From f03bcc19d585f0e5fc67146015c44b9650b2fe13 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Tue, 19 Aug 2025 09:38:33 +0100
Subject: [PATCH] Add defaults for ownership of installed files on the target

These are currently specified many times in the input data for the pki role leading to repeated values for each file when in most cases the ownership is always the same. This change allows a default owner/group to be set for all installed files that can be overidden per-certificate if needed.

Change-Id: Ic2cb44e7e28eefcc6afb96e05dd2fcac6e5a7efa
Signed-off-by: Jonathan Rosser
---
 defaults/main.yml | 6 +++++
 molecule/default/group_vars/all.yml | 34 +++++------------------------
 molecule/default/prepare.yml | 9 ++++++++
 molecule/default/verify.yml | 29 +++++++++++++++++++++++-
 tasks/main_certs.yml | 10 +++++----
 5 files changed, 54 insertions(+), 34 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ba3d79d..03c2282 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -170,3 +170,9 @@ pki_file_mode:
 certificate_chain: "{{ pki_cert_mode }}"
 ca_bundle: "{{ pki_cert_mode }}"
 private_key: "{{ pki_key_mode }}"
+
+# file ownership when files are installed on the target
+# applies to all files installed
+# or, applies to all files not having a more specific owner:group in pki_install_certificates
+pki_install_owner: "root"
+pki_install_group: "root"
diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
index 1f91a84..c57fcaa 100644
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
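Review bot: The three comment lines added above `pki_install_owner` contradict each other — "applies to all files installed" and then "or, applies to all files not having a more specific owner:group" — and only the second matches what the role does, since a `pki_install_certificates` entry keeps its own `owner`/`group`. The comment should also record what changed for entries that set neither: before this patch the removed `default(omit)` left ownership as whatever the connection user created the file with, and now every install is explicitly chowned to `root:root` unless overridden. I would replace the block with `# Default owner and group for files installed on the target; an entry in`, `# pki_install_certificates may set its own owner/group to override these.`, `# Both must exist on the target and the install task needs privilege to chown.`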
@@ -138,44 +138,32 @@ functional_install_key_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ ' pki_install_certificates: - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1.crt' }}" dest: "{{ functional_install_cert_1_dest }}" - owner: "root" - group: "root" mode: "0644" - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1-chain.crt' }}" dest: "{{ functional_install_chain_1_dest }}" - owner: "root" - group: "root" - mode: "0644" + mode: "0755" - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1-ca_bundle.crt' }}" dest: "{{ functional_install_ca_bundle_1_dest }}" - owner: "root" - group: "root" mode: "0644" - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_1.key.pem' }}" dest: "{{ functional_install_key_1_dest }}" - owner: "root" - group: "root" mode: "0640" - name: "{{ ansible_facts['hostname'] ~ '_1' }}" dest: "{{ functional_install_cert_name_1_dest }}" + owner: "test" type: "certificate" - owner: "root" - group: "root" - name: "{{ ansible_facts['hostname'] ~ '_1' }}" dest: "{{ functional_install_chain_name_1_dest }}" + group: "test" type: "certificate_chain" - owner: "root" - group: "root" - name: "{{ ansible_facts['hostname'] ~ '_1' }}" dest: "{{ functional_install_ca_bundle_name_1_dest }}" + owner: "test" + group: "test" type: "ca_bundle" - owner: "root" - group: "root" - name: "{{ ansible_facts['hostname'] ~ '_1' }}" dest: "{{ functional_install_key_name_1_dest }}" type: "private_key" - owner: "root" - group: "root" # Custom certificate installation search pattern pki_search_install_certificates_pattern: "foo_install_certificates_" 
@@ -193,37 +181,25 @@ functional_install_key_3_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_3.ke foo_install_certificates_variable: - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2.crt' }}" dest: "{{ functional_install_cert_2_dest }}" - owner: "root" - group: "root" mode: "0644" condition: true - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2-chain.crt' }}" dest: "{{ functional_install_chain_2_dest }}" - owner: "root" - group: "root" mode: "0644" condition: true - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2-ca_bundle.crt' }}" dest: "{{ functional_install_ca_bundle_2_dest }}" - owner: "root" - group: "root" mode: "0644" condition: true - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_2.key.pem' }}" dest: "{{ functional_install_key_2_dest }}" - owner: "root" - group: "root" mode: "0640" condition: true - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_3.crt' }}" dest: "{{ functional_install_cert_3_dest }}" - owner: "root" - group: "root" mode: "0644" condition: false - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_3.key.pem' }}" dest: "{{ functional_install_key_3_dest }}" - owner: "root" - group: "root" mode: "0640" condition: false diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index e21e817..0e5b61c 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -2,6 +2,15 @@ - name: Prepare hosts: all tasks: + - name: Create test group + ansible.builtin.group: + name: test + + - name: Create test user + ansible.builtin.user: + name: test + group: test + - name: Update apt cache ansible.builtin.apt: update_cache: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index a7dfe74..3837657 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml 
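Review bot: The `test` account created in the `Create test user` task is a regular login user with a home directory, which is more than the verify play needs in order to check `pw_name`/`gr_name` on the installed files. Keeping the fixture minimal avoids leaving a login-capable account on the instance: on the `ansible.builtin.user` task add `system: true` and `create_home: false` under `name: test`, and `system: true` on the `ansible.builtin.group` task. The `Prepare` play's task list continues past the end of the hunk.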
@@ -54,7 +54,7 @@ - ansible.builtin.stat: path: "{{ functional_install_ca_bundle_name_1_dest }}" - register: chain_name_1_stat + register: ca_bundle_name_1_stat - ansible.builtin.stat: path: "{{ functional_install_key_name_1_dest }}" @@ -92,15 +92,42 @@ - ansible.builtin.assert: that: - cert_1_stat.stat.exists + - cert_1_stat.stat.pw_name == "root" + - cert_1_stat.stat.gr_name == "root" + - chain_1_stat.stat.exists + - chain_1_stat.stat.mode == "0755" + - chain_1_stat.stat.pw_name == "root" + - chain_1_stat.stat.gr_name == "root" + - ca_bundle_1_stat.stat.exists + - ca_bundle_1_stat.stat.pw_name == "root" + - ca_bundle_1_stat.stat.gr_name == "root" + - key_1_stat.stat.exists + - key_1_stat.stat.pw_name == "root" + - key_1_stat.stat.gr_name == "root" + - cert_name_1_stat.stat.exists - cert_name_1_stat.stat.mode == "0644" + - cert_name_1_stat.stat.pw_name == "test" + - cert_name_1_stat.stat.gr_name == "root" + - chain_name_1_stat.stat.exists - chain_name_1_stat.stat.mode == "0644" + - chain_name_1_stat.stat.pw_name == "root" + - chain_name_1_stat.stat.gr_name == "test" + + - ca_bundle_name_1_stat.stat.exists + - ca_bundle_name_1_stat.stat.mode == "0644" + - ca_bundle_name_1_stat.stat.pw_name == "test" + - ca_bundle_name_1_stat.stat.gr_name == "test" + - key_name_1_stat.stat.exists - key_name_1_stat.stat.mode == "0600" + - key_name_1_stat.stat.pw_name == "root" + - key_name_1_stat.stat.gr_name == "root" + - cert_2_stat.stat.exists - chain_2_stat.stat.exists - ca_bundle_2_stat.stat.exists diff --git a/tasks/main_certs.yml b/tasks/main_certs.yml index 05f4abc..9b742f7 100644 --- a/tasks/main_certs.yml +++ b/tasks/main_certs.yml @@ -66,8 +66,8 @@ ansible.builtin.copy: content: "{{ install.content | b64decode }}" dest: "{{ install.item.dest }}" - owner: "{{ install.item.owner | default(omit) }}" - group: "{{ install.item.group | default(omit) }}" + owner: "{{ _owner }}" + group: "{{ _group }}" mode: "{{ _mode }}" loop: "{{ _cert_slurp.results }}" loop_control: 
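Review bot: Among the src-based entries only the chain file gets a mode assertion, so the private key that `key_1_stat` presumably stats (`functional_install_key_1_dest`, given `mode: "0640"` in `group_vars/all.yml`) is checked for owner and group but not for its mode, while the name-based `key_name_1_stat` is checked for `0600`. Add `- key_1_stat.stat.mode == "0640"` next to its new `pw_name`/`gr_name` lines, and for symmetry `- cert_1_stat.stat.mode == "0644"` and `- ca_bundle_1_stat.stat.mode == "0644"`, so a regression in the per-entry mode path is caught together with ownership. The `ansible.builtin.assert` task continues past the end of the hunk.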
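Review bot: `owner: "{{ _owner }}"` and `group: "{{ _group }}"` now always pass an owner and group to `ansible.builtin.copy`, where the removed `default(omit)` left them unset, so a play that ran this role without privilege escalation and previously just kept the connection user's ownership will now attempt a chown to `root` and fail (`_owner`/`_group` are defined in the following `vars:` hunk at lines 75-86, which has the same effect). If unprivileged runs are meant to stay supported, an empty default should fall through to omit, e.g. `_owner: "{{ install.item.owner | default(pki_install_owner) or omit }}"` and the same for `_group`; otherwise the privilege requirement belongs in `defaults/main.yml` next to the new variables. The copy task's `loop_control` block continues outside this hunk.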
@@ -75,10 +75,12 @@
 label: "{{ loop_label | to_json }}"
 vars:
 _mode : "{{ install.item.mode | d(pki_file_mode[install.item.type | d('certificate')]) }}"
+ _owner: "{{ install.item.owner | default(pki_install_owner) }}"
+ _group: "{{ install.item.group | default(pki_install_group) }}"
 loop_label:
 dest: "{{ install.item.dest }}"
- owner: "{{ install.item.owner | default(omit) }}"
- group: "{{ install.item.group | default('omit') }}"
+ owner: "{{ _owner }}"
+ group: "{{ _group }}"
 mode: "{{ _mode }}"
 ignore_errors: "{{ ansible_check_mode }}"
 notify: