: "{{ pki_key_mode }}"
+
+# file ownership when files are installed on the target
+#  applies to all files installed
+#  or, applies to all files not having a more specific owner:group in pki_install_certificates
+pki_install_owner: "root"
+pki_install_group: "root"
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
@@ -138,44 +138,32 @@ functional_install_key_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '
 pki_install_certificates:
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1.crt' }}"
    dest: "{{ functional_install_cert_1_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0644"
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1-chain.crt' }}"
    dest: "{{ functional_install_chain_1_dest }}"
-    owner: "root"
-    group: "root"
-    mode: "0644"
+    mode: "0755"
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1-ca_bundle.crt' }}"
    dest: "{{ functional_install_ca_bundle_1_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0644"
  - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_1.key.pem' }}"
    dest: "{{ functional_install_key_1_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0640"
  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
    dest: "{{ functional_install_cert_name_1_dest }}"
+    owner: "test"
    type: "certificate"
-    owner: "root"
-    group: "root"
  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
    dest: "{{ functional_install_chain_name_1_dest }}"
+    group: "test"
    type: "certificate_chain"
-    owner: "root"
-    group: "root"
  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
    dest: "{{ functional_install_ca_bundle_name_1_dest }}"
+    owner: "test"
+    group: "test"
    type: "ca_bundle"
-    owner: "root"
-    group: "root"
  - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
    dest: "{{ functional_install_key_name_1_dest }}"
    type: "private_key"
-    owner: "root"
-    group: "root"

 # Custom certificate installation search pattern
 pki_search_install_certificates_pattern: "foo_install_certificates_"
@@ -193,37 +181,25 @@ functional_install_key_3_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_3.ke
 foo_install_certificates_variable:
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2.crt' }}"
    dest: "{{ functional_install_cert_2_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0644"
    condition: true
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2-chain.crt' }}"
    dest: "{{ functional_install_chain_2_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0644"
    condition: true
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2-ca_bundle.crt' }}"
    dest: "{{ functional_install_ca_bundle_2_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0644"
    condition: true
  - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_2.key.pem' }}"
    dest: "{{ functional_install_key_2_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0640"
    condition: true
  - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_3.crt' }}"
    dest: "{{ functional_install_cert_3_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0644"
    condition: false
  - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_3.key.pem' }}"
    dest: "{{ functional_install_key_3_dest }}"
-    owner: "root"
-    group: "root"
    mode: "0640"
    condition: false
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -2,6 +2,15 @@
 - name: Prepare
  hosts: all
  tasks:
+    - name: Create test group
+      ansible.builtin.group:
+        name: test
+
+    - name: Create test user
+      ansible.builtin.user:
+        name: test
+        group: test
+
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -54,7 +54,7 @@

    - ansible.builtin.stat:
        path: "{{ functional_install_ca_bundle_name_1_dest }}"
-      register: chain_name_1_stat
+      register: ca_bundle_name_1_stat

    - ansible.builtin.stat:
        path: "{{ functional_install_key_name_1_dest }}"
@@ -92,15 +92,42 @@
    - ansible.builtin.assert:
        that:
          - cert_1_stat.stat.exists
+          - cert_1_stat.stat.pw_name == "root"
+          - cert_1_stat.stat.gr_name == "root"
+
          - chain_1_stat.stat.exists
+          - chain_1_stat.stat.mode == "0755"
+          - chain_1_stat.stat.pw_name == "root"
+          - chain_1_stat.stat.gr_name == "root"
+
          - ca_bundle_1_stat.stat.exists
+          - ca_bundle_1_stat.stat.pw_name == "root"
+          - ca_bundle_1_stat.stat.gr_name == "root"
+
          - key_1_stat.stat.exists
+          - key_1_stat.stat.pw_name == "root"
+          - key_1_stat.stat.gr_name == "root"
+
          - cert_name_1_stat.stat.exists
          - cert_name_1_stat.stat.mode == "0644"
+          - cert_name_1_stat.stat.pw_name == "test"
+          - cert_name_1_stat.stat.gr_name == "root"
+
          - chain_name_1_stat.stat.exists
          - chain_name_1_stat.stat.mode == "0644"
+          - chain_name_1_stat.stat.pw_name == "root"
+          - chain_name_1_stat.stat.gr_name == "test"
+
+          - ca_bundle_name_1_stat.stat.exists
+          - ca_bundle_name_1_stat.stat.mode == "0644"
+          - ca_bundle_name_1_stat.stat.pw_name == "test"
+          - ca_bundle_name_1_stat.stat.gr_name == "test"
+
          - key_name_1_stat.stat.exists
          - key_name_1_stat.stat.mode == "0600"
+          - key_name_1_stat.stat.pw_name == "root"
+          - key_name_1_stat.stat.gr_name == "root"
+
          - cert_2_stat.stat.exists
          - chain_2_stat.stat.exists
          - ca_bundle_2_stat.stat.exists
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
@@ -66,8 +66,8 @@
  ansible.builtin.copy:
    content: "{{ install.content | b64decode }}"
    dest: "{{ install.item.dest }}"
-    owner: "{{ install.item.owner | default(omit) }}"
-    group: "{{ install.item.group | default(omit) }}"
+    owner: "{{ _owner }}"
+    group: "{{ _group }}"
    mode: "{{ _mode }}"
  loop: "{{ _cert_slurp.results }}"
  loop_control:
@@ -75,10 +75,12 @@
    label: "{{ loop_label | to_json }}"
  vars:
    _mode : "{{ install.item.mode | d(pki_file_mode[install.item.type | d('certificate')]) }}"
+    _owner: "{{ install.item.owner | default(pki_install_owner) }}"
+    _group: "{{ install.item.group | default(pki_install_group) }}"
    loop_label:
      dest: "{{ install.item.dest }}"
-      owner: "{{ install.item.owner | default(omit) }}"
-      group: "{{ install.item.group | default('omit') }}"
+      owner: "{{ _owner }}"
+      group: "{{ _group }}"
      mode: "{{ _mode }}"
  ignore_errors: "{{ ansible_check_mode }}"
  notify: