Accept strings and lists for ssh_allow_users

[schurzi]

This makes our ssh_hardening role accept both strings and lists for ssh_allow_users.

@rndmh3ro WDYT?

Initially I thought this may be a good idea to allow more flexible use. But there is also an overlap with our documentation that states this should be a string since a long time. Also if we allow two types to be passed here we cannot use argument spec to check the variable anymore.

The alternative would be to add a type check to argument spec and simply fail before executing.

closes #838

[rndmh3ro]

It would be more flexible, yes. If we could do it in a backwards compatible way, it would be best.

Also if we allow two types to be passed here we cannot use argument spec to check the variable anymore.

We could use an assert-task for this, but I'm not really a fan.

We could also introduce a new variable ssh_allow_users_list and use this, if it exists, otherwise the string.. However this could also be complicated, e.g. what happens when both are set.

The alternative would be to add a type check to argument spec and simply fail before executing.

Can you expand on what you mean with this?

[schurzi]

It would be more flexible, yes. If we could do it in a backwards compatible way, it would be best.

Well the current proposal is backwards compatible but a bit ugly since the checks for list or string in YAML are difficult. Basically every string is also a list, so I cannot check explicitly for iterable but need to check for string.

We could use an assert-task for this, but I'm not really a fan.

Yeah, thought about that, also not a fan. This is what argument spec is for.

We could also introduce a new variable ssh_allow_users_list and use this, if it exists, otherwise the string.. However this could also be complicated, e.g. what happens when both are set.

We could just concantenate them but then we would have two variable to set users. Not a bad thing, but also not easy to understand for a new user. Seems a bit overkill here.

The alternative would be to add a type check to argument spec and simply fail before executing.

Can you expand on what you mean with this?

Currently we do not check the datatype of ssh_allow_users. In the documentation it is stated, that we accept only string for this, but since we have not added it to argument spec, no hard check is performed. Once we add the type: string to argument spec a user using a list would get an error message.

see:

ansible-collection-hardening/roles/ssh_hardening/meta/argument_specs.yml

Lines 129 to 132 in ac522c4

	ssh_allow_users:
	default: ''
	description: if specified, login is allowed only for user names that match
	one of the patterns.