Ansible testing (#1691)

tests/ansible/README.md

@@ -58,16 +58,17 @@ ansible won't be able to see them.
   variables for Debian and RedHat-based distributions, because stable releases
   require a package version suffix in the RPM file names.
 
-- `TEST_PACKAGE_FILE`: optional, file pointing to the package under test
-  (.deb, .rpm, .pkg...). If both `TEST_PACKAGE_VERSION_*` and
-  `TEST_PACKAGE_FILE` are provided, both are be installed (to test upgrades
+- `TEST_PACKAGE_FILE`: optional, file pointing to the package under test (.deb,
+  .rpm, .pkg...). It can be a glob expression but it must match a single file,
+  and the pattern works only on the filename. If both `TEST_PACKAGE_VERSION_*`
+  and `TEST_PACKAGE_FILE` are provided, both are be installed (to test upgrades
   for example). Requires `PACKAGE_TESTING=true`
 
 - `TEST_PACKAGE_DIR`: optional (but conflicts with `TEST_PACKAGE_FILE`), the path
   to a directory containing packages with the following layout:
 
-  For DEB: `{{ package_dir }}/{{ ansible_distribution_release }}_{{ ansible_architecture.replace('x86_64', 'amd64) }}/{{ ansible_distribution_release }}/{{ ansible_architecture.replace('x86_64', 'amd64' }}/crowdsec_*.deb`
-  For RPM: `{{ package_dir }}/{{ releasever }}/RPMS/{{ ansible_architecture }}/crowdsec-{{ testing_file_version }}*.{{ releasever }}.{{ ansible_architecture }}.rpm`
+  For DEB: `{{ package_dir }}/{{ ansible_distribution_release }}/{{ ansible_architecture.replace('x86_64', 'amd64' }}/crowdsec_*.deb`
+  For RPM: `{{ package_dir }}/{{ releasever }}/RPMS/{{ ansible_architecture }}/crowdsec-*.{{ releasever }}.{{ ansible_architecture }}.rpm`
 
 - `TEST_SKIP`: optional, comma-separated list of scripts that won't be executed.
   Example: `TEST_SKIP=02_nolapi.bats,03_noagent.bats`

tests/ansible/provision_dependencies.yml

@@ -1,5 +1,5 @@
 ---
-- name: "install Go (!freebsd)"
+- name: "install Go (!bsd)"
   hosts: all
   gather_facts: true
   vars_files:
@@ -8,9 +8,9 @@
     - ansible.builtin.include_role:
         name: gantsign.golang
       when:
-        - ansible_os_family != "FreeBSD"
+        - ansible_facts.system == 'Linux'
 
-- name: "install Go (freebsd)"
+- name: "install Go (bsd)"
   hosts: all
   gather_facts: true
   become: true
@@ -19,7 +19,20 @@
         name: go
         state: present
       when:
-        - ansible_os_family == "FreeBSD"
+        - ansible_facts.system == 'FreeBSD'
+
+# required for jq and basic tools on centos and rhel
+- name: "enable EPEL repository (RedHat)"
+  hosts: all
+  become: true
+  tasks:
+    - ansible.builtin.include_role:
+        name: geerlingguy.repo-epel
+      vars:
+        epel_repo_disable: false
+      when:
+        - ansible_facts.os_family == 'RedHat'
+        - ansible_facts.distribution != 'Fedora'
 
 - name: "apply common configuration to all nodes"
   hosts: all

tests/ansible/requirements.yml

@@ -1,4 +1,6 @@
 ---
-- src: geerlingguy.postgresql
 - src: geerlingguy.mysql
+- src: geerlingguy.postgresql
+- src: geerlingguy.repo-epel
 - src: gantsign.golang
+

tests/ansible/roles/bats_requirements/defaults/main.yml

@@ -1,4 +1,4 @@
 ---
 build_bash: false
 
-build_daemonize: (ansible_distribution == "Ubuntu" and ansible_distribution_version == '16.04') or ansible_distribution == 'Amazon'
+build_daemonize: (ansible_facts.distribution == "Ubuntu" and ansible_facts.distribution == '16.04') or ansible_facts.distribution == 'Amazon'

tests/ansible/roles/bats_requirements/tasks/main.yml

@@ -5,7 +5,7 @@
 - name: "Install daemonize"
   ansible.builtin.import_tasks: daemonize.yml
   when:
-    - ansible_os_family != 'FreeBSD'
+    - ansible_facts.system == 'Linux'
 
 - name: "install netcat"
   ansible.builtin.import_tasks: netcat.yml
@@ -25,15 +25,16 @@
     name:
       - bc
   when:
-    - ansible_os_family != 'FreeBSD'
+    - ansible_facts.system == 'Linux'
 
-- name: "install base64(freebsd)"
+# base64 for linux is in coreutils
+- name: "install base64 (freebsd)"
   become: true
   ansible.builtin.package:
     name:
       - base64
   when:
-    - ansible_os_family == 'FreeBSD'
+    - ansible_facts.system == 'FreeBSD'
 
 - name: "install pidof (Amazon)"
   become: true
@@ -41,7 +42,7 @@
     name:
       - procps-ng
   when:
-    - ansible_distribution == 'Amazon'
+    - ansible_facts.distribution == 'Amazon'
 
 - name: "install gcc (for go-sqlite, needs cgo)"
   become: true

tests/ansible/roles/bats_requirements/tasks/netcat.yml

@@ -5,7 +5,7 @@
     name:
       - nmap-ncat
   when:
-    - ansible_facts['distribution'] in ['Amazon',  'Fedora', 'CentOS', 'OracleLinux']
+    - ansible_facts.distribution in ['Amazon',  'Fedora', 'CentOS', 'OracleLinux']
 
 - name: "install netcat (RedHat)"
   become: true
@@ -13,7 +13,7 @@
     name:
       - netcat
   when:
-    - ansible_facts['distribution'] == 'RedHat'
+    - (ansible_facts.distribution == 'RedHat') or  (ansible_facts.distribution == 'AlmaLinux')
 
 # "netcat" does not exist in some versions (only -traditional or -openbsd)
 - name: "install netcat (Debian)"
@@ -22,4 +22,13 @@
     name:
       - netcat-traditional
   when:
-    - ansible_os_family == "Debian"
+    - ansible_facts.os_family == "Debian"
+
+# "netcat" does not exist in some versions (only -traditional or -openbsd)
+- name: "install netcat (Suse)"
+  become: true
+  ansible.builtin.package:
+    name:
+      - netcat-openbsd
+  when:
+    - ansible_facts.os_family == "Suse"

tests/ansible/roles/common/tasks/main.yml

@@ -1,19 +1,11 @@
 ---
-# required for (at least) jq
-- name: "enable EPEL"
-  become: true
-  ansible.builtin.package:
-    name: epel-release
-  when:
-    - ansible_distribution == 'CentOS'
-
 - name: "update package cache (Debian)"
   become: true
   ansible.builtin.apt:
     upgrade: false
     update_cache: true
   when:
-    - ansible_os_family == "Debian"
+    - ansible_facts.os_family == "Debian"
 
 - name: "install gcc, git"
   become: true
@@ -28,7 +20,7 @@
     name:
       - make
   when:
-    - ansible_os_family != "FreeBSD"
+    - ansible_facts.system == "Linux"
 
 - name: "install gmake (FreeBSD)"
   become: true
@@ -36,4 +28,4 @@
     name:
       - gmake
   when:
-    - ansible_os_family == "FreeBSD"
+    - ansible_facts.system == "FreeBSD"

tests/ansible/roles/install_crowdsec_package/tasks/install_from_deb.yml

@@ -1,19 +1,38 @@
 ---
 - name: "set package_file from package_dir"
   ansible.builtin.set_fact:
-    package_file: "{{ package_dir }}/{{ ansible_distribution_release }}_{{ ansible_architecture.replace('x86_64', 'amd64) }}/{{ ansible_distribution_release }}/{{ ansible_architecture.replace('x86_64', 'amd64' }}/crowdsec_*.deb"
+    package_file: "{{ package_dir }}/{{ ansible_facts.distribution_release }}/{{ ansible_facts.architecture.replace('x86_64', 'amd64') }}/crowdsec_*.deb"
   when:
     - (package_dir is defined) and (package_dir | length > 0)
 
+- name: "look for .deb file matching package_file"
+  ansible.builtin.set_fact:
+    found_file: "{{ item }}"
+  with_fileglob:
+    - "{{ package_file }}"
+  when:
+    - (package_file is defined) and (package_file | length > 0)
+
+- name: "check found_file"
+  ansible.builtin.fail:
+    msg: "No file found matching {{ package_file }}"
+  when:
+    - found_file is not defined
+    - (package_file is defined) and (package_file | length > 0)
+
 - name: "copy built file for deb-like"
   become: false
   ansible.builtin.copy:
-    src: "{{ package_file }}"
+    src: "{{ found_file }}"
     dest: "{{ ansible_env.HOME }}/crowdsec.deb"
     mode: 0o644
+  when:
+    - (package_file is defined) and (package_file | length > 0)
 
 - name: "install crowdsec on deb-like"
   become: true
   ansible.builtin.apt:
-    name: "{{ ansible_env.HOME }}/crowdsec.deb"
+    deb: "{{ ansible_env.HOME }}/crowdsec.deb"
     allow_downgrade: true
+  when:
+    - (package_file is defined) and (package_file | length > 0)

tests/ansible/roles/install_crowdsec_package/tasks/install_from_deb_repo.yml

@@ -14,7 +14,7 @@
 - name: "add crowdsec repo [2/2] (*.deb)"
   become: true
   ansible.builtin.apt_repository:
-    repo: deb https://packagecloud.io/crowdsec/crowdsec/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} main
+    repo: deb https://packagecloud.io/crowdsec/crowdsec/{{ ansible_facts.distribution | lower }}/ {{ ansible_facts.distribution_release }} main
 
 - name: "install crowdsec testing repo [1/2] (*.deb)"
   become: true
@@ -24,7 +24,7 @@
 - name: "add crowdsec testing repo [1/2] (*.deb)"
   become: true
   ansible.builtin.apt_repository:
-    repo: deb https://packagecloud.io/crowdsec/crowdsec-testing/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} main
+    repo: deb https://packagecloud.io/crowdsec/crowdsec-testing/{{ ansible_facts.distribution | lower }}/ {{ ansible_facts.distribution_release }} main
 
 - name: "install crowdsec"
   become: true

tests/ansible/roles/install_crowdsec_package/tasks/install_from_rpm.yml

@@ -1,16 +1,33 @@
 ---
 - name: "set package_file from package_dir"
   ansible.builtin.set_fact:
-    package_file: "{{ package_dir }}/{{ releasever }}/RPMS/{{ ansible_architecture }}/crowdsec-{{ testing_file_version }}*.{{ releasever }}.{{ ansible_architecture }}.rpm"
+    package_file: "{{ package_dir }}/{{ releasever }}/RPMS/{{ ansible_facts.architecture }}/crowdsec-*.{{ releasever }}.{{ ansible_facts.architecture }}.rpm"
   when:
     - (package_dir is defined) and (package_dir | length > 0)
 
+- name: "look for .rpm file matching package_file"
+  ansible.builtin.set_fact:
+    found_file: "{{ item }}"
+  with_fileglob:
+    - "{{ package_file }}"
+  when:
+    - (package_file is defined) and (package_file | length > 0)
+
+- name: "check found_file"
+  ansible.builtin.fail:
+    msg: "No file found matching {{ package_file }}"
+  when:
+    - found_file is not defined
+    - (package_file is defined) and (package_file | length > 0)
+
 - name: "copy built file for rpm-like"
   become: false
   ansible.builtin.copy:
-    src: "{{ package_file }}"
+    src: "{{ found_file }}"
     dest: "{{ ansible_env.HOME }}/crowdsec.rpm"
     mode: 0o644
+  when:
+    - (package_file is defined) and (package_file | length > 0)
 
 - name: "install crowdsec on rpm-like"
   become: true
@@ -18,3 +35,5 @@
     name: "{{ ansible_env.HOME }}/crowdsec.rpm"
     disable_gpg_check: true
     allow_downgrade: true
+  when:
+    - (package_file is defined) and (package_file | length > 0)

tests/ansible/roles/install_crowdsec_package/tasks/main.yml

@@ -2,32 +2,30 @@
 - name: "system details"
   ansible.builtin.debug:
     msg: |
-      Distribution: {{ ansible_distribution }}
-      Version: {{ ansible_distribution_version }}
-      Major: {{ ansible_distribution_major_version }}
-      Release: {{ ansible_distribution_release }}
+      Distribution: {{ ansible_facts.distribution }}
+      Version: {{ ansible_facts.distribution_version }}
+      Major: {{ ansible_facts.distribution_major_version }}
+      Release: {{ ansible_facts.distribution_release }}
       Releasever: {{ releasever }}
 
 - name: "install from binary repository (RedHat)"
   ansible.builtin.import_tasks: install_from_rpm_repo.yml
   when:
     - (package_version_rpm is defined) and (package_version_rpm|length > 0)
-    - ansible_os_family == "RedHat"
+    - ansible_facts.os_family == "RedHat"
 
 - name: "install from binary repository (Debian)"
   ansible.builtin.import_tasks: install_from_deb_repo.yml
   when:
     - (package_version_deb is defined) and (package_version_deb|length > 0)
-    - ansible_os_family == "Debian"
+    - ansible_facts.os_family == "Debian"
 
 - name: "install from *.rpm package file"
   ansible.builtin.import_tasks: install_from_rpm.yml
   when:
-    - (package_file is defined) and (package_file|length > 0)
-    - ansible_os_family == "RedHat"
+    - ansible_facts.os_family == "RedHat"
 
 - name: "install from *.deb package file"
   ansible.builtin.import_tasks: install_from_deb.yml
   when:
-    - (package_file is defined) and (package_file|length > 0)
-    - ansible_os_family == "Debian"
+    - ansible_facts.os_family == "Debian"

tests/ansible/roles/install_crowdsec_package/vars/main.yml

@@ -7,8 +7,11 @@ release:
   Ubuntu: ubuntu
   FreeBSD: freebsd
   OracleLinux: ol
+  Rocky: el
+  AlmaLinux: el
+  openSUSE Leap: opensuse
 
-releasever: "{{ release[ansible_distribution] + ansible_distribution_major_version }}"
+releasever: "{{ release[ansible_facts.distribution] + ansible_facts.distribution_major_version }}"
 
 package_version_deb: "{{ lookup('ansible.builtin.env', 'TEST_PACKAGE_VERSION_DEB') }}"
 package_version_rpm: "{{ lookup('ansible.builtin.env', 'TEST_PACKAGE_VERSION_RPM') }}"

tests/ansible/roles/install_crowdsec_tests/tasks/main.yml

@@ -60,6 +60,15 @@
   when:
     - (suite_zip is not defined) or (suite_zip|length == 0)
 
+- name: set safe.directory on crowdsec dir"
+  become: false
+  ansible.builtin.git_config:
+    scope: global
+    name: safe.directory
+    value: "{{ ansible_env.HOME }}/crowdsec"
+  when:
+    - (suite_zip is not defined) or (suite_zip|length == 0)
+
 - name: "install tests: create crowdsec tests/local dir"
   become: false
   ansible.builtin.file:

tests/ansible/roles/machine_id/tasks/main.yml

@@ -6,6 +6,11 @@
     content: "{{ machine_id }}"
     mode: 0o444
 
+- name: "see if /var/lib/dbus exists"
+  ansible.builtin.stat:
+    path: "/var/lib/dbus"
+  register: dbus
+
 # some distributions use var/lib/dbus,
 # but the directory doesn't exists on fedora
 - name: "set /var/lib/dbus/machine-id"
@@ -15,4 +20,4 @@
     content: "{{ machine_id }}"
     mode: 0o444
   when:
-    - ansible_os_family != 'FreeBSD' and ansible_distribution != "Fedora"
+    - dbus.stat.exists

tests/ansible/roles/make_fixture/tasks/main.yml

@@ -3,13 +3,13 @@
   ansible.builtin.set_fact:
     make_cmd: make
   when:
-    - ansible_os_family != 'FreeBSD'
+    - ansible_facts.system != 'FreeBSD'
 
 - name: "set make_cmd = gmake (freebsd)"
   ansible.builtin.set_fact:
     make_cmd: gmake
   when:
-    - ansible_os_family == 'FreeBSD'
+    - ansible_facts.system == 'FreeBSD'
 
 - name: "build crowdsec from sources, prepare test environment and fixture"
   become: false

tests/ansible/roles/run_func_tests/tasks/main.yml

@@ -9,7 +9,7 @@
     state: directory
   when:
     - (package_testing is defined) and (package_testing not in ['', 'false', 'False'])
-    - ansible_os_family in ["RedHat", "Debian"]
+    - ansible_facts.os_family in ["RedHat", "Debian"]
 
 - name: "override StartLimitBurst"
   become: true
@@ -23,7 +23,7 @@
     value: 100
   when:
     - (package_testing is defined) and (package_testing not in ['', 'false', 'False'])
-    - ansible_os_family in ["RedHat", "Debian"]
+    - ansible_facts.os_family in ["RedHat", "Debian"]
 
 - name: "systemctl daemon-reload"
   become: true
@@ -31,7 +31,7 @@
     daemon_reload: true
   when:
     - (package_testing is defined) and (package_testing not in ['', 'false', 'False'])
-    - ansible_os_family in ["RedHat", "Debian"]
+    - ansible_facts.os_family in ["RedHat", "Debian"]
 
 - name: "search for test scripts"
   become: false

tests/ansible/vagrant/alma-9/Vagrantfile

@@ -0,0 +1,6 @@
+common = '../Vagrantfile.common'
+load common if File.exists?(common)
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/alma9"
+end

tests/ansible/vagrant/centos-9/Vagrantfile

@@ -0,0 +1,6 @@
+common = '../Vagrantfile.common'
+load common if File.exists?(common)
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/centos9s"
+end

tests/ansible/vagrant/rocky-9/Vagrantfile

@@ -0,0 +1,6 @@
+common = '../Vagrantfile.common'
+load common if File.exists?(common)
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "generic/rocky9"
+end

tests/bats/05_config_yaml_local.bats

@@ -129,9 +129,14 @@ teardown() {
 
     ./instance-crowdsec start
     fake_log >>"${tmpfile}"
-    sleep 2
+
+    # this could be simplified, but some systems are slow and we don't want to
+    # wait more than required
+    for ((idx = 0; idx < 20; idx++)); do
+        sleep .5
+        run -0 --separate-stderr cscli decisions list -o json
+        run -0 jq --exit-status '.[].decisions[0] | [.value,.type] == ["1.1.1.172","captcha"]' <(output) && break
+    done
     rm -f -- "${tmpfile}"
-    run -0 --separate-stderr cscli decisions list -o json
-    run -0 jq -c '.[].decisions[0] | [.value,.type]' <(output)
-    assert_output '["1.1.1.172","captcha"]'
+    [[ "${status}" -eq 0 ]] || fail "captcha not triggered"
 }

tests/lib/config/config-global

@@ -58,14 +58,17 @@ make_init_data() {
 
     "${TEST_DIR}/instance-crowdsec" start
 
-    "${CSCLI}" decisions delete --all
+    for ((i=0; i<10; i++)); do
+        sleep .5
+        "${CSCLI}" decisions delete --all && break
+    done
 
-    loop_max=15
-    for ((i = 0; i <= loop_max; i++)); do
+    for ((i=0; i<15; i++)); do
         sleep 2
-        [[ $("${CSCLI}" alerts list -o json) != "null" ]] && break
+        [[ $("${CSCLI}" alerts list -a -o json) != "null" ]] && break
     done
-    [[ $("${CSCLI}" alerts list -a -o json) != "null" ]] || die "could not get community data"
+    # shellcheck disable=SC2181
+    [[ "$?" -ne "0" ]] && die "could not get community data"
 
     "${TEST_DIR}/instance-crowdsec" stop