diff --git a/tests/tasks/cleanup.yml b/tests/tasks/cleanup.yml new file mode 100644 index 0000000..9dd1a42 --- /dev/null +++ b/tests/tasks/cleanup.yml 
@@ -0,0 +1,74 @@ +# SPDX-License-Identifier: MIT +--- +- name: Stat quadlet install directory for cleanup + ansible.builtin.stat: + path: "{{ __trustee_client_quadlet_install_dir }}" + register: __trustee_client_cleanup_quadlet_dir + +- name: Find trustee-gc quadlet pod files + ansible.builtin.find: + paths: "{{ __trustee_client_quadlet_install_dir }}" + patterns: trustee-gc*.pod + register: __trustee_client_cleanup_pod_files + when: __trustee_client_cleanup_quadlet_dir.stat.exists + +- name: Stop and disable trustee quadlet pod services + ansible.builtin.systemd: + name: "{{ item.path | basename | regex_replace('\\.pod$', '') }}-pod.service" + state: stopped + enabled: false + loop: >- + {{ + (__trustee_client_cleanup_pod_files.files | default([])) + if not (__trustee_client_cleanup_pod_files is skipped) + else [] + }} + failed_when: false + +- name: Stop and disable services tracked by trustee_client role + ansible.builtin.systemd: + name: "{{ item }}" + state: stopped + enabled: false + loop: "{{ __trustee_client_services }}" + failed_when: false + +- name: Find trustee-gc quadlet unit files to remove + ansible.builtin.find: + paths: "{{ __trustee_client_quadlet_install_dir }}" + patterns: + - trustee-gc*.container + - trustee-gc*.pod + - trustee-gc*.volume + register: __trustee_client_cleanup_quadlet_files + when: __trustee_client_cleanup_quadlet_dir.stat.exists + +- name: Remove trustee-gc quadlet unit files + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: >- + {{ + (__trustee_client_cleanup_quadlet_files.files | default([])) + if not (__trustee_client_cleanup_quadlet_files is skipped) + else [] + }} + +- name: Remove trustee-gc configuration directory + ansible.builtin.file: + path: /etc/trustee-gc + state: absent + +- name: Remove secret registration client script + ansible.builtin.file: + path: /usr/local/bin/secret_registration_client.sh + state: absent + +- name: Remove secret registration client systemd unit + 
ansible.builtin.file: + path: /etc/systemd/system/secret_registration_client.service + state: absent + +- name: Reload systemd after removing trustee_client units + ansible.builtin.systemd: + daemon_reload: true diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 9494d01..9cee9a7 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml 
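Review bot: The loop in `Stop and disable services tracked by trustee_client role` dereferences `__trustee_client_services` with no `default([])`, while both find-based loops in this file guard their registered results; because cleanup.yml is only ever included from `always` blocks, it can also run after a role invocation that failed before the role's vars were exported, and the bare reference then aborts the cleanup with an undefined-variable error that replaces the original failure in the output. Change it to `loop: "{{ __trustee_client_services | default([]) }}"`. For the same reason `Stat quadlet install directory for cleanup` would benefit from `when: __trustee_client_quadlet_install_dir is defined`, with the two find tasks then keyed off `__trustee_client_cleanup_quadlet_dir.stat.exists | default(false)` so a skipped stat does not break them. Whether role vars stay exported after a failed include depends on how the role is entered, so this is a hedge rather than a confirmed failure path.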
@@ -6,86 +6,97 @@ trustee_client_trustee_gc: true trustee_client_encrypt_disk: false tasks: - - name: Run the role - ansible.builtin.include_tasks: - file: tasks/run_role_with_clear_facts.yml - vars: - __sr_public: true + - name: Run the tests + block: + - name: Run the role + ansible.builtin.include_tasks: + file: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true - - name: Collect package facts - package_facts: - manager: auto - no_log: true + - name: Flush handlers to start services created by the role + ansible.builtin.meta: flush_handlers - - name: Assert required packages are installed - assert: - that: - - item in ansible_facts.packages - fail_msg: "Required package '{{ item }}' is not installed" - loop: "{{ __trustee_client_trustee_gc_packages }}" + - name: Collect package facts + package_facts: + manager: auto + no_log: true - - name: Stat the quadlet install directory - stat: - path: "{{ __trustee_client_quadlet_install_dir }}" - register: __test_quadlet_dir + - name: Assert required packages are installed + assert: + that: + - item in ansible_facts.packages + fail_msg: "Required package '{{ item }}' is not installed" + loop: "{{ __trustee_client_trustee_gc_packages }}" - - name: Assert quadlet install directory exists - assert: - that: - - __test_quadlet_dir.stat.exists - - __test_quadlet_dir.stat.isdir - fail_msg: >- - Quadlet install directory {{ __trustee_client_quadlet_install_dir }} - does not exist + - name: Stat the quadlet install directory + stat: + path: "{{ __trustee_client_quadlet_install_dir }}" + register: __test_quadlet_dir - - name: Find deployed quadlet files - find: - paths: "{{ __trustee_client_quadlet_install_dir }}" - patterns: - - "*.container" - - "*.volume" - - "*.network" - - "*.kube" - - "*.pod" - register: __test_quadlet_files + - name: Assert quadlet install directory exists + assert: + that: + - __test_quadlet_dir.stat.exists + - __test_quadlet_dir.stat.isdir + fail_msg: >- + Quadlet install directory {{ 
__trustee_client_quadlet_install_dir }} + does not exist - - name: Assert quadlet files were deployed - assert: - that: - - __test_quadlet_files.files | length > 0 - fail_msg: >- - No quadlet files found in {{ __trustee_client_quadlet_install_dir }} + - name: Find deployed quadlet files + find: + paths: "{{ __trustee_client_quadlet_install_dir }}" + patterns: + - "*.container" + - "*.volume" + - "*.network" + - "*.kube" + - "*.pod" + register: __test_quadlet_files - - name: Stat the trustee-gc config directory - stat: - path: /etc/trustee-gc - register: __test_trustee_gc_dir + - name: Assert quadlet files were deployed + assert: + that: + - __test_quadlet_files.files | length > 0 + fail_msg: >- + No quadlet files found in {{ __trustee_client_quadlet_install_dir }} - - name: Assert trustee-gc config directory exists - assert: - that: - - __test_trustee_gc_dir.stat.exists - - __test_trustee_gc_dir.stat.isdir - fail_msg: "Trustee GC config directory /etc/trustee-gc does not exist" + - name: Stat the trustee-gc config directory + stat: + path: /etc/trustee-gc + register: __test_trustee_gc_dir - - name: Find trustee pod file - find: - paths: "{{ __trustee_client_quadlet_install_dir }}" - patterns: "*.pod" - recurse: false - register: __test_trustee_pod_files + - name: Assert trustee-gc config directory exists + assert: + that: + - __test_trustee_gc_dir.stat.exists + - __test_trustee_gc_dir.stat.isdir + fail_msg: "Trustee GC config directory /etc/trustee-gc does not exist" - - name: Assert trustee pod file exists - assert: - that: __test_trustee_pod_files.matched | int > 0 - fail_msg: "No trustee pod file found in {{ __trustee_client_quadlet_install_dir }}" + - name: Find trustee pod file + find: + paths: "{{ __trustee_client_quadlet_install_dir }}" + patterns: "*.pod" + recurse: false + register: __test_trustee_pod_files - - name: Set trustee pod service name - ansible.builtin.set_fact: - __test_trustee_pod_service: "{{ (__test_trustee_pod_files.files[0].path | 
basename) | replace('.pod', '') }}-pod" + - name: Assert trustee pod file exists + assert: + that: __test_trustee_pod_files.matched | int > 0 + fail_msg: "No trustee pod file found in {{ __trustee_client_quadlet_install_dir }}" - - name: Assert trustee pod service is running - ansible.builtin.service: - name: "{{ __test_trustee_pod_service }}" - state: started - check_mode: true + - name: Set trustee pod service name + ansible.builtin.set_fact: + __test_trustee_pod_service: "{{ (__test_trustee_pod_files.files[0].path | basename) | replace('.pod', '') }}-pod" + + - name: Assert trustee pod service is running + ansible.builtin.service: + name: "{{ __test_trustee_pod_service }}" + state: started + check_mode: true + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup diff --git a/tests/tests_encrypt_disk.yml b/tests/tests_encrypt_disk.yml index 19e4f50..ea0bb10 100644 --- a/tests/tests_encrypt_disk.yml +++ b/tests/tests_encrypt_disk.yml 
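Review bot: `Assert trustee pod service is running` (and `Assert secret registration client service is enabled` in tests_secret_registration_client.yml) does not assert anything: a `service` task with `check_mode: true` reports `changed` when the unit is not in the requested state and never fails, so the test passes against a stopped pod. Register the result and fail on a reported change: `register: __test_pod_service_check` followed by `failed_when: __test_pod_service_check is changed`. The `always` cleanup here is unconditional, so if `Run the role` fails before the role's vars are exported, cleanup.yml's first stat on `__trustee_client_quadlet_install_dir` raises an undefined-variable error that masks the real failure; a `when: __trustee_client_quadlet_install_dir is defined` on the include would keep the original error visible.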
@@ -10,132 +10,147 @@ trustee_client_encrypt_disk: true trustee_client_encrypt_disk_mount_point: /mnt/encrypted-disk tasks: - - name: Check for an unpartitioned disk device - ansible.builtin.shell: | - set -o pipefail - lsblk -n -o NAME,TYPE,PKNAME | awk ' - $2=="disk" && $1 !~ /^zram|^loop|^dm/ { disk=$1; haspart[disk]=0 } - $2=="part" { parent=$3; if (parent in haspart) haspart[parent]=1 } - END { - for (d in haspart) { - if (haspart[d] == 0) { - print d - exit 0 + - name: Run the tests + block: + - name: Check for an unpartitioned disk device + ansible.builtin.shell: | + set -o pipefail + lsblk -n -o NAME,TYPE,PKNAME | awk ' + $2=="disk" && $1 !~ /^zram|^loop|^dm/ { disk=$1; haspart[disk]=0 } + $2=="part" { parent=$3; if (parent in haspart) haspart[parent]=1 } + END { + for (d in haspart) { + if (haspart[d] == 0) { + print d + exit 0 + } + } } - } - } - ' - register: __test_unpartitioned_disk - changed_when: false - failed_when: false - - - name: Set fact when no unpartitioned disk is available - ansible.builtin.set_fact: - __test_skip_encrypt_assertions: "{{ __test_unpartitioned_disk.stdout | trim == '' }}" - - - name: Run trustee_client role with disk encryption enabled - ansible.builtin.include_tasks: - file: tasks/run_role_with_clear_facts.yml - when: not __test_skip_encrypt_assertions - - - name: Stat the encrypted disk mount point - ansible.builtin.stat: - path: "{{ trustee_client_encrypt_disk_mount_point }}" - register: __test_mount_point - when: not __test_skip_encrypt_assertions - - - name: Assert mount point directory exists - ansible.builtin.assert: - that: - - __test_mount_point.stat.exists - - __test_mount_point.stat.isdir - fail_msg: >- - Encrypted disk mount point - {{ trustee_client_encrypt_disk_mount_point }} does not exist - when: not __test_skip_encrypt_assertions - - - name: Get mount information - ansible.builtin.command: findmnt --noheadings --output SOURCE {{ trustee_client_encrypt_disk_mount_point }} - register: __test_findmnt - 
changed_when: false - failed_when: false - when: not __test_skip_encrypt_assertions - - - name: Assert the encrypted disk is mounted - ansible.builtin.assert: - that: - - __test_findmnt.rc == 0 - - __test_findmnt.stdout | trim != "" - fail_msg: >- - Nothing is mounted at {{ trustee_client_encrypt_disk_mount_point }} - when: not __test_skip_encrypt_assertions - - - name: Assert the mounted device is the LUKS mapper device - ansible.builtin.assert: - that: - - >- - '/dev/mapper/trustee_client_encrypted_disk_0' in - (__test_findmnt.stdout | trim) - fail_msg: >- - Expected /dev/mapper/trustee_client_encrypted_disk_0 to be mounted at - {{ trustee_client_encrypt_disk_mount_point }} but found: - {{ __test_findmnt.stdout }} - when: not __test_skip_encrypt_assertions - - - name: Stat the LUKS mapper device - ansible.builtin.stat: - path: /dev/mapper/trustee_client_encrypted_disk_0 - register: __test_mapper_dev - when: not __test_skip_encrypt_assertions - - - name: Assert LUKS mapper device exists - ansible.builtin.assert: - that: - - __test_mapper_dev.stat.exists - fail_msg: "LUKS mapper device /dev/mapper/trustee_client_encrypted_disk_0 does not exist" - when: not __test_skip_encrypt_assertions - - - name: Assert encrypted_disk_key fact was set - ansible.builtin.assert: - that: - - encrypted_disk_key is defined - - encrypted_disk_key | length > 0 - fail_msg: "encrypted_disk_key fact was not set by the role" - when: not __test_skip_encrypt_assertions - - - name: Stat podman storage directory on encrypted disk - ansible.builtin.stat: - path: "{{ trustee_client_encrypt_disk_mount_point }}/containers-storage" - register: __test_containers_storage - when: not __test_skip_encrypt_assertions - - - name: Assert podman storage directory was created on encrypted disk - ansible.builtin.assert: - that: - - __test_containers_storage.stat.exists - - __test_containers_storage.stat.isdir - fail_msg: >- - Podman storage directory - {{ trustee_client_encrypt_disk_mount_point 
}}/containers-storage - was not created - when: not __test_skip_encrypt_assertions - - - name: Read podman storage config - ansible.builtin.slurp: - src: /etc/containers/storage.conf - register: __test_storage_conf - when: not __test_skip_encrypt_assertions - - - name: Assert podman storage config points to encrypted disk - ansible.builtin.assert: - that: - - >- - trustee_client_encrypt_disk_mount_point in - (__test_storage_conf.content | b64decode) - fail_msg: >- - /etc/containers/storage.conf does not reference the encrypted - disk mount point {{ trustee_client_encrypt_disk_mount_point }} - when: not __test_skip_encrypt_assertions + ' + register: __test_unpartitioned_disk + changed_when: false + failed_when: false + + - name: Set fact when no unpartitioned disk is available + ansible.builtin.set_fact: + __test_skip_encrypt_assertions: "{{ __test_unpartitioned_disk.stdout | trim == '' }}" + + - name: Run trustee_client role with disk encryption enabled + ansible.builtin.include_tasks: + file: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true + when: not __test_skip_encrypt_assertions + + - name: Flush handlers to start services created by the role + ansible.builtin.meta: flush_handlers + when: not __test_skip_encrypt_assertions + + - name: Stat the encrypted disk mount point + ansible.builtin.stat: + path: "{{ trustee_client_encrypt_disk_mount_point }}" + register: __test_mount_point + when: not __test_skip_encrypt_assertions + + - name: Assert mount point directory exists + ansible.builtin.assert: + that: + - __test_mount_point.stat.exists + - __test_mount_point.stat.isdir + fail_msg: >- + Encrypted disk mount point + {{ trustee_client_encrypt_disk_mount_point }} does not exist + when: not __test_skip_encrypt_assertions + + - name: Get mount information + ansible.builtin.command: findmnt --noheadings --output SOURCE {{ trustee_client_encrypt_disk_mount_point }} + register: __test_findmnt + changed_when: false + failed_when: false + when: not 
__test_skip_encrypt_assertions + + - name: Assert the encrypted disk is mounted + ansible.builtin.assert: + that: + - __test_findmnt.rc == 0 + - __test_findmnt.stdout | trim != "" + fail_msg: >- + Nothing is mounted at {{ trustee_client_encrypt_disk_mount_point }} + when: not __test_skip_encrypt_assertions + + - name: Assert the mounted device is the LUKS mapper device + ansible.builtin.assert: + that: + - >- + '/dev/mapper/trustee_client_encrypted_disk_0' in + (__test_findmnt.stdout | trim) + fail_msg: >- + Expected /dev/mapper/trustee_client_encrypted_disk_0 to be mounted at + {{ trustee_client_encrypt_disk_mount_point }} but found: + {{ __test_findmnt.stdout }} + when: not __test_skip_encrypt_assertions + + - name: Stat the LUKS mapper device + ansible.builtin.stat: + path: /dev/mapper/trustee_client_encrypted_disk_0 + register: __test_mapper_dev + when: not __test_skip_encrypt_assertions + + - name: Assert LUKS mapper device exists + ansible.builtin.assert: + that: + - __test_mapper_dev.stat.exists + fail_msg: "LUKS mapper device /dev/mapper/trustee_client_encrypted_disk_0 does not exist" + when: not __test_skip_encrypt_assertions + + - name: Assert encrypted_disk_key fact was set + ansible.builtin.assert: + that: + - encrypted_disk_key is defined + - encrypted_disk_key | length > 0 + fail_msg: "encrypted_disk_key fact was not set by the role" + when: not __test_skip_encrypt_assertions + + - name: Stat podman storage directory on encrypted disk + ansible.builtin.stat: + path: "{{ trustee_client_encrypt_disk_mount_point }}/containers-storage" + register: __test_containers_storage + when: not __test_skip_encrypt_assertions + + - name: Assert podman storage directory was created on encrypted disk + ansible.builtin.assert: + that: + - __test_containers_storage.stat.exists + - __test_containers_storage.stat.isdir + fail_msg: >- + Podman storage directory + {{ trustee_client_encrypt_disk_mount_point }}/containers-storage + was not created + when: not 
__test_skip_encrypt_assertions + + - name: Read podman storage config + ansible.builtin.slurp: + src: /etc/containers/storage.conf + register: __test_storage_conf + when: not __test_skip_encrypt_assertions + + - name: Assert podman storage config points to encrypted disk + ansible.builtin.assert: + that: + - >- + trustee_client_encrypt_disk_mount_point in + (__test_storage_conf.content | b64decode) + fail_msg: >- + /etc/containers/storage.conf does not reference the encrypted + disk mount point {{ trustee_client_encrypt_disk_mount_point }} + when: not __test_skip_encrypt_assertions + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup + when: not __test_skip_encrypt_assertions - name: Ensure disk encryption works with systemd-cryptenroll when secret_registration_client is disabled hosts: all 
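Review bot: The `always` cleanup's `when: not __test_skip_encrypt_assertions` (and the matching `when: not __test_skip_cryptenroll_assertions` in the second play's hunk) references a fact that only exists once `Set fact when no unpartitioned disk is available` has run; if the block aborts before that task completes, the `always` task itself raises an undefined-variable error instead of cleaning up. Use `when: not (__test_skip_encrypt_assertions | default(true))`, which also correctly skips cleanup when the role was never run. Separately, `Get mount information` interpolates `{{ trustee_client_encrypt_disk_mount_point }}` into a free-form `command` line; `command` does not invoke a shell, so this is not injectable, but a mount point containing whitespace would be split into several arguments — the `argv` form, `argv: [findmnt, --noheadings, --output, SOURCE, "{{ trustee_client_encrypt_disk_mount_point }}"]`, avoids that.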
@@ -145,103 +160,117 @@ trustee_client_secret_registration_enabled: false trustee_client_encrypt_disk_mount_point: /mnt/encrypted-disk tasks: - - name: Check for an unpartitioned disk device - ansible.builtin.shell: | - set -o pipefail - lsblk -n -o NAME,TYPE,PKNAME | awk ' - $2=="disk" && $1 !~ /^zram|^loop|^dm/ { disk=$1; haspart[disk]=0 } - $2=="part" { parent=$3; if (parent in haspart) haspart[parent]=1 } - END { - for (d in haspart) { - if (haspart[d] == 0) { - print d - exit 0 + - name: Run the tests + block: + - name: Check for an unpartitioned disk device + ansible.builtin.shell: | + set -o pipefail + lsblk -n -o NAME,TYPE,PKNAME | awk ' + $2=="disk" && $1 !~ /^zram|^loop|^dm/ { disk=$1; haspart[disk]=0 } + $2=="part" { parent=$3; if (parent in haspart) haspart[parent]=1 } + END { + for (d in haspart) { + if (haspart[d] == 0) { + print d + exit 0 + } + } } - } - } - ' - register: __test_unpartitioned_disk - changed_when: false - failed_when: false - - - name: Set fact when no unpartitioned disk is available - ansible.builtin.set_fact: - __test_skip_cryptenroll_assertions: "{{ __test_unpartitioned_disk.stdout | trim == '' }}" - - - name: Check systemd-cryptenroll exists - ansible.builtin.command: command -v systemd-cryptenroll - register: __test_cryptenroll_check - changed_when: false - failed_when: false - when: not __test_skip_cryptenroll_assertions - - - name: Set fact when systemd-cryptenroll is not available - ansible.builtin.set_fact: - __test_skip_cryptenroll_assertions: "{{ __test_skip_cryptenroll_assertions or __test_cryptenroll_check.rc != 0 }}" - when: not __test_skip_cryptenroll_assertions - - - name: Run trustee_client role with disk encryption (cryptenroll path) - ansible.builtin.include_role: - name: linux-system-roles.trustee_client - when: not __test_skip_cryptenroll_assertions - - - name: Stat the encrypted disk mount point - ansible.builtin.stat: - path: "{{ trustee_client_encrypt_disk_mount_point }}" - register: __test_mount_point - when: 
not __test_skip_cryptenroll_assertions - - - name: Assert mount point directory exists - ansible.builtin.assert: - that: - - __test_mount_point.stat.exists - - __test_mount_point.stat.isdir - fail_msg: >- - Encrypted disk mount point - {{ trustee_client_encrypt_disk_mount_point }} does not exist - when: not __test_skip_cryptenroll_assertions - - - name: Assert the encrypted disk is mounted - ansible.builtin.command: findmnt --noheadings --output SOURCE {{ trustee_client_encrypt_disk_mount_point }} - register: __test_findmnt - changed_when: false - when: not __test_skip_cryptenroll_assertions - - - name: Assert the mounted device is the LUKS mapper device - ansible.builtin.assert: - that: - - __test_findmnt.rc == 0 - - "'/dev/mapper/trustee_client_encrypted_disk_0' in (__test_findmnt.stdout | default('') | trim)" - fail_msg: >- - Expected /dev/mapper/trustee_client_encrypted_disk_0 in the output of findmnt to be mounted at - {{ trustee_client_encrypt_disk_mount_point }} but found: - {{ __test_findmnt.stdout | default('') }} - when: not __test_skip_cryptenroll_assertions - - - name: Assert crypttab contains trustee_client_encrypted_disk_0 entry - ansible.builtin.slurp: - src: /etc/crypttab - register: __test_crypttab - when: not __test_skip_cryptenroll_assertions - - - name: Verify crypttab has trustee_client_encrypted_disk_0 with tpm2-device=auto - ansible.builtin.assert: - that: - - "'trustee_client_encrypted_disk_0' in (__test_crypttab.content | b64decode)" - - "'tpm2-device=auto' in (__test_crypttab.content | b64decode)" - fail_msg: "/etc/crypttab does not contain trustee_client_encrypted_disk_0 entry with tpm2-device=auto" - when: not __test_skip_cryptenroll_assertions - - - name: Assert fstab contains encrypted disk mount - ansible.builtin.slurp: - src: /etc/fstab - register: __test_fstab - when: not __test_skip_cryptenroll_assertions - - - name: Verify fstab has encrypted disk mount point - ansible.builtin.assert: - that: - - 
trustee_client_encrypt_disk_mount_point in (__test_fstab.content | b64decode) - - "'/dev/mapper/trustee_client_encrypted_disk_0' in (__test_fstab.content | b64decode)" - fail_msg: "/etc/fstab does not contain encrypted disk mount entry" - when: not __test_skip_cryptenroll_assertions + ' + register: __test_unpartitioned_disk + changed_when: false + failed_when: false + + - name: Set fact when no unpartitioned disk is available + ansible.builtin.set_fact: + __test_skip_cryptenroll_assertions: "{{ __test_unpartitioned_disk.stdout | trim == '' }}" + + - name: Check systemd-cryptenroll exists + ansible.builtin.command: command -v systemd-cryptenroll + register: __test_cryptenroll_check + changed_when: false + failed_when: false + when: not __test_skip_cryptenroll_assertions + + - name: Set fact when systemd-cryptenroll is not available + ansible.builtin.set_fact: + __test_skip_cryptenroll_assertions: "{{ __test_skip_cryptenroll_assertions or __test_cryptenroll_check.rc != 0 }}" + when: not __test_skip_cryptenroll_assertions + + - name: Run trustee_client role with disk encryption (cryptenroll path) + ansible.builtin.include_role: + name: linux-system-roles.trustee_client + public: true + when: not __test_skip_cryptenroll_assertions + + - name: Flush handlers to start services created by the role + ansible.builtin.meta: flush_handlers + when: not __test_skip_cryptenroll_assertions + + - name: Stat the encrypted disk mount point + ansible.builtin.stat: + path: "{{ trustee_client_encrypt_disk_mount_point }}" + register: __test_mount_point + when: not __test_skip_cryptenroll_assertions + + - name: Assert mount point directory exists + ansible.builtin.assert: + that: + - __test_mount_point.stat.exists + - __test_mount_point.stat.isdir + fail_msg: >- + Encrypted disk mount point + {{ trustee_client_encrypt_disk_mount_point }} does not exist + when: not __test_skip_cryptenroll_assertions + + - name: Assert the encrypted disk is mounted + ansible.builtin.command: findmnt 
--noheadings --output SOURCE {{ trustee_client_encrypt_disk_mount_point }} + register: __test_findmnt + changed_when: false + when: not __test_skip_cryptenroll_assertions + + - name: Assert the mounted device is the LUKS mapper device + ansible.builtin.assert: + that: + - __test_findmnt.rc == 0 + - "'/dev/mapper/trustee_client_encrypted_disk_0' in (__test_findmnt.stdout | default('') | trim)" + fail_msg: >- + Expected /dev/mapper/trustee_client_encrypted_disk_0 in the output of findmnt to be mounted at + {{ trustee_client_encrypt_disk_mount_point }} but found: + {{ __test_findmnt.stdout | default('') }} + when: not __test_skip_cryptenroll_assertions + + - name: Assert crypttab contains trustee_client_encrypted_disk_0 entry + ansible.builtin.slurp: + src: /etc/crypttab + register: __test_crypttab + when: not __test_skip_cryptenroll_assertions + + - name: Verify crypttab has trustee_client_encrypted_disk_0 with tpm2-device=auto + ansible.builtin.assert: + that: + - "'trustee_client_encrypted_disk_0' in (__test_crypttab.content | b64decode)" + - "'tpm2-device=auto' in (__test_crypttab.content | b64decode)" + fail_msg: "/etc/crypttab does not contain trustee_client_encrypted_disk_0 entry with tpm2-device=auto" + when: not __test_skip_cryptenroll_assertions + + - name: Assert fstab contains encrypted disk mount + ansible.builtin.slurp: + src: /etc/fstab + register: __test_fstab + when: not __test_skip_cryptenroll_assertions + + - name: Verify fstab has encrypted disk mount point + ansible.builtin.assert: + that: + - trustee_client_encrypt_disk_mount_point in (__test_fstab.content | b64decode) + - "'/dev/mapper/trustee_client_encrypted_disk_0' in (__test_fstab.content | b64decode)" + fail_msg: "/etc/fstab does not contain encrypted disk mount entry" + when: not __test_skip_cryptenroll_assertions + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup + when: not 
__test_skip_cryptenroll_assertions diff --git a/tests/tests_kbs_config.yml b/tests/tests_kbs_config.yml index 0fa58ac..84d0102 100644 --- a/tests/tests_kbs_config.yml +++ b/tests/tests_kbs_config.yml 
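Review bot: `Verify crypttab has trustee_client_encrypted_disk_0 with tpm2-device=auto` checks its two substrings independently over the whole of /etc/crypttab, so it passes when `tpm2-device=auto` belongs to a different entry and the trustee volume is actually configured without TPM binding — the property this play is meant to pin. Test both on the same line, e.g. `- "(__test_crypttab.content | b64decode) is regex('^trustee_client_encrypted_disk_0\\s.*tpm2-device=auto', multiline=True)"`. The `__test_findmnt.rc == 0` condition in `Assert the mounted device is the LUKS mapper device` is unreachable, because the preceding findmnt `command` task has no `failed_when: false` and already fails the play on a non-zero exit; either drop the condition or add `failed_when: false` to the findmnt task as the first play does.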
@@ -8,95 +8,106 @@ trustee_client_kbs_url: "https://kbs.example.com:8080" trustee_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\nMIIBIjANBgkq\n-----END CERTIFICATE-----" tasks: - - name: Run the role - ansible.builtin.include_tasks: - file: tasks/run_role_with_clear_facts.yml - vars: - __sr_public: true - - - name: Stat CDH config file - stat: - path: /etc/trustee-gc/cdh/config.toml - register: __test_cdh_config - - - name: Verify CDH config contains KBS URL - when: __test_cdh_config.stat.exists + - name: Run the tests block: - - name: Read CDH config file - slurp: - src: /etc/trustee-gc/cdh/config.toml - register: __test_cdh_content - - - name: Assert CDH config contains the KBS URL + - name: Run the role + ansible.builtin.include_tasks: + file: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true + + - name: Flush handlers to start services created by the role + ansible.builtin.meta: flush_handlers + + - name: Stat CDH config file + stat: + path: /etc/trustee-gc/cdh/config.toml + register: __test_cdh_config + + - name: Verify CDH config contains KBS URL + when: __test_cdh_config.stat.exists + block: + - name: Read CDH config file + slurp: + src: /etc/trustee-gc/cdh/config.toml + register: __test_cdh_content + + - name: Assert CDH config contains the KBS URL + assert: + that: + - >- + trustee_client_kbs_url in + (__test_cdh_content.content | b64decode) + fail_msg: >- + KBS URL '{{ trustee_client_kbs_url }}' not found in + /etc/trustee-gc/cdh/config.toml + + - name: Assert CDH config does not contain the KBS_URL placeholder + assert: + that: + - >- + 'KBS_URL' not in + (__test_cdh_content.content | b64decode) + fail_msg: >- + Unreplaced placeholder KBS_URL still present in + /etc/trustee-gc/cdh/config.toml + + - name: Stat AA config file + stat: + path: /etc/trustee-gc/aa/config.toml + register: __test_aa_config + + - name: Verify AA config contains KBS URL + when: __test_aa_config.stat.exists + block: + - name: Read AA config file + slurp: + 
src: /etc/trustee-gc/aa/config.toml + register: __test_aa_content + + - name: Assert AA config contains the KBS URL + assert: + that: + - >- + trustee_client_kbs_url in + (__test_aa_content.content | b64decode) + fail_msg: >- + KBS URL '{{ trustee_client_kbs_url }}' not found in + /etc/trustee-gc/aa/config.toml + + - name: Assert AA config does not contain the KBS_URL placeholder + assert: + that: + - >- + 'KBS_URL' not in + (__test_aa_content.content | b64decode) + fail_msg: >- + Unreplaced placeholder KBS_URL still present in + /etc/trustee-gc/aa/config.toml + + - name: Assert at least one trustee-gc config file was found assert: that: - - >- - trustee_client_kbs_url in - (__test_cdh_content.content | b64decode) - fail_msg: >- - KBS URL '{{ trustee_client_kbs_url }}' not found in - /etc/trustee-gc/cdh/config.toml - - - name: Assert CDH config does not contain the KBS_URL placeholder - assert: - that: - - >- - 'KBS_URL' not in - (__test_cdh_content.content | b64decode) + - __test_cdh_config.stat.exists or __test_aa_config.stat.exists fail_msg: >- - Unreplaced placeholder KBS_URL still present in - /etc/trustee-gc/cdh/config.toml + Neither /etc/trustee-gc/cdh/config.toml nor + /etc/trustee-gc/aa/config.toml was found after role execution - - name: Stat AA config file - stat: - path: /etc/trustee-gc/aa/config.toml - register: __test_aa_config + - name: Stat KBS certificate file + stat: + path: /etc/trustee-gc/server.crt + register: __test_kbs_cert - - name: Verify AA config contains KBS URL - when: __test_aa_config.stat.exists - block: - - name: Read AA config file - slurp: - src: /etc/trustee-gc/aa/config.toml - register: __test_aa_content - - - name: Assert AA config contains the KBS URL + - name: Assert KBS certificate was written assert: - that: - - >- - trustee_client_kbs_url in - (__test_aa_content.content | b64decode) - fail_msg: >- - KBS URL '{{ trustee_client_kbs_url }}' not found in - /etc/trustee-gc/aa/config.toml - - - name: Assert AA config does not 
contain the KBS_URL placeholder - assert: - that: - - >- - 'KBS_URL' not in - (__test_aa_content.content | b64decode) - fail_msg: >- - Unreplaced placeholder KBS_URL still present in - /etc/trustee-gc/aa/config.toml - - - name: Assert at least one trustee-gc config file was found - assert: - that: - - __test_cdh_config.stat.exists or __test_aa_config.stat.exists - fail_msg: >- - Neither /etc/trustee-gc/cdh/config.toml nor - /etc/trustee-gc/aa/config.toml was found after role execution - - - name: Stat KBS certificate file - stat: - path: /etc/trustee-gc/server.crt - register: __test_kbs_cert - - - name: Assert KBS certificate was written - assert: - that: __test_kbs_cert.stat.exists - fail_msg: "KBS certificate /etc/trustee-gc/server.crt was not written" + that: __test_kbs_cert.stat.exists + fail_msg: "KBS certificate /etc/trustee-gc/server.crt was not written" + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup - name: Ensure KBS certificate from path is configured in trustee-gc config files hosts: all 
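Review bot: The tasks in this play mix short module names (`stat`, `slurp`, `assert`) with fully qualified ones (`ansible.builtin.include_tasks`, `ansible.builtin.meta`), and the second play in the same file uses `ansible.builtin.*` throughout; since the re-indentation already touches every one of these lines, normalizing them to the FQCN form (`ansible.builtin.stat`, `ansible.builtin.slurp`, `ansible.builtin.assert`) would make the file consistent at no extra diff cost. The nested `when: __test_cdh_config.stat.exists` blocks and the trailing `Assert at least one trustee-gc config file was found` are ordered correctly, so a missing config still fails the play rather than silently skipping every assertion.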
@@ -107,70 +118,82 @@ trustee_client_kbs_cert_content: "" __test_cert_content: "-----BEGIN CERTIFICATE-----\nMIIBIjANBgkq\n-----END CERTIFICATE-----" tasks: - - name: Create cert file on control node for path test - ansible.builtin.copy: - content: "{{ __test_cert_content }}" - dest: "{{ playbook_dir }}/kbs_test_cert.crt" - mode: "0644" - run_once: true - delegate_to: localhost - - - name: Run trustee_client role with KBS cert from path - ansible.builtin.include_role: - name: linux-system-roles.trustee_client - vars: - trustee_client_kbs_cert_src: "{{ playbook_dir }}/kbs_test_cert.crt" - - - name: Stat CDH config file - ansible.builtin.stat: - path: /etc/trustee-gc/cdh/config.toml - register: __test_cdh_config - - - name: Verify CDH config contains KBS URL and cert content - when: __test_cdh_config.stat.exists + - name: Run the tests block: - - name: Read CDH config file - ansible.builtin.slurp: - src: /etc/trustee-gc/cdh/config.toml - register: __test_cdh_content - - - name: Assert CDH config contains the KBS URL + - name: Create cert file on control node for path test + ansible.builtin.copy: + content: "{{ __test_cert_content }}" + dest: "{{ playbook_dir }}/kbs_test_cert.crt" + mode: "0644" + run_once: true + delegate_to: localhost + + - name: Run trustee_client role with KBS cert from path + ansible.builtin.include_role: + name: linux-system-roles.trustee_client + public: true + vars: + trustee_client_kbs_cert_src: "{{ playbook_dir }}/kbs_test_cert.crt" + + - name: Flush handlers to start services created by the role + ansible.builtin.meta: flush_handlers + + - name: Stat CDH config file + ansible.builtin.stat: + path: /etc/trustee-gc/cdh/config.toml + register: __test_cdh_config + + - name: Verify CDH config contains KBS URL and cert content + when: __test_cdh_config.stat.exists + block: + - name: Read CDH config file + ansible.builtin.slurp: + src: /etc/trustee-gc/cdh/config.toml + register: __test_cdh_content + + - name: Assert CDH config contains the KBS URL 
+ ansible.builtin.assert: + that: + - >- + trustee_client_kbs_url in + (__test_cdh_content.content | b64decode) + fail_msg: >- + KBS URL '{{ trustee_client_kbs_url }}' not found in + /etc/trustee-gc/cdh/config.toml + + - name: Assert CDH config contains cert content from path + ansible.builtin.assert: + that: + - >- + 'MIIBIjANBgkq' in (__test_cdh_content.content | b64decode) + fail_msg: >- + KBS cert content from path not found in + /etc/trustee-gc/cdh/config.toml + + - name: Stat KBS certificate file + ansible.builtin.stat: + path: /etc/trustee-gc/server.crt + register: __test_kbs_cert + + - name: Assert KBS certificate was written from path ansible.builtin.assert: - that: - - >- - trustee_client_kbs_url in - (__test_cdh_content.content | b64decode) - fail_msg: >- - KBS URL '{{ trustee_client_kbs_url }}' not found in - /etc/trustee-gc/cdh/config.toml + that: __test_kbs_cert.stat.exists + fail_msg: "KBS certificate /etc/trustee-gc/server.crt was not written from path" - - name: Assert CDH config contains cert content from path + - name: Assert server.crt contains expected cert content + ansible.builtin.slurp: + src: /etc/trustee-gc/server.crt + register: __test_server_crt_content + + - name: Verify server.crt content matches cert from path ansible.builtin.assert: that: - >- - 'MIIBIjANBgkq' in (__test_cdh_content.content | b64decode) - fail_msg: >- - KBS cert content from path not found in - /etc/trustee-gc/cdh/config.toml - - - name: Stat KBS certificate file - ansible.builtin.stat: - path: /etc/trustee-gc/server.crt - register: __test_kbs_cert - - - name: Assert KBS certificate was written from path - ansible.builtin.assert: - that: __test_kbs_cert.stat.exists - fail_msg: "KBS certificate /etc/trustee-gc/server.crt was not written from path" - - - name: Assert server.crt contains expected cert content - ansible.builtin.slurp: - src: /etc/trustee-gc/server.crt - register: __test_server_crt_content - - - name: Verify server.crt content matches cert from path - 
ansible.builtin.assert: - that: - - >- - __test_cert_content in (__test_server_crt_content.content | b64decode) - fail_msg: "KBS certificate /etc/trustee-gc/server.crt content does not match cert from path" + __test_cert_content in (__test_server_crt_content.content | b64decode) + fail_msg: "KBS certificate /etc/trustee-gc/server.crt content does not match cert from path" + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup diff --git a/tests/tests_secret_registration_client.yml b/tests/tests_secret_registration_client.yml index f575eb6..be0d628 100644 --- a/tests/tests_secret_registration_client.yml +++ b/tests/tests_secret_registration_client.yml 
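Review bot: The `always` section of this play cleans up the managed host but not the control node: `Create cert file on control node for path test` writes `{{ playbook_dir }}/kbs_test_cert.crt` via `delegate_to: localhost`, and nothing removes it, so the fixture is left behind in the playbook directory after every run (and can be picked up by a later run even if the copy task were to fail). Add a matching removal task to `always`, delegated and `run_once` like the copy, so the control node is restored whether or not the assertions passed.
```yaml
      always:
        # … unchanged: include of tasks/cleanup.yml …
        - name: Remove test certificate from control node
          ansible.builtin.file:
            path: "{{ playbook_dir }}/kbs_test_cert.crt"
            state: absent
          run_once: true
          delegate_to: localhost
          tags:
            - tests::cleanup
```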
@@ -6,35 +6,46 @@ trustee_client_trustee_gc: true trustee_client_secret_registration_enabled: true tasks: - - name: Run the role - ansible.builtin.include_tasks: - file: tasks/run_role_with_clear_facts.yml - vars: - __sr_public: true + - name: Run the tests + block: + - name: Run the role + ansible.builtin.include_tasks: + file: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true - - name: Collect package facts - ansible.builtin.package_facts: - manager: auto - no_log: true + - name: Flush handlers to start services created by the role + ansible.builtin.meta: flush_handlers - - name: Assert required packages are installed - ansible.builtin.assert: - that: item in ansible_facts.packages - fail_msg: "Required package {{ item }} is not installed" - loop: "{{ __trustee_client_trustee_gc_packages + __trustee_client_secret_registration_client_packages }}" + - name: Collect package facts + ansible.builtin.package_facts: + manager: auto + no_log: true - - name: Check secret registration client script exists - ansible.builtin.stat: - path: /usr/local/bin/secret_registration_client.sh - register: client_script + - name: Assert required packages are installed + ansible.builtin.assert: + that: item in ansible_facts.packages + fail_msg: "Required package {{ item }} is not installed" + loop: "{{ __trustee_client_trustee_gc_packages + __trustee_client_secret_registration_client_packages }}" - - name: Assert secret registration client script was deployed - ansible.builtin.assert: - that: client_script.stat.exists - fail_msg: "Secret registration client script was not deployed" + - name: Check secret registration client script exists + ansible.builtin.stat: + path: /usr/local/bin/secret_registration_client.sh + register: client_script - - name: Assert secret registration client service is enabled - ansible.builtin.service: - name: "secret_registration_client" - enabled: true - check_mode: true + - name: Assert secret registration client script was deployed + 
ansible.builtin.assert: + that: client_script.stat.exists + fail_msg: "Secret registration client script was not deployed" + + - name: Assert secret registration client service is enabled + ansible.builtin.service: + name: "secret_registration_client" + enabled: true + check_mode: true + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup diff --git a/tests/tests_trustee_gc_disabled.yml b/tests/tests_trustee_gc_disabled.yml index fef57df..40a4158 100644 --- a/tests/tests_trustee_gc_disabled.yml +++ b/tests/tests_trustee_gc_disabled.yml 
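Review bot: The task `Assert secret registration client service is enabled` does not assert anything: `ansible.builtin.service` run with `check_mode: true` reports `changed` when the unit is not enabled but never fails, so this test passes whether or not the service was enabled by the role. Register the result and fail on a predicted change, e.g. add `register: __test_sr_service` and `failed_when: __test_sr_service is changed` to that task, so the name matches what it verifies. Separately, the `tags: - tests::cleanup` on the `always:` include is attached to the include task only; that is sufficient for `--skip-tags tests::cleanup`, but if the cleanup is ever meant to be selected on its own with `--tags`, the included tasks also need `apply: { tags: [tests::cleanup] }`. The same tagging applies to the `always:` blocks in the other two test files of this commit.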
@@ -11,73 +11,85 @@ trustee_client_encrypt_disk: false __trustee_client_quadlet_install_dir: "/etc/containers/systemd" tasks: - - name: Stat quadlet install directory (before role) - ansible.builtin.stat: - path: "{{ __trustee_client_quadlet_install_dir }}" - register: __test_quadlet_dir_before + - name: Run the tests + block: + - name: Stat quadlet install directory (before role) + ansible.builtin.stat: + path: "{{ __trustee_client_quadlet_install_dir }}" + register: __test_quadlet_dir_before - - name: Find quadlet files before role run - ansible.builtin.find: - paths: "{{ __trustee_client_quadlet_install_dir }}" - patterns: - - "*.container" - - "*.volume" - - "*.network" - - "*.kube" - - "*.pod" - register: __test_quadlet_files_before - when: __test_quadlet_dir_before.stat.exists + - name: Find quadlet files before role run + ansible.builtin.find: + paths: "{{ __trustee_client_quadlet_install_dir }}" + patterns: + - "*.container" + - "*.volume" + - "*.network" + - "*.kube" + - "*.pod" + register: __test_quadlet_files_before + when: __test_quadlet_dir_before.stat.exists - - name: Stat trustee-gc config directory (before role) - ansible.builtin.stat: - path: /etc/trustee-gc - register: __test_trustee_gc_dir_before + - name: Stat trustee-gc config directory (before role) + ansible.builtin.stat: + path: /etc/trustee-gc + register: __test_trustee_gc_dir_before - - name: Run role with trustee_gc disabled - ansible.builtin.include_tasks: - file: tasks/run_role_with_clear_facts.yml - vars: - trustee_client_trustee_gc: false - trustee_client_encrypt_disk: false + - name: Run role with trustee_gc disabled + ansible.builtin.include_tasks: + file: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true + trustee_client_trustee_gc: false + trustee_client_encrypt_disk: false - - name: Stat quadlet install directory (after role) - ansible.builtin.stat: - path: "{{ __trustee_client_quadlet_install_dir }}" - register: __test_quadlet_dir_after + - name: Flush handlers to 
start services created by the role + ansible.builtin.meta: flush_handlers - - name: Find quadlet files after role run - ansible.builtin.find: - paths: "{{ __trustee_client_quadlet_install_dir }}" - patterns: - - "*.container" - - "*.volume" - - "*.network" - - "*.kube" - - "*.pod" - register: __test_quadlet_files_after - when: __test_quadlet_dir_after.stat.exists + - name: Stat quadlet install directory (after role) + ansible.builtin.stat: + path: "{{ __trustee_client_quadlet_install_dir }}" + register: __test_quadlet_dir_after - - name: Stat trustee-gc config directory (after role) - ansible.builtin.stat: - path: /etc/trustee-gc - register: __test_trustee_gc_dir_after + - name: Find quadlet files after role run + ansible.builtin.find: + paths: "{{ __trustee_client_quadlet_install_dir }}" + patterns: + - "*.container" + - "*.volume" + - "*.network" + - "*.kube" + - "*.pod" + register: __test_quadlet_files_after + when: __test_quadlet_dir_after.stat.exists - - name: Assert role did not add any quadlet files - ansible.builtin.assert: - that: - - >- - (__test_quadlet_files_after.files | default([]) | map(attribute='path') | sort | list) == - (__test_quadlet_files_before.files | default([]) | map(attribute='path') | sort | list) - fail_msg: >- - Role with trustee_client_trustee_gc false added or removed quadlet - files (expected no change) + - name: Stat trustee-gc config directory (after role) + ansible.builtin.stat: + path: /etc/trustee-gc + register: __test_trustee_gc_dir_after - - name: Assert role did not create trustee-gc config directory - ansible.builtin.assert: - that: - - >- - (not __test_trustee_gc_dir_after.stat.exists) or - __test_trustee_gc_dir_before.stat.exists - fail_msg: >- - Trustee GC config directory /etc/trustee-gc was created by the - role even though trustee_client_trustee_gc is false + - name: Assert role did not add any quadlet files + ansible.builtin.assert: + that: + - >- + (__test_quadlet_files_after.files | default([]) | 
map(attribute='path') | sort | list) == + (__test_quadlet_files_before.files | default([]) | map(attribute='path') | sort | list) + fail_msg: >- + Role with trustee_client_trustee_gc false added or removed quadlet + files (expected no change) + + - name: Assert role did not create trustee-gc config directory + ansible.builtin.assert: + that: + - >- + (not __test_trustee_gc_dir_after.stat.exists) or + __test_trustee_gc_dir_before.stat.exists + fail_msg: >- + Trustee GC config directory /etc/trustee-gc was created by the + role even though trustee_client_trustee_gc is false + always: + - name: Cleanup trustee_client test resources + ansible.builtin.include_tasks: + file: tasks/cleanup.yml + tags: + - tests::cleanup
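Review bot: The new `always:` cleanup can remove state this test explicitly tolerates as pre-existing: the assertion `(not __test_trustee_gc_dir_after.stat.exists) or __test_trustee_gc_dir_before.stat.exists` accepts an /etc/trustee-gc that was present before the role ran, and the before/after quadlet comparison likewise accepts pre-existing unit files, yet `tasks/cleanup.yml` is included unconditionally. If that file removes /etc/trustee-gc and trustee-gc quadlet units regardless of who created them, running this playbook on a host that already had a trustee-gc deployment deletes it even though the role under test changed nothing. Consider either skipping the directory and unit removal when `__test_trustee_gc_dir_before.stat.exists` (the variable is already registered in this block), or limiting cleanup to paths that were recorded as absent before the role ran, and stating that scope in a comment on the include.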