From 9bae6bfdb996f2a59279f241020a6ce2bb4763b4 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Mon, 17 Feb 2025 12:23:12 +0100
Subject: [PATCH] Auto-fix yaml rules

In order to reduce divergance with ansible-lint rules, we apply auto-fixing of violations. In current patch we replace all kind of truthy variables with `true` or `false` values to align with recommendations along with alignment of used quotes.

Change-Id: I2e7bdac26e914a62e9416d34381696ce3d2117dc
---
 .gitignore | 1 +
 defaults/main.yml | 4 +-
 examples/playbook.yml | 1 -
 meta/main.yml | 1 +
 molecule/default/group_vars/all.yml | 58 ++++++++++++++---------------
 molecule/default/verify.yml | 3 +-
 requirements.yml | 1 +
 tasks/main_ca.yml | 6 +--
 tasks/main_certs.yml | 4 +-
 tasks/standalone/create_ca.yml | 15 ++++----
 tasks/standalone/create_cert.yml | 3 +-
 11 files changed, 48 insertions(+), 49 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3a77206..c46a9ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,6 +45,7 @@ logs/*
 # OS generated files #
 ######################
 ._*
+.ansible
 .tox
 *.egg-info
 .eggs
diff --git a/defaults/main.yml b/defaults/main.yml
index fc63d59..a64601e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -70,7 +70,7 @@ pki_install_ca: []
 pki_search_install_ca_pattern: "pki_install_ca_"
 
 # set this to the name of a CA to regenerate, or to 'true' to regenerate all
-pki_regen_ca: ''
+pki_regen_ca: ""
 
 # locations of system trust stores to install CA certs to
 pki_trust_store_location:
@@ -104,7 +104,7 @@ pki_search_certificates_pattern: "pki_certificates_"
 # signed_by: "SnakeRootIntermediate"
 
 # set this to the name of the certificate to regenerate, or to 'true' to regenerate all
-pki_regen_cert: ''
+pki_regen_cert: ""
 
 # host where the generated PKI files are kept
 pki_setup_host: localhost
diff --git a/examples/playbook.yml b/examples/playbook.yml
index fee15f9..b19bd82 100644
--- a/examples/playbook.yml
+++ b/examples/playbook.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Install PKI
 hosts: all
 tasks:
diff --git a/meta/main.yml b/meta/main.yml
index 9d50349..06df29b 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,3 +1,4 @@
+---
 galaxy_info:
 author: City Networks, BBC
 description: Installation and configuration of PKI infrastructure
diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
index 6de54d3..520b86b 100644
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
@@ -20,35 +20,35 @@ functional_ca_name_1: "ExampleCorpRoot"
 # Example self-signed certificate authority
 # Using the default variable
 pki_authorities:
- - name: "{{ functional_ca_name_1 }}"
- provider: selfsigned
- basic_constraints: "CA:TRUE"
- cn: "Example Corp Root CA"
- email_address: "pki@example.com"
- country_name: "GB"
- state_or_province_name: "England"
- organization_name: "Example Corporation"
- organizational_unit_name: "IT Security"
- key_usage:
- - digitalSignature
- - cRLSign
- - keyCertSign
- not_after: "+3650d"
- - name: "ExampleCorpIntermediate"
- provider: ownca
- basic_constraints: "CA:TRUE,pathlen:0"
- cn: "Example Corp Openstack Infrastructure Intermediate CA"
- email_address: "pki@example.com"
- country_name: "GB"
- state_or_province_name: "England"
- organization_name: "Example Corporation"
- organizational_unit_name: "IT Security"
- key_usage:
- - digitalSignature
- - cRLSign
- - keyCertSign
- not_after: "+3650d"
- signed_by: "ExampleCorpRoot"
+ - name: "{{ functional_ca_name_1 }}"
+ provider: selfsigned
+ basic_constraints: "CA:TRUE"
+ cn: "Example Corp Root CA"
+ email_address: "pki@example.com"
+ country_name: "GB"
+ state_or_province_name: "England"
+ organization_name: "Example Corporation"
+ organizational_unit_name: "IT Security"
+ key_usage:
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ not_after: "+3650d"
+ - name: "ExampleCorpIntermediate"
+ provider: ownca
+ basic_constraints: "CA:TRUE,pathlen:0"
+ cn: "Example Corp Openstack Infrastructure Intermediate CA"
+ email_address: "pki@example.com"
+ country_name: "GB"
+ state_or_province_name: "England"
+ organization_name: "Example Corporation"
+ organizational_unit_name: "IT Security"
+ key_usage:
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ not_after: "+3650d"
+ signed_by: "ExampleCorpRoot"
 
 # Custom CA generation search pattern
 pki_search_authorities_pattern: "foo_authorities_"
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index e1ebdd0..1f22ced 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -6,7 +6,6 @@
 apt: /usr/local/share/ca-certificates/
 dnf: /etc/pki/ca-trust/source/anchors/
 tasks:
-
 # Check that certificate authorities are installed (or absent) at the correct path
 - stat:
 path: "{{ pki_trust_store_location[ansible_facts['pkg_mgr']] }}/{{ functional_ca_name_1 }}.crt"
@@ -81,4 +80,4 @@
 
 - name: Validate server certificate against system trust store
 command: certtool --verify --infile "{{ functional_install_chain_2_dest }}"
- changed_when: false
\ No newline at end of file
+ changed_when: false
diff --git a/requirements.yml b/requirements.yml
index 4b76f86..dd9780d 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,3 +1,4 @@
+---
 collections:
 - name: community.crypto
 version: 2.0.2
diff --git a/tasks/main_ca.yml b/tasks/main_ca.yml
index dded460..341b56a 100644
--- a/tasks/main_ca.yml
+++ b/tasks/main_ca.yml
@@ -28,7 +28,7 @@
 - "{{ pki_ca_dirs }}"
 - "{{ pki_cert_dirs }}"
 delegate_to: "{{ pki_setup_host }}"
- check_mode: no
+ check_mode: false
 
 - name: Create certificate authorities
 include_tasks: "{{ pki_method }}/create_ca.yml"
@@ -36,6 +36,6 @@
 loop_control:
 loop_var: ca
 vars:
- ca_dir: "{{ pki_dir }}/roots/{{ ca.name }}"
- ca_cert_prefix: "{{ ca_dir ~ '/certs/' ~ ca.name }}"
+ ca_dir: "{{ pki_dir }}/roots/{{ ca.name }}"
+ ca_cert_prefix: "{{ ca_dir ~ '/certs/' ~ ca.name }}"
 when: pki_create_ca | bool
diff --git a/tasks/main_certs.yml b/tasks/main_certs.yml
index cf64cc2..5b78605 100644
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
@@ -19,7 +19,7 @@
 loop_control:
 loop_var: cert
 vars:
- cert_dir: "{{ pki_dir }}/certs"
+ cert_dir: "{{ pki_dir }}/certs"
 when:
 - pki_create_certificates | default(true)
 
@@ -44,7 +44,7 @@
 loop_label:
 path: "{{ install }}"
 state: directory
- mode: '0755'
+ mode: "0755"
 
 - name: Install Server certificates to targets
 copy:
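Review bot: `check_mode: false` on the task that loops over `pki_ca_dirs`/`pki_cert_dirs` with `delegate_to: "{{ pki_setup_host }}"` (in the tasks/main_ca.yml hunk at -28,7, just above `- name: Create certificate authorities`) makes that task run for real even under `--check`, and nothing in the file records why. A one-line comment above it would spare the next reader a lookup, e.g. `# Runs even in check mode: the CA/certificate tasks that follow need these paths to exist on the setup host` — presumably the reason, since the dependent tasks are outside this hunk. The task's name and module line also begin before the hunk.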
diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index bf47227..edca967 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
@@ -19,7 +19,6 @@
 ansible_python_interpreter: "{{ pki_setup_host_python_interpreter }}"
 delegate_to: "{{ pki_setup_host }}"
 block:
-
 - name: Create directories for certificate authority {{ ca.name }}
 file:
 state: directory
@@ -36,8 +35,8 @@
 - path: "{{ ca_dir ~ '/certs' }}"
 mode: "{{ pki_cert_dir_mode }}"
 
- # NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
- # openssl_privatekey gets changed when harmonizing ownership/permissions
+ # NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
+ # openssl_privatekey gets changed when harmonizing ownership/permissions
 - name: Ensure private key has proper ownership
 file:
 state: file
@@ -50,8 +49,8 @@
 - name: Initialise the serial number for {{ ca.name }}
 copy:
 content: "999"
- dest : "{{ ca_dir ~ '/serial' }}"
- force: no
+ dest: "{{ ca_dir ~ '/serial' }}"
+ force: false
 
 - name: Generate CA private key for {{ ca.name }}
 community.crypto.openssl_privatekey:
@@ -75,7 +74,7 @@
 privatekey_path: "{{ ca_privkey.filename }}"
 privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
 common_name: "{{ ca.cn }}"
- basic_constraints_critical: yes
+ basic_constraints_critical: true
 basic_constraints: "{{ ca.basic_constraints }}"
 key_usage: "{{ ca.key_usage }}"
 country_name: "{{ ca.country_name | default(omit) }}"
@@ -99,7 +98,7 @@
 community.crypto.x509_certificate:
 path: "{{ ca_cert_prefix ~ '-' ~ next_serial_no ~ '.crt' }}"
 csr_path: "{{ ca_csr.filename }}"
- provider: 'selfsigned'
+ provider: "selfsigned"
 privatekey_path: "{{ ca_privkey.filename }}"
 privatekey_passphrase: "{{ ca.key_passphrase | default(omit) }}"
 selfsigned_not_after: "{{ ca.not_after }}"
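Review bot: `content: "999"` in the `Initialise the serial number` task (hunk -50,8) is an unexplained magic value, and the renamed `force: false` is the line that actually keeps the counter across re-runs; neither is documented. Suggest a comment above the task: `# Seed the per-CA serial counter once; force: false leaves an existing counter untouched on later runs`. The later hunks in this file use `next_serial_no` in the certificate file name; whether it also becomes the X.509 serial number is not visible here — if it does, a sequential counter seeded at 999 yields predictable serials, and leaving the serial to the module default (presumably random; confirm) would be the safer choice outside test setups. The enclosing `block:` starts before this hunk.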
@@ -116,7 +115,7 @@
 community.crypto.x509_certificate:
 path: "{{ ca_cert_prefix ~ '-' ~ next_serial_no ~ '.crt' }}"
 csr_path: "{{ ca_csr.filename }}"
- provider: 'ownca'
+ provider: "ownca"
 ownca_privatekey_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/private/' ~ ca.signed_by ~ '.key.pem' }}"
 ownca_privatekey_passphrase: "{{ ca.ownca_key_passphrase | default(omit) }}"
 ownca_path: "{{ pki_dir ~ '/roots/' ~ ca.signed_by ~ '/certs/' ~ ca.signed_by ~ '.crt' }}"
diff --git a/tasks/standalone/create_cert.yml b/tasks/standalone/create_cert.yml
index b72d346..d94f726 100644
--- a/tasks/standalone/create_cert.yml
+++ b/tasks/standalone/create_cert.yml
@@ -21,7 +21,6 @@
 _ca_file: "{{ pki_dir ~ '/roots/' ~ cert.signed_by ~ '/certs/' ~ cert.signed_by ~ '.crt' }}"
 delegate_to: "{{ pki_setup_host }}"
 block:
-
 - name: Generate certificate private key for {{ cert.name }}
 community.crypto.openssl_privatekey:
 path: "{{ cert_dir ~ '/private/' ~ cert.name ~ '.key.pem' }}"
@@ -37,7 +36,7 @@
 privatekey_path: "{{ cert_privkey.filename }}"
 privatekey_passphrase: "{{ cert.key_passphrase | default(omit) }}"
 common_name: "{{ cert.cn | default(omit) }}"
- basic_constraints_critical: yes
+ basic_constraints_critical: true
 basic_constraints: "{{ cert.basic_constraints | default(omit) }}"
 key_usage: "{{ cert.key_usage | default(omit) }}"
 extended_key_usage: "{{ cert.extended_key_usage | default(omit) }}"