Add ansible provisioning (#122)

* first ansible skeleton * first commit of ansible installation of vulnwhisperer outside docker * first ansible skeleton * first commit of ansible installation of vulnwhisperer outside docker * refactor the ansible role a bit * update readme, add fail validation step to provision.yml and fix typo when calling a logging funciton
2018-11-14 10:14:12 +01:00
parent a8671a7303
commit 3a09f60543
95 changed files with 4459 additions and 1 deletions
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/Gemfile
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/Gemfile
@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'rspec-retry'
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/issue_test_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/issue_test_spec.rb
@ -0,0 +1,10 @@
+require 'spec_helper'
+require 'json'
+vars = JSON.parse(File.read('/tmp/vars.json'))
+
+shared_examples 'issue_test::init' do |vars|
+
+  #Add custom tests here for the issue-test.yml test
+
+end
+
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/multi_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/multi_spec.rb
@ -0,0 +1,139 @@
+require 'spec_helper'
+require 'json'
+vars = JSON.parse(File.read('/tmp/vars.json'))
+
+shared_examples 'multi::init' do |vars|
+
+  describe service('master_elasticsearch') do
+    it { should be_running }
+  end
+  #test configuration parameters have been set - test all appropriately set in config file
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
+    it { should be_file }
+    it { should contain 'http.port: 9201' }
+    it { should contain 'transport.tcp.port: 9301' }
+    it { should contain 'node.data: true' }
+    it { should contain 'node.master: false' }
+    it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
+    it { should_not contain 'bootstrap.memory_lock: true' }
+    if vars['es_major_version'] == '6.x'
+      it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
+    else
+      it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
+    end
+    it { should contain "path.data: /opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']},/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}" }
+    it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
+  end
+
+
+  #test configuration parameters have been set for master - test all appropriately set in config file
+  describe file('/etc/elasticsearch/master/elasticsearch.yml') do
+    it { should be_file }
+    it { should contain 'http.port: 9200' }
+    it { should contain 'transport.tcp.port: 9300' }
+    it { should contain 'node.data: false' }
+    it { should contain 'node.master: true' }
+    it { should contain 'node.name: localhost-master' }
+    it { should contain 'bootstrap.memory_lock: true' }
+    if vars['es_major_version'] == '6.x'
+      it { should_not contain 'path.conf: /etc/elasticsearch/master' }
+    else
+      it { should contain 'path.conf: /etc/elasticsearch/master' }
+    end
+    it { should contain 'path.data: /opt/elasticsearch/master/localhost-master' }
+    it { should contain 'path.logs: /var/log/elasticsearch/localhost-master' }
+  end
+
+  describe 'Master listening' do
+    it 'listening in port 9200' do
+      expect(port 9200).to be_listening
+    end
+  end
+
+  #test we started on the correct port was used for master
+  describe 'master started' do
+    it 'master node should be running', :retry => 3, :retry_wait => 10 do
+      expect(curl_json('http://localhost:9200')['name']).to eq('localhost-master')
+    end
+  end
+
+  #test we started on the correct port was used for node 1
+  describe "#{vars['es_instance_name']} started" do
+    it 'node should be running', :retry => 3, :retry_wait => 10 do
+      expect(curl_json('http://localhost:9201')['name']).to eq("localhost-#{vars['es_instance_name']}")
+    end
+  end
+
+  #Confirm scripts are on both nodes
+  describe file('/etc/elasticsearch/master/scripts') do
+    it { should be_directory }
+    it { should be_owned_by 'elasticsearch' }
+  end
+
+  describe file('/etc/elasticsearch/master/scripts/calculate-score.groovy') do
+    it { should be_file }
+    it { should be_owned_by 'elasticsearch' }
+  end
+
+  #Confirm that the data directory has only been set for the first node
+  describe file('/opt/elasticsearch/master/localhost-master') do
+    it { should be_directory }
+    it { should be_owned_by 'elasticsearch' }
+  end
+
+  describe file("/opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']}") do
+    it { should be_directory }
+    it { should be_owned_by 'elasticsearch' }
+  end
+
+
+  describe file("/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}") do
+    it { should be_directory }
+    it { should be_owned_by 'elasticsearch' }
+  end
+
+  #test to make sure mlock was applied
+  describe command('curl -s "localhost:9200/_nodes/localhost-master/process?pretty=true" | grep mlockall') do
+    its(:stdout) { should match /true/ }
+    its(:exit_status) { should eq 0 }
+  end
+
+  #test to make sure mlock was not applied
+  describe command("curl -s 'localhost:9201/_nodes/localhost-#{vars['es_instance_name']}/process?pretty=true' | grep mlockall") do
+    its(:stdout) { should match /false/ }
+    its(:exit_status) { should eq 0 }
+  end
+
+  describe 'version check on master' do
+    it 'should be reported as version '+vars['es_version'] do
+      command = command('curl -s localhost:9200 | grep number')
+      expect(command.stdout).to match(vars['es_version'])
+      expect(command.exit_status).to eq(0)
+    end
+  end
+
+  describe 'version check on data' do
+    it 'should be reported as version '+vars['es_version'] do
+      command = command('curl -s localhost:9201 | grep number')
+      expect(command.stdout).to match(vars['es_version'])
+      expect(command.exit_status).to eq(0)
+    end
+  end
+
+  for plugin in vars['es_plugins']
+    plugin = plugin['plugin']
+
+    describe command('curl -s localhost:9200/_nodes/plugins?pretty=true | grep '+plugin) do
+      its(:exit_status) { should eq 0 }
+    end
+
+    describe command('curl -s localhost:9201/_nodes/plugins?pretty=true | grep '+plugin) do
+      its(:exit_status) { should eq 0 }
+    end
+
+    describe file('/usr/share/elasticsearch/plugins/'+plugin) do
+      it { should be_directory }
+      it { should be_owned_by 'elasticsearch' }
+    end
+  end
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_spec.rb
@ -0,0 +1,13 @@
+require 'spec_helper'
+
+shared_examples 'oss::init' do |vars|
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/log4j2.properties") do
+    it { should be_file }
+    it { should be_owned_by 'elasticsearch' }
+    it { should_not contain 'CUSTOM LOG4J FILE' }
+  end
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/jvm.options") do
+    it { should be_file }
+    it { should be_owned_by vars['es_user'] }
+  end
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_to_xpack_upgrade_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_to_xpack_upgrade_spec.rb
@ -0,0 +1,4 @@
+require 'spec_helper'
+
+shared_examples 'oss_to_xpack_upgrade::init' do |vars|
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_upgrade_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/oss_upgrade_spec.rb
@ -0,0 +1,4 @@
+require 'spec_helper'
+
+shared_examples 'oss_upgrade::init' do |vars|
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/shared_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/shared_spec.rb
@ -0,0 +1,170 @@
+require 'spec_helper'
+require 'json'
+vars = JSON.parse(File.read('/tmp/vars.json'))
+
+families = {
+  'Debian' => {
+    'shell'    => '/bin/false',
+    'password' => '*',
+    'defaults_path' => '/etc/default/elasticsearch'
+  },
+  'RedHat' => {
+    'shell'    => '/sbin/nologin',
+    'password' => '!!',
+    'defaults_path' => '/etc/sysconfig/elasticsearch'
+  }
+}
+
+family = families[vars['ansible_os_family']]
+
+es_api_url = "http://localhost:#{vars['es_api_port']}"
+username = vars['es_api_basic_auth_username']
+password = vars['es_api_basic_auth_password']
+
+shared_examples 'shared::init' do |vars|
+  describe 'version check' do
+    it 'should be reported as version '+vars['es_version'] do
+      expect(curl_json(es_api_url, username=username, password=password)['version']['number']).to eq(vars['es_version'])
+    end
+  end
+  describe 'xpack checks' do
+    if vars['es_enable_xpack']
+      it 'should be be running the xpack version' do
+        expect(curl_json("#{es_api_url}/_xpack", username=username, password=password)['tagline']).to eq('You know, for X')
+      end
+      it 'xpack should be activated' do
+        expect(curl_json("#{es_api_url}/_license", username=username, password=password)['license']['status']).to eq('active')
+      end
+      features = curl_json("#{es_api_url}/_xpack", username=username, password=password)
+      curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'].each do |feature,values|
+        enabled = vars['es_xpack_features'].include? feature
+		status = if enabled then 'enabled' else 'disabled' end
+		it "the xpack feature '#{feature}' to be #{status}" do
+          expect(values['enabled'] = enabled)
+        end
+      end
+      # X-Pack is no longer installed as a plugin in elasticsearch
+      if vars['es_major_version'] == '5.x'
+        describe file('/usr/share/elasticsearch/plugins/x-pack') do
+          it { should be_directory }
+          it { should be_owned_by vars['es_user'] }
+        end
+        describe file("/etc/elasticsearch/#{vars['es_instance_name']}/x-pack") do
+          it { should be_directory }
+          it { should be_owned_by vars['es_user'] }
+        end
+        describe 'x-pack-core plugin' do
+          it 'should be installed with the correct version' do
+            plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password)
+            node, data = plugins['nodes'].first
+            version = 'plugin not found'
+            name = 'x-pack'
+
+            data['plugins'].each do |plugin|
+              if plugin['name'] == name
+                version = plugin['version']
+              end
+            end
+            expect(version).to eql(vars['es_version'])
+          end
+        end
+      end
+    end
+  end
+  describe user(vars['es_user']) do
+    it { should exist }
+    it { should belong_to_group vars['es_group'] }
+    it { should have_uid vars['es_user_id'] } if vars.key?('es_user_id')
+
+    it { should have_login_shell family['shell'] }
+
+    its(:encrypted_password) { should eq(family['password']) }
+  end
+
+  describe package(vars['es_package_name']) do
+    it { should be_installed }
+  end
+
+  describe service("#{vars['es_instance_name']}_elasticsearch") do
+    it { should be_running }
+  end
+
+  describe port(vars['es_api_port']) do
+    it { should be_listening.with('tcp') }
+  end
+
+  if vars['es_templates']
+    describe file('/etc/elasticsearch/templates') do
+      it { should be_directory }
+      it { should be_owned_by vars['es_user'] }
+    end
+    describe file('/etc/elasticsearch/templates/basic.json') do
+      it { should be_file }
+      it { should be_owned_by vars['es_user'] }
+    end
+    #This is possibly subject to format changes in the response across versions so may fail in the future
+    describe 'Template Contents Correct' do
+      it 'should be reported as being installed', :retry => 3, :retry_wait => 10 do
+        template = curl_json("#{es_api_url}/_template/basic", username=username, password=password)
+        expect(template.key?('basic'))
+        expect(template['basic']['settings']['index']['number_of_shards']).to eq("1")
+        expect(template['basic']['mappings']['type1']['_source']['enabled']).to eq(false)
+      end
+    end
+  end
+  if vars['es_scripts']
+    describe file("/etc/elasticsearch/#{vars['es_instance_name']}/scripts") do
+      it { should be_directory }
+      it { should be_owned_by 'elasticsearch' }
+    end
+    describe file("/etc/elasticsearch/#{vars['es_instance_name']}/scripts/calculate-score.groovy") do
+      it { should be_file }
+      it { should be_owned_by 'elasticsearch' }
+    end
+  end
+  describe file('/etc/init.d/elasticsearch') do
+    it { should_not exist }
+  end
+
+  describe file(family['defaults_path']) do
+    its(:content) { should match '' }
+  end
+
+  describe file('/etc/elasticsearch/elasticsearch.yml') do
+    it { should_not exist }
+  end
+
+  describe file('/etc/elasticsearch/logging.yml') do
+    it { should_not exist }
+  end
+
+  if vars.key?('es_plugins')
+    vars['es_plugins'].each do |plugin|
+      name = plugin['plugin']
+      describe file('/usr/share/elasticsearch/plugins/'+name) do
+        it { should be_directory }
+        it { should be_owned_by vars['es_user'] }
+      end
+      it 'should be installed and the right version' do
+        plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password)
+        version = nil
+        _node, data = plugins['nodes'].first
+        data['plugins'].each do |p|
+          version = p['version'] if p['name'] == name
+        end
+        expect(version).to eql(vars['es_version'])
+      end
+    end
+  end
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
+    it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
+    it { should contain 'cluster.name: elasticsearch' }
+    if vars['es_major_version'] == '6.x'
+      it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
+    else
+      it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
+    end
+    its(:content) { should match "path.data: #{vars['data_dirs'].join(',')}" }
+    its(:content) { should match "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
+  end
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/spec_helper.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/spec_helper.rb
@ -0,0 +1,26 @@
+require 'serverspec'
+require 'net/http'
+require 'json'
+
+set :backend, :exec
+
+require 'rspec/retry'
+
+RSpec.configure do |config|
+  # show retry status in spec process
+  config.verbose_retry = true
+  # show exception that triggers a retry if verbose_retry is set to true
+  config.display_try_failure_messages = true
+end
+
+def curl_json(uri, username=nil, password=nil)
+  uri = URI(uri)
+  req =  Net::HTTP::Get.new(uri)
+  if username && password
+    req.basic_auth username, password
+  end
+  res = Net::HTTP.start(uri.hostname, uri.port) {|http|
+    http.request(req)
+  }
+  return JSON.parse(res.body)
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/xpack_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/xpack_spec.rb
@ -0,0 +1,17 @@
+require 'spec_helper'
+
+shared_examples 'xpack::init' do |vars|
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
+    it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
+    it { should contain 'cluster.name: elasticsearch' }
+    if vars['es_major_version'] == '6.x'
+      it { should_not contain 'path.conf: /etc/elasticsearch/security_node' }
+    else
+      it { should contain 'path.conf: /etc/elasticsearch/security_node' }
+    end
+    it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" }
+    it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
+    it { should contain 'xpack.security.enabled: false' }
+    it { should contain 'xpack.watcher.enabled: false' }
+  end
+end
--- a/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
+++ b/ansible/roles/elastic.elasticsearch/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
@ -0,0 +1,103 @@
+require 'spec_helper'
+require 'json'
+vars = JSON.parse(File.read('/tmp/vars.json'))
+
+shared_examples 'xpack_upgrade::init' do |vars|
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
+    it { should contain "node.name: localhost-#{vars['es_instance_name']}" }
+    it { should contain 'cluster.name: elasticsearch' }
+    if vars['es_major_version'] == '6.x'
+      it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
+    else
+      it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" }
+    end
+    it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" }
+    it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" }
+  end
+
+  #Test users file, users_roles and roles.yml
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users_roles") do
+    it { should be_owned_by 'elasticsearch' }
+    it { should contain 'admin:es_admin' }
+    it { should contain 'power_user:testUser' }
+  end
+
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users") do
+    it { should be_owned_by 'elasticsearch' }
+    it { should contain 'testUser:' }
+    it { should contain 'es_admin:' }
+  end
+
+  describe 'security roles' do
+    it 'should list the security roles' do
+      roles = curl_json('http://localhost:9200/_xpack/security/role', username='es_admin', password='changeMeAgain')
+      expect(roles.key?('superuser'))
+    end
+  end
+
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do
+    it { should contain 'security.authc.realms.file1.order: 0' }
+    it { should contain 'security.authc.realms.file1.type: file' }
+    it { should contain 'security.authc.realms.native1.order: 1' }
+    it { should contain 'security.authc.realms.native1.type: native' }
+  end
+
+  #Test contents of role_mapping.yml
+  describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do
+    it { should be_owned_by 'elasticsearch' }
+    it { should contain 'power_user:' }
+    it { should contain '- cn=admins,dc=example,dc=com' }
+    it { should contain 'user:' }
+    it { should contain '- cn=admins,dc=example,dc=com' }
+  end
+
+  #check accounts are correct i.e. we can auth and they have the correct roles
+  describe 'kibana4_server access check' do
+    it 'should be reported as version '+vars['es_version'] do
+      command = command('curl -s localhost:9200/ -u kibana4_server:changeMe | grep number')
+      expect(command.stdout).to match(vars['es_version'])
+      expect(command.exit_status).to eq(0)
+    end
+  end
+
+  describe 'security users' do
+    result = curl_json('http://localhost:9200/_xpack/security/user', username='elastic', password='elasticChanged')
+    it 'should have the elastic user' do
+      expect(result['elastic']['username']).to eq('elastic')
+      expect(result['elastic']['roles']).to eq(['superuser'])
+      expect(result['elastic']['enabled']).to eq(true)
+    end
+    it 'should have the kibana user' do
+      expect(result['kibana']['username']).to eq('kibana')
+      expect(result['kibana']['roles']).to eq(['kibana_system'])
+      expect(result['kibana']['enabled']).to eq(true)
+    end
+    it 'should have the kibana_server user' do
+      expect(result['kibana4_server']['username']).to eq('kibana4_server')
+      expect(result['kibana4_server']['roles']).to eq(['kibana4_server'])
+      expect(result['kibana4_server']['enabled']).to eq(true)
+    end
+    it 'should have the logstash user' do
+      expect(result['logstash_system']['username']).to eq('logstash_system')
+      expect(result['logstash_system']['roles']).to eq(['logstash_system'])
+      expect(result['logstash_system']['enabled']).to eq(true)
+    end
+  end
+
+  describe 'logstash_system access check' do
+    it 'should be reported as version '+vars['es_version'] do
+      command = command('curl -s localhost:9200/ -u logstash_system:aNewLogstashPassword | grep number')
+      expect(command.stdout).to match(vars['es_version'])
+      expect(command.exit_status).to eq(0)
+    end
+  end
+
+  if vars['es_major_version'] == '5.x' # kibana default password has been removed in 6.x
+    describe 'kibana access check' do
+      it 'should be reported as version '+vars['es_version'] do
+        result = curl_json('http://localhost:9200/', username='kibana', password='changeme')
+        expect(result['version']['number']).to eq(vars['es_version'])
+      end
+    end
+  end
+end