diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fc638a0..e759c4d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -68,6 +68,15 @@ test_nginx:
 tags:
 - docker
 
+test_sudo:
+ stage: test
+ before_script:
+ - bin/prepare_test_env.sh -i opensuse -g -p sudo
+ - bin/get_formulas.py -c -d /srv/formula -s --clone-from 'https://gitlab.infra.opensuse.org/saltstack-formulas' --clone-branch production
+ script: bin/test_sudo.sh
+ tags:
+ - docker
+
 deploy_job:
 stage: deploy
 script: sudo salt-call event.fire_master $CI_DEPLOY_PASSWORD salt/fileserver/gitfs/update
diff --git a/bin/test_sudo.sh b/bin/test_sudo.sh
new file mode 100755
index 0000000..338a364
--- /dev/null
+++ b/bin/test_sudo.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# Validate the salt-generated sudo configs
+
+[[ $(whoami) == 'root' ]] || { echo 'Please run this script as root'; exit 1; }
+
+source bin/get_colors.sh
+
+reset_sudo() {
+ rm -rf /etc/sudoers*
+ cp -a /etc/orig/* /etc
+ printf "roles:\n- $role" > /etc/salt/grains
+}
+
+mkdir /etc/orig
+cp -a /etc/sudoers* /etc/orig
+
+run_tests() {
+ salt-call --local -l quiet state.apply sudoers,sudoers.included > /dev/null
+ visudo -c > output 2>&1
+ STATUS=$?
+ if [[ $STATUS == 0 ]]; then
+ echo_PASSED
+ else
+ cat output
+ echo_FAILED
+ fi
+ echo
+}
+
+echo_INFO "Testing virtual: physical"
+echo "virtual: physical" > /etc/salt/grains
+run_tests
+
+pushd pillar > /dev/null
+SUDO_ROLES=(
+ # Get all the roles that include common sls files, which contain sudoers entries
+ $(grep -lr 'sudoers:' role/common/ | while read i; do L=${i%%.*}; L=${L//\//.}; grep -lr $L role/*.sls; done)
+ # Get all the roles that contain sudoers entries
+ $(grep -lr 'sudoers:' role/*.sls)
+ # add additional roles that contain sudoers rules and are difficult to find in an automated way
+ role/worker_gitlab.sls
+)
+popd > /dev/null
+
+for _role in ${SUDO_ROLES[@]}; do
+ _role=${_role##*/}
+ role=${_role%%.*}
+ echo_INFO "Testing role: $role"
+ reset_sudo
+ run_tests
+done
+
+exit $STATUS
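Review bot: Nothing in the `test_sudo` job records that `bin/test_sudo.sh` is destructive. The script added in this commit runs as root, deletes `/etc/sudoers*` and overwrites `/etc/salt/grains`, so it is only safe inside a throwaway container. A comment above the job such as `# rewrites /etc/sudoers* as root; run only on disposable docker runners` would stop someone from later retagging it onto a shell runner. The `before_script` clone with `--clone-branch production` also tracks a moving branch, so a failure here may come from a formula change rather than from this repository.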
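Review bot: The job result comes from `exit $STATUS`, but every `run_tests` call overwrites `STATUS`, so a role whose sudoers file `visudo -c` rejects prints FAILED in the log while the job still passes if the last role in the list is valid. `run_tests` also ignores the result of `salt-call ... state.apply`, so when a state fails to render or apply, `visudo -c` checks the sudoers files restored by `reset_sudo` and the role passes without its rules being validated. For a test that gates sudo rules both cases should fail the job: keep a sticky failure flag and check the salt-call status. The sketch below uses `--retcode-passthrough`, so confirm how the installed salt version reports state failures. Separately, `printf "roles:\n- $role"` places `$role` in the format string and `${SUDO_ROLES[@]}` is expanded unquoted.

```shell
FAILED=0

run_tests() {
  # a state run that fails leaves the restored sudoers in place, which visudo -c would accept
  if ! salt-call --local -l quiet --retcode-passthrough state.apply sudoers,sudoers.included > /dev/null; then
    echo_FAILED
    FAILED=1
    echo
    return
  fi
  if visudo -c > output 2>&1; then
    echo_PASSED
  else
    cat output
    echo_FAILED
    FAILED=1
  fi
  echo
}

# … unchanged: grains setup, SUDO_ROLES discovery and the per-role loop …

exit $FAILED
```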