Support fixed mirror

defaults/main.yml

@@ -12,3 +12,6 @@ auth_duo_settings:
     value: someskey
   - key: host
     value: somehost
+
+auth_duo_specify_mirror: false
+auth_duo_mirror_url: ~

molecule/default/prepare.yml

@@ -2,9 +2,11 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Ensure openssh installed
+    - name: Ensure Pre-Requisites are installed
       yum:
-        name: openssh-server, openssh-clients, sshpass
+        name: >
+          openssh-server, openssh-clients, 
+          sshpass, passwd
         state: installed
 
     - name: Ensure sshd is running

molecule/fixed-mirror/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule[docker]'

molecule/fixed-mirror/converge.yml

@@ -0,0 +1,18 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include role under test"
+      include_role:
+        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      vars:
+        auth_duo_settings:
+          - key: ikey
+            value: "{{ lookup('env', 'AUTH_DUO_IKEY') }}"
+          - key: skey
+            value: "{{ lookup('env', 'AUTH_DUO_SKEY') }}" 
+          - key: host
+            value: "{{ lookup('env', 'AUTH_DUO_HOST') }}"
+        auth_duo_specify_mirror: true
+        auth_duo_mirror_url: https://yum-proxy.ultrafastfibre.co.nz/duo
+

molecule/fixed-mirror/molecule.yml

@@ -0,0 +1,17 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: ${MOLECULE_DISTRO:-almalinux8}-role-auth-duo
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    image: "cybercinch/docker-${MOLECULE_DISTRO:-almalinux8}-ansible:latest"
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/fixed-mirror/prepare.yml

@@ -0,0 +1,24 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Ensure Pre-Requisites are installed
+      yum:
+        name: >
+          openssh-server, openssh-clients, 
+          sshpass, passwd
+        state: installed
+
+    - name: Ensure sshd is running
+      service:
+        name: sshd
+        state: started
+        enabled: true
+        
+    - name: Ensure nologin files are absent
+      file: 
+        path: "{{ item }}"
+        state: absent
+      with_items: 
+        - /etc/nologin
+        - /var/run/nologin

molecule/fixed-mirror/verify.yml

@@ -0,0 +1,28 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  pre_tasks: 
+    - name: Create test user
+      shell: 
+        cmd: adduser "auth_duo_test" && echo "password" | passwd "auth_duo_test" --stdin
+  tasks:
+  - name: Try and Login as test user
+    shell: |
+      /usr/bin/sshpass -v -p password \
+      /usr/bin/ssh -tt -o "UserKnownHostsFile=/dev/null" \
+      -o "StrictHostKeyChecking=no" \
+      auth_duo_test@localhost > /tmp/sshtest 2>&1 | tee /tmp/sshtest
+    async: 20
+    poll: 10
+    ignore_errors: true
+  
+  - name: Retrieve SSH login info from file
+    slurp:
+      src: /tmp/sshtest
+    register: slurpfile
+
+  - name: Did duo prompt show?
+    assert:
+      that: "'Duo two-factor login for' in slurpfile['content'] | b64decode"

tasks/duo-repo.yml

@@ -5,7 +5,7 @@
     state: present
 
 - name: Ensure duo repository is present
-  copy:
-    src: etc.yum.repos.d.duosecurity
+  template:
+    src: etc.yum.repos.d.duosecurity.j2
     dest: /etc/yum.repos.d/duosecurity.repo
     

templates/etc.yum.repos.d.duosecurity.j2

@@ -0,0 +1,10 @@
+## Managed by Ansible ##
+[duosecurity]
+name=Duo Security Repository
+{% if auth_duo_specify_mirror is sameas true %}
+baseurl={{ auth_duo_mirror_url }}/RedHat/{{ ansible_distribution_major_version }}Server/$basearch
+{% else %}
+baseurl=https://pkg.duosecurity.com/RedHat/{{ ansible_distribution_major_version }}Server/$basearch
+{% endif %}
+enabled=1
+gpgcheck=1