Merge branch 'master' into selinux

aknot242 · web-flow · commit bbf0bce22ba2 · 2020-06-19T13:33:46.000-07:00
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable
diff --git a/README.md b/README.md
@@ -91,8 +91,6 @@ This is a sample playbook file for using the role to install NGINX App Protect o
 - hosts: wafs
   become: true
   vars:
-    # Installs NGINX App Protect and all dependencies to the target host
-    app_protect_enable: true
 
     # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
     # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,9 +1,6 @@
 ---
 # defaults file for ansible-role-nginx-app-protect
 
-# Installs NGINX App Protect and all dependencies to the target host
-app_protect_enable: true
-
 # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
 # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
 # Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install.
diff --git a/meta/main.yml b/meta/main.yml
@@ -16,7 +16,6 @@ galaxy_info:
     - name: Debian
       versions:
         - stretch
-        - buster
 
   galaxy_tags:
     - waf
diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst
@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ python3 -m pip install 'molecule[docker]'
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -0,0 +1,23 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    app_protect_enable: true
+    app_protect_install_signatures: true
+    app_protect_configure: true
+    app_protect_security_policy_template_enable: true
+    security_policy_enforcement_mode: blocking
+    app_protect_log_policy_template_enable: true
+    log_policy_filter_request_type: all
+    nginx_conf_template_enable: true
+    log_policy_syslog_target: 10.1.10.105:5144
+    nginx_demo_workload_protocol: http://
+    nginx_demo_workload_host: 10.1.10.105:8080
+    nginx_license: 
+      certificate: "./license/nginx-repo.crt"
+      key: "./license/nginx-repo.key"
+
+  tasks:
+    - name: "Include ansible-role-nginx-app-protect"
+      include_role:
+        name: "ansible-role-nginx-app-protect"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -0,0 +1,18 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: centos-7
+    image: docker.io/pycontribs/centos:7
+    pre_build_image: true
+provisioner:
+  name: ansible
+  log: true
+verifier:
+  name: ansible
+lint: |   
+    yamllint .
+    ansible-lint
+    flake8
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -0,0 +1,9 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  tasks:
+  - name: Example assertion
+    assert:
+      that: true
diff --git a/tasks/configure-app-protect.yml b/tasks/configure-app-protect.yml
@@ -1,7 +1,7 @@
 ---
 - name: "Ensure NGINX Main Directory Exists"
   file:
-    path: "{{ nginx_conf_template.out_file_location}}"
+    path: "{{ nginx_conf_template.out_file_location }}"
     state: directory
   when: app_protect_security_policy_template_enable or app_protect_log_policy_template_enable or nginx_conf_template_enable
 
@@ -31,7 +31,26 @@
     src: "{{ nginx_conf_template.template_file }}"
     dest: "{{ nginx_conf_template.out_file_location }}{{ nginx_conf_template.out_file_name }}"
     backup: true
-  when: nginx_conf_template_enable
+  when:
+    - nginx_conf_template_enable
+    - app_protect_state != "absent"
+
+- name: "Remove NGINX App Protect"
+  block:
+
+    - name: Comment out NGINX App Protect module reference in nginx.conf
+      replace:
+        path: /etc/nginx/nginx.conf
+        regexp: '^([ \t]*load_module.*ngx_http_app_protect_module.so;)'
+        replace: '# \1'
+
+    - name: Comment out NGINX App Protect directives in nginx.conf
+      replace:
+        path: /etc/nginx/nginx.conf
+        regexp: '^([ \t]*app_protect_)'
+        replace: '# \1'
+
+  when: app_protect_state == "absent"
 
 - name: "Reload NGINX"
   debug:
diff --git a/tasks/install-app-protect-linux.yml b/tasks/install-app-protect-linux.yml
@@ -1,27 +1,17 @@
 ---
-- import_tasks: setup-debian.yml
-  when: ansible_os_family == "Debian"
+- name: "Remove NGINX App Protect"
+  block:
 
-- import_tasks: setup-redhat.yml
-  when: ansible_os_family == "RedHat"
+    - import_tasks: setup-debian.yml
+      when: ansible_os_family == "Debian"
+
+    - import_tasks: setup-redhat.yml
+      when: ansible_os_family == "RedHat"
+
+  when: app_protect_state != "absent"
 
 - name: "(Install: Linux) Install NGINX App Protect"
   package:
-    name: "app-protect{{ nginx_version | default('') }}"
+    name: "app-protect{{ app_protect_version | default('') }}"
     state: "{{ app_protect_state }}"
   notify: "(Handler: All OSs) Restart NGINX"
-
-# - name: "Start NGINX App Protect"
-#   service:
-#     name: nginx-app-protect
-#     state: started
-#     enabled: true
-#   when:
-#     - not ansible_check_mode
-
-# - name: "Start NGINX"
-#   service:
-#     name: nginx
-#     state: reloaded
-#   when:
-#     - not ansible_check_mode
diff --git a/tasks/install-app-protect.yml b/tasks/install-app-protect.yml
@@ -5,16 +5,21 @@
     nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
   when: "'nginx-plus' in ansible_facts.packages"
 
+- name: Debug nginx plus version
+  debug:
+    msg: "nginx_plus_version {{ nginx_plus_version }}"
+    verbosity: 2
+
 - name: Fail if NGINX+ version preconditions fail
   assert:
     that:
       - nginx_plus_version is defined
       - nginx_plus_version | int >= 19
-    fail_msg: "'nginx_plus_version' release version must be a minimum of 19 for App Protect. Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
+    fail_msg: >
+      "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
+      Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     quiet: true
 
 - name: "(Install: Linux) Install NGINX Plus"
   import_tasks: install-app-protect-linux.yml
-  # should not be needed, as a check is occurring for this in a higher level playbook is occuring 
-  # when: ansible_os_family in nginx_plus_linux_families
diff --git a/tasks/install-signatures.yml b/tasks/install-signatures.yml
@@ -5,12 +5,19 @@
     nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
   when: "'nginx-plus' in ansible_facts.packages"
 
+- name: Debug nginx plus version
+  debug:
+    msg: "nginx_plus_version {{ nginx_plus_version }}"
+    verbosity: 2
+
 - name: Fail if NGINX+ version preconditions fail
   assert:
     that:
       - nginx_plus_version is defined
       - nginx_plus_version | int >= 19
-    fail_msg: "'nginx_plus_version' release version must be a minimum of 19 for App Protect. Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
+    fail_msg: >
+      "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
+      Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     quiet: true
 
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -21,44 +21,65 @@
     msg: "supported_os {{ supported_os }}"
     verbosity: 2
 
+- name: Debug app_protect_state
+  debug:
+    msg: "app_protect_state {{ app_protect_state }}"
+
 - name: Abort if the OS/version combination is not supported
   fail:
     msg: "NGINX App Protect is not supported on os family {{ ansible_distribution }} version {{ ansible_distribution_version }}"
   when: not supported_os
 
-- include_tasks: prerequisites/install-prerequisites.yml
-  tags: nginx_prerequisites
-
-- import_tasks: keys/apt-key.yml
-  when:
-    - ansible_os_family == "Debian"
-    - app_protect_install_signatures
-  tags: nginx_aptkey
-
-- import_tasks: keys/rpm-key.yml
-  when:
-    - ansible_os_family == "RedHat"
-    - app_protect_install_signatures
-  tags: nginx_rpmkey
-
-- name: "(All OSs) Setup license"
-  include_tasks: setup-license.yml
-  when: app_protect_enable or app_protect_install_signatures
-
-- name: "NGINX App Protect"
-  include_tasks: install-app-protect.yml
-  when: supported_os and app_protect_enable
-
-- name: "NGINX App Protect Signatures"
-  include_tasks: install-signatures.yml
-  when: supported_os and app_protect_install_signatures
-
-- name: "Remove license"
-  include_tasks: delete-license.yml
-  when:
-    - app_protect_delete_license
-  tags: app_protect_delete_license
-
-- name: "Configure NGINX Plus App Protect"
-  include_tasks: configure-app-protect.yml
-  when: supported_os and app_protect_configure
+
+- name: "Install NGINX App Protect"
+  block:
+
+    - include_tasks: prerequisites/install-prerequisites.yml
+      tags: nginx_prerequisites
+
+    - import_tasks: keys/apt-key.yml
+      when:
+        - ansible_os_family == "Debian"
+        - app_protect_install_signatures
+      tags: nginx_aptkey
+
+    - import_tasks: keys/rpm-key.yml
+      when:
+        - ansible_os_family == "RedHat"
+        - app_protect_install_signatures
+      tags: nginx_rpmkey
+
+    - name: "(All OSs) Setup license"
+      import_tasks: setup-license.yml
+      when: app_protect_install_signatures
+
+    - name: "Install NGINX App Protect"
+      import_tasks: install-app-protect.yml
+
+    - name: "NGINX App Protect Signatures"
+      import_tasks: install-signatures.yml
+      when: app_protect_install_signatures
+
+    - name: "Remove license"
+      import_tasks: delete-license.yml
+      when:
+        - app_protect_delete_license
+      tags: app_protect_delete_license
+
+    - name: "Configure NGINX App Protect"
+      import_tasks: configure-app-protect.yml
+      when: app_protect_configure
+
+  when: app_protect_state != "absent"
+
+- name: "Remove NGINX App Protect"
+  block:
+
+    - name: "Remove NGINX App Protect"
+      import_tasks: install-app-protect.yml
+
+    - name: "Disable NGINX App Protect Configuration"
+      import_tasks: configure-app-protect.yml
+      when: app_protect_configure
+
+  when: app_protect_state == "absent"
diff --git a/tasks/setup-redhat.yml b/tasks/setup-redhat.yml
@@ -26,4 +26,3 @@
     gpgcheck: true
     state: "{{ nginx_license_status | default ('present') }}"
   when: ansible_distribution != "Amazon"
-
