|
|
@@ -0,0 +1,279 @@
|
|
|
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
|
|
|
+#
|
|
|
+# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
+# you may not use this file except in compliance with the License.
|
|
|
+# You may obtain a copy of the License at
|
|
|
+#
|
|
|
+# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
+#
|
|
|
+# Unless required by applicable law or agreed to in writing, software
|
|
|
+# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
+# See the License for the specific language governing permissions and
|
|
|
+# limitations under the License.
|
|
|
+---
|
|
|
+
|
|
|
+- name: Check login_vars file is encrypted
|
|
|
+ command: cat {{ login_vars_filename }}
|
|
|
+ changed_when: false
|
|
|
+ register: config_content
|
|
|
+ no_log: true
|
|
|
+ tags: init
|
|
|
+
|
|
|
+- name: Decrpyt login_vars.yml
|
|
|
+ command: >-
|
|
|
+ ansible-vault decrypt {{ login_vars_filename }}
|
|
|
+ --vault-password-file {{ vault_filename }}
|
|
|
+ changed_when: false
|
|
|
+ when: "'$ANSIBLE_VAULT;' in config_content.stdout"
|
|
|
+ tags: init
|
|
|
+
|
|
|
+- name: Include variable file login_vars.yml
|
|
|
+ include_vars: "{{ login_vars_filename }}"
|
|
|
+ no_log: true
|
|
|
+ tags: init
|
|
|
+
|
|
|
+- name: Validate input parameters are not empty
|
|
|
+ fail:
|
|
|
+ msg: "{{ login_input_config_failure_msg }}"
|
|
|
+ register: input_config_check
|
|
|
+ when:
|
|
|
+ - provision_password | length < 1 or
|
|
|
+ cobbler_password | length < 1 or
|
|
|
+ idrac_username | length < 1 or
|
|
|
+ idrac_password | length < 1
|
|
|
+ tags: [ validate, pxe, idrac ]
|
|
|
+
|
|
|
+- name: Validate security parameters when enable_security_support is set to true
|
|
|
+ fail:
|
|
|
+ msg: "{{ login_input_config_failure_msg }} for ipa server installation"
|
|
|
+ tags: [ validate, security ]
|
|
|
+ when:
|
|
|
+ - ( directory_manager_password | length < 1 or
|
|
|
+ ipa_admin_password | length < 1 ) and
|
|
|
+ enable_security_support
|
|
|
+
|
|
|
+- name: Assert provision credentials
|
|
|
+ block:
|
|
|
+ - name: Assert provision_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - provision_password | length > min_length | int - 1
|
|
|
+ - provision_password | length < max_length | int + 1
|
|
|
+ - '"-" not in provision_password '
|
|
|
+ - '"\\" not in provision_password '
|
|
|
+ - '"\"" not in provision_password '
|
|
|
+ - " \"'\" not in provision_password "
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: Provision password validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_provision_password }}"
|
|
|
+ tags: [ validate, pxe, idrac ]
|
|
|
+
|
|
|
+- name: Assert cobbler credentials
|
|
|
+ block:
|
|
|
+ - name: Assert cobbler_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - cobbler_password | length > min_length | int - 1
|
|
|
+ - cobbler_password | length < max_length | int + 1
|
|
|
+ - '"-" not in cobbler_password '
|
|
|
+ - '"\\" not in cobbler_password '
|
|
|
+ - '"\"" not in cobbler_password '
|
|
|
+ - " \"'\" not in cobbler_password "
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: Cobbler password validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_cobbler_password }}"
|
|
|
+ tags: [ validate, pxe ]
|
|
|
+
|
|
|
+- name: Assert idrac credentials
|
|
|
+ block:
|
|
|
+ - name: Assert idrac_username and idrac_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - idrac_username | length >= min_username_length
|
|
|
+ - idrac_username | length < max_length
|
|
|
+ - '"-" not in idrac_username '
|
|
|
+ - '"\\" not in idrac_username '
|
|
|
+ - '"\"" not in idrac_username '
|
|
|
+ - " \"'\" not in idrac_username "
|
|
|
+ - idrac_password | length > min_username_length | int - 1
|
|
|
+ - idrac_password | length < max_length | int + 1
|
|
|
+ - '"-" not in idrac_password '
|
|
|
+ - '"\\" not in idrac_password '
|
|
|
+ - '"\"" not in idrac_password '
|
|
|
+ - " \"'\" not in idrac_password "
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: idrac credentials validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_idrac_credentials }}"
|
|
|
+ tags: [ validate, idrac ]
|
|
|
+
|
|
|
+- name: Assert grafana credentials
|
|
|
+ block:
|
|
|
+ - name: Assert grafana_username and grafana_username
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - grafana_username | length >= min_length_grafana
|
|
|
+ - grafana_username | length <= max_length
|
|
|
+ - '"-" not in grafana_username '
|
|
|
+ - '"\\" not in grafana_username '
|
|
|
+ - '"\"" not in grafana_username '
|
|
|
+ - " \"'\" not in grafana_username "
|
|
|
+ - grafana_password | length >= min_length_grafana
|
|
|
+ - grafana_password | length <= max_length
|
|
|
+ - not grafana_password == 'admin'
|
|
|
+ - '"-" not in grafana_password '
|
|
|
+ - '"\\" not in grafana_password '
|
|
|
+ - '"\"" not in grafana_password '
|
|
|
+ - " \"'\" not in grafana_password "
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: grafana credentials validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_grafana_credentials }}"
|
|
|
+ tags: [ validate, monitoring ]
|
|
|
+
|
|
|
+- name: Assert username and password for ethernet switches
|
|
|
+ block:
|
|
|
+ - name: Verify ethernet_switch_username and ethernet_switch_password are not empty
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - ethernet_switch_username | length >= min_username_length
|
|
|
+ - ethernet_switch_username | length < max_length
|
|
|
+ - '"-" not in ethernet_switch_username '
|
|
|
+ - '"\\" not in ethernet_switch_username '
|
|
|
+ - '"\"" not in ethernet_switch_username '
|
|
|
+ - " \"'\" not in ethernet_switch_username "
|
|
|
+ - ethernet_switch_password | length > min_username_length | int - 1
|
|
|
+ - ethernet_switch_password | length < max_length | int + 1
|
|
|
+ - '"-" not in ethernet_switch_password '
|
|
|
+ - '"\\" not in ethernet_switch_password '
|
|
|
+ - '"\"" not in ethernet_switch_password '
|
|
|
+ - " \"'\" not in ethernet_switch_password "
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: ethernet switch credentials validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_ethernet_credentials }}"
|
|
|
+ when: ethernet_switch_support
|
|
|
+ tags: [ validate, network-device ]
|
|
|
+
|
|
|
+- name: Assert username and password for IB switches
|
|
|
+ block:
|
|
|
+ - name: Assert ib_username and ib_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - ib_username | length >= min_username_length
|
|
|
+ - ib_username | length < max_length
|
|
|
+ - '"-" not in ib_username '
|
|
|
+ - '"\\" not in ib_username '
|
|
|
+ - '"\"" not in ib_username '
|
|
|
+ - " \"'\" not in ib_username "
|
|
|
+ - ib_password | length > min_username_length | int - 1
|
|
|
+ - ib_password | length < max_length | int + 1
|
|
|
+ - '"-" not in ib_password '
|
|
|
+ - '"\\" not in ib_password '
|
|
|
+ - '"\"" not in ib_password '
|
|
|
+ - " \"'\" not in ib_password "
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: IB switch credentials validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_ib_credentials }}"
|
|
|
+ when: ib_switch_support
|
|
|
+ tags: [ validate, network-ib ]
|
|
|
+
|
|
|
+- name: Assert username and password for powervault me4
|
|
|
+ block:
|
|
|
+ - name: Assert powervault_me4_username and powervault_me4_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - powervault_me4_username | length >= min_username_length
|
|
|
+ - powervault_me4_username | length < max_length
|
|
|
+ - '"-" not in powervault_me4_username '
|
|
|
+ - '"\\" not in powervault_me4_username '
|
|
|
+ - '"\"" not in powervault_me4_username '
|
|
|
+ - " \"'\" not in powervault_me4_username "
|
|
|
+ - powervault_me4_password | length > min_length | int - 1
|
|
|
+ - powervault_me4_password | length < max_length | int + 1
|
|
|
+ - '"-" not in powervault_me4_password '
|
|
|
+ - '"," not in powervault_me4_password '
|
|
|
+ - '"." not in powervault_me4_password '
|
|
|
+ - '"<" not in powervault_me4_password '
|
|
|
+ - '"\\" not in powervault_me4_password '
|
|
|
+ - '"\"" not in powervault_me4_password '
|
|
|
+ - " \"'\" not in powervault_me4_password "
|
|
|
+ - powervault_me4_password | regex_search('^(?=.*[a-z]).+$')
|
|
|
+ - powervault_me4_password | regex_search('^(?=.*[A-Z]).+$')
|
|
|
+ - powervault_me4_password | regex_search('^(?=.*\\d).+$')
|
|
|
+ - powervault_me4_password | regex_search('^(?=.*[!#$%&()*+/:;=>?@^_`{} ~]).+$')
|
|
|
+ no_log: true
|
|
|
+ rescue:
|
|
|
+ - name: Powervault me4 credentials validation check
|
|
|
+ fail:
|
|
|
+ msg: "{{ fail_msg_me4_credentials }}"
|
|
|
+ when: powervault_support
|
|
|
+ tags: [ validate, network-device ]
|
|
|
+
|
|
|
+- name: Assert directory_manager_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - directory_manager_password | length > min_length | int - 1
|
|
|
+ - directory_manager_password | length < max_length | int + 1
|
|
|
+ - '"-" not in directory_manager_password '
|
|
|
+ - '"\\" not in directory_manager_password '
|
|
|
+ - '"\"" not in directory_manager_password '
|
|
|
+ - " \"'\" not in directory_manager_password "
|
|
|
+ success_msg: "{{ success_msg_dir_manager_password }}"
|
|
|
+ fail_msg: "{{ fail_msg_dir_manager_password }}"
|
|
|
+ when: enable_security_support
|
|
|
+ tags: [ validate, security ]
|
|
|
+
|
|
|
+- name: Assert ipa_admin_password
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - ipa_admin_password | length > min_length | int - 1
|
|
|
+ - ipa_admin_password | length < max_length | int + 1
|
|
|
+ - '"-" not in ipa_admin_password '
|
|
|
+ - '"\\" not in ipa_admin_password '
|
|
|
+ - '"\"" not in ipa_admin_password '
|
|
|
+ - " \"'\" not in ipa_admin_password "
|
|
|
+ success_msg: "{{ success_msg_ipa_admin_pwd }}"
|
|
|
+ fail_msg: "{{ fail_msg_ipa_admin_pwd }}"
|
|
|
+ when: enable_security_support
|
|
|
+ tags: [ validate, security ]
|
|
|
+
|
|
|
+- name: Create ansible vault key
|
|
|
+ set_fact:
|
|
|
+ vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
|
|
|
+ when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
|
|
|
+ tags: init
|
|
|
+
|
|
|
+- name: Save vault key
|
|
|
+ copy:
|
|
|
+ dest: "{{ vault_filename }}"
|
|
|
+ content: |
|
|
|
+ {{ vault_key }}
|
|
|
+ owner: root
|
|
|
+ force: yes
|
|
|
+ mode: "{{ vault_file_perm }}"
|
|
|
+ when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
|
|
|
+ tags: init
|
|
|
+
|
|
|
+- name: Encrypt input config file
|
|
|
+ command: >-
|
|
|
+ ansible-vault encrypt {{ login_vars_filename }}
|
|
|
+ --vault-password-file {{ vault_filename }}
|
|
|
+ changed_when: false
|
|
|
+ tags: init
|
|
|
+
|
|
|
+- name: Update login_vars.yml permission
|
|
|
+ file:
|
|
|
+ path: "{{ login_vars_filename }}"
|
|
|
+ mode: "{{ file_perm }}"
|
|
|
+ tags: init
|
abhishek-sa1