diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index 38fe90a..efe6f99 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -7,26 +7,104 @@ jobs: test: runs-on: docker + strategy: + fail-fast: false + matrix: + include: + - distro: debian + image: docker.io/library/debian:13 + python: python3 + - distro: almalinux + image: docker.io/library/almalinux:9 + python: python3.11 + + container: + image: ${{ matrix.image }} + steps: + - name: Install system dependencies + env: + DISTRO: ${{ matrix.distro }} + PYTHON_BIN: ${{ matrix.python }} + run: | + set -eux + + case "${DISTRO}" in + debian) + mkdir -m 755 -p /etc/apt/keyrings + apt-get update + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + ca-certificates curl gnupg git tar gzip findutils bash nodejs procps \ + ansible ansible-lint python3 python3-venv python3-pip pipx systemctl python3-apt jq python3-jsonschema \ + puppet hiera + curl -fsSL https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public | gpg --dearmor | tee /etc/apt/keyrings/salt-archive-keyring.pgp > /dev/null + curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.sources | tee /etc/apt/sources.list.d/salt.sources + apt-get update + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + salt-master salt-minion salt-ssh salt-syndic salt-cloud salt-api + ;; + almalinux) + dnf -y upgrade --refresh + dnf -y install \ + ca-certificates curl-minimal gnupg2 git tar gzip findutils bash which jq nodejs procps-ng \ + dnf-plugins-core epel-release + dnf -y config-manager --set-enabled crb || true + curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo > /etc/yum.repos.d/salt.repo + dnf -y install https://yum.puppet.com/puppet8-release-el-9.noarch.rpm + dnf -y makecache + dnf -y install \ + python3.11 python3.11-devel python3.11-pip gcc make \ + ansible-core ansible-lint systemd rpm httpd \ + puppet-agent \ + salt-master salt-minion salt-ssh salt-syndic salt-cloud salt-api + echo "/opt/puppetlabs/bin" >> "$GITHUB_PATH" + ;; + *) + echo "Unsupported CI distro: ${DISTRO}" >&2 + exit 1 + ;; + esac + - name: Checkout uses: actions/checkout@v4 - - name: Install system dependencies - run: | - apt-get update - DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - ansible ansible-lint python3-venv pipx systemctl python3-apt jq python3-jsonschema - - name: Install Poetry + env: + PYTHON_BIN: ${{ matrix.python }} + POETRY_VERSION: "2.4.1" run: | - pipx install poetry==1.8.3 - /root/.local/bin/poetry --version + set -eux + if ! command -v pipx >/dev/null 2>&1; then + "${PYTHON_BIN}" -m pip install --user pipx + fi + PIPX_BIN="$(command -v pipx || true)" + if [ -z "${PIPX_BIN}" ]; then + PIPX_BIN="${HOME}/.local/bin/pipx" + fi + "${PIPX_BIN}" install --python "${PYTHON_BIN}" "poetry==${POETRY_VERSION}" echo "$HOME/.local/bin" >> "$GITHUB_PATH" + export PATH="$HOME/.local/bin:$PATH" + poetry --version + poetry --version | grep -E "Poetry \(version 2\." - name: Install project deps (including test extras) + env: + PYTHON_BIN: ${{ matrix.python }} run: | + poetry env use "${PYTHON_BIN}" poetry install --with dev + - name: Install sops + run: | + set -eux + case "$(uname -m)" in + x86_64) sops_arch=amd64 ;; + aarch64|arm64) sops_arch=arm64 ;; + *) echo "Unsupported architecture for sops: $(uname -m)" >&2; exit 1 ;; + esac + curl -L -o /usr/local/bin/sops "https://github.com/getsops/sops/releases/download/v3.13.1/sops-v3.13.1.linux.${sops_arch}" + chmod +x /usr/local/bin/sops + - name: Run test script run: | ./tests.sh diff --git a/.gitignore b/.gitignore index 07c956d..73e6c37 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,6 @@ dist *.pdf *.csv *.html +coverage.xml +*.orig +*.rej diff --git a/CHANGELOG.md b/CHANGELOG.md index ef94a82..e3e6942 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,22 @@ +# 0.7.0 (unreleased) + + * BREAKING CHANGE: Group all package and systemd-unit roles into Debian Section/RPM Group roles by default, including managed config files and unit state. This mode is not used if `--fqdn` or `--no-common-roles` is set, in which case, the traditional behaviour of preserving one role per package/unit is used instead. + * BREAKING CHANGE: Only capture user-specific .bashrc style files when using `--dangerous` mode, in case they contain sensitive env vars. + * BREAKING CHANGE: Don't allow reading `.enroll.ini` in the CWD. Use only the ENROLL_CONFIG env var, an explicit `--config` path or else the XDG default location (or `~/.config/enroll/enroll.ini` if `XDG_CONFIG_HOME` is not set). + * Detect active sysctl parameters and write them to a `/etc/sysctl.d/99-enroll.conf` file + * Use `no_log` on systemd unit interrogations to suppress potential sensitive output when applying Ansible + * Support manifesting Puppet code, as well as Ansible! + * Support manifesting Salt code, as well as Ansible and Puppet! + * Take advantage of Jinjaturtle 0.5.5 if it's present, to render .erb templates for Puppet (as well as j2 for Ansible and Salt) + * A lot of under-the-bonnet refactoring to make it easier to extend to cover other config managers (that don't suck) in future. + * Support for detecting Docker and Podman images and enforcing their presence (by SHA256 hash). + * Add support for detecting Flatpaks and Snaps. + * Stricter validation of harvests to ensure that they meet the schema and don't contain unsafe artifacts (e.g symlinks pointing outside the artifact tree) + * Perform harvest validation before trying to manifest from it. + * Stricter validation on FQDN name in multisite mode. + * Strict check of `$PATH` when running harvest as root, in case it could lead to execution of unsafe binaries during harvest. Override with `--assume-safe-path` for non-interactive or CI purposes. + * Stricter validation of the destination dirs that harvest or manifest write to, to prevent writing to a different user-controlled area. Stricter permissions on the output dirs too. + # 0.6.0 * Add support for capturing ipset and iptables configuration files diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md new file mode 100644 index 0000000..b5ba7cb --- /dev/null +++ b/DEVELOPMENT.md @@ -0,0 +1,2007 @@ +# Enroll Development Guide + +Interested in the internals of Enroll? + +This guide describes the current `enroll` codebase for maintainers. It focuses on how the project is organised, what calls what, how harvest state flows into generated configuration-management output, and which invariants matter when changing the code. + +--- + +## 1. What Enroll does + +`enroll` is a Linux host inspection and configuration-management generation tool. + +Its core pipeline is: + +```text +Running Linux host + | + | enroll harvest + v +Harvest bundle + state.json + artifacts// + | + | enroll manifest --target ansible|puppet|salt + v +Generated configuration-management output + Ansible roles/playbook + Puppet modules/site.pp/Hiera data + Salt states/pillar data +``` + +The harvest bundle is deliberately target-neutral. Ansible, Puppet, and Salt renderers all consume the same `state.json` shape and the same harvested artifacts. Renderer code should translate harvest state into the target's idioms; it should not invent source facts that belong in the harvest. + +`enroll diff` is also built around harvest bundles. It compares two harvests and, when `--enforce` is requested, can generate a temporary manifest from the old harvest and apply it locally with the selected target: + +```bash +enroll diff --old ./baseline --new ./current --enforce --target ansible +enroll diff --old ./baseline --new ./current --enforce --target puppet +enroll diff --old ./baseline --new ./current --enforce --target salt +``` + +For enforcement, the user is responsible for having the chosen local apply tool on `PATH`: `ansible-playbook`, `puppet`, or `salt-call`. + +--- + +## 2. Repository layout + +The project is a single Python package under `enroll/` with tests under `tests/`. + +```text +enroll/ + __main__.py python -m enroll entry point + cli.py argparse CLI and subcommand dispatcher + version.py package version lookup + + harvest.py top-level local harvest orchestration and runtime helpers + harvest_types.py dataclasses persisted into state.json + harvest_collectors/ feature-specific collectors used by harvest.py + context.py HarvestContext and HarvestCollector base + runtime.py root-only runtime state collector wrapper + cron_logrotate.py cron/logrotate unification collector + services.py systemd service + manual package collector + users.py users, SSH public files, Flatpak, Snap collector + package_manager.py apt/dnf/yum config collectors + container_images.py Docker/Podman image collector + paths.py /usr/local and --include-path collectors + + manifest.py target router and SOPS manifest wrapper + ansible.py Ansible renderer + puppet.py Puppet renderer + salt.py Salt renderer + cm.py renderer-neutral CMModule model and grouping helpers + role_names.py reserved singleton role-name protection + + accounts.py users, SSH public files, Flatpak and Snap discovery + platform.py OS/package-backend abstraction + debian.py dpkg/apt helpers + rpm.py rpm/dnf/yum helpers + systemd.py systemctl wrappers and parsers + system_paths.py known config paths and filesystem scanners + package_hints.py service/package name and config attribution helpers + + capture.py safe file/symlink capture into artifacts/ + fsutil.py file md5 + owner/group/mode helpers + ignore.py secret/noise avoidance policy + pathfilter.py --include-path / --exclude-path matching and expansion + state.py state.json load/write helpers + yamlutil.py YAML helpers used by renderers/JinjaTurtle + jinjaturtle.py optional config-file templating integration + + diff.py harvest comparison, notifications, and target-selected enforcement + explain.py human/JSON explanation of harvest contents + validate.py schema and artifact consistency validation + remote.py Paramiko remote harvest implementation + cache.py secure local cache directories for harvests + sopsutil.py SOPS binary encryption/decryption helpers + schema/state.schema.json JSON Schema for harvest state + +tests/ + test_*.py unit tests grouped mostly by module/feature +``` + +The installed command is configured in `pyproject.toml`: + +```toml +[tool.poetry.scripts] +enroll = "enroll.cli:main" +``` + +`python -m enroll` calls the same CLI through `enroll/__main__.py`. + +--- + +## 3. Main runtime flows + +### 3.1 CLI entry flow + +All user-facing commands enter through `enroll.cli.main()`. + +```text +enroll command + -> enroll.cli.main() + -> builds argparse parser and subparsers + -> discovers optional INI config file + -> injects config-derived argv defaults before user argv + -> parses final argv + -> dispatches by args.cmd +``` + +The supported subcommands are: + +```text +harvest collect a harvest bundle from a local or remote host +manifest generate Ansible/Puppet/Salt output from a harvest bundle +single-shot run harvest and manifest in one command +diff compare two harvest bundles and optionally enforce old state +explain produce a human/JSON explanation of a harvest +validate validate state.json and referenced artifacts +``` + +`cli.py` should stay orchestration-heavy, not domain-heavy. It should parse flags, handle config/SOPS/remote branching, and then call the relevant module. It should not contain the meaning of a service, package, user, file, renderer resource, or harvest snapshot. + +### 3.2 Subcommand call graph + +```mermaid +flowchart TD + A[enroll.cli.main] --> B{args.cmd} + B -->|harvest local| C[harvest.harvest] + B -->|harvest remote| D[remote.remote_harvest] + B -->|manifest| E[manifest.manifest] + B -->|single-shot local| C + B -->|single-shot remote| D + C --> E + D --> E + B -->|diff| F[diff.compare_harvests] + F --> G[diff.format_report] + F --> H{--enforce?} + H -->|yes| I[diff.enforce_old_harvest] + I --> J[manifest.manifest target=ansible|puppet|salt] + J --> K[ansible-playbook or puppet apply or salt-call] + B -->|explain| L[explain.explain_state] + B -->|validate| M[validate.validate_harvest] +``` + +Important dependency direction: + +```text +cli.py + depends on harvest.py, manifest.py, diff.py, explain.py, validate.py, remote.py + +harvest.py + depends on harvest_collectors, platform backends, capture policy, system scanners + +manifest.py + depends on ansible.py, puppet.py, salt.py + +ansible.py / puppet.py / salt.py + depend on state.py, cm.py, harvested artifacts, and target-specific helpers +``` + +--- + +## 4. Harvest bundles + +A plaintext harvest bundle is a directory: + +```text +/ + state.json + artifacts/ + / + etc/... + usr/local/... + sysctl/... + firewall/... +``` + +`state.json` is written by `enroll.state.write_state()` and loaded by `enroll.state.load_state()`. + +The renderer relies on this invariant: + +```text +state.json roles.*.managed_files[*].src_rel + must correspond to +artifacts// +``` + +For example, a captured `/etc/nginx/nginx.conf` in role `nginx` normally becomes: + +```json +{ + "path": "/etc/nginx/nginx.conf", + "src_rel": "etc/nginx/nginx.conf", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "modified_conffile" +} +``` + +and the artifact is copied to: + +```text +artifacts/nginx/etc/nginx/nginx.conf +``` + +Renderer role/module names can differ from artifact roles, especially when common grouping is enabled. Copy helpers must therefore pass the original artifact role, not blindly use the generated renderer module name. + +--- + +## 5. `state.json` shape and snapshot dataclasses + +The top-level state assembled by `harvest.harvest()` is: + +```json +{ + "enroll": { + "version": "...", + "harvest_time": 123456789 + }, + "host": { + "hostname": "...", + "os": "debian|redhat|unknown", + "pkg_backend": "dpkg|rpm|unknown", + "os_release": {} + }, + "inventory": { + "packages": {} + }, + "roles": { + "users": {}, + "flatpak": {}, + "snap": {}, + "container_images": {}, + "services": [], + "packages": [], + "apt_config": {}, + "dnf_config": {}, + "firewall_runtime": {}, + "sysctl": {}, + "etc_custom": {}, + "usr_local_custom": {}, + "extra_paths": {} + } +} +``` + +The persisted in-memory shapes live in `enroll/harvest_types.py`. + +| Dataclass | Purpose | +|---|---| +| `ManagedFile` | A file to recreate, with destination path, artifact path, owner, group, mode, and reason. | +| `ManagedLink` | A symlink to recreate, such as `sites-enabled` entries. | +| `ManagedDir` | A directory to ensure exists, with owner/group/mode. | +| `ExcludedFile` | A path that was considered but skipped, with a reason. | +| `ServiceSnapshot` | One enabled systemd service and its packages/config/state. | +| `PackageSnapshot` | One manual package and related config. `has_config=False` is used when the package should still be installed but no config was found. | +| `UsersSnapshot` | Human users, groups, managed SSH/dotfiles, and per-user Flatpak data. | +| `FlatpakSnapshot` | System Flatpaks and system Flatpak remotes. | +| `SnapSnapshot` | System Snap installs. | +| `ContainerImagesSnapshot` | Docker/Podman image metadata. | +| `AptConfigSnapshot` / `DnfConfigSnapshot` | Package-manager configuration. | +| `EtcCustomSnapshot` | Unowned/custom `/etc` config not attributed elsewhere. | +| `UsrLocalCustomSnapshot` | Selected `/usr/local/etc` files and executable `/usr/local/bin` files. | +| `ExtraPathsSnapshot` | User-requested `--include-path` files/directories. | +| `FirewallRuntimeSnapshot` | Generated artifacts from live ipset/iptables state. | +| `SysctlSnapshot` | Generated `/etc/sysctl.d/99-enroll.conf` from live writable sysctls. | + +The JSON Schema in `enroll/schema/state.schema.json` is the validation contract for persisted harvests. + +--- + +## 6. Harvest orchestration + +The local harvest entry point is: + +```python +enroll.harvest.harvest( + bundle_dir, + policy=None, + dangerous=False, + include_paths=None, + exclude_paths=None, +) +``` + +It returns the path to the written `state.json`. + +### 6.1 High-level harvest order + +The order matters because harvest maintains a global set of captured destination paths. Once a path is captured into one role, later collectors normally skip it. + +```mermaid +flowchart TD + A[harvest.harvest] --> B[Build IgnorePolicy and PathFilter] + B --> C[detect_platform + get_backend] + C --> D[backend.build_etc_index] + D --> E[RuntimeStateCollector] + E --> F[CronLogrotateCollector] + F --> G[ServicePackageCollector] + G --> H[UsersCollector] + H --> I[ContainerImagesCollector] + I --> J[PackageManagerConfigCollector] + J --> K[etc_custom scan inside harvest.py] + K --> L[UsrLocalCustomCollector] + L --> M[ExtraPathsCollector] + M --> N[Build inventory.packages] + N --> O[Add parent ManagedDir entries] + O --> P[state.write_state] +``` + +### 6.2 `HarvestContext` + +`HarvestContext` lives in `harvest_collectors/context.py`. It is passed to collectors instead of passing many individual dependencies. + +```python +@dataclass +class HarvestContext: + bundle_dir: str + policy: IgnorePolicy + path_filter: PathFilter + platform: Dict[str, Any] + backend: Any + installed_pkgs: Dict[str, Any] + installed_names: Set[str] + owned_etc: Set[str] + etc_owner_map: Dict[str, str] + topdir_to_pkgs: Dict[str, Set[str]] + pkg_to_etc_paths: Dict[str, List[str]] + captured_global: Set[str] +``` + +New collectors should generally accept a `HarvestContext` and return dataclass snapshots from `harvest_types.py`. + +### 6.3 Global de-duplication + +The harvester tries to avoid two generated roles owning the same destination path. This avoids duplicate config-manager resources and confusing diffs. + +`captured_global` is passed into `capture.capture_file()` and `capture.capture_link()`. If a destination path has already been seen, later collection attempts return without capturing it again. + +This is one of the most important invariants in the project: + +> A destination path should normally appear in only one generated role. + +Puppet and Salt also run `cm.resolve_catalog_conflicts()` after renderer role collection because they compile a single global catalog and duplicate resources are hard failures. + +--- + +## 7. File capture and safety policy + +### 7.1 `capture_file()` + +`capture.capture_file()` decides whether to copy a file into `artifacts/` and record it in a snapshot. + +```text +capture_file(abs_path, role_name, reason, policy, path_filter, ...) + -> skip if already seen globally or in this role + -> skip if --exclude-path matches + -> ask IgnorePolicy.inspect_file(abs_path) + -> open the source through fsutil.open_no_follow_path() + -> reject symlinks in any path component, not only the leaf + -> fstat() the opened descriptor + -> reject non-regular or over-size files + -> read the exact bytes from that descriptor + -> scan those bytes for binary/secret content unless dangerous + -> use the inspected fstat() for owner/group/mode metadata + -> write the inspected bytes to artifacts// + with no-follow destination creation + -> append ManagedFile + -> mark seen in role/global +``` + +This ordering is intentional. Enroll should not scan one file and later copy a different file after a race. When `IgnorePolicy.inspect_file()` succeeds, `capture_file()` writes the exact bytes that were inspected and uses the same descriptor's stat metadata. + +`fsutil.stat_triplet()` and `stat_triplet_from_stat()` return owner, group, and a zero-padded octal mode string. They fall back to numeric uid/gid strings if user/group names cannot be resolved. + +### 7.2 `capture_link()` + +`capture.capture_link()` records symlinks as `ManagedLink` entries rather than copying their targets. It is used for meaningful enablement symlinks, especially in nginx/apache-style trees such as: + +```text +/etc/nginx/sites-enabled/* +/etc/nginx/modules-enabled/* +/etc/apache2/conf-enabled/* +/etc/apache2/mods-enabled/* +/etc/apache2/sites-enabled/* +``` + +### 7.3 User shell dotfiles + +`capture.capture_user_shell_dotfiles()` is called by `UsersCollector`, but only enabled when the harvest policy is dangerous. + +In dangerous mode: + +- `.bashrc`, `.profile`, and `.bash_logout` are captured only if they differ from `/etc/skel` baselines. +- `.bash_aliases` is captured if present because there may be no skel baseline. + +Outside dangerous mode, Enroll records a note explaining that shell dotfiles were not auto-harvested. Users can still include specific files via `--include-path`, but the normal `IgnorePolicy` still applies unless `--dangerous` is also used. + +### 7.4 `IgnorePolicy` + +`ignore.IgnorePolicy` is the default secret/noise avoidance layer. + +By default it skips likely sensitive or low-value files such as: + +- `/etc/shadow`, `/etc/gshadow`, and backup variants, +- SSH host private keys, +- private SSL/Let's Encrypt material, +- log files and editor backups, +- files larger than `max_file_bytes` (`256_000` by default), +- binary-like files except known keyring formats, +- sampled non-comment content that looks sensitive, such as private keys, `password=`, `token`, `secret`, or `api_key`. + +`--dangerous` sets `policy.dangerous = True`, disabling deny-globs and content sniffing. This is intentional and should remain explicit. + +The policy has separate methods for different filesystem types: + +- `deny_reason(path)` for regular files, +- `deny_reason_dir(path)` for directories, +- `deny_reason_link(path)` for symlinks. + +### 7.5 `PathFilter` + +`pathfilter.PathFilter` implements user-supplied path controls: + +- `--include-path` adds extra files/directories to the `extra_paths` role. +- `--exclude-path` removes matching paths from all harvesting. +- Excludes always win over includes. + +Pattern styles: + +```text +/plain/path exact path or directory-prefix match +glob:/path/**/*.x forced glob +/path/**/*.x inferred glob because it contains glob characters +re:^/path/...$ regex +regex:^/path/...$ regex +``` + +`expand_includes()` is conservative: it ignores symlinks, respects excludes, caps file counts, and returns notes for unmatched patterns or caps. + +### 7.6 Output, artifact, and cache safety helpers + +Several safety helpers protect privileged runs from following attacker-controlled paths: + +- `fsutil.open_no_follow_path()` opens source and artifact paths component-by-component, rejecting symlinked parent directories as well as symlinked leaf files. +- `harvest_safety.prepare_new_private_dir()` is used for user-facing plaintext output directories such as `harvest --out` and default manifest output; it refuses existing final paths and creates `0700` directories. +- `harvest_safety.ensure_safe_output_parent()` is used when writing output files such as reports or encrypted SOPS bundles. It validates parents before staging a temporary file and atomically replacing the final path. +- `harvest_safety.ensure_private_dir()` is used for persistent internal directories such as Enroll's cache root. Existing directories are allowed, but symlink components and unsafe root-run parents are refused. +- `cache.new_harvest_cache_dir()` creates unpredictable per-harvest cache directories beneath the hardened cache root with `mkdtemp()` and private permissions. +- `manifest_safety.safe_artifact_file()` validates referenced harvested artifacts before renderers copy them. It rejects absolute or `..` paths, symlinks, non-regular files, hardlinks, and paths that resolve outside the artifact root. +- `manifest_safety.prepare_manifest_output_dir()` refuses unsafe manifest output paths. In `--fqdn` site mode, where an existing tree is intentionally reused, it walks the existing output tree and refuses symlinks before merging generated files. + +When adding a new code path that writes plaintext host state, prefer these helpers over raw `mkdir(parents=True)`, `open()`, `shutil.copy*()`, or `tar.extract*()`. + +--- + +## 8. Platform and package backends + +`platform.py` abstracts distribution-specific package behaviour. + +```text +platform.detect_platform() + -> reads /etc/os-release + -> returns PlatformInfo(os_family, pkg_backend, os_release) + +platform.get_backend(info) + -> DpkgBackend for Debian-like systems + -> RpmBackend for RedHat/Fedora-like systems +``` + +The backend interface is `PackageBackend`: + +```python +owner_of_path(path) +list_manual_packages() +installed_packages() +build_etc_index() +specific_paths_for_hints() +is_pkg_config_path(path) +modified_paths(pkg, paths) +``` + +### 8.1 Debian backend + +`DpkgBackend` delegates to `debian.py`. + +It uses dpkg/apt data to provide package ownership, manual package lists, installed package inventory, `/etc` indexes, conffile hashes, and packaged-file md5 baselines. + +`DpkgBackend.modified_paths()` identifies: + +- `modified_conffile` when a dpkg conffile hash differs, +- `modified_packaged_file` when a packaged file md5 differs. + +It deliberately leaves `/etc/apt`-style package-manager configuration for the `apt_config` role. + +### 8.2 RPM backend + +`RpmBackend` delegates to `rpm.py`. + +It provides package ownership, manual package lists, installed package inventory, `/etc` indexes, RPM config file lists, and `rpm -V` style modified-file detection. + +RPM-family package-manager config paths such as `/etc/dnf`, `/etc/yum`, `/etc/yum.conf`, `/etc/yum.repos.d`, and `/etc/pki/rpm-gpg` are collected into `dnf_config`, not arbitrary package roles. + +### 8.3 Adding a new package backend + +To support another package system: + +1. implement a `PackageBackend` subclass, +2. route it from `platform.get_backend()`, +3. provide ownership lookup, manual package listing, installed package inventory, `/etc` indexing, modified config detection, and package-manager config exclusion, +4. add backend tests comparable to `test_debian.py`, `test_rpm.py`, and `test_platform.py`. + +--- + +## 9. Harvest collectors in detail + +Collectors live under `enroll/harvest_collectors/`. + +### 9.1 `RuntimeStateCollector` + +File: `harvest_collectors/runtime.py` + +This wrapper collects root-only live runtime state: + +- writable sysctl state, +- live ipset state, +- live IPv4 iptables state, +- live IPv6 iptables state. + +The actual helper implementations currently live in `harvest.py`: + +- `_collect_sysctl_snapshot()`, +- `_collect_firewall_runtime_snapshot()`, +- `_parse_sysctl_a_output()`, +- `_iptables_save_has_state()`, +- `_ipset_save_has_state()`. + +If the process is not root, runtime capture returns empty snapshots with explanatory notes. + +#### Sysctl capture + +Sysctl capture runs `sysctl -a`, filters to writable/persistable single-line keys, and writes a generated artifact: + +```text +artifacts/sysctl/sysctl/99-enroll.conf +``` + +The destination managed by renderers is: + +```text +/etc/sysctl.d/99-enroll.conf +``` + +The filter skips volatile/action/identity keys and inactive mutually-exclusive zero values. This avoids generating config that fails or is noisy on replay. + +#### Firewall runtime capture + +Runtime firewall capture is a fallback. Enroll first checks for persistent firewall config such as: + +```text +/etc/iptables/rules.v4 +/etc/iptables/rules.v6 +/etc/sysconfig/iptables +/etc/sysconfig/ip6tables +/etc/ipset.conf +/etc/ipset/* +``` + +If persistent files exist for a family, live runtime capture for that family is skipped. If no persistent file exists and live state is meaningful, Enroll writes generated artifacts such as: + +```text +artifacts/firewall_runtime/firewall/ipset.save +artifacts/firewall_runtime/firewall/iptables.v4 +artifacts/firewall_runtime/firewall/iptables.v6 +``` + +Renderers should only create a firewall runtime role when at least one runtime artifact exists. When firewall runtime is rendered, Ansible/Puppet/Salt also create an `enroll_runtime` role/module/state to own `/etc/enroll` before `/etc/enroll/firewall`. + +### 9.2 `CronLogrotateCollector` + +File: `harvest_collectors/cron_logrotate.py` + +This collector runs before service/package collection to prevent cron and logrotate snippets from being scattered across unrelated roles. + +It detects cron packages such as `cron`, `cronie`, `cronie-anacron`, `vixie-cron`, and `fcron`, and detects `logrotate` separately. + +It captures cron-related paths such as: + +```text +/etc/crontab +/etc/cron.d/* +/etc/cron.hourly/* +/etc/cron.daily/* +/var/spool/cron/* +/var/spool/crontabs/* +/var/spool/anacron/* +``` + +It captures logrotate paths such as: + +```text +/etc/logrotate.conf +/etc/logrotate.d/* +``` + +It returns `PackageSnapshot` objects for `cron` and `logrotate` when those packages exist. + +### 9.3 `ServicePackageCollector` + +File: `harvest_collectors/services.py` + +This collector produces: + +- `ServiceSnapshot` objects for enabled systemd services, +- `PackageSnapshot` objects for manual packages not already covered by services, +- alias maps used by later `/etc` attribution, +- `seen_by_role` state reused by later collectors. + +For each enabled service it: + +1. derives a safe role name from the unit, +2. queries systemd metadata, +3. infers packages from the unit fragment owner, `ExecStart`, and related `/etc` topdirs, +4. collects unit drop-ins, environment files, distro-specific likely config files, and modified package-owned config, +5. collects related unowned `/etc/` and `/etc/.d` files, +6. captures candidates with `capture_file()`, +7. builds a `ServiceSnapshot`. + +It also collects timer override files. If a timer triggers a known service, timer files are attached to that service snapshot. Otherwise, the timer is associated with inferred packages. + +Manual packages are processed after services. Packages already covered by service snapshots are not duplicated as standalone package roles. Packages with no detected config are still represented with `has_config=False` so renderers can install them. + +Known enablement symlinks for nginx/apache are captured as `ManagedLink` entries at the end of the collector. + +### 9.4 `UsersCollector` + +File: `harvest_collectors/users.py` + +This collector returns a `UsersCollection` containing: + +- `UsersSnapshot`, +- `FlatpakSnapshot`, +- `SnapSnapshot`. + +User discovery is in `accounts.collect_non_system_users()`. It reads `/etc/login.defs`, `/etc/passwd`, `/etc/group`, home directories, and user Flatpak installs. It filters out users below `UID_MIN`, `root`, `nobody`, and non-login shells such as `nologin` and `/bin/false`. + +Default user file capture is intentionally narrow: + +- `authorized_keys`, +- safe public SSH material where supported by helpers. + +Automatic shell dotfile capture only runs in dangerous mode. + +The same collector discovers: + +- system Flatpaks, +- system Flatpak remotes, +- per-user Flatpaks, +- per-user Flatpak remotes, +- system Snaps. + +### 9.5 `ContainerImagesCollector` + +File: `harvest_collectors/container_images.py` + +This collector inspects Docker and Podman image caches when the relevant engine exists. + +For each engine it: + +1. runs ` image ls -q --no-trunc`, +2. inspects images in chunks with ` image inspect ...`, +3. normalises image IDs, tags, digests, OS/architecture/platform fields, and tag aliases, +4. prefers digest-pinned pull refs from `RepoDigests`. + +Renderers only enforce exact pull state for images with a usable digest. Images with only local tags and no digest are represented with notes rather than fake reproducibility. + +### 9.6 `PackageManagerConfigCollector` + +File: `harvest_collectors/package_manager.py` + +This collector emits a dedicated package-manager config snapshot: + +- `apt_config` on dpkg systems, +- `dnf_config` on rpm systems. + +APT capture includes `/etc/apt`, sources, `.sources` files, trusted keyrings, and keyrings referenced through `signed-by` / `Signed-By`. + +DNF/YUM capture includes `/etc/dnf`, `/etc/yum`, `/etc/yum.conf`, `/etc/yum.repos.d/*.repo`, and `/etc/pki/rpm-gpg/*`. + +### 9.7 `etc_custom` scan + +`etc_custom` is still assembled inside `harvest.harvest()` rather than in its own collector. + +It captures: + +1. essential system config from `system_paths.iter_system_capture_paths()`, +2. remaining unowned config-like files found by walking `/etc`. + +Before adding shared snippets such as `/etc/logrotate.d/*` or `/etc/cron.d/*` to `etc_custom`, `_target_role_for_shared_snippet()` tries to attach them to a more meaningful service/package role. + +### 9.8 `UsrLocalCustomCollector` + +File: `harvest_collectors/paths.py` + +This collector creates `usr_local_custom` from: + +- files under `/usr/local/etc`, +- executable files under `/usr/local/bin`. + +It respects `IgnorePolicy`, `PathFilter`, and global de-duplication. + +### 9.9 `ExtraPathsCollector` + +File: `harvest_collectors/paths.py` + +This collector handles `--include-path` and `--exclude-path` and creates `extra_paths`. + +For included directories, it records directory metadata as `ManagedDir` entries while walking. For included files, it relies on `expand_includes()` and then `capture_file()`. + +--- + +## 10. Path scanners and package hints + +`system_paths.py` contains known path lists and filesystem scanners. + +Important functions and constants: + +- `ALLOWED_UNOWNED_EXTS` decides which unowned `/etc` files look config-like. +- `MAX_FILES_CAP` and `MAX_UNOWNED_FILES_PER_ROLE` cap broad scans. +- `is_confish()` checks whether a path looks like configuration. +- `scan_unowned_under_roots()` finds unowned files under candidate roots. +- `iter_matching_files()` expands glob specs and walks directory hits. +- `iter_apt_capture_paths()` and `iter_dnf_capture_paths()` collect package-manager config. +- `iter_system_capture_paths()` returns fixed essential system config candidates. +- `persistent_ipset_globs()`, `persistent_iptables_v4_globs()`, and `persistent_iptables_v6_globs()` support runtime firewall fallback decisions. + +`package_hints.py` turns package/unit names into stable role names and attempts to infer relationships. + +Important helpers: + +- `safe_name()`, +- `role_id()`, +- `role_name_from_unit()`, +- `role_name_from_pkg()`, +- `package_section_from_installations()`, +- `hint_names()`, +- `add_pkgs_from_etc_topdirs()`, +- `maybe_add_specific_paths()`. + +`SHARED_ETC_TOPDIRS` in `package_hints.py` prevents shared directories such as `/etc/default`, `/etc/pam.d`, `/etc/systemd`, `/etc/ssh`, `/etc/apt`, and `/etc/dnf` from being attributed too broadly to one package. + +`role_names.py` protects singleton role names such as `users`, `flatpak`, `snap`, `container_images`, `apt_config`, `dnf_config`, `firewall_runtime`, `sysctl`, `etc_custom`, `usr_local_custom`, and `extra_paths` from collisions with package/service-derived roles. + +--- + +## 11. Manifest orchestration + +`manifest.py` is a target router and SOPS wrapper. It does not render target resources itself. + +Entry point: + +```python +manifest( + bundle_dir, + out, + fqdn=None, + jinjaturtle="auto", + sops_fingerprints=None, + no_common_roles=False, + target="ansible", +) +``` + +Plain mode dispatches to: + +```text +target=ansible -> ansible.manifest_from_bundle_dir(..., jinjaturtle=..., no_common_roles=...) +target=puppet -> puppet.manifest_from_bundle_dir(..., jinjaturtle=..., no_common_roles=...) +target=salt -> salt.manifest_from_bundle_dir(..., jinjaturtle=..., no_common_roles=...) +``` + +SOPS mode: + +1. accepts an already-decrypted bundle directory or a SOPS-encrypted harvest tarball, +2. decrypts/extracts with safe tar extraction when needed, +3. renders target output into a secure temp directory, +4. tars the manifest directory under a `manifest/` prefix, +5. encrypts the tarball with SOPS, +6. returns the encrypted output path. + +The renderers do not know about SOPS. + +Before dispatching to a renderer, `manifest.manifest()` calls `validate.validate_harvest()` with normal schema validation enabled. That means generated configuration-management code is only rendered after Enroll has checked the bundle schema, referenced artifact existence, and artifact safety. If validation fails, manifest generation stops rather than trying to produce best-effort output from a malformed or tampered bundle. + +--- + +## 12. The renderer-neutral `CMModule` model + +File: `cm.py` + +`CMModule` is the shared resource model used heavily by Puppet and Salt and partially by Ansible. + +```python +@dataclass +class CMModule: + role_name: str + module_name: str + packages: Set[str] + groups: Set[str] + users: Dict[str, Dict[str, Any]] + dirs: Dict[str, Dict[str, Any]] + files: Dict[str, Dict[str, Any]] + links: Dict[str, Dict[str, Any]] + services: Dict[str, Dict[str, Any]] + firewall_runtime: Dict[str, Any] + notes: List[str] +``` + +Important methods and helpers include: + +- `add_managed_dir()`, `add_managed_file()`, `add_managed_link()`, +- `add_package_snapshot()`, +- `add_service_snapshot_state()`, +- `user_records_from_snapshot()`, +- `add_flatpak_snapshot()`, `add_snap_snapshot()`, +- `add_firewall_runtime_snapshot()`, +- `package_service_entries()`, +- `active_service_units_by_package()`, +- `active_service_units_for_package_snapshot()`, +- `remove_directory_resource_conflicts()`. + +### 12.1 Common role grouping + +`CMModule.package_service_entries()` is the shared grouping mechanism for package and service snapshots. + +`use_common_roles=True` groups package/service snapshots into section/group roles such as Debian Section or RPM Group labels. `use_common_roles=False` preserves one generated role/module/state per package or service snapshot. + +Default behaviour: + +```text +normal manifest, no --no-common-roles: group package/service roles +--fqdn mode: no common grouping +--no-common-roles: no common grouping +``` + +`--fqdn` implies no common roles because host-specific output should preserve per-host state rather than merging unrelated resources into shared roles. + +### 12.2 Catalog conflict resolution + +`resolve_catalog_conflicts()` runs for Puppet and Salt. + +It removes duplicates across generated modules/states for: + +- packages, +- groups, +- users, +- directories, +- files, +- symlinks, +- services. + +It also removes directory resources that conflict with a file or link at the same path. This matters because Puppet and Salt compile a single catalog; duplicates that Ansible might tolerate can fail hard there. + +--- + +## 13. Ansible renderer + +File: `ansible.py` + +Entry point: + +```python +ansible.manifest_from_bundle_dir( + bundle_dir, + out_dir, + fqdn=None, + jinjaturtle="auto", + no_common_roles=False, +) +``` + +It instantiates `AnsibleManifestRenderer(...).render()`. + +### 13.1 Ansible render flow + +```mermaid +flowchart TD + A[AnsibleManifestRenderer.render] --> B[AnsibleRole.load_state] + B --> C[roles_from_state + inventory_packages_from_state] + C --> D[_prepare_ansible_context] + D --> E[_write_site_scaffold] + E --> F[_collect_ansible_roles] + F --> G[_render_managed_file_roles] + F --> H[_render_users_role] + F --> I[_render_flatpak_role] + F --> J[_render_snap_role] + F --> K[_render_container_images_role] + F --> L[_render_sysctl_role] + F --> M[_render_firewall_runtime_role] + M --> N[_render_enroll_runtime_role if firewall runtime exists] + F --> O[_render_service_roles] + F --> P[_render_common_ansible_roles] + F --> Q[_render_package_roles] + Q --> R[_write_manifest_playbook] + R --> S[README.md] +``` + +### 13.2 Output layout + +Default single-site output: + +```text +/ + ansible.cfg + playbook.yml + README.md + requirements.yml + roles/ + / + tasks/main.yml + handlers/main.yml + defaults/main.yml + meta/main.yml + files/... + templates/... +``` + +`--fqdn` site-mode output adds inventory and host vars: + +```text +/ + inventory/ + hosts.yml + host_vars/// + main.yml + .files/... + roles//... +``` + +In default mode, variables normally live in `roles//defaults/main.yml` and raw files live under `roles//files/`. + +In `--fqdn` mode, host-specific values and artifacts live under `inventory/host_vars///`, while reusable role scaffolding remains under `roles/`. + +### 13.3 Role ordering + +Ansible playbook roles are ordered intentionally: + +1. package-manager config roles (`apt_config`, `dnf_config`), +2. common grouped roles, +3. standalone package roles, +4. service roles, +5. custom file roles (`etc_custom`, `usr_local_custom`, `extra_paths`), +6. Flatpak, Snap, container images, users, +7. cron/logrotate moved toward the end when present, +8. runtime roles (`enroll_runtime`, `sysctl`, `firewall_runtime`). + +`enroll_runtime` is rendered only when firewall runtime is rendered. + +### 13.4 Role tags + +Generated playbooks tag roles with `role_`. `diff --enforce --target ansible` uses these tags to narrow enforcement to roles relevant to the drift report when it can. + +Puppet and Salt enforcement do not currently narrow to per-role tags; they run the full generated local manifest/state tree. + +### 13.5 Ansible and JinjaTurtle + +Ansible uses `jinjaturtle.jinjify_managed_files()`. + +When JinjaTurtle is enabled and supports a harvested config file, the renderer can write: + +- a Jinja2 template under `templates/`, +- variables in `defaults/main.yml` or `inventory/host_vars///main.yml`. + +If JinjaTurtle is unavailable in `auto` mode, fails, emits missing variables, or does not support the path, Ansible falls back to copying the raw harvested file. + +--- + +## 14. Puppet renderer + +File: `puppet.py` + +Entry point: + +```python +puppet.manifest_from_bundle_dir( + bundle_dir, + out_dir, + fqdn=None, + no_common_roles=False, + jinjaturtle="auto", +) +``` + +It instantiates `PuppetManifestRenderer(...).render()`. + +### 14.1 Puppet render flow + +```mermaid +flowchart TD + A[PuppetManifestRenderer.render] --> B[PuppetRole.load_state] + B --> C[resolve_jinjaturtle_mode] + C --> D[_collect_puppet_roles] + D --> E[resolve_catalog_conflicts] + E --> F[_sync_service_notifications] + F --> G[write modules//manifests/init.pp] + G --> H[write metadata.json] + H --> I{fqdn?} + I -->|no| J[write manifests/site.pp with node default] + I -->|yes| K[write hiera.yaml] + K --> L[write data/nodes/.yaml] + L --> M[write Hiera-driven site.pp] + J --> N[README.md] + M --> N +``` + +### 14.2 `PuppetRole` + +`PuppetRole` extends `CMModule` and converts snapshots into Puppet-friendly resources. It handles: + +- packages, +- users and groups, +- managed dirs/files/symlinks, +- services, +- sysctl apply execs, +- Flatpak remotes/apps via guarded `exec`, +- Snap installs via guarded `exec`, +- Docker/Podman images by digest via guarded `exec`, +- firewall runtime files and refresh-only restore execs, +- JinjaTurtle ERB templates and class/Hiera parameter values. + +`_puppet_name()` sanitises module names and avoids Puppet reserved words such as `default`, `class`, `node`, `site`, and `init`. + +### 14.3 Output layout + +Default mode: + +```text +/ + manifests/site.pp + README.md + modules/ + / + metadata.json + manifests/init.pp + files/... + templates/... +``` + +Default `site.pp` includes generated classes in manifest order under a `node default` or named node block. + +### 14.4 Puppet `--fqdn` / Hiera mode + +When `--fqdn` is supplied, Puppet output switches to Hiera-style node data: + +```text +/ + hiera.yaml + manifests/site.pp + data/ + common.yaml + nodes/.yaml + modules/ + / + metadata.json + manifests/init.pp + files/nodes//... + templates/... +``` + +In this mode: + +- `site.pp` includes classes from Hiera key `enroll::classes`, +- `data/nodes/.yaml` contains class list and parameter data, +- module classes are data-driven via Automatic Parameter Lookup, +- node-specific raw file artifacts live under `modules//files/nodes//...`, +- JinjaTurtle ERB template values are written into node Hiera data. + +Re-running Enroll with another `--fqdn` into the same output directory is intended to add or replace that node's YAML without deleting existing node data. + +### 14.5 Puppet and JinjaTurtle + +Puppet now participates in the shared JinjaTurtle integration. + +When enabled, Puppet calls `jinjaturtle` with ERB-specific options: + +```text +--template-engine erb +--puppet-class +``` + +The resulting template is written under: + +```text +modules//templates/.erb +``` + +Static single-node mode renders class parameters with defaults and uses: + +```puppet +content => template('/.erb') +``` + +Hiera mode writes template parameter values into `data/nodes/.yaml` and renders data-driven file resources. + +`jinjaturtle.missing_erb_template_vars()` checks that ERB instance variables such as `@main_key` have matching context/Hiera data. If variables are missing, Enroll falls back to raw file copying rather than emitting a broken Puppet template. + +--- + +## 15. Salt renderer + +File: `salt.py` + +Entry point: + +```python +salt.manifest_from_bundle_dir( + bundle_dir, + out_dir, + fqdn=None, + no_common_roles=False, + jinjaturtle="auto", +) +``` + +It instantiates `SaltManifestRenderer(...).render()`. + +### 15.1 Salt render flow + +```mermaid +flowchart TD + A[SaltManifestRenderer.render] --> B[SaltRole.load_state] + B --> C[resolve_jinjaturtle_mode] + C --> D[_collect_salt_roles] + D --> E[resolve_catalog_conflicts] + E --> F[write states/roles//init.sls] + F --> G{fqdn?} + G -->|no| H[write states/top.sls target '*'] + G -->|yes| I[write pillar node data] + I --> J[write states/top.sls and pillar/top.sls] + H --> K[write config/master.d/enroll.conf] + J --> K + K --> L[README.md] +``` + +### 15.2 `SaltRole` + +`SaltRole` extends `CMModule` and changes `managed_owner_attr` to `user`, because Salt `file.managed` uses `user` rather than `owner`. + +It prepares: + +- packages as `pkg.installed`, +- groups as `group.present`, +- users as `user.present`, +- dirs/files/symlinks as Salt `file.*` states, +- services as `service.running` or `service.dead`, +- Flatpaks/Snaps via guarded `cmd.run`, +- Docker/Podman images via guarded `cmd.run`, +- firewall runtime restore commands, +- optional Jinja templates for managed files. + +### 15.3 Output layout + +Default mode: + +```text +/ + README.md + config/master.d/enroll.conf + states/ + top.sls + roles// + init.sls + files/... + templates/... +``` + +`--fqdn` mode: + +```text +/ + states/ + top.sls + roles//init.sls + pillar/ + top.sls + nodes/_.sls +``` + +The Salt renderer can accumulate node data in `--fqdn` mode and preserves existing top data where appropriate. + +### 15.4 Salt and JinjaTurtle + +Salt uses `jinjaturtle.jinjify_artifact()` directly. When successful, a managed file becomes a Salt `file.managed` with: + +```yaml +source: salt://roles//templates/.j2 +template: jinja +context: {...} +``` + +Salt has one additional compatibility step: `_saltify_jinjaturtle_template()` rewrites Ansible-oriented `to_json(...)` filters emitted by JinjaTurtle into Salt-safe context variables or `tojson` filters. + +If templating fails or is unsupported, the renderer falls back to a literal file copy under `files/`. + +--- + +## 16. Shared JinjaTurtle integration + +File: `jinjaturtle.py` + +JinjaTurtle mode is resolved by: + +```python +resolve_jinjaturtle_mode("auto" | "on" | "off") +``` + +Semantics: + +- `auto`: use `jinjaturtle` when it exists on `PATH`; otherwise copy raw files. +- `on`: require `jinjaturtle`; error if missing. +- `off`: never use it. + +Supported path types include structured config suffixes: + +```text +.ini .cfg .json .toml .yaml .yml .xml .repo +``` + +and systemd unit-like suffixes: + +```text +.service .socket .target .timer .path .mount .automount .slice .swap .scope .link .netdev .network +``` + +Special format forcing is used for: + +- `main.cf` -> `postfix`, +- systemd unit files -> `systemd`, +- `sshd_config`, `ssh_config`, and matching `*.conf` snippets under `sshd_config.d` / `ssh_config.d` -> `ssh`. + +The central helper is: + +```python +jinjify_artifact( + bundle_dir, + artifact_role, + src_rel, + dest_path, + template_root, + jt_exe=..., + jt_enabled=..., + template_engine="jinja2" | "erb", + puppet_class=..., # Puppet only +) +``` + +Ansible uses `jinjify_managed_files()` because it merges variables into role defaults or host vars. Salt uses `jinjify_artifact()` directly because context lives with each `file.managed`. Puppet uses `jinjify_artifact(..., template_engine="erb", puppet_class=)` so variables line up with Puppet class/Hiera names. + +Safety checks: + +- `missing_jinja_template_vars()` rejects Jinja2 templates that reference absent variables. +- `missing_erb_template_vars()` rejects ERB templates that reference absent Puppet/Hiera variables. + +When checks fail, Enroll deletes obsolete generated templates when appropriate and falls back to raw file copying. + +--- + +## 17. Diff, notifications, and enforcement + +File: `diff.py` + +### 17.1 Inputs + +`compare_harvests()` accepts: + +- bundle directories, +- direct `state.json` paths, +- plain `.tar.gz` / `.tgz` bundles, +- SOPS-encrypted bundles when `sops_mode=True` or the name ends with `.sops`. + +Bundle resolution is handled by `_bundle_from_input()`, which reuses `remote._safe_extract_tar()` for tarball extraction. + +### 17.2 What diff compares + +`compare_harvests()` compares: + +- package add/remove/version changes, +- enabled systemd unit add/remove/state/package changes, +- user add/remove/field changes, +- managed file add/remove/content/metadata changes. + +File content changes are detected by hashing artifacts. + +`--exclude-path` filtering applies only to file drift reporting, not package/service/user diffs. + +`--ignore-package-versions` suppresses package version-only drift from both the report and `has_changes`, but package additions/removals are still reported. + +Reports are formatted by: + +```python +format_report(report, fmt="text" | "markdown" | "json") +``` + +### 17.3 Enforcement decision + +`has_enforceable_drift()` is intentionally conservative. + +Enforceable drift includes: + +- packages that were removed from the current host but existed in the baseline, +- baseline services that were removed or changed in meaningful non-package fields, +- baseline users that were removed or changed, +- baseline files that were removed or changed. + +Not enforceable: + +- newly installed packages, +- package version changes alone, +- newly enabled services, +- newly added users, +- newly added managed files. + +This keeps `--enforce` focused on restoring baseline state rather than deleting unknown current state or downgrading packages. + +### 17.4 Target-selected enforcement + +`enforce_old_harvest()` now accepts `target="ansible" | "puppet" | "salt"`. + +It performs: + +1. resolve the old/baseline harvest, +2. build a best-effort enforcement plan from the diff report, +3. generate a temporary manifest from the old harvest using the selected target, +4. run the matching local apply tool, +5. attach enforcement metadata to the diff report. + +Target commands: + +```text +ansible -> ansible-playbook -i localhost, -c local playbook.yml +puppet -> puppet apply --modulepath ./modules [--hiera_config ./hiera.yaml] manifests/site.pp +salt -> salt-call --local --file-root ./states [--pillar-root ./pillar] state.apply +``` + +Only Ansible uses generated per-role tags to narrow the apply scope. Puppet and Salt enforcement deliberately run the full generated local manifest/state tree for now. The JSON report keeps target-specific compatibility fields such as `ansible_playbook`, `puppet`, or `salt_call`. + +### 17.5 Notifications + +`diff.py` also supports webhooks and email notifications: + +- `post_webhook()` sends JSON/text/markdown payloads with optional extra headers. +- `send_email()` uses SMTP when configured or local sendmail when SMTP is omitted. + +CLI notification options are only sent when differences exist unless `--notify-always` is set. + +--- + +## 18. Explanation and validation + +### 18.1 `explain.py` + +`explain_state()` reads a harvest and produces text or JSON explaining: + +- host metadata, +- role summaries, +- users, +- services, +- package snapshots, +- runtime firewall, +- sysctl, +- custom files, +- inventory packages, +- notes and exclusion reasons. + +This is intended to answer “what did Enroll collect and why?” + +### 18.2 `validate.py` + +`validate_harvest()` checks: + +1. `state.json` exists, +2. it parses as JSON, +3. it validates against the vendored schema unless `--no-schema` is set, +4. every `managed_file.src_rel` is relative and points to a safe artifact file, +5. firewall runtime generated artifacts exist and are safe, +6. the top-level `artifacts/` path is a real directory rather than a symlink or file, +7. the whole artifact tree contains no symlink directories, symlink files, hardlinks, special files, or paths that escape the artifact root, +8. unreferenced artifact files are reported as warnings. + +`validate_harvest()` is used in three important contexts: + +- `enroll validate` exposes the checks directly to users. +- `manifest.manifest()` validates before rendering Ansible/Puppet/Salt output. +- `diff.compare_harvests()` validates both input bundles before comparing them, using `no_schema=True` so older harvests can still be inspected while artifact safety checks remain active. + +`diff --enforce` renders the old harvest through `manifest.manifest()`, so enforcement also passes through manifest-time validation before a local apply tool is invoked. + +It returns a `ValidationResult` with `errors`, `warnings`, `ok()`, `to_dict()`, and `to_text()`. + +The CLI supports local schema override with `--schema`, warning failure with `--fail-on-warnings`, JSON/text output, and `--out`. + +--- + +## 19. Remote harvesting + +File: `remote.py` + +Remote mode is called from `cli.py` when `--remote-host` is supplied. + +Public entry point: + +```python +remote_harvest(...) +``` + +It wraps `_remote_harvest()` and handles: + +- optional sudo password prompting, +- optional SSH key passphrase prompting or environment variable lookup, +- retrying when remote sudo requires a password, +- retrying when an encrypted SSH private key needs a passphrase. + +### 19.1 Remote harvest flow + +```mermaid +flowchart TD + A[remote_harvest] --> B[resolve sudo password] + B --> C[resolve SSH key passphrase] + C --> D[_remote_harvest] + D --> E[build local enroll.pyz zipapp] + E --> F[connect with Paramiko] + F --> G[upload zipapp] + G --> H[run remote enroll harvest] + H --> I[tar/gzip remote bundle] + I --> J[download tarball] + J --> K[_safe_extract_tar locally] + K --> L[return local state.json path] +``` + +`_build_enroll_pyz()` packages the local `enroll` Python package into a zipapp and uses `enroll.cli:main` as its entry point. + +### 19.2 SSH config support + +`--remote-ssh-config` enables Paramiko `SSHConfig` support for settings such as: + +- `HostName`, +- `Port`, +- `User`, +- `IdentityFile`, +- `ConnectTimeout`, +- `ProxyCommand`, +- `AddressFamily`, +- `HostKeyAlias` where supported by the connection logic. + +Unknown host keys are rejected by default through Paramiko's reject policy. Users should have valid host keys in known hosts. + +### 19.3 Safe tar extraction + +`_safe_extract_tar()` validates tar members before extraction and rejects: + +- absolute paths, +- `..` traversal, +- symlinks, +- hardlinks, +- device nodes, +- anything resolving outside the destination. + +This helper is reused by remote harvest, manifest SOPS extraction, validate/diff bundle resolution, and any code path that needs to unpack a harvest tarball. Do not use raw `tar.extractall()` for user- or remote-provided bundles. + +--- + +## 20. SOPS support + +File: `sopsutil.py` + +SOPS support is binary tarball encryption, not field-level YAML encryption. + +### 20.1 Harvest SOPS mode + +`enroll harvest --sops `: + +1. harvests into a secure temp directory, +2. tars the bundle, +3. encrypts it with SOPS binary mode, +4. writes `harvest.tar.gz.sops` or the requested output file. + +### 20.2 Manifest SOPS mode + +`enroll manifest --sops `: + +1. decrypts/extracts the harvest if needed, +2. generates the chosen target manifest in a temp directory, +3. tars the generated output, +4. encrypts it as a single SOPS file. + +### 20.3 Helpers + +`sopsutil.py` provides: + +- `find_sops_cmd()`, +- `require_sops_cmd()`, +- `encrypt_file_binary()`, +- `decrypt_file_binary_to()`. + +Encryption/decryption helpers write via temp files and default to mode `0600`. + +--- + +## 21. Configuration file support + +`cli.py` supports optional INI config files. + +Discovery order: + +1. `--no-config` disables config loading, +2. `--config PATH` or `-c PATH`, +3. `$ENROLL_CONFIG`, +6. `$XDG_CONFIG_HOME/enroll/enroll.ini`, +7. `~/.config/enroll/enroll.ini`. + +Config sections are translated into argv tokens by `_inject_config_argv()`: + +- `[enroll]` for global options, +- `[harvest]`, `[manifest]`, `[single-shot]`, `[diff]`, `[explain]`, `[validate]` for subcommand options, +- `[single_shot]` is accepted as an alias for `[single-shot]`. + +CLI flags win because config-derived tokens are inserted before user-supplied argv tokens. + +The translation is argparse-driven, so new flags often gain config-file support automatically as long as they are represented by normal argparse actions. + +--- + +## 22. CLI flags that affect multiple layers + +### 22.1 `--target` + +`--target ansible|puppet|salt` exists for: + +- `enroll manifest`, +- `enroll single-shot`, +- `enroll diff --enforce`. + +For `manifest` and `single-shot`, it chooses the output renderer. For `diff --enforce`, it chooses both the temporary manifest target and the local apply tool. + +### 22.2 `--fqdn` + +`--fqdn` changes output semantics, not just filenames: + +- Ansible: uses inventory/host_vars and host-specific artifacts. +- Puppet: uses Hiera node data and Hiera-driven classes. +- Salt: uses pillar node data and minion-targeted top files. + +`--fqdn` implies no common role grouping. + +### 22.3 `--no-common-roles` + +Disables the default grouping of package/service snapshots by Debian Section or RPM Group. This preserves one generated role/module/state per package or unit snapshot. + +### 22.4 `--jinjaturtle` / `--no-jinjaturtle` + +The CLI maps these to renderer mode strings: + +```text +no flag -> auto +--jinjaturtle -> on +--no-jinjaturtle -> off +``` + +All three manifest targets receive this mode. Puppet uses ERB when JinjaTurtle is enabled; Ansible and Salt use Jinja2. + +--- + +## 23. Tests and how to navigate them + +Run tests with: + +```bash +poetry install +poetry run pytest +``` + +or the repository helper when appropriate: + +```bash +./tests.sh +``` + +Important test files: + +| Test file | What it covers | +|---|---| +| `test_cli.py` | argparse dispatch, remote flags, manifest target forwarding, single-shot flow. | +| `test_cli_config_and_sops.py`, `test_cli_helpers.py` | config-file injection and SOPS output helpers. | +| `test_harvest.py`, `test_harvest_helpers.py` | harvest orchestration, sysctl/firewall helpers, role naming. | +| `test_harvest_collectors.py` | runtime and container image collectors. | +| `test_harvest_cron_logrotate.py` | cron/logrotate unification. | +| `test_harvest_symlinks.py` | nginx/apache enabled symlink capture. | +| `test_accounts.py` | users, Flatpak, Snap parsing/discovery. | +| `test_ignore.py`, `test_ignore_dir.py` | secret/noise policy. | +| `test_pathfilter.py` | include/exclude matching and expansion. | +| `test_platform.py`, `test_platform_backends.py` | platform detection and backend behaviour. | +| `test_debian.py`, `test_rpm.py`, `test_rpm_run.py` | package manager helpers. | +| `test_manifest.py`, `test_manifest_ansible.py` | Ansible rendering and role behaviour. | +| `test_manifest_puppet.py` | Puppet rendering, Hiera mode, reserved names, firewall/container/Flatpak/Snap/JinjaTurtle support. | +| `test_manifest_salt.py` | Salt rendering, pillar mode, JinjaTurtle, firewall/container/Flatpak/Snap support. | +| `test_manifest_symlinks.py` | symlink manifest output. | +| `test_jinjaturtle.py` | shared template generation and fallback safety. | +| `test_diff_bundle.py`, `test_diff_ignore_versions_exclude_enforce.py`, `test_diff_notifications.py` | diff, bundle resolution, target-selected enforcement, notifications. | +| `test_remote.py` | remote harvest, SSH/sudo prompts, safe tar extraction. | +| `test_explain.py` | harvest explanation output. | +| `test_validate.py` | schema/artifact validation. | +| `test_cm.py` | `CMModule` conflict resolution and service-package helpers. | +| `test_fsutil.py`, `test_fsutil_extra.py` | file hashing and stat metadata helpers. | + +When changing behaviour, extend the closest specific tests rather than relying only on broad integration tests. + +--- + +## 24. Common maintenance tasks + +### 24.1 Add a new thing to harvest + +1. Add or extend a dataclass in `harvest_types.py` if existing snapshots cannot represent it. +2. Add a collector under `harvest_collectors/` if it is a distinct feature. +3. Add the collector to the sequence in `harvest.harvest()`. +4. Add the snapshot to the `state = {...}` object in `harvest.harvest()`. +5. Update `schema/state.schema.json`. +6. Update renderers that should emit the new resource. +7. Update `explain.py` and `validate.py` if users need visibility or artifact checks. +8. Add tests for harvest and each renderer. + +### 24.2 Add a new renderer target + +1. Create `.py` with `manifest_from_bundle_dir()`. +2. Load state via `CMModule.load_state()` or `state.load_state()`. +3. Consume `roles_from_state()` and `inventory_packages_from_state()`. +4. Convert snapshots into renderer-specific role/module/state objects. +5. Reuse `CMModule.package_service_entries()` for package/service grouping. +6. Run conflict resolution if the target compiles a global catalog. +7. Write target output and README. +8. Add the target to `manifest.manifest()` validation and dispatch. +9. Add CLI choices in `_add_common_manifest_args()` and diff enforcement if applicable. +10. Add tests. + +### 24.3 Add a new CLI flag + +For harvest-affecting flags: + +1. add the flag to `cli.py` for `harvest` and possibly `single-shot`, +2. forward it to `harvest.harvest()` or `remote.remote_harvest()`, +3. forward it through remote command construction if remote mode needs it, +4. check whether config-file injection handles it, +5. add tests in `test_cli.py` and feature-specific tests. + +For manifest-affecting flags: + +1. add it to `_add_common_manifest_args()` if all manifest-like commands need it, +2. forward it through `manifest.manifest()`, +3. forward it to target renderers, +4. add tests for forwarding and output. + +For diff enforcement flags: + +1. add argparse support under the `diff` subparser, +2. pass values to `compare_harvests()` or `enforce_old_harvest()`, +3. update report formatting if new fields appear, +4. add tests in `test_diff_ignore_versions_exclude_enforce.py` or `test_diff_notifications.py`. + +### 24.4 Change file safety rules + +Modify `ignore.py` and add tests in `test_ignore.py` / `test_ignore_dir.py`. + +Be careful: + +- relaxing safety affects secret exposure risk, +- tightening safety can make expected config disappear, +- binary allowance matters for APT/RPM keyrings, +- `--dangerous` must remain explicit for risky harvesting. + +### 24.5 Change service/package attribution + +Most logic is in: + +- `harvest_collectors/services.py`, +- `package_hints.py`, +- `system_paths.py`, +- package backend `modified_paths()` implementations. + +Preserve these invariants: + +- cron/logrotate should stay unified when installed, +- shared directories should not be attributed too broadly, +- package-manager config belongs in `apt_config`/`dnf_config`, +- `captured_global` should prevent duplicates, +- stopped services should not receive broad restart notifications. + +### 24.6 Change manifest role grouping + +Common grouping uses: + +- `CMModule.package_service_entries()`, +- `package_section_label()`, +- `section_label_for_packages()`. + +Remember: + +- default non-`--fqdn` output groups package/service roles unless `--no-common-roles` is set, +- `--fqdn` implies per-role output, +- Ansible, Puppet, and Salt grouping should stay conceptually aligned, +- Puppet/Salt need `resolve_catalog_conflicts()` after grouping. + +### 24.7 Change JinjaTurtle support + +Shared path support and safety checks belong in `jinjaturtle.py`. + +Renderer-specific behaviour belongs in the renderer: + +- Ansible: variables in defaults or host vars, templates under role `templates/`. +- Puppet: ERB templates, class params or Hiera values. +- Salt: `file.managed` context and Salt-safe Jinja rewrites. + +Fallback-to-raw-copy is part of the product contract unless JinjaTurtle was explicitly required and missing. + +### 24.8 Change diff enforcement + +`diff --enforce` now has a target dimension. + +When changing it, keep these distinctions clear: + +- `has_enforceable_drift()` decides whether enforcement should run. +- `_enforcement_plan()` finds relevant baseline roles. +- Ansible uses role tags from the plan. +- Puppet and Salt currently run a full manifest/state apply. +- `_enforcement_command()` is the source of truth for local apply commands. +- `cli.py` attaches enforcement metadata to the report and formats it. + +Do not make enforcement delete newly added packages/users/files/services unless the safety model is explicitly redesigned. + +--- + +## 25. Important maintenance hazards + +### 25.1 Renderer output is downstream of harvest state + +If a renderer needs information, first ask whether that information belongs in `state.json`. Avoid papering over missing harvest facts inside a renderer. + +### 25.2 `--fqdn` mode is not cosmetic + +`--fqdn` changes where variables and artifacts live and how target inclusion works. + +A change that works in default mode can still break: + +- Ansible host vars, +- Puppet Hiera node data, +- Salt pillar node data. + +### 25.3 Puppet and Salt are stricter about duplicates + +Ansible often tolerates repeated packages or tasks. Puppet and Salt compile catalogs where duplicate resources can fail. Keep `resolve_catalog_conflicts()` in mind whenever adding resources. + +### 25.4 Secret avoidance is part of the product contract + +Default harvest should avoid likely secrets. `--dangerous` exists because useful files may contain secrets. Do not silently make risky harvesting the default. + +### 25.5 Runtime state should not override persistent config + +Firewall runtime capture is skipped when persistent firewall config exists. Preserve this principle for future runtime snapshots. + +### 25.6 JinjaTurtle is best-effort except when explicitly required + +`auto` mode should not make manifest generation fail merely because templating failed. `on` should require the executable; unsupported or unsafe individual files should still fall back to raw copy unless code explicitly changes that contract. + +### 25.7 Role names must be sanitised + +Raw package/service names can be invalid or reserved in Ansible roles, Puppet classes, or Salt SLS names. Use role-name helpers and singleton collision protection. + +### 25.8 Tests encode edge cases + +Many behaviours exist because of previously found edge cases: + +- non-root/no-sudo harvests, +- Puppet reserved words, +- Salt Docker module availability limitations, +- symlink capture, +- JinjaTurtle missing variables, +- Salt JSON filter compatibility, +- file caps, +- SOPS secure temp files, +- tar path traversal, +- target-selected diff enforcement. + +Before simplifying logic, search the tests. + +--- + +## 26. Troubleshooting guide + +### 26.1 Generated manifest references a missing artifact + +Likely causes: + +- `managed_files[*].src_rel` was added without copying into `artifacts/`, +- a renderer used the generated role/module name instead of the artifact role, +- a role was renamed after harvest but before artifact lookup, +- `--fqdn` file prefixes are wrong. + +Start with: + +```bash +enroll validate /path/to/harvest +``` + +Then inspect: + +```text +state.json roles.*.managed_files[*] +artifacts// +``` + +### 26.2 Puppet fails with duplicate resources + +Check: + +- `_collect_puppet_roles()`, +- `resolve_catalog_conflicts()`, +- `role_order_key()`, +- whether a new resource type needs conflict resolution, +- whether a directory resource conflicts with a file/link of the same path. + +### 26.3 Salt fails with duplicate IDs or missing modules + +Check: + +- `_state_id()` naming, +- `_collect_salt_roles()` grouping, +- `resolve_catalog_conflicts()`, +- guarded `cmd.run` fallbacks for Docker/Podman/Snap/Flatpak. + +Salt uses guarded shell commands for some resources because native states/modules are not consistently available across Salt installations. + +### 26.4 Ansible check mode reports unexpected changes + +Check: + +- role ordering, +- grouped mode versus `--fqdn` / `--no-common-roles`, +- handler notifications, +- whether runtime roles were emitted without runtime artifacts, +- harvested directory/file mode normalisation. + +Grouped and per-role output can legitimately produce different numbers of reported changes. + +### 26.5 A file was not harvested + +Check, in order: + +1. Was it excluded by `--exclude-path`? +2. Was it denied by `IgnorePolicy`? +3. Was it too large? +4. Did it look binary? +5. Did it contain sensitive-looking content? +6. Was it already captured by another role via `captured_global`? +7. Is it outside known scanned locations? +8. Would `--include-path` collect it? +9. Does it require `--dangerous`? + +`enroll explain` can show notes and exclusion reasons. + +### 26.6 `diff --enforce` fails + +Check: + +- whether the selected `--target` tool is on `PATH`, +- `ansible-playbook` for Ansible, +- `puppet` for Puppet, +- `salt-call` for Salt, +- whether the generated temp manifest has the expected target entrypoint, +- whether the report contains enforceable drift, +- whether package drift is only version changes or additions, which enforcement skips. + +### 26.7 Remote harvest fails with sudo or SSH key prompts + +Relevant flags: + +- `--ask-become-pass`, +- `--ask-key-passphrase`, +- `--ssh-key-passphrase-env`, +- `--no-sudo`, +- `--remote-ssh-config`. + +Interactive sessions can prompt and retry. Non-interactive sessions should pass explicit flags or environment variables. + +--- + +## 27. Practical code-reading map + +| Feature/question | Start with | Then read | +|---|---|---| +| CLI option behaviour | `cli.py` | called module for `args.cmd` | +| Local harvest ordering | `harvest.py:harvest()` | `harvest_collectors/` | +| Why a file was skipped | `capture.py`, `ignore.py`, `pathfilter.py` | `explain.py` | +| File metadata/hash helpers | `fsutil.py` | `debian.py`, `capture.py` | +| Service/package attribution | `harvest_collectors/services.py` | `package_hints.py`, `platform.py` | +| APT/DNF config capture | `harvest_collectors/package_manager.py` | `system_paths.py` | +| Users and SSH keys | `harvest_collectors/users.py` | `accounts.py` | +| Flatpak/Snap parsing | `accounts.py` | renderer Flatpak/Snap helpers | +| Docker/Podman images | `harvest_collectors/container_images.py` | renderer container image helpers | +| Runtime firewall | `harvest_collectors/runtime.py`, `harvest.py` | renderer firewall helpers | +| Sysctl | `harvest.py` sysctl helpers | renderer sysctl role functions | +| Ansible output | `ansible.py:AnsibleManifestRenderer.render()` | `_render_*` helpers | +| Puppet output | `puppet.py:PuppetManifestRenderer.render()` | `_collect_puppet_roles()` | +| Salt output | `salt.py:SaltManifestRenderer.render()` | `_collect_salt_roles()` | +| Grouping/common roles | `cm.py` | renderer collection functions | +| JinjaTurtle | `jinjaturtle.py` | renderer managed-content code | +| Diff/enforce | `diff.py` | `manifest.py`, target renderer | +| Validation | `validate.py` | schema file and `state.json` | +| Remote mode | `remote.py` | `cli.py` remote branches | +| SOPS | `sopsutil.py` | `cli.py`, `manifest.py`, `diff.py` | + +--- + +## 28. Glossary + +**Harvest bundle** +A directory or encrypted tarball containing `state.json` and `artifacts/`. + +**Snapshot** +A structured object under `roles` in `state.json`, such as a `ServiceSnapshot` or `PackageSnapshot`. + +**Managed file** +A file Enroll intends generated CM code to recreate. It has a destination path and a matching artifact file. + +**Managed link** +A symlink Enroll intends generated CM code to recreate. + +**Managed dir** +A directory Enroll intends generated CM code to ensure exists with recorded metadata. + +**Role** +The Enroll logical group for related resources. In Ansible it usually maps to an Ansible role. In Puppet it maps to a module/class. In Salt it maps to an SLS role. + +**Artifact role** +The role directory under `artifacts/` that contains a harvested file. This can differ from the generated renderer role when grouping is enabled. + +**Common/grouped role** +A generated role/module/state that merges multiple package/service snapshots by Debian Section or RPM Group. + +**Site mode / `--fqdn` mode** +Host-specific output mode. Ansible uses host vars, Puppet uses Hiera node data, and Salt uses pillar node data. + +**Dangerous mode** +Explicit opt-in mode that relaxes safety checks and enables risky capture such as user shell dotfiles. + +**JinjaTurtle** +Optional external tool used to convert recognised config files into Jinja2 or ERB templates plus variable defaults/context. + +**Enforcement target** +The config manager chosen for `diff --enforce` with `--target ansible|puppet|salt`. + +--- + +## 29. Final maintenance model + +Most changes should preserve this pipeline: + +```text +Collect facts and files safely + -> represent them in target-neutral state.json + -> keep artifact references consistent + -> let each renderer translate the same state into its own idioms + -> validate the bundle and test each target +``` + +Before changing code, ask: + +1. Is this a harvest concern or renderer concern? +2. Does `state.json` or the schema need to change? +3. Does this affect `--fqdn` mode? +4. Does this introduce duplicate ownership of a path/resource? +5. Does this weaken default secret avoidance? +6. Do Puppet and Salt need conflict handling? +7. Does JinjaTurtle fallback still behave safely? +8. Does `diff --enforce --target ...` still do the conservative thing? +9. Do existing tests explain why the current behaviour exists? + +Keeping those boundaries clear is the main way to maintain Enroll without creating subtle cross-target regressions. diff --git a/README.md b/README.md index d2d51ad..08f96db 100644 --- a/README.md +++ b/README.md @@ -4,629 +4,10 @@ Enroll logo -**enroll** inspects a Linux machine (Debian-like or RedHat-like) and generates Ansible roles/playbooks (and optionally inventory) for what it finds. +Hi folks. I spent a lot of time working on what was to be 0.7.0 of Enroll, before finding too many potental security risks along the way. After tens of security audits by LLMs and the like, to be told over and over 'this is really solid engineering', I'd end up with one that would find a critical vulnerability. I could no longer assume there weren't more. I am not a good programmer, and AI is an echo chamber of optimism. -- Detects packages that have been installed. -- Detects package ownership of `/etc` files where possible -- Captures config that has **changed from packaged defaults** where possible (e.g dpkg conffile hashes + package md5sums when available). -- Also captures **service-relevant custom/unowned files** under `/etc//...` (e.g. drop-in config includes). -- Defensively excludes likely secrets (path denylist + content sniff + size caps). -- Captures non-system users and their SSH public keys and any .bashrc or .bash_aliases or .profile files that deviate from the skel defaults. -- Captures miscellaneous `/etc` files it can't attribute to a package and installs them in an `etc_custom` role. -- Captures live ipset and iptables runtime state into a fallback `firewall_runtime` role, when active ipsets/iptables rules are present *and* no corresponding persistent ipset/iptables *files* were found. -- Captures symlinks in common applications that rely on them, e.g apache2/nginx 'sites-enabled' -- Ditto for /usr/local/bin (for non-binary files) and /usr/local/etc -- Avoids trying to start systemd services that were detected as inactive during harvest. +I decided it was better that such a project didn't exist. To that end, I'm removing it from the repos and PyPI. ---- +Please uninstall it. -## Mental model - -`enroll` works in two phases: - -1) **Harvest**: collect host facts + relevant files into a harvest bundle (`state.json` + harvested artifacts) -2) **Manifest**: turn that harvest into Ansible roles/playbooks (and optionally inventory) - -Additionally, some other functionalities exist: - -- **Diff**: compare two harvests and report what changed (packages/services/users/files) since the previous snapshot. -- **Single-shot mode**: run both harvest and manifest at once. - ---- - -## Output modes: single-site vs multi-site (`--fqdn`) - -`enroll manifest` (and `enroll single-shot`) support two distinct output styles. - -### Single-site mode (default: *no* `--fqdn`) -Use when enrolling **one server** (or generating a “golden” role set you intend to reuse). - -**Characteristics** -- Roles are more self-contained. -- Raw config files live in the role's `files/`. -- Template variables live in the role's `defaults/main.yml`. - -### Multi-site mode (`--fqdn`) -Use when enrolling **several existing servers** quickly, especially if they differ. - -**Characteristics** -- Roles are shared, host-specific state lives in inventory. -- Host inventory drives what gets managed (files/packages/services). -- Non-templated raw files live per-host under `inventory/host_vars///.files/...`. - -**Rule of thumb** -- “Make this one server reproducible/provisionable” → start with **single-site** -- “Get multiple already-running servers under management quickly” → use **multi-site** - ---- - -## Subcommands - -### `enroll harvest` -Harvest state about a host and write a harvest bundle. - -**What it captures (high level)** -- Detected services + service-relevant packages -- “Manual” packages -- Changed-from-default config (plus related custom/unowned files under service dirs) -- Non-system users + SSH public keys -- Misc `/etc` that can't be attributed to a package (`etc_custom` role) -- Static firewall config files such as nftables, UFW, firewalld, `/etc/iptables/rules.v4`, `/etc/iptables/rules.v6`, and `/etc/ipset*` -- Live kernel ipset/iptables state via `ipset save`, `iptables-save`, and `ip6tables-save` as a fallback, but only when the corresponding persistent config was not found (`firewall_runtime` role at manifest time) -- Optional user-specified extra files/dirs via `--include-path` (emitted as an `extra_paths` role at manifest time) - -**Common flags** -- Remote harvesting: - - `--remote-host`, `--remote-user`, `--remote-port`, `--remote-ssh-config` - - `--no-sudo` (if you don't want/need sudo) -- Sensitive-data behaviour: - - default: tries to avoid likely secrets - - `--dangerous`: disables secret-safety checks (see “Sensitive data” below) -- Encrypt bundles at rest: - - `--sops `: writes a single encrypted `harvest.tar.gz.sops` instead of a plaintext directory -- Path selection (include/exclude): - - `--include-path ` (repeatable): add extra files/dirs to harvest (even from locations normally ignored, like `/home`). Still subject to secret-safety checks unless `--dangerous`. - - `--exclude-path ` (repeatable): skip files/dirs even if they would normally be harvested. - - Pattern syntax: - - plain path: matches that file; directories match the directory + everything under it - - glob (default): supports `*` and `**` (prefix with `glob:` to force) - - regex: prefix with `re:` or `regex:` - - Precedence: excludes win over includes. - * Using remote mode and auth requires secrets? - * sudo password: - * `--ask-become-pass` (or `-K`) prompts for the sudo password. - * If you forget, and remote sudo requires a password, Enroll will still fall back to prompting in interactive mode (slightly slower due to retry). - * SSH private-key passphrase: - * `--ask-key-passphrase` prompts for the SSH key passphrase. - * `--ssh-key-passphrase-env ENV_VAR` reads the SSH key passphrase from an environment variable (useful for CI/non-interactive runs). - * If neither is provided, and Enroll detects an encrypted key in an interactive session, it will still fall back to prompting on-demand. - * In non-interactive sessions, pass `--ask-key-passphrase` or `--ssh-key-passphrase-env ENV_VAR` when using encrypted private keys. - * Note: `--ask-key-passphrase` and `--ssh-key-passphrase-env` are mutually exclusive. - -Examples (encrypted SSH key) - -```bash -# Interactive -enroll harvest --remote-host myhost.example.com --remote-user myuser --ask-key-passphrase --out /tmp/enroll-harvest - -# Non-interactive / CI -export ENROLL_SSH_KEY_PASSPHRASE='correct horse battery staple' -enroll single-shot --remote-host myhost.example.com --remote-user myuser --ssh-key-passphrase-env ENROLL_SSH_KEY_PASSPHRASE --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible --fqdn myhost.example.com -``` - ---- - -### `enroll manifest` -Generate Ansible output from an existing harvest bundle. - -**Inputs** -- `--harvest /path/to/harvest` (directory) - or `--harvest /path/to/harvest.tar.gz.sops` (if using `--sops`) - -**Output** -- In plaintext mode: an Ansible repo-like directory structure (roles/playbooks, and inventory in multi-site mode). -- In `--sops` mode: a single encrypted file `manifest.tar.gz.sops` containing the generated output. - -**Common flags** -- `--fqdn `: enables **multi-site** output style - -**Role tags** -Generated playbooks tag each role so you can target just the parts you need: - -- Tag format: `role_` (e.g. `role_services`, `role_users`) -- Fallback/safe tag: `role_other` - -Example: -```bash -ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml --tags role_services,role_users -``` - ---- - -### `enroll single-shot` -Convenience wrapper that runs **harvest → manifest** in one command. - -Use this when you want “get me something workable ASAP”. - -Supports the same general flags as harvest/manifest, including `--fqdn`, remote harvest flags, and `--sops`. - ---- - -### `enroll diff` -Compare two harvest bundles and report what changed. - -**What it reports** -- Packages added/removed -- Services enabled added/removed, plus key state changes -- Users added/removed, plus field changes (uid/gid/home/shell/groups, etc.) -- Managed files added/removed/changed (metadata + content hash changes where available) - -**Inputs** -- `--old ` and `--new ` (directories or `state.json` paths) -- `--sops` when comparing SOPS-encrypted harvest bundles -- `--exclude-path ` (repeatable) to ignore file/dir drift under matching paths (same pattern syntax as harvest) -- `--ignore-package-versions` to ignore package version-only drift (upgrades/downgrades) -- `--enforce` to apply the **old** harvest state locally (requires `ansible-playbook` on `PATH`) - -**Noise suppression** -- `--exclude-path` is useful for things that change often but you still want in the harvest baseline (e.g. `/var/anacron`). -- `--ignore-package-versions` keeps routine upgrades from alerting; package add/remove drift is still reported. - -**Enforcement (`--enforce`)** -If a diff exists and `ansible-playbook` is available, Enroll will: -1) generate a manifest from the **old** harvest into a temporary directory -2) run `ansible-playbook -i localhost, -c local /playbook.yml` (often with `--tags role_<...>` to limit runtime) -3) record in the diff report that the old harvest was enforced - -Enforcement is intentionally “safe”: -- reinstalls packages that were removed (`state: present`), but does **not** attempt downgrades/pinning -- restores users, files (contents + permissions/ownership), and service enable/start state - -If `ansible-playbook` is not on `PATH`, Enroll returns an error and does not enforce. - - -**Output formats** -- `--format json` (default for webhooks) -- `--format markdown` / `--format text` (human-oriented) - -**Notifications** -- Webhook: - - `--webhook ` - - `--webhook-format json|markdown|text` - - `--webhook-header 'Header-Name: value'` (repeatable) -- Email (optional): - - `--email-to ` (plus optional SMTP/sendmail-related flags, depending on your install) - ---- - -### `enroll explain` -Analyze a harvest and provide user-friendly explanations for what's in it and why. - -This may also explain why something *wasn't* included (e.g a binary file, a file that was too large, unreadable due to permissions, or looked like a log file/secret. - -Provide either the path to the harvest or the path to its state.json. It can also handle SOPS-encrypted harvests. - -Output can be provided in plaintext or json. - ---- - -### `enroll validate` - -Validates a harvest by checking: - - * state.json exists and is valid JSON - * state.json validates against a JSON Schema (by default the vendored one) - * Every `managed_file` entry has a corresponding artifact at: `artifacts//` - * That there are no **unreferenced files** sitting in `artifacts/` that aren't in the state. - -#### Schema location + overrides - -The master schema lives at: `enroll/schema/state.schema.json`. - -You can override with a local file or URL: - -``` -enroll validate /path/to/harvest --schema ./state.schema.json -enroll validate /path/to/harvest --schema https://enroll.sh/schema/state.schema.json -``` - -Or skip schema checks (still does artifact consistency checks): - -``` -enroll validate /path/to/harvest --no-schema -``` - -#### CLI usage examples - -Validate a local harvest: - -``` -enroll validate ./harvest -``` - -Validate a harvest tarball or a sops bundle: - -``` -enroll validate ./harvest.tar.gz -enroll validate ./harvest.sops --sops -``` - -JSON output + write to file: - -``` -enroll validate ./harvest --format json --out validate.json -``` - -Return exit code 1 for any warnings, not just errors (useful for CI): - -``` -enroll validate ./harvest --fail-on-warnings -``` - ---- - -## Sensitive data - -By default, `enroll` does **not** assume how you handle secrets in Ansible. It will attempt to avoid harvesting likely sensitive data (private keys, passwords, tokens, etc.). This can mean it skips some config files you may ultimately want to manage. - -If you opt in to collecting everything: - -### `--dangerous` -**WARNING:** disables “likely secret” safety checks. This can copy private keys, TLS key material, API tokens, database passwords, and other credentials into the harvest output **in plaintext**. - -If you intend to keep harvests/manifests long-term (especially in git), strongly consider encrypting them at rest. - -### Encrypt bundles at rest with `--sops` -`--sops` encrypts the harvest and/or manifest outputs into a single `.tar.gz.sops` file (GPG). This is for **storage-at-rest**, not for direct “Ansible SOPS inventory” workflows. - -⚠️ Important: `manifest --sops` produces one encrypted file. You must decrypt + extract it before running `ansible-playbook`. - ---- - -## JinjaTurtle integration (both modes) - -If [JinjaTurtle](https://git.mig5.net/mig5/jinjaturtle) is installed, `enroll` can generate Jinja2 templates for ini/json/xml/toml-style config. - -- Templates live in `roles//templates/...` -- Variables live in: - - single-site: `roles//defaults/main.yml` - - multi-site: `inventory/host_vars//.yml` - -You can force it on with `--jinjaturtle` or disable with `--no-jinjaturtle`. - ---- - -## How multi-site avoids “shared role breaks a host” - -In multi-site mode, roles are **data-driven**. The role tasks are generic (“deploy the files listed for this host”, “install the packages listed for this host”, “apply systemd enable/start state listed for this host”). Host inventory decides what applies per-host, avoiding the classic “host2 adds config, host1 breaks” failure mode. - ---- - -# Install - -## Ubuntu/Debian apt repository -```bash -sudo mkdir -p /usr/share/keyrings -curl -fsSL https://mig5.net/static/mig5.asc | sudo gpg --dearmor -o /usr/share/keyrings/mig5.gpg -echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mig5.list -sudo apt update -sudo apt install enroll -``` - -## Fedora - -```bash -sudo rpm --import https://mig5.net/static/mig5.asc - -sudo tee /etc/yum.repos.d/mig5.repo > /dev/null << 'EOF' -[mig5] -name=mig5 Repository -baseurl=https://rpm.mig5.net/$releasever/rpm/$basearch -enabled=1 -gpgcheck=1 -repo_gpgcheck=1 -gpgkey=https://mig5.net/static/mig5.asc -EOF - -sudo dnf upgrade --refresh -sudo dnf install enroll -``` - -## AppImage -Download it from my Releases page, then: - -```bash -chmod +x Enroll.AppImage -./Enroll.AppImage -``` - -## Pip/PipX -```bash -pip install enroll -``` - -## Poetry (dev) -```bash -poetry install -poetry run enroll --help -``` - ---- - -## Found a bug / have a suggestion? - -My Forgejo doesn't currently support federation, so I haven't opened registration/login for issues. - -Instead, email me (see `pyproject.toml`) or contact me on the Fediverse: - -https://goto.mig5.net/@mig5 - ---- - -# Examples - -## Harvest - -### Local harvest -```bash -enroll harvest --out /tmp/enroll-harvest -``` - -### Remote harvest over SSH -```bash -enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest -``` - -### Remote harvest over SSH, where the SSH configuration is in ~/.ssh/config (e.g a different SSH key) - -Note: you must still pass `--remote-host`, but in this case, its value can be the 'Host' alias of an entry in your `~/.ssh/config`. - -```bash -enroll harvest --remote-host myhostalias --remote-ssh-config ~/.ssh/config --out /tmp/enroll-harvest -``` - -### Include paths (`--include-path`) -```bash -# Add a few dotfiles from /home (still secret-safe unless --dangerous) -enroll harvest --out /tmp/enroll-harvest --include-path '/home/*/.bashrc' --include-path '/home/*/.profile' -``` - -### Exclude paths (`--exclude-path`) -```bash -# Skip specific /usr/local/bin entries (or patterns) -enroll harvest --out /tmp/enroll-harvest --exclude-path '/usr/local/bin/docker-*' --exclude-path '/usr/local/bin/some-tool' -``` - -### Regex include -```bash -enroll harvest --out /tmp/enroll-harvest --include-path 're:^/home/[^/]+/\.config/myapp/.*$' -``` - -### `--dangerous` -```bash -enroll harvest --out /tmp/enroll-harvest --dangerous -``` - -### Remote + dangerous: -```bash -enroll harvest --remote-host myhost.example.com --remote-user myuser --dangerous -``` - -### `--sops` (encrypt at rest) -```bash -# Encrypted harvest bundle (writes /tmp/enroll-harvest/harvest.tar.gz.sops) -enroll harvest --out /tmp/enroll-harvest --dangerous --sops -``` - ---- - -## Manifest - -### Single-site (default: no --fqdn) -```bash -enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible -``` - -### Multi-site (--fqdn) -```bash -enroll manifest --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible --fqdn "$(hostname -f)" -``` - -### Manifest with `--sops` -```bash -# Generate encrypted manifest bundle (writes /tmp/enroll-ansible/manifest.tar.gz.sops) -enroll manifest --harvest /tmp/enroll-harvest/harvest.tar.gz.sops --out /tmp/enroll-ansible --sops - -# Decrypt/extract the manifest bundle, then run Ansible from inside ./manifest/ -cd /tmp/enroll-ansible -sops -d manifest.tar.gz.sops | tar -xzvf - -cd manifest -``` - ---- - -## Single-shot - -```bash -enroll single-shot --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible --fqdn "$(hostname -f)" -``` - -Remote single-shot (run harvest over SSH, then manifest locally): -```bash -enroll single-shot --remote-host myhost.example.com --remote-user myuser --harvest /tmp/enroll-harvest --out /tmp/enroll-ansible --fqdn "myhost.example.com" -``` - ---- - -## Diff - -### Compare two harvest directories, output in json -```bash -enroll diff --old /path/to/harvestA --new /path/to/harvestB --format json -``` - -### Diff + webhook notify -```bash -enroll diff --old /path/to/golden/harvest --new /path/to/new/harvest --webhook https://nr.mig5.net/forms/webhooks/xxxx --webhook-format json --webhook-header 'X-Enroll-Secret: xxxx' -``` - -`diff` mode also supports email sending and text or markdown format, as well as `--exit-code` mode to trigger a return code of 2 (useful for crons or CI) - -### Ignore a specific directory or file from the diff -```bash -enroll diff --old /path/to/harvestA --new /path/to/harvestB --exclude-path /var/anacron -``` - -### Ignore package version drift (routine upgrades) but still alert on add/remove -```bash -enroll diff --old /path/to/harvestA --new /path/to/harvestB --ignore-package-versions -``` - -### Enforce the old harvest state when drift is detected (requires Ansible) -```bash -enroll diff --old /path/to/harvestA --new /path/to/harvestB --enforce --ignore-package-versions --exclude-path /var/anacron -``` - ---- - -## Explain - -### Explain a harvest - -All of these do the same thing: - -```bash -enroll explain /path/to/state.json -enroll explain /path/to/bundle_dir -enroll explain /path/to/harvest.tar.gz -``` - -### Explain a SOPS-encrypted harvest - -```bash -enroll explain /path/to/harvest.tar.gz.sops --sops -``` - -### Explain with JSON output and more examples - -```bash -enroll explain /path/to/state.json --format json --max-examples 25 -``` - -### Example output - -``` -❯ enroll explain /tmp/syrah.harvest -Enroll explain: /tmp/syrah.harvest -Host: syrah.mig5.net (os: debian, pkg: dpkg) -Enroll: 0.2.3 - -Inventory -- Packages: 254 -- Why packages were included (observed_via): - - user_installed: 248 – Package appears explicitly installed (as opposed to only pulled in as a dependency). - - package_role: 232 – Package was referenced by an enroll packages snapshot/role. (e.g. acl, acpid, adduser) - - systemd_unit: 22 – Package is associated with a systemd unit that was harvested. (e.g. postfix.service, tor.service, apparmor.service) - -Roles collected -- users: 1 user(s), 1 file(s), 0 excluded -- services: 19 unit(s), 111 file(s), 6 excluded -- packages: 232 package snapshot(s), 41 file(s), 0 excluded -- apt_config: 26 file(s), 7 dir(s), 10 excluded -- dnf_config: 0 file(s), 0 dir(s), 0 excluded -- firewall_runtime: 2 snapshot(s), 1 ipset(s) -- etc_custom: 70 file(s), 20 dir(s), 0 excluded -- usr_local_custom: 35 file(s), 1 dir(s), 0 excluded -- extra_paths: 0 file(s), 0 dir(s), 0 excluded - -Why files were included (managed_files.reason) -- custom_unowned (179): A file not owned by any package (often custom/operator-managed).. Examples: /etc/apparmor.d/local/lsb_release, /etc/apparmor.d/local/nvidia_modprobe, /etc/apparmor.d/local/sbin.dhclient -- usr_local_bin_script (35): Executable scripts under /usr/local/bin (often operator-installed).. Examples: /usr/local/bin/check_firewall, /usr/local/bin/awslogs -- apt_keyring (13): Repository signing key material used by APT.. Examples: /etc/apt/keyrings/openvpn-repo-public.asc, /etc/apt/trusted.gpg, /etc/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg -- modified_conffile (10): A package-managed conffile differs from the packaged/default version.. Examples: /etc/dnsmasq.conf, /etc/ssh/moduli, /etc/tor/torrc -- logrotate_snippet (9): logrotate snippets/configs referenced in system configuration.. Examples: /etc/logrotate.d/rsyslog, /etc/logrotate.d/tor, /etc/logrotate.d/apt -- apt_config (7): APT configuration affecting package installation and repository behavior.. Examples: /etc/apt/apt.conf.d/01autoremove, /etc/apt/apt.conf.d/20listchanges, /etc/apt/apt.conf.d/70debconf -[...] -``` - ---- - -## Run Ansible - -### Single-site -```bash -ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml -``` - -### Multi-site (--fqdn) -```bash -ansible-playbook /tmp/enroll-ansible/playbooks/"$(hostname -f)".yml -``` - -### Run only specific roles (tags) -Generated playbooks tag each role as `role_` (e.g. `role_users`, `role_services`), so you can speed up targeted runs: -```bash -ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml --tags role_users -``` - -## Configuration file - -As can be seen above, there are a lot of powerful 'permutations' available to all four subcommands. - -Sometimes, it can be easier to store them in a config file so you don't have to remember them! - -Enroll supports reading an ini-style file of all the arguments for each subcommand. - -### Location of the config file - -The path the config file can be specified with `-c` or `--config` on the command-line. Otherwise, -Enroll will look for `./enroll.ini`, `./.enroll.ini` (in the current working directory), -`~/.config/enroll/enroll.ini` (or `$XDG_CONFIG_HOME/enroll/enroll.ini`). - -You may also pass `--no-config` if you deliberately want to ignore the config file even if it existed. - -### Precedence - -Highest wins: - - * Explicit CLI flags - * INI config ([cmd], [enroll]) - * argparse defaults - -### Example config file - -Here is an example. - -Whenever an argument on the command-line has a 'hyphen' in it, just be sure to change it to an underscore in the ini file. - -```ini -[enroll] -# (future global flags may live here) - -[harvest] -dangerous = false -include_path = - /home/*/.bashrc - /home/*/.profile -exclude_path = /usr/local/bin/docker-*, /usr/local/bin/some-tool -# remote_host = yourserver.example.com -# remote_user = you -# remote_port = 2222 - -[manifest] -# you can set defaults here too, e.g. -no_jinjaturtle = true -sops = 54A91143AE0AB4F7743B01FE888ED1B423A3BC99 - -[diff] -# ignore noisy drift -exclude_path = /var/anacron -ignore_package_versions = true -# enforce = true # requires ansible-playbook on PATH - -[single-shot] -# if you use single-shot, put its defaults here. -# It does not inherit those of the subsections above, so you -# may wish to repeat them here. -include_path = re:^/home/[^/]+/\.config/myapp/.*$ -``` +Thanks for all the love in 2026. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..a9df1e3 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,97 @@ +# Enroll Threat Model and Security Scope + +Enroll is a command-line systems administration tool. It is designed to be executed intentionally by a system administrator, often with elevated privileges, in order to inspect a host, harvest selected system state, and optionally generate or apply configuration-management output. + +Because of that design, Enroll’s security model is different from that of a network service, web application, daemon, or setuid program. Enroll does not attempt to defend against arbitrary local compromise of the account executing it. If an attacker can control the command line, environment, configuration file, working directory, `PATH`, harvested input bundle, or configuration-management tools used by the administrator, they may be able to influence what Enroll does. That situation is considered a local trust-boundary failure outside Enroll’s intended security model. + +## Core assumptions + +Enroll assumes that the person running the tool understands what they are asking it to do. + +In particular: + +* If Enroll is run as root, the root user is assumed to control and understand the command line, environment, configuration file, and output location being used. +* If an `enroll.ini` configuration file is loaded, its location and contents are assumed to be owned, selected, and understood by the operator. +* The operator is expected to understand the implications of options such as `--dangerous`, `--assume-safe-path`, `--sops`, `--enforce`, `--remote-host`, and `--remote-ssh-config`. +* Harvest bundles used for `manifest`, `diff`, or `diff --enforce` are assumed to come from a trusted source unless the operator is deliberately inspecting untrusted input without applying it. +* Configuration-management tools invoked by Enroll, such as Ansible, Puppet, Salt, SOPS, SSH, `sudo`, Docker, Podman, Flatpak, Snap, package managers, and system utilities, are assumed to be the trusted tools the operator intended to use. + +## What is in scope + +Enroll tries to protect careful administrators from common and serious mistakes that can occur when a privileged CLI tool reads and writes host state. + +In-scope security concerns include: + +* Avoiding accidental capture of obvious secrets in default safe mode. +* Refusing known sensitive paths such as shadow files, SSH host keys, private key material, and common certificate/private-key locations unless the operator explicitly opts into dangerous collection. +* Warning when `--dangerous` is used, especially without encrypted output. +* Supporting encrypted harvest bundles via `--sops`. +* Avoiding symlink traversal and time-of-check/time-of-use mistakes when copying harvested files. +* Refusing unsafe artifact paths, symlinks, hardlinks, device nodes, and tar path traversal in harvest bundles. +* Writing plaintext harvest outputs into private directories by default. +* Hardening root-run output path handling so Enroll does not accidentally write through attacker-prepared symlinks or unsafe parent directories. +* Refusing to continue non-interactively when run as root with an unsafe `PATH`, unless the operator explicitly confirms with `--assume-safe-path`. +* Avoiding shell injection in generated manifests where harvested values are embedded into Ansible, Puppet, or Salt output. +* Rejecting unknown SSH host keys by default during remote harvests. + +These measures are defense-in-depth. They are intended to reduce the chance of accidental exposure, unsafe filesystem writes, path traversal, command injection, or dangerous behavior when Enroll is used normally by an administrator. + +## What is out of scope + +The following are generally out of scope and should not be reported as Enroll vulnerabilities unless they also bypass one of Enroll’s explicit hardening mechanisms: + +* A malicious local user who can already control the root user’s command line, shell environment, config file, `PATH`, SSH config, working directory, or invoked binaries. +* A root user loading an `enroll.ini` file whose contents intentionally request dangerous behavior. +* A root user passing `--dangerous` and then observing that Enroll may collect sensitive information. +* A root user passing `--assume-safe-path` and then observing that Enroll does not prompt about `PATH` safety. +* A root user enforcing a malicious or manually edited harvest bundle with `diff --enforce`. +* A user applying generated Ansible, Puppet, or Salt manifests from an untrusted harvest. +* A user configuring a webhook, email target, SSH proxy command, SOPS binary, package manager, or configuration-management tool that they do not trust. +* A compromised system where an attacker already controls root-owned files, root’s shell, root’s configuration, or the privileged tools Enroll invokes. +* Reports that amount to “if root runs this tool with malicious options, root can make the system do dangerous things.” +* Enroll harvesting a file that has a *commented out* secret even with `--dangerous` disabled (it ignores comments so as to not be totally useless when it comes to harvesting config files). It is still the responsibility of the user to use `--sops` or appropriate at-rest encryption if in the slightest doubt about what might get harvested. + +Enroll is a tool for administrators, not a sandbox for hostile local users. It cannot make unsafe local trust decisions safe if the operator’s own execution environment is already attacker-controlled. + +## Trusted harvests and enforcement + +Harvest bundles should be treated as sensitive and trusted administrative artifacts. + +A harvest may contain hostnames, usernames, package lists, service state, filesystem metadata, configuration files, firewall snapshots, container image references, Flatpak/Snap state, and other operational details. In `--dangerous` mode it may contain substantially more sensitive material. + +Before running `manifest`, `diff`, or especially `diff --enforce`, the operator should be confident that the harvest bundle came from a trusted source and has not been tampered with. + +Enroll validates harvest structure and artifact safety. Validation can detect many unsafe filesystem constructs, such as path traversal, missing artifacts, symlinks, hardlinks, and schema mismatches. Validation does not and cannot prove that the desired state represented by a harvest is safe to apply. + +## Local compromise + +Enroll includes hardening against some local filesystem attack patterns because it is often run with high privileges. For example, it tries to avoid symlink races, unsafe output directories, path traversal, and accidental secret capture. + +However, local compromise cannot be ruled out completely for a privileged CLI tool. If an attacker can influence the administrator’s shell, environment, config file, binaries, SSH configuration, SOPS binary, configuration-management tools, or harvest inputs, they may be able to influence Enroll’s behavior. + +Such scenarios are treated as local compromise or operator trust failures, not as vulnerabilities in Enroll by themselves. + +## Security report guidance + +Useful vulnerability reports include issues where Enroll behaves unsafely despite the documented trust model. Examples include: + +* Enroll captures a clearly sensitive default-denied file without `--dangerous`. +* Enroll follows a symlink or hardlink in a way that causes privileged file disclosure or overwrite. +* Enroll extracts a tar member outside the intended harvest directory. +* Enroll accepts a malicious harvest artifact that escapes the artifact root. +* Enroll generates an Ansible, Puppet, or Salt manifest where ordinary harvested data can cause command injection. +* Enroll writes root-run output into an unsafe attacker-controlled path despite its safety checks. +* Enroll silently ignores a failed safety check and proceeds anyway. +* Enroll accepts an unknown SSH host key unexpectedly. +* Enroll exposes secrets in logs, errors, reports, or generated output when not explicitly requested by the operator. + +Less useful reports, and normally out of scope, include: + +* “Root can configure Enroll to collect sensitive files.” +* “Root can pass `--dangerous` and collect dangerous data.” +* “Root can pass `--assume-safe-path` and bypass the root `PATH` warning.” +* “Root can point Enroll at a malicious config file.” +* “Root can enforce a malicious harvest bundle.” +* “A malicious local user can compromise Enroll after already controlling root’s environment or binaries.” + +Reports about concrete bypasses of Enroll's hardening are welcomed (see https://enroll.sh/security.html), but the project does not treat intentional administrator-controlled execution as a vulnerability. diff --git a/debian/changelog b/debian/changelog index 5292e0e..4a3c7bd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,9 @@ enroll (0.6.0) unstable; urgency=medium - * Add support for capturing ipset and iptables configuration files - * Add support for generating ipset and iptables configuration files from runtime, if the former weren't present ('firewall_runtime' role) + * Add support for capturing ipset and iptables configuration files + * Add support for generating ipset and iptables configuration files from runtime, if the former weren't present ('firewall_runtime' role) - -- Miguel Jacq Thu, 14 May 2026 15:00 +1000 + -- Miguel Jacq Thu, 14 May 2026 15:00:00 +1000 enroll (0.5.0) unstable; urgency=medium diff --git a/enroll/accounts.py b/enroll/accounts.py index cf2fcd3..16890d6 100644 --- a/enroll/accounts.py +++ b/enroll/accounts.py @@ -1,8 +1,48 @@ from __future__ import annotations +import configparser import os -from dataclasses import dataclass -from typing import Dict, List, Set, Tuple +import re +import shutil +import subprocess # nosec +from dataclasses import dataclass, field +from typing import Dict, List, Optional, Set, Tuple + + +@dataclass +class FlatpakInstall: + name: str + method: str + remote: Optional[str] = None + branch: Optional[str] = None + arch: Optional[str] = None + kind: Optional[str] = None + ref: Optional[str] = None + user: Optional[str] = None + home: Optional[str] = None + source: str = "filesystem" + + +@dataclass +class FlatpakRemote: + name: str + method: str + url: str + user: Optional[str] = None + home: Optional[str] = None + source: str = "filesystem" + + +@dataclass +class SnapInstall: + name: str + channel: Optional[str] = None + revision: Optional[int] = None + classic: bool = False + devmode: bool = False + dangerous: bool = False + notes: List[str] = field(default_factory=list) + source: str = "snap-list" @dataclass @@ -16,6 +56,7 @@ class UserRecord: primary_group: str supplementary_groups: List[str] ssh_files: List[str] + flatpaks: List[FlatpakInstall] = field(default_factory=list) def parse_login_defs(path: str = "/etc/login.defs") -> Dict[str, int]: @@ -105,7 +146,12 @@ def is_human_user(uid: int, shell: str, uid_min: int) -> bool: def find_user_ssh_files(home: str) -> List[str]: sshdir = os.path.join(home, ".ssh") out: List[str] = [] - if not os.path.isdir(sshdir): + # ``os.path.isdir`` follows symlinks, so a user who replaces ``~/.ssh`` + # with a link to a sensitive directory (e.g. /etc/ssl/private) could + # otherwise have a regular file inside it harvested through the symlinked + # parent. Refuse a symlinked .ssh outright; capture_file() applies the + # same parent-symlink protection at copy time as defense in depth. + if os.path.islink(sshdir) or not os.path.isdir(sshdir): return out ak = os.path.join(sshdir, "authorized_keys") @@ -115,6 +161,612 @@ def find_user_ssh_files(home: str) -> List[str]: return sorted(set(out)) +def _read_first_existing_text(paths: List[str]) -> Optional[str]: + for path in paths: + try: + with open(path, "r", encoding="utf-8", errors="replace") as f: + value = f.read().strip() + if value: + return value + except OSError: + continue + return None + + +def _parse_flatpak_ref( + ref: str, +) -> Tuple[Optional[str], str, Optional[str], Optional[str]]: + """Return (kind, name, arch, branch) for a Flatpak ref. + + refs look like app/org.example.App/x86_64/stable or + runtime/org.example.Platform/x86_64/23.08. If the value is already just an + application/runtime ID, keep it as the name and leave the other fields empty. + """ + parts = [p for p in (ref or "").strip().split("/") if p] + if len(parts) >= 4 and parts[0] in {"app", "runtime"}: + return parts[0], parts[1], parts[2], parts[3] + return None, (ref or "").strip(), None, None + + +def _parse_plain_flatpak_list_output( + output: str, + *, + method: str, + user: Optional[str] = None, + home: Optional[str] = None, +) -> List[FlatpakInstall]: + """Parse default `flatpak list` table output. + + Example: + Name Application ID Version Branch Installation + OnionShare org.onionshare.OnionShare 2.6.4 stable system + """ + out: List[FlatpakInstall] = [] + seen: Set[ + Tuple[str, Optional[str], Optional[str], Optional[str], Optional[str]] + ] = set() + id_re = re.compile(r"\b(?:[A-Za-z0-9_-]+\.)+[A-Za-z0-9_-]+\b") + for line in output.splitlines(): + line = line.rstrip() + if not line.strip(): + continue + if "Application ID" in line and "Installation" in line: + continue + match = id_re.search(line) + if not match: + continue + name = match.group(0) + tail = line[match.end() :].split() + installation = tail[-1] if tail else "" + if installation in {"system", "user"} and installation != method: + continue + branch = None + if len(tail) >= 2 and tail[-1] in {"system", "user"}: + branch = tail[-2] + elif tail: + branch = tail[-1] + + key = (name, None, branch, None, None) + if key in seen: + continue + seen.add(key) + out.append( + FlatpakInstall( + name=name, + method=method, + remote=None, + branch=branch, + arch=None, + kind=None, + ref=None, + user=user, + home=home, + source="flatpak-list", + ) + ) + return sorted(out, key=lambda f: (f.name, f.branch or "")) + + +def _parse_flatpak_list_output( + output: str, + *, + method: str, + columns: Optional[Tuple[str, ...]] = None, + user: Optional[str] = None, + home: Optional[str] = None, +) -> List[FlatpakInstall]: + """Parse Flatpak list output. + + If columns is None, parse the default table. Otherwise columns names must + match the order passed to `flatpak list --columns=...`. + """ + if columns is None: + return _parse_plain_flatpak_list_output( + output, method=method, user=user, home=home + ) + + out: List[FlatpakInstall] = [] + seen: Set[ + Tuple[str, Optional[str], Optional[str], Optional[str], Optional[str]] + ] = set() + for line in output.splitlines(): + line = line.strip() + if not line: + continue + lower = line.lower() + if lower.startswith("ref") or lower.startswith("application id"): + continue + + parts = line.split("\t") + if len(parts) < len(columns): + parts = line.split() + if not parts: + continue + + fields = { + name: parts[idx].strip() + for idx, name in enumerate(columns) + if idx < len(parts) + } + ref = fields.get("ref") or fields.get("application") or "" + kind, name, ref_arch, ref_branch = _parse_flatpak_ref(ref) + if not name: + continue + + remote = fields.get("origin") or None + branch = fields.get("branch") or ref_branch + arch = fields.get("arch") or ref_arch + if remote in {"", "-"}: + remote = None + if branch in {"", "-"}: + branch = None + if arch in {"", "-"}: + arch = None + + key = (name, remote, branch, arch, kind) + if key in seen: + continue + seen.add(key) + out.append( + FlatpakInstall( + name=name, + method=method, + remote=remote, + branch=branch, + arch=arch, + kind=kind, + ref=ref if "/" in ref else None, + user=user, + home=home, + source="flatpak-list", + ) + ) + return sorted( + out, + key=lambda f: ( + f.kind or "", + f.name, + f.remote or "", + f.branch or "", + f.arch or "", + ), + ) + + +_KNOWN_FLATPAK_LIST_COLUMNS = { + "name", + "description", + "application", + "version", + "branch", + "arch", + "origin", + "installation", + "ref", + "active", + "latest", + "size", + "options", +} + + +def _parse_flatpak_columns_help(output: str) -> Set[str]: + """Parse `flatpak list --columns=help` output into supported fields.""" + supported: Set[str] = set() + for line in output.splitlines(): + # Help output varies a bit between Flatpak versions. Treat any known + # token as a supported field, whether it appears alone or in a + # description table. + for token in re.findall(r"[A-Za-z_][A-Za-z0-9_-]*", line.lower()): + if token in _KNOWN_FLATPAK_LIST_COLUMNS: + supported.add(token) + return supported + + +def _run_flatpak_columns_help() -> Optional[Set[str]]: + if shutil.which("flatpak") is None: + return None + try: + proc = subprocess.run( # nosec + ["flatpak", "list", "--columns=help"], + shell=False, + check=False, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + text=True, + timeout=10, + ) + except Exception: + return None + if proc.returncode != 0: + return None + supported = _parse_flatpak_columns_help(proc.stdout or "") + return supported or None + + +def _flatpak_list_attempts( + scope: str, supported: Optional[Set[str]] +) -> List[Tuple[List[str], Optional[Tuple[str, ...]]]]: + def supported_columns(*wanted: str) -> Optional[Tuple[str, ...]]: + if supported is not None and not set(wanted).issubset(supported): + return None + return tuple(wanted) + + column_sets: List[Tuple[str, ...]] = [] + for wanted in ( + ("application", "origin", "branch", "arch"), + ("application", "branch", "arch"), + ("application", "branch"), + ("application",), + ("ref", "origin", "branch", "arch"), + ("ref", "branch", "arch"), + ("ref", "branch"), + ("ref",), + ): + cols = supported_columns(*wanted) + if cols is not None and cols not in column_sets: + column_sets.append(cols) + + attempts: List[Tuple[List[str], Optional[Tuple[str, ...]]]] = [ + ( + ["flatpak", "list", scope, "--columns=" + ",".join(cols)], + cols, + ) + for cols in column_sets + ] + attempts.append((["flatpak", "list", scope], None)) + return attempts + + +def _run_flatpak_list(method: str) -> Optional[Tuple[str, Optional[Tuple[str, ...]]]]: + if shutil.which("flatpak") is None: + return None + + scope = "--system" if method == "system" else "--user" + supported = _run_flatpak_columns_help() + for args, columns in _flatpak_list_attempts(scope, supported): + try: + proc = subprocess.run( # nosec + args, + shell=False, + check=False, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + text=True, + timeout=10, + ) + except Exception: # nosec B112 + continue + if proc.returncode == 0: + return proc.stdout or "", columns + return None + + +def _flatpak_remote_from_ref( + flatpak_root: str, app_id: str, arch: str, branch: str, remote_names: List[str] +) -> Optional[str]: + for remote_name in remote_names: + ref = os.path.join( + flatpak_root, + "repo", + "refs", + "remotes", + remote_name, + "app", + app_id, + arch, + branch, + ) + if os.path.exists(ref): + return remote_name + return None + + +def _parse_flatpak_deploy_origin(branch_dir: str) -> Optional[str]: + active_dir = os.path.join(branch_dir, "active") + candidates = [ + os.path.join(active_dir, "origin"), + os.path.join(active_dir, "metadata"), + ] + + origin = _read_first_existing_text([candidates[0]]) + if origin: + return origin + + metadata = candidates[1] + if os.path.isfile(metadata): + parser = configparser.ConfigParser(interpolation=None) + try: + parser.read(metadata, encoding="utf-8") + except Exception: + return None + for section in ("Application", "Runtime"): + if parser.has_option(section, "origin"): + value = parser.get(section, "origin", fallback="").strip() + if value: + return value + return None + + +def _find_flatpaks_in_root( + flatpak_root: str, + *, + method: str, + user: Optional[str] = None, + home: Optional[str] = None, +) -> List[FlatpakInstall]: + apps_dir = os.path.join(flatpak_root, "app") + if not os.path.isdir(apps_dir): + return [] + + remote_names = [ + r.name + for r in find_flatpak_remotes(flatpak_root, method=method, user=user, home=home) + ] + out: List[FlatpakInstall] = [] + + try: + app_ids = sorted(os.listdir(apps_dir)) + except OSError: + return [] + + seen: Set[Tuple[str, Optional[str], Optional[str], Optional[str]]] = set() + for app_id in app_ids: + app_path = os.path.join(apps_dir, app_id) + if not os.path.isdir(app_path): + continue + try: + arches = sorted(os.listdir(app_path)) + except OSError: + continue + for arch in arches: + arch_path = os.path.join(app_path, arch) + if not os.path.isdir(arch_path): + continue + try: + branches = sorted(os.listdir(arch_path)) + except OSError: + continue + for branch in branches: + branch_path = os.path.join(arch_path, branch) + if not os.path.isdir(branch_path): + continue + active_dir = os.path.join(branch_path, "active") + if not os.path.exists(active_dir): + continue + remote = _parse_flatpak_deploy_origin(branch_path) + if not remote: + remote = _flatpak_remote_from_ref( + flatpak_root, app_id, arch, branch, remote_names + ) + key = (app_id, remote, branch, arch) + if key in seen: + continue + seen.add(key) + out.append( + FlatpakInstall( + name=app_id, + method=method, + remote=remote, + branch=branch or None, + arch=arch or None, + kind="app", + ref=f"app/{app_id}/{arch}/{branch}", + user=user, + home=home, + ) + ) + + return sorted( + out, key=lambda f: (f.name, f.remote or "", f.branch or "", f.arch or "") + ) + + +def find_flatpak_remotes( + flatpak_root: str, + *, + method: str, + user: Optional[str] = None, + home: Optional[str] = None, +) -> List[FlatpakRemote]: + """Return configured Flatpak remotes for a Flatpak installation root. + + Flatpak stores remotes in the OSTree repo config. This gives us the remote + names and repository URLs. It does not reliably preserve the original + .flatpakref/.flatpakrepo URL that was used during installation. + """ + config_path = os.path.join(flatpak_root, "repo", "config") + if not os.path.isfile(config_path): + return [] + + parser = configparser.ConfigParser(interpolation=None, strict=False) + try: + parser.read(config_path, encoding="utf-8") + except Exception: + return [] + + out: List[FlatpakRemote] = [] + for section in parser.sections(): + match = re.fullmatch(r'remote\s+"(.+)"', section) + if not match: + continue + name = match.group(1).strip() + url = parser.get(section, "url", fallback="").strip() + if not name or not url: + continue + out.append( + FlatpakRemote( + name=name, + method=method, + url=url, + user=user, + home=home, + ) + ) + + return sorted(out, key=lambda r: (r.method, r.user or "", r.name)) + + +def find_user_flatpaks(home: str, user: Optional[str] = None) -> List[FlatpakInstall]: + """Return per-user Flatpak applications installed under a home directory.""" + flatpak_root = os.path.join(home, ".local", "share", "flatpak") + return _find_flatpaks_in_root(flatpak_root, method="user", user=user, home=home) + + +def find_user_flatpak_remotes( + home: str, user: Optional[str] = None +) -> List[FlatpakRemote]: + flatpak_root = os.path.join(home, ".local", "share", "flatpak") + return find_flatpak_remotes(flatpak_root, method="user", user=user, home=home) + + +def find_system_flatpaks() -> List[FlatpakInstall]: + """Return Flatpak refs installed system-wide. + + Prefer `flatpak list --system` because it is Flatpak's own view of + installed refs and includes layouts the filesystem scanner might miss. + Fall back to the on-disk app deployment tree when the command is + unavailable or produces unparsable output. + """ + listing = _run_flatpak_list("system") + if listing is not None: + output, columns = listing + parsed = _parse_flatpak_list_output(output, method="system", columns=columns) + if parsed or not output.strip(): + return parsed + return _find_flatpaks_in_root("/var/lib/flatpak", method="system") + + +def find_system_flatpak_remotes() -> List[FlatpakRemote]: + return find_flatpak_remotes("/var/lib/flatpak", method="system") + + +def _parse_snap_notes(notes: str) -> List[str]: + if not notes or notes == "-": + return [] + cleaned = notes.replace(",", " ").replace(";", " ") + return sorted( + {n.strip().lower() for n in cleaned.split() if n.strip() and n.strip() != "-"} + ) + + +def _parse_snap_list_output(output: str) -> List[SnapInstall]: + out: List[SnapInstall] = [] + for idx, line in enumerate(output.splitlines()): + line = line.strip() + if not line: + continue + if idx == 0 and line.lower().startswith("name"): + continue + parts = line.split(maxsplit=5) + if len(parts) < 5: + continue + name = parts[0] + revision: Optional[int] + try: + revision = int(parts[2]) + except ValueError: + revision = None + tracking = parts[3] + channel = None if tracking in {"-", ""} else tracking + notes = _parse_snap_notes(parts[5] if len(parts) > 5 else "") + out.append( + SnapInstall( + name=name, + channel=channel, + revision=revision, + classic="classic" in notes, + devmode="devmode" in notes, + dangerous="dangerous" in notes, + notes=notes, + source="snap-list", + ) + ) + return sorted(out, key=lambda s: s.name) + + +def _run_snap_list() -> Optional[str]: + if shutil.which("snap") is None: + return None + try: + proc = subprocess.run( # nosec + ["snap", "list"], + shell=False, + check=False, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + text=True, + timeout=10, + ) + except Exception: + return None + if proc.returncode != 0: + return None + return proc.stdout or "" + + +def _find_system_snaps_from_filesystem() -> List[SnapInstall]: + snapd_snaps = "/var/lib/snapd/snaps" + if not os.path.isdir(snapd_snaps): + return [] + + current_revisions: Dict[str, int] = {} + snap_mounts = "/snap" + if os.path.isdir(snap_mounts): + try: + mount_names = os.listdir(snap_mounts) + except OSError: + mount_names = [] + for name in mount_names: + current = os.path.join(snap_mounts, name, "current") + try: + target = os.readlink(current) + except OSError: + continue + try: + current_revisions[name] = int(os.path.basename(target.rstrip("/"))) + except ValueError: + continue + + candidates: Dict[str, List[int]] = {} + try: + entries = os.listdir(snapd_snaps) + except OSError: + return [] + + for entry in entries: + if not entry.endswith(".snap") or "_" not in entry: + continue + name, rev_text = entry[:-5].rsplit("_", 1) + try: + revision = int(rev_text) + except ValueError: + continue + candidates.setdefault(name, []).append(revision) + + out: List[SnapInstall] = [] + for name, revisions in candidates.items(): + revision = current_revisions.get(name) + if revision is None: + revision = max(revisions) + out.append(SnapInstall(name=name, revision=revision, source="filesystem")) + return sorted(out, key=lambda s: s.name) + + +def find_system_snaps() -> List[SnapInstall]: + """Return system-wide snap packages. + + Prefer `snap list` because it exposes channel tracking and confinement notes. + Fall back to snapd's on-disk snap filenames when the command is unavailable. + """ + output = _run_snap_list() + if output is not None: + parsed = _parse_snap_list_output(output) + if parsed: + return parsed + return _find_system_snaps_from_filesystem() + + def collect_non_system_users() -> List[UserRecord]: defs = parse_login_defs() uid_min = defs.get("UID_MIN", 1000) @@ -139,6 +791,10 @@ def collect_non_system_users() -> List[UserRecord]: ssh_files = find_user_ssh_files(home) if home and home.startswith("/") else [] + flatpaks: List[FlatpakInstall] = [] + if home and home.startswith("/"): + flatpaks = find_user_flatpaks(home, user=name) + users.append( UserRecord( name=name, @@ -150,6 +806,7 @@ def collect_non_system_users() -> List[UserRecord]: primary_group=primary_group, supplementary_groups=supp, ssh_files=ssh_files, + flatpaks=flatpaks, ) ) diff --git a/enroll/ansible.py b/enroll/ansible.py new file mode 100644 index 0000000..2eaec0a --- /dev/null +++ b/enroll/ansible.py @@ -0,0 +1,2442 @@ +from __future__ import annotations + +import os +import re +import stat +import tempfile +from dataclasses import dataclass +from pathlib import Path +from typing import Any, Dict, List, Optional, Set, Tuple + +from .cm import CMModule, markdown_list, snapshot_excluded_lines, snapshot_note_lines +from .jinjaturtle import ( + jinjify_managed_files as _jinjify_managed_files, + resolve_jinjaturtle_mode, +) +from .manifest_safety import ( + copy_safe_artifact_file, + iter_safe_artifact_files, + prepare_manifest_output_dir, +) +from .render_safety import ansible_unsafe_data +from .role_names import avoid_reserved_role_name +from .state import inventory_packages_from_state, roles_from_state +from .yamlutil import yaml_dump_mapping, yaml_load_mapping + + +@dataclass +class AnsibleManifestContext: + bundle_dir: str + out_dir: str + roles_root: str + fqdn: Optional[str] + site_mode: bool + jt_exe: Optional[str] + jt_enabled: bool + + +class AnsibleRole(CMModule): + """Ansible-specific view of a renderer-neutral CMModule.""" + + def __init__( + self, + role_name: str, + *, + var_prefix: Optional[str] = None, + section_label: Optional[str] = None, + grouped: bool = False, + ) -> None: + super().__init__(role_name=role_name, module_name=role_name) + self.var_prefix = var_prefix or role_name + self.section_label = section_label + self.grouped = grouped + self.entries: List[Dict[str, Any]] = [] + self.excluded: List[Dict[str, Any]] = [] + self.origin_lines: List[str] = [] + self.container_images: List[Dict[str, Any]] = [] + self.flatpak_remotes: List[Dict[str, Any]] = [] + self.flatpaks: List[Dict[str, Any]] = [] + self.snaps: List[Dict[str, Any]] = [] + self.users_groups: List[str] = [] + self.users_data: List[Dict[str, Any]] = [] + self.users_ssh_dirs: List[Dict[str, Any]] = [] + self.users_ssh_files: List[Dict[str, Any]] = [] + + def has_resources(self) -> bool: + return self.has_resources_or_attrs( + "container_images", + "flatpak_remotes", + "flatpaks", + "snaps", + "users_data", + "users_ssh_files", + ) + + def add_package_snapshot(self, snap: Dict[str, Any]) -> None: + pkg = self.package_name_from_snapshot(snap) + source_role = str(snap.get("role_name") or pkg or self.role_name) + self.entries.append({"kind": "package", "snapshot": snap}) + super().add_package_snapshot(snap) + if pkg: + self.origin_lines.append(f"package `{pkg}` from role `{source_role}`") + self.add_managed_content(snap) + + def add_service_snapshot(self, snap: Dict[str, Any]) -> None: + unit = self.service_unit_from_snapshot(snap) + source_role = str(snap.get("role_name") or unit or self.role_name) + self.entries.append({"kind": "service", "snapshot": snap}) + self.add_service_packages_from_snapshot(snap) + if unit: + self.services.setdefault( + unit, + { + "name": unit, + "manage": True, + "enabled": self.service_enabled_from_snapshot(snap), + "state": self.service_state_from_snapshot( + snap, running="started", stopped="stopped" + ), + }, + ) + self.origin_lines.append(f"service `{unit}` from role `{source_role}`") + self.add_managed_content(snap) + + def add_managed_content(self, snap: Dict[str, Any]) -> None: + for d in self.managed_dirs_from_snapshot(snap): + path = str(d.get("path") or "").strip() + self.add_managed_dir( + path, + dest=path, + owner=d.get("owner") or "root", + group=d.get("group") or "root", + mode=d.get("mode") or "0755", + ) + + for mf in self.managed_files_from_snapshot(snap): + path = str(mf.get("path") or "").strip() + src_rel = str(mf.get("src_rel") or "").strip() + if not path or not src_rel: + continue + self.add_managed_file( + path, + dest=path, + src_rel=src_rel, + owner=mf.get("owner") or "root", + group=mf.get("group") or "root", + mode=mf.get("mode") or "0644", + reason=mf.get("reason") or "managed_file", + ) + + for ml in self.managed_links_from_snapshot(snap): + path = str(ml.get("path") or "").strip() + target = str(ml.get("target") or "").strip() + if not path or not target: + continue + self.add_managed_link(path, dest=path, src=target) + + self.excluded.extend(snap.get("excluded", []) or []) + self.add_snapshot_notes(snap) + + @property + def sorted_packages(self) -> List[str]: + return sorted(self.packages) + + @property + def systemd_units_var(self) -> List[Dict[str, Any]]: + return [self.services[k] for k in sorted(self.services)] + + def add_firewall_runtime_snapshot(self, snap: Dict[str, Any]) -> None: + self.add_service_packages_from_snapshot(snap) + self.firewall_runtime.update(self.firewall_runtime_source_refs(snap)) + ipset_sets = self.firewall_runtime_ipset_sets(snap) + if ipset_sets: + self.firewall_runtime["ipset_sets"] = ipset_sets + self.add_snapshot_notes(snap) + + def prepare_flatpak_remote(self, item: Dict[str, Any]) -> Dict[str, Any]: + return dict(item) + + def prepare_flatpak_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + return dict(item) + + def prepare_snap_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _normalise_snap_item(item) + + def add_container_images_snapshot(self, snap: Dict[str, Any]) -> None: + self.container_images = [ + _normalise_container_image_item(img) + for img in (snap.get("images", []) or []) + ] + self.add_snapshot_notes(snap) + + def add_users_snapshot(self, snap: Dict[str, Any]) -> None: + users_data = self.user_records_from_snapshot(snap) + for user in users_data: + user["ssh_dir"] = str(user.get("home") or "").rstrip("/") + "/.ssh" + + ssh_files: List[Dict[str, Any]] = [] + for mf in snap.get("managed_files", []) or []: + dest = mf.get("path") or "" + src_rel = mf.get("src_rel") or "" + if not dest or not src_rel: + continue + + owner = "root" + group = "root" + for u in users_data: + home_prefix = (u.get("home") or "").rstrip("/") + "/" + if home_prefix and dest.startswith(home_prefix): + owner = str(u.get("name") or "root") + group = str(u.get("primary_group") or owner) + break + + mode = mf.get("mode") or "0644" + if mf.get("reason") == "authorized_keys": + mode = "0600" + ssh_files.append( + { + "dest": dest, + "src_rel": src_rel, + "owner": owner, + "group": group, + "mode": mode, + } + ) + + ssh_dirs_by_dest: Dict[str, Dict[str, Any]] = {} + for item in ssh_files: + dest = str(item.get("dest") or "") + if not dest: + continue + for user in users_data: + ssh_dir = str(user.get("ssh_dir") or "").rstrip("/") + if not ssh_dir or not dest.startswith(ssh_dir + "/"): + continue + ssh_dirs_by_dest.setdefault( + ssh_dir, + { + "dest": ssh_dir, + "owner": str(user.get("name") or item.get("owner") or "root"), + "group": str( + user.get("primary_group") or item.get("group") or "root" + ), + "mode": "0700", + }, + ) + break + + self.users_groups = sorted(self.user_group_names_from_records(users_data)) + self.users_data = users_data + self.users_ssh_files = ssh_files + self.users_ssh_dirs = sorted( + ssh_dirs_by_dest.values(), key=lambda item: str(item.get("dest") or "") + ) + self.add_user_flatpaks_snapshot(snap) + self.excluded.extend(snap.get("excluded", []) or []) + self.add_snapshot_notes(snap) + + def render_firewall_runtime_tasks(self) -> str: + var_prefix = self.role_name + return f"""- name: Ensure firewall runtime snapshot directory exists + ansible.builtin.file: + path: {self.firewall_runtime_dir} + state: directory + owner: root + group: root + mode: "0750" + +- name: Deploy captured ipset snapshot + vars: + _enroll_ff: + files: + - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_ipset_save }}}}" + - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_ipset_save }}}}" + ansible.builtin.copy: + src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" + dest: {self.firewall_runtime_dest_path('ipset.save')} + owner: root + group: root + mode: "0600" + notify: Restore captured ipsets + when: ({var_prefix}_ipset_save | default('') | length) > 0 + +- name: Deploy captured IPv4 iptables snapshot + vars: + _enroll_ff: + files: + - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_iptables_v4_save }}}}" + - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_iptables_v4_save }}}}" + ansible.builtin.copy: + src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" + dest: {self.firewall_runtime_dest_path('iptables.v4')} + owner: root + group: root + mode: "0600" + notify: Restore captured IPv4 iptables rules + when: ({var_prefix}_iptables_v4_save | default('') | length) > 0 + +- name: Deploy captured IPv6 iptables snapshot + vars: + _enroll_ff: + files: + - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_iptables_v6_save }}}}" + - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_iptables_v6_save }}}}" + ansible.builtin.copy: + src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" + dest: {self.firewall_runtime_dest_path('iptables.v6')} + owner: root + group: root + mode: "0600" + notify: Restore captured IPv6 iptables rules + when: ({var_prefix}_iptables_v6_save | default('') | length) > 0 +""" + + def render_firewall_runtime_handlers(self) -> str: + var_prefix = self.role_name + return f"""--- +- name: Flush captured ipsets before restoring members + ansible.builtin.command: + cmd: "ipset flush {{{{ item }}}}" + loop: "{{{{ {var_prefix}_ipset_sets | default([]) }}}}" + listen: Restore captured ipsets + register: _enroll_ipset_flush + failed_when: false + changed_when: false + when: {var_prefix}_sync_ipsets_exact | default(true) | bool + +- name: Restore captured ipsets + ansible.builtin.shell: "ipset restore -exist < {self.firewall_runtime_dest_path('ipset.save')}" + args: + executable: /bin/sh + listen: Restore captured ipsets + when: ({var_prefix}_ipset_save | default('') | length) > 0 + +- name: Restore captured IPv4 iptables rules + ansible.builtin.command: + cmd: iptables-restore {self.firewall_runtime_dest_path('iptables.v4')} + listen: Restore captured IPv4 iptables rules + when: + - ({var_prefix}_iptables_v4_save | default('') | length) > 0 + - {var_prefix}_restore_iptables | default(true) | bool + +- name: Restore captured IPv6 iptables rules + ansible.builtin.command: + cmd: ip6tables-restore {self.firewall_runtime_dest_path('iptables.v6')} + listen: Restore captured IPv6 iptables rules + when: + - ({var_prefix}_iptables_v6_save | default('') | length) > 0 + - {var_prefix}_restore_iptables | default(true) | bool +""" + + +def _role_id(raw: str) -> str: + """Return an Ansible-safe role identifier from an arbitrary label.""" + + s = re.sub(r"[^A-Za-z0-9]+", "_", raw or "misc") + s = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", s) + s = s.lower() + s = re.sub(r"_+", "_", s).strip("_") + if not s: + s = "misc" + if not re.match(r"^[a-z_]", s): + s = "r_" + s + return s + + +def _section_role_name(label: str, occupied_roles: Set[str]) -> str: + """Create a stable section role name, avoiding generated-role collisions.""" + + base = avoid_reserved_role_name(_role_id(label), prefix="section") + role = base if base not in occupied_roles else f"section_{base}" + n = 2 + while role in occupied_roles: + role = f"section_{base}_{n}" + n += 1 + occupied_roles.add(role) + return role + + +def _collect_ansible_roles( + roles: Dict[str, Any], + inventory_packages: Dict[str, Any], + *, + use_common_roles: bool, +) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]], Dict[str, List[Dict[str, Any]]]]: + """Collect package/service role inputs from shared CMModule grouping logic.""" + + services: List[Dict[str, Any]] = [] + packages: List[Dict[str, Any]] = [] + common_role_groups: Dict[str, List[Dict[str, Any]]] = {} + for entry in CMModule.package_service_entries( + roles, inventory_packages, use_common_roles=use_common_roles + ): + kind = str(entry.get("kind") or "package") + snap = entry.get("snapshot") or {} + if use_common_roles: + common_role_groups.setdefault( + str(entry.get("role_label") or "misc"), [] + ).append({"kind": kind, "snapshot": snap}) + elif kind == "service": + services.append(snap) + else: + packages.append(snap) + return services, packages, common_role_groups + + +def _add_role(roles: List[str], role: Optional[str]) -> None: + if role and role not in roles: + roles.append(role) + + +def _add_roles(roles: List[str], incoming: List[str]) -> None: + for role in incoming: + _add_role(roles, role) + + +def _ordered_playbook_roles( + rendered_roles: List[str], tail_roles: List[str] +) -> List[str]: + """Return generated role names in playbook order.""" + tail = {role for role in tail_roles if role in rendered_roles} + ordered = [role for role in rendered_roles if role not in tail] + ordered.extend(role for role in tail_roles if role in tail and role not in ordered) + return ordered + + +def _prepare_ansible_context( + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str], + jinjaturtle: str, +) -> AnsibleManifestContext: + site_mode = fqdn is not None and fqdn != "" + jt_exe, jt_enabled = resolve_jinjaturtle_mode(jinjaturtle) + + out = prepare_manifest_output_dir(out_dir, allow_existing=site_mode) + out_dir = str(out) + roles_root = os.path.join(out_dir, "roles") + os.makedirs(roles_root, exist_ok=True) + + return AnsibleManifestContext( + bundle_dir=bundle_dir, + out_dir=out_dir, + roles_root=roles_root, + fqdn=fqdn, + site_mode=site_mode, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + ) + + +def _merge_mappings_overwrite( + existing: Dict[str, Any], incoming: Dict[str, Any] +) -> Dict[str, Any]: + """Merge incoming into existing with overwrite. + + NOTE: Unlike role defaults merging, host_vars should reflect the current + harvest for a host. Therefore lists are replaced rather than unioned. + """ + merged = dict(existing) + merged.update(incoming) + return merged + + +# --- Ansible layout helpers --- +def _copy2_replace(src: str, dst: str) -> None: + dst_dir = os.path.dirname(dst) + os.makedirs(dst_dir, exist_ok=True) + + # Copy to a temp file in the same directory, then atomically replace. + fd, tmp = tempfile.mkstemp(prefix=".enroll-tmp-", dir=dst_dir) + os.close(fd) + try: + copy_safe_artifact_file(src, tmp) + + # Ensure the working tree stays mergeable: make the file user-writable. + st = os.stat(tmp, follow_symlinks=False) + mode = stat.S_IMODE(st.st_mode) + if not (mode & stat.S_IWUSR): + os.chmod(tmp, mode | stat.S_IWUSR) + + os.replace(tmp, dst) + finally: + try: + os.unlink(tmp) + except FileNotFoundError: + pass + + +def _copy_artifacts( + bundle_dir: str, + role: str, + dst_files_dir: str, + *, + preserve_existing: bool = False, + exclude_rels: Optional[Set[str]] = None, +) -> None: + """Copy harvested artifacts for a role into a destination *files* directory. + + In non --fqdn mode, this is usually /files. + In --fqdn site mode, this is usually: + inventory/host_vars///.files + """ + for src, rel in iter_safe_artifact_files(bundle_dir, role): + dst = os.path.join(dst_files_dir, rel) + + # If a file was successfully templatised by JinjaTurtle, do NOT + # also materialise the raw copy in the destination files dir. + if exclude_rels and rel in exclude_rels: + try: + if os.path.isfile(dst): + os.remove(dst) + except Exception: + pass # nosec + continue + + if preserve_existing and os.path.exists(dst): + continue + os.makedirs(os.path.dirname(dst), exist_ok=True) + _copy2_replace(str(src), dst) + + +def _write_role_scaffold(role_dir: str) -> None: + os.makedirs(os.path.join(role_dir, "tasks"), exist_ok=True) + os.makedirs(os.path.join(role_dir, "handlers"), exist_ok=True) + os.makedirs(os.path.join(role_dir, "defaults"), exist_ok=True) + os.makedirs(os.path.join(role_dir, "meta"), exist_ok=True) + os.makedirs(os.path.join(role_dir, "files"), exist_ok=True) + os.makedirs(os.path.join(role_dir, "templates"), exist_ok=True) + + +def _role_tag(role: str) -> str: + """Return a stable Ansible tag name for a role. + + Used by `enroll diff --enforce` to run only the roles needed to repair drift. + """ + r = str(role or "").strip() + # Ansible tag charset is fairly permissive, but keep it portable and consistent. + safe = re.sub(r"[^A-Za-z0-9_-]+", "_", r).strip("_") + if not safe: + safe = "other" + return f"role_{safe}" + + +def _write_playbook_all(path: str, roles: List[str]) -> None: + pb_lines = [ + "---", + "- name: Apply all roles on all hosts", + " gather_facts: true", + " hosts: all", + " become: true", + " roles:", + ] + for r in roles: + pb_lines.append(f" - role: {r}") + pb_lines.append(f" tags: [{_role_tag(r)}]") + with open(path, "w", encoding="utf-8") as f: + f.write("\n".join(pb_lines) + "\n") + + +def _write_playbook_host(path: str, fqdn: str, roles: List[str]) -> None: + pb_lines = [ + "---", + f"- name: Apply all roles on {fqdn}", + f" hosts: {fqdn}", + " gather_facts: true", + " become: true", + " roles:", + ] + for r in roles: + pb_lines.append(f" - role: {r}") + pb_lines.append(f" tags: [{_role_tag(r)}]") + with open(path, "w", encoding="utf-8") as f: + f.write("\n".join(pb_lines) + "\n") + + +def _ensure_ansible_cfg(cfg_path: str) -> None: + if not os.path.exists(cfg_path): + with open(cfg_path, "w", encoding="utf-8") as f: + f.write("[defaults]\n") + f.write("roles_path = roles\n") + f.write("interpreter_python=/usr/bin/python3\n") + f.write("inventory = inventory\n") + f.write("stdout_callback = unixy\n") + f.write("force_color = 1\n") + f.write("vars_plugins_enabled = host_group_vars\n") + f.write("fact_caching = jsonfile\n") + f.write("fact_caching_connection = .enroll_cached_facts\n") + f.write("forks = 30\n") + f.write("remote_tmp = /tmp/ansible-${USER}\n") + f.write("timeout = 12\n") + f.write("[ssh_connection]\n") + f.write("pipelining = True\n") + f.write("scp_if_ssh = True\n") + return + + +def _ensure_requirements_yaml( + req_path: str, + collections: Optional[List[Dict[str, str]]] = None, +) -> None: + requested = collections or [{"name": "community.general", "version": ">=13.0.0"}] + + existing: Dict[str, Any] = {} + if os.path.exists(req_path): + try: + existing = yaml_load_mapping(Path(req_path).read_text(encoding="utf-8")) + except Exception: + existing = {} + + current_items = existing.get("collections") + if not isinstance(current_items, list): + current_items = [] + + by_name: Dict[str, Dict[str, str]] = {} + ordered_names: List[str] = [] + for item in current_items: + if isinstance(item, str): + name = item.strip() + if not name: + continue + entry: Dict[str, str] = {"name": name} + elif isinstance(item, dict): + name = str(item.get("name") or "").strip() + if not name: + continue + entry = {str(k): str(v) for k, v in item.items() if v is not None} + entry["name"] = name + else: + continue + if name not in by_name: + ordered_names.append(name) + by_name[name] = entry + + for item in requested: + name = str(item.get("name") or "").strip() + if not name: + continue + entry = dict(item) + entry["name"] = name + if name not in by_name: + ordered_names.append(name) + by_name[name] = entry + else: + by_name[name].update( + {k: v for k, v in entry.items() if v not in (None, "")} + ) + + out = {"collections": [by_name[name] for name in ordered_names]} + Path(req_path).parent.mkdir(parents=True, exist_ok=True) + Path(req_path).write_text( + "---\n" + yaml_dump_mapping(out, sort_keys=False), encoding="utf-8" + ) + + +def _ensure_inventory_host(inv_path: str, fqdn: str) -> None: + os.makedirs(os.path.dirname(inv_path), exist_ok=True) + if not os.path.exists(inv_path): + with open(inv_path, "w", encoding="utf-8") as f: + f.write("[all]\n") + f.write(fqdn + "\n") + return + + with open(inv_path, "r", encoding="utf-8") as f: + lines = [ln.rstrip("\n") for ln in f.readlines()] + + # ensure there is an [all] group; if not, create it at top + if not any(ln.strip() == "[all]" for ln in lines): + lines = ["[all]"] + lines + + # check if fqdn already present (exact match, ignoring whitespace) + if any(ln.strip() == fqdn for ln in lines): + return + + # append at end + lines.append(fqdn) + with open(inv_path, "w", encoding="utf-8") as f: + f.write("\n".join(lines) + "\n") + + +def _hostvars_path(site_root: str, fqdn: str, role: str) -> str: + return os.path.join(site_root, "inventory", "host_vars", fqdn, f"{role}.yml") + + +def _host_role_files_dir(site_root: str, fqdn: str, role: str) -> str: + """Host-specific files dir for a given role. + + Layout: + inventory/host_vars///.files/ + """ + return os.path.join(site_root, "inventory", "host_vars", fqdn, role, ".files") + + +def _write_hostvars(site_root: str, fqdn: str, role: str, data: Dict[str, Any]) -> None: + """Write host_vars YAML for a role for a specific host. + + This is host-specific state and should track the current harvest output. + Existing keys not mentioned in `data` are preserved, but keys in `data` + are overwritten (including list values). + """ + path = _hostvars_path(site_root, fqdn, role) + os.makedirs(os.path.dirname(path), exist_ok=True) + + existing_map: Dict[str, Any] = {} + if os.path.exists(path): + try: + existing_text = Path(path).read_text(encoding="utf-8") + existing_map = yaml_load_mapping(existing_text) + except Exception: + existing_map = {} + + merged = _merge_mappings_overwrite(existing_map, ansible_unsafe_data(data)) + + out = "---\n" + yaml_dump_mapping(merged, sort_keys=True) + with open(path, "w", encoding="utf-8") as f: + f.write(out) + + +def _write_role_defaults(role_dir: str, mapping: Dict[str, Any]) -> None: + """Overwrite role defaults/main.yml with the provided mapping.""" + defaults_path = os.path.join(role_dir, "defaults", "main.yml") + os.makedirs(os.path.dirname(defaults_path), exist_ok=True) + out = "---\n" + yaml_dump_mapping(ansible_unsafe_data(mapping), sort_keys=True) + with open(defaults_path, "w", encoding="utf-8") as f: + f.write(out) + + +def _write_role_meta(role_dir: str, collections: Optional[List[str]] = None) -> None: + meta_path = os.path.join(role_dir, "meta", "main.yml") + with open(meta_path, "w", encoding="utf-8") as f: + f.write("---\n") + f.write("dependencies: []\n") + if collections: + f.write("collections:\n") + for collection in collections: + f.write(f" - {collection}\n") + + +def _write_ansible_role_vars( + ctx: AnsibleManifestContext, + role_dir: str, + role: str, + vars_map: Dict[str, Any], + *, + site_defaults: Optional[Dict[str, Any]] = None, +) -> None: + """Write role variables using the same mode split as Puppet Hiera/Salt Pillar.""" + + if ctx.site_mode: + _write_role_defaults(role_dir, site_defaults or {}) + _write_hostvars(ctx.out_dir, ctx.fqdn or "", role, vars_map) + else: + _write_role_defaults(role_dir, vars_map) + + +def _write_ansible_role( + ctx: AnsibleManifestContext, + role: str, + *, + vars_map: Optional[Dict[str, Any]] = None, + site_defaults: Optional[Dict[str, Any]] = None, + tasks: str = "---\n", + handlers: str = "---\n", + collections: Optional[List[str]] = None, +) -> str: + """Write an Ansible role through one common logistical path. + + The CM-specific rendering remains target-specific, but role directory layout, + defaults/host_vars splitting and metadata writing are no longer repeated + in every feature renderer. + """ + + role_dir = os.path.join(ctx.roles_root, role) + _write_role_scaffold(role_dir) + _write_ansible_role_vars( + ctx, role_dir, role, vars_map or {}, site_defaults=site_defaults + ) + + with open(os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8") as f: + f.write(tasks.rstrip() + "\n") + + with open( + os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" + ) as f: + f.write(handlers.rstrip() + "\n") + + _write_role_meta(role_dir, collections) + + return role + + +def _copy_role_artifacts( + ctx: AnsibleManifestContext, + role: str, + artifact_role: str, + *, + exclude_rels: Optional[Set[str]] = None, + preserve_existing: bool = False, +) -> None: + role_dir = os.path.join(ctx.roles_root, role) + dst_files_dir = ( + _host_role_files_dir(ctx.out_dir, ctx.fqdn or "", role) + if ctx.site_mode + else os.path.join(role_dir, "files") + ) + _copy_artifacts( + ctx.bundle_dir, + artifact_role, + dst_files_dir, + preserve_existing=preserve_existing, + exclude_rels=exclude_rels, + ) + + +def _render_readme( + state: Dict[str, Any], + rendered_roles: List[str], + *, + fqdn: Optional[str] = None, +) -> str: + host = state.get("host", {}) if isinstance(state.get("host"), dict) else {} + hostname = host.get("hostname") or "unknown" + roles = state.get("roles", {}) if isinstance(state.get("roles"), dict) else {} + excluded = snapshot_excluded_lines(roles) + notes = snapshot_note_lines(roles) + role_lines = "\n".join(f"- `{role}`" for role in rendered_roles) or "- None." + excluded_text = markdown_list(excluded) + notes_text = markdown_list(notes) + + if fqdn: + layout = f"""- `playbooks/{fqdn}.yml` applies the generated roles to `{fqdn}`. +- `inventory/hosts.ini` defines the target host. +- `inventory/host_vars/{fqdn}//main.yml` contains host-specific role variables. +- `inventory/host_vars/{fqdn}//.files/...` contains host-specific harvested file artifacts. +- `roles//tasks/main.yml` contains reusable Ansible tasks. +- `roles//files/...` and `roles//templates/...` contain reusable role artifacts where applicable.""" + apply = f"""```bash +ansible-galaxy collection install -r requirements.yml +ansible-playbook -i inventory/hosts.ini playbooks/{fqdn}.yml --check --diff +```""" + else: + layout = """- `playbook.yml` applies the generated roles to the current inventory. +- `roles//tasks/main.yml` contains reusable Ansible tasks. +- `roles//defaults/main.yml` contains harvested/default role variables. +- `roles//files/...` and `roles//templates/...` contain harvested role artifacts where applicable. +- `roles//handlers/main.yml` contains any restore/restart/apply handlers.""" + apply = """```bash +ansible-galaxy collection install -r requirements.yml +ansible-playbook -i localhost, -c local playbook.yml --check --diff +```""" + + return f"""# Enroll Ansible manifest + +Generated from harvested state for `{hostname}`. + +## Layout + +{layout} + +## Roles + +{role_lines} + +## Excluded captured paths + +{excluded_text} + +## Notes + +{notes_text} + +## Apply / dry-run + +{apply} +""" + + +def _write_site_scaffold(ctx: AnsibleManifestContext) -> None: + if not ctx.site_mode: + return + os.makedirs(os.path.join(ctx.out_dir, "inventory"), exist_ok=True) + os.makedirs(os.path.join(ctx.out_dir, "inventory", "host_vars"), exist_ok=True) + os.makedirs(os.path.join(ctx.out_dir, "playbooks"), exist_ok=True) + _ensure_inventory_host( + os.path.join(ctx.out_dir, "inventory", "hosts.ini"), ctx.fqdn or "" + ) + _ensure_ansible_cfg(os.path.join(ctx.out_dir, "ansible.cfg")) + _ensure_requirements_yaml(os.path.join(ctx.out_dir, "requirements.yml")) + + +def _write_manifest_playbook(ctx: AnsibleManifestContext, roles: List[str]) -> None: + if ctx.site_mode: + _write_playbook_host( + os.path.join(ctx.out_dir, "playbooks", f"{ctx.fqdn}.yml"), + ctx.fqdn or "", + roles, + ) + else: + _write_playbook_all(os.path.join(ctx.out_dir, "playbook.yml"), roles) + + +# --- Ansible task snippets --- +def _render_generic_files_tasks(var_prefix: str) -> str: + """Render generic tasks to deploy _managed_files safely.""" + # Using first_found makes roles work in both modes: + # - site-mode: inventory/host_vars///.files/... + # - non-site: roles//files/... + return f"""- name: Ensure managed directories exist (preserve owner/group/mode) + ansible.builtin.file: + path: "{{{{ item.dest }}}}" + state: directory + owner: "{{{{ item.owner }}}}" + group: "{{{{ item.group }}}}" + mode: "{{{{ item.mode }}}}" + loop: "{{{{ {var_prefix}_managed_dirs | default([]) }}}}" + +- name: Deploy any systemd unit files (templates) + ansible.builtin.template: + src: "{{{{ item.src_rel }}}}.j2" + dest: "{{{{ item.dest }}}}" + owner: "{{{{ item.owner }}}}" + group: "{{{{ item.group }}}}" + mode: "{{{{ item.mode }}}}" + loop: >- + {{{{ {var_prefix}_managed_files | default([]) + | selectattr('is_systemd_unit', 'equalto', true) + | selectattr('kind', 'equalto', 'template') + | list }}}} + notify: "{{{{ item.notify | default([]) }}}}" + +- name: Deploy any systemd unit files (raw files) + vars: + _enroll_ff: + files: + - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ item.src_rel }}}}" + - "{{{{ role_path }}}}/files/{{{{ item.src_rel }}}}" + ansible.builtin.copy: + src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" + dest: "{{{{ item.dest }}}}" + owner: "{{{{ item.owner }}}}" + group: "{{{{ item.group }}}}" + mode: "{{{{ item.mode }}}}" + loop: >- + {{{{ {var_prefix}_managed_files | default([]) + | selectattr('is_systemd_unit', 'equalto', true) + | selectattr('kind', 'equalto', 'copy') + | list }}}} + notify: "{{{{ item.notify | default([]) }}}}" + +- name: Reload systemd to pick up unit changes + ansible.builtin.meta: flush_handlers + when: >- + ({var_prefix}_managed_files | default([]) + | selectattr('is_systemd_unit', 'equalto', true) + | list + | length) > 0 + +- name: Deploy any other managed files (templates) + ansible.builtin.template: + src: "{{{{ item.src_rel }}}}.j2" + dest: "{{{{ item.dest }}}}" + owner: "{{{{ item.owner }}}}" + group: "{{{{ item.group }}}}" + mode: "{{{{ item.mode }}}}" + loop: >- + {{{{ {var_prefix}_managed_files | default([]) + | selectattr('is_systemd_unit', 'equalto', false) + | selectattr('kind', 'equalto', 'template') + | list }}}} + notify: "{{{{ item.notify | default([]) }}}}" + +- name: Deploy any other managed files (raw files) + vars: + _enroll_ff: + files: + - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ item.src_rel }}}}" + - "{{{{ role_path }}}}/files/{{{{ item.src_rel }}}}" + ansible.builtin.copy: + src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" + dest: "{{{{ item.dest }}}}" + owner: "{{{{ item.owner }}}}" + group: "{{{{ item.group }}}}" + mode: "{{{{ item.mode }}}}" + loop: >- + {{{{ {var_prefix}_managed_files | default([]) + | selectattr('is_systemd_unit', 'equalto', false) + | selectattr('kind', 'equalto', 'copy') + | list }}}} + notify: "{{{{ item.notify | default([]) }}}}" + +- name: Ensure managed symlinks exist + ansible.builtin.file: + src: "{{{{ item.src }}}}" + dest: "{{{{ item.dest }}}}" + state: link + force: true + loop: "{{{{ {var_prefix}_managed_links | default([]) }}}}" +""" + + +def _render_install_packages_tasks(role: str, var_prefix: str) -> str: + """Render package installation through Ansible's generic package provider.""" + + return f"""- name: Install packages for {role} + ansible.builtin.package: + name: "{{{{ {var_prefix}_packages | default([]) }}}}" + state: present + when: ({var_prefix}_packages | default([])) | length > 0 + +""" + + +def _render_grouped_systemd_tasks(var_prefix: str) -> str: + """Render tasks to manage multiple systemd units in a common role.""" + + return f"""- name: Probe whether grouped systemd units exist and are manageable + ansible.builtin.systemd: + name: "{{{{ item.name }}}}" + no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" + check_mode: true + loop: "{{{{ {var_prefix}_systemd_units | default([]) }}}}" + register: _enroll_unit_probes + failed_when: false + changed_when: false + when: + - enroll_manage_systemd_runtime | default(true) | bool + - item.manage | default(false) + +- name: Ensure grouped unit enablement matches harvest + ansible.builtin.systemd: + name: "{{{{ item.item.name }}}}" + enabled: "{{{{ item.item.enabled | bool }}}}" + no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" + loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" + when: + - enroll_manage_systemd_runtime | default(true) | bool + - item.item.manage | default(false) + - not (item.failed | default(false)) + +- name: Ensure grouped unit running state matches harvest + ansible.builtin.systemd: + name: "{{{{ item.item.name }}}}" + state: "{{{{ item.item.state }}}}" + no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" + loop: "{{{{ _enroll_unit_probes.results | default([]) }}}}" + when: + - enroll_manage_systemd_runtime | default(true) | bool + - item.item.manage | default(false) + - not (item.failed | default(false)) +""" + + +def _render_sysctl_tasks(var_prefix: str) -> str: + return f"""- name: Ensure sysctl.d exists + ansible.builtin.file: + path: /etc/sysctl.d + state: directory + owner: root + group: root + mode: "0755" + +- name: Deploy captured sysctl configuration + vars: + _enroll_ff: + files: + - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_conf_src_rel }}}}" + - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_conf_src_rel }}}}" + ansible.builtin.copy: + src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" + dest: /etc/sysctl.d/99-enroll.conf + owner: root + group: root + mode: "0644" + when: ({var_prefix}_conf_src_rel | default('') | length) > 0 + notify: Apply captured sysctl configuration +""" + + +def _render_sysctl_handlers(var_prefix: str) -> str: + return f"""--- +- name: Apply captured sysctl configuration + ansible.builtin.command: + argv: + - sysctl + - -e + - -p + - /etc/sysctl.d/99-enroll.conf + register: _enroll_sysctl_apply + changed_when: false + failed_when: + - not ({var_prefix}_ignore_apply_errors | default(true) | bool) + - _enroll_sysctl_apply.rc != 0 + when: {var_prefix}_apply | default(true) | bool +""" + + +def _task_body(tasks: str) -> str: + return (tasks or "").strip().removeprefix("---").lstrip("\n") + + +def _render_single_systemd_tasks(var_prefix: str) -> str: + return f"""- name: Probe whether systemd unit exists and is manageable + ansible.builtin.systemd: + name: "{{{{ {var_prefix}_unit_name }}}}" + no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" + check_mode: true + register: _unit_probe + failed_when: false + changed_when: false + when: + - enroll_manage_systemd_runtime | default(true) | bool + - {var_prefix}_manage_unit | default(false) + +- name: Ensure unit enablement matches harvest + ansible.builtin.systemd: + name: "{{{{ {var_prefix}_unit_name }}}}" + enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}" + no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" + when: + - enroll_manage_systemd_runtime | default(true) | bool + - {var_prefix}_manage_unit | default(false) + - _unit_probe is succeeded + +- name: Ensure unit running state matches harvest + ansible.builtin.systemd: + name: "{{{{ {var_prefix}_unit_name }}}}" + state: "{{{{ {var_prefix}_systemd_state }}}}" + no_log: "{{{{ enroll_hide_systemd_status | default(true) | bool }}}}" + when: + - enroll_manage_systemd_runtime | default(true) | bool + - {var_prefix}_manage_unit | default(false) + - _unit_probe is succeeded +""" + + +def _render_role_tasks( + role: AnsibleRole, + *, + packages: bool = False, + managed_content: bool = False, + single_service: bool = False, + grouped_services: bool = False, + sysctl: bool = False, + firewall_runtime: bool = False, + extra_tasks: str = "", +) -> str: + parts: List[str] = [] + if packages: + parts.append(_render_install_packages_tasks(role.role_name, role.var_prefix)) + if managed_content: + parts.append(_render_generic_files_tasks(role.var_prefix)) + if single_service: + parts.append(_render_single_systemd_tasks(role.var_prefix)) + if grouped_services: + parts.append(_render_grouped_systemd_tasks(role.var_prefix)) + if sysctl: + parts.append(_render_sysctl_tasks(role.var_prefix)) + if firewall_runtime: + parts.append(role.render_firewall_runtime_tasks()) + if extra_tasks: + parts.append(extra_tasks) + + body = "\n\n".join(_task_body(part) for part in parts if _task_body(part)) + return "---\n" + (body.rstrip() + "\n" if body else "") + + +def _single_service_restart_handler_body(var_prefix: str) -> str: + return f"""- name: Restart service + ansible.builtin.service: + name: "{{{{ {var_prefix}_unit_name }}}}" + state: restarted + when: + - enroll_manage_systemd_runtime | default(true) | bool + - {var_prefix}_manage_unit | default(false) + - ({var_prefix}_systemd_state | default('stopped')) == 'started' +""" + + +def _service_restart_handler_name(unit: str) -> str: + return f"Restart managed service {unit}" + + +def _grouped_service_restart_handlers_body(role: AnsibleRole) -> str: + handlers: List[str] = [] + for unit, svc in sorted(role.services.items()): + name = str(svc.get("name") or unit).strip() + if not name or str(svc.get("state") or "stopped") != "started": + continue + handlers.append( + f"""- name: {_service_restart_handler_name(name)} + ansible.builtin.service: + name: {name} + state: restarted + when: enroll_manage_systemd_runtime | default(true) | bool +""" + ) + return "\n".join(_task_body(handler) for handler in handlers if _task_body(handler)) + + +def _render_role_handlers( + role: AnsibleRole, + *, + systemd_reload: bool = False, + single_service: bool = False, + grouped_services: bool = False, + restart_grouped_services: bool = False, + sysctl: bool = False, + firewall_runtime: bool = False, + extra_handlers: str = "", +) -> str: + parts: List[str] = [] + if systemd_reload or single_service or grouped_services: + parts.append(_SYSTEMD_DAEMON_RELOAD_HANDLER) + if single_service: + parts.append(_single_service_restart_handler_body(role.var_prefix)) + if grouped_services and restart_grouped_services: + parts.append(_grouped_service_restart_handlers_body(role)) + if sysctl: + parts.append(_render_sysctl_handlers(role.var_prefix)) + if firewall_runtime: + parts.append(role.render_firewall_runtime_handlers()) + if extra_handlers: + parts.append(extra_handlers) + + body = "\n\n".join(_task_body(part) for part in parts if _task_body(part)) + return "---\n" + (body.rstrip() + "\n" if body else "") + + +# --- Ansible variable builders --- +def _normalise_flatpak_item( + item: Any, + *, + method: str, + user: Optional[str] = None, + home: Optional[str] = None, +) -> Dict[str, Any]: + return CMModule.normalise_flatpak_item(item, method=method, user=user, home=home) + + +def _normalise_flatpak_remote(item: Any) -> Dict[str, Any]: + return CMModule.normalise_flatpak_remote(item) + + +def _normalise_snap_item(item: Any) -> Dict[str, Any]: + out = CMModule.normalise_snap_item(item) + + # The Ansible snap module's revision parameter pins/holds the snap. For + # ordinary store snaps that track a channel, preserve the channel instead + # of freezing every harvested host at today's revision. + if out.get("revision") is not None and not out.get("channel"): + out["install_revision"] = True + else: + out["install_revision"] = False + return out + + +def _build_managed_dirs_var( + managed_dirs: List[Dict[str, Any]], +) -> List[Dict[str, Any]]: + """Convert enroll managed_dirs into an Ansible-friendly list of dicts. + + Each dict drives a role task loop and is safe across hosts. + """ + out: List[Dict[str, Any]] = [] + for d in managed_dirs: + dest = d.get("path") or "" + if not dest: + continue + out.append( + { + "dest": dest, + "owner": d.get("owner") or "root", + "group": d.get("group") or "root", + "mode": d.get("mode") or "0755", + } + ) + return out + + +def _build_managed_files_var( + managed_files: List[Dict[str, Any]], + templated_src_rels: Set[str], + *, + notify_other: Optional[Any] = None, + notify_systemd: Optional[str] = None, +) -> List[Dict[str, Any]]: + """Convert enroll managed_files into an Ansible-friendly list of dicts. + + Each dict drives a role task loop and is safe across hosts. + """ + out: List[Dict[str, Any]] = [] + for mf in managed_files: + dest = mf.get("path") or "" + src_rel = mf.get("src_rel") or "" + if not dest or not src_rel: + continue + is_unit = str(dest).startswith("/etc/systemd/system/") + kind = "template" if src_rel in templated_src_rels else "copy" + notify: List[str] = [] + if is_unit and notify_systemd: + notify.append(notify_systemd) + if (not is_unit) and notify_other: + if isinstance(notify_other, (list, tuple, set)): + notify.extend(str(item) for item in notify_other if str(item)) + else: + notify.append(str(notify_other)) + item = { + "dest": dest, + "src_rel": src_rel, + "owner": mf.get("owner") or "root", + "group": mf.get("group") or "root", + "mode": mf.get("mode") or "0644", + "kind": kind, + "is_systemd_unit": bool(is_unit), + } + if notify: + item["notify"] = notify + out.append(item) + + return out + + +def _build_managed_links_var( + managed_links: List[Dict[str, Any]], +) -> List[Dict[str, Any]]: + """Convert enroll managed_links into an Ansible-friendly list of dicts.""" + out: List[Dict[str, Any]] = [] + for ml in managed_links or []: + dest = ml.get("path") or "" + src = ml.get("target") or "" + if not dest or not src: + continue + out.append({"dest": dest, "src": src}) + return out + + +def _normalise_container_image_item(item: Any) -> Dict[str, Any]: + if isinstance(item, dict): + out = dict(item) + else: + out = {"pull_ref": str(item)} + out.setdefault("engine", "docker") + out.setdefault("scope", "system") + out.setdefault("user", None) + out.setdefault("home", None) + out.setdefault("repo_tags", []) + out.setdefault("repo_digests", []) + out.setdefault("tag_aliases", []) + out.setdefault("notes", []) + return out + + +# --- Container image role renderer --- +_CONTAINER_COLLECTIONS = [ + {"name": "community.docker", "version": ">=4.0.0"}, + {"name": "containers.podman", "version": ">=1.20.0"}, +] + + +def _render_container_images_role( + ctx: AnsibleManifestContext, + container_images_snapshot: Dict[str, Any], +) -> Optional[str]: + raw_images = container_images_snapshot.get("images", []) or [] + if not container_images_snapshot and not raw_images: + return + + arole = AnsibleRole(container_images_snapshot.get("role_name", "container_images")) + arole.add_container_images_snapshot(container_images_snapshot) + if not arole.container_images and not arole.notes: + return + + _ensure_requirements_yaml( + os.path.join(ctx.out_dir, "requirements.yml"), _CONTAINER_COLLECTIONS + ) + + vars_map = {"container_images": arole.container_images} + tasks = """--- + +- name: Pull Docker images by immutable registry digest + community.docker.docker_image_pull: + name: "{{ item.pull_ref }}" + pull: not_present + platform: "{{ item.platform | default(omit, true) }}" + loop: "{{ container_images | default([]) | selectattr('engine', 'equalto', 'docker') | selectattr('pull_ref') | list }}" + when: + - item.pull_ref | default('', true) | length > 0 + become: true + +- name: Tag Docker images with harvested tag aliases + community.docker.docker_image_tag: + name: "{{ item.0.pull_ref }}" + repository: + - "{{ item.1.ref }}" + loop: "{{ query('subelements', container_images | default([]) | selectattr('engine', 'equalto', 'docker') | selectattr('pull_ref') | list, 'tag_aliases', {'skip_missing': True}) }}" + when: + - item.0.pull_ref | default('', true) | length > 0 + - item.1.repository | default('', true) | length > 0 + - item.1.tag | default('', true) | length > 0 + become: true + +- name: Pull system Podman images by immutable registry digest + containers.podman.podman_image: + name: "{{ item.pull_ref }}" + state: present + force: false + platform: "{{ item.platform | default(omit, true) }}" + loop: "{{ container_images | default([]) | selectattr('engine', 'equalto', 'podman') | rejectattr('scope', 'equalto', 'user') | selectattr('pull_ref') | list }}" + when: + - item.pull_ref | default('', true) | length > 0 + become: true + +- name: Tag system Podman images with harvested tag aliases + containers.podman.podman_tag: + image: "{{ item.0.pull_ref }}" + target_names: + - "{{ item.1.ref }}" + loop: "{{ query('subelements', container_images | default([]) | selectattr('engine', 'equalto', 'podman') | rejectattr('scope', 'equalto', 'user') | selectattr('pull_ref') | list, 'tag_aliases', {'skip_missing': True}) }}" + when: + - item.0.pull_ref | default('', true) | length > 0 + - item.1.ref | default('', true) | length > 0 + become: true + +- name: Pull user Podman images by immutable registry digest + containers.podman.podman_image: + name: "{{ item.pull_ref }}" + state: present + force: false + platform: "{{ item.platform | default(omit, true) }}" + loop: "{{ container_images | default([]) | selectattr('engine', 'equalto', 'podman') | selectattr('scope', 'equalto', 'user') | selectattr('pull_ref') | list }}" + when: + - item.pull_ref | default('', true) | length > 0 + - item.user | default('', true) | length > 0 + become: true + become_user: "{{ item.user }}" + +- name: Tag user Podman images with harvested tag aliases + containers.podman.podman_tag: + image: "{{ item.0.pull_ref }}" + target_names: + - "{{ item.1.ref }}" + loop: "{{ query('subelements', container_images | default([]) | selectattr('engine', 'equalto', 'podman') | selectattr('scope', 'equalto', 'user') | selectattr('pull_ref') | list, 'tag_aliases', {'skip_missing': True}) }}" + when: + - item.0.pull_ref | default('', true) | length > 0 + - item.0.user | default('', true) | length > 0 + - item.1.ref | default('', true) | length > 0 + become: true + become_user: "{{ item.0.user }}" +""" + return _write_ansible_role( + ctx, + arole.role_name, + vars_map=vars_map, + site_defaults={"container_images": []}, + tasks=_render_role_tasks(arole, extra_tasks=tasks), + collections=["community.docker", "containers.podman"], + ) + + +# --- Desktop package role renderers --- +def _render_flatpak_role( + ctx: AnsibleManifestContext, + flatpak_snapshot: Dict[str, Any], +) -> Optional[str]: + if not flatpak_snapshot: + return + + arole = AnsibleRole(flatpak_snapshot.get("role_name", "flatpak")) + arole.add_flatpak_snapshot(flatpak_snapshot) + + _ensure_requirements_yaml(os.path.join(ctx.out_dir, "requirements.yml")) + vars_map = { + "flatpak_system_flatpaks": arole.flatpaks, + "flatpak_remotes": arole.flatpak_remotes, + } + tasks = """--- + +- name: Ensure system Flatpak remotes exist + ansible.builtin.command: + argv: + - flatpak + - remote-add + - --system + - --if-not-exists + - "{{ item.name }}" + - "{{ item.url }}" + loop: "{{ flatpak_remotes | default([]) }}" + when: + - item.name is defined + - item.url is defined + - item.url | length > 0 + become: true + changed_when: false + +- name: Install system-wide Flatpaks + community.general.flatpak: + name: + - "{{ item.name }}" + state: present + method: system + remote: "{{ item.remote | default(omit) }}" + from_url: "{{ item.from_url | default(omit) }}" + loop: "{{ flatpak_system_flatpaks | default([]) }}" + when: + - item.name is defined + - item.name | length > 0 + become: true +""" + return _write_ansible_role( + ctx, + arole.role_name, + vars_map=vars_map, + site_defaults={"flatpak_system_flatpaks": [], "flatpak_remotes": []}, + tasks=_render_role_tasks(arole, extra_tasks=tasks), + collections=["community.general"], + ) + + +def _render_snap_role( + ctx: AnsibleManifestContext, + snap_snapshot: Dict[str, Any], +) -> Optional[str]: + if not ( + snap_snapshot + and (snap_snapshot.get("system_snaps") or snap_snapshot.get("notes")) + ): + return + + arole = AnsibleRole(snap_snapshot.get("role_name", "snap")) + arole.add_snap_snapshot(snap_snapshot) + if not (arole.snaps or arole.notes): + return + + _ensure_requirements_yaml(os.path.join(ctx.out_dir, "requirements.yml")) + vars_map = {"snap_system_snaps": arole.snaps} + tasks = """--- + +- name: Install system-wide snaps with full detected attributes + community.general.snap: + name: + - "{{ item.name }}" + state: present + channel: "{{ item.channel | default(omit) if not (item.install_revision | default(false)) else omit }}" + revision: "{{ item.revision | default(omit) if (item.install_revision | default(false)) else omit }}" + classic: "{{ item.classic | default(false) }}" + devmode: "{{ item.devmode | default(false) }}" + dangerous: "{{ item.dangerous | default(false) }}" + loop: "{{ snap_system_snaps | default([]) }}" + when: + - item.name is defined + - item.name | length > 0 + become: true + register: _enroll_snap_full_results + ignore_errors: true + +- name: Install system-wide snaps with compatibility options + community.general.snap: + name: + - "{{ item.item.name }}" + state: present + channel: "{{ item.item.channel | default(omit) if not (item.item.install_revision | default(false)) else omit }}" + classic: "{{ item.item.classic | default(false) }}" + loop: "{{ (_enroll_snap_full_results | default({})).results | default([]) }}" + when: + - item.failed | default(false) + - item.item.name is defined + - item.item.name | length > 0 + become: true + register: _enroll_snap_compat_results + ignore_errors: true + +- name: Install system-wide snaps with minimal options + community.general.snap: + name: + - "{{ item.item.item.name }}" + state: present + loop: "{{ (_enroll_snap_compat_results | default({})).results | default([]) }}" + when: + - item.failed | default(false) + - item.item.item.name is defined + - item.item.item.name | length > 0 + become: true + ignore_errors: true +""" + return _write_ansible_role( + ctx, + arole.role_name, + vars_map=vars_map, + site_defaults={"snap_system_snaps": []}, + tasks=_render_role_tasks(arole, extra_tasks=tasks), + collections=["community.general"], + ) + + +# --- Managed-file role renderers --- +@dataclass(frozen=True) +class AnsibleManagedFileRoleSpec: + """Declarative managed-file singleton role rendering spec.""" + + key: str + default_role: str + category: str + notify_systemd: Optional[str] = None + handlers: str = "---\n" + include_dirs_when_empty: bool = False + + +_SYSTEMD_DAEMON_RELOAD_HANDLER = """--- +- name: Run systemd daemon-reload + ansible.builtin.systemd: + daemon_reload: true + no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}" + when: enroll_manage_systemd_runtime | default(true) | bool +""" + + +MANAGED_FILE_ROLE_SPECS: Tuple[AnsibleManagedFileRoleSpec, ...] = ( + AnsibleManagedFileRoleSpec( + key="apt_config", + default_role="apt_config", + category="apt_config", + ), + AnsibleManagedFileRoleSpec( + key="dnf_config", + default_role="dnf_config", + category="dnf_config", + ), + AnsibleManagedFileRoleSpec( + key="etc_custom", + default_role="etc_custom", + category="etc_custom", + notify_systemd="Run systemd daemon-reload", + handlers=_SYSTEMD_DAEMON_RELOAD_HANDLER, + ), + AnsibleManagedFileRoleSpec( + key="usr_local_custom", + default_role="usr_local_custom", + category="usr_local_custom", + ), + AnsibleManagedFileRoleSpec( + key="extra_paths", + default_role="extra_paths", + category="extra_paths", + include_dirs_when_empty=True, + ), +) + + +def _managed_file_role_has_resources( + snapshot: Dict[str, Any], spec: AnsibleManagedFileRoleSpec +) -> bool: + if not snapshot: + return False + if snapshot.get("managed_files"): + return True + return bool(spec.include_dirs_when_empty and snapshot.get("managed_dirs")) + + +def _write_managed_files_role_from_spec( + ctx: AnsibleManifestContext, + snapshot: Dict[str, Any], + spec: AnsibleManagedFileRoleSpec, +) -> str: + role = _write_managed_files_role( + snapshot=snapshot, + default_role=spec.default_role, + bundle_dir=ctx.bundle_dir, + roles_root=ctx.roles_root, + out_dir=ctx.out_dir, + fqdn=ctx.fqdn, + site_mode=ctx.site_mode, + jt_exe=ctx.jt_exe, + jt_enabled=ctx.jt_enabled, + notify_systemd=spec.notify_systemd, + handlers=spec.handlers, + ) + return role + + +def _write_managed_files_role( + *, + snapshot: Dict[str, Any], + default_role: str, + bundle_dir: str, + roles_root: str, + out_dir: str, + fqdn: Optional[str], + site_mode: bool, + jt_exe: Optional[str], + jt_enabled: bool, + notify_systemd: Optional[str], + handlers: str, +) -> str: + """Render an Ansible role whose main purpose is managed files/dirs. + + This covers apt_config, dnf_config, etc_custom, usr_local_custom, and + extra_paths. Their harvested state shape is the same; only optional + handlers differ. + """ + + role = snapshot.get("role_name", default_role) + role_dir = os.path.join(roles_root, role) + _write_role_scaffold(role_dir) + + var_prefix = role + managed_files = snapshot.get("managed_files", []) or [] + managed_dirs = snapshot.get("managed_dirs", []) or [] + templated, jt_vars = _jinjify_managed_files( + bundle_dir, + role, + os.path.join(role_dir, "templates"), + managed_files, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not site_mode, + ) + + if site_mode: + _copy_artifacts( + bundle_dir, + role, + _host_role_files_dir(out_dir, fqdn or "", role), + exclude_rels=templated, + ) + else: + _copy_artifacts( + bundle_dir, + role, + os.path.join(role_dir, "files"), + exclude_rels=templated, + ) + + files_var = _build_managed_files_var( + managed_files, + templated, + notify_other=None, + notify_systemd=notify_systemd, + ) + dirs_var = _build_managed_dirs_var(managed_dirs) + + jt_map = yaml_load_mapping(jt_vars) if jt_vars.strip() else {} + vars_map: Dict[str, Any] = { + f"{var_prefix}_managed_files": files_var, + f"{var_prefix}_managed_dirs": dirs_var, + } + vars_map = _merge_mappings_overwrite(vars_map, jt_map) + + if site_mode: + _write_role_defaults( + role_dir, + {f"{var_prefix}_managed_files": [], f"{var_prefix}_managed_dirs": []}, + ) + _write_hostvars(out_dir, fqdn or "", role, vars_map) + else: + _write_role_defaults(role_dir, vars_map) + + tasks = _render_role_tasks(AnsibleRole(role), managed_content=True) + with open(os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8") as f: + f.write(tasks.rstrip() + "\n") + + with open( + os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" + ) as f: + f.write(handlers.rstrip() + "\n") + + with open(os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8") as f: + f.write("---\ndependencies: []\n") + + return role + + +def _render_managed_file_roles( + ctx: AnsibleManifestContext, + roles: Dict[str, Any], +) -> Dict[str, str]: + """Render file-centric singleton roles.""" + + rendered_roles: Dict[str, str] = {} + for spec in MANAGED_FILE_ROLE_SPECS: + snapshot = roles.get(spec.key, {}) + if not isinstance(snapshot, dict): + continue + if not _managed_file_role_has_resources(snapshot, spec): + continue + rendered_roles[spec.category] = _write_managed_files_role_from_spec( + ctx, snapshot, spec + ) + return rendered_roles + + +# --- Package and service role renderers --- +def _role_managed_content_vars( + ctx: AnsibleManifestContext, + role: str, + entries: List[Dict[str, Any]], + *, + notify_by_kind: Optional[Dict[str, Optional[str]]] = None, + notify_service_handlers: bool = False, + overwrite_templates: bool, +) -> Tuple[ + List[Dict[str, Any]], + List[Dict[str, Any]], + List[Dict[str, Any]], + Dict[str, Any], +]: + role_dir = os.path.join(ctx.roles_root, role) + files_var: List[Dict[str, Any]] = [] + dirs_var: List[Dict[str, Any]] = [] + links_var: List[Dict[str, Any]] = [] + jt_combined: Dict[str, Any] = {} + seen_files: Set[Tuple[Any, Any, Any]] = set() + seen_dirs: Set[Tuple[Any, Any, Any, Any]] = set() + seen_links: Set[Tuple[Any, Any]] = set() + service_units_by_package = CMModule.active_service_units_by_package(entries) + + for entry in entries: + kind = str(entry.get("kind") or "package") + snap = entry.get("snapshot") or {} + source_role = str(snap.get("role_name") or "") + managed_files = snap.get("managed_files", []) or [] + managed_dirs = snap.get("managed_dirs", []) or [] + managed_links = snap.get("managed_links", []) or [] + + templated: Set[str] = set() + jt_vars = "" + if managed_files and source_role: + templated, jt_vars = _jinjify_managed_files( + ctx.bundle_dir, + source_role, + os.path.join(role_dir, "templates"), + managed_files, + jt_exe=ctx.jt_exe, + jt_enabled=ctx.jt_enabled, + overwrite_templates=overwrite_templates, + ) + _copy_role_artifacts(ctx, role, source_role, exclude_rels=templated) + + notify_other = (notify_by_kind or {}).get(kind) + if notify_service_handlers and kind == "service": + unit = str(snap.get("unit") or "").strip() + if unit and str(snap.get("active_state") or "") == "active": + notify_other = _service_restart_handler_name(unit) + else: + notify_other = None + elif notify_service_handlers and kind == "package": + notify_other = [ + _service_restart_handler_name(unit) + for unit in CMModule.active_service_units_for_package_snapshot( + snap, service_units_by_package + ) + ] + + for item in _build_managed_files_var( + managed_files, + templated, + notify_other=notify_other, + notify_systemd="Run systemd daemon-reload", + ): + key = (item.get("dest"), item.get("src_rel"), item.get("kind")) + if key not in seen_files: + seen_files.add(key) + files_var.append(item) + + for item in _build_managed_dirs_var(managed_dirs): + key = ( + item.get("dest"), + item.get("owner"), + item.get("group"), + item.get("mode"), + ) + if key not in seen_dirs: + seen_dirs.add(key) + dirs_var.append(item) + + for item in _build_managed_links_var(managed_links): + key = (item.get("dest"), item.get("src")) + if key not in seen_links: + seen_links.add(key) + links_var.append(item) + + jt_map = yaml_load_mapping(jt_vars) if jt_vars.strip() else {} + jt_combined = _merge_mappings_overwrite(jt_combined, jt_map) + + return ( + sorted(files_var, key=lambda item: str(item.get("dest") or "")), + sorted(dirs_var, key=lambda item: str(item.get("dest") or "")), + sorted(links_var, key=lambda item: str(item.get("dest") or "")), + jt_combined, + ) + + +def _resource_role_vars( + role: AnsibleRole, + *, + files_var: List[Dict[str, Any]], + dirs_var: List[Dict[str, Any]], + links_var: List[Dict[str, Any]], + extra_vars: Optional[Dict[str, Any]] = None, + jt_vars: Optional[Dict[str, Any]] = None, +) -> Dict[str, Any]: + var_prefix = role.var_prefix + vars_map: Dict[str, Any] = { + f"{var_prefix}_packages": role.sorted_packages, + f"{var_prefix}_managed_files": files_var, + f"{var_prefix}_managed_dirs": dirs_var, + f"{var_prefix}_managed_links": links_var, + } + if extra_vars: + vars_map.update(extra_vars) + return _merge_mappings_overwrite(vars_map, jt_vars or {}) + + +def _resource_role_site_defaults( + var_prefix: str, + *, + extra_defaults: Optional[Dict[str, Any]] = None, +) -> Dict[str, Any]: + defaults: Dict[str, Any] = { + f"{var_prefix}_packages": [], + f"{var_prefix}_managed_files": [], + f"{var_prefix}_managed_dirs": [], + f"{var_prefix}_managed_links": [], + } + if extra_defaults: + defaults.update(extra_defaults) + return defaults + + +def _single_service_extra_vars(role: AnsibleRole) -> Dict[str, Any]: + var_prefix = role.var_prefix + unit = next(iter(role.services), "") + unit_state = role.services.get(unit, {}) + return { + f"{var_prefix}_unit_name": unit, + f"{var_prefix}_manage_unit": bool(unit), + f"{var_prefix}_systemd_enabled": bool(unit_state.get("enabled")), + f"{var_prefix}_systemd_state": str(unit_state.get("state") or "stopped"), + } + + +def _single_service_site_defaults(var_prefix: str, unit: str) -> Dict[str, Any]: + return { + f"{var_prefix}_unit_name": unit, + f"{var_prefix}_manage_unit": False, + f"{var_prefix}_systemd_enabled": False, + f"{var_prefix}_systemd_state": "stopped", + } + + +def _write_resource_ansible_role( + ctx: AnsibleManifestContext, + role: AnsibleRole, + *, + notify_by_kind: Dict[str, Optional[str]], + overwrite_templates: bool, + extra_vars: Optional[Dict[str, Any]] = None, + site_defaults: Optional[Dict[str, Any]] = None, + single_service: bool = False, + grouped_services: bool = False, + restart_grouped_services: bool = False, + notify_service_handlers: bool = False, + systemd_reload: bool = False, +) -> str: + files_var, dirs_var, links_var, jt_vars = _role_managed_content_vars( + ctx, + role.role_name, + role.entries, + notify_by_kind=notify_by_kind, + notify_service_handlers=notify_service_handlers, + overwrite_templates=overwrite_templates, + ) + vars_map = _resource_role_vars( + role, + files_var=files_var, + dirs_var=dirs_var, + links_var=links_var, + extra_vars=extra_vars, + jt_vars=jt_vars, + ) + return _write_ansible_role( + ctx, + role.role_name, + vars_map=vars_map, + site_defaults=site_defaults, + tasks=_render_role_tasks( + role, + packages=True, + managed_content=True, + single_service=single_service, + grouped_services=grouped_services, + ), + handlers=_render_role_handlers( + role, + systemd_reload=systemd_reload, + single_service=single_service, + grouped_services=grouped_services, + restart_grouped_services=restart_grouped_services, + ), + ) + + +def _render_service_roles( + ctx: AnsibleManifestContext, + services_to_manifest: List[Dict[str, Any]], +) -> List[str]: + rendered_roles: List[str] = [] + for svc in services_to_manifest: + source_role = str(svc.get("role_name") or svc.get("unit") or "service") + role_name = avoid_reserved_role_name(source_role, prefix="service") + role = AnsibleRole(role_name) + role.add_service_snapshot(svc) + var_prefix = role.var_prefix + unit = next(iter(role.services), str(svc.get("unit") or "")) + _write_resource_ansible_role( + ctx, + role, + notify_by_kind={"service": "Restart service"}, + overwrite_templates=not ctx.site_mode, + extra_vars=_single_service_extra_vars(role), + site_defaults=_resource_role_site_defaults( + var_prefix, + extra_defaults=_single_service_site_defaults(var_prefix, unit), + ), + single_service=True, + ) + _add_role(rendered_roles, role.role_name) + return rendered_roles + + +def _render_common_ansible_roles( + ctx: AnsibleManifestContext, + common_role_groups: Dict[str, List[Dict[str, Any]]], + package_roles: List[Dict[str, Any]], + occupied_role_names: Set[str], +) -> Tuple[List[str], List[str]]: + rendered_roles: List[str] = [] + common_tail_roles: List[str] = [] + occupied_roles: Set[str] = set(occupied_role_names) + for pr in package_roles: + occupied_roles.add( + avoid_reserved_role_name(str(pr.get("role_name") or ""), prefix="package") + ) + + for section_label, entries in sorted(common_role_groups.items()): + role_name = _section_role_name(section_label, occupied_roles) + role = AnsibleRole( + role_name, + var_prefix=role_name, + section_label=section_label, + grouped=True, + ) + for entry in entries: + snap = entry.get("snapshot") or {} + if (entry.get("kind") or "package") == "service": + role.add_service_snapshot(snap) + else: + role.add_package_snapshot(snap) + + systemd_units = role.systemd_units_var + if {"cron", "logrotate"}.intersection(role.packages): + common_tail_roles.append(role.role_name) + + _write_resource_ansible_role( + ctx, + role, + notify_by_kind={"service": None}, + overwrite_templates=True, + extra_vars={f"{role.var_prefix}_systemd_units": systemd_units}, + grouped_services=True, + restart_grouped_services=True, + notify_service_handlers=True, + ) + _add_role(rendered_roles, role.role_name) + + return rendered_roles, common_tail_roles + + +def _render_package_roles( + ctx: AnsibleManifestContext, + package_roles: List[Dict[str, Any]], +) -> List[str]: + rendered_roles: List[str] = [] + for pr in package_roles: + source_role = str(pr.get("role_name") or pr.get("package") or "package") + role_name = avoid_reserved_role_name(source_role, prefix="package") + role = AnsibleRole(role_name) + role.add_package_snapshot(pr) + _write_resource_ansible_role( + ctx, + role, + notify_by_kind={"package": None}, + overwrite_templates=not ctx.site_mode, + site_defaults=_resource_role_site_defaults(role.var_prefix), + systemd_reload=True, + ) + _add_role(rendered_roles, role.role_name) + return rendered_roles + + +# --- Runtime state role renderers --- +def _render_sysctl_role( + ctx: AnsibleManifestContext, + sysctl_snapshot: Dict[str, Any], +) -> Optional[str]: + if not (sysctl_snapshot and (sysctl_snapshot.get("managed_files") or [])): + return + + role = sysctl_snapshot.get("role_name", "sysctl") + managed_files = sysctl_snapshot.get("managed_files", []) or [] + conf_src_rel = "" + for mf in managed_files: + if mf.get("path") == "/etc/sysctl.d/99-enroll.conf": + conf_src_rel = mf.get("src_rel") or "" + break + if not conf_src_rel and managed_files: + conf_src_rel = managed_files[0].get("src_rel") or "" + + _write_role_scaffold(os.path.join(ctx.roles_root, role)) + _copy_role_artifacts(ctx, role, role) + + var_prefix = role + vars_map: Dict[str, Any] = { + f"{var_prefix}_conf_src_rel": conf_src_rel, + f"{var_prefix}_apply": True, + f"{var_prefix}_ignore_apply_errors": True, + } + return _write_ansible_role( + ctx, + role, + vars_map=vars_map, + site_defaults={ + f"{var_prefix}_conf_src_rel": "", + f"{var_prefix}_apply": True, + f"{var_prefix}_ignore_apply_errors": True, + }, + tasks=_render_role_tasks(AnsibleRole(role), sysctl=True), + handlers=_render_role_handlers(AnsibleRole(role), sysctl=True), + ) + + +def _render_enroll_runtime_role(ctx: AnsibleManifestContext) -> str: + tasks = """--- +- name: Ensure Enroll runtime directory exists + ansible.builtin.file: + path: /etc/enroll + state: directory + owner: root + group: root + mode: "0750" +""" + return _write_ansible_role( + ctx, + "enroll_runtime", + tasks=_render_role_tasks(AnsibleRole("enroll_runtime"), extra_tasks=tasks), + ) + + +def _render_firewall_runtime_role( + ctx: AnsibleManifestContext, + firewall_runtime_snapshot: Dict[str, Any], +) -> Optional[str]: + role = firewall_runtime_snapshot.get("role_name", "firewall_runtime") + arole = AnsibleRole(role) + if not arole.firewall_runtime_snapshot_has_artifacts(firewall_runtime_snapshot): + return + arole.add_firewall_runtime_snapshot(firewall_runtime_snapshot) + _write_role_scaffold(os.path.join(ctx.roles_root, role)) + _copy_role_artifacts(ctx, role, role) + + var_prefix = role + packages = list(arole.package_names_from_snapshot(firewall_runtime_snapshot)) + refs = arole.firewall_runtime + ipset_save = refs.get("ipset_save", "") + ipset_sets = refs.get("ipset_sets", []) or [] + iptables_v4_save = refs.get("iptables_v4_save", "") + iptables_v6_save = refs.get("iptables_v6_save", "") + vars_map: Dict[str, Any] = { + f"{var_prefix}_packages": packages, + f"{var_prefix}_ipset_save": ipset_save, + f"{var_prefix}_ipset_sets": ipset_sets, + f"{var_prefix}_iptables_v4_save": iptables_v4_save, + f"{var_prefix}_iptables_v6_save": iptables_v6_save, + f"{var_prefix}_sync_ipsets_exact": True, + f"{var_prefix}_restore_iptables": True, + } + return _write_ansible_role( + ctx, + role, + vars_map=vars_map, + site_defaults={ + f"{var_prefix}_packages": [], + f"{var_prefix}_ipset_save": "", + f"{var_prefix}_ipset_sets": [], + f"{var_prefix}_iptables_v4_save": "", + f"{var_prefix}_iptables_v6_save": "", + f"{var_prefix}_sync_ipsets_exact": True, + f"{var_prefix}_restore_iptables": True, + }, + tasks=_render_role_tasks(arole, packages=True, firewall_runtime=True), + handlers=_render_role_handlers(arole, firewall_runtime=True), + ) + + +# --- User role renderer --- +def _render_users_role( + ctx: AnsibleManifestContext, + users_snapshot: Dict[str, Any], +) -> Optional[str]: + if not users_snapshot: + return + + role = users_snapshot.get("role_name", "users") + arole = AnsibleRole(role) + arole.add_users_snapshot(users_snapshot) + + _write_role_scaffold(os.path.join(ctx.roles_root, role)) + _copy_role_artifacts(ctx, role, role) + + users_needs_community = bool(arole.flatpak_remotes or arole.flatpaks) + if users_needs_community: + _ensure_requirements_yaml(os.path.join(ctx.out_dir, "requirements.yml")) + + vars_map = { + "users_groups": arole.users_groups, + "users_users": arole.users_data, + "users_ssh_dirs": arole.users_ssh_dirs, + "users_ssh_files": arole.users_ssh_files, + "users_flatpaks": arole.flatpaks, + "users_flatpak_remotes": arole.flatpak_remotes, + } + + users_tasks = """--- + +- name: Ensure groups exist + ansible.builtin.group: + name: "{{ item }}" + state: present + loop: "{{ users_groups | default([]) }}" + +- name: Ensure users exist + ansible.builtin.user: + name: "{{ item.name }}" + uid: "{{ item.uid | default(omit) }}" + group: "{{ item.primary_group }}" + home: "{{ item.home }}" + create_home: true + shell: "{{ item.shell | default(omit) }}" + comment: "{{ item.gecos | default(omit) }}" + state: present + loop: "{{ users_users | default([]) }}" + +- name: Ensure users supplementary groups + ansible.builtin.user: + name: "{{ item.name }}" + groups: "{{ item.supplementary_groups | default([]) | join(',') }}" + append: true + loop: "{{ users_users | default([]) }}" + when: (item.supplementary_groups | default([])) | length > 0 + +- name: Ensure .ssh directories exist for managed SSH files + ansible.builtin.file: + path: "{{ item.dest }}" + state: directory + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop: "{{ users_ssh_dirs | default([]) }}" + +- name: Deploy user-managed files + vars: + _enroll_ff: + files: + - "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/{{ role_name }}/.files/{{ item.src_rel }}" + - "{{ role_path }}/files/{{ item.src_rel }}" + ansible.builtin.copy: + src: "{{ lookup('ansible.builtin.first_found', _enroll_ff) }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + loop: "{{ users_ssh_files | default([]) }}" +""" + + if users_needs_community: + users_tasks += """ +- name: Ensure user Flatpak remotes exist + ansible.builtin.command: + argv: + - flatpak + - remote-add + - --user + - --if-not-exists + - "{{ item.name }}" + - "{{ item.url }}" + loop: "{{ users_flatpak_remotes | default([]) | selectattr('method', 'equalto', 'user') | list }}" + when: + - item.name is defined + - item.url is defined + - item.url | length > 0 + - item.user is defined + become: true + become_user: "{{ item.user }}" + environment: + HOME: "{{ item.home | default('/home/' ~ item.user, true) }}" + XDG_DATA_HOME: "{{ (item.home | default('/home/' ~ item.user, true)) ~ '/.local/share' }}" + changed_when: false + +- name: Install user Flatpaks + community.general.flatpak: + name: + - "{{ item.name }}" + state: present + method: user + remote: "{{ item.remote | default(omit) }}" + from_url: "{{ item.from_url | default(omit) }}" + loop: "{{ users_flatpaks | default([]) }}" + when: + - item.name is defined + - item.name | length > 0 + - item.user is defined + become: true + become_user: "{{ item.user }}" + environment: + HOME: "{{ item.home | default('/home/' ~ item.user, true) }}" + XDG_DATA_HOME: "{{ (item.home | default('/home/' ~ item.user, true)) ~ '/.local/share' }}" +""" + + return _write_ansible_role( + ctx, + role, + vars_map=vars_map, + site_defaults={ + "users_groups": [], + "users_users": [], + "users_ssh_dirs": [], + "users_ssh_files": [], + "users_flatpaks": [], + "users_flatpak_remotes": [], + }, + tasks=_render_role_tasks(arole, extra_tasks=users_tasks), + collections=["community.general"] if users_needs_community else None, + ) + + +class AnsibleManifestRenderer: + """Render Ansible roles and playbook from a harvest bundle.""" + + def __init__( + self, + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str] = None, + jinjaturtle: str = "auto", + no_common_roles: bool = False, + ) -> None: + self.bundle_dir = bundle_dir + self.out_dir = out_dir + self.fqdn = fqdn + self.jinjaturtle = jinjaturtle + self.no_common_roles = no_common_roles + + def render(self) -> None: + state = AnsibleRole.load_state(self.bundle_dir) + roles = roles_from_state(state) + inventory_packages = inventory_packages_from_state(state) + + ctx = _prepare_ansible_context( + self.bundle_dir, + self.out_dir, + fqdn=self.fqdn, + jinjaturtle=self.jinjaturtle, + ) + _write_site_scaffold(ctx) + + use_common_roles = (not ctx.site_mode) and (not self.no_common_roles) + services_to_manifest, package_roles, common_role_groups = ( + _collect_ansible_roles( + roles, + inventory_packages, + use_common_roles=use_common_roles, + ) + ) + + # Render the concrete roles, then derive playbook order from the role + # names actually written. + managed_roles = _render_managed_file_roles(ctx, roles) + users_role = _render_users_role(ctx, roles.get("users", {})) + flatpak_role = _render_flatpak_role(ctx, roles.get("flatpak", {})) + snap_role = _render_snap_role(ctx, roles.get("snap", {})) + container_role = _render_container_images_role( + ctx, roles.get("container_images", {}) + ) + sysctl_role = _render_sysctl_role(ctx, roles.get("sysctl", {})) + firewall_role = _render_firewall_runtime_role( + ctx, roles.get("firewall_runtime", {}) + ) + enroll_runtime_role = ( + _render_enroll_runtime_role(ctx) if firewall_role else None + ) + service_roles = _render_service_roles(ctx, services_to_manifest) + + occupied_role_names = set(managed_roles.values()) + for role in ( + users_role, + flatpak_role, + snap_role, + container_role, + sysctl_role, + firewall_role, + enroll_runtime_role, + ): + if role: + occupied_role_names.add(role) + occupied_role_names.update(service_roles) + + common_roles, common_tail_roles = _render_common_ansible_roles( + ctx, common_role_groups, package_roles, occupied_role_names + ) + standalone_package_roles = _render_package_roles(ctx, package_roles) + + rendered_roles: List[str] = [] + for category in ("apt_config", "dnf_config"): + _add_role(rendered_roles, managed_roles.get(category)) + _add_roles(rendered_roles, common_roles) + _add_roles(rendered_roles, standalone_package_roles) + _add_roles(rendered_roles, service_roles) + for category in ("etc_custom", "usr_local_custom", "extra_paths"): + _add_role(rendered_roles, managed_roles.get(category)) + for role in (flatpak_role, snap_role, container_role, users_role): + _add_role(rendered_roles, role) + + # Keep the old safety rule without a plan class: packages that restore + # per-user cron/logrotate state should run after the users role. + ordered_roles = _ordered_playbook_roles( + rendered_roles, ["cron", "logrotate"] + common_tail_roles + ) + for role in (enroll_runtime_role, sysctl_role, firewall_role): + _add_role(ordered_roles, role) + + _write_manifest_playbook(ctx, ordered_roles) + Path(ctx.out_dir, "README.md").write_text( + _render_readme(state, ordered_roles, fqdn=ctx.fqdn), + encoding="utf-8", + ) + + +def manifest_from_bundle_dir( + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str] = None, + jinjaturtle: str = "auto", + no_common_roles: bool = False, +) -> None: + AnsibleManifestRenderer( + bundle_dir, + out_dir, + fqdn=fqdn, + jinjaturtle=jinjaturtle, + no_common_roles=no_common_roles, + ).render() diff --git a/enroll/cache.py b/enroll/cache.py index 1dc656b..3a53b87 100644 --- a/enroll/cache.py +++ b/enroll/cache.py @@ -8,6 +8,8 @@ from datetime import datetime from pathlib import Path from typing import Optional +from .harvest_safety import OutputSafetyError, ensure_private_dir + def _safe_component(s: str) -> str: s = s.strip() @@ -44,16 +46,17 @@ class HarvestCache: def _ensure_dir_secure(path: Path) -> None: - """Create a directory with restrictive permissions; refuse symlinks.""" - # Refuse a symlink at the leaf. - if path.exists() and path.is_symlink(): - raise RuntimeError(f"Refusing to use symlink path: {path}") - path.mkdir(parents=True, exist_ok=True, mode=0o700) + """Create a private cache directory with output-path safety checks. + + Cache roots are persistent, so existing directories are allowed, but they + still need the same symlink-component and root-parent trust checks as + plaintext harvest/manifest output paths. + """ + try: - os.chmod(path, 0o700) - except OSError: - # Best-effort; on some FS types chmod may fail. - pass + ensure_private_dir(path, label="cache directory") + except OutputSafetyError as e: + raise RuntimeError(str(e)) from e def new_harvest_cache_dir(*, hint: Optional[str] = None) -> HarvestCache: diff --git a/enroll/capture.py b/enroll/capture.py new file mode 100644 index 0000000..66065e6 --- /dev/null +++ b/enroll/capture.py @@ -0,0 +1,343 @@ +from __future__ import annotations + +import os +import errno +import stat +from typing import List, Optional, Set + +from .fsutil import open_no_follow_path, stat_triplet, stat_triplet_from_stat +from .harvest_types import ExcludedFile, ManagedFile, ManagedLink +from .ignore import IgnorePolicy +from .pathfilter import PathFilter + + +def files_differ(a: str, b: str, *, max_bytes: int = 2_000_000) -> bool: + """Return True if file ``a`` differs from file ``b``. + + Best-effort and conservative: unreadable/missing baselines, non-regular + files, and unexpectedly large files are treated as different so callers err + on the side of preserving user state. + """ + + try: + st_a = os.stat(a, follow_symlinks=True) + except OSError: + return True + + if not stat.S_ISREG(st_a.st_mode): + return True + + try: + st_b = os.stat(b, follow_symlinks=True) + except OSError: + return True + + if not stat.S_ISREG(st_b.st_mode): + return True + + if st_a.st_size != st_b.st_size: + return True + + if st_a.st_size > max_bytes: + return True + + try: + with open(a, "rb") as fa, open(b, "rb") as fb: + while True: + ca = fa.read(1024 * 64) + cb = fb.read(1024 * 64) + if ca != cb: + return True + if not ca: + return False + except OSError: + return True + + +def _open_no_follow_write(path: str, mode: int = 0o600) -> int: + return open_no_follow_path(path, write=True, mode=mode) + + +def write_bytes_into_bundle( + bundle_dir: str, role_name: str, src_rel: str, data: bytes +) -> None: + dst = os.path.join(bundle_dir, "artifacts", role_name, src_rel) + os.makedirs(os.path.dirname(dst), exist_ok=True) + + fd = -1 + try: + fd = _open_no_follow_write(dst, 0o600) + with os.fdopen(fd, "wb") as f: + fd = -1 + f.write(data) + try: + os.chmod(dst, 0o600) + except OSError: + pass + finally: + if fd >= 0: + os.close(fd) + + +def copy_into_bundle( + bundle_dir: str, role_name: str, abs_path: str, src_rel: str +) -> None: + """Legacy safe copy helper used by tests and non-IgnorePolicy callers. + + Real harvests using IgnorePolicy copy the exact bytes read from the safely + opened source file in capture_file(). This helper still refuses source + symlinks at copy time and refuses destination symlink overwrites. + """ + + fd = -1 + try: + try: + fd = open_no_follow_path(abs_path) + except OSError as e: + if e.errno in {errno.ELOOP, errno.ENOTDIR}: + raise OSError("refusing to copy symlink source") from e + raise + st = os.fstat(fd) + if not stat.S_ISREG(st.st_mode): + raise OSError("refusing to copy non-regular source") + chunks: list[bytes] = [] + while True: + chunk = os.read(fd, 1024 * 1024) + if not chunk: + break + chunks.append(chunk) + write_bytes_into_bundle(bundle_dir, role_name, src_rel, b"".join(chunks)) + finally: + if fd >= 0: + os.close(fd) + + +def capture_file( + *, + bundle_dir: str, + role_name: str, + abs_path: str, + reason: str, + policy: IgnorePolicy, + path_filter: PathFilter, + managed_out: List[ManagedFile], + excluded_out: List[ExcludedFile], + seen_role: Optional[Set[str]] = None, + seen_global: Optional[Set[str]] = None, + metadata: Optional[tuple[str, str, str]] = None, +) -> bool: + """Try to capture a single file into the bundle. + + Returns True if the file was copied and appended to ``managed_out``. + ``seen_role`` de-duplicates within a role; ``seen_global`` de-duplicates + across harvest stages so multiple generated roles do not manage one path. + """ + + if seen_global is not None and abs_path in seen_global: + return False + if seen_role is not None and abs_path in seen_role: + return False + + def _mark_seen() -> None: + if seen_role is not None: + seen_role.add(abs_path) + if seen_global is not None: + seen_global.add(abs_path) + + if path_filter.is_excluded(abs_path): + excluded_out.append(ExcludedFile(path=abs_path, reason="user_excluded")) + _mark_seen() + return False + + inspection = None + inspect_file = getattr(policy, "inspect_file", None) + if callable(inspect_file): + inspected = inspect_file(abs_path) + if isinstance(inspected, tuple) and len(inspected) == 2: + deny, inspection = inspected + else: + # Some tests and third-party callers use MagicMock/spec policies that + # expose inspect_file but have not configured it. Fall back to the + # legacy deny_reason/copy path for those non-real policies. + deny = policy.deny_reason(abs_path) + else: + deny = policy.deny_reason(abs_path) + if deny: + excluded_out.append(ExcludedFile(path=abs_path, reason=deny)) + _mark_seen() + return False + + try: + if metadata is not None: + owner, group, mode = metadata + elif inspection is not None: + owner, group, mode = stat_triplet_from_stat(inspection.stat_result) + else: + owner, group, mode = stat_triplet(abs_path) + except OSError: + excluded_out.append(ExcludedFile(path=abs_path, reason="unreadable")) + _mark_seen() + return False + + src_rel = abs_path.lstrip("/") + try: + if inspection is not None: + write_bytes_into_bundle(bundle_dir, role_name, src_rel, inspection.data) + else: + copy_into_bundle(bundle_dir, role_name, abs_path, src_rel) + except OSError: + excluded_out.append(ExcludedFile(path=abs_path, reason="unreadable")) + _mark_seen() + return False + + managed_out.append( + ManagedFile( + path=abs_path, + src_rel=src_rel, + owner=owner, + group=group, + mode=mode, + reason=reason, + ) + ) + _mark_seen() + return True + + +USER_SHELL_DOTFILES_WITH_SKEL_BASELINE = [ + (".bashrc", "user_shell_rc"), + (".profile", "user_profile"), + (".bash_logout", "user_shell_logout"), +] + +USER_SHELL_DOTFILES_WITHOUT_SKEL_BASELINE = [ + (".bash_aliases", "user_shell_aliases"), +] + + +def capture_user_shell_dotfiles( + *, + bundle_dir: str, + role_name: str, + home: str, + skel_dir: str, + enabled: bool, + policy: IgnorePolicy, + path_filter: PathFilter, + managed_out: List[ManagedFile], + excluded_out: List[ExcludedFile], + seen_role: Optional[Set[str]], + seen_global: Optional[Set[str]], +) -> int: + """Capture selected per-user shell dotfiles when explicitly enabled.""" + + if not enabled: + return 0 + + home = (home or "").rstrip("/") + if not home or not home.startswith("/"): + return 0 + + captured = 0 + max_compare_bytes = int(getattr(policy, "max_file_bytes", 256_000)) + + for rel, reason in USER_SHELL_DOTFILES_WITH_SKEL_BASELINE: + upath = os.path.join(home, rel) + if not os.path.isfile(upath) or os.path.islink(upath): + continue + skel_path = os.path.join(skel_dir, rel) + if not files_differ(upath, skel_path, max_bytes=max_compare_bytes): + continue + if capture_file( + bundle_dir=bundle_dir, + role_name=role_name, + abs_path=upath, + reason=reason, + policy=policy, + path_filter=path_filter, + managed_out=managed_out, + excluded_out=excluded_out, + seen_role=seen_role, + seen_global=seen_global, + ): + captured += 1 + + for rel, reason in USER_SHELL_DOTFILES_WITHOUT_SKEL_BASELINE: + upath = os.path.join(home, rel) + if not os.path.isfile(upath) or os.path.islink(upath): + continue + if capture_file( + bundle_dir=bundle_dir, + role_name=role_name, + abs_path=upath, + reason=reason, + policy=policy, + path_filter=path_filter, + managed_out=managed_out, + excluded_out=excluded_out, + seen_role=seen_role, + seen_global=seen_global, + ): + captured += 1 + + return captured + + +def capture_link( + *, + role_name: str, + abs_path: str, + reason: str, + policy: IgnorePolicy, + path_filter: PathFilter, + managed_out: List[ManagedLink], + excluded_out: List[ExcludedFile], + seen_role: Optional[Set[str]] = None, + seen_global: Optional[Set[str]] = None, +) -> bool: + """Record a symlink for later materialisation by the manifest renderer.""" + + if seen_global is not None and abs_path in seen_global: + return False + if seen_role is not None and abs_path in seen_role: + return False + + def _mark_seen() -> None: + if seen_role is not None: + seen_role.add(abs_path) + if seen_global is not None: + seen_global.add(abs_path) + + if path_filter.is_excluded(abs_path): + excluded_out.append(ExcludedFile(path=abs_path, reason="user_excluded")) + _mark_seen() + return False + + deny_link = getattr(policy, "deny_reason_link", None) + if callable(deny_link): + deny = deny_link(abs_path) + else: + deny = policy.deny_reason(abs_path) + if deny in ("not_regular_file", "not_file", "not_regular"): + deny = None + + if deny: + excluded_out.append(ExcludedFile(path=abs_path, reason=deny)) + _mark_seen() + return False + + if not os.path.islink(abs_path): + excluded_out.append(ExcludedFile(path=abs_path, reason="not_symlink")) + _mark_seen() + return False + + try: + target = os.readlink(abs_path) + except OSError: + excluded_out.append(ExcludedFile(path=abs_path, reason="unreadable")) + _mark_seen() + return False + + managed_out.append(ManagedLink(path=abs_path, target=target, reason=reason)) + _mark_seen() + return True diff --git a/enroll/cli.py b/enroll/cli.py index 44de047..24c8593 100644 --- a/enroll/cli.py +++ b/enroll/cli.py @@ -4,6 +4,7 @@ import argparse import configparser import json import os +import stat import sys import tarfile import tempfile @@ -21,6 +22,7 @@ from .diff import ( ) from .explain import explain_state from .harvest import harvest +from .harvest_safety import ensure_safe_output_parent, write_text_output_file from .manifest import manifest from .remote import ( remote_harvest, @@ -39,8 +41,10 @@ def _discover_config_path(argv: list[str]) -> Optional[Path]: 1) --no-config disables loading. 2) --config PATH (or -c PATH) 3) $ENROLL_CONFIG - 4) ./enroll.ini, ./.enroll.ini - 5) $XDG_CONFIG_HOME/enroll/enroll.ini (or ~/.config/enroll/enroll.ini) + 4) $XDG_CONFIG_HOME/enroll/enroll.ini (or ~/.config/enroll/enroll.ini) + + Current-directory config files are deliberately not auto-loaded; use + --config ./enroll.ini if that behaviour is desired. The config file is optional; if no file is found, returns None. """ @@ -66,12 +70,6 @@ def _discover_config_path(argv: list[str]) -> Optional[Path]: if envp: return Path(envp).expanduser() - cwd = Path.cwd() - for name in ("enroll.ini", ".enroll.ini"): - cp = cwd / name - if cp.exists() and cp.is_file(): - return cp - xdg = os.environ.get("XDG_CONFIG_HOME") if xdg: base = Path(xdg).expanduser() @@ -115,6 +113,15 @@ def _action_lookup(p: argparse.ArgumentParser) -> dict[str, argparse.Action]: return m +def _warn_dangerous_harvest(*, sops_enabled: bool) -> None: + if not sops_enabled: + print( + "warning: --dangerous is enabled. The harvest may contain sensitive " + "files, credentials, private keys, tokens, or application secrets. " + "Consider using --sops to encrypt the harvest at rest." + ) + + def _choose_flag(a: argparse.Action) -> Optional[str]: # Prefer a long flag if available (e.g. --dangerous over -d) for s in getattr(a, "option_strings", []) or []: @@ -138,6 +145,149 @@ def _split_list_value(v: str) -> list[str]: return [raw] if raw else [] +def _root_trust_reason(path: Path, *, final: bool) -> Optional[str]: + """Return why a PATH directory/ancestor is unsafe for root execution.""" + + running_as_root = _is_effective_root() + if not final and not running_as_root: + return None + try: + st = os.stat(path) + except OSError: + return None + if not stat.S_ISDIR(st.st_mode): + return None + + subject = "directory" if final else "parent directory" + if running_as_root and st.st_uid != 0: + return f"{subject} is not owned by root" + + writable_by_group = bool(st.st_mode & stat.S_IWGRP) + writable_by_other = bool(st.st_mode & stat.S_IWOTH) + sticky = bool(st.st_mode & stat.S_ISVTX) + + # A sticky shared ancestor such as /tmp may contain a root-owned PATH + # directory safely enough for this check, but the PATH entry itself must + # never be writable by group/other because that permits command planting. + if final or not sticky: + if writable_by_other: + return f"{subject} is world-writable" + if writable_by_group: + return f"{subject} is group-writable" + return None + + +def _root_parent_trust_reason(path: Path) -> Optional[str]: + """Check original and resolved PATH ancestors for root trust.""" + + if not _is_effective_root(): + return None + + candidates: list[Path] = [] + candidates.extend(reversed(path.parents)) + try: + resolved = path.resolve(strict=True) + except OSError: + resolved = None + if resolved is not None and resolved != path: + candidates.extend(reversed(resolved.parents)) + + seen: set[str] = set() + for parent in candidates: + key = str(parent) + if key in seen: + continue + seen.add(key) + reason = _root_trust_reason(parent, final=False) + if reason: + return f"{reason}: {parent}" + return None + + +def _path_entry_is_unsafe(entry: str) -> Optional[str]: + """Return a human-readable reason if a PATH entry is unsafe for root. + + Empty PATH entries and relative entries resolve via the current working + directory, which is equivalent to trusting whatever directory the operator + happens to be in. Existing group/world-writable directories are also risky + when Enroll is run as root because Enroll deliberately invokes host tools + from PATH while harvesting and enforcing state. When running as root, an + existing PATH directory must also be root-owned; a non-root-owned 0755 + directory is still attacker-controlled by its owner. + """ + + if entry == "": + return "empty PATH entry resolves to the current directory" + if entry == ".": + return "'.' resolves to the current directory" + if not os.path.isabs(entry): + return "relative PATH entry resolves from the current directory" + + p = Path(entry) + parent_reason = _root_parent_trust_reason(p) + if parent_reason: + return parent_reason + + try: + st = os.stat(entry) + except OSError: + return None + if not stat.S_ISDIR(st.st_mode): + return None + + final_reason = _root_trust_reason(p, final=True) + if final_reason: + return final_reason + return None + + +def _unsafe_root_path_reasons(path_value: Optional[str] = None) -> list[str]: + """Return unsafe PATH entries that should make root execution interactive.""" + + raw = os.environ.get("PATH", "") if path_value is None else str(path_value) + out: list[str] = [] + for entry in raw.split(os.pathsep): + reason = _path_entry_is_unsafe(entry) + if reason: + label = entry if entry else "" + out.append(f"{label}: {reason}") + return out + + +def _is_effective_root() -> bool: + geteuid = getattr(os, "geteuid", None) + return bool(geteuid is not None and geteuid() == 0) + + +def _confirm_root_path_safety(*, force: bool = False) -> None: + """Prompt before running as root with a PATH that trusts writable entries.""" + + if force or not _is_effective_root(): + return + + reasons = _unsafe_root_path_reasons() + if not reasons: + return + + details = "\n".join(f" - {r}" for r in reasons) + msg = ( + "warning: enroll is running as root and PATH contains entries that " + "could allow an untrusted binary to be executed:\n" + f"{details}\n" + ) + + if not sys.stdin.isatty(): + raise SystemExit( + msg + "error: refusing to continue non-interactively. Re-run with " + "--assume-safe-path if you intentionally trust this PATH." + ) + + print(msg, file=sys.stderr, end="") + answer = input("Are you sure you want to continue? [y/N] ") + if answer.strip().lower() not in {"y", "yes"}: + raise SystemExit("aborted: unsafe root PATH was not confirmed") + + def _section_to_argv( p: argparse.ArgumentParser, cfg: configparser.ConfigParser, section: str ) -> list[str]: @@ -279,7 +429,7 @@ def _resolve_sops_out_file(out: Optional[str], *, hint: str) -> Path: def _tar_dir_to(path_dir: Path, tar_path: Path) -> None: - tar_path.parent.mkdir(parents=True, exist_ok=True) + ensure_safe_output_parent(tar_path, label="harvest tar output") with tarfile.open(tar_path, mode="w:gz") as tf: # Keep a stable on-disk layout when extracted: state.json + artifacts/ tf.add(str(path_dir), arcname=".") @@ -289,7 +439,7 @@ def _encrypt_harvest_dir_to_sops( bundle_dir: Path, out_file: Path, fps: list[str] ) -> Path: out_file = Path(out_file) - out_file.parent.mkdir(parents=True, exist_ok=True) + ensure_safe_output_parent(out_file, label="encrypted harvest output") # Create the tarball alongside the output file (keeps filesystem permissions/locality sane). fd, tmp_tgz = tempfile.mkstemp( @@ -308,9 +458,23 @@ def _encrypt_harvest_dir_to_sops( def _add_common_manifest_args(p: argparse.ArgumentParser) -> None: + p.add_argument( + "--target", + choices=["ansible", "puppet", "salt"], + default="ansible", + help="Manifest target to generate (default: ansible).", + ) p.add_argument( "--fqdn", - help="Host FQDN/name for site-mode output (creates inventory/, inventory/host_vars/, playbooks/).", + help="Host FQDN/name for site-mode output (creates target-specific host inventory/data such as Ansible host_vars, Puppet Hiera, or Salt pillar).", + ) + p.add_argument( + "--no-common-roles", + action="store_true", + help=( + "Do not group package and systemd-unit roles into common section/group roles. " + "This preserves one generated role per package/unit. --fqdn implies this." + ), ) g = p.add_mutually_exclusive_group() g.add_argument( @@ -338,8 +502,8 @@ def _add_config_args(p: argparse.ArgumentParser) -> None: "-c", "--config", help=( - "Path to an INI config file for default options. If omitted, enroll will look for " - "./enroll.ini, ./.enroll.ini, or ~/.config/enroll/enroll.ini (or $XDG_CONFIG_HOME/enroll/enroll.ini)." + "Path to an INI config file for default options. If omitted, enroll will look for a path defined by the " + "ENROLL_CONFIG environment variable , ~/.config/enroll/enroll.ini (or $XDG_CONFIG_HOME/enroll/enroll.ini)." ), ) p.add_argument( @@ -349,6 +513,21 @@ def _add_config_args(p: argparse.ArgumentParser) -> None: ) +def _add_path_safety_args( + p: argparse.ArgumentParser, *, default: object = False +) -> None: + p.add_argument( + "--assume-safe-path", + action="store_true", + default=default, + help=( + "When running as root, continue without confirmation even if PATH " + "contains '.', an empty/relative entry, or a group/world-writable " + "directory. Intended for trusted non-interactive automation." + ), + ) + + def _add_remote_args(p: argparse.ArgumentParser) -> None: p.add_argument( "--remote-host", @@ -422,10 +601,12 @@ def main() -> None: version=f"{get_enroll_version()}", ) _add_config_args(ap) + _add_path_safety_args(ap) sub = ap.add_subparsers(dest="cmd", required=True) h = sub.add_parser("harvest", help="Harvest service/package/config state") _add_config_args(h) + _add_path_safety_args(h, default=argparse.SUPPRESS) _add_remote_args(h) h.add_argument( "--out", @@ -459,7 +640,6 @@ def main() -> None: "Excludes apply to all harvesting, including defaults." ), ) - h.add_argument( "--sops", nargs="+", @@ -475,8 +655,11 @@ def main() -> None: help="Don't use sudo on the remote host (when using --remote options). This may result in a limited harvest due to permission restrictions.", ) - m = sub.add_parser("manifest", help="Render Ansible roles from a harvest") + m = sub.add_parser( + "manifest", help="Render configuration-management code from a harvest" + ) _add_config_args(m) + _add_path_safety_args(m, default=argparse.SUPPRESS) m.add_argument( "--harvest", required=True, @@ -507,9 +690,11 @@ def main() -> None: _add_common_manifest_args(m) s = sub.add_parser( - "single-shot", help="Harvest state, then manifest Ansible code, in one shot" + "single-shot", + help="Harvest state, then manifest configuration-management code, in one shot", ) _add_config_args(s) + _add_path_safety_args(s, default=argparse.SUPPRESS) _add_remote_args(s) s.add_argument( "--harvest", @@ -543,7 +728,6 @@ def main() -> None: "Excludes apply to all harvesting, including defaults." ), ) - s.add_argument( "--sops", nargs="+", @@ -571,6 +755,7 @@ def main() -> None: d = sub.add_parser("diff", help="Compare two harvests and report differences") _add_config_args(d) + _add_path_safety_args(d, default=argparse.SUPPRESS) d.add_argument( "--old", required=True, @@ -619,10 +804,19 @@ def main() -> None: action="store_true", help=( "If differences are detected, attempt to enforce the old harvest state locally by generating a manifest and " - "running ansible-playbook. Requires ansible-playbook on PATH. " + "running the selected local apply tool. " "Enroll does not attempt to downgrade packages; if the only drift is package version upgrades (or newly installed packages), enforcement is skipped." ), ) + d.add_argument( + "--target", + choices=["ansible", "puppet", "salt"], + default="ansible", + help=( + "Configuration-management target to use with --enforce (default: ansible). " + "Requires ansible-playbook, puppet, or salt-call on PATH as appropriate." + ), + ) d.add_argument( "--out", help="Write the report to this file instead of stdout.", @@ -683,6 +877,7 @@ def main() -> None: e = sub.add_parser("explain", help="Explain a harvest state.json") _add_config_args(e) + _add_path_safety_args(e, default=argparse.SUPPRESS) e.add_argument( "harvest", help=( @@ -711,6 +906,7 @@ def main() -> None: "validate", help="Validate a harvest bundle (state.json + artifacts)" ) _add_config_args(v) + _add_path_safety_args(v, default=argparse.SUPPRESS) v.add_argument( "harvest", help=( @@ -767,6 +963,13 @@ def main() -> None: ) args = ap.parse_args(argv) + if args.cmd in {"harvest", "single-shot"} and bool( + getattr(args, "dangerous", False) + ): + _warn_dangerous_harvest(sops_enabled=bool(getattr(args, "sops", None))) + + _confirm_root_path_safety(force=bool(getattr(args, "assume_safe_path", False))) + # Preserve historical defaults for remote harvesting unless ssh_config lookup is enabled. # This lets ssh_config values take effect when the user did not explicitly set # --remote-user / --remote-port. @@ -806,6 +1009,7 @@ def main() -> None: no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=True, ) _encrypt_harvest_dir_to_sops( tmp_bundle, out_file, list(sops_fps) @@ -832,6 +1036,7 @@ def main() -> None: no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=not bool(args.out), ) print(str(state)) else: @@ -849,6 +1054,7 @@ def main() -> None: dangerous=bool(args.dangerous), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=True, ) _encrypt_harvest_dir_to_sops( tmp_bundle, out_file, list(sops_fps) @@ -868,6 +1074,7 @@ def main() -> None: dangerous=bool(args.dangerous), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=not bool(args.out), ) print(path) elif args.cmd == "explain": @@ -895,9 +1102,7 @@ def main() -> None: out_path = getattr(args, "out", None) if out_path: - p = Path(out_path).expanduser() - p.parent.mkdir(parents=True, exist_ok=True) - p.write_text(txt, encoding="utf-8") + write_text_output_file(out_path, txt, label="validation report") else: sys.stdout.write(txt) @@ -913,6 +1118,8 @@ def main() -> None: fqdn=args.fqdn, jinjaturtle=_jt_mode(args), sops_fingerprints=getattr(args, "sops", None), + no_common_roles=bool(getattr(args, "no_common_roles", False)), + target=getattr(args, "target", "ansible"), ) if getattr(args, "sops", None) and out_enc: print(str(out_enc)) @@ -928,7 +1135,7 @@ def main() -> None: ) # Optional enforcement: if drift is detected, attempt to restore the - # system to the *old* (baseline) state using ansible-playbook. + # system to the *old* (baseline) state using the selected target. if bool(getattr(args, "enforce", False)): if has_changes: if not has_enforceable_drift(report): @@ -946,6 +1153,7 @@ def main() -> None: args.old, sops_mode=bool(getattr(args, "sops", False)), report=report, + target=getattr(args, "target", "ansible"), ) except Exception as e: raise SystemExit( @@ -965,9 +1173,7 @@ def main() -> None: txt = format_report(report, fmt=str(getattr(args, "format", "text"))) out_path = getattr(args, "out", None) if out_path: - p = Path(out_path).expanduser() - p.parent.mkdir(parents=True, exist_ok=True) - p.write_text(txt, encoding="utf-8") + write_text_output_file(out_path, txt, label="diff report") else: print(txt, end="" if txt.endswith("\n") else "\n") @@ -1039,6 +1245,7 @@ def main() -> None: no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=True, ) _encrypt_harvest_dir_to_sops( tmp_bundle, out_file, list(sops_fps) @@ -1050,6 +1257,8 @@ def main() -> None: fqdn=args.fqdn, jinjaturtle=_jt_mode(args), sops_fingerprints=list(sops_fps), + no_common_roles=bool(getattr(args, "no_common_roles", False)), + target=getattr(args, "target", "ansible"), ) if not args.harvest: print(str(out_file)) @@ -1074,12 +1283,15 @@ def main() -> None: no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=not bool(args.harvest), ) manifest( str(harvest_dir), args.out, fqdn=args.fqdn, jinjaturtle=_jt_mode(args), + no_common_roles=bool(getattr(args, "no_common_roles", False)), + target=getattr(args, "target", "ansible"), ) # For usability (when --harvest wasn't provided), print the harvest path. if not args.harvest: @@ -1099,6 +1311,7 @@ def main() -> None: dangerous=bool(args.dangerous), include_paths=list(getattr(args, "include_path", []) or []), exclude_paths=list(getattr(args, "exclude_path", []) or []), + allow_existing_output=True, ) _encrypt_harvest_dir_to_sops( tmp_bundle, out_file, list(sops_fps) @@ -1110,6 +1323,8 @@ def main() -> None: fqdn=args.fqdn, jinjaturtle=_jt_mode(args), sops_fingerprints=list(sops_fps), + no_common_roles=bool(getattr(args, "no_common_roles", False)), + target=getattr(args, "target", "ansible"), ) if not args.harvest: print(str(out_file)) @@ -1129,6 +1344,8 @@ def main() -> None: args.out, fqdn=args.fqdn, jinjaturtle=_jt_mode(args), + no_common_roles=bool(getattr(args, "no_common_roles", False)), + target=getattr(args, "target", "ansible"), ) except RemoteSudoPasswordRequired: raise SystemExit( diff --git a/enroll/cm.py b/enroll/cm.py new file mode 100644 index 0000000..f452313 --- /dev/null +++ b/enroll/cm.py @@ -0,0 +1,859 @@ +from __future__ import annotations + +import shlex +from dataclasses import dataclass, field +from pathlib import Path +from typing import ( + Any, + Callable, + ClassVar, + Dict, + Iterable, + Iterator, + List, + Mapping, + Set, +) + +from .state import load_state, state_path, write_state + + +@dataclass +class CMModule: + """Renderer-neutral configuration-management resource group. + + A CMModule is intentionally small: it captures the resources that a target + renderer can turn into Ansible tasks, Puppet resources, Salt states, etc. + The renderer may still decide how to name/include/order the group. + """ + + role_name: str + module_name: str + packages: Set[str] = field(default_factory=set) + groups: Set[str] = field(default_factory=set) + users: Dict[str, Dict[str, Any]] = field(default_factory=dict) + dirs: Dict[str, Dict[str, Any]] = field(default_factory=dict) + files: Dict[str, Dict[str, Any]] = field(default_factory=dict) + links: Dict[str, Dict[str, Any]] = field(default_factory=dict) + services: Dict[str, Dict[str, Any]] = field(default_factory=dict) + firewall_runtime: Dict[str, Any] = field(default_factory=dict) + notes: List[str] = field(default_factory=list) + + managed_owner_attr: ClassVar[str] = "owner" + firewall_runtime_dir: ClassVar[str] = "/etc/enroll/firewall" + firewall_runtime_artifacts: ClassVar[tuple[tuple[str, str, str], ...]] = ( + ("ipset_save", "ipset.save", "0600"), + ("iptables_v4_save", "iptables.v4", "0600"), + ("iptables_v6_save", "iptables.v6", "0600"), + ) + + def has_core_resources(self) -> bool: + return bool( + self.packages + or self.groups + or self.users + or self.dirs + or self.files + or self.links + or self.services + or self.firewall_runtime + or self.notes + ) + + def has_resources(self) -> bool: + return self.has_core_resources() + + def has_resources_or_attrs(self, *attrs: str) -> bool: + """Return true if core resources or named renderer extras are present.""" + + return self.has_core_resources() or any( + bool(getattr(self, attr, None)) for attr in attrs + ) + + @staticmethod + def state_path(bundle_dir: str | Path) -> Path: + """Return the canonical state.json path for a harvest bundle.""" + + return state_path(bundle_dir) + + @classmethod + def load_state(cls, bundle_dir: str | Path) -> Dict[str, Any]: + """Load state.json for a renderer using the shared bundle state loader.""" + + return load_state(bundle_dir) + + @classmethod + def _load_state(cls, bundle_dir: str | Path) -> Dict[str, Any]: + """Backward-compatible alias for renderer subclasses.""" + + return cls.load_state(bundle_dir) + + @classmethod + def write_state( + cls, + bundle_dir: str | Path, + state: Mapping[str, Any], + *, + indent: int = 2, + sort_keys: bool = True, + ) -> Path: + """Write state.json using the shared bundle state writer.""" + + return write_state(bundle_dir, state, indent=indent, sort_keys=sort_keys) + + @staticmethod + def _snapshot_items(snap: Dict[str, Any], key: str) -> Iterator[Dict[str, Any]]: + values = snap.get(key) or [] + if not isinstance(values, list): + return + for item in values: + if isinstance(item, dict): + yield item + + @classmethod + def managed_dirs_from_snapshot( + cls, snap: Dict[str, Any] + ) -> Iterator[Dict[str, Any]]: + return cls._snapshot_items(snap, "managed_dirs") + + @classmethod + def managed_files_from_snapshot( + cls, snap: Dict[str, Any] + ) -> Iterator[Dict[str, Any]]: + return cls._snapshot_items(snap, "managed_files") + + @classmethod + def managed_links_from_snapshot( + cls, snap: Dict[str, Any] + ) -> Iterator[Dict[str, Any]]: + return cls._snapshot_items(snap, "managed_links") + + def add_managed_dir( + self, + path: str, + *, + owner: Any = "root", + group: Any = "root", + mode: Any = "0755", + **attrs: Any, + ) -> None: + if not path: + return + data: Dict[str, Any] = { + "owner": owner or "root", + "group": group or "root", + "mode": mode or "0755", + } + data.update(attrs) + self.dirs.setdefault(path, data) + + def add_managed_file( + self, + path: str, + *, + owner: Any = "root", + group: Any = "root", + mode: Any = "0644", + **attrs: Any, + ) -> None: + if not path: + return + data: Dict[str, Any] = { + "owner": owner or "root", + "group": group or "root", + "mode": mode or "0644", + } + data.update(attrs) + self.files.setdefault(path, data) + + def add_managed_link(self, path: str, **attrs: Any) -> None: + if path: + self.links.setdefault(path, attrs) + + def add_snapshot_notes(self, snap: Dict[str, Any]) -> None: + self.notes.extend(str(n) for n in (snap.get("notes", []) or [])) + + @staticmethod + def package_name_from_snapshot(snap: Dict[str, Any]) -> str: + return str(snap.get("package") or "").strip() + + @staticmethod + def package_names_from_snapshot(snap: Dict[str, Any]) -> Iterator[str]: + for pkg in snap.get("packages", []) or []: + pkg_s = str(pkg or "").strip() + if pkg_s: + yield pkg_s + + def add_package_snapshot(self, snap: Dict[str, Any]) -> None: + pkg = self.package_name_from_snapshot(snap) + if pkg: + self.packages.add(pkg) + + def add_service_packages_from_snapshot(self, snap: Dict[str, Any]) -> None: + self.packages.update(self.package_names_from_snapshot(snap)) + + def service_unit_from_snapshot(self, snap: Dict[str, Any]) -> str: + return str(snap.get("unit") or "").strip() + + def service_enabled_from_snapshot(self, snap: Dict[str, Any]) -> bool: + unit_file_state = str(snap.get("unit_file_state") or "") + return unit_file_state in ("enabled", "enabled-runtime") + + def service_state_from_snapshot( + self, + snap: Dict[str, Any], + *, + running: str, + stopped: str, + ) -> str: + return running if snap.get("active_state") == "active" else stopped + + def add_service_snapshot_state( + self, + snap: Dict[str, Any], + *, + state_key: str, + running: str, + stopped: str, + include_manage: bool = False, + ) -> None: + """Add the common systemd service parts, parameterised per renderer.""" + + self.add_service_packages_from_snapshot(snap) + unit = self.service_unit_from_snapshot(snap) + if not unit: + return + + data: Dict[str, Any] = { + "name": unit, + state_key: self.service_state_from_snapshot( + snap, running=running, stopped=stopped + ), + "enable": self.service_enabled_from_snapshot(snap), + } + if include_manage: + data["manage"] = True + self.services[unit] = data + + @staticmethod + def normalise_flatpak_item( + item: Any, + *, + method: str, + user: str | None = None, + home: str | None = None, + ) -> Dict[str, Any]: + if isinstance(item, dict): + out = dict(item) + elif isinstance(item, str): + out = {"name": item} + else: + out = {"name": str(item)} + + out["method"] = str(out.get("method") or method or "system").strip() or "system" + if user and not out.get("user"): + out["user"] = user + if home and not out.get("home"): + out["home"] = home + ref = str(out.get("ref") or "").strip() + if ref and not out.get("name"): + out["name"] = ref.rsplit("/", 1)[-1] + name = str(out.get("name") or out.get("app_id") or "").strip() + if name: + out["name"] = name + remote = str(out.get("remote") or "").strip() + if remote: + out["remote"] = remote + branch = str(out.get("branch") or out.get("origin") or "").strip() + if branch: + out["branch"] = branch + if ref: + out["ref"] = ref + return out + + @staticmethod + def normalise_flatpak_remote(item: Any) -> Dict[str, Any]: + if isinstance(item, dict): + out = dict(item) + else: + out = {"name": str(item)} + name = str(out.get("name") or out.get("remote") or "").strip() + url = str(out.get("url") or out.get("from_url") or "").strip() + method = ( + str(out.get("method") or out.get("scope") or "system").strip() or "system" + ) + if name: + out["name"] = name + if url: + out["url"] = url + out["method"] = "user" if method == "user" else "system" + return out + + @staticmethod + def normalise_snap_item(item: Any) -> Dict[str, Any]: + if isinstance(item, dict): + out = dict(item) + elif isinstance(item, str): + out = {"name": item} + else: + out = {"name": str(item)} + + name = str(out.get("name") or "").strip() + if name: + out["name"] = name + channel = str(out.get("tracking") or out.get("channel") or "").strip() + if channel: + out["channel"] = channel + raw_notes = out.get("notes") or [] + if isinstance(raw_notes, str): + raw_notes = [raw_notes] + notes = [str(note).lower() for note in raw_notes] + confinement = str(out.get("confinement") or "").strip().lower() + out["classic"] = bool( + out.get("classic") + or confinement == "classic" + or any("classic" in note for note in notes) + ) + out["devmode"] = bool( + out.get("devmode") + or any("devmode" in note or "dev mode" in note for note in notes) + ) + out["dangerous"] = bool( + out.get("dangerous") or any("dangerous" in note for note in notes) + ) + revision = str(out.get("revision") or "").strip() + if revision and not channel: + out["revision"] = revision + return out + + def prepare_flatpak_remote(self, item: Dict[str, Any]) -> Dict[str, Any]: + raise NotImplementedError + + def prepare_flatpak_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + raise NotImplementedError + + def prepare_snap_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + raise NotImplementedError + + @staticmethod + def user_records_from_snapshot(snap: Dict[str, Any]) -> List[Dict[str, Any]]: + records: List[Dict[str, Any]] = [] + for raw in snap.get("users", []) or []: + if not isinstance(raw, dict): + continue + name = str(raw.get("name") or "").strip() + if not name: + continue + primary_group = str(raw.get("primary_group") or name).strip() + supplementary = sorted( + { + str(group).strip() + for group in (raw.get("supplementary_groups") or []) + if str(group).strip() + } + ) + records.append( + { + "name": name, + "uid": raw.get("uid"), + "gid": raw.get("gid"), + "primary_group": primary_group, + "home": raw.get("home") or f"/home/{name}", + "shell": raw.get("shell"), + "gecos": raw.get("gecos"), + "supplementary_groups": supplementary, + } + ) + return records + + @staticmethod + def user_group_names_from_records(records: Iterable[Mapping[str, Any]]) -> Set[str]: + groups: Set[str] = set() + for record in records: + primary_group = str(record.get("primary_group") or "").strip() + if primary_group: + groups.add(primary_group) + groups.update( + str(group).strip() + for group in (record.get("supplementary_groups") or []) + if str(group).strip() + ) + return groups + + @staticmethod + def package_service_entries( + roles: Mapping[str, Any], + inventory_packages: Mapping[str, Any], + *, + use_common_roles: bool, + ) -> Iterator[Dict[str, Any]]: + for svc in roles.get("services", []) or []: + if not isinstance(svc, dict): + continue + own_label = str(svc.get("role_name") or svc.get("unit") or "service") + role_label = ( + section_label_for_packages( + svc.get("packages", []) or [], inventory_packages + ) + if use_common_roles + else own_label + ) + yield {"kind": "service", "snapshot": svc, "role_label": role_label} + + for pkg in roles.get("packages", []) or []: + if not isinstance(pkg, dict): + continue + own_label = str(pkg.get("role_name") or pkg.get("package") or "package") + role_label = ( + package_section_label(pkg, inventory_packages) + if use_common_roles + else own_label + ) + yield {"kind": "package", "snapshot": pkg, "role_label": role_label} + + @staticmethod + def active_service_units_by_package( + entries: Iterable[Mapping[str, Any]], + ) -> Dict[str, List[Dict[str, str]]]: + """Return active service units keyed by the packages that produced them. + + Renderers use this when a package-owned managed file should refresh the + service that package provides. The helper is deliberately conservative: + stopped/inactive services are not included, and ambiguous package->many + service mappings are left to the renderer/caller to resolve. + """ + + by_package: Dict[str, List[Dict[str, str]]] = {} + for entry in entries: + if str(entry.get("kind") or "package") != "service": + continue + snap = entry.get("snapshot") or {} + if not isinstance(snap, Mapping): + continue + unit = str(snap.get("unit") or "").strip() + if not unit or str(snap.get("active_state") or "") != "active": + continue + role_name = str(snap.get("role_name") or unit).strip() + for pkg in snap.get("packages", []) or []: + package = str(pkg or "").strip() + if package: + by_package.setdefault(package, []).append( + {"unit": unit, "role_name": role_name} + ) + for package, services in list(by_package.items()): + seen: Set[str] = set() + unique: List[Dict[str, str]] = [] + for svc in services: + unit = svc.get("unit") or "" + if unit and unit not in seen: + seen.add(unit) + unique.append(svc) + by_package[package] = sorted(unique, key=lambda svc: svc.get("unit", "")) + return by_package + + @staticmethod + def active_service_units_for_package_snapshot( + package_snapshot: Mapping[str, Any], + service_units_by_package: Mapping[str, List[Dict[str, str]]], + ) -> List[str]: + """Return active service units that a package snapshot can safely refresh. + + If one active service is associated with the package, return it. If + several are associated, only return a role-name match; otherwise avoid + guessing and return no services. This prevents package-level config from + recreating the old broad-restart problem. + """ + + package = str(package_snapshot.get("package") or "").strip() + if not package: + return [] + services = list(service_units_by_package.get(package) or []) + if len(services) == 1: + unit = services[0].get("unit") or "" + return [unit] if unit else [] + + role_name = str(package_snapshot.get("role_name") or "").strip() + if role_name: + matched = [ + svc.get("unit") or "" + for svc in services + if svc.get("role_name") == role_name and svc.get("unit") + ] + if matched: + return sorted(set(matched)) + return [] + + def add_user_flatpaks_snapshot(self, snap: Dict[str, Any]) -> None: + home_by_user = { + str(u.get("name")): str(u.get("home") or "") + for u in (snap.get("users", []) or []) + if isinstance(u, dict) and u.get("name") + } + for remote in snap.get("user_flatpak_remotes", []) or []: + item = self.normalise_flatpak_remote(remote) + user = str(item.get("user") or "").strip() + if user and not item.get("home"): + item["home"] = home_by_user.get(user) or f"/home/{user}" + if item.get("method") == "user" and item.get("name") and item.get("url"): + self.flatpak_remotes.append( # type: ignore[attr-defined] + self.prepare_flatpak_remote(item) + ) + for uname, flatpaks in (snap.get("user_flatpaks", {}) or {}).items(): + user = str(uname) + for fp in flatpaks or []: + item = self.normalise_flatpak_item( + fp, method="user", user=user, home=home_by_user.get(user) or None + ) + if item.get("name"): + self.flatpaks.append( # type: ignore[attr-defined] + self.prepare_flatpak_item(item) + ) + + def add_flatpak_snapshot(self, snap: Dict[str, Any]) -> None: + for remote in snap.get("remotes", []) or []: + item = self.normalise_flatpak_remote(remote) + if item.get("name") and item.get("url"): + self.flatpak_remotes.append( # type: ignore[attr-defined] + self.prepare_flatpak_remote(item) + ) + for fp in snap.get("system_flatpaks", []) or []: + item = self.normalise_flatpak_item(fp, method="system") + if item.get("name"): + self.flatpaks.append( # type: ignore[attr-defined] + self.prepare_flatpak_item(item) + ) + self.add_snapshot_notes(snap) + + def add_snap_snapshot(self, snap: Dict[str, Any]) -> None: + for raw in snap.get("system_snaps", []) or []: + item = self.normalise_snap_item(raw) + if item.get("name"): + self.snaps.append( # type: ignore[attr-defined] + self.prepare_snap_item(item) + ) + self.add_snapshot_notes(snap) + + def firewall_runtime_snapshot_has_artifacts(self, snap: Mapping[str, Any]) -> bool: + return any( + str(snap.get(key) or "").strip() + for key, _dest, _mode in self.firewall_runtime_artifacts + ) + + def firewall_runtime_source_refs(self, snap: Mapping[str, Any]) -> Dict[str, str]: + return { + key: str(snap.get(key) or "").strip() + for key, _dest, _mode in self.firewall_runtime_artifacts + if str(snap.get(key) or "").strip() + } + + def firewall_runtime_dest_path(self, dest_name: str) -> str: + return f"{self.firewall_runtime_dir}/{dest_name}" + + def firewall_runtime_ipset_sets(self, snap: Mapping[str, Any]) -> List[str]: + return [ + str(x).strip() for x in (snap.get("ipset_sets") or []) if str(x).strip() + ] + + @staticmethod + def shell_quote(value: Any) -> str: + return shlex.quote(str(value or "")) + + def firewall_ipset_restore_cmd(self, path: str, sets: List[str]) -> str: + flush_parts = [f"ipset flush {self.shell_quote(name)} || true" for name in sets] + flush = "; ".join(flush_parts) + restore = f"ipset restore -exist < {self.shell_quote(path)}" + if flush: + return f"/bin/sh -c {self.shell_quote(flush + '; ' + restore)}" + return f"/bin/sh -c {self.shell_quote(restore)}" + + def firewall_runtime_commands(self, runtime: Mapping[str, Any]) -> Dict[str, Any]: + out: Dict[str, Any] = {} + ipset_path = str(runtime.get("ipset_save") or "") + if ipset_path: + sets = [str(x) for x in (runtime.get("ipset_sets") or []) if str(x)] + out["ipset_restore_cmd"] = self.firewall_ipset_restore_cmd(ipset_path, sets) + ipt4_path = str(runtime.get("iptables_v4_save") or "") + if ipt4_path: + out["iptables_v4_restore_cmd"] = ( + f"iptables-restore {self.shell_quote(ipt4_path)}" + ) + ipt6_path = str(runtime.get("iptables_v6_save") or "") + if ipt6_path: + out["iptables_v6_restore_cmd"] = ( + f"ip6tables-restore {self.shell_quote(ipt6_path)}" + ) + return out + + def _managed_owner_attrs(self, owner: Any) -> Dict[str, Any]: + return {self.managed_owner_attr: owner or "root"} + + def add_firewall_runtime_snapshot( + self, + snap: Dict[str, Any], + *, + bundle_dir: str, + artifact_role: str, + files_dir: Path, + copy_artifact: Callable[..., str | None], + source_uri: Callable[[str, str], str], + file_prefix: str | None = None, + dir_attrs: Mapping[str, Any] | None = None, + file_attrs: Mapping[str, Any] | None = None, + ) -> None: + """Add captured live firewall state using renderer-supplied file hooks.""" + + self.add_service_packages_from_snapshot(snap) + attrs: Dict[str, Any] = { + **self._managed_owner_attrs("root"), + "group": "root", + "mode": "0750", + "reason": "firewall_runtime", + } + if dir_attrs: + attrs.update(dir_attrs) + self.add_managed_dir(self.firewall_runtime_dir, **attrs) + + runtime: Dict[str, Any] = {} + for key, dest_name, mode in self.firewall_runtime_artifacts: + src_rel = str(snap.get(key) or "").strip() + if not src_rel: + continue + role_rel = copy_artifact( + bundle_dir, + artifact_role, + src_rel, + files_dir, + dst_prefix=file_prefix, + ) + if not role_rel: + self.notes.append( + f"Firewall runtime artifact {src_rel!r} was referenced but not found." + ) + continue + file_data: Dict[str, Any] = { + **self._managed_owner_attrs("root"), + "group": "root", + "mode": mode, + "source": source_uri(self.module_name, role_rel), + "reason": "firewall_runtime", + } + if file_attrs: + file_data.update(file_attrs) + dest = self.firewall_runtime_dest_path(dest_name) + self.add_managed_file(dest, **file_data) + runtime[key] = dest + + ipset_sets = self.firewall_runtime_ipset_sets(snap) + if ipset_sets: + runtime["ipset_sets"] = ipset_sets + if runtime: + runtime.update(self.firewall_runtime_commands(runtime)) + self.firewall_runtime.update(runtime) + self.add_snapshot_notes(snap) + + def remove_directory_resource_conflicts(self) -> None: + for path in set(self.files) | set(self.links): + self.dirs.pop(path, None) + + +def package_section_label( + package_role: Dict[str, Any], inventory_packages: Dict[str, Any] +) -> str: + """Return the Debian Section/RPM Group label for a package role.""" + + pkg = str(package_role.get("package") or "").strip() + inv = inventory_packages.get(pkg) or {} + candidates: List[str] = [] + + for value in (package_role.get("section"), inv.get("section"), inv.get("group")): + if isinstance(value, str) and value.strip(): + candidates.append(value.strip()) + + for inst in inv.get("installations", []) or []: + if not isinstance(inst, dict): + continue + for key in ("section", "group"): + value = inst.get(key) + if isinstance(value, str) and value.strip(): + candidates.append(value.strip()) + + for value in candidates: + if value.lower() not in {"(none)", "none", "unspecified"}: + return value + return "misc" + + +def section_label_for_packages( + packages: List[str], inventory_packages: Dict[str, Any] +) -> str: + """Return a stable section/group label for a set of packages.""" + + for pkg in packages or []: + label = package_section_label({"package": pkg}, inventory_packages) + if label and label.lower() != "misc": + return label + return "misc" + + +def role_order_key(role: str) -> tuple[int, str]: + # Keep broadly similar ordering to generated Ansible playbooks: package/config + # scaffolding first, then services/users, then host-specific runtime state. + priority = { + "apt_config": 10, + "dnf_config": 11, + "etc_custom": 80, + "usr_local_custom": 81, + "extra_paths": 82, + "container_images": 88, + "users": 90, + "enroll_runtime": 94, + "sysctl": 95, + "firewall_runtime": 99, + } + return (priority.get(role, 50), role) + + +def markdown_list(items: Iterable[Any], *, empty: str = "None.") -> str: + values = [str(item) for item in items if str(item)] + return "\n".join(f"- {item}" for item in values) or f"- {empty}" + + +def path_reason_lines( + items: Iterable[Mapping[str, Any]], *, source_key: str = "path" +) -> List[str]: + lines: List[str] = [] + for item in items or []: + path = str(item.get(source_key) or "") + if not path: + continue + reason = str(item.get("reason") or "") + lines.append(f"{path} ({reason})" if reason else path) + return lines + + +def iter_role_snapshots(roles: Mapping[str, Any]) -> Iterator[Mapping[str, Any]]: + for value in roles.values(): + if isinstance(value, list): + for item in value: + if isinstance(item, Mapping): + yield item + elif isinstance(value, Mapping): + yield value + + +def snapshot_note_lines(roles: Mapping[str, Any]) -> List[str]: + notes: List[str] = [] + for snap in iter_role_snapshots(roles): + source = str( + snap.get("role_name") or snap.get("unit") or snap.get("package") or "role" + ) + notes.extend(f"`{source}`: {note}" for note in snap.get("notes", []) or []) + return notes + + +def snapshot_excluded_lines(roles: Mapping[str, Any]) -> List[str]: + excluded: List[str] = [] + for snap in iter_role_snapshots(roles): + source = str( + snap.get("role_name") or snap.get("unit") or snap.get("package") or "role" + ) + for line in path_reason_lines(snap.get("excluded", []) or []): + excluded.append(f"`{source}`: {line}") + return excluded + + +def _drop_duplicate_set_items( + module: CMModule, + values: Set[str], + seen: Set[str], + resource_type: str, +) -> Set[str]: + kept: Set[str] = set() + for value in sorted(values): + if value in seen: + module.notes.append( + f"Skipped duplicate {resource_type}[{value}] already emitted earlier in this catalog." + ) + continue + kept.add(value) + seen.add(value) + return kept + + +def _drop_duplicate_mapping_items( + module: CMModule, + values: Dict[str, Dict[str, Any]], + seen: Set[str], + resource_type: str, + *, + excluded_titles: Set[str] | None = None, + excluded_reason: str = "conflicts with another resource", +) -> Dict[str, Dict[str, Any]]: + kept: Dict[str, Dict[str, Any]] = {} + excluded_titles = excluded_titles or set() + for title, attrs in values.items(): + if title in excluded_titles: + module.notes.append(f"Skipped {resource_type}[{title}]: {excluded_reason}.") + continue + if title in seen: + module.notes.append( + f"Skipped duplicate {resource_type}[{title}] already emitted earlier in this catalog." + ) + continue + kept[title] = attrs + seen.add(title) + return kept + + +def resolve_catalog_conflicts(modules: Iterable[CMModule]) -> None: + """Resolve global catalog conflicts before renderer output. + + Puppet and Salt compile a single resource catalog. Ansible can tolerate the + same package, service, or parent directory appearing in more than one role; + catalog targets cannot. Resolve those conflicts in the shared model rather + than deleting renderer output after the fact. + """ + + ordered = list(modules) + concrete_file_paths: Set[str] = set() + for module in ordered: + concrete_file_paths.update(module.files) + concrete_file_paths.update(module.links) + + seen_packages: Set[str] = set() + seen_groups: Set[str] = set() + seen_users: Set[str] = set() + seen_dirs: Set[str] = set() + seen_files: Set[str] = set() + seen_links: Set[str] = set() + seen_services: Set[str] = set() + + for module in ordered: + module.packages = _drop_duplicate_set_items( + module, module.packages, seen_packages, "Package" + ) + module.groups = _drop_duplicate_set_items( + module, module.groups, seen_groups, "Group" + ) + module.users = _drop_duplicate_mapping_items( + module, module.users, seen_users, "User" + ) + module.dirs = _drop_duplicate_mapping_items( + module, + module.dirs, + seen_dirs, + "File", + excluded_titles=concrete_file_paths, + excluded_reason="a file or link with the same path is emitted in this catalog", + ) + module.files = _drop_duplicate_mapping_items( + module, module.files, seen_files | seen_links, "File" + ) + seen_files.update(module.files) + module.links = _drop_duplicate_mapping_items( + module, module.links, seen_links | seen_files, "File" + ) + seen_links.update(module.links) + module.services = _drop_duplicate_mapping_items( + module, module.services, seen_services, "Service" + ) diff --git a/enroll/debian.py b/enroll/debian.py index 9bf847e..14becad 100644 --- a/enroll/debian.py +++ b/enroll/debian.py @@ -69,7 +69,7 @@ def list_installed_packages() -> Dict[str, List[Dict[str, str]]]: Uses dpkg-query and is expected to work on Debian/Ubuntu-like systems. Output format: - {"pkg": [{"version": "...", "arch": "..."}, ...], ...} + {"pkg": [{"version": "...", "arch": "...", "section": "..."}, ...], ...} """ try: @@ -77,7 +77,7 @@ def list_installed_packages() -> Dict[str, List[Dict[str, str]]]: [ "dpkg-query", "-W", - "-f=${Package}\t${Version}\t${Architecture}\n", + "-f=${Package}\t${Version}\t${Architecture}\t${Section}\n", ], text=True, capture_output=True, @@ -97,7 +97,10 @@ def list_installed_packages() -> Dict[str, List[Dict[str, str]]]: name, ver, arch = parts[0].strip(), parts[1].strip(), parts[2].strip() if not name: continue - out.setdefault(name, []).append({"version": ver, "arch": arch}) + instance = {"version": ver, "arch": arch} + if len(parts) >= 4 and parts[3].strip(): + instance["section"] = parts[3].strip() + out.setdefault(name, []).append(instance) # Stable ordering for deterministic JSON dumps. for k in list(out.keys()): @@ -183,7 +186,12 @@ def parse_status_conffiles( if m: out[pkg] = m - with open(status_path, "r", encoding="utf-8", errors="replace") as f: + try: + f = open(status_path, "r", encoding="utf-8", errors="replace") + except OSError: + return out + + with f: for line in f: if line.strip() == "": if cur: diff --git a/enroll/diff.py b/enroll/diff.py index 8d54bb1..110ca9d 100644 --- a/enroll/diff.py +++ b/enroll/diff.py @@ -21,10 +21,37 @@ from pathlib import Path from typing import Any, Dict, Iterable, List, Optional, Tuple from .remote import _safe_extract_tar +from .state import ( + inventory_packages_from_state as _packages_inventory, + load_state as _load_state, + roles_from_state as _roles, + state_path, +) from .pathfilter import PathFilter from .sopsutil import decrypt_file_binary_to, require_sops_cmd +def _validate_diff_bundle(label: str, bundle_dir: Path) -> None: + """Validate a resolved harvest bundle before diff reads artifacts. + + `diff` intentionally compares older harvests, so keep schema validation out + of this internal safety pass. The important security property here is that + the bundle's artifact tree has the same path/symlink/hardlink/special-file + checks that `manifest` relies on before copying artifacts. + """ + + # Import lazily to avoid a module-level cycle: enroll.validate imports + # BundleRef/_bundle_from_input from this module. + from .validate import validate_harvest + + validation = validate_harvest(str(bundle_dir), no_schema=True) + if not validation.ok: + raise RuntimeError( + f"{label} harvest failed validation; refusing to diff unsafe bundle.\n" + + validation.to_text().strip() + ) + + def _progress_enabled() -> bool: """Return True if we should display interactive progress UI on the CLI. @@ -116,7 +143,7 @@ class BundleRef: @property def state_path(self) -> Path: - return self.dir / "state.json" + return state_path(self.dir) def _bundle_from_input(path: str, *, sops_mode: bool) -> BundleRef: @@ -189,24 +216,10 @@ def _bundle_from_input(path: str, *, sops_mode: bool) -> BundleRef: ) -def _load_state(bundle_dir: Path) -> Dict[str, Any]: - sp = bundle_dir / "state.json" - with open(sp, "r", encoding="utf-8") as f: - return json.load(f) - - -def _packages_inventory(state: Dict[str, Any]) -> Dict[str, Any]: - return (state.get("inventory") or {}).get("packages") or {} - - def _all_packages(state: Dict[str, Any]) -> List[str]: return sorted(_packages_inventory(state).keys()) -def _roles(state: Dict[str, Any]) -> Dict[str, Any]: - return state.get("roles") or {} - - def _pkg_version_key(entry: Dict[str, Any]) -> Optional[str]: """Return a stable string used for version comparison.""" installs = entry.get("installations") or [] @@ -303,6 +316,12 @@ def _iter_managed_files(state: Dict[str, Any]) -> Iterable[Tuple[str, Dict[str, for mf in ac.get("managed_files", []) or []: yield str(ac_role), mf + # sysctl + sc = _roles(state).get("sysctl") or {} + sc_role = sc.get("role_name") or "sysctl" + for mf in sc.get("managed_files", []) or []: + yield str(sc_role), mf + # etc_custom ec = _roles(state).get("etc_custom") or {} ec_role = ec.get("role_name") or "etc_custom" @@ -373,6 +392,9 @@ def compare_harvests( if new_b.tempdir: stack.callback(new_b.tempdir.cleanup) + _validate_diff_bundle("old", old_b.dir) + _validate_diff_bundle("new", new_b.dir) + old_state = _load_state(old_b.dir) new_state = _load_state(new_b.dir) @@ -660,6 +682,113 @@ def _role_tag(role: str) -> str: return f"role_{safe}" +def _normalise_enforcement_target(target: str) -> str: + t = str(target or "ansible").strip().lower() + if t not in {"ansible", "puppet", "salt"}: + raise ValueError(f"unsupported enforcement target: {target!r}") + return t + + +def _enforcement_tool(target: str) -> Tuple[str, str]: + """Return (binary-name, human-label) for a local enforcement target.""" + if target == "puppet": + return "puppet", "puppet apply" + if target == "salt": + return "salt-call", "salt-call" + return "ansible-playbook", "ansible-playbook" + + +def _require_enforcement_tool(target: str) -> Tuple[str, str]: + binary, label = _enforcement_tool(target) + exe = shutil.which(binary) + if not exe: + install_hint = { + "ansible": "Ansible", + "puppet": "Puppet", + "salt": "Salt", + }.get(target, target) + raise RuntimeError( + f"{binary} not found on PATH " + f"(cannot enforce with target {target}; install {install_hint})" + ) + return exe, label + + +def _enforcement_command( + target: str, + exe: str, + manifest_dir: Path, + *, + tags: Optional[List[str]] = None, +) -> Tuple[List[str], Dict[str, str]]: + """Return the local apply command and environment for a rendered manifest.""" + env = dict(os.environ) + + if target == "ansible": + playbook = manifest_dir / "playbook.yml" + if not playbook.exists(): + raise RuntimeError( + f"manifest did not produce expected playbook.yml at {playbook}" + ) + + cfg = manifest_dir / "ansible.cfg" + if cfg.exists(): + env["ANSIBLE_CONFIG"] = str(cfg) + + cmd = [ + exe, + "-i", + "localhost,", + "-c", + "local", + str(playbook), + ] + if tags: + cmd.extend(["--tags", ",".join(tags)]) + return cmd, env + + if target == "puppet": + site_pp = manifest_dir / "manifests" / "site.pp" + if not site_pp.exists(): + raise RuntimeError( + f"manifest did not produce expected Puppet site.pp at {site_pp}" + ) + + cmd = [ + exe, + "apply", + "--modulepath", + str(manifest_dir / "modules"), + ] + hiera_config = manifest_dir / "hiera.yaml" + if hiera_config.exists(): + cmd.extend(["--hiera_config", str(hiera_config)]) + cmd.append(str(site_pp)) + return cmd, env + + if target == "salt": + states_dir = manifest_dir / "states" + top_sls = states_dir / "top.sls" + if not top_sls.exists(): + raise RuntimeError( + f"manifest did not produce expected Salt top.sls at {top_sls}" + ) + + cmd = [ + exe, + "--local", + "--file-root", + str(states_dir), + ] + pillar_dir = manifest_dir / "pillar" + if pillar_dir.exists(): + cmd.extend(["--pillar-root", str(pillar_dir)]) + cmd.extend(["state.apply"]) + return cmd, env + + raise ValueError(f"unsupported enforcement target: {target!r}") + + def _enforcement_plan( report: Dict[str, Any], old_state: Dict[str, Any], @@ -769,22 +898,22 @@ def enforce_old_harvest( *, sops_mode: bool = False, report: Optional[Dict[str, Any]] = None, + target: str = "ansible", ) -> Dict[str, Any]: """Enforce the *old* (baseline) harvest state on the current machine. - When Ansible is available, this: - 1) renders a temporary manifest from the old harvest, and - 2) runs ansible-playbook locally to apply it. + This renders a temporary manifest from the old harvest using the requested + target, then runs the target's local apply command: + - ansible: ansible-playbook -i localhost, -c local playbook.yml + - puppet: puppet apply --modulepath ./modules manifests/site.pp + - salt: salt-call --local --file-root ./states state.apply Returns a dict suitable for attaching to the diff report under report['enforcement']. """ - ansible_playbook = shutil.which("ansible-playbook") - if not ansible_playbook: - raise RuntimeError( - "ansible-playbook not found on PATH (cannot enforce; install Ansible)" - ) + target = _normalise_enforcement_target(target) + tool_exe, tool_label = _require_enforcement_tool(target) # Import lazily to avoid heavy import cost and potential CLI cycles. from .manifest import manifest @@ -804,8 +933,12 @@ def enforce_old_harvest( if report is not None: plan = _enforcement_plan(report, old_state, old_b.dir) roles = list(plan.get("roles") or []) - t = list(plan.get("tags") or []) - tags = t if t else None + # Only Ansible has generated per-role tags that can safely narrow + # the apply scope. Puppet and Salt enforcement deliberately run the + # full generated local manifest/catalog for now. + if target == "ansible": + t = list(plan.get("tags") or []) + tags = t if t else None with tempfile.TemporaryDirectory(prefix="enroll-enforce-") as td: td_path = Path(td) @@ -814,31 +947,19 @@ def enforce_old_harvest( except OSError: pass - # 1) Generate a manifest in a temp directory. - manifest(str(old_b.dir), str(td_path)) - - playbook = td_path / "playbook.yml" - if not playbook.exists(): - raise RuntimeError( - f"manifest did not produce expected playbook.yml at {playbook}" - ) + # 1) Generate a manifest in a temp directory. The renderer now + # refuses to write into an existing destination, so use a fresh + # child path under the secure temporary directory. + manifest_dir = td_path / "manifest" + manifest(str(old_b.dir), str(manifest_dir), target=target) # 2) Apply it locally. - env = dict(os.environ) - cfg = td_path / "ansible.cfg" - if cfg.exists(): - env["ANSIBLE_CONFIG"] = str(cfg) - - cmd = [ - ansible_playbook, - "-i", - "localhost,", - "-c", - "local", - str(playbook), - ] - if tags: - cmd.extend(["--tags", ",".join(tags)]) + cmd, env = _enforcement_command( + target, + tool_exe, + manifest_dir, + tags=tags, + ) spinner: Optional[_Spinner] = None p: Optional[subprocess.CompletedProcess[str]] = None @@ -846,12 +967,12 @@ def enforce_old_harvest( if _progress_enabled(): if tags: sys.stderr.write( - f"Enforce: running ansible-playbook (tags: {','.join(tags)})\n", + f"Enforce: running {tool_label} (tags: {','.join(tags)})\n", ) else: - sys.stderr.write("Enforce: running ansible-playbook\n") + sys.stderr.write(f"Enforce: running {tool_label}\n") sys.stderr.flush() - spinner = _Spinner(" ansible-playbook") + spinner = _Spinner(f" {tool_label}") spinner.start() try: @@ -869,8 +990,8 @@ def enforce_old_harvest( rc = p.returncode if p is not None else None spinner.stop( final_line=( - f"Enforce: ansible-playbook finished in {elapsed:0.1f}s" - + (f" (rc={rc})" if rc is not None else ""), + f"Enforce: {tool_label} finished in {elapsed:0.1f}s" + + (f" (rc={rc})" if rc is not None else "") ), ) @@ -878,23 +999,32 @@ def enforce_old_harvest( info: Dict[str, Any] = { "status": "applied" if p.returncode == 0 else "failed", + "target": target, + "tool": tool_label, + "executable": tool_exe, "started_at": started_at, "finished_at": finished_at, - "ansible_playbook": ansible_playbook, "command": cmd, "returncode": int(p.returncode), } + # Keep the original Ansible-specific field for compatibility with + # existing consumers of the JSON report. + if target == "ansible": + info["ansible_playbook"] = tool_exe + elif target == "puppet": + info["puppet"] = tool_exe + elif target == "salt": + info["salt_call"] = tool_exe - # Record tag selection (if we could attribute drift to specific roles). info["roles"] = roles info["tags"] = list(tags or []) if not tags: - info["scope"] = "full_playbook" + info["scope"] = "full_manifest" if p.returncode != 0: err = (p.stderr or p.stdout or "").strip() raise RuntimeError( - "ansible-playbook failed" + f"{tool_label} failed" + (f" (rc={p.returncode})" if p.returncode is not None else "") + (f": {err}" if err else "") ) @@ -939,6 +1069,9 @@ def _report_text(report: Dict[str, Any]) -> str: if enf: lines.append("\nEnforcement") status = str(enf.get("status") or "").strip().lower() + tool = str(enf.get("tool") or "ansible-playbook") + target = str(enf.get("target") or "ansible") + via = f"{tool} ({target})" if target and target not in tool else tool if status == "applied": extra = "" tags = enf.get("tags") or [] @@ -948,7 +1081,7 @@ def _report_text(report: Dict[str, Any]) -> str: elif scope: extra = f" ({scope})" lines.append( - f" applied old harvest via ansible-playbook (rc={enf.get('returncode')})" + f" applied old harvest via {via} (rc={enf.get('returncode')})" + extra + ( f" (finished {enf.get('finished_at')})" @@ -958,7 +1091,7 @@ def _report_text(report: Dict[str, Any]) -> str: ) elif status == "failed": lines.append( - f" attempted enforcement but ansible-playbook failed (rc={enf.get('returncode')})" + f" attempted enforcement but {via} failed (rc={enf.get('returncode')})" ) elif status == "skipped": r = enf.get("reason") @@ -1098,6 +1231,9 @@ def _report_markdown(report: Dict[str, Any]) -> str: if enf: out.append("\n## Enforcement\n") status = str(enf.get("status") or "").strip().lower() + tool = str(enf.get("tool") or "ansible-playbook") + target = str(enf.get("target") or "ansible") + via = f"{tool} ({target})" if target and target not in tool else tool if status == "applied": extra = "" tags = enf.get("tags") or [] @@ -1107,7 +1243,7 @@ def _report_markdown(report: Dict[str, Any]) -> str: elif scope: extra = f" ({scope})" out.append( - "- ✅ Applied old harvest via ansible-playbook" + f"- ✅ Applied old harvest via {via}" + extra + ( f" (rc={enf.get('returncode')})" @@ -1123,7 +1259,7 @@ def _report_markdown(report: Dict[str, Any]) -> str: ) elif status == "failed": out.append( - "- ⚠️ Attempted enforcement but ansible-playbook failed" + f"- ⚠️ Attempted enforcement but {via} failed" + ( f" (rc={enf.get('returncode')})" if enf.get("returncode") is not None @@ -1345,8 +1481,14 @@ def send_email( try: s.starttls() s.ehlo() - except Exception: - # STARTTLS is optional; ignore if unsupported. + except Exception as e: + if smtp_user or smtp_password: + raise RuntimeError( + "email: SMTP STARTTLS failed; refusing to send credentials " + "without TLS" + ) from e + # Without credentials, keep STARTTLS opportunistic so localhost or + # unauthenticated relay setups continue to work. pass # nosec if smtp_user: s.login(smtp_user, smtp_password or "") diff --git a/enroll/explain.py b/enroll/explain.py index 131f2df..17f1b4b 100644 --- a/enroll/explain.py +++ b/enroll/explain.py @@ -5,7 +5,8 @@ from collections import Counter, defaultdict from dataclasses import dataclass from typing import Any, Dict, Iterable, List, Tuple -from .diff import _bundle_from_input, _load_state # reuse existing bundle handling +from .diff import _bundle_from_input # reuse existing bundle handling +from .state import load_state @dataclass(frozen=True) @@ -188,6 +189,12 @@ _EXCLUDED_REASONS: Dict[str, ReasonInfo] = { "Not a regular file", "Excluded because it was not a regular file (device, socket, etc.).", ), + "symlink_component": ReasonInfo( + "Unsafe symlinked path", + "Excluded because a directory in the path was a symlink, which could " + "redirect capture into a sensitive location; Enroll refuses to follow " + "symlinked parents when harvesting files.", + ), "binary_like": ReasonInfo( "Binary-like", "Excluded because it looked like binary content (not useful for config management).", @@ -289,7 +296,7 @@ def explain_state( - a SOPS-encrypted bundle (.sops) """ bundle = _bundle_from_input(harvest, sops_mode=sops_mode) - state = _load_state(bundle.dir) + state = load_state(bundle.dir) host = state.get("host") or {} enroll = state.get("enroll") or {} @@ -383,6 +390,7 @@ def explain_state( for rname in [ "apt_config", "dnf_config", + "sysctl", "etc_custom", "usr_local_custom", "extra_paths", @@ -435,6 +443,7 @@ def explain_state( for rname in [ "apt_config", "dnf_config", + "sysctl", "etc_custom", "usr_local_custom", "extra_paths", diff --git a/enroll/fsutil.py b/enroll/fsutil.py index c852b9e..b4f6c3d 100644 --- a/enroll/fsutil.py +++ b/enroll/fsutil.py @@ -1,10 +1,150 @@ from __future__ import annotations +import errno import hashlib import os +import stat from typing import Tuple +def open_no_follow_path(path: str, *, write: bool = False, mode: int = 0o600) -> int: + """Open ``path`` without following a symlink in *any* path component. + + ``O_NOFOLLOW`` only protects the final component of a path. A regular + file reached through a symlinked *parent* directory (for example a user + replacing ``~/.ssh`` with a link to a sensitive directory) would still be + opened by a plain ``os.open(path, O_NOFOLLOW)``. + + This helper resolves the path one component at a time with ``openat`` + semantics: + + - each intermediate component is opened relative to its parent's + descriptor without following symlinks; + - the final component is opened with ``O_NOFOLLOW`` (read, or + ``O_WRONLY | O_CREAT | O_EXCL`` when ``write`` is True). + + The important detail is that intermediate components are opened with + ``O_PATH | O_NOFOLLOW`` when ``O_PATH`` is available, and then verified + with ``fstat()``. On Linux, ``O_RDONLY | O_DIRECTORY | O_NOFOLLOW`` is not + sufficient for this job: a symlink whose target is a directory can still be + opened as the target directory on some kernels. Opening with ``O_PATH`` and + checking the resulting descriptor reliably exposes such a component as a + symlink instead. + + A symlink (or a ``..`` component) anywhere in the path raises + ``OSError(ELOOP)``. On platforms without ``openat``/``O_DIRECTORY`` + support, this falls back to a single ``O_NOFOLLOW`` open of the whole path, + which is no worse than the historical behaviour. + """ + + cloexec = getattr(os, "O_CLOEXEC", 0) + nofollow = getattr(os, "O_NOFOLLOW", 0) + o_directory = getattr(os, "O_DIRECTORY", 0) + o_path = getattr(os, "O_PATH", 0) + + if write: + final_flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | cloexec | nofollow + else: + final_flags = os.O_RDONLY | cloexec | nofollow + + supports_openat = bool( + o_directory and nofollow and os.open in getattr(os, "supports_dir_fd", set()) + ) + if not supports_openat: + return os.open(path, final_flags, mode) + + absolute = path.startswith("/") + parts = [p for p in path.split("/") if p not in ("", ".")] + if not parts: + return os.open(path, final_flags, mode) + + *parent_parts, leaf = parts + + # Use O_PATH for directory descriptors when available. O_PATH descriptors + # can be used as dir_fd anchors for later openat-style calls, and with + # O_NOFOLLOW they let us fstat() a symlink component instead of silently + # following it. If O_PATH is unavailable, use O_RDONLY and an lstat() + # pre-check for intermediate components as a best-effort fallback. + dir_base_flags = (o_path if o_path else os.O_RDONLY) | cloexec | o_directory + component_flags = ( + (o_path if o_path else os.O_RDONLY) | cloexec | o_directory | nofollow + ) + + dir_fd = os.open("/" if absolute else ".", dir_base_flags) + try: + for component in parent_parts: + if component == "..": + raise OSError(errno.ELOOP, "unsafe '..' path component", path) + + if not o_path: + # Best-effort fallback for platforms without O_PATH. This is not + # as race-resistant as the descriptor-only path, but it avoids + # known symlink parents where we cannot open the component itself + # as a non-followed O_PATH descriptor. + try: + st = os.lstat(component, dir_fd=dir_fd) + except OSError: + raise + if stat.S_ISLNK(st.st_mode): + raise OSError(errno.ELOOP, "symlinked path component", path) + if not stat.S_ISDIR(st.st_mode): + raise OSError(errno.ENOTDIR, "non-directory path component", path) + + try: + next_fd = os.open(component, component_flags, dir_fd=dir_fd) + except OSError as e: + if e.errno in {errno.ELOOP, errno.ENOTDIR}: + try: + st = os.lstat(component, dir_fd=dir_fd) + except OSError: + raise + if stat.S_ISLNK(st.st_mode): + raise OSError( + errno.ELOOP, + "symlinked path component", + path, + ) from e + raise + + try: + st = os.fstat(next_fd) + if stat.S_ISLNK(st.st_mode): + raise OSError(errno.ELOOP, "symlinked path component", path) + if not stat.S_ISDIR(st.st_mode): + raise OSError(errno.ENOTDIR, "non-directory path component", path) + except Exception: + os.close(next_fd) + raise + + os.close(dir_fd) + dir_fd = next_fd + + if leaf == "..": + raise OSError(errno.ELOOP, "unsafe '..' path component", path) + return os.open(leaf, final_flags, mode, dir_fd=dir_fd) + finally: + os.close(dir_fd) + + +def stat_triplet_from_stat(st: os.stat_result) -> Tuple[str, str, str]: + """Return (owner, group, mode) for an existing stat result.""" + + mode = oct(st.st_mode & 0o7777)[2:].zfill(4) + + import grp + import pwd + + try: + owner = pwd.getpwuid(st.st_uid).pw_name + except KeyError: + owner = str(st.st_uid) + try: + group = grp.getgrgid(st.st_gid).gr_name + except KeyError: + group = str(st.st_gid) + return owner, group, mode + + def file_md5(path: str) -> str: """Return hex MD5 of a file. @@ -23,18 +163,4 @@ def stat_triplet(path: str) -> Tuple[str, str, str]: owner/group are usernames/group names when resolvable, otherwise numeric ids. mode is a zero-padded octal string (e.g. "0644"). """ - st = os.stat(path, follow_symlinks=True) - mode = oct(st.st_mode & 0o7777)[2:].zfill(4) - - import grp - import pwd - - try: - owner = pwd.getpwuid(st.st_uid).pw_name - except KeyError: - owner = str(st.st_uid) - try: - group = grp.getgrgid(st.st_gid).gr_name - except KeyError: - group = str(st.st_gid) - return owner, group, mode + return stat_triplet_from_stat(os.stat(path, follow_symlinks=True)) diff --git a/enroll/harvest.py b/enroll/harvest.py index b64862e..43eb002 100644 --- a/enroll/harvest.py +++ b/enroll/harvest.py @@ -1,7 +1,5 @@ from __future__ import annotations -import glob -import json import os import re import shutil @@ -9,230 +7,55 @@ import shlex import stat import subprocess # nosec import time -from dataclasses import dataclass, asdict, field -from typing import Dict, List, Optional, Set, Tuple +from dataclasses import asdict +from typing import Any, Dict, List, Optional, Set, Tuple -from .systemd import ( - list_enabled_services, - list_enabled_timers, - get_unit_info, - get_timer_info, - UnitQueryError, -) +from . import accounts as _accounts +from . import systemd as _systemd from .fsutil import stat_triplet from .platform import detect_platform, get_backend from .ignore import IgnorePolicy -from .pathfilter import PathFilter, expand_includes -from .accounts import collect_non_system_users +from .harvest_safety import ensure_private_empty_dir, prepare_new_private_dir +from .pathfilter import PathFilter from .version import get_enroll_version +from .state import write_state +from .harvest_collectors.context import HarvestContext +from .harvest_types import ( + EtcCustomSnapshot, + ExcludedFile, + FirewallRuntimeSnapshot, + ManagedDir, + ManagedFile, + PackageSnapshot, + ServiceSnapshot, + SysctlSnapshot, +) + +from .capture import capture_file +from . import system_paths +from .package_hints import package_section_from_installations, safe_name + +UnitQueryError = _systemd.UnitQueryError -@dataclass -class ManagedFile: - path: str - src_rel: str - owner: str - group: str - mode: str - reason: str +def list_enabled_services() -> List[str]: + return _systemd.list_enabled_services() -@dataclass -class ManagedLink: - """A symlink we want to materialise on the target host. - - For configuration enablement patterns (e.g. sites-enabled), the symlink is - meaningful state even when the link target is captured elsewhere. - """ - - path: str - target: str - reason: str +def list_enabled_timers() -> List[str]: + return _systemd.list_enabled_timers() -@dataclass -class ManagedDir: - path: str - owner: str - group: str - mode: str - reason: str +def get_unit_info(unit: str) -> Any: + return _systemd.get_unit_info(unit) -@dataclass -class ExcludedFile: - path: str - reason: str +def get_timer_info(timer: str) -> Any: + return _systemd.get_timer_info(timer) -@dataclass -class ServiceSnapshot: - unit: str - role_name: str - packages: List[str] - active_state: Optional[str] - sub_state: Optional[str] - unit_file_state: Optional[str] - condition_result: Optional[str] - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - managed_links: List[ManagedLink] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class PackageSnapshot: - package: str - role_name: str - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - managed_links: List[ManagedLink] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class UsersSnapshot: - role_name: str - users: List[dict] - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class AptConfigSnapshot: - role_name: str - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class DnfConfigSnapshot: - role_name: str - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class EtcCustomSnapshot: - role_name: str - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class UsrLocalCustomSnapshot: - role_name: str - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class ExtraPathsSnapshot: - role_name: str - include_patterns: List[str] = field(default_factory=list) - exclude_patterns: List[str] = field(default_factory=list) - managed_dirs: List[ManagedDir] = field(default_factory=list) - managed_files: List[ManagedFile] = field(default_factory=list) - managed_links: List[ManagedLink] = field(default_factory=list) - excluded: List[ExcludedFile] = field(default_factory=list) - notes: List[str] = field(default_factory=list) - - -@dataclass -class FirewallRuntimeSnapshot: - role_name: str - packages: List[str] = field(default_factory=list) - ipset_save: Optional[str] = None - ipset_sets: List[str] = field(default_factory=list) - iptables_v4_save: Optional[str] = None - iptables_v6_save: Optional[str] = None - notes: List[str] = field(default_factory=list) - - -ALLOWED_UNOWNED_EXTS = { - ".cfg", - ".cnf", - ".conf", - ".ini", - ".json", - ".link", - ".mount", - ".netdev", - ".network", - ".path", - ".rules", - ".service", - ".socket", - ".target", - ".timer", - ".toml", - ".yaml", - ".yml", - "", # allow extensionless (common in /etc/default and /etc/init.d) -} - -MAX_FILES_CAP = 4000 -MAX_UNOWNED_FILES_PER_ROLE = 500 - - -def _files_differ(a: str, b: str, *, max_bytes: int = 2_000_000) -> bool: - """Return True if file `a` differs from file `b`. - - Best-effort and conservative: - - If `b` (baseline) does not exist or is not a regular file, treat as - "different" so we err on the side of capturing user state. - - If we can't stat/read either file, treat as "different" (capture will - later be filtered via IgnorePolicy). - - If files are large, avoid reading them fully. - """ - - try: - st_a = os.stat(a, follow_symlinks=True) - except OSError: - return True - - # Refuse to do content comparisons on non-regular files. - if not stat.S_ISREG(st_a.st_mode): - return True - - try: - st_b = os.stat(b, follow_symlinks=True) - except OSError: - return True - - if not stat.S_ISREG(st_b.st_mode): - return True - - if st_a.st_size != st_b.st_size: - return True - - # If it's unexpectedly big, treat as different to avoid expensive reads. - if st_a.st_size > max_bytes: - return True - - try: - with open(a, "rb") as fa, open(b, "rb") as fb: - while True: - ca = fa.read(1024 * 64) - cb = fb.read(1024 * 64) - if ca != cb: - return True - if not ca: # EOF on both - return False - except OSError: - return True +def collect_non_system_users() -> List[Any]: + return _accounts.collect_non_system_users() def _merge_parent_dirs( @@ -310,614 +133,11 @@ def _merge_parent_dirs( return [by_path[k] for k in sorted(by_path)] -# Directories that are shared across many packages. -# Never attribute all unowned files in these trees -# to one single package. -SHARED_ETC_TOPDIRS = { - "apparmor.d", - "apt", - "cron.d", - "cron.daily", - "cron.weekly", - "cron.monthly", - "cron.hourly", - "default", - "init.d", - "logrotate.d", - "modprobe.d", - "network", - "pam.d", - "ssh", - "ssl", - "sudoers.d", - "sysctl.d", - "systemd", - # RPM-family shared trees - "dnf", - "yum", - "yum.repos.d", - "sysconfig", - "pki", - "firewalld", -} - - -def _safe_name(s: str) -> str: - out: List[str] = [] - for ch in s: - out.append(ch if ch.isalnum() or ch in ("_", "-") else "_") - return "".join(out).replace("-", "_") - - -def _role_id(raw: str) -> str: - # normalise separators first - s = re.sub(r"[^A-Za-z0-9]+", "_", raw) - # split CamelCase -> snake_case - s = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", s) - s = s.lower() - s = re.sub(r"_+", "_", s).strip("_") - if not re.match(r"^[a-z_]", s): - s = "r_" + s - return s - - -def _role_name_from_unit(unit: str) -> str: - base = _role_id(unit.removesuffix(".service")) - return _safe_name(base) - - -def _role_name_from_pkg(pkg: str) -> str: - return _safe_name(pkg) - - -def _copy_into_bundle( - bundle_dir: str, role_name: str, abs_path: str, src_rel: str -) -> None: - dst = os.path.join(bundle_dir, "artifacts", role_name, src_rel) - os.makedirs(os.path.dirname(dst), exist_ok=True) - shutil.copy2(abs_path, dst) - - -def _capture_file( - *, - bundle_dir: str, - role_name: str, - abs_path: str, - reason: str, - policy: IgnorePolicy, - path_filter: PathFilter, - managed_out: List[ManagedFile], - excluded_out: List[ExcludedFile], - seen_role: Optional[Set[str]] = None, - seen_global: Optional[Set[str]] = None, - metadata: Optional[tuple[str, str, str]] = None, -) -> bool: - """Try to capture a single file into the bundle. - - Returns True if the file was copied (managed), False otherwise. - - * seen_role: de-dupe within a role (prevents duplicate tasks/records) - * seen_global: de-dupe across roles/stages (prevents multiple roles copying same path) - * metadata: optional (owner, group, mode) tuple to avoid re-statting - """ - - if seen_global is not None and abs_path in seen_global: - return False - if seen_role is not None and abs_path in seen_role: - return False - - def _mark_seen() -> None: - if seen_role is not None: - seen_role.add(abs_path) - if seen_global is not None: - seen_global.add(abs_path) - - if path_filter.is_excluded(abs_path): - excluded_out.append(ExcludedFile(path=abs_path, reason="user_excluded")) - _mark_seen() - return False - - deny = policy.deny_reason(abs_path) - if deny: - excluded_out.append(ExcludedFile(path=abs_path, reason=deny)) - _mark_seen() - return False - - try: - owner, group, mode = ( - metadata if metadata is not None else stat_triplet(abs_path) - ) - except OSError: - excluded_out.append(ExcludedFile(path=abs_path, reason="unreadable")) - _mark_seen() - return False - - src_rel = abs_path.lstrip("/") - try: - _copy_into_bundle(bundle_dir, role_name, abs_path, src_rel) - except OSError: - excluded_out.append(ExcludedFile(path=abs_path, reason="unreadable")) - _mark_seen() - return False - - managed_out.append( - ManagedFile( - path=abs_path, - src_rel=src_rel, - owner=owner, - group=group, - mode=mode, - reason=reason, - ) - ) - _mark_seen() - return True - - -def _capture_link( - *, - role_name: str, - abs_path: str, - reason: str, - policy: IgnorePolicy, - path_filter: PathFilter, - managed_out: List[ManagedLink], - excluded_out: List[ExcludedFile], - seen_role: Optional[Set[str]] = None, - seen_global: Optional[Set[str]] = None, -) -> bool: - """Try to capture a symlink into the manifest. - - NOTE: Symlinks are *not* copied into artifacts; we record their link target - and materialise them via ansible.builtin.file state=link. - """ - - if seen_global is not None and abs_path in seen_global: - return False - if seen_role is not None and abs_path in seen_role: - return False - - def _mark_seen() -> None: - if seen_role is not None: - seen_role.add(abs_path) - if seen_global is not None: - seen_global.add(abs_path) - - if path_filter.is_excluded(abs_path): - excluded_out.append(ExcludedFile(path=abs_path, reason="user_excluded")) - _mark_seen() - return False - - deny_link = getattr(policy, "deny_reason_link", None) - if callable(deny_link): - deny = deny_link(abs_path) - else: - # Fallback: apply deny_reason() but treat "not_regular_file" as acceptable - # for symlinks. - deny = policy.deny_reason(abs_path) - if deny in ("not_regular_file", "not_file", "not_regular"): - deny = None - - if deny: - excluded_out.append(ExcludedFile(path=abs_path, reason=deny)) - _mark_seen() - return False - - if not os.path.islink(abs_path): - excluded_out.append(ExcludedFile(path=abs_path, reason="not_symlink")) - _mark_seen() - return False - - try: - target = os.readlink(abs_path) - except OSError: - excluded_out.append(ExcludedFile(path=abs_path, reason="unreadable")) - _mark_seen() - return False - - managed_out.append(ManagedLink(path=abs_path, target=target, reason=reason)) - _mark_seen() - return True - - -def _is_confish(path: str) -> bool: - base = os.path.basename(path) - _, ext = os.path.splitext(base) - return ext in ALLOWED_UNOWNED_EXTS - - -def _hint_names(unit: str, pkgs: Set[str]) -> Set[str]: - base = unit.removesuffix(".service") - hints = {base} - if "@" in base: - hints.add(base.split("@", 1)[0]) - hints |= set(pkgs) - hints |= {h.split(".", 1)[0] for h in list(hints) if "." in h} - return {h for h in hints if h} - - -def _add_pkgs_from_etc_topdirs( - hints: Set[str], topdir_to_pkgs: Dict[str, Set[str]], pkgs: Set[str] -) -> None: - """Expand a service's package set using dpkg-owned /etc top-level dirs. - - This is a heuristic: many Debian packages split a service across multiple - packages (e.g. nginx + nginx-common) while sharing a single /etc/ - tree. - - We intentionally *avoid* using shared trees (e.g. /etc/cron.d, /etc/ssl, - /etc/apparmor.d) to expand package sets, because many unrelated packages - legitimately install files there. - - We also consider the common ".d" variant (e.g. hint "apparmor" -> - topdir "apparmor.d") so we can explicitly skip known shared trees. - """ - - for h in hints: - for top in (h, f"{h}.d"): - if top in SHARED_ETC_TOPDIRS: - continue - for p in topdir_to_pkgs.get(top, set()): - pkgs.add(p) - - -def _maybe_add_specific_paths(hints: Set[str], backend) -> List[str]: - # Delegate to backend-specific conventions (e.g. /etc/default on Debian, - # /etc/sysconfig on Fedora/RHEL). Always include sysctl.d. - try: - return backend.specific_paths_for_hints(hints) - except Exception: - # Best-effort fallback (Debian-ish). - paths: List[str] = [] - for h in hints: - paths.extend( - [ - f"/etc/default/{h}", - f"/etc/init.d/{h}", - f"/etc/sysctl.d/{h}.conf", - ] - ) - return paths - - -def _scan_unowned_under_roots( - roots: List[str], - owned_etc: Set[str], - limit: int = MAX_UNOWNED_FILES_PER_ROLE, - *, - confish_only: bool = True, -) -> List[str]: - found: List[str] = [] - for root in roots: - if not os.path.isdir(root): - continue - for dirpath, _, filenames in os.walk(root): - if len(found) >= limit: - return found - for fn in filenames: - if len(found) >= limit: - return found - p = os.path.join(dirpath, fn) - if not p.startswith("/etc/"): - continue - if p in owned_etc: - continue - if not os.path.isfile(p) or os.path.islink(p): - continue - if confish_only and not _is_confish(p): - continue - found.append(p) - return found - - -def _topdirs_for_package(pkg: str, pkg_to_etc_paths: Dict[str, List[str]]) -> Set[str]: - topdirs: Set[str] = set() - for path in pkg_to_etc_paths.get(pkg, []): - parts = path.split("/", 3) - if len(parts) >= 3 and parts[1] == "etc" and parts[2]: - topdirs.add(parts[2]) - return topdirs - - -# ------------------------- -# System capture helpers -# ------------------------- - -_APT_SOURCE_GLOBS = [ - "/etc/apt/sources.list", - "/etc/apt/sources.list.d/*.list", - "/etc/apt/sources.list.d/*.sources", -] - -_APT_MISC_GLOBS = [ - "/etc/apt/apt.conf", - "/etc/apt/apt.conf.d/*", - "/etc/apt/preferences", - "/etc/apt/preferences.d/*", - "/etc/apt/auth.conf", - "/etc/apt/auth.conf.d/*", - "/etc/apt/trusted.gpg", - "/etc/apt/trusted.gpg.d/*", - "/etc/apt/keyrings/*", -] - -_SYSTEM_CAPTURE_GLOBS: List[tuple[str, str]] = [ - # mounts - ("/etc/fstab", "system_mounts"), - ("/etc/crypttab", "system_mounts"), - # sysctl / modules - ("/etc/sysctl.conf", "system_sysctl"), - ("/etc/sysctl.d/*", "system_sysctl"), - ("/etc/modprobe.d/*", "system_modprobe"), - ("/etc/modules", "system_modprobe"), - ("/etc/modules-load.d/*", "system_modprobe"), - # network - ("/etc/netplan/*", "system_network"), - ("/etc/systemd/network/*", "system_network"), - ("/etc/network/interfaces", "system_network"), - ("/etc/network/interfaces.d/*", "system_network"), - ("/etc/resolvconf.conf", "system_network"), - ("/etc/resolvconf/resolv.conf.d/*", "system_network"), - ("/etc/NetworkManager/system-connections/*", "system_network"), - ("/etc/sysconfig/network*", "system_network"), - ("/etc/sysconfig/network-scripts/*", "system_network"), - # firewall - ("/etc/nftables.conf", "system_firewall"), - ("/etc/nftables.d/*", "system_firewall"), - ("/etc/iptables/rules.v4", "system_firewall"), - ("/etc/iptables/rules.v6", "system_firewall"), - ("/etc/sysconfig/iptables", "system_firewall"), - ("/etc/sysconfig/ip6tables", "system_firewall"), - ("/etc/ipset.conf", "system_firewall"), - ("/etc/ipset/*", "system_firewall"), - ("/etc/ipset.d/*", "system_firewall"), - ("/etc/sysconfig/ipset", "system_firewall"), - ("/etc/default/ipset", "system_firewall"), - ("/etc/ufw/*", "system_firewall"), - ("/etc/default/ufw", "system_firewall"), - ("/etc/firewalld/*", "system_firewall"), - ("/etc/firewalld/zones/*", "system_firewall"), - # SELinux - ("/etc/selinux/config", "system_security"), - # other - ("/etc/rc.local", "system_rc"), -] - - -# Persistent firewall files that are treated as authoritative for their -# respective runtime state. If any matching file exists, the runtime capture -# for that family is retained only as static managed-file harvest output and -# not duplicated through the generated firewall_runtime role. -_PERSISTENT_IPTABLES_V4_GLOBS = [ - "/etc/iptables/rules.v4", - "/etc/sysconfig/iptables", -] - -_PERSISTENT_IPTABLES_V6_GLOBS = [ - "/etc/iptables/rules.v6", - "/etc/sysconfig/ip6tables", -] - -_PERSISTENT_IPSET_GLOBS = [ - "/etc/ipset.conf", - "/etc/ipset/*", - "/etc/ipset.d/*", - "/etc/sysconfig/ipset", -] - - -def _persistent_firewall_files(globs: List[str]) -> List[str]: - """Return persistent firewall files matching ``globs``. - - This intentionally uses the same file walking helper as the static system - capture path so the runtime fallback decision matches what Enroll can - harvest as managed files. - """ - seen: Set[str] = set() - out: List[str] = [] - for spec in globs: - for path in _iter_matching_files(spec): - if path in seen: - continue - seen.add(path) - out.append(path) - return sorted(out) - - -def _iter_matching_files(spec: str, *, cap: int = MAX_FILES_CAP) -> List[str]: - """Expand a glob spec and also walk directories to collect files.""" - out: List[str] = [] - for p in glob.glob(spec): - if len(out) >= cap: - break - if os.path.islink(p): - continue - if os.path.isfile(p): - out.append(p) - continue - if os.path.isdir(p): - for dirpath, _, filenames in os.walk(p): - for fn in filenames: - if len(out) >= cap: - break - fp = os.path.join(dirpath, fn) - if os.path.islink(fp) or not os.path.isfile(fp): - continue - out.append(fp) - if len(out) >= cap: - break - return out - - -def _parse_apt_signed_by(source_files: List[str]) -> Set[str]: - """Return absolute keyring paths referenced via signed-by / Signed-By.""" - out: Set[str] = set() - - # deb line: deb [signed-by=/usr/share/keyrings/foo.gpg] ... - re_signed_by = re.compile(r"signed-by\s*=\s*([^\]\s]+)", re.IGNORECASE) - # deb822: Signed-By: /usr/share/keyrings/foo.gpg - re_signed_by_hdr = re.compile(r"^\s*Signed-By\s*:\s*(.+)$", re.IGNORECASE) - - for sf in source_files: - try: - with open(sf, "r", encoding="utf-8", errors="replace") as f: - for raw in f: - line = raw.strip() - if not line or line.startswith("#"): - continue - - m = re_signed_by_hdr.match(line) - if m: - val = m.group(1).strip() - if val.startswith("|"): - continue - toks = re.split(r"[\s,]+", val) - for t in toks: - if t.startswith("/"): - out.add(t) - continue - - # Try bracketed options first (common for .list files) - if "[" in line and "]" in line: - bracket = line.split("[", 1)[1].split("]", 1)[0] - for mm in re_signed_by.finditer(bracket): - val = mm.group(1).strip().strip("\"'") - for t in re.split(r"[\s,]+", val): - if t.startswith("/"): - out.add(t) - continue - - # Fallback: signed-by= in whole line - for mm in re_signed_by.finditer(line): - val = mm.group(1).strip().strip("\"'") - for t in re.split(r"[\s,]+", val): - if t.startswith("/"): - out.add(t) - except OSError: - continue - - return out - - -def _iter_apt_capture_paths() -> List[tuple[str, str]]: - """Return (path, reason) pairs for APT configuration. - - This captures the full /etc/apt tree (subject to IgnorePolicy at copy time), - plus any keyrings referenced via signed-by/Signed-By which may live outside - /etc (e.g. /usr/share/keyrings). - """ - reasons: Dict[str, str] = {} - - # Capture all regular files under /etc/apt (no symlinks). - if os.path.isdir("/etc/apt"): - for dirpath, _, filenames in os.walk("/etc/apt"): - for fn in filenames: - p = os.path.join(dirpath, fn) - if os.path.islink(p) or not os.path.isfile(p): - continue - reasons.setdefault(p, "apt_config") - - # Identify source files explicitly for nicer reasons and keyring discovery. - apt_sources: List[str] = [] - for g in _APT_SOURCE_GLOBS: - apt_sources.extend(_iter_matching_files(g)) - for p in sorted(set(apt_sources)): - reasons[p] = "apt_source" - - # Keyrings in standard locations. - for g in ( - "/etc/apt/trusted.gpg", - "/etc/apt/trusted.gpg.d/*", - "/etc/apt/keyrings/*", - ): - for p in _iter_matching_files(g): - reasons[p] = "apt_keyring" - - # Keyrings referenced by sources (may live outside /etc/apt). - signed_by = _parse_apt_signed_by(sorted(set(apt_sources))) - for p in sorted(signed_by): - if os.path.islink(p) or not os.path.isfile(p): - continue - if p.startswith("/etc/apt/"): - reasons[p] = "apt_keyring" - else: - reasons[p] = "apt_signed_by_keyring" - - # De-dup with stable ordering. - uniq: List[tuple[str, str]] = [] - for p in sorted(reasons.keys()): - uniq.append((p, reasons[p])) - return uniq - - -def _iter_dnf_capture_paths() -> List[tuple[str, str]]: - """Return (path, reason) pairs for DNF/YUM configuration on RPM systems. - - Captures: - - /etc/dnf/* (dnf.conf, vars, plugins, modules, automatic) - - /etc/yum.conf (legacy) - - /etc/yum.repos.d/*.repo - - /etc/pki/rpm-gpg/* (GPG key files) - """ - reasons: Dict[str, str] = {} - - for root, tag in ( - ("/etc/dnf", "dnf_config"), - ("/etc/yum", "yum_config"), - ): - if os.path.isdir(root): - for dirpath, _, filenames in os.walk(root): - for fn in filenames: - p = os.path.join(dirpath, fn) - if os.path.islink(p) or not os.path.isfile(p): - continue - reasons.setdefault(p, tag) - - # Legacy yum.conf. - if os.path.isfile("/etc/yum.conf") and not os.path.islink("/etc/yum.conf"): - reasons.setdefault("/etc/yum.conf", "yum_conf") - - # Repositories. - if os.path.isdir("/etc/yum.repos.d"): - for p in _iter_matching_files("/etc/yum.repos.d/*.repo"): - reasons[p] = "yum_repo" - - # RPM GPG keys. - if os.path.isdir("/etc/pki/rpm-gpg"): - for dirpath, _, filenames in os.walk("/etc/pki/rpm-gpg"): - for fn in filenames: - p = os.path.join(dirpath, fn) - if os.path.islink(p) or not os.path.isfile(p): - continue - reasons.setdefault(p, "rpm_gpg_key") - - # Stable ordering. - return [(p, reasons[p]) for p in sorted(reasons.keys())] - - -def _iter_system_capture_paths() -> List[tuple[str, str]]: - """Return (path, reason) pairs for essential system config/state (non-APT).""" - out: List[tuple[str, str]] = [] - - for spec, reason in _SYSTEM_CAPTURE_GLOBS: - for p in _iter_matching_files(spec): - out.append((p, reason)) - - # De-dup while preserving first reason - seen: Set[str] = set() - uniq: List[tuple[str, str]] = [] - for p, r in out: - if p in seen: - continue - seen.add(p) - uniq.append((p, r)) - return uniq - - _FIREWALL_CAPTURE_COMMANDS: Dict[str, Tuple[str, ...]] = { "ipset_save": ("ipset", "save"), "iptables_v4_save": ("iptables-save",), "iptables_v6_save": ("ip6tables-save",), + "sysctl_all": ("sysctl", "-a"), } @@ -973,6 +193,199 @@ def _write_generated_artifact( f.write(content) +_SYSCTL_KEY_RE = re.compile(r"^[A-Za-z0-9_.-]+$") +_SYSCTL_GENERATED_DEST = "/etc/sysctl.d/99-enroll.conf" +_SYSCTL_GENERATED_SRC_REL = "sysctl/99-enroll.conf" + +# Writable-looking action/identity keys that are poor candidates for persistent +# config. This avoids generating a file that tries to replay one-shot triggers or +# host identity that should be managed elsewhere (e.g. /etc/hostname). +_SYSCTL_VOLATILE_KEYS = { + "fs.binfmt_misc.status", + "kernel.domainname", + "kernel.hostname", + "kernel.kexec_load_disabled", + "kernel.kexec_load_limit_panic", + "kernel.kexec_load_limit_reboot", + "kernel.max_rcu_stall_to_panic", + "kernel.modules_disabled", + "kernel.ns_last_pid", + "net.ipv4.route.flush", + "net.ipv6.route.flush", + "vm.compact_memory", + "vm.drop_caches", + "vm.stat_refresh", +} + +_SYSCTL_VOLATILE_PREFIXES = ( + "fs.binfmt_misc.", + "kernel.sched_domain.", +) + +# These are paired with ratio/byte counterparts. The inactive side appears as 0 +# when read; replaying that 0 through sysctl -p is noisy and can be rejected by +# kernels that enforce minimum values. +_SYSCTL_SKIP_ZERO_VALUE_KEYS = { + "vm.dirty_background_bytes", + "vm.dirty_background_ratio", + "vm.dirty_bytes", + "vm.dirty_ratio", +} + + +def _sysctl_proc_path(key: str) -> str: + return "/proc/sys/" + key.replace(".", "/") + + +def _sysctl_key_is_persistable(key: str) -> tuple[bool, str]: + if not key or not _SYSCTL_KEY_RE.fullmatch(key): + return False, "invalid key" + if key in _SYSCTL_VOLATILE_KEYS or any( + key.startswith(prefix) for prefix in _SYSCTL_VOLATILE_PREFIXES + ): + return False, "volatile/action key" + + proc_path = _sysctl_proc_path(key) + try: + st = os.stat(proc_path) + except OSError: + return False, "no /proc/sys entry" + + if not stat.S_ISREG(st.st_mode): + return False, "not a regular /proc/sys entry" + if (stat.S_IMODE(st.st_mode) & 0o222) == 0: + return False, "read-only /proc/sys entry" + return True, "" + + +def _sysctl_entry_is_persistable(key: str, value: str) -> tuple[bool, str]: + ok, reason = _sysctl_key_is_persistable(key) + if not ok: + return ok, reason + + if key in _SYSCTL_SKIP_ZERO_VALUE_KEYS and str(value).strip() == "0": + return False, "inactive mutually-exclusive zero value" + + return True, "" + + +def _parse_sysctl_a_output( + text: str, + *, + require_persistable: bool = True, +) -> tuple[Dict[str, str], Dict[str, int]]: + """Parse `sysctl -a` output into persistable key/value pairs. + + `sysctl -a` includes read-only, write-only, multiline, action-like, and + host-identity values. Persisting those can create noisy or failing Ansible + runs, so the default parser keeps only single-line writable-looking keys. + """ + + out: Dict[str, str] = {} + skipped: Dict[str, int] = { + "malformed": 0, + "empty_value": 0, + "non_persistable": 0, + "duplicate": 0, + } + + for raw in (text or "").splitlines(): + line = raw.strip() + if not line: + continue + if " = " in line: + key, value = line.split(" = ", 1) + elif "=" in line: + key, value = line.split("=", 1) + else: + skipped["malformed"] += 1 + continue + + key = key.strip() + value = value.strip() + if not key: + skipped["malformed"] += 1 + continue + if value == "": + skipped["empty_value"] += 1 + continue + if key in out: + skipped["duplicate"] += 1 + continue + if require_persistable: + ok, _reason = _sysctl_entry_is_persistable(key, value) + if not ok: + skipped["non_persistable"] += 1 + continue + out[key] = value + + return dict(sorted(out.items())), skipped + + +def _render_sysctl_conf(parameters: Dict[str, str], notes: List[str]) -> str: + lines = [ + "# Generated by Enroll from live sysctl state.", + "# Review before applying broadly; runtime sysctl state can be host/kernel-specific.", + ] + for note in notes: + lines.append(f"# {note}") + lines.append("") + for key, value in sorted((parameters or {}).items()): + safe_value = str(value).replace("\n", " ").strip() + lines.append(f"{key} = {safe_value}") + lines.append("") + return "\n".join(lines) + + +def _collect_sysctl_snapshot(bundle_dir: str) -> SysctlSnapshot: + role_name = "sysctl" + notes: List[str] = [] + managed_files: List[ManagedFile] = [] + + out, err = _run_capture_command("sysctl_all", timeout=20) + if err: + notes.append(err) + return SysctlSnapshot(role_name=role_name, notes=notes) + + parameters, skipped = _parse_sysctl_a_output(out or "") + if not parameters: + notes.append("No persistable live sysctl parameters were detected.") + return SysctlSnapshot(role_name=role_name, parameters=parameters, notes=notes) + + notes.append(f"Captured {len(parameters)} live writable sysctl parameter(s).") + skipped_total = sum(skipped.values()) + if skipped_total: + details = ", ".join(f"{k}={v}" for k, v in sorted(skipped.items()) if v) + notes.append( + "Skipped " + f"{skipped_total} sysctl entr{'y' if skipped_total == 1 else 'ies'} " + f"that were not suitable for persistence ({details})." + ) + + _write_generated_artifact( + bundle_dir, + role_name, + _SYSCTL_GENERATED_SRC_REL, + _render_sysctl_conf(parameters, notes), + ) + managed_files.append( + ManagedFile( + path=_SYSCTL_GENERATED_DEST, + src_rel=_SYSCTL_GENERATED_SRC_REL, + owner="root", + group="root", + mode="0644", + reason="system_sysctl", + ) + ) + return SysctlSnapshot( + role_name=role_name, + managed_files=managed_files, + parameters=parameters, + notes=notes, + ) + + def _ipset_save_has_state(text: str) -> bool: for raw in (text or "").splitlines(): line = raw.strip() @@ -1115,6 +528,7 @@ def harvest( dangerous: bool = False, include_paths: Optional[List[str]] = None, exclude_paths: Optional[List[str]] = None, + allow_existing_output: bool = False, ) -> str: # If a policy is not supplied, build one. `--dangerous` relaxes secret # detection and deny-glob skipping. @@ -1124,12 +538,25 @@ def harvest( # If callers explicitly provided a policy but also requested # dangerous behaviour, honour the CLI intent. policy.dangerous = True - os.makedirs(bundle_dir, exist_ok=True) + bundle_path = ( + ensure_private_empty_dir(bundle_dir, label="harvest output") + if allow_existing_output + else prepare_new_private_dir(bundle_dir, label="harvest output") + ) + bundle_dir = str(bundle_path) # User-provided includes/excludes. Excludes apply to all harvesting; # includes are harvested into an extra role. path_filter = PathFilter(include=include_paths or (), exclude=exclude_paths or ()) + from .harvest_collectors.container_images import ContainerImagesCollector + from .harvest_collectors.cron_logrotate import CronLogrotateCollector + from .harvest_collectors.package_manager import PackageManagerConfigCollector + from .harvest_collectors.paths import ExtraPathsCollector, UsrLocalCustomCollector + from .harvest_collectors.runtime import RuntimeStateCollector + from .harvest_collectors.services import ServicePackageCollector + from .harvest_collectors.users import UsersCollector + if hasattr(os, "geteuid") and os.geteuid() != 0: print( "Warning: not running as root; harvest may miss files or metadata.", @@ -1161,798 +588,87 @@ def harvest( installed_pkgs = backend.installed_packages() or {} installed_names: Set[str] = set(installed_pkgs.keys()) - persistent_ipset_files = _persistent_firewall_files(_PERSISTENT_IPSET_GLOBS) - persistent_iptables_v4_files = _persistent_firewall_files( - _PERSISTENT_IPTABLES_V4_GLOBS + persistent_ipset_files = system_paths.persistent_firewall_files( + system_paths.persistent_ipset_globs() ) - persistent_iptables_v6_files = _persistent_firewall_files( - _PERSISTENT_IPTABLES_V6_GLOBS + persistent_iptables_v4_files = system_paths.persistent_firewall_files( + system_paths.persistent_iptables_v4_globs() + ) + persistent_iptables_v6_files = system_paths.persistent_firewall_files( + system_paths.persistent_iptables_v6_globs() ) - if hasattr(os, "geteuid") and os.geteuid() != 0: - firewall_runtime_snapshot = FirewallRuntimeSnapshot( - role_name="firewall_runtime", - notes=[ - "Live ipset/iptables runtime capture skipped because harvest is not running as root." - ], - ) - else: - firewall_runtime_snapshot = _collect_firewall_runtime_snapshot( - bundle_dir, - persistent_ipset_files=persistent_ipset_files, - persistent_iptables_v4_files=persistent_iptables_v4_files, - persistent_iptables_v6_files=persistent_iptables_v6_files, - ) - - def _pick_installed(cands: List[str]) -> Optional[str]: - for c in cands: - if c in installed_names: - return c - return None - - cron_pkg = _pick_installed( - ["cron", "cronie", "cronie-anacron", "vixie-cron", "fcron"] - ) - logrotate_pkg = _pick_installed(["logrotate"]) - - cron_role_name = "cron" - logrotate_role_name = "logrotate" - - def _is_cron_path(p: str) -> bool: - return ( - p == "/etc/crontab" - or p == "/etc/anacrontab" - or p in ("/etc/cron.allow", "/etc/cron.deny") - or p.startswith("/etc/cron.") - or p.startswith("/etc/cron.d/") - or p.startswith("/etc/anacron/") - or p.startswith("/var/spool/cron/") - or p.startswith("/var/spool/crontabs/") - or p.startswith("/var/spool/anacron/") - ) - - def _is_logrotate_path(p: str) -> bool: - return p == "/etc/logrotate.conf" or p.startswith("/etc/logrotate.d/") - - cron_snapshot: Optional[PackageSnapshot] = None - logrotate_snapshot: Optional[PackageSnapshot] = None - - if cron_pkg: - cron_managed: List[ManagedFile] = [] - cron_excluded: List[ExcludedFile] = [] - cron_notes: List[str] = [] - cron_seen: Set[str] = set() - - cron_globs = [ - "/etc/crontab", - "/etc/cron.d/*", - "/etc/cron.hourly/*", - "/etc/cron.daily/*", - "/etc/cron.weekly/*", - "/etc/cron.monthly/*", - "/etc/cron.allow", - "/etc/cron.deny", - "/etc/anacrontab", - "/etc/anacron/*", - # user crontabs / spool state - "/var/spool/cron/*", - "/var/spool/cron/crontabs/*", - "/var/spool/crontabs/*", - "/var/spool/anacron/*", - ] - for spec in cron_globs: - for path in _iter_matching_files(spec): - if not os.path.isfile(path) or os.path.islink(path): - continue - _capture_file( - bundle_dir=bundle_dir, - role_name=cron_role_name, - abs_path=path, - reason="system_cron", - policy=policy, - path_filter=path_filter, - managed_out=cron_managed, - excluded_out=cron_excluded, - seen_role=cron_seen, - seen_global=captured_global, - ) - - cron_snapshot = PackageSnapshot( - package=cron_pkg, - role_name=cron_role_name, - managed_files=cron_managed, - excluded=cron_excluded, - notes=cron_notes, - ) - - if logrotate_pkg: - lr_managed: List[ManagedFile] = [] - lr_excluded: List[ExcludedFile] = [] - lr_notes: List[str] = [] - lr_seen: Set[str] = set() - - lr_globs = [ - "/etc/logrotate.conf", - "/etc/logrotate.d/*", - ] - for spec in lr_globs: - for path in _iter_matching_files(spec): - if not os.path.isfile(path) or os.path.islink(path): - continue - _capture_file( - bundle_dir=bundle_dir, - role_name=logrotate_role_name, - abs_path=path, - reason="system_logrotate", - policy=policy, - path_filter=path_filter, - managed_out=lr_managed, - excluded_out=lr_excluded, - seen_role=lr_seen, - seen_global=captured_global, - ) - - logrotate_snapshot = PackageSnapshot( - package=logrotate_pkg, - role_name=logrotate_role_name, - managed_files=lr_managed, - excluded=lr_excluded, - notes=lr_notes, - ) - # ------------------------- - # Service roles - # ------------------------- - service_snaps: List[ServiceSnapshot] = [] - # Track alias strings (service names, package names, stems) that should map - # back to the service role for shared snippet attribution (cron.d/logrotate.d). - service_role_aliases: Dict[str, Set[str]] = {} - # De-dupe per-role captures (avoids duplicate tasks in manifest generation). - seen_by_role: Dict[str, Set[str]] = {} - # Managed/excluded lists keyed by role so helper services can attribute shared - # configuration to their parent service role. - managed_by_role: Dict[str, List[ManagedFile]] = {} - excluded_by_role: Dict[str, List[ExcludedFile]] = {} - - enabled_services = list_enabled_services() - - # Avoid role-name collisions with dedicated cron/logrotate package roles. - if cron_snapshot is not None or logrotate_snapshot is not None: - blocked_roles = set() - if cron_snapshot is not None: - blocked_roles.add(cron_role_name) - if logrotate_snapshot is not None: - blocked_roles.add(logrotate_role_name) - enabled_services = [ - u for u in enabled_services if _role_name_from_unit(u) not in blocked_roles - ] - enabled_set = set(enabled_services) - - def _service_sort_key(unit: str) -> tuple[int, str, str]: - # Prefer "parent" services over helpers (e.g. NetworkManager.service before - # NetworkManager-dispatcher.service) so shared config lands in the main role. - base = unit.removesuffix(".service") - base = base.split("@", 1)[0] - return (base.count("-"), base.lower(), unit.lower()) - - def _parent_service_unit(unit: str) -> Optional[str]: - # If unit name contains '-' segments, treat dashed prefixes as potential parents. - # Example: NetworkManager-dispatcher.service -> NetworkManager.service (if enabled). - if not unit.endswith(".service"): - return None - base = unit.removesuffix(".service") - base = base.split("@", 1)[0] - parts = base.split("-") - for i in range(len(parts) - 1, 0, -1): - cand = "-".join(parts[:i]) + ".service" - if cand in enabled_set: - return cand - return None - - parent_unit_for: Dict[str, str] = {} - for u in enabled_services: - pu = _parent_service_unit(u) - if pu: - parent_unit_for[u] = pu - - for unit in sorted(enabled_services, key=_service_sort_key): - role = _role_name_from_unit(unit) - parent_unit = parent_unit_for.get(unit) - parent_role = _role_name_from_unit(parent_unit) if parent_unit else None - - try: - ui = get_unit_info(unit) - except UnitQueryError as e: - # Even when we can't query the unit, keep a minimal alias mapping so - # shared snippets can still be attributed to this role by name. - service_role_aliases.setdefault(role, _hint_names(unit, set()) | {role}) - seen_by_role.setdefault(role, set()) - managed = managed_by_role.setdefault(role, []) - excluded = excluded_by_role.setdefault(role, []) - service_snaps.append( - ServiceSnapshot( - unit=unit, - role_name=role, - packages=[], - active_state=None, - sub_state=None, - unit_file_state=None, - condition_result=None, - managed_files=managed, - excluded=excluded, - notes=[str(e)], - ) - ) - continue - - pkgs: Set[str] = set() - notes: List[str] = [] - excluded = excluded_by_role.setdefault(role, []) - managed = managed_by_role.setdefault(role, []) - candidates: Dict[str, str] = {} - - if ui.fragment_path: - p = backend.owner_of_path(ui.fragment_path) - if p: - pkgs.add(p) - - for exe in ui.exec_paths: - p = backend.owner_of_path(exe) - if p: - pkgs.add(p) - - for pth in ui.dropin_paths: - if pth.startswith("/etc/"): - candidates[pth] = "systemd_dropin" - - for ef in ui.env_files: - ef = ef.lstrip("-") - if any(ch in ef for ch in "*?["): - for g in glob.glob(ef): - if g.startswith("/etc/") and os.path.isfile(g): - candidates[g] = "systemd_envfile" - else: - if ef.startswith("/etc/") and os.path.isfile(ef): - candidates[ef] = "systemd_envfile" - - hints = _hint_names(unit, pkgs) - _add_pkgs_from_etc_topdirs(hints, topdir_to_pkgs, pkgs) - # Keep a stable set of aliases for this service role. Include current - # packages as well, so that package-named snippets (e.g. cron.d or - # logrotate.d entries) can still be attributed back to this service. - service_role_aliases[role] = set(hints) | set(pkgs) | {role} - - for sp in _maybe_add_specific_paths(hints, backend): - if not os.path.exists(sp): - continue - if sp in etc_owner_map: - pkgs.add(etc_owner_map[sp]) - else: - candidates.setdefault(sp, "custom_specific_path") - - for pkg in sorted(pkgs): - etc_paths = pkg_to_etc_paths.get(pkg, []) - for path, reason in backend.modified_paths(pkg, etc_paths).items(): - if not os.path.isfile(path) or os.path.islink(path): - continue - if cron_snapshot is not None and _is_cron_path(path): - continue - if logrotate_snapshot is not None and _is_logrotate_path(path): - continue - if backend.is_pkg_config_path(path): - continue - candidates.setdefault(path, reason) - - # Capture custom/unowned files living under /etc/ for this service. - # - # Historically we only captured "config-ish" files (by extension). That - # misses important runtime-generated artifacts like certificates and - # key material under service directories (e.g. /etc/openvpn/*.crt). - # - # To avoid exploding output for shared trees (e.g. /etc/systemd), keep - # the older "config-ish only" behaviour for known shared topdirs. - any_roots: List[str] = [] - confish_roots: List[str] = [] - for h in hints: - roots_for_h = [f"/etc/{h}", f"/etc/{h}.d"] - if h in SHARED_ETC_TOPDIRS: - confish_roots.extend(roots_for_h) - else: - any_roots.extend(roots_for_h) - - found: List[str] = [] - found.extend( - _scan_unowned_under_roots( - any_roots, - owned_etc, - limit=MAX_UNOWNED_FILES_PER_ROLE, - confish_only=False, - ) - ) - if len(found) < MAX_UNOWNED_FILES_PER_ROLE: - found.extend( - _scan_unowned_under_roots( - confish_roots, - owned_etc, - limit=MAX_UNOWNED_FILES_PER_ROLE - len(found), - confish_only=True, - ) - ) - for pth in found: - candidates.setdefault(pth, "custom_unowned") - - if not pkgs and not candidates: - notes.append( - "No packages or /etc candidates detected (unexpected for enabled service)." - ) - - # De-dupe within this role while capturing. This also avoids emitting - # duplicate Ansible tasks for the same destination path. - # Attribute shared /etc config to the parent service role when this unit looks - # like a helper (e.g. NetworkManager-dispatcher.service -> NetworkManager.service). - for path, reason in sorted(candidates.items()): - dest_role = role - if ( - parent_role - and path.startswith("/etc/") - and reason not in ("systemd_dropin", "systemd_envfile") - ): - dest_role = parent_role - - dest_managed = managed_by_role.setdefault(dest_role, []) - dest_excluded = excluded_by_role.setdefault(dest_role, []) - dest_seen = seen_by_role.setdefault(dest_role, set()) - _capture_file( - bundle_dir=bundle_dir, - role_name=dest_role, - abs_path=path, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=dest_managed, - excluded_out=dest_excluded, - seen_role=dest_seen, - seen_global=captured_global, - ) - - service_snaps.append( - ServiceSnapshot( - unit=unit, - role_name=role, - packages=sorted(pkgs), - active_state=ui.active_state, - sub_state=ui.sub_state, - unit_file_state=ui.unit_file_state, - condition_result=ui.condition_result, - managed_files=managed, - excluded=excluded, - notes=notes, - ) - ) - - # ------------------------- - # Enabled systemd timers - # - # Timers are typically related to a service/package, so we try to attribute - # timer unit overrides to their associated role rather than creating a - # standalone timer role. If we can't attribute a timer, it will fall back - # to etc_custom (if it's a custom /etc unit). - # ------------------------- - timer_extra_by_pkg: Dict[str, List[str]] = {} - try: - enabled_timers = list_enabled_timers() - except Exception: - enabled_timers = [] - - service_snap_by_unit: Dict[str, ServiceSnapshot] = { - s.unit: s for s in service_snaps - } - - for t in sorted(enabled_timers): - try: - ti = get_timer_info(t) - except Exception: # nosec - continue - - timer_paths: List[str] = [] - for pth in [ti.fragment_path, *ti.dropin_paths, *ti.env_files]: - if not pth: - continue - if not pth.startswith("/etc/"): - # Prefer capturing only custom/overridden units. - continue - if os.path.islink(pth) or not os.path.isfile(pth): - continue - timer_paths.append(pth) - - if not timer_paths: - continue - - # Primary attribution: timer -> trigger service role - snap = None - if ti.trigger_unit: - snap = service_snap_by_unit.get(ti.trigger_unit) - - if snap is not None: - role_seen = seen_by_role.setdefault(snap.role_name, set()) - for path in timer_paths: - _capture_file( - bundle_dir=bundle_dir, - role_name=snap.role_name, - abs_path=path, - reason="related_timer", - policy=policy, - path_filter=path_filter, - managed_out=snap.managed_files, - excluded_out=snap.excluded, - seen_role=role_seen, - seen_global=captured_global, - ) - continue - - # Secondary attribution: associate timer overrides with a package role - # (useful when a timer triggers a service that isn't enabled). - pkgs: Set[str] = set() - if ti.fragment_path: - p = backend.owner_of_path(ti.fragment_path) - if p: - pkgs.add(p) - if ti.trigger_unit and ti.trigger_unit.endswith(".service"): - try: - ui = get_unit_info(ti.trigger_unit) - if ui.fragment_path: - p = backend.owner_of_path(ui.fragment_path) - if p: - pkgs.add(p) - for exe in ui.exec_paths: - p = backend.owner_of_path(exe) - if p: - pkgs.add(p) - except Exception: # nosec - pass - - for pkg in pkgs: - timer_extra_by_pkg.setdefault(pkg, []).extend(timer_paths) - - # ------------------------- - # Manually installed package roles - # ------------------------- - manual_pkgs = backend.list_manual_packages() - # Avoid duplicate roles: if a manual package is already managed by any service role, skip its pkg_ role. - covered_by_services: Set[str] = set() - for s in service_snaps: - for p in s.packages: - covered_by_services.add(p) - - manual_pkgs_skipped: List[str] = [] - pkg_snaps: List[PackageSnapshot] = [] - - # Add dedicated cron/logrotate roles (if detected) as package roles. - # These roles centralise all cron/logrotate managed files so they aren't scattered - # across unrelated roles. - if cron_snapshot is not None: - pkg_snaps.append(cron_snapshot) - if logrotate_snapshot is not None: - pkg_snaps.append(logrotate_snapshot) - for pkg in sorted(manual_pkgs): - if cron_snapshot is not None and pkg == cron_pkg: - manual_pkgs_skipped.append(pkg) - continue - if logrotate_snapshot is not None and pkg == logrotate_pkg: - manual_pkgs_skipped.append(pkg) - continue - if pkg in covered_by_services: - manual_pkgs_skipped.append(pkg) - continue - role = _role_name_from_pkg(pkg) - notes: List[str] = [] - excluded: List[ExcludedFile] = [] - managed: List[ManagedFile] = [] - candidates: Dict[str, str] = {} - - for tpath in timer_extra_by_pkg.get(pkg, []): - candidates.setdefault(tpath, "related_timer") - - etc_paths = pkg_to_etc_paths.get(pkg, []) - for path, reason in backend.modified_paths(pkg, etc_paths).items(): - if not os.path.isfile(path) or os.path.islink(path): - continue - if cron_snapshot is not None and _is_cron_path(path): - continue - if logrotate_snapshot is not None and _is_logrotate_path(path): - continue - if backend.is_pkg_config_path(path): - continue - candidates.setdefault(path, reason) - - topdirs = _topdirs_for_package(pkg, pkg_to_etc_paths) - roots: List[str] = [] - # Collect candidate directories plus backend-specific common files. - for td in sorted(topdirs): - if td in SHARED_ETC_TOPDIRS: - continue - if backend.is_pkg_config_path(f"/etc/{td}/") or backend.is_pkg_config_path( - f"/etc/{td}" - ): - continue - roots.extend([f"/etc/{td}", f"/etc/{td}.d"]) - roots.extend(_maybe_add_specific_paths(set(topdirs), backend)) - - # Capture any custom/unowned files under /etc/ for this - # manually-installed package. This may include runtime-generated - # artifacts like certificates, key files, and helper scripts which are - # not owned by any .deb. - for pth in _scan_unowned_under_roots( - [r for r in roots if os.path.isdir(r)], - owned_etc, - confish_only=False, - ): - candidates.setdefault(pth, "custom_unowned") - - for r in roots: - if os.path.isfile(r) and not os.path.islink(r): - if r not in owned_etc and _is_confish(r): - candidates.setdefault(r, "custom_specific_path") - - role_seen = seen_by_role.setdefault(role, set()) - for path, reason in sorted(candidates.items()): - _capture_file( - bundle_dir=bundle_dir, - role_name=role, - abs_path=path, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=managed, - excluded_out=excluded, - seen_role=role_seen, - seen_global=captured_global, - ) - - if not pkg_to_etc_paths.get(pkg, []) and not managed: - notes.append("No /etc files detected for this package.") - - pkg_snaps.append( - PackageSnapshot( - package=pkg, - role_name=role, - managed_files=managed, - managed_links=[], - excluded=excluded, - notes=notes, - ) - ) - - # ------------------------- - # Web server enablement symlinks (nginx/apache2) - # - # Debian-style nginx/apache2 configurations often use *-enabled directories - # populated with symlinks pointing back into *-available. The symlinks - # represent the enablement state and are important to reproduce. - # - # We only harvest these when the relevant service/package has already been - # detected in this run (i.e. we have a role that will manage nginx/apache2). - # ------------------------- - - def _find_role_snapshot(role_name: str): - for s in service_snaps: - if s.role_name == role_name: - return s - for p in pkg_snaps: - if p.role_name == role_name: - return p - return None - - def _capture_enabled_symlinks(role_name: str, dirs: List[str]) -> None: - snap = _find_role_snapshot(role_name) - if snap is None: - return - - role_seen = seen_by_role.setdefault(role_name, set()) - for d in dirs: - if not os.path.isdir(d): - continue - for pth in sorted(glob.glob(os.path.join(d, "*"))): - if not os.path.islink(pth): - continue - _capture_link( - role_name=role_name, - abs_path=pth, - reason="enabled_symlink", - policy=policy, - path_filter=path_filter, - managed_out=snap.managed_links, - excluded_out=snap.excluded, - seen_role=role_seen, - seen_global=captured_global, - ) - - _capture_enabled_symlinks( - "nginx", - [ - "/etc/nginx/modules-enabled", - "/etc/nginx/sites-enabled", - ], - ) - _capture_enabled_symlinks( - "apache2", - [ - "/etc/apache2/conf-enabled", - "/etc/apache2/mods-enabled", - "/etc/apache2/sites-enabled", - ], + context = HarvestContext( + bundle_dir=bundle_dir, + policy=policy, + path_filter=path_filter, + platform=platform, + backend=backend, + installed_pkgs=installed_pkgs, + installed_names=installed_names, + owned_etc=owned_etc, + etc_owner_map=etc_owner_map, + topdir_to_pkgs=topdir_to_pkgs, + pkg_to_etc_paths=pkg_to_etc_paths, + captured_global=captured_global, ) + runtime_collection = RuntimeStateCollector( + context, + persistent_ipset_files=persistent_ipset_files, + persistent_iptables_v4_files=persistent_iptables_v4_files, + persistent_iptables_v6_files=persistent_iptables_v6_files, + ).collect() + firewall_runtime_snapshot = runtime_collection.firewall_runtime_snapshot + sysctl_snapshot = runtime_collection.sysctl_snapshot + + # The generated sysctl role owns /etc/sysctl.d/99-enroll.conf; do not also + # capture an existing file at that path into etc_custom/package roles. + for mf in sysctl_snapshot.managed_files: + captured_global.add(mf.path) + + cron_logrotate_collection = CronLogrotateCollector(context).collect() + cron_pkg = cron_logrotate_collection.cron_pkg + logrotate_pkg = cron_logrotate_collection.logrotate_pkg + cron_snapshot = cron_logrotate_collection.cron_snapshot + logrotate_snapshot = cron_logrotate_collection.logrotate_snapshot + + service_package_collection = ServicePackageCollector( + context, + cron_snapshot=cron_snapshot, + logrotate_snapshot=logrotate_snapshot, + cron_pkg=cron_pkg, + logrotate_pkg=logrotate_pkg, + ).collect() + service_snaps = service_package_collection.service_snaps + pkg_snaps = service_package_collection.pkg_snaps + manual_pkgs = service_package_collection.manual_pkgs + service_role_aliases = service_package_collection.service_role_aliases + seen_by_role = service_package_collection.seen_by_role + # ------------------------- - # Users role (non-system users) + # Users role, Flatpak and Snap state # ------------------------- - users_notes: List[str] = [] - users_excluded: List[ExcludedFile] = [] - users_managed: List[ManagedFile] = [] - users_list: List[dict] = [] + users_collection = UsersCollector(context, seen_by_role).collect() + users_snapshot = users_collection.users_snapshot + flatpak_snapshot = users_collection.flatpak_snapshot + snap_snapshot = users_collection.snap_snapshot - try: - user_records = collect_non_system_users() - except Exception as e: - user_records = [] - users_notes.append(f"Failed to enumerate users: {e!r}") - - users_role_name = "users" - users_role_seen = seen_by_role.setdefault(users_role_name, set()) - - skel_dir = "/etc/skel" - # Dotfiles to harvest for non-system users. For the common "skeleton" - # files, only capture if the user's copy differs from /etc/skel. - skel_dotfiles = [ - (".bashrc", "user_shell_rc"), - (".profile", "user_profile"), - (".bash_logout", "user_shell_logout"), - ] - extra_dotfiles = [ - (".bash_aliases", "user_shell_aliases"), - ] - - for u in user_records: - users_list.append( - { - "name": u.name, - "uid": u.uid, - "gid": u.gid, - "gecos": u.gecos, - "home": u.home, - "shell": u.shell, - "primary_group": u.primary_group, - "supplementary_groups": u.supplementary_groups, - } - ) - - # Copy only safe SSH public material: authorized_keys + *.pub - for sf in u.ssh_files: - reason = ( - "authorized_keys" - if sf.endswith("/authorized_keys") - else "ssh_public_key" - ) - _capture_file( - bundle_dir=bundle_dir, - role_name=users_role_name, - abs_path=sf, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=users_managed, - excluded_out=users_excluded, - seen_role=users_role_seen, - seen_global=captured_global, - ) - - # Capture common per-user shell dotfiles when they differ from /etc/skel. - # These still go through IgnorePolicy and user path filters. - home = (u.home or "").rstrip("/") - if home and home.startswith("/"): - for rel, reason in skel_dotfiles: - upath = os.path.join(home, rel) - if not os.path.exists(upath): - continue - skel_path = os.path.join(skel_dir, rel) - if not _files_differ(upath, skel_path, max_bytes=policy.max_file_bytes): - continue - _capture_file( - bundle_dir=bundle_dir, - role_name=users_role_name, - abs_path=upath, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=users_managed, - excluded_out=users_excluded, - seen_role=users_role_seen, - seen_global=captured_global, - ) - - # Capture other common per-user shell files unconditionally if present. - for rel, reason in extra_dotfiles: - upath = os.path.join(home, rel) - if not os.path.exists(upath): - continue - _capture_file( - bundle_dir=bundle_dir, - role_name=users_role_name, - abs_path=upath, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=users_managed, - excluded_out=users_excluded, - seen_role=users_role_seen, - seen_global=captured_global, - ) - - users_snapshot = UsersSnapshot( - role_name=users_role_name, - users=users_list, - managed_files=users_managed, - excluded=users_excluded, - notes=users_notes, - ) + # ------------------------- + # Container image inventory (Docker/Podman image caches) + # ------------------------- + container_images_snapshot = ContainerImagesCollector(context).collect() # ------------------------- # Package manager config role # - Debian: apt_config # - Fedora/RHEL-like: dnf_config # ------------------------- - apt_notes: List[str] = [] - apt_excluded: List[ExcludedFile] = [] - apt_managed: List[ManagedFile] = [] - dnf_notes: List[str] = [] - dnf_excluded: List[ExcludedFile] = [] - dnf_managed: List[ManagedFile] = [] - - apt_role_name = "apt_config" - dnf_role_name = "dnf_config" - - if backend.name == "dpkg": - apt_role_seen = seen_by_role.setdefault(apt_role_name, set()) - for path, reason in _iter_apt_capture_paths(): - _capture_file( - bundle_dir=bundle_dir, - role_name=apt_role_name, - abs_path=path, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=apt_managed, - excluded_out=apt_excluded, - seen_role=apt_role_seen, - seen_global=captured_global, - ) - elif backend.name == "rpm": - dnf_role_seen = seen_by_role.setdefault(dnf_role_name, set()) - for path, reason in _iter_dnf_capture_paths(): - _capture_file( - bundle_dir=bundle_dir, - role_name=dnf_role_name, - abs_path=path, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=dnf_managed, - excluded_out=dnf_excluded, - seen_role=dnf_role_seen, - seen_global=captured_global, - ) - - apt_config_snapshot = AptConfigSnapshot( - role_name=apt_role_name, - managed_files=apt_managed, - excluded=apt_excluded, - notes=apt_notes, - ) - dnf_config_snapshot = DnfConfigSnapshot( - role_name=dnf_role_name, - managed_files=dnf_managed, - excluded=dnf_excluded, - notes=dnf_notes, - ) + package_manager_config = PackageManagerConfigCollector( + context, seen_by_role + ).collect() + apt_config_snapshot = package_manager_config.apt_config_snapshot + dnf_config_snapshot = package_manager_config.dnf_config_snapshot # ------------------------- # etc_custom role (unowned /etc files not already attributed elsewhere) @@ -1984,7 +700,7 @@ def harvest( alias_ranked: Dict[str, tuple[int, str]] = {} def _add_alias(alias: str, role_name: str, *, priority: int) -> None: - key = _safe_name(alias) + key = safe_name(alias) if not key: return cur = alias_ranked.get(key) @@ -2045,12 +761,12 @@ def harvest( if len(svc_roles) > 1: # Direct role-name matches first. for c in [pkg, *uniq]: - rn = _safe_name(c) + rn = safe_name(c) if rn in svc_roles: return (rn, tag) # Next, use the alias map if it points at one of the roles. for c in [pkg, *uniq]: - hit = alias_ranked.get(_safe_name(c)) + hit = alias_ranked.get(safe_name(c)) if hit is not None and hit[1] in svc_roles: return (hit[1], tag) @@ -2061,7 +777,7 @@ def harvest( return (pkg_role, tag) for c in uniq: - key = _safe_name(c) + key = safe_name(c) hit = alias_ranked.get(key) if hit is not None: return (hit[1], tag) @@ -2080,7 +796,7 @@ def harvest( # Capture essential system config/state (even if package-owned). etc_role_seen = seen_by_role.setdefault(etc_role_name, set()) - for path, reason in _iter_system_capture_paths(): + for path, reason in system_paths.iter_system_capture_paths(): if path in already: continue @@ -2094,7 +810,7 @@ def harvest( managed_out, excluded_out = (etc_managed, etc_excluded) role_seen = etc_role_seen - _capture_file( + capture_file( bundle_dir=bundle_dir, role_name=role_for_copy, abs_path=path, @@ -2120,7 +836,7 @@ def harvest( continue if not os.path.isfile(path) or os.path.islink(path): continue - if not _is_confish(path): + if not system_paths.is_confish(path): continue target = _target_role_for_shared_snippet(path) @@ -2133,7 +849,7 @@ def harvest( managed_out, excluded_out = (etc_managed, etc_excluded) role_seen = etc_role_seen - if _capture_file( + if capture_file( bundle_dir=bundle_dir, role_name=role_for_copy, abs_path=path, @@ -2146,12 +862,12 @@ def harvest( seen_global=captured_global, ): scanned += 1 - if scanned >= MAX_FILES_CAP: + if scanned >= system_paths.MAX_FILES_CAP: etc_notes.append( - f"Reached file cap ({MAX_FILES_CAP}) while scanning /etc for unowned files." + f"Reached file cap ({system_paths.MAX_FILES_CAP}) while scanning /etc for unowned files." ) break - if scanned >= MAX_FILES_CAP: + if scanned >= system_paths.MAX_FILES_CAP: break etc_custom_snapshot = EtcCustomSnapshot( @@ -2162,217 +878,25 @@ def harvest( ) # ------------------------- - # usr_local_custom role (/usr/local/etc + /usr/local/bin scripts) + # usr_local_custom and extra_paths roles # ------------------------- - ul_notes: List[str] = [] - ul_excluded: List[ExcludedFile] = [] - ul_managed: List[ManagedFile] = [] - ul_role_name = "usr_local_custom" - - # Extend the already-captured set with etc_custom. already_all: Set[str] = set(already) for mf in etc_managed: already_all.add(mf.path) - def _scan_usr_local_tree( - root: str, *, require_executable: bool, cap: int, reason: str - ) -> None: - scanned = 0 - if not os.path.isdir(root): - return - role_seen = seen_by_role.setdefault(ul_role_name, set()) - for dirpath, _, filenames in os.walk(root): - for fn in filenames: - path = os.path.join(dirpath, fn) - if path in already_all: - continue - if not os.path.isfile(path) or os.path.islink(path): - continue - try: - owner, group, mode = stat_triplet(path) - except OSError: - ul_excluded.append(ExcludedFile(path=path, reason="unreadable")) - continue + usr_local_custom_snapshot = UsrLocalCustomCollector( + context, + seen_by_role, + already_all, + ).collect() - if require_executable: - try: - if (int(mode, 8) & 0o111) == 0: - continue - except ValueError: - # If mode parsing fails, be conservative and skip. - continue - - if _capture_file( - bundle_dir=bundle_dir, - role_name=ul_role_name, - abs_path=path, - reason=reason, - policy=policy, - path_filter=path_filter, - managed_out=ul_managed, - excluded_out=ul_excluded, - seen_role=role_seen, - seen_global=captured_global, - metadata=(owner, group, mode), - ): - already_all.add(path) - scanned += 1 - if scanned >= cap: - ul_notes.append(f"Reached file cap ({cap}) while scanning {root}.") - return - - # /usr/local/etc: capture all non-binary regular files (filtered by IgnorePolicy) - _scan_usr_local_tree( - "/usr/local/etc", - require_executable=False, - cap=MAX_FILES_CAP, - reason="usr_local_etc_custom", - ) - - # /usr/local/bin: capture executable scripts only (skip non-executable text) - _scan_usr_local_tree( - "/usr/local/bin", - require_executable=True, - cap=MAX_FILES_CAP, - reason="usr_local_bin_script", - ) - - usr_local_custom_snapshot = UsrLocalCustomSnapshot( - role_name=ul_role_name, - managed_files=ul_managed, - excluded=ul_excluded, - notes=ul_notes, - ) - - # ------------------------- - # extra_paths role (user-requested includes) - # ------------------------- - extra_notes: List[str] = [] - extra_excluded: List[ExcludedFile] = [] - extra_managed: List[ManagedFile] = [] - extra_managed_dirs: List[ManagedDir] = [] - extra_dir_seen: Set[str] = set() - - def _walk_and_capture_dirs(root: str) -> None: - root = os.path.normpath(root) - if not root.startswith("/"): - root = "/" + root - if not os.path.isdir(root) or os.path.islink(root): - return - for dirpath, dirnames, _ in os.walk(root, followlinks=False): - if len(extra_managed_dirs) >= MAX_FILES_CAP: - extra_notes.append( - f"Reached directory cap ({MAX_FILES_CAP}) while scanning {root}." - ) - return - dirpath = os.path.normpath(dirpath) - if not dirpath.startswith("/"): - dirpath = "/" + dirpath - if path_filter.is_excluded(dirpath): - # Prune excluded subtrees. - dirnames[:] = [] - continue - if os.path.islink(dirpath) or not os.path.isdir(dirpath): - dirnames[:] = [] - continue - - if dirpath not in extra_dir_seen: - deny = None - deny_dir = getattr(policy, "deny_reason_dir", None) - if callable(deny_dir): - deny = deny_dir(dirpath) - else: - deny = policy.deny_reason(dirpath) - if deny in ("not_regular_file", "not_file", "not_regular"): - deny = None - if not deny: - try: - owner, group, mode = stat_triplet(dirpath) - extra_managed_dirs.append( - ManagedDir( - path=dirpath, - owner=owner, - group=group, - mode=mode, - reason="user_include_dir", - ) - ) - except OSError: - pass - extra_dir_seen.add(dirpath) - - # Prune excluded dirs and symlinks early. - pruned: List[str] = [] - for d in dirnames: - p = os.path.join(dirpath, d) - if os.path.islink(p) or path_filter.is_excluded(p): - continue - pruned.append(d) - dirnames[:] = pruned - - extra_role_name = "extra_paths" - extra_role_seen = seen_by_role.setdefault(extra_role_name, set()) - - include_specs = list(include_paths or []) - exclude_specs = list(exclude_paths or []) - - # If any include pattern points at a directory, capture that directory tree's - # ownership/mode so the manifest can recreate it accurately. - include_pats = path_filter.iter_include_patterns() - for pat in include_pats: - if pat.kind == "prefix": - p = pat.value - if os.path.isdir(p) and not os.path.islink(p): - _walk_and_capture_dirs(p) - elif pat.kind == "glob": - for h in glob.glob(pat.value, recursive=True): - if os.path.isdir(h) and not os.path.islink(h): - _walk_and_capture_dirs(h) - - if include_specs: - extra_notes.append("User include patterns:") - extra_notes.extend([f"- {p}" for p in include_specs]) - if exclude_specs: - extra_notes.append("User exclude patterns:") - extra_notes.extend([f"- {p}" for p in exclude_specs]) - - included_files: List[str] = [] - if include_specs: - files, inc_notes = expand_includes( - path_filter.iter_include_patterns(), - exclude=path_filter, - max_files=MAX_FILES_CAP, - ) - included_files = files - extra_notes.extend(inc_notes) - - for path in included_files: - if path in already_all: - continue - - if _capture_file( - bundle_dir=bundle_dir, - role_name=extra_role_name, - abs_path=path, - reason="user_include", - policy=policy, - path_filter=path_filter, - managed_out=extra_managed, - excluded_out=extra_excluded, - seen_role=extra_role_seen, - seen_global=captured_global, - ): - already_all.add(path) - - extra_paths_snapshot = ExtraPathsSnapshot( - role_name=extra_role_name, - include_patterns=include_specs, - exclude_patterns=exclude_specs, - managed_dirs=extra_managed_dirs, - managed_files=extra_managed, - excluded=extra_excluded, - notes=extra_notes, - ) + extra_paths_snapshot = ExtraPathsCollector( + context, + seen_by_role, + already_all, + include_paths=include_paths, + exclude_paths=exclude_paths, + ).collect() # ------------------------- # Inventory: packages (SBOM-ish) @@ -2406,6 +930,7 @@ def harvest( arches = sorted({i.get("arch") for i in installs if i.get("arch")}) vers = sorted({i.get("version") for i in installs if i.get("version")}) version: Optional[str] = vers[0] if len(vers) == 1 else None + section = package_section_from_installations(installs) observed: List[Dict[str, str]] = [] if pkg in manual_set: @@ -2428,6 +953,7 @@ def harvest( "version": version, "arches": arches, "installations": installs, + "section": section, "observed_via": observed, "roles": roles, } @@ -2500,18 +1026,19 @@ def harvest( }, "roles": { "users": asdict(users_snapshot), + "flatpak": asdict(flatpak_snapshot), + "snap": asdict(snap_snapshot), + "container_images": asdict(container_images_snapshot), "services": [asdict(s) for s in service_snaps], "packages": [asdict(p) for p in pkg_snaps], "apt_config": asdict(apt_config_snapshot), "dnf_config": asdict(dnf_config_snapshot), "firewall_runtime": asdict(firewall_runtime_snapshot), + "sysctl": asdict(sysctl_snapshot), "etc_custom": asdict(etc_custom_snapshot), "usr_local_custom": asdict(usr_local_custom_snapshot), "extra_paths": asdict(extra_paths_snapshot), }, } - state_path = os.path.join(bundle_dir, "state.json") - with open(state_path, "w", encoding="utf-8") as f: - json.dump(state, f, indent=2, sort_keys=True) - return state_path + return str(write_state(bundle_dir, state)) diff --git a/enroll/harvest_collectors/__init__.py b/enroll/harvest_collectors/__init__.py new file mode 100644 index 0000000..dc8925f --- /dev/null +++ b/enroll/harvest_collectors/__init__.py @@ -0,0 +1,38 @@ +"""Harvest collector package exports""" + +from __future__ import annotations + +from importlib import import_module + +from .context import HarvestCollector, HarvestContext + +_COLLECTOR_EXPORTS = { + "CronLogrotateCollection": ".cron_logrotate", + "CronLogrotateCollector": ".cron_logrotate", + "ExtraPathsCollector": ".paths", + "PackageManagerConfigCollection": ".package_manager", + "PackageManagerConfigCollector": ".package_manager", + "RuntimeStateCollection": ".runtime", + "RuntimeStateCollector": ".runtime", + "ServicePackageCollection": ".services", + "ServicePackageCollector": ".services", + "UsersCollection": ".users", + "UsersCollector": ".users", + "UsrLocalCustomCollector": ".paths", +} + +__all__ = [ + "HarvestCollector", + "HarvestContext", + *_COLLECTOR_EXPORTS, +] + + +def __getattr__(name: str): + module_name = _COLLECTOR_EXPORTS.get(name) + if module_name is None: + raise AttributeError(f"module {__name__!r} has no attribute {name!r}") + module = import_module(module_name, __name__) + value = getattr(module, name) + globals()[name] = value + return value diff --git a/enroll/harvest_collectors/container_images.py b/enroll/harvest_collectors/container_images.py new file mode 100644 index 0000000..86129d9 --- /dev/null +++ b/enroll/harvest_collectors/container_images.py @@ -0,0 +1,251 @@ +from __future__ import annotations + +import json +import re +import shutil +import subprocess # nosec B404 +from collections.abc import ( + Iterable, +) # nosec - executes fixed docker/podman command arguments only +from typing import Any, Dict, List, Optional, Sequence, Tuple + +from ..harvest_types import ContainerImagesSnapshot +from .context import HarvestCollector + +_DIGEST_RE = re.compile(r"@sha256:[0-9A-Fa-f]{32,}") +_SHA_ID_RE = re.compile(r"^(?:sha256:)?[0-9A-Fa-f]{64}$") + + +def _normalise_image_id(value: Any) -> Optional[str]: + s = str(value or "").strip() + if not s: + return None + if s.startswith("sha256:"): + return s + if _SHA_ID_RE.match(s): + return "sha256:" + s + return s + + +def _as_string_list(value: Any) -> List[str]: + if not value: + return [] + if isinstance(value, str): + values = [value] + elif isinstance(value, Iterable): + values = list(value) + else: + values = [value] + out: List[str] = [] + for item in values: + s = str(item or "").strip() + if not s or s in {"", ":"}: + continue + if s not in out: + out.append(s) + return out + + +def _pullable_digests(value: Any) -> List[str]: + return [s for s in _as_string_list(value) if _DIGEST_RE.search(s)] + + +def _split_tag_ref(ref: str) -> Optional[Dict[str, str]]: + """Split an image tag into repository/tag, preserving registry ports.""" + + s = str(ref or "").strip() + if not s or "@" in s or s == ":": + return None + last_slash = s.rfind("/") + last_colon = s.rfind(":") + if last_colon > last_slash: + repository = s[:last_colon] + tag = s[last_colon + 1 :] + else: + repository = s + tag = "latest" + if not repository or not tag: + return None + return {"ref": s, "repository": repository, "tag": tag} + + +def _tag_aliases(value: Any) -> List[Dict[str, str]]: + out: List[Dict[str, str]] = [] + seen = set() + for ref in _as_string_list(value): + item = _split_tag_ref(ref) + if not item: + continue + key = (item["repository"], item["tag"]) + if key in seen: + continue + seen.add(key) + out.append(item) + return out + + +def _platform_from_inspect( + item: Dict[str, Any], +) -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]: + os_name = item.get("Os") or item.get("OS") + arch = item.get("Architecture") or item.get("Arch") + variant = item.get("Variant") + os_s = str(os_name).strip() if os_name not in (None, "") else None + arch_s = str(arch).strip() if arch not in (None, "") else None + variant_s = str(variant).strip() if variant not in (None, "") else None + platform = None + if os_s and arch_s: + platform = f"{os_s}/{arch_s}" + if variant_s: + platform = f"{platform}/{variant_s}" + return os_s, arch_s, variant_s, platform + + +def _run_command( + argv: Sequence[str], *, timeout: int = 20 +) -> subprocess.CompletedProcess[str]: + return subprocess.run( # nosec - argv is constructed from fixed binary names and image ids + list(argv), + check=False, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + text=True, + timeout=timeout, + ) + + +def _chunks(items: Sequence[str], size: int) -> Iterable[List[str]]: + for i in range(0, len(items), size): + yield list(items[i : i + size]) + + +class ContainerImagesCollector(HarvestCollector): + """Collect local Docker and Podman image metadata. + + The harvest records pullable registry digests where present. Local image IDs + are kept as evidence but are not treated as pull references. + """ + + def collect(self) -> ContainerImagesSnapshot: + images: List[Dict[str, Any]] = [] + notes: List[str] = [] + + images.extend(self._collect_engine("docker", notes=notes)) + images.extend(self._collect_engine("podman", notes=notes)) + + if images: + digest_count = len([img for img in images if img.get("pull_ref")]) + notes.append( + f"Detected {len(images)} container image(s); {digest_count} have registry digests usable for exact pulls." + ) + + return ContainerImagesSnapshot( + role_name="container_images", + images=images, + notes=notes, + ) + + def _collect_engine(self, engine: str, *, notes: List[str]) -> List[Dict[str, Any]]: + exe = shutil.which(engine) + if not exe: + return [] + + try: + listed = _run_command([exe, "image", "ls", "-q", "--no-trunc"]) + except Exception as exc: + notes.append(f"Failed to list {engine} images: {exc!r}") + return [] + + if listed.returncode != 0: + detail = (listed.stderr or listed.stdout or "").strip() + if detail: + notes.append(f"Failed to list {engine} images: {detail}") + else: + notes.append( + f"Failed to list {engine} images: exit {listed.returncode}" + ) + return [] + + image_ids = [] + seen_ids = set() + for line in listed.stdout.splitlines(): + image_id = _normalise_image_id(line) + if not image_id or image_id in seen_ids: + continue + seen_ids.add(image_id) + image_ids.append(image_id) + + if not image_ids: + return [] + + out: List[Dict[str, Any]] = [] + for chunk in _chunks(image_ids, 40): + try: + inspected = _run_command([exe, "image", "inspect", *chunk]) + except Exception as exc: + notes.append(f"Failed to inspect {engine} images: {exc!r}") + continue + if inspected.returncode != 0: + detail = (inspected.stderr or inspected.stdout or "").strip() + notes.append( + f"Failed to inspect {engine} images {', '.join(chunk[:3])}: {detail or inspected.returncode}" + ) + continue + try: + data = json.loads(inspected.stdout or "[]") + except json.JSONDecodeError as exc: + notes.append(f"Failed to parse {engine} image inspect JSON: {exc}") + continue + if not isinstance(data, list): + notes.append(f"Unexpected {engine} image inspect JSON shape") + continue + for item in data: + if isinstance(item, dict): + normalised = self._normalise_inspect(engine, item) + if normalised is not None: + out.append(normalised) + return out + + def _normalise_inspect( + self, engine: str, item: Dict[str, Any] + ) -> Optional[Dict[str, Any]]: + image_id = _normalise_image_id(item.get("Id") or item.get("ID")) + repo_tags = _as_string_list(item.get("RepoTags")) + repo_digests = _pullable_digests(item.get("RepoDigests")) + pull_ref = sorted(repo_digests)[0] if repo_digests else None + os_name, arch, variant, platform = _platform_from_inspect(item) + + if not image_id and not repo_tags and not repo_digests: + return None + + notes: List[str] = [] + if not pull_ref: + if repo_tags: + notes.append( + "Image has tag(s) but no RepoDigest; exact digest-pinned pull cannot be rendered." + ) + else: + notes.append( + "Image has no tag or RepoDigest; local-only/dangling images cannot be pulled from a registry." + ) + + out: Dict[str, Any] = { + "engine": engine, + "scope": "system", + "user": None, + "home": None, + "image_id": image_id, + "repo_tags": repo_tags, + "repo_digests": repo_digests, + "pull_ref": pull_ref, + "tag_aliases": _tag_aliases(repo_tags), + "os": os_name, + "architecture": arch, + "variant": variant, + "platform": platform, + "size": item.get("Size"), + "created": item.get("Created"), + "source": f"{engine} image inspect", + "notes": notes, + } + return out diff --git a/enroll/harvest_collectors/context.py b/enroll/harvest_collectors/context.py new file mode 100644 index 0000000..7c5b5d9 --- /dev/null +++ b/enroll/harvest_collectors/context.py @@ -0,0 +1,32 @@ +from __future__ import annotations + +from dataclasses import dataclass +from typing import Any, Dict, List, Set + +from ..ignore import IgnorePolicy +from ..pathfilter import PathFilter + + +@dataclass +class HarvestContext: + """Shared context passed to feature collectors.""" + + bundle_dir: str + policy: IgnorePolicy + path_filter: PathFilter + platform: Dict[str, Any] + backend: Any + installed_pkgs: Dict[str, Any] + installed_names: Set[str] + owned_etc: Set[str] + etc_owner_map: Dict[str, str] + topdir_to_pkgs: Dict[str, Set[str]] + pkg_to_etc_paths: Dict[str, List[str]] + captured_global: Set[str] + + +class HarvestCollector: + """Base class for harvest feature collectors.""" + + def __init__(self, context: HarvestContext) -> None: + self.context = context diff --git a/enroll/harvest_collectors/cron_logrotate.py b/enroll/harvest_collectors/cron_logrotate.py new file mode 100644 index 0000000..c40c4a1 --- /dev/null +++ b/enroll/harvest_collectors/cron_logrotate.py @@ -0,0 +1,161 @@ +from __future__ import annotations + +import os +from dataclasses import dataclass +from typing import List, Optional, Set + +from ..capture import capture_file +from ..harvest_types import ExcludedFile, ManagedFile, PackageSnapshot +from ..package_hints import package_section_from_installations +from ..system_paths import iter_matching_files +from .context import HarvestCollector + + +def _pick_installed(installed_names: Set[str], candidates: List[str]) -> Optional[str]: + for candidate in candidates: + if candidate in installed_names: + return candidate + return None + + +def _is_cron_path(path: str) -> bool: + return ( + path == "/etc/crontab" + or path == "/etc/anacrontab" + or path in ("/etc/cron.allow", "/etc/cron.deny") + or path.startswith("/etc/cron.") + or path.startswith("/etc/cron.d/") + or path.startswith("/etc/anacron/") + or path.startswith("/var/spool/cron/") + or path.startswith("/var/spool/crontabs/") + or path.startswith("/var/spool/anacron/") + ) + + +def _is_logrotate_path(path: str) -> bool: + return path == "/etc/logrotate.conf" or path.startswith("/etc/logrotate.d/") + + +_CRON_CAPTURE_GLOBS = [ + "/etc/crontab", + "/etc/cron.d/*", + "/etc/cron.hourly/*", + "/etc/cron.daily/*", + "/etc/cron.weekly/*", + "/etc/cron.monthly/*", + "/etc/cron.allow", + "/etc/cron.deny", + "/etc/anacrontab", + "/etc/anacron/*", + # user crontabs / spool state + "/var/spool/cron/*", + "/var/spool/cron/crontabs/*", + "/var/spool/crontabs/*", + "/var/spool/anacron/*", +] + +_LOGROTATE_CAPTURE_GLOBS = [ + "/etc/logrotate.conf", + "/etc/logrotate.d/*", +] + + +@dataclass +class CronLogrotateCollection: + cron_pkg: Optional[str] + logrotate_pkg: Optional[str] + cron_snapshot: Optional[PackageSnapshot] + logrotate_snapshot: Optional[PackageSnapshot] + + +class CronLogrotateCollector(HarvestCollector): + """Collect dedicated cron/logrotate package roles before general packages.""" + + cron_role_name = "cron" + logrotate_role_name = "logrotate" + + def collect(self) -> CronLogrotateCollection: + cron_pkg = _pick_installed( + self.context.installed_names, + ["cron", "cronie", "cronie-anacron", "vixie-cron", "fcron"], + ) + logrotate_pkg = _pick_installed(self.context.installed_names, ["logrotate"]) + + cron_snapshot = self._collect_cron_snapshot(cron_pkg) if cron_pkg else None + logrotate_snapshot = ( + self._collect_logrotate_snapshot(logrotate_pkg) if logrotate_pkg else None + ) + return CronLogrotateCollection( + cron_pkg=cron_pkg, + logrotate_pkg=logrotate_pkg, + cron_snapshot=cron_snapshot, + logrotate_snapshot=logrotate_snapshot, + ) + + def _collect_cron_snapshot(self, cron_pkg: str) -> PackageSnapshot: + managed: List[ManagedFile] = [] + excluded: List[ExcludedFile] = [] + notes: List[str] = [] + seen: Set[str] = set() + + for spec in _CRON_CAPTURE_GLOBS: + for path in iter_matching_files(spec): + if not os.path.isfile(path) or os.path.islink(path): + continue + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=self.cron_role_name, + abs_path=path, + reason="system_cron", + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=seen, + seen_global=self.context.captured_global, + ) + + return PackageSnapshot( + package=cron_pkg, + role_name=self.cron_role_name, + section=package_section_from_installations( + self.context.installed_pkgs.get(cron_pkg, []) + ), + managed_files=managed, + excluded=excluded, + notes=notes, + ) + + def _collect_logrotate_snapshot(self, logrotate_pkg: str) -> PackageSnapshot: + managed: List[ManagedFile] = [] + excluded: List[ExcludedFile] = [] + notes: List[str] = [] + seen: Set[str] = set() + + for spec in _LOGROTATE_CAPTURE_GLOBS: + for path in iter_matching_files(spec): + if not os.path.isfile(path) or os.path.islink(path): + continue + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=self.logrotate_role_name, + abs_path=path, + reason="system_logrotate", + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=seen, + seen_global=self.context.captured_global, + ) + + return PackageSnapshot( + package=logrotate_pkg, + role_name=self.logrotate_role_name, + section=package_section_from_installations( + self.context.installed_pkgs.get(logrotate_pkg, []) + ), + managed_files=managed, + excluded=excluded, + notes=notes, + ) diff --git a/enroll/harvest_collectors/package_manager.py b/enroll/harvest_collectors/package_manager.py new file mode 100644 index 0000000..0cbeb03 --- /dev/null +++ b/enroll/harvest_collectors/package_manager.py @@ -0,0 +1,87 @@ +from __future__ import annotations + +from dataclasses import dataclass +from typing import Dict, List, Set + +from ..capture import capture_file +from ..harvest_types import ( + AptConfigSnapshot, + DnfConfigSnapshot, + ExcludedFile, + ManagedFile, +) +from ..system_paths import iter_apt_capture_paths, iter_dnf_capture_paths +from .context import HarvestCollector, HarvestContext + + +@dataclass +class PackageManagerConfigCollection: + apt_config_snapshot: AptConfigSnapshot + dnf_config_snapshot: DnfConfigSnapshot + + +class PackageManagerConfigCollector(HarvestCollector): + """Collect package-manager configuration into existing role snapshots.""" + + def __init__( + self, context: HarvestContext, seen_by_role: Dict[str, Set[str]] + ) -> None: + super().__init__(context) + self.seen_by_role = seen_by_role + + def collect(self) -> PackageManagerConfigCollection: + apt_notes: List[str] = [] + apt_excluded: List[ExcludedFile] = [] + apt_managed: List[ManagedFile] = [] + dnf_notes: List[str] = [] + dnf_excluded: List[ExcludedFile] = [] + dnf_managed: List[ManagedFile] = [] + + apt_role_name = "apt_config" + dnf_role_name = "dnf_config" + + if self.context.backend.name == "dpkg": + apt_role_seen = self.seen_by_role.setdefault(apt_role_name, set()) + for path, reason in iter_apt_capture_paths(): + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=apt_role_name, + abs_path=path, + reason=reason, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=apt_managed, + excluded_out=apt_excluded, + seen_role=apt_role_seen, + seen_global=self.context.captured_global, + ) + elif self.context.backend.name == "rpm": + dnf_role_seen = self.seen_by_role.setdefault(dnf_role_name, set()) + for path, reason in iter_dnf_capture_paths(): + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=dnf_role_name, + abs_path=path, + reason=reason, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=dnf_managed, + excluded_out=dnf_excluded, + seen_role=dnf_role_seen, + seen_global=self.context.captured_global, + ) + + return PackageManagerConfigCollection( + apt_config_snapshot=AptConfigSnapshot( + role_name=apt_role_name, + managed_files=apt_managed, + excluded=apt_excluded, + notes=apt_notes, + ), + dnf_config_snapshot=DnfConfigSnapshot( + role_name=dnf_role_name, + managed_files=dnf_managed, + excluded=dnf_excluded, + notes=dnf_notes, + ), + ) diff --git a/enroll/harvest_collectors/paths.py b/enroll/harvest_collectors/paths.py new file mode 100644 index 0000000..eda2d41 --- /dev/null +++ b/enroll/harvest_collectors/paths.py @@ -0,0 +1,286 @@ +from __future__ import annotations + +import glob +import os +from typing import Dict, List, Optional, Set + +from .. import harvest as h +from ..capture import capture_file, capture_link +from ..harvest_types import ( + ExcludedFile, + ExtraPathsSnapshot, + ManagedDir, + ManagedFile, + ManagedLink, + UsrLocalCustomSnapshot, +) +from ..system_paths import MAX_FILES_CAP +from ..pathfilter import expand_includes +from .context import HarvestCollector, HarvestContext + + +class UsrLocalCustomCollector(HarvestCollector): + """Collect selected /usr/local state into the usr_local_custom role.""" + + role_name = "usr_local_custom" + + def __init__( + self, + context: HarvestContext, + seen_by_role: Dict[str, Set[str]], + already_all: Set[str], + ) -> None: + super().__init__(context) + self.seen_by_role = seen_by_role + self.already_all = already_all + self.notes: List[str] = [] + self.excluded: List[ExcludedFile] = [] + self.managed: List[ManagedFile] = [] + + def collect(self) -> UsrLocalCustomSnapshot: + self._scan_tree( + "/usr/local/etc", + require_executable=False, + cap=MAX_FILES_CAP, + reason="usr_local_etc_custom", + ) + self._scan_tree( + "/usr/local/bin", + require_executable=True, + cap=MAX_FILES_CAP, + reason="usr_local_bin_script", + ) + return UsrLocalCustomSnapshot( + role_name=self.role_name, + managed_files=self.managed, + excluded=self.excluded, + notes=self.notes, + ) + + def _scan_tree( + self, + root: str, + *, + require_executable: bool, + cap: int, + reason: str, + ) -> None: + scanned = 0 + if not os.path.isdir(root): + return + role_seen = self.seen_by_role.setdefault(self.role_name, set()) + for dirpath, _, filenames in os.walk(root): + for filename in filenames: + path = os.path.join(dirpath, filename) + if path in self.already_all: + continue + if not os.path.isfile(path) or os.path.islink(path): + continue + try: + owner, group, mode = h.stat_triplet(path) + except OSError: + self.excluded.append(ExcludedFile(path=path, reason="unreadable")) + continue + + if require_executable: + try: + if (int(mode, 8) & 0o111) == 0: + continue + except ValueError: + continue + + if capture_file( + bundle_dir=self.context.bundle_dir, + role_name=self.role_name, + abs_path=path, + reason=reason, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=self.managed, + excluded_out=self.excluded, + seen_role=role_seen, + seen_global=self.context.captured_global, + metadata=(owner, group, mode), + ): + self.already_all.add(path) + scanned += 1 + if scanned >= cap: + self.notes.append( + f"Reached file cap ({cap}) while scanning {root}." + ) + return + + +class ExtraPathsCollector(HarvestCollector): + """Collect user-requested include/exclude paths into extra_paths.""" + + role_name = "extra_paths" + + def __init__( + self, + context: HarvestContext, + seen_by_role: Dict[str, Set[str]], + already_all: Set[str], + *, + include_paths: Optional[List[str]] = None, + exclude_paths: Optional[List[str]] = None, + ) -> None: + super().__init__(context) + self.seen_by_role = seen_by_role + self.already_all = already_all + self.include_specs = list(include_paths or []) + self.exclude_specs = list(exclude_paths or []) + self.notes: List[str] = [] + self.excluded: List[ExcludedFile] = [] + self.managed: List[ManagedFile] = [] + self.managed_links: List[ManagedLink] = [] + self.managed_dirs: List[ManagedDir] = [] + self.dir_seen: Set[str] = set() + + def collect(self) -> ExtraPathsSnapshot: + self._collect_included_dirs() + if self.include_specs: + self.notes.append("User include patterns:") + self.notes.extend([f"- {p}" for p in self.include_specs]) + if self.exclude_specs: + self.notes.append("User exclude patterns:") + self.notes.extend([f"- {p}" for p in self.exclude_specs]) + + included_files: List[str] = [] + if self.include_specs: + files, inc_notes = expand_includes( + self.context.path_filter.iter_include_patterns(), + exclude=self.context.path_filter, + max_files=MAX_FILES_CAP, + ) + included_files = files + self.notes.extend(inc_notes) + + role_seen = self.seen_by_role.setdefault(self.role_name, set()) + for path in included_files: + if path in self.already_all: + continue + if capture_file( + bundle_dir=self.context.bundle_dir, + role_name=self.role_name, + abs_path=path, + reason="user_include", + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=self.managed, + excluded_out=self.excluded, + seen_role=role_seen, + seen_global=self.context.captured_global, + ): + self.already_all.add(path) + + return ExtraPathsSnapshot( + role_name=self.role_name, + include_patterns=self.include_specs, + exclude_patterns=self.exclude_specs, + managed_dirs=self.managed_dirs, + managed_files=self.managed, + managed_links=self.managed_links, + excluded=self.excluded, + notes=self.notes, + ) + + def _collect_included_dirs(self) -> None: + role_seen = self.seen_by_role.setdefault(self.role_name, set()) + for pat in self.context.path_filter.iter_include_patterns(): + if pat.kind == "prefix": + path = pat.value + if os.path.islink(path): + self._capture_included_link(path, role_seen) + elif os.path.isdir(path): + self._walk_and_capture_dirs(path, role_seen) + elif pat.kind == "glob": + for hit in glob.glob(pat.value, recursive=True): + if os.path.islink(hit): + self._capture_included_link(hit, role_seen) + elif os.path.isdir(hit): + self._walk_and_capture_dirs(hit, role_seen) + + def _capture_included_link(self, path: str, role_seen: Set[str]) -> None: + path = os.path.normpath(path) + if not path.startswith("/"): + path = "/" + path + if path in self.already_all: + return + if capture_link( + role_name=self.role_name, + abs_path=path, + reason="user_include_link", + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=self.managed_links, + excluded_out=self.excluded, + seen_role=role_seen, + seen_global=self.context.captured_global, + ): + self.already_all.add(path) + + def _walk_and_capture_dirs(self, root: str, role_seen: Set[str]) -> None: + root = os.path.normpath(root) + if not root.startswith("/"): + root = "/" + root + if not os.path.isdir(root) or os.path.islink(root): + return + for dirpath, dirnames, filenames in os.walk(root, followlinks=False): + if len(self.managed_dirs) >= MAX_FILES_CAP: + self.notes.append( + f"Reached directory cap ({MAX_FILES_CAP}) while scanning {root}." + ) + return + dirpath = os.path.normpath(dirpath) + if not dirpath.startswith("/"): + dirpath = "/" + dirpath + if self.context.path_filter.is_excluded(dirpath): + dirnames[:] = [] + continue + if os.path.islink(dirpath) or not os.path.isdir(dirpath): + dirnames[:] = [] + continue + + if dirpath not in self.dir_seen: + deny = None + deny_dir = getattr(self.context.policy, "deny_reason_dir", None) + if callable(deny_dir): + deny = deny_dir(dirpath) + else: + deny = self.context.policy.deny_reason(dirpath) + if deny in ("not_regular_file", "not_file", "not_regular"): + deny = None + if not deny: + try: + owner, group, mode = h.stat_triplet(dirpath) + self.managed_dirs.append( + ManagedDir( + path=dirpath, + owner=owner, + group=group, + mode=mode, + reason="user_include_dir", + ) + ) + except OSError: + pass + self.dir_seen.add(dirpath) + + pruned: List[str] = [] + for dirname in dirnames: + path = os.path.join(dirpath, dirname) + if self.context.path_filter.is_excluded(path): + continue + if os.path.islink(path): + self._capture_included_link(path, role_seen) + continue + pruned.append(dirname) + dirnames[:] = pruned + + for filename in filenames: + path = os.path.join(dirpath, filename) + if self.context.path_filter.is_excluded(path): + continue + if os.path.islink(path): + self._capture_included_link(path, role_seen) diff --git a/enroll/harvest_collectors/runtime.py b/enroll/harvest_collectors/runtime.py new file mode 100644 index 0000000..c16f9da --- /dev/null +++ b/enroll/harvest_collectors/runtime.py @@ -0,0 +1,64 @@ +from __future__ import annotations + +import os +from dataclasses import dataclass +from typing import List, Optional + +from .. import harvest as h +from ..harvest_types import FirewallRuntimeSnapshot, SysctlSnapshot +from .context import HarvestCollector, HarvestContext + + +@dataclass +class RuntimeStateCollection: + firewall_runtime_snapshot: FirewallRuntimeSnapshot + sysctl_snapshot: SysctlSnapshot + + +class RuntimeStateCollector(HarvestCollector): + """Collect root-only live runtime state that has generated roles.""" + + def __init__( + self, + context: HarvestContext, + *, + persistent_ipset_files: Optional[List[str]] = None, + persistent_iptables_v4_files: Optional[List[str]] = None, + persistent_iptables_v6_files: Optional[List[str]] = None, + ) -> None: + super().__init__(context) + self.persistent_ipset_files = persistent_ipset_files or [] + self.persistent_iptables_v4_files = persistent_iptables_v4_files or [] + self.persistent_iptables_v6_files = persistent_iptables_v6_files or [] + + def collect(self) -> RuntimeStateCollection: + running_as_root = not hasattr(os, "geteuid") or os.geteuid() == 0 + if not running_as_root: + return RuntimeStateCollection( + firewall_runtime_snapshot=FirewallRuntimeSnapshot( + role_name="firewall_runtime", + notes=[ + "Live ipset/iptables runtime capture skipped because harvest " + "is not running as root." + ], + ), + sysctl_snapshot=SysctlSnapshot( + role_name="sysctl", + notes=[ + "Live sysctl runtime capture skipped because harvest is not " + "running as root." + ], + ), + ) + + firewall_runtime_snapshot = h._collect_firewall_runtime_snapshot( + self.context.bundle_dir, + persistent_ipset_files=self.persistent_ipset_files, + persistent_iptables_v4_files=self.persistent_iptables_v4_files, + persistent_iptables_v6_files=self.persistent_iptables_v6_files, + ) + sysctl_snapshot = h._collect_sysctl_snapshot(self.context.bundle_dir) + return RuntimeStateCollection( + firewall_runtime_snapshot=firewall_runtime_snapshot, + sysctl_snapshot=sysctl_snapshot, + ) diff --git a/enroll/harvest_collectors/services.py b/enroll/harvest_collectors/services.py new file mode 100644 index 0000000..2b087df --- /dev/null +++ b/enroll/harvest_collectors/services.py @@ -0,0 +1,541 @@ +from __future__ import annotations + +import glob +import os +from dataclasses import dataclass +from typing import Dict, List, Optional, Set + +from .. import harvest as h +from ..capture import capture_file, capture_link +from ..harvest_types import ExcludedFile, ManagedFile, PackageSnapshot, ServiceSnapshot +from ..package_hints import ( + SHARED_ETC_TOPDIRS, + add_pkgs_from_etc_topdirs, + hint_names, + maybe_add_specific_paths, + package_section_from_installations, + role_name_from_pkg, + role_name_from_unit, +) +from ..system_paths import ( + MAX_UNOWNED_FILES_PER_ROLE, + is_confish, + scan_unowned_under_roots, + topdirs_for_package, +) +from ..systemd import UnitQueryError +from .context import HarvestCollector, HarvestContext +from .cron_logrotate import CronLogrotateCollector, _is_cron_path, _is_logrotate_path + + +@dataclass +class ServicePackageCollection: + service_snaps: List[ServiceSnapshot] + pkg_snaps: List[PackageSnapshot] + manual_pkgs: List[str] + simple_packages: List[str] + manual_pkgs_skipped: List[str] + service_role_aliases: Dict[str, Set[str]] + seen_by_role: Dict[str, Set[str]] + + +class ServicePackageCollector(HarvestCollector): + """Collect service-attributed and manually-installed package snapshots.""" + + def __init__( + self, + context: HarvestContext, + *, + cron_snapshot: Optional[PackageSnapshot] = None, + logrotate_snapshot: Optional[PackageSnapshot] = None, + cron_pkg: Optional[str] = None, + logrotate_pkg: Optional[str] = None, + ) -> None: + super().__init__(context) + self.cron_snapshot = cron_snapshot + self.logrotate_snapshot = logrotate_snapshot + self.cron_pkg = cron_pkg + self.logrotate_pkg = logrotate_pkg + self.service_role_aliases: Dict[str, Set[str]] = {} + self.seen_by_role: Dict[str, Set[str]] = {} + self.managed_by_role: Dict[str, List[ManagedFile]] = {} + self.excluded_by_role: Dict[str, List[ExcludedFile]] = {} + + def collect(self) -> ServicePackageCollection: + service_snaps, timer_extra_by_pkg = self._collect_service_snapshots() + pkg_snaps, manual_pkgs, simple_packages, manual_pkgs_skipped = ( + self._collect_package_snapshots( + service_snaps, + timer_extra_by_pkg, + ) + ) + self._capture_common_enabled_symlinks(service_snaps, pkg_snaps) + return ServicePackageCollection( + service_snaps=service_snaps, + pkg_snaps=pkg_snaps, + manual_pkgs=manual_pkgs, + simple_packages=simple_packages, + manual_pkgs_skipped=manual_pkgs_skipped, + service_role_aliases=self.service_role_aliases, + seen_by_role=self.seen_by_role, + ) + + def _collect_service_snapshots( + self, + ) -> tuple[List[ServiceSnapshot], Dict[str, List[str]]]: + backend = self.context.backend + service_snaps: List[ServiceSnapshot] = [] + + enabled_services = h.list_enabled_services() + if self.cron_snapshot is not None or self.logrotate_snapshot is not None: + blocked_roles = set() + if self.cron_snapshot is not None: + blocked_roles.add(CronLogrotateCollector.cron_role_name) + if self.logrotate_snapshot is not None: + blocked_roles.add(CronLogrotateCollector.logrotate_role_name) + enabled_services = [ + u + for u in enabled_services + if role_name_from_unit(u) not in blocked_roles + ] + enabled_set = set(enabled_services) + + def service_sort_key(unit: str) -> tuple[int, str, str]: + base = unit.removesuffix(".service") + base = base.split("@", 1)[0] + return (base.count("-"), base.lower(), unit.lower()) + + def parent_service_unit(unit: str) -> Optional[str]: + if not unit.endswith(".service"): + return None + base = unit.removesuffix(".service") + base = base.split("@", 1)[0] + parts = base.split("-") + for i in range(len(parts) - 1, 0, -1): + cand = "-".join(parts[:i]) + ".service" + if cand in enabled_set: + return cand + return None + + parent_unit_for = { + u: pu for u in enabled_services if (pu := parent_service_unit(u)) + } + + for unit in sorted(enabled_services, key=service_sort_key): + role = role_name_from_unit(unit) + parent_unit = parent_unit_for.get(unit) + parent_role = role_name_from_unit(parent_unit) if parent_unit else None + + try: + ui = h.get_unit_info(unit) + except UnitQueryError as e: + self.service_role_aliases.setdefault( + role, hint_names(unit, set()) | {role} + ) + self.seen_by_role.setdefault(role, set()) + managed = self.managed_by_role.setdefault(role, []) + excluded = self.excluded_by_role.setdefault(role, []) + service_snaps.append( + ServiceSnapshot( + unit=unit, + role_name=role, + packages=[], + active_state=None, + sub_state=None, + unit_file_state=None, + condition_result=None, + managed_files=managed, + excluded=excluded, + notes=[str(e)], + ) + ) + continue + + pkgs: Set[str] = set() + notes: List[str] = [] + excluded = self.excluded_by_role.setdefault(role, []) + managed = self.managed_by_role.setdefault(role, []) + candidates: Dict[str, str] = {} + + if ui.fragment_path: + p = backend.owner_of_path(ui.fragment_path) + if p: + pkgs.add(p) + + for exe in ui.exec_paths: + p = backend.owner_of_path(exe) + if p: + pkgs.add(p) + + for pth in ui.dropin_paths: + if pth.startswith("/etc/"): + candidates[pth] = "systemd_dropin" + + for env_file in ui.env_files: + env_file = env_file.lstrip("-") + if any(ch in env_file for ch in "*?["): + for g in glob.glob(env_file): + if g.startswith("/etc/") and os.path.isfile(g): + candidates[g] = "systemd_envfile" + elif env_file.startswith("/etc/") and os.path.isfile(env_file): + candidates[env_file] = "systemd_envfile" + + hints = hint_names(unit, pkgs) + add_pkgs_from_etc_topdirs(hints, self.context.topdir_to_pkgs, pkgs) + self.service_role_aliases[role] = set(hints) | set(pkgs) | {role} + + for sp in maybe_add_specific_paths(hints, backend): + if not os.path.exists(sp): + continue + if sp in self.context.etc_owner_map: + pkgs.add(self.context.etc_owner_map[sp]) + else: + candidates.setdefault(sp, "custom_specific_path") + + for pkg in sorted(pkgs): + etc_paths = self.context.pkg_to_etc_paths.get(pkg, []) + for path, reason in backend.modified_paths(pkg, etc_paths).items(): + if not os.path.isfile(path) or os.path.islink(path): + continue + if self.cron_snapshot is not None and _is_cron_path(path): + continue + if self.logrotate_snapshot is not None and _is_logrotate_path(path): + continue + if backend.is_pkg_config_path(path): + continue + candidates.setdefault(path, reason) + + any_roots: List[str] = [] + confish_roots: List[str] = [] + for hint in hints: + roots_for_hint = [f"/etc/{hint}", f"/etc/{hint}.d"] + if hint in SHARED_ETC_TOPDIRS: + confish_roots.extend(roots_for_hint) + else: + any_roots.extend(roots_for_hint) + + found: List[str] = [] + found.extend( + scan_unowned_under_roots( + any_roots, + self.context.owned_etc, + limit=MAX_UNOWNED_FILES_PER_ROLE, + confish_only=False, + ) + ) + if len(found) < MAX_UNOWNED_FILES_PER_ROLE: + found.extend( + scan_unowned_under_roots( + confish_roots, + self.context.owned_etc, + limit=MAX_UNOWNED_FILES_PER_ROLE - len(found), + confish_only=True, + ) + ) + for pth in found: + candidates.setdefault(pth, "custom_unowned") + + if not pkgs and not candidates: + notes.append( + "No packages or /etc candidates detected (unexpected for enabled service)." + ) + + for path, reason in sorted(candidates.items()): + dest_role = role + if ( + parent_role + and path.startswith("/etc/") + and reason not in ("systemd_dropin", "systemd_envfile") + ): + dest_role = parent_role + + dest_managed = self.managed_by_role.setdefault(dest_role, []) + dest_excluded = self.excluded_by_role.setdefault(dest_role, []) + dest_seen = self.seen_by_role.setdefault(dest_role, set()) + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=dest_role, + abs_path=path, + reason=reason, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=dest_managed, + excluded_out=dest_excluded, + seen_role=dest_seen, + seen_global=self.context.captured_global, + ) + + service_snaps.append( + ServiceSnapshot( + unit=unit, + role_name=role, + packages=sorted(pkgs), + active_state=ui.active_state, + sub_state=ui.sub_state, + unit_file_state=ui.unit_file_state, + condition_result=ui.condition_result, + managed_files=managed, + excluded=excluded, + notes=notes, + ) + ) + + timer_extra_by_pkg = self._collect_timer_overrides(service_snaps) + return service_snaps, timer_extra_by_pkg + + def _collect_timer_overrides( + self, + service_snaps: List[ServiceSnapshot], + ) -> Dict[str, List[str]]: + backend = self.context.backend + timer_extra_by_pkg: Dict[str, List[str]] = {} + try: + enabled_timers = h.list_enabled_timers() + except Exception: + enabled_timers = [] + + service_snap_by_unit = {s.unit: s for s in service_snaps} + + for timer in sorted(enabled_timers): + try: + ti = h.get_timer_info(timer) + except Exception: # nosec + continue + + timer_paths: List[str] = [] + for pth in [ti.fragment_path, *ti.dropin_paths, *ti.env_files]: + if not pth: + continue + if not pth.startswith("/etc/"): + continue + if os.path.islink(pth) or not os.path.isfile(pth): + continue + timer_paths.append(pth) + + if not timer_paths: + continue + + snap = ( + service_snap_by_unit.get(ti.trigger_unit) if ti.trigger_unit else None + ) + if snap is not None: + role_seen = self.seen_by_role.setdefault(snap.role_name, set()) + for path in timer_paths: + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=snap.role_name, + abs_path=path, + reason="related_timer", + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=snap.managed_files, + excluded_out=snap.excluded, + seen_role=role_seen, + seen_global=self.context.captured_global, + ) + continue + + pkgs: Set[str] = set() + if ti.fragment_path: + p = backend.owner_of_path(ti.fragment_path) + if p: + pkgs.add(p) + if ti.trigger_unit and ti.trigger_unit.endswith(".service"): + try: + ui = h.get_unit_info(ti.trigger_unit) + if ui.fragment_path: + p = backend.owner_of_path(ui.fragment_path) + if p: + pkgs.add(p) + for exe in ui.exec_paths: + p = backend.owner_of_path(exe) + if p: + pkgs.add(p) + except Exception: # nosec + pass + + for pkg in pkgs: + timer_extra_by_pkg.setdefault(pkg, []).extend(timer_paths) + + return timer_extra_by_pkg + + def _collect_package_snapshots( + self, + service_snaps: List[ServiceSnapshot], + timer_extra_by_pkg: Dict[str, List[str]], + ) -> tuple[List[PackageSnapshot], List[str], List[str], List[str]]: + backend = self.context.backend + manual_pkgs = backend.list_manual_packages() + covered_by_services: Set[str] = set() + for snap in service_snaps: + covered_by_services.update(snap.packages) + + manual_pkgs_skipped: List[str] = [] + pkg_snaps: List[PackageSnapshot] = [] + simple_packages: List[str] = [] + + if self.cron_snapshot is not None: + pkg_snaps.append(self.cron_snapshot) + if self.logrotate_snapshot is not None: + pkg_snaps.append(self.logrotate_snapshot) + + for pkg in sorted(manual_pkgs): + if pkg in covered_by_services: + manual_pkgs_skipped.append(pkg) + continue + if self.cron_snapshot is not None and pkg == self.cron_pkg: + manual_pkgs_skipped.append(pkg) + continue + if self.logrotate_snapshot is not None and pkg == self.logrotate_pkg: + manual_pkgs_skipped.append(pkg) + continue + + role = role_name_from_pkg(pkg) + notes: List[str] = [] + excluded: List[ExcludedFile] = [] + managed: List[ManagedFile] = [] + candidates: Dict[str, str] = {} + + for tpath in timer_extra_by_pkg.get(pkg, []): + candidates.setdefault(tpath, "related_timer") + + etc_paths = self.context.pkg_to_etc_paths.get(pkg, []) + for path, reason in backend.modified_paths(pkg, etc_paths).items(): + if not os.path.isfile(path) or os.path.islink(path): + continue + if self.cron_snapshot is not None and _is_cron_path(path): + continue + if self.logrotate_snapshot is not None and _is_logrotate_path(path): + continue + if backend.is_pkg_config_path(path): + continue + candidates.setdefault(path, reason) + + topdirs = topdirs_for_package(pkg, self.context.pkg_to_etc_paths) + roots: List[str] = [] + for topdir in sorted(topdirs): + if topdir in SHARED_ETC_TOPDIRS: + continue + if backend.is_pkg_config_path( + f"/etc/{topdir}/" + ) or backend.is_pkg_config_path(f"/etc/{topdir}"): + continue + roots.extend([f"/etc/{topdir}", f"/etc/{topdir}.d"]) + roots.extend(maybe_add_specific_paths(set(topdirs), backend)) + + for pth in scan_unowned_under_roots( + [r for r in roots if os.path.isdir(r)], + self.context.owned_etc, + confish_only=False, + ): + candidates.setdefault(pth, "custom_unowned") + + for root in roots: + if os.path.isfile(root) and not os.path.islink(root): + if root not in self.context.owned_etc and is_confish(root): + candidates.setdefault(root, "custom_specific_path") + + role_seen = self.seen_by_role.setdefault(role, set()) + for path, reason in sorted(candidates.items()): + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=role, + abs_path=path, + reason=reason, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=role_seen, + seen_global=self.context.captured_global, + ) + + has_config = bool(managed or excluded) + if not has_config: + notes.append( + "No changed or custom configuration detected for this package." + ) + simple_packages.append(pkg) + + pkg_snaps.append( + PackageSnapshot( + package=pkg, + role_name=role, + section=package_section_from_installations( + self.context.installed_pkgs.get(pkg, []) + ), + managed_files=managed, + managed_links=[], + excluded=excluded, + notes=notes, + has_config=has_config, + ) + ) + + return pkg_snaps, manual_pkgs, simple_packages, manual_pkgs_skipped + + def _find_role_snapshot( + self, + role_name: str, + service_snaps: List[ServiceSnapshot], + pkg_snaps: List[PackageSnapshot], + ): + for snap in service_snaps: + if snap.role_name == role_name: + return snap + for snap in pkg_snaps: + if snap.role_name == role_name: + return snap + return None + + def _capture_enabled_symlinks_for_role( + self, + role_name: str, + dirs: List[str], + service_snaps: List[ServiceSnapshot], + pkg_snaps: List[PackageSnapshot], + ) -> None: + snap = self._find_role_snapshot(role_name, service_snaps, pkg_snaps) + if snap is None: + return + + role_seen = self.seen_by_role.setdefault(role_name, set()) + for directory in dirs: + if not os.path.isdir(directory): + continue + for pth in sorted(glob.glob(os.path.join(directory, "*"))): + if not os.path.islink(pth): + continue + capture_link( + role_name=role_name, + abs_path=pth, + reason="enabled_symlink", + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=snap.managed_links, + excluded_out=snap.excluded, + seen_role=role_seen, + seen_global=self.context.captured_global, + ) + + def _capture_common_enabled_symlinks( + self, + service_snaps: List[ServiceSnapshot], + pkg_snaps: List[PackageSnapshot], + ) -> None: + self._capture_enabled_symlinks_for_role( + "nginx", + ["/etc/nginx/modules-enabled", "/etc/nginx/sites-enabled"], + service_snaps, + pkg_snaps, + ) + self._capture_enabled_symlinks_for_role( + "apache2", + [ + "/etc/apache2/conf-enabled", + "/etc/apache2/mods-enabled", + "/etc/apache2/sites-enabled", + ], + service_snaps, + pkg_snaps, + ) diff --git a/enroll/harvest_collectors/users.py b/enroll/harvest_collectors/users.py new file mode 100644 index 0000000..d1e86fe --- /dev/null +++ b/enroll/harvest_collectors/users.py @@ -0,0 +1,168 @@ +from __future__ import annotations + +from dataclasses import asdict, dataclass +from typing import Any, Dict, List, Set + +from .. import harvest as h +from ..capture import capture_file, capture_user_shell_dotfiles +from ..harvest_types import ( + ExcludedFile, + FlatpakSnapshot, + ManagedFile, + SnapSnapshot, + UsersSnapshot, +) +from .context import HarvestCollector, HarvestContext + + +@dataclass +class UsersCollection: + users_snapshot: UsersSnapshot + flatpak_snapshot: FlatpakSnapshot + snap_snapshot: SnapSnapshot + + +class UsersCollector(HarvestCollector): + """Collect non-system users plus system/user Flatpak and Snap facts.""" + + def __init__( + self, context: HarvestContext, seen_by_role: Dict[str, Set[str]] + ) -> None: + super().__init__(context) + self.seen_by_role = seen_by_role + + def collect(self) -> UsersCollection: + users_notes: List[str] = [] + users_excluded: List[ExcludedFile] = [] + users_managed: List[ManagedFile] = [] + users_list: List[dict] = [] + + try: + user_records = h.collect_non_system_users() + except Exception as e: + user_records = [] + users_notes.append(f"Failed to enumerate users: {e!r}") + + # Detect system-wide Flatpaks/Snaps and configured Flatpak remotes. + from ..accounts import ( + find_system_flatpak_remotes, + find_system_flatpaks, + find_system_snaps, + find_user_flatpak_remotes, + ) + + system_flatpaks = [asdict(f) for f in find_system_flatpaks()] + system_snaps = [asdict(s) for s in find_system_snaps()] + system_flatpak_remotes = [asdict(r) for r in find_system_flatpak_remotes()] + flatpak_notes: List[str] = [] + snap_notes: List[str] = [] + if system_flatpaks: + flatpak_notes.append( + "System-wide flatpaks detected: " + + ", ".join(str(f.get("name")) for f in system_flatpaks) + ) + if system_snaps: + snap_notes.append( + "System-wide snaps detected: " + + ", ".join(str(s.get("name")) for s in system_snaps) + ) + + users_role_name = "users" + users_role_seen = self.seen_by_role.setdefault(users_role_name, set()) + + skel_dir = "/etc/skel" + auto_capture_user_dotfiles = bool( + getattr(self.context.policy, "dangerous", False) + ) + if user_records and not auto_capture_user_dotfiles: + users_notes.append( + "User shell dotfiles were not auto-harvested because --dangerous was not set; " + "use --dangerous for automatic shell-dotfile capture, or targeted " + "--include-path patterns for safe-mode review." + ) + + user_flatpaks_map: Dict[str, List[Dict[str, Any]]] = {} + user_flatpak_remotes: List[Dict[str, Any]] = [] + + for user in user_records: + users_list.append( + { + "name": user.name, + "uid": user.uid, + "gid": user.gid, + "gecos": user.gecos, + "home": user.home, + "shell": user.shell, + "primary_group": user.primary_group, + "supplementary_groups": user.supplementary_groups, + } + ) + + # Copy only safe SSH public material: authorized_keys + *.pub + for ssh_file in user.ssh_files: + reason = ( + "authorized_keys" + if ssh_file.endswith("/authorized_keys") + else "ssh_public_key" + ) + capture_file( + bundle_dir=self.context.bundle_dir, + role_name=users_role_name, + abs_path=ssh_file, + reason=reason, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=users_managed, + excluded_out=users_excluded, + seen_role=users_role_seen, + seen_global=self.context.captured_global, + ) + + # Capture common per-user shell dotfiles only in dangerous mode. They + # often contain exported tokens or aliases/functions with embedded secrets. + home = (user.home or "").rstrip("/") + if home and home.startswith("/"): + capture_user_shell_dotfiles( + bundle_dir=self.context.bundle_dir, + role_name=users_role_name, + home=home, + skel_dir=skel_dir, + enabled=auto_capture_user_dotfiles, + policy=self.context.policy, + path_filter=self.context.path_filter, + managed_out=users_managed, + excluded_out=users_excluded, + seen_role=users_role_seen, + seen_global=self.context.captured_global, + ) + + # Collect per-user Flatpak applications and remotes. Snap packages are + # system-wide; ~/snap/* is user data, not an install source. + if user.flatpaks: + user_flatpaks_map[user.name] = [asdict(fp) for fp in user.flatpaks] + user_flatpak_remotes.extend( + asdict(r) for r in find_user_flatpak_remotes(home, user=user.name) + ) + + return UsersCollection( + users_snapshot=UsersSnapshot( + role_name="users", + users=users_list, + managed_files=users_managed, + excluded=users_excluded, + notes=users_notes, + user_flatpaks=user_flatpaks_map, + user_flatpak_remotes=user_flatpak_remotes, + ), + flatpak_snapshot=FlatpakSnapshot( + role_name="flatpak", + system_flatpaks=system_flatpaks, + remotes=system_flatpak_remotes, + notes=flatpak_notes, + ), + snap_snapshot=SnapSnapshot( + role_name="snap", + system_snaps=system_snaps, + notes=snap_notes, + ), + ) diff --git a/enroll/harvest_safety.py b/enroll/harvest_safety.py new file mode 100644 index 0000000..d6d738c --- /dev/null +++ b/enroll/harvest_safety.py @@ -0,0 +1,277 @@ +from __future__ import annotations + +import os +import stat +import tempfile +from pathlib import Path + + +class OutputSafetyError(RuntimeError): + """Raised when an output path is unsafe for root-run plaintext output.""" + + +# Keep a reference to the real euid getter so tests that monkeypatch +# enroll.harvest.os.geteuid do not accidentally make output-safety code +# believe a non-root test process is running as root. Tests that need to +# exercise root behavior can still monkeypatch _effective_uid directly. +_OS_GETEUID = getattr(os, "geteuid", None) + + +def _chmod_private(path: Path) -> None: + try: + os.chmod(path, 0o700) + except OSError: + # Best-effort; callers still benefit from mkdir(mode=0o700) on normal FSes. + pass + + +def _effective_uid() -> int | None: + if _OS_GETEUID is None: + return None + try: + return int(_OS_GETEUID()) + except OSError: + return None + + +def _assert_trusted_root_parent(path: Path, st: os.stat_result, *, label: str) -> None: + """Reject parent directories that are unsafe when Enroll runs as root. + + Enroll deliberately invokes host tools and writes host configuration state, + so root-run output should not pass through parent directories controlled by + an unprivileged user. Root-owned sticky shared directories such as /tmp are + allowed as a boundary, but any existing child below them must still be + root-owned and non-writable by group/other. + """ + + if _effective_uid() != 0: + return + if not stat.S_ISDIR(st.st_mode): + raise OutputSafetyError(f"{label} parent is not a directory: {path}") + if st.st_uid != 0: + raise OutputSafetyError( + f"{label} parent is not owned by root; refusing root-run output: {path}" + ) + writable_by_group_or_other = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) + sticky = st.st_mode & stat.S_ISVTX + if writable_by_group_or_other and not sticky: + raise OutputSafetyError( + f"{label} parent is writable by group/other; refusing root-run output: {path}" + ) + + +def _assert_existing_output_dir_component(path: Path, *, label: str) -> None: + try: + st = path.lstat() + except OSError as e: + raise OutputSafetyError(f"unable to inspect {label} parent: {path}") from e + if stat.S_ISLNK(st.st_mode): + raise OutputSafetyError( + f"{label} parent path contains a symlink; refusing: {path}" + ) + if not stat.S_ISDIR(st.st_mode): + raise OutputSafetyError(f"{label} parent is not a directory: {path}") + _assert_trusted_root_parent(path, st, label=label) + + +def _mkdir_private_dir_tree( + path: Path, *, label: str, final_must_be_new: bool = False +) -> Path: + """Create a directory tree one component at a time with safety checks. + + pathlib.mkdir(parents=True) can traverse a symlink inserted after a parent + pre-check and create deeper components in the symlink target. Walking one + component at a time avoids that class of race for root-run output paths. + """ + + out = Path(path).expanduser() + parts = out.parts + if not parts: + return out + + if out.is_absolute(): + cur = Path(parts[0]) + rest = parts[1:] + _assert_existing_output_dir_component(cur, label=label) + else: + cur = Path.cwd() + rest = parts + _assert_existing_output_dir_component(cur, label=label) + + for idx, part in enumerate(rest): + cur = cur / part + is_final = idx == len(rest) - 1 + if os.path.lexists(cur): + if is_final and final_must_be_new: + raise OutputSafetyError( + f"{label} path already exists; refusing to overwrite or merge: {cur}" + ) + _assert_existing_output_dir_component(cur, label=label) + continue + try: + os.mkdir(cur, 0o700) + except FileExistsError: + if is_final and final_must_be_new: + raise OutputSafetyError( + f"{label} path already exists; refusing to overwrite or merge: {cur}" + ) + _assert_existing_output_dir_component(cur, label=label) + continue + _chmod_private(cur) + _assert_existing_output_dir_component(cur, label=label) + + return out + + +def _assert_no_existing_symlink_components( + path: Path, *, label: str, require_trusted_root_parents: bool = True +) -> None: + """Reject unsafe existing parent components of an output path. + + This catches symlink parents for all users. When running as root, it also + rejects existing parents controlled by an unprivileged user so an attacker + cannot redirect root output by racing or replacing a parent directory. + """ + + parts = path.parts + if not parts: + return + + if path.is_absolute(): + cur = Path(parts[0]) + rest = parts[1:-1] + else: + cur = Path.cwd() + rest = parts[:-1] + if require_trusted_root_parents: + _assert_existing_output_dir_component(cur, label=label) + + for part in rest: + cur = cur / part + if not os.path.lexists(cur): + return + if require_trusted_root_parents: + _assert_existing_output_dir_component(cur, label=label) + else: + try: + st = cur.lstat() + except OSError as e: + raise OutputSafetyError( + f"unable to inspect {label} parent: {cur}" + ) from e + if stat.S_ISLNK(st.st_mode): + raise OutputSafetyError( + f"{label} parent path contains a symlink; refusing: {cur}" + ) + + +def ensure_safe_output_parent(path: str | Path, *, label: str = "output") -> Path: + """Create and validate the parent directory for a root-run output file. + + The parent is checked with the same symlink/root-trust rules as plaintext + bundle directories. This is for output *files* such as reports and SOPS + bundles, where replacing an existing regular file is acceptable but + following attacker-controlled parent paths is not. + """ + + out = Path(path).expanduser() + parent = out.parent if out.parent != Path("") else Path(".") + sentinel = parent / ".enroll-output-parent-check" + _assert_no_existing_symlink_components(sentinel, label=label) + _mkdir_private_dir_tree(parent, label=label, final_must_be_new=False) + _assert_no_existing_symlink_components(sentinel, label=label) + return parent + + +def write_text_output_file( + path: str | Path, + text: str, + *, + label: str = "output file", + mode: int = 0o600, +) -> Path: + """Safely write a user-facing output text file. + + The write is staged in the destination directory and atomically renamed into + place. A final-path symlink is replaced rather than followed, while parent + symlinks or root-unsafe parents are refused by ensure_safe_output_parent(). + """ + + out = Path(path).expanduser() + parent = ensure_safe_output_parent(out, label=label) + fd, tmp_name = tempfile.mkstemp(prefix=".enroll-output-", dir=str(parent)) + try: + with os.fdopen(fd, "w", encoding="utf-8") as f: + f.write(text) + try: + os.chmod(tmp_name, mode) + except OSError: + pass + os.replace(tmp_name, out) + finally: + try: + os.unlink(tmp_name) + except FileNotFoundError: + pass + return out + + +def ensure_private_dir(path: str | Path, *, label: str = "output") -> Path: + """Create or validate a private directory without requiring it to be empty. + + This is for persistent internal directories such as Enroll's cache root, + where existing contents are expected across runs. It uses the same + component-by-component symlink and root-parent trust checks as user-facing + plaintext output directories, but permits an existing final directory. + """ + + out = Path(path).expanduser() + sentinel = out / ".enroll-private-dir-check" + _assert_no_existing_symlink_components(sentinel, label=label) + out = _mkdir_private_dir_tree(out, label=label, final_must_be_new=False) + _assert_no_existing_symlink_components(sentinel, label=label) + _chmod_private(out) + return out + + +def prepare_new_private_dir(path: str | Path, *, label: str = "output") -> Path: + """Create a brand-new private output directory. + + Refuse existing paths, including symlinks. This prevents root-run harvests + from writing into attacker-precreated directories in shared locations such + as /tmp, and keeps plaintext bundles private by default. + """ + + out = Path(path).expanduser() + _assert_no_existing_symlink_components(out, label=label) + return _mkdir_private_dir_tree(out, label=label, final_must_be_new=True) + + +def ensure_private_empty_dir(path: str | Path, *, label: str = "output") -> Path: + """Create or validate a private empty directory. + + This is for internally-generated random cache/temp directories. User-facing + --out paths should normally use prepare_new_private_dir() instead. + """ + + out = Path(path).expanduser() + _assert_no_existing_symlink_components(out, label=label) + if os.path.lexists(out): + try: + st = out.lstat() + except OSError as e: + raise OutputSafetyError(f"unable to inspect {label} path: {out}") from e + if stat.S_ISLNK(st.st_mode): + raise OutputSafetyError(f"{label} path is a symlink; refusing: {out}") + if not stat.S_ISDIR(st.st_mode): + raise OutputSafetyError( + f"{label} path exists but is not a directory: {out}" + ) + if any(out.iterdir()): + raise OutputSafetyError( + f"{label} path is not empty; refusing to merge: {out}" + ) + _chmod_private(out) + return out + + return _mkdir_private_dir_tree(out, label=label, final_must_be_new=True) diff --git a/enroll/harvest_types.py b/enroll/harvest_types.py new file mode 100644 index 0000000..c88163e --- /dev/null +++ b/enroll/harvest_types.py @@ -0,0 +1,172 @@ +from __future__ import annotations + +from dataclasses import dataclass, field +from typing import Any, Dict, List, Optional + + +@dataclass +class ManagedFile: + path: str + src_rel: str + owner: str + group: str + mode: str + reason: str + + +@dataclass +class ManagedLink: + """A symlink we want to materialise on the target host. + + For configuration enablement patterns (e.g. sites-enabled), the symlink is + meaningful state even when the link target is captured elsewhere. + """ + + path: str + target: str + reason: str + + +@dataclass +class ManagedDir: + path: str + owner: str + group: str + mode: str + reason: str + + +@dataclass +class ExcludedFile: + path: str + reason: str + + +@dataclass +class ServiceSnapshot: + unit: str + role_name: str + packages: List[str] + active_state: Optional[str] + sub_state: Optional[str] + unit_file_state: Optional[str] + condition_result: Optional[str] + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + managed_links: List[ManagedLink] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class PackageSnapshot: + package: str + role_name: str + section: Optional[str] = None + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + managed_links: List[ManagedLink] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + has_config: bool = True # False if package has no config/systemd/cron files + + +@dataclass +class UsersSnapshot: + role_name: str + users: List[dict] + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + user_flatpaks: Dict[str, List[Dict[str, Any]]] = field(default_factory=dict) + user_flatpak_remotes: List[Dict[str, Any]] = field(default_factory=list) + + +@dataclass +class FlatpakSnapshot: + role_name: str + system_flatpaks: List[Dict[str, Any]] = field(default_factory=list) + remotes: List[Dict[str, Any]] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class SnapSnapshot: + role_name: str + system_snaps: List[Dict[str, Any]] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class ContainerImagesSnapshot: + role_name: str + images: List[Dict[str, Any]] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class AptConfigSnapshot: + role_name: str + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class DnfConfigSnapshot: + role_name: str + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class EtcCustomSnapshot: + role_name: str + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class UsrLocalCustomSnapshot: + role_name: str + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class ExtraPathsSnapshot: + role_name: str + include_patterns: List[str] = field(default_factory=list) + exclude_patterns: List[str] = field(default_factory=list) + managed_dirs: List[ManagedDir] = field(default_factory=list) + managed_files: List[ManagedFile] = field(default_factory=list) + managed_links: List[ManagedLink] = field(default_factory=list) + excluded: List[ExcludedFile] = field(default_factory=list) + notes: List[str] = field(default_factory=list) + + +@dataclass +class FirewallRuntimeSnapshot: + role_name: str + packages: List[str] = field(default_factory=list) + ipset_save: Optional[str] = None + ipset_sets: List[str] = field(default_factory=list) + iptables_v4_save: Optional[str] = None + iptables_v6_save: Optional[str] = None + notes: List[str] = field(default_factory=list) + + +@dataclass +class SysctlSnapshot: + role_name: str + managed_files: List[ManagedFile] = field(default_factory=list) + parameters: Dict[str, str] = field(default_factory=dict) + notes: List[str] = field(default_factory=list) diff --git a/enroll/ignore.py b/enroll/ignore.py index a7bf297..eed4035 100644 --- a/enroll/ignore.py +++ b/enroll/ignore.py @@ -1,11 +1,15 @@ from __future__ import annotations import fnmatch +import errno import os import re +import stat from dataclasses import dataclass from typing import Optional +from .fsutil import open_no_follow_path + DEFAULT_DENY_GLOBS = [ # Common backup copies created by passwd tools (can contain sensitive data) @@ -46,9 +50,47 @@ DEFAULT_ALLOW_BINARY_GLOBS = [ "/etc/pki/rpm-gpg/*", ] +# Conservative secret patterns for default/safe harvesting. These are +# intentionally biased towards false positives: operators can opt in with +# --dangerous or targeted include/exclude review when a file is genuinely +# needed. +# +# The assignment pattern catches INI/YAML/JSON/TOML-ish keys such as: +# password: hunter2 +# "client_secret": "..." +# aws_secret_access_key = ... +# GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json SENSITIVE_CONTENT_PATTERNS = [ - re.compile(rb"-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----"), - re.compile(rb"(?i)\bpassword\s*="), + re.compile( + rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA |ENCRYPTED |PGP )?PRIVATE KEY(?: BLOCK)?-----" + ), + re.compile(rb"(?i)-----BEGIN OPENSSH PRIVATE KEY-----"), + re.compile(rb"(?i)AGE-SECRET-KEY-[A-Z0-9]+"), + re.compile(rb"(?i)OPENSSH PRIVATE KEY"), + re.compile(rb"(?i)PGP PRIVATE KEY BLOCK"), + re.compile( + rb"""(?ix) + (^|[^A-Za-z0-9]) + [\"']? + ( + [A-Za-z0-9_.-]* + ( + password|passwd|passphrase| + token|auth[_-]?token|access[_-]?token|refresh[_-]?token| + secret|client[_-]?secret|secret[_-]?key| + api[_-]?key|access[_-]?key|private[_-]?key| + credential|credentials| + aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key| + azure[_-]?client[_-]?secret|azure[_-]?tenant[_-]?id|azure[_-]?client[_-]?id| + google[_-]?application[_-]?credentials|gcp[_-]?service[_-]?account| + service[_-]?account[_-]?key + ) + [A-Za-z0-9_.-]* + ) + [\"']? + \s*[:=] + """ + ), re.compile(rb"(?i)\b(pass|passwd|token|secret|api[_-]?key)\b"), ] @@ -57,6 +99,42 @@ BLOCK_START = b"/*" BLOCK_END = b"*/" +def normalize_for_match(path: str) -> str: + """Lexically normalize a path string for deny/allow glob matching. + + This collapses redundant separators ("//"), resolves "." and ".." + segments, and strips trailing slashes using ``os.path.normpath`` -- a + pure string operation that never touches the filesystem. + + It is deliberately NOT ``os.path.realpath``/``Path.resolve``: resolving + symlinks would stat the filesystem and reintroduce a time-of-check / + time-of-use window before the later ``O_NOFOLLOW`` open in + ``inspect_file``. The goal here is only to stop a non-canonical *string* + (e.g. "/etc//shadow" or "/etc/foo/../shadow") from slipping past a deny + glob like "/etc/shadow". It is defense-in-depth on top of the no-follow + open, not a load-bearing control by itself. + + ``normpath`` preserves a leading "//" because POSIX treats it as + implementation-defined; for glob matching we collapse it to a single + leading slash so patterns anchored at "/" still match. + """ + + if not path: + return path + normalized = os.path.normpath(path) + if normalized.startswith("//") and not normalized.startswith("///"): + normalized = normalized[1:] + return normalized + + +@dataclass(frozen=True) +class FileInspection: + """Bytes and metadata captured from one safely-opened source file.""" + + data: bytes + stat_result: os.stat_result + + @dataclass class IgnorePolicy: deny_globs: Optional[list[str]] = None @@ -96,42 +174,32 @@ class IgnorePolicy: yield raw - def deny_reason(self, path: str) -> Optional[str]: + def _path_deny_reason(self, path: str) -> Optional[str]: + # Match against a lexically-normalized path so non-canonical spellings + # (e.g. "/etc//shadow", "/etc/foo/../shadow") cannot slip past a deny + # glob. The original path is still what gets opened/recorded. + match_path = normalize_for_match(path) # Always ignore plain *.log files (rarely useful as config, often noisy). - if path.endswith(".log"): + if match_path.endswith(".log"): return "log_file" # Ignore editor/backup files that end with a trailing tilde. - if path.endswith("~"): + if match_path.endswith("~"): return "backup_file" # Ignore backup shadow files - if path.startswith("/etc/") and path.endswith("-"): + if match_path.startswith("/etc/") and match_path.endswith("-"): return "backup_file" if not self.dangerous: for g in self.deny_globs or []: - if fnmatch.fnmatch(path, g): + if fnmatch.fnmatch(match_path, g): return "denied_path" + return None - try: - st = os.stat(path, follow_symlinks=True) - except OSError: - return "unreadable" - - if st.st_size > self.max_file_bytes: - return "too_large" - - if not os.path.isfile(path) or os.path.islink(path): - return "not_regular_file" - - try: - with open(path, "rb") as f: - data = f.read(min(self.sample_bytes, st.st_size)) - except OSError: - return "unreadable" - + def _content_deny_reason(self, path: str, data: bytes) -> Optional[str]: if b"\x00" in data: + match_path = normalize_for_match(path) for g in self.allow_binary_globs or []: - if fnmatch.fnmatch(path, g): + if fnmatch.fnmatch(match_path, g): # Binary is acceptable for explicitly-allowed paths. return None return "binary_like" @@ -144,6 +212,74 @@ class IgnorePolicy: return None + def inspect_file(self, path: str) -> tuple[Optional[str], Optional[FileInspection]]: + """Safely inspect a regular file and return the exact bytes to copy. + + The source is opened with O_NOFOLLOW on every path component (see + ``fsutil.open_no_follow_path``), fstat() is taken from that file + descriptor, and the whole file is read only after the size cap passes. + With the default 256 KiB cap this avoids a memory DoS while ensuring + secret scanning covers every byte that may be copied. + + Opening every component without following symlinks means a regular + file reached through a symlinked *parent* directory is refused with + ``symlink_component`` rather than silently captured -- its logical + path would not have matched the deny globs. + """ + + deny = self._path_deny_reason(path) + if deny: + return deny, None + + fd: Optional[int] = None + try: + try: + fd = open_no_follow_path(path) + except OSError as e: + if e.errno == errno.ELOOP: + # A symlink (or unsafe '..') somewhere in the path. This is + # distinct from "not a regular file" so operators can see + # why a path under a symlinked parent was skipped. + return "symlink_component", None + if e.errno == errno.ENOTDIR: + return "not_regular_file", None + return "unreadable", None + + try: + st = os.fstat(fd) + except OSError: + return "unreadable", None + + if not stat.S_ISREG(st.st_mode): + return "not_regular_file", None + if st.st_size > self.max_file_bytes: + return "too_large", None + + chunks: list[bytes] = [] + remaining = int(st.st_size) + while remaining > 0: + chunk = os.read(fd, min(1024 * 1024, remaining)) + if not chunk: + break + chunks.append(chunk) + remaining -= len(chunk) + data = b"".join(chunks) + + deny = self._content_deny_reason(path, data) + if deny: + return deny, None + return None, FileInspection(data=data, stat_result=st) + finally: + if fd is not None: + try: + os.close(fd) + except OSError: + pass + + def deny_reason(self, path: str) -> Optional[str]: + deny, _inspection = self.inspect_file(path) + return deny + def deny_reason_dir(self, path: str) -> Optional[str]: """Directory-specific deny logic. @@ -157,8 +293,9 @@ class IgnorePolicy: No size checks or content scanning are performed for directories. """ if not self.dangerous: + match_path = normalize_for_match(path) for g in self.deny_globs or []: - if fnmatch.fnmatch(path, g): + if fnmatch.fnmatch(match_path, g): return "denied_path" try: @@ -189,16 +326,17 @@ class IgnorePolicy: """ # Keep the same fast-path filename ignores as deny_reason(). - if path.endswith(".log"): + match_path = normalize_for_match(path) + if match_path.endswith(".log"): return "log_file" - if path.endswith("~"): + if match_path.endswith("~"): return "backup_file" - if path.startswith("/etc/") and path.endswith("-"): + if match_path.startswith("/etc/") and match_path.endswith("-"): return "backup_file" if not self.dangerous: for g in self.deny_globs or []: - if fnmatch.fnmatch(path, g): + if fnmatch.fnmatch(match_path, g): return "denied_path" try: diff --git a/enroll/jinjaturtle.py b/enroll/jinjaturtle.py index 7a2702e..2b8f467 100644 --- a/enroll/jinjaturtle.py +++ b/enroll/jinjaturtle.py @@ -1,11 +1,16 @@ from __future__ import annotations +import hashlib +import re import shutil import subprocess # nosec import tempfile from dataclasses import dataclass from pathlib import Path -from typing import Optional +from typing import Any, Dict, List, Optional, Set, Tuple + +from .manifest_safety import ArtifactSafetyError, safe_artifact_file +from .yamlutil import yaml_dump_mapping, yaml_load_mapping SYSTEMD_SUFFIXES = { @@ -36,6 +41,258 @@ SUPPORTED_SUFFIXES = { } | SYSTEMD_SUFFIXES +def resolve_jinjaturtle_mode(jinjaturtle: str) -> Tuple[Optional[str], bool]: + """Resolve Enroll's common JinjaTurtle mode flag. + + Renderers accept the same values: + - ``auto``: use JinjaTurtle when present on PATH + - ``on``: require it and fail if it is absent + - ``off``: never use it + """ + jt_exe = find_jinjaturtle_cmd() + if jinjaturtle not in {"auto", "on", "off"}: + raise ValueError("jinjaturtle must be one of: auto, on, off") + if jinjaturtle == "on": + if not jt_exe: + raise RuntimeError("jinjaturtle requested but not found on PATH") + return jt_exe, True + if jinjaturtle == "auto": + return jt_exe, jt_exe is not None + return jt_exe, False + + +def _merge_mappings_overwrite( + existing: Dict[str, Any], incoming: Dict[str, Any] +) -> Dict[str, Any]: + merged = dict(existing) + merged.update(incoming) + return merged + + +@dataclass(frozen=True) +class JinjifiedArtifact: + template_rel: str + template_text: str + vars_text: str + context: Dict[str, Any] + + +_JINJA_EXPR_VAR_RE = re.compile(r"{{\s*([A-Za-z_][A-Za-z0-9_]*)\b") +_JINJA_FOR_RE = re.compile( + r"{%\s*for\s+([A-Za-z_][A-Za-z0-9_]*)\s+in\s+([A-Za-z_][A-Za-z0-9_]*)\b" +) +_JINJA_SPECIAL_VARS = {"loop", "true", "false", "none", "True", "False", "None"} +_ERB_INSTANCE_VAR_RE = re.compile(r"<%=?[^%]*@([A-Za-z_][A-Za-z0-9_]*)", re.S) + + +def _find_undeclared_jinja_vars(template_text: str) -> Set[str]: + try: + from jinja2 import Environment, meta # type: ignore + + env = Environment() # nosec B701 - parsing config templates, not rendering HTML + ast = env.parse(template_text) + return set(meta.find_undeclared_variables(ast)) + except Exception: + locals_from_loops: Set[str] = set() + collection_vars: Set[str] = set() + for match in _JINJA_FOR_RE.finditer(template_text): + locals_from_loops.add(match.group(1)) + collection_vars.add(match.group(2)) + + referenced = set(_JINJA_EXPR_VAR_RE.findall(template_text)) | collection_vars + referenced -= locals_from_loops + referenced -= _JINJA_SPECIAL_VARS + return referenced + + +def missing_jinja_template_vars( + template_text: str, context: Dict[str, Any] +) -> Set[str]: + """Return variables referenced by a JinjaTurtle template but absent from vars. + + This is a defensive check for Enroll's best-effort templating path. If + JinjaTurtle ever emits a placeholder without a matching default variable, + Enroll should fall back to copying the raw harvested file rather than + generating an Ansible role that fails at apply time. + """ + + referenced = _find_undeclared_jinja_vars(template_text) + referenced -= _JINJA_SPECIAL_VARS + return {name for name in referenced if name not in context} + + +def missing_erb_template_vars(template_text: str, context: Dict[str, Any]) -> Set[str]: + """Return ERB ``@param`` references absent from Puppet Hiera/class data.""" + + local_names: Set[str] = set() + for key in context: + text = str(key) + if "::" in text: + local_names.add(text.split("::", 1)[1]) + else: + local_names.add(text) + + referenced = set(_ERB_INSTANCE_VAR_RE.findall(template_text)) + return {name for name in referenced if name not in local_names} + + +def jinjify_artifact( + bundle_dir: str | Path, + artifact_role: str, + src_rel: str, + dest_path: str, + template_root: str | Path, + *, + jt_exe: Optional[str], + jt_enabled: bool, + overwrite_templates: bool = True, + role_name: Optional[str] = None, + template_engine: str = "jinja2", + puppet_class: Optional[str] = None, +) -> Optional[JinjifiedArtifact]: + """Best-effort conversion of one harvested artifact into a template. + + Ansible/Salt use Jinja2 output. Puppet uses ERB output with Puppet Hiera + keys when a new enough JinjaTurtle is available. + """ + if not (jt_enabled and jt_exe and can_jinjify_path(dest_path)): + return None + + try: + artifact_path = safe_artifact_file(bundle_dir, artifact_role, src_rel) + except (ArtifactSafetyError, FileNotFoundError): + return None + + try: + run_kwargs: Dict[str, Any] = { + "role_name": role_name or artifact_role, + "force_format": infer_other_formats(dest_path), + } + # Keep the historical call shape for Ansible/Salt and for tests that + # monkeypatch run_jinjaturtle with the old signature. Puppet/ERB is + # the only path that needs the newer JinjaTurtle CLI switches. + if template_engine != "jinja2": + run_kwargs["template_engine"] = template_engine + if puppet_class: + run_kwargs["puppet_class"] = puppet_class + result = run_jinjaturtle(jt_exe, str(artifact_path), **run_kwargs) + except Exception: + return None # nosec - best-effort template generation + + ext = "erb" if template_engine == "erb" else "j2" + template_rel = Path(src_rel).as_posix() + f".{ext}" + template_dst = Path(template_root) / template_rel + + context = yaml_load_mapping(result.vars_text) + missing = ( + missing_erb_template_vars(result.template_text, context) + if template_engine == "erb" + else missing_jinja_template_vars(result.template_text, context) + ) + if missing: + # If this role was generated into an existing output directory, avoid + # leaving an obsolete template behind after falling back to a raw copy. + if overwrite_templates and template_dst.exists(): + template_dst.unlink() + return None + + if overwrite_templates or not template_dst.exists(): + template_dst.parent.mkdir(parents=True, exist_ok=True) + template_dst.write_text(result.template_text, encoding="utf-8") + + return JinjifiedArtifact( + template_rel=template_rel, + template_text=result.template_text, + vars_text=result.vars_text, + context=context, + ) + + +def managed_file_var_prefix(role_name: str, src_rel: str) -> str: + """Return a JinjaTurtle-safe variable prefix for one managed file. + + JinjaTurtle's ``--role-name`` is a variable prefix. Enroll can place many + unrelated managed files in one generated role, so using only the role name + can collide for common keys such as ``enabled``, ``ignore``, or ``name``. + Include the relative artifact path when a role templates multiple files. + """ + + raw = f"{role_name}_{src_rel}" + safe = re.sub(r"[^A-Za-z0-9_]+", "_", raw).strip("_").lower() + safe = re.sub(r"_+", "_", safe) + if not safe: + safe = "managed_file" + if len(safe) > 96: + digest = hashlib.sha1( # nosec B324 + raw.encode("utf-8", errors="replace") + ).hexdigest()[:8] + safe = safe[:80].rstrip("_") + "_" + digest + return safe + + +def jinjify_managed_files( + bundle_dir: str | Path, + artifact_role: str, + template_root: str | Path, + managed_files: List[Dict[str, Any]], + *, + jt_exe: Optional[str], + jt_enabled: bool, + overwrite_templates: bool, + role_name: Optional[str] = None, +) -> Tuple[Set[str], str]: + """Jinjify a list of managed files and return Ansible-style vars text. + + The return shape intentionally matches the historical Ansible helper: + ``(templated_src_rels, combined_vars_text)``. Salt uses + :func:`jinjify_artifact` directly because it stores variables as a context + map per managed file. + """ + templated: Set[str] = set() + vars_map: Dict[str, Any] = {} + base_role_name = role_name or artifact_role + candidates = [ + mf + for mf in managed_files + if str(mf.get("path") or "") + and str(mf.get("src_rel") or "") + and can_jinjify_path(str(mf.get("path") or "")) + ] + namespace_by_file = len(candidates) > 1 + + for mf in managed_files: + dest_path = str(mf.get("path") or "") + src_rel = str(mf.get("src_rel") or "") + if not dest_path or not src_rel: + continue + + converted = jinjify_artifact( + bundle_dir, + artifact_role, + src_rel, + dest_path, + template_root, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=overwrite_templates, + role_name=( + managed_file_var_prefix(base_role_name, src_rel) + if namespace_by_file + else base_role_name + ), + ) + if converted is None: + continue + + templated.add(src_rel) + if converted.context: + vars_map = _merge_mappings_overwrite(vars_map, converted.context) + + if vars_map: + return templated, yaml_dump_mapping(vars_map, sort_keys=True) + return templated, "" + + def infer_other_formats(dest_path: str) -> Optional[str]: p = Path(dest_path) name = p.name.lower() @@ -83,6 +340,8 @@ def run_jinjaturtle( *, role_name: str, force_format: Optional[str] = None, + template_engine: str = "jinja2", + puppet_class: Optional[str] = None, ) -> JinjifyResult: """ Run jinjaturtle against src_path and return (template, defaults-yaml). @@ -90,6 +349,9 @@ def run_jinjaturtle( jinjaturtle CLI: jinjaturtle -r [-f ] [-d ] [-t ] + + Newer JinjaTurtle versions also support ``--template-engine erb`` and + ``--puppet-class`` for Puppet/Hiera output. """ src = Path(src_path) if not src.is_file(): @@ -98,7 +360,9 @@ def run_jinjaturtle( with tempfile.TemporaryDirectory(prefix="enroll-jt-") as td: td_path = Path(td) defaults_out = td_path / "defaults.yml" - template_out = td_path / "template.j2" + template_out = td_path / ( + "template.erb" if template_engine == "erb" else "template.j2" + ) cmd = [ jt_exe, @@ -112,6 +376,10 @@ def run_jinjaturtle( ] if force_format: cmd.extend(["-f", force_format]) + if template_engine != "jinja2": + cmd.extend(["--template-engine", template_engine]) + if puppet_class: + cmd.extend(["--puppet-class", puppet_class]) p = subprocess.run(cmd, text=True, capture_output=True) # nosec if p.returncode != 0: diff --git a/enroll/manifest.py b/enroll/manifest.py index 99adbb7..3ebfefe 100644 --- a/enroll/manifest.py +++ b/enroll/manifest.py @@ -1,676 +1,24 @@ from __future__ import annotations -import json import os -import re import shutil -import stat import tarfile import tempfile from pathlib import Path -from typing import Any, Dict, List, Optional, Set, Tuple - -from .jinjaturtle import ( - can_jinjify_path, - find_jinjaturtle_cmd, - infer_other_formats, - run_jinjaturtle, -) +from typing import List, Optional +from .ansible import manifest_from_bundle_dir as manifest_ansible_from_bundle_dir +from .puppet import manifest_from_bundle_dir as manifest_puppet_from_bundle_dir +from .salt import manifest_from_bundle_dir as manifest_salt_from_bundle_dir +from .harvest_safety import ensure_safe_output_parent +from .manifest_safety import validate_site_fqdn from .remote import _safe_extract_tar from .sopsutil import ( decrypt_file_binary_to, encrypt_file_binary, require_sops_cmd, ) - - -def _try_yaml(): - try: - import yaml # type: ignore - except Exception: - return None - return yaml - - -def _yaml_load_mapping(text: str) -> Dict[str, Any]: - yaml = _try_yaml() - if yaml is None: - return {} - try: - obj = yaml.safe_load(text) - except Exception: - return {} - if obj is None: - return {} - if isinstance(obj, dict): - return obj - return {} - - -def _yaml_dump_mapping(obj: Dict[str, Any], *, sort_keys: bool = True) -> str: - yaml = _try_yaml() - if yaml is None: - # fall back to a naive key: value dump (best-effort) - lines: List[str] = [] - for k, v in sorted(obj.items()) if sort_keys else obj.items(): - lines.append(f"{k}: {v!r}") - return "\n".join(lines).rstrip() + "\n" - - # ansible-lint/yamllint's indentation rules are stricter than YAML itself. - # In particular, they expect sequences nested under a mapping key to be - # indented (e.g. `foo:\n - a`), whereas PyYAML's default is often - # `foo:\n- a`. - class _IndentDumper(yaml.SafeDumper): # type: ignore - def increase_indent(self, flow: bool = False, indentless: bool = False): - return super().increase_indent(flow, False) - - return ( - yaml.dump( - obj, - Dumper=_IndentDumper, - default_flow_style=False, - sort_keys=sort_keys, - indent=2, - allow_unicode=True, - ).rstrip() - + "\n" - ) - - -def _merge_mappings_overwrite( - existing: Dict[str, Any], incoming: Dict[str, Any] -) -> Dict[str, Any]: - """Merge incoming into existing with overwrite. - - NOTE: Unlike role defaults merging, host_vars should reflect the current - harvest for a host. Therefore lists are replaced rather than unioned. - """ - merged = dict(existing) - merged.update(incoming) - return merged - - -def _copy2_replace(src: str, dst: str) -> None: - dst_dir = os.path.dirname(dst) - os.makedirs(dst_dir, exist_ok=True) - - # Copy to a temp file in the same directory, then atomically replace. - fd, tmp = tempfile.mkstemp(prefix=".enroll-tmp-", dir=dst_dir) - os.close(fd) - try: - shutil.copy2(src, tmp) - - # Ensure the working tree stays mergeable: make the file user-writable. - st = os.stat(tmp, follow_symlinks=False) - mode = stat.S_IMODE(st.st_mode) - if not (mode & stat.S_IWUSR): - os.chmod(tmp, mode | stat.S_IWUSR) - - os.replace(tmp, dst) - finally: - try: - os.unlink(tmp) - except FileNotFoundError: - pass - - -def _copy_artifacts( - bundle_dir: str, - role: str, - dst_files_dir: str, - *, - preserve_existing: bool = False, - exclude_rels: Optional[Set[str]] = None, -) -> None: - """Copy harvested artifacts for a role into a destination *files* directory. - - In non --fqdn mode, this is usually /files. - In --fqdn site mode, this is usually: - inventory/host_vars///.files - """ - artifacts_dir = os.path.join(bundle_dir, "artifacts", role) - if not os.path.isdir(artifacts_dir): - return - for root, _, files in os.walk(artifacts_dir): - for fn in files: - src = os.path.join(root, fn) - rel = os.path.relpath(src, artifacts_dir) - dst = os.path.join(dst_files_dir, rel) - - # If a file was successfully templatised by JinjaTurtle, do NOT - # also materialise the raw copy in the destination files dir. - if exclude_rels and rel in exclude_rels: - try: - if os.path.isfile(dst): - os.remove(dst) - except Exception: - pass # nosec - continue - - if preserve_existing and os.path.exists(dst): - continue - os.makedirs(os.path.dirname(dst), exist_ok=True) - _copy2_replace(src, dst) - - -def _write_role_scaffold(role_dir: str) -> None: - os.makedirs(os.path.join(role_dir, "tasks"), exist_ok=True) - os.makedirs(os.path.join(role_dir, "handlers"), exist_ok=True) - os.makedirs(os.path.join(role_dir, "defaults"), exist_ok=True) - os.makedirs(os.path.join(role_dir, "meta"), exist_ok=True) - os.makedirs(os.path.join(role_dir, "files"), exist_ok=True) - os.makedirs(os.path.join(role_dir, "templates"), exist_ok=True) - - -def _role_tag(role: str) -> str: - """Return a stable Ansible tag name for a role. - - Used by `enroll diff --enforce` to run only the roles needed to repair drift. - """ - r = str(role or "").strip() - # Ansible tag charset is fairly permissive, but keep it portable and consistent. - safe = re.sub(r"[^A-Za-z0-9_-]+", "_", r).strip("_") - if not safe: - safe = "other" - return f"role_{safe}" - - -def _write_playbook_all(path: str, roles: List[str]) -> None: - pb_lines = [ - "---", - "- name: Apply all roles on all hosts", - " gather_facts: true", - " hosts: all", - " become: true", - " roles:", - ] - for r in roles: - pb_lines.append(f" - role: {r}") - pb_lines.append(f" tags: [{_role_tag(r)}]") - with open(path, "w", encoding="utf-8") as f: - f.write("\n".join(pb_lines) + "\n") - - -def _write_playbook_host(path: str, fqdn: str, roles: List[str]) -> None: - pb_lines = [ - "---", - f"- name: Apply all roles on {fqdn}", - f" hosts: {fqdn}", - " gather_facts: true", - " become: true", - " roles:", - ] - for r in roles: - pb_lines.append(f" - role: {r}") - pb_lines.append(f" tags: [{_role_tag(r)}]") - with open(path, "w", encoding="utf-8") as f: - f.write("\n".join(pb_lines) + "\n") - - -def _ensure_ansible_cfg(cfg_path: str) -> None: - if not os.path.exists(cfg_path): - with open(cfg_path, "w", encoding="utf-8") as f: - f.write("[defaults]\n") - f.write("roles_path = roles\n") - f.write("interpreter_python=/usr/bin/python3\n") - f.write("inventory = inventory\n") - f.write("stdout_callback = unixy\n") - f.write("force_color = 1\n") - f.write("vars_plugins_enabled = host_group_vars\n") - f.write("fact_caching = jsonfile\n") - f.write("fact_caching_connection = .enroll_cached_facts\n") - f.write("forks = 30\n") - f.write("remote_tmp = /tmp/ansible-${USER}\n") - f.write("timeout = 12\n") - f.write("[ssh_connection]\n") - f.write("pipelining = True\n") - f.write("scp_if_ssh = True\n") - return - - -def _ensure_inventory_host(inv_path: str, fqdn: str) -> None: - os.makedirs(os.path.dirname(inv_path), exist_ok=True) - if not os.path.exists(inv_path): - with open(inv_path, "w", encoding="utf-8") as f: - f.write("[all]\n") - f.write(fqdn + "\n") - return - - with open(inv_path, "r", encoding="utf-8") as f: - lines = [ln.rstrip("\n") for ln in f.readlines()] - - # ensure there is an [all] group; if not, create it at top - if not any(ln.strip() == "[all]" for ln in lines): - lines = ["[all]"] + lines - - # check if fqdn already present (exact match, ignoring whitespace) - if any(ln.strip() == fqdn for ln in lines): - return - - # append at end - lines.append(fqdn) - with open(inv_path, "w", encoding="utf-8") as f: - f.write("\n".join(lines) + "\n") - - -def _hostvars_path(site_root: str, fqdn: str, role: str) -> str: - return os.path.join(site_root, "inventory", "host_vars", fqdn, f"{role}.yml") - - -def _host_role_files_dir(site_root: str, fqdn: str, role: str) -> str: - """Host-specific files dir for a given role. - - Layout: - inventory/host_vars///.files/ - """ - return os.path.join(site_root, "inventory", "host_vars", fqdn, role, ".files") - - -def _write_hostvars(site_root: str, fqdn: str, role: str, data: Dict[str, Any]) -> None: - """Write host_vars YAML for a role for a specific host. - - This is host-specific state and should track the current harvest output. - Existing keys not mentioned in `data` are preserved, but keys in `data` - are overwritten (including list values). - """ - path = _hostvars_path(site_root, fqdn, role) - os.makedirs(os.path.dirname(path), exist_ok=True) - - existing_map: Dict[str, Any] = {} - if os.path.exists(path): - try: - existing_text = Path(path).read_text(encoding="utf-8") - existing_map = _yaml_load_mapping(existing_text) - except Exception: - existing_map = {} - - merged = _merge_mappings_overwrite(existing_map, data) - - out = "---\n" + _yaml_dump_mapping(merged, sort_keys=True) - with open(path, "w", encoding="utf-8") as f: - f.write(out) - - -def _jinjify_managed_files( - bundle_dir: str, - role: str, - role_dir: str, - managed_files: List[Dict[str, Any]], - *, - jt_exe: Optional[str], - jt_enabled: bool, - overwrite_templates: bool, -) -> Tuple[Set[str], str]: - """ - Return (templated_src_rels, combined_vars_text). - combined_vars_text is a YAML mapping fragment (no leading ---). - """ - templated: Set[str] = set() - vars_map: Dict[str, Any] = {} - - if not (jt_enabled and jt_exe): - return templated, "" - - for mf in managed_files: - dest_path = mf.get("path", "") - src_rel = mf.get("src_rel", "") - if not dest_path or not src_rel: - continue - if not can_jinjify_path(dest_path): - continue - - artifact_path = os.path.join(bundle_dir, "artifacts", role, src_rel) - if not os.path.isfile(artifact_path): - continue - - try: - force_fmt = infer_other_formats(dest_path) - res = run_jinjaturtle( - jt_exe, artifact_path, role_name=role, force_format=force_fmt - ) - except Exception: - # If jinjaturtle cannot process a file for any reason, skip silently. - # (Enroll's core promise is to be optimistic and non-interactive.) - continue # nosec - - tmpl_rel = src_rel + ".j2" - tmpl_dst = os.path.join(role_dir, "templates", tmpl_rel) - if overwrite_templates or not os.path.exists(tmpl_dst): - os.makedirs(os.path.dirname(tmpl_dst), exist_ok=True) - with open(tmpl_dst, "w", encoding="utf-8") as f: - f.write(res.template_text) - - templated.add(src_rel) - if res.vars_text.strip(): - # merge YAML mappings; last wins (avoids duplicate keys) - chunk = _yaml_load_mapping(res.vars_text) - if chunk: - vars_map = _merge_mappings_overwrite(vars_map, chunk) - - if vars_map: - combined = _yaml_dump_mapping(vars_map, sort_keys=True) - return templated, combined - return templated, "" - - -def _write_role_defaults(role_dir: str, mapping: Dict[str, Any]) -> None: - """Overwrite role defaults/main.yml with the provided mapping.""" - defaults_path = os.path.join(role_dir, "defaults", "main.yml") - os.makedirs(os.path.dirname(defaults_path), exist_ok=True) - out = "---\n" + _yaml_dump_mapping(mapping, sort_keys=True) - with open(defaults_path, "w", encoding="utf-8") as f: - f.write(out) - - -def _build_managed_dirs_var( - managed_dirs: List[Dict[str, Any]], -) -> List[Dict[str, Any]]: - """Convert enroll managed_dirs into an Ansible-friendly list of dicts. - - Each dict drives a role task loop and is safe across hosts. - """ - out: List[Dict[str, Any]] = [] - for d in managed_dirs: - dest = d.get("path") or "" - if not dest: - continue - out.append( - { - "dest": dest, - "owner": d.get("owner") or "root", - "group": d.get("group") or "root", - "mode": d.get("mode") or "0755", - } - ) - return out - - -def _build_managed_files_var( - managed_files: List[Dict[str, Any]], - templated_src_rels: Set[str], - *, - notify_other: Optional[str] = None, - notify_systemd: Optional[str] = None, -) -> List[Dict[str, Any]]: - """Convert enroll managed_files into an Ansible-friendly list of dicts. - - Each dict drives a role task loop and is safe across hosts. - """ - out: List[Dict[str, Any]] = [] - for mf in managed_files: - dest = mf.get("path") or "" - src_rel = mf.get("src_rel") or "" - if not dest or not src_rel: - continue - is_unit = str(dest).startswith("/etc/systemd/system/") - kind = "template" if src_rel in templated_src_rels else "copy" - notify: List[str] = [] - if is_unit and notify_systemd: - notify.append(notify_systemd) - if (not is_unit) and notify_other: - notify.append(notify_other) - out.append( - { - "dest": dest, - "src_rel": src_rel, - "owner": mf.get("owner") or "root", - "group": mf.get("group") or "root", - "mode": mf.get("mode") or "0644", - "kind": kind, - "is_systemd_unit": bool(is_unit), - "notify": notify, - } - ) - return out - - -def _build_managed_links_var( - managed_links: List[Dict[str, Any]], -) -> List[Dict[str, Any]]: - """Convert enroll managed_links into an Ansible-friendly list of dicts.""" - out: List[Dict[str, Any]] = [] - for ml in managed_links or []: - dest = ml.get("path") or "" - src = ml.get("target") or "" - if not dest or not src: - continue - out.append({"dest": dest, "src": src}) - return out - - -def _render_generic_files_tasks( - var_prefix: str, *, include_restart_notify: bool -) -> str: - """Render generic tasks to deploy _managed_files safely.""" - # Using first_found makes roles work in both modes: - # - site-mode: inventory/host_vars///.files/... - # - non-site: roles//files/... - return f"""- name: Ensure managed directories exist (preserve owner/group/mode) - ansible.builtin.file: - path: "{{{{ item.dest }}}}" - state: directory - owner: "{{{{ item.owner }}}}" - group: "{{{{ item.group }}}}" - mode: "{{{{ item.mode }}}}" - loop: "{{{{ {var_prefix}_managed_dirs | default([]) }}}}" - -- name: Deploy any systemd unit files (templates) - ansible.builtin.template: - src: "{{{{ item.src_rel }}}}.j2" - dest: "{{{{ item.dest }}}}" - owner: "{{{{ item.owner }}}}" - group: "{{{{ item.group }}}}" - mode: "{{{{ item.mode }}}}" - loop: >- - {{{{ {var_prefix}_managed_files | default([]) - | selectattr('is_systemd_unit', 'equalto', true) - | selectattr('kind', 'equalto', 'template') - | list }}}} - notify: "{{{{ item.notify | default([]) }}}}" - -- name: Deploy any systemd unit files (raw files) - vars: - _enroll_ff: - files: - - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ item.src_rel }}}}" - - "{{{{ role_path }}}}/files/{{{{ item.src_rel }}}}" - ansible.builtin.copy: - src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" - dest: "{{{{ item.dest }}}}" - owner: "{{{{ item.owner }}}}" - group: "{{{{ item.group }}}}" - mode: "{{{{ item.mode }}}}" - loop: >- - {{{{ {var_prefix}_managed_files | default([]) - | selectattr('is_systemd_unit', 'equalto', true) - | selectattr('kind', 'equalto', 'copy') - | list }}}} - notify: "{{{{ item.notify | default([]) }}}}" - -- name: Reload systemd to pick up unit changes - ansible.builtin.meta: flush_handlers - when: >- - ({var_prefix}_managed_files | default([]) - | selectattr('is_systemd_unit', 'equalto', true) - | list - | length) > 0 - -- name: Deploy any other managed files (templates) - ansible.builtin.template: - src: "{{{{ item.src_rel }}}}.j2" - dest: "{{{{ item.dest }}}}" - owner: "{{{{ item.owner }}}}" - group: "{{{{ item.group }}}}" - mode: "{{{{ item.mode }}}}" - loop: >- - {{{{ {var_prefix}_managed_files | default([]) - | selectattr('is_systemd_unit', 'equalto', false) - | selectattr('kind', 'equalto', 'template') - | list }}}} - notify: "{{{{ item.notify | default([]) }}}}" - -- name: Deploy any other managed files (raw files) - vars: - _enroll_ff: - files: - - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ item.src_rel }}}}" - - "{{{{ role_path }}}}/files/{{{{ item.src_rel }}}}" - ansible.builtin.copy: - src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" - dest: "{{{{ item.dest }}}}" - owner: "{{{{ item.owner }}}}" - group: "{{{{ item.group }}}}" - mode: "{{{{ item.mode }}}}" - loop: >- - {{{{ {var_prefix}_managed_files | default([]) - | selectattr('is_systemd_unit', 'equalto', false) - | selectattr('kind', 'equalto', 'copy') - | list }}}} - notify: "{{{{ item.notify | default([]) }}}}" - -- name: Ensure managed symlinks exist - ansible.builtin.file: - src: "{{{{ item.src }}}}" - dest: "{{{{ item.dest }}}}" - state: link - force: true - loop: "{{{{ {var_prefix}_managed_links | default([]) }}}}" -""" - - -def _render_install_packages_tasks(role: str, var_prefix: str) -> str: - """Render cross-distro package installation tasks. - - We generate conditional tasks for apt/dnf/yum, falling back to the - generic `package` module. This keeps generated roles usable on both - Debian-like and RPM-like systems. - """ - return f"""- name: Install packages for {role} (APT) - ansible.builtin.apt: - name: "{{{{ {var_prefix}_packages | default([]) }}}}" - state: present - update_cache: true - when: - - ({var_prefix}_packages | default([])) | length > 0 - - ansible_facts.pkg_mgr | default('') == 'apt' - -- name: Install packages for {role} (DNF5) - ansible.builtin.dnf5: - name: "{{{{ {var_prefix}_packages | default([]) }}}}" - state: present - when: - - ({var_prefix}_packages | default([])) | length > 0 - - ansible_facts.pkg_mgr | default('') == 'dnf5' - -- name: Install packages for {role} (DNF/YUM) - ansible.builtin.dnf: - name: "{{{{ {var_prefix}_packages | default([]) }}}}" - state: present - when: - - ({var_prefix}_packages | default([])) | length > 0 - - ansible_facts.pkg_mgr | default('') in ['dnf', 'yum'] - -- name: Install packages for {role} (generic fallback) - ansible.builtin.package: - name: "{{{{ {var_prefix}_packages | default([]) }}}}" - state: present - when: - - ({var_prefix}_packages | default([])) | length > 0 - - ansible_facts.pkg_mgr | default('') not in ['apt', 'dnf', 'dnf5', 'yum'] - -""" - - -def _render_firewall_runtime_tasks(var_prefix: str) -> str: - """Render tasks for live ipset/iptables snapshots.""" - return f"""- name: Ensure firewall runtime snapshot directory exists - ansible.builtin.file: - path: /etc/enroll/firewall - state: directory - owner: root - group: root - mode: "0750" - -- name: Deploy captured ipset snapshot - vars: - _enroll_ff: - files: - - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_ipset_save }}}}" - - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_ipset_save }}}}" - ansible.builtin.copy: - src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" - dest: /etc/enroll/firewall/ipset.save - owner: root - group: root - mode: "0600" - when: ({var_prefix}_ipset_save | default('') | length) > 0 - -- name: Flush captured ipsets before restoring members - ansible.builtin.command: - cmd: "ipset flush {{{{ item }}}}" - loop: "{{{{ {var_prefix}_ipset_sets | default([]) }}}}" - register: _enroll_ipset_flush - failed_when: false - changed_when: false - when: - - ({var_prefix}_ipset_save | default('') | length) > 0 - - {var_prefix}_sync_ipsets_exact | default(true) | bool - -- name: Restore captured ipsets - ansible.builtin.shell: "ipset restore -exist < /etc/enroll/firewall/ipset.save" - args: - executable: /bin/sh - register: _enroll_ipset_restore - changed_when: _enroll_ipset_restore.rc == 0 - when: ({var_prefix}_ipset_save | default('') | length) > 0 - -- name: Deploy captured IPv4 iptables snapshot - vars: - _enroll_ff: - files: - - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_iptables_v4_save }}}}" - - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_iptables_v4_save }}}}" - ansible.builtin.copy: - src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" - dest: /etc/enroll/firewall/iptables.v4 - owner: root - group: root - mode: "0600" - when: ({var_prefix}_iptables_v4_save | default('') | length) > 0 - -- name: Restore captured IPv4 iptables rules - ansible.builtin.command: - cmd: iptables-restore /etc/enroll/firewall/iptables.v4 - register: _enroll_iptables_v4_restore - changed_when: _enroll_iptables_v4_restore.rc == 0 - when: - - ({var_prefix}_iptables_v4_save | default('') | length) > 0 - - {var_prefix}_restore_iptables | default(true) | bool - -- name: Deploy captured IPv6 iptables snapshot - vars: - _enroll_ff: - files: - - "{{{{ inventory_dir }}}}/host_vars/{{{{ inventory_hostname }}}}/{{{{ role_name }}}}/.files/{{{{ {var_prefix}_iptables_v6_save }}}}" - - "{{{{ role_path }}}}/files/{{{{ {var_prefix}_iptables_v6_save }}}}" - ansible.builtin.copy: - src: "{{{{ lookup('ansible.builtin.first_found', _enroll_ff) }}}}" - dest: /etc/enroll/firewall/iptables.v6 - owner: root - group: root - mode: "0600" - when: ({var_prefix}_iptables_v6_save | default('') | length) > 0 - -- name: Restore captured IPv6 iptables rules - ansible.builtin.command: - cmd: ip6tables-restore /etc/enroll/firewall/iptables.v6 - register: _enroll_iptables_v6_restore - changed_when: _enroll_iptables_v6_restore.rc == 0 - when: - - ({var_prefix}_iptables_v6_save | default('') | length) > 0 - - {var_prefix}_restore_iptables | default(true) | bool -""" +from .validate import validate_harvest def _prepare_bundle_dir( @@ -744,7 +92,7 @@ def _tar_dir_to_with_progress( """Create a tar.gz of src_dir at tar_path, with a simple per-entry progress display.""" src_dir = Path(src_dir) tar_path = Path(tar_path) - tar_path.parent.mkdir(parents=True, exist_ok=True) + ensure_safe_output_parent(tar_path, label="manifest tar output") # Collect paths (dirs + files) paths: list[Path] = [src_dir] @@ -797,7 +145,7 @@ def _encrypt_manifest_out_dir_to_sops( """Tar+encrypt the generated manifest output directory into a single .sops file.""" require_sops_cmd() out_file = Path(out_file) - out_file.parent.mkdir(parents=True, exist_ok=True) + ensure_safe_output_parent(out_file, label="encrypted manifest output") fd, tmp_tgz = tempfile.mkstemp( prefix=".enroll-manifest-", @@ -819,1401 +167,6 @@ def _encrypt_manifest_out_dir_to_sops( return out_file -def _manifest_from_bundle_dir( - bundle_dir: str, - out_dir: str, - *, - fqdn: Optional[str] = None, - jinjaturtle: str = "auto", # auto|on|off -) -> None: - state_path = os.path.join(bundle_dir, "state.json") - with open(state_path, "r", encoding="utf-8") as f: - state = json.load(f) - - roles: Dict[str, Any] = state.get("roles") or {} - - services: List[Dict[str, Any]] = roles.get("services", []) - package_roles: List[Dict[str, Any]] = roles.get("packages", []) - users_snapshot: Dict[str, Any] = roles.get("users", {}) - apt_config_snapshot: Dict[str, Any] = roles.get("apt_config", {}) - dnf_config_snapshot: Dict[str, Any] = roles.get("dnf_config", {}) - firewall_runtime_snapshot: Dict[str, Any] = roles.get("firewall_runtime", {}) - etc_custom_snapshot: Dict[str, Any] = roles.get("etc_custom", {}) - usr_local_custom_snapshot: Dict[str, Any] = roles.get("usr_local_custom", {}) - extra_paths_snapshot: Dict[str, Any] = roles.get("extra_paths", {}) - - site_mode = fqdn is not None and fqdn != "" - - jt_exe = find_jinjaturtle_cmd() - jt_enabled = False - if jinjaturtle not in ("auto", "on", "off"): - raise ValueError("jinjaturtle must be one of: auto, on, off") - if jinjaturtle == "on": - if not jt_exe: - raise RuntimeError("jinjaturtle requested but not found on PATH") - jt_enabled = True - elif jinjaturtle == "auto": - jt_enabled = jt_exe is not None - else: - jt_enabled = False - - os.makedirs(out_dir, exist_ok=True) - roles_root = os.path.join(out_dir, "roles") - os.makedirs(roles_root, exist_ok=True) - - # Site-mode scaffolding - if site_mode: - os.makedirs(os.path.join(out_dir, "inventory"), exist_ok=True) - os.makedirs(os.path.join(out_dir, "inventory", "host_vars"), exist_ok=True) - os.makedirs(os.path.join(out_dir, "playbooks"), exist_ok=True) - _ensure_inventory_host( - os.path.join(out_dir, "inventory", "hosts.ini"), fqdn or "" - ) - _ensure_ansible_cfg(os.path.join(out_dir, "ansible.cfg")) - - manifested_users_roles: List[str] = [] - manifested_apt_config_roles: List[str] = [] - manifested_dnf_config_roles: List[str] = [] - manifested_firewall_runtime_roles: List[str] = [] - manifested_etc_custom_roles: List[str] = [] - manifested_usr_local_custom_roles: List[str] = [] - manifested_extra_paths_roles: List[str] = [] - manifested_service_roles: List[str] = [] - manifested_pkg_roles: List[str] = [] - - # ------------------------- - # Users role (non-system users) - # ------------------------- - if users_snapshot and users_snapshot.get("users"): - role = users_snapshot.get("role_name", "users") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - # Users role includes harvested SSH-related files; in site mode keep them - # host-specific to avoid cross-host clobber. - if site_mode: - _copy_artifacts( - bundle_dir, role, _host_role_files_dir(out_dir, fqdn or "", role) - ) - else: - _copy_artifacts(bundle_dir, role, os.path.join(role_dir, "files")) - - users = users_snapshot.get("users", []) - managed_files = users_snapshot.get("managed_files", []) - excluded = users_snapshot.get("excluded", []) - notes = users_snapshot.get("notes", []) - - # Build groups list and a simplified user dict list suitable for loops - group_names: List[str] = [] - group_set = set() - users_data: List[Dict[str, Any]] = [] - for u in users: - name = u.get("name") - if not name: - continue - pg = u.get("primary_group") or name - home = u.get("home") or f"/home/{name}" - sshdir = home.rstrip("/") + "/.ssh" - supp = u.get("supplementary_groups") or [] - if pg: - group_set.add(pg) - for g in supp: - if g: - group_set.add(g) - - users_data.append( - { - "name": name, - "uid": u.get("uid"), - "primary_group": pg, - "home": home, - "ssh_dir": sshdir, - "shell": u.get("shell"), - "gecos": u.get("gecos"), - "supplementary_groups": sorted(set(supp)), - } - ) - - group_names = sorted(group_set) - - # SSH-related files (authorized_keys, known_hosts, config, etc.) - ssh_files: List[Dict[str, Any]] = [] - for mf in managed_files: - dest = mf.get("path") or "" - src_rel = mf.get("src_rel") or "" - if not dest or not src_rel: - continue - - owner = "root" - group = "root" - for u in users_data: - home_prefix = (u.get("home") or "").rstrip("/") + "/" - if home_prefix and dest.startswith(home_prefix): - owner = str(u.get("name") or "root") - group = str(u.get("primary_group") or owner) - break - - # Prefer the harvested file mode so we preserve any deliberate - # permissions (e.g. 0600 for certain dotfiles). For authorized_keys, - # enforce 0600 regardless. - mode = mf.get("mode") or "0644" - if mf.get("reason") == "authorized_keys": - mode = "0600" - ssh_files.append( - { - "dest": dest, - "src_rel": src_rel, - "owner": owner, - "group": group, - "mode": mode, - } - ) - - # Variables are host-specific in site mode; in non-site mode they live in role defaults. - if site_mode: - _write_role_defaults( - role_dir, - { - "users_groups": [], - "users_users": [], - "users_ssh_files": [], - }, - ) - _write_hostvars( - out_dir, - fqdn or "", - role, - { - "users_groups": group_names, - "users_users": users_data, - "users_ssh_files": ssh_files, - }, - ) - else: - _write_role_defaults( - role_dir, - { - "users_groups": group_names, - "users_users": users_data, - "users_ssh_files": ssh_files, - }, - ) - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - # tasks (data-driven) - users_tasks = """--- - -- name: Ensure groups exist - ansible.builtin.group: - name: "{{ item }}" - state: present - loop: "{{ users_groups | default([]) }}" - -- name: Ensure users exist - ansible.builtin.user: - name: "{{ item.name }}" - uid: "{{ item.uid | default(omit) }}" - group: "{{ item.primary_group }}" - home: "{{ item.home }}" - create_home: true - shell: "{{ item.shell | default(omit) }}" - comment: "{{ item.gecos | default(omit) }}" - state: present - loop: "{{ users_users | default([]) }}" - -- name: Ensure users supplementary groups - ansible.builtin.user: - name: "{{ item.name }}" - groups: "{{ item.supplementary_groups | default([]) | join(',') }}" - append: true - loop: "{{ users_users | default([]) }}" - when: (item.supplementary_groups | default([])) | length > 0 - -- name: Ensure .ssh directories exist - ansible.builtin.file: - path: "{{ item.ssh_dir }}" - state: directory - owner: "{{ item.name }}" - group: "{{ item.primary_group }}" - mode: "0700" - loop: "{{ users_users | default([]) }}" - -- name: Deploy SSH-related files - vars: - _enroll_ff: - files: - - "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/{{ role_name }}/.files/{{ item.src_rel }}" - - "{{ role_path }}/files/{{ item.src_rel }}" - ansible.builtin.copy: - src: "{{ lookup('ansible.builtin.first_found', _enroll_ff) }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner }}" - group: "{{ item.group }}" - mode: "{{ item.mode }}" - loop: "{{ users_ssh_files | default([]) }}" -""" - - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(users_tasks) - - with open( - os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\n") - - readme = ( - """# users - -Generated non-system user accounts and SSH public material. - -## Users -""" - + ( - "\n".join([f"- {u.get('name')} (uid {u.get('uid')})" for u in users]) - or "- (none)" - ) - + """\n -## Included SSH files -""" - + ( - "\n".join( - [f"- {mf.get('path')} ({mf.get('reason')})" for mf in managed_files] - ) - or "- (none)" - ) - + """\n -## Excluded -""" - + ( - "\n".join([f"- {e.get('path')} ({e.get('reason')})" for e in excluded]) - or "- (none)" - ) - + """\n -## Notes -""" - + ("\n".join([f"- {n}" for n in notes]) or "- (none)") - + """\n""" - ) - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_users_roles.append(role) - - # ------------------------- - # apt_config role (APT sources, pinning, and keyrings) - # ------------------------- - if apt_config_snapshot and apt_config_snapshot.get("managed_files"): - role = apt_config_snapshot.get("role_name", "apt_config") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - managed_files = apt_config_snapshot.get("managed_files", []) - managed_dirs = apt_config_snapshot.get("managed_dirs", []) or [] - excluded = apt_config_snapshot.get("excluded", []) - notes = apt_config_snapshot.get("notes", []) - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - # Copy only the non-templated artifacts (templates live in the role). - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other=None, - notify_systemd=None, - ) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - vars_map: Dict[str, Any] = { - f"{var_prefix}_managed_files": files_var, - f"{var_prefix}_managed_dirs": dirs_var, - } - vars_map = _merge_mappings_overwrite(vars_map, jt_map) - - if site_mode: - _write_role_defaults( - role_dir, - {f"{var_prefix}_managed_files": [], f"{var_prefix}_managed_dirs": []}, - ) - _write_hostvars(out_dir, fqdn or "", role, vars_map) - else: - _write_role_defaults(role_dir, vars_map) - - tasks = "---\n" + _render_generic_files_tasks( - var_prefix, include_restart_notify=False - ) - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks.rstrip() + "\n") - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - # README: summarise repos and keyrings - source_paths: List[str] = [] - keyring_paths: List[str] = [] - repo_hosts: Set[str] = set() - - url_re = re.compile(r"(?:https?|ftp)://([^/\s]+)", re.IGNORECASE) - - for mf in managed_files: - p = str(mf.get("path") or "") - src_rel = str(mf.get("src_rel") or "") - if not p or not src_rel: - continue - - if p == "/etc/apt/sources.list" or p.startswith("/etc/apt/sources.list.d/"): - source_paths.append(p) - art_path = os.path.join(bundle_dir, "artifacts", role, src_rel) - try: - with open(art_path, "r", encoding="utf-8", errors="replace") as sf: - for line in sf: - line = line.strip() - if not line or line.startswith("#"): - continue - for m in url_re.finditer(line): - repo_hosts.add(m.group(1)) - except OSError: - pass # nosec - - if ( - p.startswith("/etc/apt/trusted.gpg") - or p.startswith("/etc/apt/keyrings/") - or p.startswith("/usr/share/keyrings/") - ): - keyring_paths.append(p) - - source_paths = sorted(set(source_paths)) - keyring_paths = sorted(set(keyring_paths)) - repos = sorted(repo_hosts) - - readme = ( - """# apt_config - -APT configuration harvested from the system (sources, pinning, and keyrings). - -## Repository hosts -""" - + ("\n".join([f"- {h}" for h in repos]) or "- (none)") - + """\n -## Source files -""" - + ("\n".join([f"- {p}" for p in source_paths]) or "- (none)") - + """\n -## Keyrings -""" - + ("\n".join([f"- {p}" for p in keyring_paths]) or "- (none)") - + """\n -## Managed files -""" - + ( - "\n".join( - [f"- {mf.get('path')} ({mf.get('reason')})" for mf in managed_files] - ) - or "- (none)" - ) - + """\n -## Excluded -""" - + ( - "\n".join([f"- {e.get('path')} ({e.get('reason')})" for e in excluded]) - or "- (none)" - ) - + """\n -## Notes -""" - + ("\n".join([f"- {n}" for n in notes]) or "- (none)") - + """\n""" - ) - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_apt_config_roles.append(role) - - # ------------------------- - # dnf_config role (DNF/YUM repos, config, and RPM GPG keys) - # ------------------------- - if dnf_config_snapshot and dnf_config_snapshot.get("managed_files"): - role = dnf_config_snapshot.get("role_name", "dnf_config") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - managed_files = dnf_config_snapshot.get("managed_files", []) - managed_dirs = dnf_config_snapshot.get("managed_dirs", []) or [] - excluded = dnf_config_snapshot.get("excluded", []) - notes = dnf_config_snapshot.get("notes", []) - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other=None, - notify_systemd=None, - ) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - vars_map: Dict[str, Any] = { - f"{var_prefix}_managed_files": files_var, - f"{var_prefix}_managed_dirs": dirs_var, - } - vars_map = _merge_mappings_overwrite(vars_map, jt_map) - - if site_mode: - _write_role_defaults( - role_dir, - {f"{var_prefix}_managed_files": [], f"{var_prefix}_managed_dirs": []}, - ) - _write_hostvars(out_dir, fqdn or "", role, vars_map) - else: - _write_role_defaults(role_dir, vars_map) - - tasks = "---\n" + _render_generic_files_tasks( - var_prefix, include_restart_notify=False - ) - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks.rstrip() + "\n") - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - # README: summarise repos and GPG key material - repo_paths: List[str] = [] - key_paths: List[str] = [] - repo_hosts: Set[str] = set() - - url_re = re.compile(r"(?:https?|ftp)://([^/\s]+)", re.IGNORECASE) - file_url_re = re.compile(r"file://(/[^\s]+)") - - for mf in managed_files: - p = str(mf.get("path") or "") - src_rel = str(mf.get("src_rel") or "") - if not p or not src_rel: - continue - - if p.startswith("/etc/yum.repos.d/") and p.endswith(".repo"): - repo_paths.append(p) - art_path = os.path.join(bundle_dir, "artifacts", role, src_rel) - try: - with open(art_path, "r", encoding="utf-8", errors="replace") as rf: - for line in rf: - s = line.strip() - if not s or s.startswith("#") or s.startswith(";"): - continue - # Collect hostnames from URLs (baseurl, mirrorlist, metalink, gpgkey...) - for m in url_re.finditer(s): - repo_hosts.add(m.group(1)) - # Collect local gpgkey file paths referenced as file:///... - for m in file_url_re.finditer(s): - key_paths.append(m.group(1)) - except OSError: - pass # nosec - - if p.startswith("/etc/pki/rpm-gpg/"): - key_paths.append(p) - - repo_paths = sorted(set(repo_paths)) - key_paths = sorted(set(key_paths)) - repos = sorted(repo_hosts) - - readme = ( - """# dnf_config - -DNF/YUM configuration harvested from the system (repos, config files, and RPM GPG keys). - -## Repository hosts -""" - + ("\n".join([f"- {h}" for h in repos]) or "- (none)") - + """\n -## Repo files -""" - + ("\n".join([f"- {p}" for p in repo_paths]) or "- (none)") - + """\n -## GPG keys -""" - + ("\n".join([f"- {p}" for p in key_paths]) or "- (none)") - + """\n -## Managed files -""" - + ( - "\n".join( - [f"- {mf.get('path')} ({mf.get('reason')})" for mf in managed_files] - ) - or "- (none)" - ) - + """\n -## Excluded -""" - + ( - "\n".join([f"- {e.get('path')} ({e.get('reason')})" for e in excluded]) - or "- (none)" - ) - + """\n -## Notes -""" - + ("\n".join([f"- {n}" for n in notes]) or "- (none)") - + """\n""" - ) - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_dnf_config_roles.append(role) - - # ------------------------- - # firewall_runtime role (live ipset/iptables kernel state) - # ------------------------- - if firewall_runtime_snapshot and ( - firewall_runtime_snapshot.get("ipset_save") - or firewall_runtime_snapshot.get("iptables_v4_save") - or firewall_runtime_snapshot.get("iptables_v6_save") - ): - role = firewall_runtime_snapshot.get("role_name", "firewall_runtime") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - packages = firewall_runtime_snapshot.get("packages", []) or [] - ipset_save = firewall_runtime_snapshot.get("ipset_save") or "" - ipset_sets = firewall_runtime_snapshot.get("ipset_sets", []) or [] - iptables_v4_save = firewall_runtime_snapshot.get("iptables_v4_save") or "" - iptables_v6_save = firewall_runtime_snapshot.get("iptables_v6_save") or "" - notes = firewall_runtime_snapshot.get("notes", []) or [] - - # Generated firewall snapshots are host-specific in site mode. - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - ) - else: - _copy_artifacts(bundle_dir, role, os.path.join(role_dir, "files")) - - vars_map: Dict[str, Any] = { - f"{var_prefix}_packages": packages, - f"{var_prefix}_ipset_save": ipset_save, - f"{var_prefix}_ipset_sets": ipset_sets, - f"{var_prefix}_iptables_v4_save": iptables_v4_save, - f"{var_prefix}_iptables_v6_save": iptables_v6_save, - f"{var_prefix}_sync_ipsets_exact": True, - f"{var_prefix}_restore_iptables": True, - } - - if site_mode: - _write_role_defaults( - role_dir, - { - f"{var_prefix}_packages": [], - f"{var_prefix}_ipset_save": "", - f"{var_prefix}_ipset_sets": [], - f"{var_prefix}_iptables_v4_save": "", - f"{var_prefix}_iptables_v6_save": "", - f"{var_prefix}_sync_ipsets_exact": True, - f"{var_prefix}_restore_iptables": True, - }, - ) - _write_hostvars(out_dir, fqdn or "", role, vars_map) - else: - _write_role_defaults(role_dir, vars_map) - - tasks = ( - "---\n" - + _render_install_packages_tasks(role, var_prefix) - + _render_firewall_runtime_tasks(var_prefix) - ) - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks.rstrip() + "\n") - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - readme = f"""# {role} - -Generated from live firewall runtime state captured during harvest. - -This role restores live ipset and iptables state only for firewall families where Enroll did not find corresponding persistent configuration on the source host. Static firewall configuration files, such as `/etc/iptables/rules.v4`, `/etc/iptables/rules.v6`, UFW, nftables, firewalld, or `/etc/ipset*`, are harvested separately as managed files and treated as authoritative for their respective family. - -## Captured snapshots -- ipset: {ipset_save or "(none)"} -- iptables IPv4: {iptables_v4_save or "(none)"} -- iptables IPv6: {iptables_v6_save or "(none)"} - -## Captured ipsets -{os.linesep.join("- " + x for x in ipset_sets) or "- (none)"} - -## Notes -{os.linesep.join("- " + n for n in notes) or "- (none)"} - -## Safety notes -- `firewall_runtime_sync_ipsets_exact` defaults to `true`; it flushes captured set members before replaying the saved members so stale entries are removed. This applies only when no persistent ipset config was found. -- `firewall_runtime_restore_iptables` defaults to `true`; `iptables-restore`/`ip6tables-restore` replace only captured families. A family is captured only when no corresponding persistent iptables config was found. -""" - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_firewall_runtime_roles.append(role) - - # ------------------------- - # etc_custom role (unowned /etc not already attributed) - # ------------------------- - if etc_custom_snapshot and etc_custom_snapshot.get("managed_files"): - role = etc_custom_snapshot.get("role_name", "etc_custom") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - managed_files = etc_custom_snapshot.get("managed_files", []) - managed_dirs = etc_custom_snapshot.get("managed_dirs", []) or [] - excluded = etc_custom_snapshot.get("excluded", []) - notes = etc_custom_snapshot.get("notes", []) - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - # Copy only the non-templated artifacts (templates live in the role). - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other=None, - notify_systemd="Run systemd daemon-reload", - ) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - vars_map: Dict[str, Any] = { - f"{var_prefix}_managed_files": files_var, - f"{var_prefix}_managed_dirs": dirs_var, - } - vars_map = _merge_mappings_overwrite(vars_map, jt_map) - - if site_mode: - _write_role_defaults( - role_dir, - {f"{var_prefix}_managed_files": [], f"{var_prefix}_managed_dirs": []}, - ) - _write_hostvars(out_dir, fqdn or "", role, vars_map) - else: - _write_role_defaults(role_dir, vars_map) - - tasks = "---\n" + _render_generic_files_tasks( - var_prefix, include_restart_notify=False - ) - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks.rstrip() + "\n") - - handlers = """--- -- name: Run systemd daemon-reload - ansible.builtin.systemd: - daemon_reload: true -""" - with open( - os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(handlers) - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - readme = ( - """# etc_custom - -Unowned /etc config files not attributed to packages or services. - -## Managed files -""" - + ("\n".join([f"- {mf.get('path')}" for mf in managed_files]) or "- (none)") - + """\n -## Excluded -""" - + ( - "\n".join([f"- {e.get('path')} ({e.get('reason')})" for e in excluded]) - or "- (none)" - ) - + """\n -## Notes -""" - + ("\n".join([f"- {n}" for n in notes]) or "- (none)") - + """\n""" - ) - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_etc_custom_roles.append(role) - - # ------------------------- - - # ------------------------- - - # ------------------------- - # usr_local_custom role (/usr/local/etc + /usr/local/bin scripts) - # ------------------------- - if usr_local_custom_snapshot and usr_local_custom_snapshot.get("managed_files"): - role = usr_local_custom_snapshot.get("role_name", "usr_local_custom") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - managed_files = usr_local_custom_snapshot.get("managed_files", []) - managed_dirs = usr_local_custom_snapshot.get("managed_dirs", []) or [] - excluded = usr_local_custom_snapshot.get("excluded", []) - notes = usr_local_custom_snapshot.get("notes", []) - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - # Copy only the non-templated artifacts (templates live in the role). - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other=None, - notify_systemd=None, - ) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - vars_map: Dict[str, Any] = { - f"{var_prefix}_managed_files": files_var, - f"{var_prefix}_managed_dirs": dirs_var, - } - vars_map = _merge_mappings_overwrite(vars_map, jt_map) - - if site_mode: - _write_role_defaults( - role_dir, - {f"{var_prefix}_managed_files": [], f"{var_prefix}_managed_dirs": []}, - ) - _write_hostvars(out_dir, fqdn or "", role, vars_map) - else: - _write_role_defaults(role_dir, vars_map) - - tasks = "---\n" + _render_generic_files_tasks( - var_prefix, include_restart_notify=False - ) - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks.rstrip() + "\n") - - # No handlers needed for this role, but keep a valid YAML document. - with open( - os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\n") - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - readme = ( - """# usr_local_custom\n\n""" - "Unowned /usr/local files (scripts in /usr/local/bin and config under /usr/local/etc).\n\n" - "## Managed files\n" - + ("\n".join([f"- {mf.get('path')}" for mf in managed_files]) or "- (none)") - + "\n\n## Excluded\n" - + ( - "\n".join([f"- {e.get('path')} ({e.get('reason')})" for e in excluded]) - or "- (none)" - ) - + "\n\n## Notes\n" - + ("\n".join([f"- {n}" for n in notes]) or "- (none)") - + "\n" - ) - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_usr_local_custom_roles.append(role) - - # ------------------------- - # extra_paths role (user-requested includes) - # ------------------------- - if extra_paths_snapshot and ( - extra_paths_snapshot.get("managed_files") - or extra_paths_snapshot.get("managed_dirs") - ): - role = extra_paths_snapshot.get("role_name", "extra_paths") - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - managed_dirs = extra_paths_snapshot.get("managed_dirs", []) or [] - managed_files = extra_paths_snapshot.get("managed_files", []) - excluded = extra_paths_snapshot.get("excluded", []) - notes = extra_paths_snapshot.get("notes", []) - include_pats = extra_paths_snapshot.get("include_patterns", []) or [] - exclude_pats = extra_paths_snapshot.get("exclude_patterns", []) or [] - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other=None, - notify_systemd=None, - ) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - vars_map: Dict[str, Any] = { - f"{var_prefix}_managed_dirs": dirs_var, - f"{var_prefix}_managed_files": files_var, - } - vars_map = _merge_mappings_overwrite(vars_map, jt_map) - - if site_mode: - _write_role_defaults( - role_dir, - { - f"{var_prefix}_managed_dirs": [], - f"{var_prefix}_managed_files": [], - }, - ) - _write_hostvars(out_dir, fqdn or "", role, vars_map) - else: - _write_role_defaults(role_dir, vars_map) - - tasks = "---\n" + _render_generic_files_tasks( - var_prefix, include_restart_notify=False - ) - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks.rstrip() + "\n") - - with open( - os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\n") - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - readme = ( - f"""# {role} - -User-requested extra file harvesting. - -## Include patterns -""" - + ("\n".join([f"- {p}" for p in include_pats]) or "- (none)") - + """\n -## Exclude patterns -""" - + ("\n".join([f"- {p}" for p in exclude_pats]) or "- (none)") - + """\n -## Managed directories -""" - + ("\n".join([f"- {d.get('path')}" for d in managed_dirs]) or "- (none)") - + """\n -## Managed files -""" - + ("\n".join([f"- {mf.get('path')}" for mf in managed_files]) or "- (none)") - + """\n -## Excluded -""" - + ( - "\n".join([f"- {e.get('path')} ({e.get('reason')})" for e in excluded]) - or "- (none)" - ) - + """\n -## Notes -""" - + ("\n".join([f"- {n}" for n in notes]) or "- (none)") - + """\n""" - ) - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_extra_paths_roles.append(role) - - # ------------------------- - # Service roles - # ------------------------- - for svc in services: - role = svc["role_name"] - unit = svc["unit"] - pkgs = svc.get("packages", []) or [] - managed_files = svc.get("managed_files", []) or [] - managed_dirs = svc.get("managed_dirs", []) or [] - managed_links = svc.get("managed_links", []) or [] - - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - was_active = svc.get("active_state") == "active" - unit_file_state = str(svc.get("unit_file_state") or "") - enabled_at_harvest = unit_file_state in ("enabled", "enabled-runtime") - desired_state = "started" if was_active else "stopped" - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - # Copy only the non-templated artifacts. - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other="Restart service", - notify_systemd="Run systemd daemon-reload", - ) - - links_var = _build_managed_links_var(managed_links) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - base_vars: Dict[str, Any] = { - f"{var_prefix}_unit_name": unit, - f"{var_prefix}_packages": pkgs, - f"{var_prefix}_managed_files": files_var, - f"{var_prefix}_managed_dirs": dirs_var, - f"{var_prefix}_managed_links": links_var, - f"{var_prefix}_manage_unit": True, - f"{var_prefix}_systemd_enabled": bool(enabled_at_harvest), - f"{var_prefix}_systemd_state": desired_state, - } - base_vars = _merge_mappings_overwrite(base_vars, jt_map) - - if site_mode: - # Role defaults are host-agnostic/safe; all harvested state is in host_vars. - _write_role_defaults( - role_dir, - { - f"{var_prefix}_unit_name": unit, - f"{var_prefix}_packages": [], - f"{var_prefix}_managed_files": [], - f"{var_prefix}_managed_dirs": [], - f"{var_prefix}_managed_links": [], - f"{var_prefix}_manage_unit": False, - f"{var_prefix}_systemd_enabled": False, - f"{var_prefix}_systemd_state": "stopped", - }, - ) - _write_hostvars(out_dir, fqdn or "", role, base_vars) - else: - _write_role_defaults(role_dir, base_vars) - - handlers = f"""--- -- name: Run systemd daemon-reload - ansible.builtin.systemd: - daemon_reload: true - -- name: Restart service - ansible.builtin.service: - name: "{{{{ {var_prefix}_unit_name }}}}" - state: restarted - when: - - {var_prefix}_manage_unit | default(false) - - ({var_prefix}_systemd_state | default('stopped')) == 'started' -""" - with open( - os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(handlers) - - task_parts: List[str] = [] - task_parts.append("---\n" + _render_install_packages_tasks(role, var_prefix)) - - task_parts.append( - _render_generic_files_tasks(var_prefix, include_restart_notify=True) - ) - - task_parts.append( - f"""- name: Probe whether systemd unit exists and is manageable - ansible.builtin.systemd: - name: "{{{{ {var_prefix}_unit_name }}}}" - check_mode: true - register: _unit_probe - failed_when: false - changed_when: false - when: {var_prefix}_manage_unit | default(false) - -- name: Ensure unit enablement matches harvest - ansible.builtin.systemd: - name: "{{{{ {var_prefix}_unit_name }}}}" - enabled: "{{{{ {var_prefix}_systemd_enabled | bool }}}}" - when: - - {var_prefix}_manage_unit | default(false) - - _unit_probe is succeeded - -- name: Ensure unit running state matches harvest - ansible.builtin.systemd: - name: "{{{{ {var_prefix}_unit_name }}}}" - state: "{{{{ {var_prefix}_systemd_state }}}}" - when: - - {var_prefix}_manage_unit | default(false) - - _unit_probe is succeeded -""" - ) - - tasks = "\n".join(task_parts).rstrip() + "\n" - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks) - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - excluded = svc.get("excluded", []) - notes = svc.get("notes", []) - readme = f"""# {role} - -Generated from `{unit}`. - -## Packages -{os.linesep.join("- " + p for p in pkgs) or "- (none detected)"} - -## Managed files -{os.linesep.join("- " + mf["path"] + " (" + mf["reason"] + ")" for mf in managed_files) or "- (none)"} - -## Managed symlinks -{os.linesep.join("- " + ml["path"] + " -> " + ml["target"] + " (" + ml.get("reason", "") + ")" for ml in managed_links) or "- (none)"} - -## Excluded (possible secrets / unsafe) -{os.linesep.join("- " + e["path"] + " (" + e["reason"] + ")" for e in excluded) or "- (none)"} - -## Notes -{os.linesep.join("- " + n for n in notes) or "- (none)"} -""" - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_service_roles.append(role) - - # ------------------------- - # Manually installed package roles - # ------------------------- - for pr in package_roles: - role = pr["role_name"] - pkg = pr.get("package") or "" - managed_files = pr.get("managed_files", []) or [] - managed_dirs = pr.get("managed_dirs", []) or [] - managed_links = pr.get("managed_links", []) or [] - - role_dir = os.path.join(roles_root, role) - _write_role_scaffold(role_dir) - - var_prefix = role - - templated, jt_vars = _jinjify_managed_files( - bundle_dir, - role, - role_dir, - managed_files, - jt_exe=jt_exe, - jt_enabled=jt_enabled, - overwrite_templates=not site_mode, - ) - - # Copy only the non-templated artifacts. - if site_mode: - _copy_artifacts( - bundle_dir, - role, - _host_role_files_dir(out_dir, fqdn or "", role), - exclude_rels=templated, - ) - else: - _copy_artifacts( - bundle_dir, - role, - os.path.join(role_dir, "files"), - exclude_rels=templated, - ) - - pkgs = [pkg] if pkg else [] - - files_var = _build_managed_files_var( - managed_files, - templated, - notify_other=None, - notify_systemd="Run systemd daemon-reload", - ) - - links_var = _build_managed_links_var(managed_links) - - dirs_var = _build_managed_dirs_var(managed_dirs) - - jt_map = _yaml_load_mapping(jt_vars) if jt_vars.strip() else {} - base_vars: Dict[str, Any] = { - f"{var_prefix}_packages": pkgs, - f"{var_prefix}_managed_files": files_var, - f"{var_prefix}_managed_dirs": dirs_var, - f"{var_prefix}_managed_links": links_var, - } - base_vars = _merge_mappings_overwrite(base_vars, jt_map) - - if site_mode: - _write_role_defaults( - role_dir, - { - f"{var_prefix}_packages": [], - f"{var_prefix}_managed_files": [], - f"{var_prefix}_managed_dirs": [], - f"{var_prefix}_managed_links": [], - }, - ) - _write_hostvars(out_dir, fqdn or "", role, base_vars) - else: - _write_role_defaults(role_dir, base_vars) - - handlers = """--- -- name: Run systemd daemon-reload - ansible.builtin.systemd: - daemon_reload: true -""" - with open( - os.path.join(role_dir, "handlers", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(handlers) - - task_parts: List[str] = [] - task_parts.append("---\n" + _render_install_packages_tasks(role, var_prefix)) - task_parts.append( - _render_generic_files_tasks(var_prefix, include_restart_notify=False) - ) - - tasks = "\n".join(task_parts).rstrip() + "\n" - with open( - os.path.join(role_dir, "tasks", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write(tasks) - - with open( - os.path.join(role_dir, "meta", "main.yml"), "w", encoding="utf-8" - ) as f: - f.write("---\ndependencies: []\n") - - excluded = pr.get("excluded", []) - notes = pr.get("notes", []) - readme = f"""# {role} - -Generated for package `{pkg}`. - -## Managed files -{os.linesep.join("- " + mf["path"] + " (" + mf["reason"] + ")" for mf in managed_files) or "- (none)"} - -## Managed symlinks -{os.linesep.join("- " + ml["path"] + " -> " + ml["target"] + " (" + ml.get("reason", "") + ")" for ml in managed_links) or "- (none)"} - -## Excluded (possible secrets / unsafe) -{os.linesep.join("- " + e["path"] + " (" + e["reason"] + ")" for e in excluded) or "- (none)"} - -## Notes -{os.linesep.join("- " + n for n in notes) or "- (none)"} - -> Note: package roles (those not discovered via a systemd service) do not attempt to restart or enable services automatically. -""" - with open(os.path.join(role_dir, "README.md"), "w", encoding="utf-8") as f: - f.write(readme) - - manifested_pkg_roles.append(role) - # Place cron/logrotate at the end of the playbook so: - # - users exist before we restore per-user crontabs in /var/spool - # - most packages/services are installed/configured first - tail_roles: List[str] = [] - for r in ("cron", "logrotate"): - if r in manifested_pkg_roles: - tail_roles.append(r) - - main_pkg_roles = [r for r in manifested_pkg_roles if r not in set(tail_roles)] - - all_roles = ( - manifested_apt_config_roles - + manifested_dnf_config_roles - + main_pkg_roles - + manifested_service_roles - + manifested_etc_custom_roles - + manifested_usr_local_custom_roles - + manifested_extra_paths_roles - + manifested_users_roles - + tail_roles - + manifested_firewall_runtime_roles - ) - - if site_mode: - _write_playbook_host( - os.path.join(out_dir, "playbooks", f"{fqdn}.yml"), fqdn or "", all_roles - ) - else: - _write_playbook_all(os.path.join(out_dir, "playbook.yml"), all_roles) - - def manifest( bundle_dir: str, out: str, @@ -2221,8 +174,10 @@ def manifest( fqdn: Optional[str] = None, jinjaturtle: str = "auto", # auto|on|off sops_fingerprints: Optional[List[str]] = None, + no_common_roles: bool = False, + target: str = "ansible", ) -> Optional[str]: - """Render an Ansible manifest from a harvest. + """Render a configuration-management manifest from a harvest. Plain mode: - `bundle_dir` must be a directory @@ -2238,6 +193,11 @@ def manifest( - In SOPS mode: the path to the encrypted manifest bundle (.sops) - In plain mode: None """ + target = (target or "ansible").strip().lower() + if target not in {"ansible", "puppet", "salt"}: + raise ValueError(f"unsupported manifest target: {target!r}") + fqdn = validate_site_fqdn(fqdn) + sops_mode = bool(sops_fingerprints) # Decrypt/extract the harvest bundle if needed. @@ -2247,10 +207,39 @@ def manifest( td_out: Optional[tempfile.TemporaryDirectory] = None try: - if not sops_mode: - _manifest_from_bundle_dir( - resolved_bundle_dir, out, fqdn=fqdn, jinjaturtle=jinjaturtle + validation = validate_harvest(resolved_bundle_dir) + if not validation.ok: + raise RuntimeError( + "harvest state does not match this Enroll version's schema; " + "please re-harvest the host with this version of Enroll.\n" + + validation.to_text().strip() ) + + if not sops_mode: + if target == "puppet": + manifest_puppet_from_bundle_dir( + resolved_bundle_dir, + out, + fqdn=fqdn, + no_common_roles=no_common_roles, + jinjaturtle=jinjaturtle, + ) + elif target == "salt": + manifest_salt_from_bundle_dir( + resolved_bundle_dir, + out, + fqdn=fqdn, + no_common_roles=no_common_roles, + jinjaturtle=jinjaturtle, + ) + else: + manifest_ansible_from_bundle_dir( + resolved_bundle_dir, + out, + fqdn=fqdn, + jinjaturtle=jinjaturtle, + no_common_roles=no_common_roles, + ) return None # SOPS mode: generate into a secure temp dir, then tar+encrypt into a single file. @@ -2258,15 +247,31 @@ def manifest( td_out = tempfile.TemporaryDirectory(prefix="enroll-manifest-") tmp_out = Path(td_out.name) / "out" - tmp_out.mkdir(parents=True, exist_ok=True) - try: - os.chmod(tmp_out, 0o700) - except OSError: - pass - _manifest_from_bundle_dir( - resolved_bundle_dir, str(tmp_out), fqdn=fqdn, jinjaturtle=jinjaturtle - ) + if target == "puppet": + manifest_puppet_from_bundle_dir( + resolved_bundle_dir, + str(tmp_out), + fqdn=fqdn, + no_common_roles=no_common_roles, + jinjaturtle=jinjaturtle, + ) + elif target == "salt": + manifest_salt_from_bundle_dir( + resolved_bundle_dir, + str(tmp_out), + fqdn=fqdn, + no_common_roles=no_common_roles, + jinjaturtle=jinjaturtle, + ) + else: + manifest_ansible_from_bundle_dir( + resolved_bundle_dir, + str(tmp_out), + fqdn=fqdn, + jinjaturtle=jinjaturtle, + no_common_roles=no_common_roles, + ) enc = _encrypt_manifest_out_dir_to_sops( tmp_out, out_file, list(sops_fingerprints or []) diff --git a/enroll/manifest_safety.py b/enroll/manifest_safety.py new file mode 100644 index 0000000..c7e64e1 --- /dev/null +++ b/enroll/manifest_safety.py @@ -0,0 +1,258 @@ +from __future__ import annotations + +import os +import re +import shutil +import stat +from pathlib import Path +from typing import Iterator, Tuple + +from .harvest_safety import ( + OutputSafetyError, + ensure_safe_output_parent, + prepare_new_private_dir, +) + + +class ArtifactSafetyError(RuntimeError): + """Raised when a harvest artifact path is unsafe to consume.""" + + +class ManifestOutputError(RuntimeError): + """Raised when a manifest output path is unsafe to use.""" + + +_SITE_FQDN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,252}$") + + +def validate_site_fqdn(value: str | None) -> str | None: + """Validate the optional site-mode host name/FQDN. + + Renderers use this value in inventory data and, for Ansible, in output + paths. Keep it deliberately conservative so it cannot become a path + separator, absolute path, YAML/INI newline injection, or shell-ish text in + generated documentation/commands. + """ + + if value is None: + return None + text = str(value).strip() + if not text: + return None + if any(ch in text for ch in ("/", "\\", "\x00", "\n", "\r")): + raise ManifestOutputError( + "--fqdn contains unsafe path or newline characters; use a simple " + "host/inventory name" + ) + if text in {".", ".."} or not _SITE_FQDN_RE.fullmatch(text): + raise ManifestOutputError( + "--fqdn must start with a letter or digit and contain only " + "letters, digits, dot, underscore, or hyphen" + ) + return text + + +def _assert_no_output_symlinks(root: Path) -> None: + """Reject pre-existing symlinks in an output tree we are about to merge into. + + Non-site mode refuses existing output directories entirely. Site/FQDN modes + intentionally accumulate multiple nodes into one tree, so reject symlinks in + the tree before merging to avoid writes being redirected outside *root*. + Version-control metadata can contain implementation-specific entries and is + not part of Enroll's generated layout, so it is pruned from this check. + """ + + skip_dirs = {".git", ".hg", ".svn"} + for dirpath, dirnames, filenames in os.walk(root, followlinks=False): + dirpath_p = Path(dirpath) + + for dirname in list(dirnames): + if dirname in skip_dirs: + dirnames.remove(dirname) + continue + p = dirpath_p / dirname + try: + st = p.lstat() + except FileNotFoundError: + continue + if stat.S_ISLNK(st.st_mode): + raise ManifestOutputError( + f"manifest output tree contains a symlink; refusing to merge: {p}" + ) + + for filename in filenames: + if filename in skip_dirs: + continue + p = dirpath_p / filename + try: + st = p.lstat() + except FileNotFoundError: + continue + if stat.S_ISLNK(st.st_mode): + raise ManifestOutputError( + f"manifest output tree contains a symlink; refusing to merge: {p}" + ) + + +def _safe_relative_path(value: str, *, field: str) -> Path: + text = str(value or "").strip() + if not text: + raise ArtifactSafetyError(f"empty {field}") + if "\x00" in text: + raise ArtifactSafetyError(f"{field} contains NUL byte: {text!r}") + p = Path(text) + if p.is_absolute(): + raise ArtifactSafetyError(f"{field} must be relative: {text!r}") + if any(part in {"", ".", ".."} for part in p.parts): + raise ArtifactSafetyError(f"{field} contains unsafe path component: {text!r}") + return p + + +def prepare_manifest_output_dir( + out_dir: str | Path, *, allow_existing: bool = False +) -> Path: + """Create a manifest output directory, refusing unsafe root output paths. + + Rendering a manifest may be run by root and may target configuration- + management trees. Refuse an existing path rather than deleting or merging + with it by default; callers that intentionally support accumulation, such + as --fqdn site mode, may allow an existing directory but never a symlink, + non-directory path, symlinked parent, or root-unsafe parent. + """ + + out = Path(out_dir).expanduser() + if os.path.lexists(out): + if not allow_existing: + raise ManifestOutputError( + "manifest output path already exists; refusing to overwrite: " f"{out}" + ) + try: + ensure_safe_output_parent( + out / ".enroll-manifest-output-check", label="manifest output" + ) + except OutputSafetyError as e: + raise ManifestOutputError(str(e)) from e + st = out.lstat() + if stat.S_ISLNK(st.st_mode): + raise ManifestOutputError( + f"manifest output path is a symlink; refusing to use: {out}" + ) + if not out.is_dir(): + raise ManifestOutputError( + f"manifest output path exists but is not a directory: {out}" + ) + _assert_no_output_symlinks(out) + return out + try: + return prepare_new_private_dir(out, label="manifest output") + except OutputSafetyError as e: + raise ManifestOutputError(str(e)) from e + + +def _assert_no_symlink_components(path: Path, *, root: Path) -> None: + """Reject symlinks in any existing path component between root and path.""" + + try: + rel = path.relative_to(root) + except ValueError as e: + raise ArtifactSafetyError(f"artifact path escapes artifact root: {path}") from e + + cur = root + for part in rel.parts: + cur = cur / part + try: + st = cur.lstat() + except FileNotFoundError: + # Missing components are handled by the final caller where relevant. + return + if stat.S_ISLNK(st.st_mode): + raise ArtifactSafetyError(f"artifact path contains symlink: {cur}") + + +def safe_artifact_file(bundle_dir: str | Path, role: str, src_rel: str) -> Path: + """Return a harvested artifact file path only if it is safe to copy. + + The path must remain under artifacts/, contain no absolute or '..' + components, contain no symlinks in any path component, and refer to a + regular, non-hardlinked file. This deliberately mirrors the tar extraction + hardening used for remote/SOPS/plain tarball bundles, but applies it to + directory bundles too. + """ + + role_path = _safe_relative_path(role, field="artifact role") + src_path = _safe_relative_path(src_rel, field="artifact src_rel") + + artifacts_root = Path(bundle_dir).expanduser() / "artifacts" + root = artifacts_root / role_path + candidate = root / src_path + + if artifacts_root.exists(): + st = artifacts_root.lstat() + if stat.S_ISLNK(st.st_mode): + raise ArtifactSafetyError( + f"artifacts directory is a symlink: {artifacts_root}" + ) + + if root.exists(): + _assert_no_symlink_components(root, root=artifacts_root) + + _assert_no_symlink_components(candidate, root=artifacts_root) + + try: + st = candidate.lstat() + except FileNotFoundError: + raise + + if stat.S_ISLNK(st.st_mode): + raise ArtifactSafetyError(f"artifact is a symlink: {candidate}") + if not stat.S_ISREG(st.st_mode): + raise ArtifactSafetyError(f"artifact is not a regular file: {candidate}") + if st.st_nlink > 1: + raise ArtifactSafetyError(f"artifact is hardlinked: {candidate}") + + resolved_root = artifacts_root.resolve(strict=True) + resolved_candidate = candidate.resolve(strict=True) + try: + resolved_candidate.relative_to(resolved_root) + except ValueError as e: + raise ArtifactSafetyError( + f"artifact path escapes artifact root: {candidate}" + ) from e + + return candidate + + +def iter_safe_artifact_files( + bundle_dir: str | Path, role: str +) -> Iterator[Tuple[Path, str]]: + """Yield safe artifact files for a role as (path, src_rel).""" + + role_path = _safe_relative_path(role, field="artifact role") + artifacts_dir = Path(bundle_dir).expanduser() / "artifacts" / role_path + if not artifacts_dir.exists(): + return + if not artifacts_dir.is_dir(): + raise ArtifactSafetyError( + f"artifact role path is not a directory: {artifacts_dir}" + ) + + for root, dirs, files in os.walk(artifacts_dir, followlinks=False): + root_p = Path(root) + for dirname in list(dirs): + p = root_p / dirname + try: + st = p.lstat() + except FileNotFoundError: + continue + if stat.S_ISLNK(st.st_mode): + raise ArtifactSafetyError(f"artifact directory is a symlink: {p}") + for filename in files: + p = root_p / filename + rel = p.relative_to(artifacts_dir).as_posix() + yield safe_artifact_file(bundle_dir, role, rel), rel + + +def copy_safe_artifact_file(src: str | Path, dst: str | Path) -> None: + """Copy an already validated artifact file without following symlinks.""" + + shutil.copy2(src, dst, follow_symlinks=False) diff --git a/enroll/package_hints.py b/enroll/package_hints.py new file mode 100644 index 0000000..b710ed2 --- /dev/null +++ b/enroll/package_hints.py @@ -0,0 +1,126 @@ +from __future__ import annotations + +import re +from typing import Dict, List, Optional, Set + +from .role_names import avoid_reserved_role_name + + +# Directories that are shared across many packages. Never attribute all unowned +# files in these trees to one single package. +SHARED_ETC_TOPDIRS = { + "apparmor.d", + "apt", + "cron.d", + "cron.daily", + "cron.weekly", + "cron.monthly", + "cron.hourly", + "default", + "init.d", + "logrotate.d", + "modprobe.d", + "network", + "pam.d", + "ssh", + "ssl", + "sudoers.d", + "sysctl.d", + "systemd", + # RPM-family shared trees + "dnf", + "yum", + "yum.repos.d", + "sysconfig", + "pki", + "firewalld", +} + + +def safe_name(s: str) -> str: + out: List[str] = [] + for ch in s: + out.append(ch if ch.isalnum() or ch in ("_", "-") else "_") + return "".join(out).replace("-", "_") + + +def role_id(raw: str) -> str: + # normalise separators first + s = re.sub(r"[^A-Za-z0-9]+", "_", raw) + # split CamelCase -> snake_case + s = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", s) + s = s.lower() + s = re.sub(r"_+", "_", s).strip("_") + if not re.match(r"^[a-z_]", s): + s = "r_" + s + return s + + +def role_name_from_unit(unit: str) -> str: + base = role_id(unit.removesuffix(".service")) + return avoid_reserved_role_name(safe_name(base), prefix="service") + + +def role_name_from_pkg(pkg: str) -> str: + return avoid_reserved_role_name(safe_name(pkg), prefix="package") + + +def package_section_from_installations( + installs: List[Dict[str, str]], +) -> Optional[str]: + """Return a stable package grouping label from installed package metadata.""" + + values: Set[str] = set() + for inst in installs or []: + value = (inst.get("section") or inst.get("group") or "").strip() + if not value: + continue + if value.lower() in {"(none)", "none", "unspecified"}: + continue + values.add(value) + + if not values: + return None + return sorted(values)[0] + + +def hint_names(unit: str, pkgs: Set[str]) -> Set[str]: + base = unit.removesuffix(".service") + hints = {base} + if "@" in base: + hints.add(base.split("@", 1)[0]) + hints |= set(pkgs) + hints |= {h.split(".", 1)[0] for h in list(hints) if "." in h} + return {h for h in hints if h} + + +def add_pkgs_from_etc_topdirs( + hints: Set[str], topdir_to_pkgs: Dict[str, Set[str]], pkgs: Set[str] +) -> None: + """Expand a service's package set using package-owned /etc top-level dirs.""" + + for h in hints: + for top in (h, f"{h}.d"): + if top in SHARED_ETC_TOPDIRS: + continue + for p in topdir_to_pkgs.get(top, set()): + pkgs.add(p) + + +def maybe_add_specific_paths(hints: Set[str], backend) -> List[str]: + # Delegate to backend-specific conventions (e.g. /etc/default on Debian, + # /etc/sysconfig on Fedora/RHEL). Always include sysctl.d. + try: + return backend.specific_paths_for_hints(hints) + except Exception: + # Best-effort fallback (Debian-ish). + paths: List[str] = [] + for h in hints: + paths.extend( + [ + f"/etc/default/{h}", + f"/etc/init.d/{h}", + f"/etc/sysctl.d/{h}.conf", + ] + ) + return paths diff --git a/enroll/puppet.py b/enroll/puppet.py new file mode 100644 index 0000000..baf7596 --- /dev/null +++ b/enroll/puppet.py @@ -0,0 +1,1840 @@ +from __future__ import annotations + +import hashlib +import json +import re +import shlex +from pathlib import Path +from typing import Any, Dict, Iterable, List, Optional, Set, Tuple + +import yaml + +from .cm import ( + CMModule, + resolve_catalog_conflicts, + role_order_key, + markdown_list, +) +from .manifest_safety import ( + copy_safe_artifact_file, + prepare_manifest_output_dir, + safe_artifact_file, +) +from .render_safety import puppet_hiera_safe_data +from .state import inventory_packages_from_state, roles_from_state +from .jinjaturtle import ( + can_jinjify_path, + jinjify_artifact, + managed_file_var_prefix, + resolve_jinjaturtle_mode, +) + + +class PuppetRole(CMModule): + """Puppet-specific view of a renderer-neutral CMModule.""" + + def __init__(self, role_name: str) -> None: + super().__init__( + role_name=role_name, + module_name=_puppet_name(role_name, fallback="enroll_role"), + ) + self.container_images: List[Dict[str, Any]] = [] + self.flatpak_remotes: List[Dict[str, Any]] = [] + self.flatpaks: List[Dict[str, Any]] = [] + self.snaps: List[Dict[str, Any]] = [] + self.template_hiera: Dict[str, Any] = {} + + def has_resources(self) -> bool: + return self.has_resources_or_attrs( + "container_images", "flatpak_remotes", "flatpaks", "snaps" + ) + + def add_service_snapshot(self, snap: Dict[str, Any]) -> None: + self.add_service_snapshot_state( + snap, state_key="ensure", running="running", stopped="stopped" + ) + + def add_users_snapshot(self, snap: Dict[str, Any]) -> None: + records = self.user_records_from_snapshot(snap) + self.groups.update(self.user_group_names_from_records(records)) + for record in records: + name = str(record.get("name") or "") + self.users[name] = { + "name": name, + "uid": record.get("uid"), + "gid": record.get("gid"), + "primary_group": record.get("primary_group") or None, + "home": record.get("home"), + "shell": record.get("shell"), + "gecos": record.get("gecos"), + "supplementary_groups": record.get("supplementary_groups") or [], + } + + self.add_user_flatpaks_snapshot(snap) + + def prepare_flatpak_remote(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _prepare_flatpak_remote(item) + + def prepare_flatpak_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _prepare_flatpak_item(item) + + def prepare_snap_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _prepare_snap_item(item) + + def add_firewall_runtime_snapshot( + self, + snap: Dict[str, Any], + *, + bundle_dir: str, + artifact_role: str, + module_files_dir: Path, + file_prefix: Optional[str] = None, + ) -> None: + super().add_firewall_runtime_snapshot( + snap, + bundle_dir=bundle_dir, + artifact_role=artifact_role, + files_dir=module_files_dir, + copy_artifact=_copy_artifact, + source_uri=_source_uri, + file_prefix=file_prefix, + dir_attrs={"require": "File['/etc/enroll']"}, + ) + + def add_container_images_snapshot(self, snap: Dict[str, Any]) -> None: + for raw in snap.get("images", []) or []: + if not isinstance(raw, dict): + continue + engine = str(raw.get("engine") or "").strip().lower() + pull_ref = str(raw.get("pull_ref") or "").strip() + if engine not in {"docker", "podman"}: + continue + if not pull_ref: + tags = ", ".join(str(t) for t in (raw.get("repo_tags") or []) if t) + label = tags or str(raw.get("image_id") or "unknown image") + self.notes.append( + f"Container image {label} has no RepoDigest; exact Puppet pull resource was not rendered." + ) + continue + item = dict(raw) + item["engine"] = engine + item["pull_ref"] = pull_ref + item["scope"] = str(item.get("scope") or "system").strip() or "system" + image_name, image_digest = _split_digest_ref(pull_ref) + item["image"] = image_name + item["image_digest"] = image_digest + item["tag_aliases"] = [ + dict(alias) + for alias in (item.get("tag_aliases") or []) + if isinstance(alias, dict) and alias.get("ref") + ] + item["pull_cmd"] = _container_pull_cmd(engine, pull_ref) + item["pull_unless"] = _container_exists_cmd(engine, pull_ref) + for alias in item["tag_aliases"]: + alias_ref = str(alias.get("ref") or "") + alias["tag_cmd"] = _container_tag_cmd(engine, pull_ref, alias_ref) + alias["tag_unless"] = _container_exists_cmd(engine, alias_ref) + self.container_images.append(item) + for note in snap.get("notes", []) or []: + self.notes.append(str(note)) + + def add_managed_content( + self, + snap: Dict[str, Any], + *, + bundle_dir: str, + artifact_role: str, + module_files_dir: Path, + module_templates_dir: Optional[Path] = None, + file_prefix: Optional[str] = None, + notify_services: Optional[List[str]] = None, + jt_exe: Optional[str] = None, + jt_enabled: bool = False, + overwrite_templates: bool = True, + ) -> None: + for d in self.managed_dirs_from_snapshot(snap): + path = str(d.get("path") or "").strip() + self.add_managed_dir( + path, + owner=d.get("owner") or "root", + group=d.get("group") or "root", + mode=d.get("mode") or "0755", + reason=d.get("reason") or "managed_dir", + ) + + managed_files = list(self.managed_files_from_snapshot(snap)) + candidates = [ + mf + for mf in managed_files + if str(mf.get("path") or "") + and str(mf.get("src_rel") or "") + and can_jinjify_path(str(mf.get("path") or "")) + ] + namespace_by_file = len(candidates) > 1 + + for mf in managed_files: + path = str(mf.get("path") or "").strip() + src_rel = str(mf.get("src_rel") or "").strip() + if not path or not src_rel: + continue + + template_rel: Optional[str] = None + if module_templates_dir is not None: + role_prefix = ( + managed_file_var_prefix(self.module_name, src_rel) + if namespace_by_file + else self.module_name + ) + converted = jinjify_artifact( + bundle_dir, + artifact_role, + src_rel, + path, + module_templates_dir, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=overwrite_templates, + role_name=role_prefix, + template_engine="erb", + puppet_class=self.module_name, + ) + if converted is not None: + template_rel = converted.template_rel + self.template_hiera.update(converted.context) + + attrs: Dict[str, Any] = { + "owner": mf.get("owner") or "root", + "group": mf.get("group") or "root", + "mode": mf.get("mode") or "0644", + "reason": mf.get("reason") or "managed_file", + } + if template_rel is not None: + attrs["template"] = f"{self.module_name}/{template_rel}" + else: + module_rel = _copy_artifact( + bundle_dir, + artifact_role, + src_rel, + module_files_dir, + dst_prefix=file_prefix, + ) + if not module_rel: + self.notes.append( + f"Skipped {path}: harvested artifact {artifact_role}/{src_rel} was not present." + ) + continue + attrs["source"] = _source_uri(self.module_name, module_rel) + if notify_services and not path.startswith("/etc/systemd/system/"): + notify_units = [unit for unit in notify_services if str(unit).strip()] + notify_value = _service_notify_value(notify_units) + if notify_value: + attrs["notify"] = notify_value + attrs["notify_services"] = notify_units + attrs["_notify_services"] = notify_units + self.add_managed_file(path, **attrs) + + for ml in self.managed_links_from_snapshot(snap): + path = str(ml.get("path") or "").strip() + target = str(ml.get("target") or "").strip() + if not path or not target: + continue + self.add_managed_link( + path, + target=target, + reason=ml.get("reason") or "managed_link", + ) + + self.remove_directory_resource_conflicts() + + +# https://help.puppet.com/core/current/Content/PuppetCore/lang_reserved_words.htm +_RESERVED_PUPPET_NAMES = { + "and", + "application", + "attr", + "case", + "component", + "consumes", + "default", + "define", + "elsif", + "environment", + "false", + "function", + "if", + "import", + "in", + "init", + "inherits", + "node", + "or", + "private", + "produces", + "regexp", + "site", + "true", + "type", + "undef", + "unit", + "unless", +} + + +def _puppet_name(raw: str, *, fallback: str = "role") -> str: + s = re.sub(r"[^A-Za-z0-9_]+", "_", raw or fallback) + s = re.sub(r"_+", "_", s).strip("_").lower() + if not s: + s = fallback + if not re.match(r"^[a-z]", s): + s = f"{fallback}_{s}" + if s in _RESERVED_PUPPET_NAMES: + s = f"{fallback}_{s}" + return s + + +# Control characters (C0 range plus DEL) that should never appear raw inside a +# generated Puppet manifest scalar. They cannot occur in values harvested from a +# live host (e.g. /etc/passwd GECOS is newline-delimited), so their presence +# indicates a hand-edited or tampered harvest. Emitting them verbatim is valid +# Puppet but produces multi-line / control-laden manifests; normalise them into +# explicit escapes instead. +_PP_CONTROL_CHARS = frozenset(chr(c) for c in range(0x20)) | {"\x7f"} + +# Puppet double-quoted recognised single-character escapes. +_PP_DQ_ESCAPES = { + "\n": "\\n", + "\t": "\\t", + "\r": "\\r", + "\\": "\\\\", + '"': '\\"', + "$": "\\$", +} + + +def _pp_quote_double(s: str) -> str: + """Render a Puppet double-quoted string with control characters escaped. + + Only used as a fallback when a value contains raw control characters, so the + common case stays single-quoted and byte-identical to historical output. + """ + + out = [] + for ch in s: + esc = _PP_DQ_ESCAPES.get(ch) + if esc is not None: + out.append(esc) + elif ch in _PP_CONTROL_CHARS: + # Puppet supports \uXXXX style escapes inside double-quoted strings. + out.append(f"\\u{{{ord(ch):04x}}}") + else: + out.append(ch) + return '"' + "".join(out) + '"' + + +def _pp_quote(value: Any) -> str: + s = str(value) + # Puppet single-quoted strings only honour \\ and \' escapes; everything + # else (including a literal newline) is taken verbatim. That is safe but lets + # a tampered harvest splatter raw control characters across the manifest. + # When any are present, fall back to a double-quoted string where they can be + # neutralised into explicit escapes. + if any(ch in _PP_CONTROL_CHARS for ch in s): + return _pp_quote_double(s) + s = s.replace("\\", "\\\\").replace("'", "\\'") + return f"'{s}'" + + +def _pp_bool(value: bool) -> str: + return "true" if bool(value) else "false" + + +def _shell_quote(value: Any) -> str: + return shlex.quote(str(value or "")) + + +def _split_digest_ref(value: Any) -> Tuple[str, Optional[str]]: + text = str(value or "").strip() + if "@" not in text: + return text, None + image, digest = text.split("@", 1) + return image, digest + + +def _container_pull_cmd(engine: str, pull_ref: str) -> str: + return f"{engine} pull {_shell_quote(pull_ref)}" + + +def _container_exists_cmd(engine: str, ref: str) -> str: + if engine == "podman": + return f"podman image exists {_shell_quote(ref)}" + return f"docker image inspect {_shell_quote(ref)} >/dev/null 2>&1" + + +def _container_tag_cmd(engine: str, pull_ref: str, tag_ref: str) -> str: + return f"{engine} tag {_shell_quote(pull_ref)} {_shell_quote(tag_ref)}" + + +def _flatpak_scope(item: Dict[str, Any]) -> str: + return "--user" if str(item.get("method") or "system") == "user" else "--system" + + +def _flatpak_home(item: Dict[str, Any]) -> Optional[str]: + user = str(item.get("user") or "").strip() + if not user: + return None + return str(item.get("home") or f"/home/{user}") + + +def _flatpak_exec_env(item: Dict[str, Any]) -> List[str]: + home = _flatpak_home(item) + if not home: + return [] + return [f"HOME={home}", f"XDG_DATA_HOME={home}/.local/share"] + + +def _flatpak_remote_exists_cmd(item: Dict[str, Any]) -> str: + return ( + f"flatpak {_flatpak_scope(item)} remote-list --columns=name " + f"| grep -Fx -- {_shell_quote(item.get('name'))}" + ) + + +def _flatpak_remote_add_cmd(item: Dict[str, Any]) -> str: + return ( + f"flatpak {_flatpak_scope(item)} remote-add --if-not-exists " + f"{_shell_quote(item.get('name'))} {_shell_quote(item.get('url'))}" + ) + + +def _flatpak_ref(item: Dict[str, Any]) -> str: + ref = str(item.get("ref") or "").strip() + if ref: + return ref + return str(item.get("name") or "").strip() + + +def _flatpak_exists_cmd(item: Dict[str, Any]) -> str: + return f"flatpak {_flatpak_scope(item)} info {_shell_quote(_flatpak_ref(item))} >/dev/null 2>&1" + + +def _flatpak_install_cmd(item: Dict[str, Any]) -> str: + args = ["flatpak", _flatpak_scope(item), "install", "-y"] + remote = str(item.get("remote") or "").strip() + if remote: + args.append(remote) + args.append(_flatpak_ref(item)) + return " ".join(_shell_quote(arg) for arg in args) + + +def _prepare_flatpak_remote(item: Dict[str, Any]) -> Dict[str, Any]: + out = dict(item) + method = str(out.get("method") or "system") + user = str(out.get("user") or "") + name = str(out.get("name") or "") + out["state_id"] = _state_title("flatpak-remote", f"{method}-{user}-{name}") + out["add_cmd"] = _flatpak_remote_add_cmd(out) + out["exists_cmd"] = _flatpak_remote_exists_cmd(out) + out["environment"] = _flatpak_exec_env(out) + return out + + +def _prepare_flatpak_item(item: Dict[str, Any]) -> Dict[str, Any]: + out = dict(item) + method = str(out.get("method") or "system") + user = str(out.get("user") or "") + ref = _flatpak_ref(out) + out["state_id"] = _state_title("flatpak", f"{method}-{user}-{ref}") + out["install_cmd"] = _flatpak_install_cmd(out) + out["exists_cmd"] = _flatpak_exists_cmd(out) + out["environment"] = _flatpak_exec_env(out) + return out + + +def _snap_exists_cmd(item: Dict[str, Any]) -> str: + return f"snap list {_shell_quote(item.get('name'))} >/dev/null 2>&1" + + +def _snap_install_cmd(item: Dict[str, Any]) -> str: + args = ["snap", "install", str(item.get("name") or "")] + channel = str(item.get("channel") or "").strip() + revision = str(item.get("revision") or "").strip() + if channel: + args.append(f"--channel={channel}") + elif revision: + args.append(f"--revision={revision}") + if item.get("classic"): + args.append("--classic") + if item.get("devmode"): + args.append("--devmode") + if item.get("dangerous"): + args.append("--dangerous") + return " ".join(_shell_quote(arg) for arg in args if str(arg)) + + +def _prepare_snap_item(item: Dict[str, Any]) -> Dict[str, Any]: + out = dict(item) + name = str(out.get("name") or "") + out["state_id"] = _state_title("snap", name) + out["install_cmd"] = _snap_install_cmd(out) + out["exists_cmd"] = _snap_exists_cmd(out) + return out + + +def _pp_array(values: Iterable[Any]) -> str: + return "[" + ", ".join(_pp_quote(v) for v in values) + "]" + + +def _pp_value(value: Any) -> str: + """Render a conservative Puppet literal for generated class defaults.""" + + if value is None: + return "undef" + if isinstance(value, bool): + return _pp_bool(value) + if isinstance(value, int) and not isinstance(value, bool): + return str(value) + if isinstance(value, float): + return repr(value) + if isinstance(value, list): + return "[" + ", ".join(_pp_value(v) for v in value) + "]" + if isinstance(value, dict): + parts = [] + for key in sorted(value, key=lambda k: str(k)): + parts.append(f"{_pp_quote(key)} => {_pp_value(value[key])}") + return "{" + ", ".join(parts) + "}" + return _pp_quote(value) + + +def _template_param_defaults(prole: PuppetRole) -> Dict[str, Any]: + prefix = f"{prole.module_name}::" + out: Dict[str, Any] = {} + for key, value in prole.template_hiera.items(): + key_s = str(key) + if key_s.startswith(prefix): + local = key_s[len(prefix) :] + elif "::" in key_s: + local = key_s.split("::", 1)[1] + else: + local = key_s + if local: + out[local] = value + return out + + +def _puppet_exec_attrs( + command: str, + unless: str, + *, + item: Optional[Dict[str, Any]] = None, + require: Optional[str] = None, +) -> List[Tuple[str, str]]: + attrs: List[Tuple[str, str]] = [ + ("command", _pp_quote(command)), + ("unless", _pp_quote(unless)), + ("path", "['/usr/bin', '/bin']"), + ] + if item: + user = str(item.get("user") or "").strip() + if user: + attrs.append(("user", _pp_quote(user))) + env = item.get("environment") or _flatpak_exec_env(item) + if env: + attrs.append(("environment", _pp_array(env))) + if require: + attrs.append(("require", require)) + return attrs + + +def _resource( + lines: List[str], rtype: str, title: str, attrs: List[Tuple[str, str]] +) -> None: + lines.append(f" {rtype} {{ {_pp_quote(title)}:") + for key, value in attrs: + lines.append(f" {key} => {value},") + lines.append(" }") + lines.append("") + + +def _state_title(prefix: str, value: Any) -> str: + safe = re.sub(r"[^A-Za-z0-9_.-]+", "-", str(value or "item")).strip("-._") + if not safe: + safe = "item" + if len(safe) > 64: + digest = hashlib.sha1( + str(value).encode("utf-8", errors="replace") + ).hexdigest()[ # nosec B324 + :8 + ] + safe = safe[:48] + "-" + digest + return f"enroll-{prefix}-{safe}" + + +def _render_firewall_runtime_execs( + lines: List[str], runtime: Dict[str, Any], *, indent: str = " " +) -> None: + specs = [ + ( + "ipset", + "ipset_save", + "ipset_restore_cmd", + "enroll-firewall-runtime-ipset-restore", + ), + ( + "iptables_v4", + "iptables_v4_save", + "iptables_v4_restore_cmd", + "enroll-firewall-runtime-iptables-v4-restore", + ), + ( + "iptables_v6", + "iptables_v6_save", + "iptables_v6_restore_cmd", + "enroll-firewall-runtime-iptables-v6-restore", + ), + ] + for _family, path_key, cmd_key, title in specs: + path = str(runtime.get(path_key) or "") + command = str(runtime.get(cmd_key) or "") + if not path or not command: + continue + attrs: List[Tuple[str, str]] = [ + ("command", _pp_quote(command)), + ("path", "['/sbin', '/usr/sbin', '/bin', '/usr/bin']"), + ("refreshonly", "true"), + ("subscribe", f"File[{_pp_quote(path)}]"), + ] + lines.append(f"{indent}exec {{ {_pp_quote(title)}:") + for key, value in attrs: + lines.append(f"{indent} {key} => {value},") + lines.append(f"{indent}}}") + lines.append("") + + +def _active_service_snapshots_by_unit( + entries: Iterable[Dict[str, Any]], +) -> Dict[str, Dict[str, Any]]: + """Return active service snapshots keyed by systemd unit name.""" + + by_unit: Dict[str, Dict[str, Any]] = {} + for entry in entries: + if str(entry.get("kind") or "package") != "service": + continue + snap = entry.get("snapshot") or {} + if not isinstance(snap, dict): + continue + unit = str(snap.get("unit") or "").strip() + if not unit or str(snap.get("active_state") or "") != "active": + continue + by_unit.setdefault(unit, snap) + return by_unit + + +def _service_notify_value(units: Iterable[str]) -> Optional[str]: + refs = [f"Service[{_pp_quote(unit)}]" for unit in units if str(unit).strip()] + if not refs: + return None + return refs[0] if len(refs) == 1 else f"[{', '.join(refs)}]" + + +def _sync_service_notifications(puppet_roles: Iterable[PuppetRole]) -> None: + """Remove generated service notifications that do not target this catalog.""" + + roles = list(puppet_roles) + declared_services = {unit for role in roles for unit in role.services} + for role in roles: + for path, attrs in role.files.items(): + notify_units = [ + str(unit).strip() + for unit in (attrs.get("_notify_services") or []) + if str(unit).strip() + ] + if not notify_units: + attrs.pop("_notify_services", None) + continue + kept = [unit for unit in notify_units if unit in declared_services] + missing = sorted(set(notify_units) - set(kept)) + if missing: + role.notes.append( + "Skipped service notification for " + f"{path}: no generated Service resource for " + f"{', '.join(missing)}." + ) + notify_value = _service_notify_value(kept) + if notify_value: + attrs["notify"] = notify_value + attrs["notify_services"] = kept + else: + attrs.pop("notify", None) + attrs.pop("notify_services", None) + attrs.pop("_notify_services", None) + + +def _copy_artifact( + bundle_dir: str, + role: str, + src_rel: str, + dst_files_dir: Path, + *, + dst_prefix: Optional[str] = None, +) -> Optional[str]: + if not role or not src_rel: + return None + try: + src = safe_artifact_file(bundle_dir, role, src_rel) + except FileNotFoundError: + return None + module_rel = Path(dst_prefix or "") / src_rel + dst = dst_files_dir / module_rel + dst.parent.mkdir(parents=True, exist_ok=True) + copy_safe_artifact_file(src, dst) + return module_rel.as_posix() + + +def _source_uri(module_name: str, module_rel: str) -> str: + return f"puppet:///modules/{module_name}/{module_rel}" + + +def _node_data_filename(fqdn: str) -> str: + """Return a safe Hiera node-data filename for an FQDN/certname.""" + + name = str(fqdn or "").strip().replace("/", "_").replace("\\", "_") + return f"{name or 'node'}.yaml" + + +def _node_file_prefix(fqdn: str) -> str: + """Return a safe module-files prefix for node-specific artifacts.""" + + name = re.sub(r"[^A-Za-z0-9_.-]+", "_", str(fqdn or "").strip()) + name = name.strip("._-") or "node" + return f"nodes/{name}" + + +def _collect_puppet_roles( + state: Dict[str, Any], + bundle_dir: str, + modules_dir: Path, + *, + fqdn: Optional[str] = None, + no_common_roles: bool = False, + jt_exe: Optional[str] = None, + jt_enabled: bool = False, +) -> List[PuppetRole]: + roles = roles_from_state(state) + inventory_packages = inventory_packages_from_state(state) + use_common_modules = not fqdn and not no_common_roles + node_file_prefix = _node_file_prefix(fqdn) if fqdn else None + out: Dict[str, PuppetRole] = {} + + def ensure_role(role_name: str) -> PuppetRole: + role_name = _puppet_name(role_name, fallback="enroll_role") + return out.setdefault(role_name, PuppetRole(role_name)) + + for key in ( + "apt_config", + "dnf_config", + "etc_custom", + "usr_local_custom", + "extra_paths", + "sysctl", + ): + snap = roles.get(key) or {} + if not isinstance(snap, dict): + continue + role_name = _puppet_name( + str(snap.get("role_name") or key), fallback="enroll_role" + ) + prole = ensure_role(role_name) + module_dir = modules_dir / prole.module_name + module_files_dir = module_dir / "files" + prole.add_managed_content( + snap, + bundle_dir=bundle_dir, + artifact_role=str(snap.get("role_name") or key), + module_files_dir=module_files_dir, + module_templates_dir=module_dir / "templates", + file_prefix=node_file_prefix, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not bool(fqdn), + ) + + users_snap = roles.get("users") or {} + if isinstance(users_snap, dict): + role_name = _puppet_name( + str(users_snap.get("role_name") or "users"), fallback="enroll_role" + ) + prole = ensure_role(role_name) + prole.add_users_snapshot(users_snap) + module_dir = modules_dir / prole.module_name + prole.add_managed_content( + users_snap, + bundle_dir=bundle_dir, + artifact_role=str(users_snap.get("role_name") or "users"), + module_files_dir=module_dir / "files", + module_templates_dir=module_dir / "templates", + file_prefix=node_file_prefix, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not bool(fqdn), + ) + + package_service_entries = list( + CMModule.package_service_entries( + roles, inventory_packages, use_common_roles=use_common_modules + ) + ) + service_units_by_package = CMModule.active_service_units_by_package( + package_service_entries + ) + service_snapshots_by_unit = _active_service_snapshots_by_unit( + package_service_entries + ) + + for entry in package_service_entries: + snap = entry.get("snapshot") or {} + kind = str(entry.get("kind") or "package") + fallback = "service" if kind == "service" else "package" + source_label = str( + snap.get("role_name") or snap.get("unit") or snap.get("package") or fallback + ) + original_role_name = _puppet_name(source_label, fallback=fallback) + role_name = _puppet_name( + str(entry.get("role_label") or source_label), + fallback="package_group" if use_common_modules else fallback, + ) + prole = ensure_role(role_name) + notify_services: List[str] = [] + if kind == "service": + prole.add_service_snapshot(snap) + unit = str(snap.get("unit") or "").strip() + if unit and str(snap.get("active_state") or "") == "active": + notify_services = [unit] + else: + prole.add_package_snapshot(snap) + notify_services = CMModule.active_service_units_for_package_snapshot( + snap, service_units_by_package + ) + for unit in notify_services: + service_snap = service_snapshots_by_unit.get(unit) + if service_snap is not None: + prole.add_service_snapshot(service_snap) + module_dir = modules_dir / prole.module_name + prole.add_managed_content( + snap, + bundle_dir=bundle_dir, + artifact_role=str(snap.get("role_name") or original_role_name), + module_files_dir=module_dir / "files", + module_templates_dir=module_dir / "templates", + file_prefix=node_file_prefix, + notify_services=notify_services, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not bool(fqdn), + ) + + container_images = roles.get("container_images") or {} + if isinstance(container_images, dict) and ( + container_images.get("images") or container_images.get("notes") + ): + prole = ensure_role( + str(container_images.get("role_name") or "container_images") + ) + prole.add_container_images_snapshot(container_images) + + fw = roles.get("firewall_runtime") or {} + if isinstance(fw, dict): + has_fw = ( + fw.get("ipset_save") + or fw.get("iptables_v4_save") + or fw.get("iptables_v6_save") + ) + if has_fw: + runtime_role = ensure_role("enroll_runtime") + runtime_role.add_managed_dir( + "/etc/enroll", + owner="root", + group="root", + mode="0750", + reason="enroll_runtime", + ) + role_name = str(fw.get("role_name") or "firewall_runtime") + prole = ensure_role(role_name) + prole.add_firewall_runtime_snapshot( + fw, + bundle_dir=bundle_dir, + artifact_role=role_name, + module_files_dir=modules_dir / prole.module_name / "files", + file_prefix=node_file_prefix, + ) + + flatpak = roles.get("flatpak") or {} + if isinstance(flatpak, dict) and ( + flatpak.get("system_flatpaks") or flatpak.get("remotes") or flatpak.get("notes") + ): + prole = ensure_role(str(flatpak.get("role_name") or "flatpak")) + prole.add_flatpak_snapshot(flatpak) + + snap = roles.get("snap") or {} + if isinstance(snap, dict) and (snap.get("system_snaps") or snap.get("notes")): + prole = ensure_role(str(snap.get("role_name") or "snap")) + prole.add_snap_snapshot(snap) + + puppet_roles = sorted(out.values(), key=lambda r: role_order_key(r.role_name)) + resolve_catalog_conflicts(puppet_roles) + _sync_service_notifications(puppet_roles) + return [r for r in puppet_roles if r.has_resources()] + + +def _render_role_class(prole: PuppetRole) -> str: + has_sysctl_conf = "/etc/sysctl.d/99-enroll.conf" in prole.files + template_defaults = _template_param_defaults(prole) + params: List[str] = [] + if has_sysctl_conf: + params.extend( + [ + " Boolean $sysctl_apply = true,", + " Boolean $sysctl_ignore_apply_errors = true,", + ] + ) + for name, value in sorted(template_defaults.items()): + params.append(f" Any ${name} = {_pp_value(value)},") + + if params: + lines: List[str] = [ + "# Generated by Enroll from harvest state.", + f"class {prole.module_name} (", + *params, + ") {", + "", + ] + else: + lines = [ + "# Generated by Enroll from harvest state.", + f"class {prole.module_name} {{", + "", + ] + + for package in sorted(prole.packages): + _resource(lines, "package", package, [("ensure", _pp_quote("installed"))]) + + for group in sorted(prole.groups): + _resource(lines, "group", group, [("ensure", _pp_quote("present"))]) + + for user in [prole.users[k] for k in sorted(prole.users)]: + attrs: List[Tuple[str, str]] = [ + ("ensure", _pp_quote("present")), + ("managehome", _pp_bool(True)), + ] + if user.get("uid") is not None: + attrs.append(("uid", _pp_quote(user["uid"]))) + if user.get("primary_group"): + attrs.append(("gid", _pp_quote(user["primary_group"]))) + if user.get("home"): + attrs.append(("home", _pp_quote(user["home"]))) + if user.get("shell"): + attrs.append(("shell", _pp_quote(user["shell"]))) + if user.get("gecos"): + attrs.append(("comment", _pp_quote(user["gecos"]))) + if user.get("supplementary_groups"): + attrs.append(("groups", _pp_array(user["supplementary_groups"]))) + attrs.append(("membership", _pp_quote("minimum"))) + _resource(lines, "user", user["name"], attrs) + + for path, d in sorted(prole.dirs.items()): + _resource( + lines, + "file", + path, + [ + ("ensure", _pp_quote("directory")), + ("owner", _pp_quote(d.get("owner") or "root")), + ("group", _pp_quote(d.get("group") or "root")), + ("mode", _pp_quote(d.get("mode") or "0755")), + *([("require", str(d.get("require")))] if d.get("require") else []), + ], + ) + + for path, f in sorted(prole.files.items()): + file_attrs: List[Tuple[str, str]] = [("ensure", _pp_quote("file"))] + if f.get("template"): + file_attrs.append(("content", f"template({_pp_quote(f.get('template'))})")) + else: + file_attrs.append(("source", _pp_quote(f.get("source") or ""))) + file_attrs.extend( + [ + ("owner", _pp_quote(f.get("owner") or "root")), + ("group", _pp_quote(f.get("group") or "root")), + ("mode", _pp_quote(f.get("mode") or "0644")), + *([("notify", str(f.get("notify")))] if f.get("notify") else []), + ] + ) + _resource(lines, "file", path, file_attrs) + + for path, lnk in sorted(prole.links.items()): + _resource( + lines, + "file", + path, + [ + ("ensure", _pp_quote("link")), + ("target", _pp_quote(lnk.get("target") or "")), + ], + ) + + for svc in [prole.services[k] for k in sorted(prole.services)]: + _resource( + lines, + "service", + svc["name"], + [ + ("ensure", _pp_quote(svc["ensure"])), + ("enable", _pp_bool(bool(svc["enable"]))), + ], + ) + + flatpak_remote_titles: Dict[Tuple[str, str, str], str] = {} + for remote in prole.flatpak_remotes: + name = str(remote.get("name") or "").strip() + url = str(remote.get("url") or "").strip() + if not name or not url: + continue + title = str(remote.get("state_id") or _state_title("flatpak-remote", name)) + key = ( + str(remote.get("method") or "system"), + str(remote.get("user") or ""), + name, + ) + flatpak_remote_titles[key] = title + remote_user = str(remote.get("user") or "").strip() + remote_require = None + if remote_user and remote_user in prole.users: + remote_require = f"User[{_pp_quote(remote_user)}]" + _resource( + lines, + "exec", + title, + _puppet_exec_attrs( + str(remote.get("add_cmd") or _flatpak_remote_add_cmd(remote)), + str(remote.get("exists_cmd") or _flatpak_remote_exists_cmd(remote)), + item=remote, + require=remote_require, + ), + ) + + for app in prole.flatpaks: + ref = _flatpak_ref(app) + if not ref: + continue + title = str(app.get("state_id") or _state_title("flatpak", ref)) + requires: List[str] = [] + user = str(app.get("user") or "").strip() + if user: + requires.append(f"User[{_pp_quote(user)}]") + remote = str(app.get("remote") or "").strip() + if remote: + remote_title = flatpak_remote_titles.get( + (str(app.get("method") or "system"), user, remote) + ) + if remote_title: + requires.append(f"Exec[{_pp_quote(remote_title)}]") + require_expr = None + if len(requires) == 1: + require_expr = requires[0] + elif requires: + require_expr = "[" + ", ".join(requires) + "]" + _resource( + lines, + "exec", + title, + _puppet_exec_attrs( + str(app.get("install_cmd") or _flatpak_install_cmd(app)), + str(app.get("exists_cmd") or _flatpak_exists_cmd(app)), + item=app, + require=require_expr, + ), + ) + + for snap in prole.snaps: + name = str(snap.get("name") or "").strip() + if not name: + continue + _resource( + lines, + "exec", + str(snap.get("state_id") or _state_title("snap", name)), + _puppet_exec_attrs( + str(snap.get("install_cmd") or _snap_install_cmd(snap)), + str(snap.get("exists_cmd") or _snap_exists_cmd(snap)), + ), + ) + + for image in prole.container_images: + engine = str(image.get("engine") or "").strip() + pull_ref = str(image.get("pull_ref") or "").strip() + if not engine or not pull_ref: + continue + if engine == "docker": + pull_title = _state_title("docker-pull", pull_ref) + _resource( + lines, + "exec", + pull_title, + [ + ( + "command", + _pp_quote( + image.get("pull_cmd") + or _container_pull_cmd(engine, pull_ref) + ), + ), + ( + "unless", + _pp_quote( + image.get("pull_unless") + or _container_exists_cmd(engine, pull_ref) + ), + ), + ("path", "['/usr/bin', '/bin']"), + ], + ) + for alias in image.get("tag_aliases") or []: + tag_ref = str(alias.get("ref") or "").strip() + if not tag_ref: + continue + _resource( + lines, + "exec", + _state_title("docker-tag", tag_ref), + [ + ( + "command", + _pp_quote( + alias.get("tag_cmd") + or _container_tag_cmd(engine, pull_ref, tag_ref) + ), + ), + ( + "unless", + _pp_quote( + alias.get("tag_unless") + or _container_exists_cmd(engine, tag_ref) + ), + ), + ("path", "['/usr/bin', '/bin']"), + ("require", f"Exec[{_pp_quote(pull_title)}]"), + ], + ) + elif engine == "podman": + _resource( + lines, + "exec", + _state_title("podman-pull", pull_ref), + [ + ( + "command", + _pp_quote( + image.get("pull_cmd") + or _container_pull_cmd(engine, pull_ref) + ), + ), + ( + "unless", + _pp_quote( + image.get("pull_unless") + or _container_exists_cmd(engine, pull_ref) + ), + ), + ("path", "['/usr/bin', '/bin']"), + ], + ) + for alias in image.get("tag_aliases") or []: + tag_ref = str(alias.get("ref") or "").strip() + if not tag_ref: + continue + _resource( + lines, + "exec", + _state_title("podman-tag", tag_ref), + [ + ( + "command", + _pp_quote( + alias.get("tag_cmd") + or _container_tag_cmd(engine, pull_ref, tag_ref) + ), + ), + ( + "unless", + _pp_quote( + alias.get("tag_unless") + or _container_exists_cmd(engine, tag_ref) + ), + ), + ("path", "['/usr/bin', '/bin']"), + ( + "require", + f"Exec[{_pp_quote(_state_title('podman-pull', pull_ref))}]", + ), + ], + ) + + if prole.firewall_runtime: + _render_firewall_runtime_execs(lines, prole.firewall_runtime) + + if has_sysctl_conf: + lines.append(" if $sysctl_apply {") + lines.append(" exec { 'enroll-apply-sysctl':") + lines.append(" command => $sysctl_ignore_apply_errors ? {") + lines.append( + " true => \"/bin/sh -c 'sysctl -e -p /etc/sysctl.d/99-enroll.conf || true'\"," + ) + lines.append(" default => 'sysctl -e -p /etc/sysctl.d/99-enroll.conf',") + lines.append(" },") + lines.append(" path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],") + lines.append(" refreshonly => true,") + lines.append(" subscribe => File['/etc/sysctl.d/99-enroll.conf'],") + lines.append(" }") + lines.append(" }") + lines.append("") + + if prole.notes: + lines.append(" # Notes and limitations") + for note in prole.notes: + lines.append(f" # - {note}") + lines.append("") + + lines.append("}") + lines.append("") + return "\n".join(lines) + + +def _attrs_with_ensure( + attrs: Dict[str, Any], ensure: str, *, allowed: Set[str] +) -> Dict[str, Any]: + """Return only Puppet resource attributes, dropping Enroll metadata.""" + out = {"ensure": ensure} + for key in sorted(allowed): + if key in attrs and attrs[key] is not None: + out[key] = attrs[key] + return out + + +def _role_hiera_values(prole: PuppetRole) -> Dict[str, Any]: + """Return Automatic Parameter Lookup data for one generated module.""" + + data: Dict[str, Any] = {} + prefix = f"{prole.module_name}::" + + if prole.packages: + data[f"{prefix}packages"] = sorted(prole.packages) + + if prole.groups: + data[f"{prefix}groups"] = { + group: {"ensure": "present"} for group in sorted(prole.groups) + } + + if prole.users: + users: Dict[str, Dict[str, Any]] = {} + for name in sorted(prole.users): + user = prole.users[name] + attrs: Dict[str, Any] = {"ensure": "present", "managehome": True} + if user.get("uid") is not None: + attrs["uid"] = user["uid"] + if user.get("primary_group"): + attrs["gid"] = user["primary_group"] + if user.get("home"): + attrs["home"] = user["home"] + if user.get("shell"): + attrs["shell"] = user["shell"] + if user.get("gecos"): + attrs["comment"] = user["gecos"] + if user.get("supplementary_groups"): + attrs["groups"] = list(user["supplementary_groups"]) + attrs["membership"] = "minimum" + users[name] = attrs + data[f"{prefix}users"] = users + + if prole.dirs: + data[f"{prefix}dirs"] = { + path: _attrs_with_ensure( + prole.dirs[path], + "directory", + allowed={"owner", "group", "mode", "require"}, + ) + for path in sorted(prole.dirs) + } + + if prole.files: + data[f"{prefix}files"] = { + path: _attrs_with_ensure( + prole.files[path], + "file", + allowed={ + "source", + "template", + "owner", + "group", + "mode", + "notify_services", + }, + ) + for path in sorted(prole.files) + } + + if prole.links: + data[f"{prefix}links"] = { + path: _attrs_with_ensure( + prole.links[path], + "link", + allowed={"target"}, + ) + for path in sorted(prole.links) + } + + if prole.services: + data[f"{prefix}services"] = { + name: { + "ensure": prole.services[name].get("ensure") or "stopped", + "enable": bool(prole.services[name].get("enable")), + } + for name in sorted(prole.services) + } + + if prole.flatpak_remotes: + data[f"{prefix}flatpak_remotes"] = list(prole.flatpak_remotes) + if prole.flatpaks: + data[f"{prefix}flatpaks"] = list(prole.flatpaks) + if prole.snaps: + data[f"{prefix}snaps"] = list(prole.snaps) + if prole.container_images: + data[f"{prefix}container_images"] = list(prole.container_images) + if prole.firewall_runtime: + data[f"{prefix}firewall_runtime"] = dict(prole.firewall_runtime) + + if prole.notes: + data[f"{prefix}notes"] = list(prole.notes) + + data.update(prole.template_hiera) + + if "/etc/sysctl.d/99-enroll.conf" in prole.files: + data[f"{prefix}sysctl_apply"] = True + data[f"{prefix}sysctl_ignore_apply_errors"] = True + + return data + + +def _render_hiera_role_class(prole: PuppetRole) -> str: + """Render a reusable, data-driven Puppet class for --fqdn/Hiera mode.""" + + lines: List[str] = [ + "# Generated by Enroll from harvest state.", + "# Resource data is supplied by Hiera Automatic Parameter Lookup.", + f"class {prole.module_name} (", + " Array[String] $packages = [],", + " Hash[String, Hash] $groups = {},", + " Hash[String, Hash] $users = {},", + " Hash[String, Hash] $dirs = {},", + " Hash[String, Hash] $files = {},", + " Hash[String, Hash] $links = {},", + " Hash[String, Hash] $services = {},", + " Array[Hash] $flatpak_remotes = [],", + " Array[Hash] $flatpaks = [],", + " Array[Hash] $snaps = [],", + " Array[Hash] $container_images = [],", + " Hash $firewall_runtime = {},", + " Array[String] $notes = [],", + " Boolean $sysctl_apply = true,", + " Boolean $sysctl_ignore_apply_errors = true,", + *[ + f" Any ${name} = undef," + for name in sorted(_template_param_defaults(prole)) + ], + ") {", + "", + " $packages.each |String $package_name| {", + " package { $package_name:", + " ensure => 'installed',", + " }", + " }", + "", + " $groups.each |String $resource_title, Hash $attrs| {", + " group { $resource_title:", + " * => $attrs,", + " }", + " }", + "", + " $users.each |String $resource_title, Hash $attrs| {", + " user { $resource_title:", + " * => $attrs,", + " }", + " }", + "", + " $dirs.each |String $resource_title, Hash $attrs| {", + " file { $resource_title:", + " * => $attrs,", + " }", + " }", + "", + " # Declare services before files so file notify relationships can", + " # resolve in Hiera-driven classes.", + " $services.each |String $resource_title, Hash $attrs| {", + " service { $resource_title:", + " * => $attrs,", + " }", + " }", + "", + " $files.each |String $resource_title, Hash $attrs| {", + " $file_attrs = $attrs.filter |$key, $value| {", + " $key != 'template' and $key != 'notify_services'", + " }", + " if $attrs['notify_services'] {", + " $notify_targets = $attrs['notify_services'].map |String $unit| { Service[$unit] }", + " if $attrs['template'] {", + " file { $resource_title:", + " * => $file_attrs,", + " content => template($attrs['template']),", + " notify => $notify_targets,", + " }", + " } else {", + " file { $resource_title:", + " * => $file_attrs,", + " notify => $notify_targets,", + " }", + " }", + " } elsif $attrs['template'] {", + " file { $resource_title:", + " * => $file_attrs,", + " content => template($attrs['template']),", + " }", + " } else {", + " file { $resource_title:", + " * => $file_attrs,", + " }", + " }", + " }", + "", + " $links.each |String $resource_title, Hash $attrs| {", + " file { $resource_title:", + " * => $attrs,", + " }", + " }", + "", + " $flatpak_remotes.each |Integer $idx, Hash $remote| {", + " exec { $remote['state_id']:", + " command => $remote['add_cmd'],", + " unless => $remote['exists_cmd'],", + " path => ['/usr/bin', '/bin'],", + " user => $remote['user'],", + " environment => $remote['environment'],", + " }", + " }", + "", + " $flatpaks.each |Integer $idx, Hash $app| {", + " exec { $app['state_id']:", + " command => $app['install_cmd'],", + " unless => $app['exists_cmd'],", + " path => ['/usr/bin', '/bin'],", + " user => $app['user'],", + " environment => $app['environment'],", + " }", + " }", + "", + " $snaps.each |Integer $idx, Hash $snap| {", + " exec { $snap['state_id']:", + " command => $snap['install_cmd'],", + " unless => $snap['exists_cmd'],", + " path => ['/usr/bin', '/bin'],", + " }", + " }", + "", + " $container_images.each |Integer $idx, Hash $image| {", + " if $image['engine'] == 'docker' and $image['pull_ref'] {", + ' exec { "enroll-docker-pull-${idx}":', + " command => $image['pull_cmd'],", + " unless => $image['pull_unless'],", + " path => ['/usr/bin', '/bin'],", + " }", + " $image['tag_aliases'].each |Integer $tag_idx, Hash $alias| {", + ' exec { "enroll-docker-tag-${idx}-${tag_idx}":', + " command => $alias['tag_cmd'],", + " unless => $alias['tag_unless'],", + " path => ['/usr/bin', '/bin'],", + ' require => Exec["enroll-docker-pull-${idx}"],', + " }", + " }", + " } elsif $image['engine'] == 'podman' and $image['pull_ref'] {", + ' exec { "enroll-podman-pull-${idx}":', + " command => $image['pull_cmd'],", + " unless => $image['pull_unless'],", + " path => ['/usr/bin', '/bin'],", + " }", + " $image['tag_aliases'].each |Integer $tag_idx, Hash $alias| {", + ' exec { "enroll-podman-tag-${idx}-${tag_idx}":', + " command => $alias['tag_cmd'],", + " unless => $alias['tag_unless'],", + " path => ['/usr/bin', '/bin'],", + ' require => Exec["enroll-podman-pull-${idx}"],', + " }", + " }", + " }", + " }", + "", + " if $firewall_runtime['ipset_restore_cmd'] {", + " exec { 'enroll-firewall-runtime-ipset-restore':", + " command => $firewall_runtime['ipset_restore_cmd'],", + " path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],", + " refreshonly => true,", + " subscribe => File[$firewall_runtime['ipset_save']],", + " }", + " }", + "", + " if $firewall_runtime['iptables_v4_restore_cmd'] {", + " exec { 'enroll-firewall-runtime-iptables-v4-restore':", + " command => $firewall_runtime['iptables_v4_restore_cmd'],", + " path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],", + " refreshonly => true,", + " subscribe => File[$firewall_runtime['iptables_v4_save']],", + " }", + " }", + "", + " if $firewall_runtime['iptables_v6_restore_cmd'] {", + " exec { 'enroll-firewall-runtime-iptables-v6-restore':", + " command => $firewall_runtime['iptables_v6_restore_cmd'],", + " path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],", + " refreshonly => true,", + " subscribe => File[$firewall_runtime['iptables_v6_save']],", + " }", + " }", + "", + " if $sysctl_apply and '/etc/sysctl.d/99-enroll.conf' in $files {", + " exec { 'enroll-apply-sysctl':", + " command => $sysctl_ignore_apply_errors ? {", + " true => \"/bin/sh -c 'sysctl -e -p /etc/sysctl.d/99-enroll.conf || true'\",", + " default => 'sysctl -e -p /etc/sysctl.d/99-enroll.conf',", + " },", + " path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],", + " refreshonly => true,", + " subscribe => File['/etc/sysctl.d/99-enroll.conf'],", + " }", + " }", + "", + " # Generated notes are supplied through the $notes parameter for review.", + "}", + "", + ] + return "\n".join(lines) + + +def _render_site_pp(puppet_roles: List[PuppetRole], fqdn: Optional[str]) -> str: + node_name = _pp_quote(fqdn) if fqdn else "default" + if not puppet_roles: + return f"node {node_name} {{\n # No Puppet classes were generated from this harvest.\n}}\n" + includes = "\n".join(f" include {r.module_name}" for r in puppet_roles) + return f"node {node_name} {{\n{includes}\n}}\n" + + +def _render_hiera_site_pp(node_names: List[str]) -> str: + lines: List[str] = [ + "# Generated by Enroll from harvest state.", + "# Per-node class lists and resources are read from Hiera data.", + "", + ] + for node_name in node_names: + lines.extend( + [ + f"node {_pp_quote(node_name)} {{", + " $enroll_classes = lookup('enroll::classes', Array[String], 'unique', [])", + " $enroll_classes.each |String $enroll_class| {", + " include $enroll_class", + " }", + "}", + "", + ] + ) + lines.extend( + [ + "node default {", + " $enroll_classes = lookup('enroll::classes', Array[String], 'unique', [])", + " $enroll_classes.each |String $enroll_class| {", + " include $enroll_class", + " }", + "}", + "", + ] + ) + return "\n".join(lines) + + +def _render_hiera_yaml() -> str: + data = { + "version": 5, + "defaults": {"datadir": "data", "data_hash": "yaml_data"}, + "hierarchy": [ + { + "name": "Enroll trusted certname node data", + "path": "nodes/%{trusted.certname}.yaml", + }, + { + "name": "Enroll networking FQDN node data", + "path": "nodes/%{facts.networking.fqdn}.yaml", + }, + {"name": "Enroll common data", "path": "common.yaml"}, + ], + } + return yaml.safe_dump(data, sort_keys=False, explicit_start=True) + + +def _write_yaml(path: Path, data: Dict[str, Any]) -> None: + path.parent.mkdir(parents=True, exist_ok=True) + path.write_text( + yaml.safe_dump( + puppet_hiera_safe_data(data), sort_keys=True, explicit_start=True + ), + encoding="utf-8", + ) + + +def _write_hiera_node_data( + out: Path, fqdn: str, puppet_roles: List[PuppetRole] +) -> Path: + node_data: Dict[str, Any] = { + "enroll::classes": [r.module_name for r in puppet_roles] + } + for prole in puppet_roles: + node_data.update(_role_hiera_values(prole)) + node_path = out / "data" / "nodes" / _node_data_filename(fqdn) + _write_yaml(node_path, node_data) + common_path = out / "data" / "common.yaml" + if not common_path.exists(): + _write_yaml(common_path, {"enroll::classes": []}) + return node_path + + +def _hiera_node_names(out: Path) -> List[str]: + nodes_dir = out / "data" / "nodes" + if not nodes_dir.is_dir(): + return [] + out_names: Set[str] = set() + for path in nodes_dir.glob("*.yaml"): + out_names.add(path.name[: -len(".yaml")]) + return sorted(out_names) + + +def _write_metadata(module_dir: Path, module_name: str, prole: PuppetRole) -> None: + dependencies: List[Dict[str, str]] = [] + + (module_dir / "metadata.json").write_text( + json.dumps( + { + "name": f"enroll-{module_name}", + "version": "0.1.0", + "author": "Enroll", + "summary": f"Generated Enroll Puppet module for {module_name}", + "license": "UNLICENSED", + "source": "", + "dependencies": dependencies, + }, + indent=2, + sort_keys=True, + ) + + "\n", + encoding="utf-8", + ) + + +def _render_readme( + state: Dict[str, Any], + puppet_roles: List[PuppetRole], + *, + fqdn: Optional[str] = None, + node_names: Optional[List[str]] = None, +) -> str: + host = state.get("host", {}) if isinstance(state.get("host"), dict) else {} + hostname = host.get("hostname") or "unknown" + hiera_mode = bool(fqdn) + role_lines = markdown_list( + f"`{r.module_name}` from Enroll role `{r.role_name}`" for r in puppet_roles + ) + node_lines = markdown_list(f"`{n}`" for n in (node_names or [])) + notes_text = markdown_list( + f"`{r.module_name}`: {note}" for r in puppet_roles for note in r.notes + ) + if hiera_mode: + layout = f"""- `manifests/site.pp` declares node blocks and includes classes listed in Hiera key `enroll::classes`. +- `hiera.yaml` configures per-node lookup from `data/nodes/%{{trusted.certname}}.yaml` with a fallback to `data/common.yaml`. +- `data/nodes/{_node_data_filename(fqdn or '')}` contains this node's class list and class parameter data. +- `modules//manifests/init.pp` contains reusable, data-driven classes. +- `modules//files/nodes//...` contains node-specific harvested raw file artifacts, avoiding clashes between hosts. +- `modules//templates/` contains ERB templates when JinjaTurtle can convert a harvested config file.""" + apply = f"""Run from this generated output directory, passing the node certname so Hiera selects the right node data: + +```bash +sudo puppet apply --modulepath ./modules --hiera_config ./hiera.yaml --certname {fqdn} manifests/site.pp --noop --test +``` + +If you depend on other pre-installed Puppet modules, you may need to pass in other modulepaths as well, e.g: + +```bash +sudo puppet apply --modulepath ./modules:/etc/puppet/code/modules --hiera_config ./hiera.yaml --certname {fqdn} manifests/site.pp --noop --test +``` + +For Puppet agent/control-repo use, place this output where `hiera.yaml`, `data/`, `manifests/`, and `modules/` form the environment root. Re-running Enroll with another `--fqdn` into the same output directory adds or replaces that node's YAML without deleting existing node data.""" + else: + layout = """- `manifests/site.pp` declares a `node` block and includes the generated classes in manifest order. +- `modules//manifests/init.pp` contains resources for each generated Enroll role/snapshot or common package group. +- `modules//files/` contains harvested raw file artifacts for that role or group. +- `modules//templates/` contains ERB templates when JinjaTurtle can convert a harvested config file. +- Generated module names avoid Puppet reserved words such as `default`.""" + apply = """Run from this generated output directory so Puppet can find `./modules`, or pass an absolute module path: + +```bash +sudo puppet apply --modulepath ./modules manifests/site.pp --noop --test +``` + +If you depend on other pre-installed Puppet modules, you may need to pass in other modulepaths as well, e.g: + +```bash +sudo puppet apply --modulepath ./modules:/etc/puppet/code/modules manifests/site.pp --noop --test +```""" + return f"""# Enroll Puppet manifest + +Generated by Enroll from harvest data for `{hostname}`. + +This Puppet target reuses the existing harvest state without changing harvesting behaviour. + +## Layout + +{layout} + +## Known nodes + +{node_lines if hiera_mode else '- Non-Hiera single-node output.'} + +## Generated modules + +{role_lines} + +## Apply / check + +{apply} + +## Generated resources + +- Native packages observed in package and service snapshots. +- Local users and groups from the users snapshot. +- Managed directories, files, and symlinks from harvested roles. +- Basic service enablement/running-state resources. +- `/etc/sysctl.d/99-enroll.conf` plus a refresh-only sysctl apply exec when present. +- Docker and Podman images by digest using guarded `exec` resources (`pull`/`tag` commands with `unless` checks). +- Podman images by digest using guarded `podman pull` / `podman tag` exec resources. + +## Current limitations + +- JinjaTurtle/ERB templating is best-effort. Files that JinjaTurtle cannot parse are copied as raw module files. +- Review generated resources before applying them broadly across unlike hosts. + +## Notes + +{notes_text} +""" + + +class PuppetManifestRenderer: + """Render Puppet modules and site manifest from a harvest bundle.""" + + def __init__( + self, + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str] = None, + no_common_roles: bool = False, + jinjaturtle: str = "auto", + ) -> None: + self.bundle_dir = bundle_dir + self.out_dir = out_dir + self.fqdn = fqdn + self.no_common_roles = no_common_roles + self.jinjaturtle = jinjaturtle + + def render(self) -> None: + """Render Puppet modules/site.pp from a harvest bundle.""" + + bundle_dir = self.bundle_dir + out_dir = self.out_dir + fqdn = self.fqdn + no_common_roles = self.no_common_roles + + state = PuppetRole.load_state(bundle_dir) + hiera_mode = bool(fqdn) + out = prepare_manifest_output_dir(out_dir, allow_existing=hiera_mode) + manifests_dir = out / "manifests" + modules_dir = out / "modules" + manifests_dir.mkdir(parents=True, exist_ok=True) + modules_dir.mkdir(parents=True, exist_ok=True) + + jt_exe, jt_enabled = resolve_jinjaturtle_mode(self.jinjaturtle) + + puppet_roles = _collect_puppet_roles( + state, + bundle_dir, + modules_dir, + fqdn=fqdn, + no_common_roles=no_common_roles, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + ) + for prole in puppet_roles: + module_dir = modules_dir / prole.module_name + module_manifests = module_dir / "manifests" + module_files = module_dir / "files" + module_manifests.mkdir(parents=True, exist_ok=True) + module_files.mkdir(parents=True, exist_ok=True) + (module_manifests / "init.pp").write_text( + ( + _render_hiera_role_class(prole) + if hiera_mode + else _render_role_class(prole) + ), + encoding="utf-8", + ) + _write_metadata(module_dir, prole.module_name, prole) + + node_names: List[str] = [] + if hiera_mode and fqdn: + (out / "hiera.yaml").write_text(_render_hiera_yaml(), encoding="utf-8") + _write_hiera_node_data(out, fqdn, puppet_roles) + node_names = _hiera_node_names(out) + (manifests_dir / "site.pp").write_text( + _render_hiera_site_pp(node_names), encoding="utf-8" + ) + else: + (manifests_dir / "site.pp").write_text( + _render_site_pp(puppet_roles, fqdn), encoding="utf-8" + ) + (out / "README.md").write_text( + _render_readme( + state, + puppet_roles, + fqdn=fqdn, + node_names=node_names, + ), + encoding="utf-8", + ) + + +def manifest_from_bundle_dir( + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str] = None, + no_common_roles: bool = False, + jinjaturtle: str = "auto", +) -> None: + PuppetManifestRenderer( + bundle_dir, + out_dir, + fqdn=fqdn, + no_common_roles=no_common_roles, + jinjaturtle=jinjaturtle, + ).render() diff --git a/enroll/remote.py b/enroll/remote.py index 45e2798..ecb1c27 100644 --- a/enroll/remote.py +++ b/enroll/remote.py @@ -13,6 +13,8 @@ from pathlib import Path from pathlib import PurePosixPath from typing import Optional, Callable, TextIO +from .harvest_safety import ensure_private_empty_dir, prepare_new_private_dir + class RemoteSudoPasswordRequired(RuntimeError): """Raised when sudo requires a password but none was provided.""" @@ -139,12 +141,16 @@ def remote_harvest( getpass_fn=getpass_fn, ) + allow_existing_output = bool(kwargs.pop("allow_existing_output", False)) + output_prepared = False + while True: try: return _remote_harvest( sudo_password=sudo_password, no_sudo=no_sudo, ssh_key_passphrase=ssh_key_passphrase, + allow_existing_output=allow_existing_output or output_prepared, **kwargs, ) except RemoteSSHKeyPassphraseRequired: @@ -158,6 +164,7 @@ def remote_harvest( # Fallback prompt if interactive. if stdin is not None and getattr(stdin, "isatty", lambda: False)(): ssh_key_passphrase = getpass_fn(key_prompt) + output_prepared = True continue raise RemoteSSHKeyPassphraseRequired( @@ -173,6 +180,7 @@ def remote_harvest( # Fallback prompt if interactive. if stdin is not None and getattr(stdin, "isatty", lambda: False)(): sudo_password = getpass_fn(prompt) + output_prepared = True continue raise RemoteSudoPasswordRequired( @@ -210,11 +218,18 @@ def _safe_extract_tar(tar: tarfile.TarFile, dest: Path) -> None: if member_path != dest and not str(member_path).startswith(str(dest) + os.sep): raise RuntimeError(f"Unsafe tar member path: {name}") - # Extract members one-by-one after validation. + # Extract members one-by-one after validation. Pass an explicit tarfile + # extraction filter on Python versions that support it so Python 3.12/3.13 + # do not warn about the Python 3.14 default changing. Keep the older call + # path for Python 3.10/3.11, where the filter argument is unavailable. + supports_filter = hasattr(tarfile, "data_filter") for m in tar.getmembers(): if m.name in {".", "./"}: continue - tar.extract(m, path=dest) + if supports_filter: + tar.extract(m, path=dest, filter="data") + else: + tar.extract(m, path=dest) def _build_enroll_pyz(tmpdir: Path) -> Path: @@ -406,6 +421,7 @@ def _remote_harvest( ssh_key_passphrase: Optional[str] = None, include_paths: Optional[list[str]] = None, exclude_paths: Optional[list[str]] = None, + allow_existing_output: bool = False, ) -> Path: """Run enroll harvest on a remote host via SSH and pull the bundle locally. @@ -419,12 +435,11 @@ def _remote_harvest( "Install it with: pip install paramiko" ) from e - local_out_dir = Path(local_out_dir) - local_out_dir.mkdir(parents=True, exist_ok=True) - try: - os.chmod(local_out_dir, 0o700) - except OSError: - pass + local_out_dir = ( + ensure_private_empty_dir(local_out_dir, label="remote harvest output") + if allow_existing_output + else prepare_new_private_dir(local_out_dir, label="remote harvest output") + ) # Build a zipapp locally and upload it to the remote. with tempfile.TemporaryDirectory(prefix="enroll-remote-") as td: @@ -563,22 +578,50 @@ def _remote_harvest( sftp = ssh.open_sftp() rtmp: Optional[str] = None + remote_root_tmp: Optional[str] = None try: rc, out, err = _ssh_run(ssh, "mktemp -d") if rc != 0: raise RuntimeError(f"Remote mktemp failed: {err.strip()}") rtmp = out.strip() + if not rtmp: + raise RuntimeError("Remote mktemp returned an empty path") # Be explicit: restrict the remote staging area to the current user. - rc, out, err = _ssh_run(ssh, f"chmod 700 {rtmp}") + rc, out, err = _ssh_run(ssh, f"chmod 700 -- {shlex.quote(rtmp)}") if rc != 0: raise RuntimeError(f"Remote chmod failed: {err.strip()}") rapp = f"{rtmp}/enroll.pyz" - rbundle = f"{rtmp}/bundle" - sftp.put(str(pyz), rapp) + if not no_sudo: + # The remote zipapp is staged as the SSH user, but the harvest + # itself runs as root. Root must not write its bundle under the + # SSH user's mktemp directory: the root-output safety checks + # deliberately reject user-owned parents to avoid symlink/race + # issues. Create a separate sudo-owned tempdir for the bundle. + rc, out, err = _ssh_run_sudo( + ssh, "mktemp -d", sudo_password=sudo_password, get_pty=True + ) + if rc != 0: + raise RuntimeError(f"Remote sudo mktemp failed: {err.strip()}") + remote_root_tmp = out.strip() + if not remote_root_tmp: + raise RuntimeError("Remote sudo mktemp returned an empty path") + + rc, out, err = _ssh_run_sudo( + ssh, + f"chmod 700 -- {shlex.quote(remote_root_tmp)}", + sudo_password=sudo_password, + get_pty=True, + ) + if rc != 0: + raise RuntimeError(f"Remote sudo chmod failed: {err.strip()}") + rbundle = f"{remote_root_tmp}/bundle" + else: + rbundle = f"{rtmp}/bundle" + # Run remote harvest. argv: list[str] = [ remote_python, @@ -620,7 +663,11 @@ def _remote_harvest( "Unable to determine remote username for chown. " "Pass --remote-user explicitly or use --no-sudo." ) - chown_cmd = f"chown -R {resolved_user} {rbundle}" + chown_target = remote_root_tmp or rbundle + chown_cmd = ( + "chown -R -- " + f"{shlex.quote(resolved_user)} {shlex.quote(chown_target)}" + ) rc, out, err = _ssh_run_sudo( ssh, chown_cmd, @@ -637,7 +684,7 @@ def _remote_harvest( ) # Stream a tarball back to the local machine (avoid creating a tar file on the remote). - cmd = f"tar -cz -C {rbundle} ." + cmd = f"tar -cz -C {shlex.quote(rbundle)} ." _stdin, stdout, stderr = ssh.exec_command(cmd) # nosec with open(local_tgz, "wb") as f: while True: @@ -660,9 +707,21 @@ def _remote_harvest( _safe_extract_tar(tf, local_out_dir) finally: - # Cleanup remote tmpdir even on failure. + # Cleanup remote tmpdirs even on failure. The sudo-owned harvest + # tempdir may still be root-owned if harvest/chown failed, so remove + # it via sudo and avoid masking the original error if cleanup fails. + if remote_root_tmp: + try: + _ssh_run_sudo( + ssh, + f"rm -rf -- {shlex.quote(remote_root_tmp)}", + sudo_password=sudo_password, + get_pty=True, + ) + except Exception: + pass # nosec - best-effort remote cleanup if rtmp: - _ssh_run(ssh, f"rm -rf {rtmp}") + _ssh_run(ssh, f"rm -rf -- {shlex.quote(rtmp)}") try: sftp.close() ssh.close() diff --git a/enroll/render_safety.py b/enroll/render_safety.py new file mode 100644 index 0000000..e8fc54a --- /dev/null +++ b/enroll/render_safety.py @@ -0,0 +1,232 @@ +from __future__ import annotations + +import json +import re +from collections.abc import Mapping, Set as AbstractSet +from typing import Any + + +ANSIBLE_JINJA_STARTS = ("{{", "{%", "{#") + + +class AnsibleUnsafeText(str): + """String subclass dumped as Ansible's ``!unsafe`` YAML scalar. + + Ansible templating can recursively evaluate Jinja delimiters that arrive + through variables/defaults. Harvested data is not authored playbook code; + values containing Jinja starts must be tagged as unsafe data before they are + written to Ansible variable files. + """ + + +def is_ansible_template_like(value: str) -> bool: + """Return true if *value* contains a Jinja start delimiter.""" + + return any(marker in value for marker in ANSIBLE_JINJA_STARTS) + + +def ansible_unsafe_data(value: Any) -> Any: + """Recursively mark template-looking harvested strings as Ansible data. + + Keep ordinary strings untouched so generated output remains readable and so + existing tests/tools that use ``yaml.safe_load`` continue to work for normal + data. Mapping keys are also strings in Ansible data structures, so protect + keys as well as values. + """ + + if isinstance(value, AnsibleUnsafeText): + return value + if isinstance(value, str): + return AnsibleUnsafeText(value) if is_ansible_template_like(value) else value + if isinstance(value, Mapping): + return { + ansible_unsafe_data(str(key)): ansible_unsafe_data(inner) + for key, inner in value.items() + } + if isinstance(value, list): + return [ansible_unsafe_data(item) for item in value] + if isinstance(value, tuple): + return [ansible_unsafe_data(item) for item in value] + if isinstance(value, AbstractSet): + return sorted(ansible_unsafe_data(item) for item in value) + return value + + +def escape_puppet_hiera_interpolation(value: str) -> str: + """Preserve literal ``%{`` text in Puppet Hiera data sources. + + Hiera treats ``%{...}`` in data values as interpolation. Enroll's Hiera + data is generated from harvested values, not authored Hiera expressions, so + any literal interpolation opener is escaped with Hiera's documented + ``literal('%')`` helper. + """ + + return str(value).replace("%{", "%{literal('%')}{") + + +def puppet_hiera_safe_data(value: Any) -> Any: + """Recursively escape Hiera interpolation openers in harvested data.""" + + if isinstance(value, Mapping): + return { + escape_puppet_hiera_interpolation(str(key)): puppet_hiera_safe_data(inner) + for key, inner in value.items() + } + if isinstance(value, list): + return [puppet_hiera_safe_data(item) for item in value] + if isinstance(value, tuple): + return [puppet_hiera_safe_data(item) for item in value] + if isinstance(value, AbstractSet): + return sorted(puppet_hiera_safe_data(item) for item in value) + if isinstance(value, str): + return escape_puppet_hiera_interpolation(value) + return value + + +def _plain_json_data(value: Any) -> Any: + if isinstance(value, Mapping): + return {str(key): _plain_json_data(inner) for key, inner in value.items()} + if isinstance(value, list): + return [_plain_json_data(item) for item in value] + if isinstance(value, tuple): + return [_plain_json_data(item) for item in value] + if isinstance(value, AbstractSet): + return sorted(_plain_json_data(item) for item in value) + return value + + +def _escape_braces_inside_json_strings(text: str) -> str: + """Replace literal braces only while scanning JSON string tokens.""" + + out: list[str] = [] + in_string = False + escaped = False + for ch in text: + if not in_string: + out.append(ch) + if ch == '"': + in_string = True + continue + + if escaped: + out.append(ch) + escaped = False + elif ch == "\\": + out.append(ch) + escaped = True + elif ch == '"': + out.append(ch) + in_string = False + elif ch == "{": + out.append("\\u007b") + elif ch == "}": + out.append("\\u007d") + else: + out.append(ch) + return "".join(out) + + +def salt_sls_json_quote(value: Any) -> str: + """Return a double-quoted YAML/JSON scalar safe for Salt's Jinja pass. + + Salt state and pillar SLS files normally use the ``jinja|yaml`` renderer + pipeline. YAML/JSON quoting alone does not stop ``{{ ... }}``, ``{% ... %}`` + or ``{# ... #}`` inside harvested values from being evaluated before YAML is + parsed. JSON/YAML double-quoted scalars decode ``\u007b`` and ``\u007d`` + after Jinja has run, so encode braces inside string tokens as Unicode escapes. + """ + + dumped = json.dumps(str(value), ensure_ascii=False) + return _escape_braces_inside_json_strings(dumped) + + +_PLAIN_YAML_KEY_RE = re.compile(r"^[A-Za-z0-9_./:-]+$") + + +def _salt_yaml_key(value: Any) -> str: + text = str(value) + if text and _PLAIN_YAML_KEY_RE.match(text) and not text.startswith(("-", "?", ":")): + return text + return salt_sls_json_quote(text) + + +def _salt_yaml_scalar(value: Any) -> str: + if value is None: + return "null" + if isinstance(value, bool): + return "true" if value else "false" + if isinstance(value, int) and not isinstance(value, bool): + return str(value) + if isinstance(value, float): + return json.dumps(value, allow_nan=False) + return salt_sls_json_quote(value) + + +def _salt_yaml_lines( + value: Any, indent: int = 0, *, sort_keys: bool = True +) -> list[str]: + prefix = " " * indent + if isinstance(value, Mapping): + if not value: + return [prefix + "{}"] + keys = sorted(value, key=lambda item: str(item)) if sort_keys else list(value) + lines: list[str] = [] + for key in keys: + inner = value[key] + key_text = _salt_yaml_key(key) + if isinstance(inner, Mapping): + if not inner: + lines.append(f"{prefix}{key_text}: {{}}") + else: + lines.append(f"{prefix}{key_text}:") + lines.extend( + _salt_yaml_lines(inner, indent + 2, sort_keys=sort_keys) + ) + elif isinstance(inner, (list, tuple, set)): + seq = list(inner) if not isinstance(inner, set) else sorted(inner) + if not seq: + lines.append(f"{prefix}{key_text}: []") + else: + lines.append(f"{prefix}{key_text}:") + lines.extend(_salt_yaml_lines(seq, indent + 2, sort_keys=sort_keys)) + else: + lines.append(f"{prefix}{key_text}: {_salt_yaml_scalar(inner)}") + return lines + + if isinstance(value, (list, tuple, set)): + seq = list(value) if not isinstance(value, set) else sorted(value) + if not seq: + return [prefix + "[]"] + lines = [] + for item in seq: + if isinstance(item, Mapping): + if not item: + lines.append(prefix + "- {}") + else: + lines.append(prefix + "-") + lines.extend( + _salt_yaml_lines(item, indent + 2, sort_keys=sort_keys) + ) + elif isinstance(item, (list, tuple, set)): + lines.append(prefix + "-") + lines.extend(_salt_yaml_lines(item, indent + 2, sort_keys=sort_keys)) + else: + lines.append(f"{prefix}- {_salt_yaml_scalar(item)}") + return lines + + return [prefix + _salt_yaml_scalar(value)] + + +def salt_sls_yaml_dump( + value: Any, + *, + sort_keys: bool = True, + explicit_start: bool = False, +) -> str: + """Dump block YAML whose string braces cannot form Salt Jinja delimiters.""" + + lines = _salt_yaml_lines(_plain_json_data(value), sort_keys=sort_keys) + rendered = "\n".join(lines).rstrip() + "\n" + if explicit_start: + rendered = "---\n" + rendered + return rendered diff --git a/enroll/role_names.py b/enroll/role_names.py new file mode 100644 index 0000000..a6f4a32 --- /dev/null +++ b/enroll/role_names.py @@ -0,0 +1,30 @@ +from __future__ import annotations + +RESERVED_SINGLETON_ROLE_NAMES = { + "users", + "flatpak", + "snap", + "container_images", + "apt_config", + "dnf_config", + "firewall_runtime", + "sysctl", + "etc_custom", + "usr_local_custom", + "extra_paths", + "common_packages", +} + + +def avoid_reserved_role_name(role_name: str, *, prefix: str) -> str: + """Return a role name that cannot collide with singleton roles. + + Singleton roles are generated once per manifest from dedicated top-level + state sections. Package and service roles can naturally have the same names + as those singletons, e.g. the OS package named ``flatpak``. Prefix those + generated package/service roles so they cannot overwrite singleton role + directories during manifestation. + """ + if role_name in RESERVED_SINGLETON_ROLE_NAMES: + return f"{prefix}_{role_name}" + return role_name diff --git a/enroll/rpm.py b/enroll/rpm.py index 0314670..a036814 100644 --- a/enroll/rpm.py +++ b/enroll/rpm.py @@ -148,7 +148,7 @@ def list_installed_packages() -> Dict[str, List[Dict[str, str]]]: Uses `rpm -qa` and is expected to work on RHEL/Fedora-like systems. Output format: - {"pkg": [{"version": "...", "arch": "..."}, ...], ...} + {"pkg": [{"version": "...", "arch": "...", "group": "..."}, ...], ...} The version string is formatted as: - "-" for typical packages @@ -161,7 +161,7 @@ def list_installed_packages() -> Dict[str, List[Dict[str, str]]]: "rpm", "-qa", "--qf", - "%{NAME}\t%{EPOCHNUM}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n", + "%{NAME}\t%{EPOCHNUM}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\t%{GROUP}\n", ], allow_fail=False, merge_err=True, @@ -190,7 +190,11 @@ def list_installed_packages() -> Dict[str, List[Dict[str, str]]]: if epoch and epoch.isdigit() and epoch != "0": v = f"{epoch}:{v}" - pkgs.setdefault(name, []).append({"version": v, "arch": arch}) + instance = {"version": v, "arch": arch} + if len(parts) >= 6 and parts[5].strip(): + instance["group"] = parts[5].strip() + + pkgs.setdefault(name, []).append(instance) for k in list(pkgs.keys()): pkgs[k] = sorted( diff --git a/enroll/salt.py b/enroll/salt.py new file mode 100644 index 0000000..2a9fc69 --- /dev/null +++ b/enroll/salt.py @@ -0,0 +1,1759 @@ +from __future__ import annotations + +import hashlib +import json +import re +import shlex +import shutil +from pathlib import Path +from typing import Any, Dict, Iterable, List, Mapping, Optional, Tuple + + +from .cm import ( + CMModule, + resolve_catalog_conflicts, + role_order_key, + markdown_list, +) +from .jinjaturtle import jinjify_artifact, resolve_jinjaturtle_mode +from .manifest_safety import ( + copy_safe_artifact_file, + prepare_manifest_output_dir, + safe_artifact_file, +) +from .render_safety import salt_sls_json_quote, salt_sls_yaml_dump +from .state import inventory_packages_from_state, roles_from_state +from .yamlutil import yaml_load_mapping_file + + +class SaltRole(CMModule): + """Salt-specific view of a renderer-neutral CMModule.""" + + managed_owner_attr = "user" + + def __init__(self, role_name: str) -> None: + super().__init__( + role_name=role_name, + module_name=_salt_name(role_name, fallback="enroll_role"), + ) + self.container_images: List[Dict[str, Any]] = [] + self.flatpak_remotes: List[Dict[str, Any]] = [] + self.flatpaks: List[Dict[str, Any]] = [] + self.snaps: List[Dict[str, Any]] = [] + + def has_resources(self) -> bool: + return self.has_resources_or_attrs( + "container_images", "flatpak_remotes", "flatpaks", "snaps" + ) + + @property + def sls_name(self) -> str: + return f"roles.{self.module_name}" + + def add_service_snapshot(self, snap: Dict[str, Any]) -> None: + self.add_service_snapshot_state( + snap, state_key="state", running="running", stopped="dead" + ) + unit = self.service_unit_from_snapshot(snap) + if unit in self.services: + self.services[unit]["state_id"] = _state_id( + "service", unit, role=self.module_name + ) + + def add_users_snapshot(self, snap: Dict[str, Any]) -> None: + records = self.user_records_from_snapshot(snap) + self.groups.update(self.user_group_names_from_records(records)) + for record in records: + name = str(record.get("name") or "") + user_data: Dict[str, Any] = { + "name": name, + "uid": record.get("uid"), + "gid": record.get("primary_group") or record.get("gid"), + "home": record.get("home"), + "shell": record.get("shell"), + "groups": record.get("supplementary_groups") or [], + } + user_data.update(_gecos_attrs(record.get("gecos"))) + self.users[name] = user_data + + self.add_user_flatpaks_snapshot(snap) + + def prepare_flatpak_remote(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _prepare_flatpak_remote(item) + + def prepare_flatpak_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _prepare_flatpak_item(item) + + def prepare_snap_item(self, item: Dict[str, Any]) -> Dict[str, Any]: + return _prepare_snap_item(item) + + def add_firewall_runtime_snapshot( + self, + snap: Dict[str, Any], + *, + bundle_dir: str, + artifact_role: str, + role_files_dir: Path, + file_prefix: Optional[str] = None, + ) -> None: + super().add_firewall_runtime_snapshot( + snap, + bundle_dir=bundle_dir, + artifact_role=artifact_role, + files_dir=role_files_dir, + copy_artifact=_copy_artifact, + source_uri=_source_uri, + file_prefix=file_prefix, + dir_attrs={"require": [{"file": "/etc/enroll"}]}, + ) + + def add_container_images_snapshot(self, snap: Dict[str, Any]) -> None: + for raw in snap.get("images", []) or []: + if not isinstance(raw, dict): + continue + engine = str(raw.get("engine") or "").strip().lower() + pull_ref = str(raw.get("pull_ref") or "").strip() + if engine not in {"docker", "podman"}: + continue + if not pull_ref: + tags = ", ".join(str(t) for t in (raw.get("repo_tags") or []) if t) + label = tags or str(raw.get("image_id") or "unknown image") + self.notes.append( + f"Container image {label} has no RepoDigest; exact Salt pull state was not rendered." + ) + continue + item = dict(raw) + item["engine"] = engine + item["pull_ref"] = pull_ref + item["scope"] = str(item.get("scope") or "system").strip() or "system" + item["tag_aliases"] = [ + dict(alias) + for alias in (item.get("tag_aliases") or []) + if isinstance(alias, dict) and alias.get("ref") + ] + item["pull_cmd"] = _container_pull_cmd(engine, pull_ref) + item["pull_unless"] = _container_exists_cmd(engine, pull_ref) + for alias in item["tag_aliases"]: + alias_ref = str(alias.get("ref") or "") + alias["tag_cmd"] = _container_tag_cmd(engine, pull_ref, alias_ref) + alias["tag_unless"] = _container_tag_matches_cmd( + engine, pull_ref, alias_ref + ) + self.container_images.append(item) + for note in snap.get("notes", []) or []: + self.notes.append(str(note)) + + def add_managed_content( + self, + snap: Dict[str, Any], + *, + bundle_dir: str, + artifact_role: str, + role_files_dir: Path, + file_prefix: Optional[str] = None, + jt_exe: Optional[str] = None, + jt_enabled: bool = False, + overwrite_templates: bool = True, + watch_services: Optional[List[str]] = None, + watch_service_states: Optional[List[str]] = None, + ) -> None: + for d in self.managed_dirs_from_snapshot(snap): + path = str(d.get("path") or "").strip() + self.add_managed_dir( + path, + user=d.get("owner") or "root", + group=d.get("group") or "root", + mode=d.get("mode") or "0755", + makedirs=True, + reason=d.get("reason") or "managed_dir", + ) + + watch_state_ids = _service_watch_state_ids( + self.module_name, + watch_services=watch_services, + watch_service_states=watch_service_states, + ) + + for mf in self.managed_files_from_snapshot(snap): + path = str(mf.get("path") or "").strip() + src_rel = str(mf.get("src_rel") or "").strip() + if not path or not src_rel: + continue + + template = _jinjify_managed_file( + bundle_dir, + artifact_role, + src_rel, + path, + role_files_dir.parent, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=overwrite_templates, + ) + if template is not None: + tmpl_rel, context = template + attrs: Dict[str, Any] = { + "user": mf.get("owner") or "root", + "group": mf.get("group") or "root", + "mode": mf.get("mode") or "0644", + "source": _template_source_uri(self.module_name, tmpl_rel), + "template": "jinja", + "context": context, + "makedirs": True, + "reason": mf.get("reason") or "managed_file", + } + if watch_state_ids and not path.startswith("/etc/systemd/system/"): + attrs["watch_in"] = [ + {"service": state_id} for state_id in watch_state_ids + ] + self.add_managed_file(path, **attrs) + continue + + role_rel = _copy_artifact( + bundle_dir, + artifact_role, + src_rel, + role_files_dir, + dst_prefix=file_prefix, + ) + if not role_rel: + self.notes.append( + f"Skipped {path}: harvested artifact {artifact_role}/{src_rel} was not present." + ) + continue + attrs = { + "user": mf.get("owner") or "root", + "group": mf.get("group") or "root", + "mode": mf.get("mode") or "0644", + "source": _source_uri(self.module_name, role_rel), + "makedirs": True, + "reason": mf.get("reason") or "managed_file", + } + if watch_state_ids and not path.startswith("/etc/systemd/system/"): + attrs["watch_in"] = [ + {"service": state_id} for state_id in watch_state_ids + ] + self.add_managed_file(path, **attrs) + + for ml in self.managed_links_from_snapshot(snap): + path = str(ml.get("path") or "").strip() + target = str(ml.get("target") or "").strip() + if not path or not target: + continue + self.add_managed_link( + path, + target=target, + force=False, + makedirs=True, + reason=ml.get("reason") or "managed_link", + ) + + self.remove_directory_resource_conflicts() + + +_RESERVED_SALT_NAMES = {"top", "init", "files", "pillar", "states", "roles"} + + +def _salt_name(raw: str, *, fallback: str = "role") -> str: + s = re.sub(r"[^A-Za-z0-9_]+", "_", raw or fallback) + s = re.sub(r"_+", "_", s).strip("_").lower() + if not s: + s = fallback + if not re.match(r"^[a-z_]", s): + s = f"{fallback}_{s}" + if s in _RESERVED_SALT_NAMES: + s = f"{fallback}_{s}" + return s + + +def _state_id(prefix: str, value: Any, *, role: str = "") -> str: + label = re.sub(r"[^A-Za-z0-9_]+", "_", str(value or "item").strip().lower()) + label = re.sub(r"_+", "_", label).strip("_") or "item" + digest = hashlib.sha1( + str(value).encode("utf-8", errors="replace") + ).hexdigest()[ # nosec B324 + :8 + ] # nosec B324 + parts = ["enroll", prefix] + if role: + parts.append(role) + parts.extend([label[:40], digest]) + return "_".join(parts) + + +def _plain_salt_data(value: Any) -> Any: + """Return data made from plain JSON/YAML-safe containers. + + Salt's Jinja ``yaml_encode`` filter cannot represent Salt/PyYAML + ``OrderedDict`` values. Normalise generated template contexts before we + write static SLS or pillar data, and before passing context to file.managed. + """ + + if isinstance(value, Mapping): + return {str(key): _plain_salt_data(inner) for key, inner in value.items()} + if isinstance(value, list): + return [_plain_salt_data(item) for item in value] + if isinstance(value, tuple): + return [_plain_salt_data(item) for item in value] + if isinstance(value, set): + return sorted(_plain_salt_data(item) for item in value) + return value + + +_TO_JSON_FILTER_RE = re.compile( + r"{{\s*([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?)\s*" + r"\|\s*to_json\s*\([^)]*\)\s*}}" +) + + +def _saltify_jinjaturtle_template( + template_text: str, context: Dict[str, Any] +) -> Tuple[str, Dict[str, Any]]: + """Translate JinjaTurtle's Ansible-oriented Jinja into Salt-safe Jinja. + + JinjaTurtle emits Ansible's ``to_json`` filter for JSON/TOML values. Salt's + Jinja environment does not provide that filter. For ordinary generated + context variables, pre-render a JSON string and substitute a plain variable + reference. For loop-local expressions such as ``item`` or ``item.name`` we + fall back to Jinja's built-in ``tojson`` filter. + """ + + salt_context = _plain_salt_data(context) + + def replace(match: re.Match[str]) -> str: + expr = match.group(1) + if "." not in expr and expr in salt_context: + json_var = f"{expr}__enroll_json" + salt_context[json_var] = json.dumps(salt_context[expr], ensure_ascii=False) + return "{{ " + json_var + " }}" + return "{{ " + expr + " | tojson }}" + + return _TO_JSON_FILTER_RE.sub(replace, template_text), salt_context + + +def _service_watch_state_ids( + role_name: str, + *, + watch_services: Optional[Iterable[str]] = None, + watch_service_states: Optional[Iterable[str]] = None, +) -> List[str]: + """Return de-duplicated Salt service state ids for watch_in requisites.""" + + out: List[str] = [] + seen = set() + for state_id in watch_service_states or []: + value = str(state_id or "").strip() + if value and value not in seen: + seen.add(value) + out.append(value) + for unit in watch_services or []: + unit_s = str(unit or "").strip() + if not unit_s: + continue + value = _state_id("service", unit_s, role=role_name) + if value not in seen: + seen.add(value) + out.append(value) + return out + + +def _active_service_state_ids_by_unit( + entries: Iterable[Dict[str, Any]], +) -> Dict[str, str]: + """Return generated Salt service state ids keyed by active systemd unit.""" + + by_unit: Dict[str, str] = {} + for entry in entries: + if str(entry.get("kind") or "package") != "service": + continue + snap = entry.get("snapshot") or {} + if not isinstance(snap, dict): + continue + unit = str(snap.get("unit") or "").strip() + if not unit or str(snap.get("active_state") or "") != "active": + continue + source_label = str(snap.get("role_name") or snap.get("unit") or "service") + role_name = _salt_name( + str(entry.get("role_label") or source_label), fallback="service" + ) + by_unit.setdefault(unit, _state_id("service", unit, role=role_name)) + return by_unit + + +def _yaml_quote(value: Any) -> str: + return salt_sls_json_quote(value) + + +def _yaml_bool(value: Any) -> str: + return "true" if bool(value) else "false" + + +def _shell_quote(value: Any) -> str: + return shlex.quote(str(value or "")) + + +def _container_pull_cmd(engine: str, pull_ref: str) -> str: + return f"{engine} pull {_shell_quote(pull_ref)}" + + +def _container_exists_cmd(engine: str, ref: str) -> str: + if engine == "podman": + return f"podman image exists {_shell_quote(ref)}" + return f"docker image inspect {_shell_quote(ref)} >/dev/null 2>&1" + + +def _container_image_id_expr(engine: str, ref: str) -> str: + """Return a shell expression that extracts an inspected image ID. + + Salt renders SLS files through Jinja before YAML, so Docker's normal + format template cannot be emitted literally without careful escaping. Use + JSON output plus sed instead; it avoids Go-template braces in generated + Salt states and pillar data. + """ + + sed_id = ( + r"sed -n 's/^[[:space:]]*\"Id\":[[:space:]]*\"\([^\"]*\)\".*/\1/p' " + r"| head -n 1" + ) + return ( + f"{_shell_quote(engine)} image inspect {_shell_quote(ref)} " + f"2>/dev/null | {sed_id}" + ) + + +def _container_tag_matches_cmd(engine: str, pull_ref: str, tag_ref: str) -> str: + """Return a shell guard that is true only when tag_ref points at pull_ref.""" + + return ( + f'test "$({_container_image_id_expr(engine, tag_ref)})" ' + f'= "$({_container_image_id_expr(engine, pull_ref)})"' + ) + + +def _container_tag_cmd(engine: str, pull_ref: str, tag_ref: str) -> str: + return f"{engine} tag {_shell_quote(pull_ref)} {_shell_quote(tag_ref)}" + + +def _flatpak_scope(item: Dict[str, Any]) -> str: + return "--user" if str(item.get("method") or "system") == "user" else "--system" + + +def _flatpak_home(item: Dict[str, Any]) -> Optional[str]: + user = str(item.get("user") or "").strip() + if not user: + return None + return str(item.get("home") or f"/home/{user}") + + +def _flatpak_env(item: Dict[str, Any]) -> Dict[str, str]: + home = _flatpak_home(item) + if not home: + return {} + return {"HOME": home, "XDG_DATA_HOME": f"{home}/.local/share"} + + +def _flatpak_remote_exists_cmd(item: Dict[str, Any]) -> str: + return ( + f"flatpak {_flatpak_scope(item)} remote-list --columns=name " + f"| grep -Fx -- {_shell_quote(item.get('name'))}" + ) + + +def _flatpak_remote_add_cmd(item: Dict[str, Any]) -> str: + return ( + f"flatpak {_flatpak_scope(item)} remote-add --if-not-exists " + f"{_shell_quote(item.get('name'))} {_shell_quote(item.get('url'))}" + ) + + +def _flatpak_ref(item: Dict[str, Any]) -> str: + ref = str(item.get("ref") or "").strip() + if ref: + return ref + return str(item.get("name") or "").strip() + + +def _flatpak_exists_cmd(item: Dict[str, Any]) -> str: + return f"flatpak {_flatpak_scope(item)} info {_shell_quote(_flatpak_ref(item))} >/dev/null 2>&1" + + +def _flatpak_install_cmd(item: Dict[str, Any]) -> str: + args = ["flatpak", _flatpak_scope(item), "install", "-y"] + remote = str(item.get("remote") or "").strip() + if remote: + args.append(remote) + args.append(_flatpak_ref(item)) + return " ".join(_shell_quote(arg) for arg in args) + + +def _prepare_flatpak_remote(item: Dict[str, Any]) -> Dict[str, Any]: + out = dict(item) + method = str(out.get("method") or "system") + user = str(out.get("user") or "") + name = str(out.get("name") or "") + out["state_id"] = _state_id("flatpak_remote", f"{method}:{user}:{name}") + out["add_cmd"] = _flatpak_remote_add_cmd(out) + out["exists_cmd"] = _flatpak_remote_exists_cmd(out) + out["env"] = _flatpak_env(out) + return out + + +def _prepare_flatpak_item(item: Dict[str, Any]) -> Dict[str, Any]: + out = dict(item) + method = str(out.get("method") or "system") + user = str(out.get("user") or "") + ref = _flatpak_ref(out) + out["state_id"] = _state_id("flatpak", f"{method}:{user}:{ref}") + out["install_cmd"] = _flatpak_install_cmd(out) + out["exists_cmd"] = _flatpak_exists_cmd(out) + out["env"] = _flatpak_env(out) + return out + + +def _snap_exists_cmd(item: Dict[str, Any]) -> str: + return f"snap list {_shell_quote(item.get('name'))} >/dev/null 2>&1" + + +def _snap_install_cmd(item: Dict[str, Any]) -> str: + args = ["snap", "install", str(item.get("name") or "")] + channel = str(item.get("channel") or "").strip() + revision = str(item.get("revision") or "").strip() + if channel: + args.append(f"--channel={channel}") + elif revision: + args.append(f"--revision={revision}") + if item.get("classic"): + args.append("--classic") + if item.get("devmode"): + args.append("--devmode") + if item.get("dangerous"): + args.append("--dangerous") + return " ".join(_shell_quote(arg) for arg in args if str(arg)) + + +def _prepare_snap_item(item: Dict[str, Any]) -> Dict[str, Any]: + out = dict(item) + name = str(out.get("name") or "") + out["state_id"] = _state_id("snap", name) + out["install_cmd"] = _snap_install_cmd(out) + out["exists_cmd"] = _snap_exists_cmd(out) + return out + + +def _append_firewall_runtime_states(lines: List[str], runtime: Dict[str, Any]) -> None: + specs = [ + ( + "ipset", + "ipset_save", + "ipset_restore_cmd", + "enroll_firewall_runtime_ipset_restore", + ), + ( + "iptables_v4", + "iptables_v4_save", + "iptables_v4_restore_cmd", + "enroll_firewall_runtime_iptables_v4_restore", + ), + ( + "iptables_v6", + "iptables_v6_save", + "iptables_v6_restore_cmd", + "enroll_firewall_runtime_iptables_v6_restore", + ), + ] + for _family, path_key, cmd_key, state_id in specs: + path = str(runtime.get(path_key) or "") + command = str(runtime.get(cmd_key) or "") + if not path or not command: + continue + lines.extend( + [ + f"{state_id}:", + " cmd.run:", + f" - name: {_yaml_quote(command)}", + " - onchanges:", + f" - file: {_yaml_quote(path)}", + "", + ] + ) + + +def _clean_gecos_part(value: Any) -> Optional[str]: + text = str(value or "").strip() + return text or None + + +def _gecos_attrs(value: Any) -> Dict[str, str]: + """Return Salt user.present-safe GECOS fields. + + Linux passwd GECOS is comma-separated. Passing the raw field as Salt's + ``fullname`` can fail for values such as ``Node,,,`` because Salt validates + commas inside individual GECOS subfields. Split it into Salt's native + fields instead. + """ + + raw = str(value or "") + if not raw.strip(): + return {} + parts = raw.split(",", 4) + keys = ("fullname", "roomnumber", "workphone", "homephone", "other") + out: Dict[str, str] = {} + for key, part in zip(keys, parts): + cleaned = _clean_gecos_part(part) + if cleaned: + out[key] = cleaned + return out + + +def _copy_artifact( + bundle_dir: str, + role: str, + src_rel: str, + dst_files_dir: Path, + *, + dst_prefix: Optional[str] = None, +) -> Optional[str]: + if not role or not src_rel: + return None + try: + src = safe_artifact_file(bundle_dir, role, src_rel) + except FileNotFoundError: + return None + role_rel = Path(dst_prefix or "") / src_rel + dst = dst_files_dir / role_rel + dst.parent.mkdir(parents=True, exist_ok=True) + copy_safe_artifact_file(src, dst) + return role_rel.as_posix() + + +def _source_uri(module_name: str, role_rel: str) -> str: + return f"salt://roles/{module_name}/files/{role_rel}" + + +def _template_source_uri(module_name: str, tmpl_rel: str) -> str: + return f"salt://roles/{module_name}/templates/{tmpl_rel}" + + +def _jinjify_managed_file( + bundle_dir: str, + artifact_role: str, + src_rel: str, + dest_path: str, + role_dir: Path, + *, + jt_exe: Optional[str], + jt_enabled: bool, + overwrite_templates: bool, +) -> Optional[Tuple[str, Dict[str, Any]]]: + converted = jinjify_artifact( + bundle_dir, + artifact_role, + src_rel, + dest_path, + role_dir / "templates", + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=overwrite_templates, + ) + if converted is None: + return None + + template_text, context = _saltify_jinjaturtle_template( + converted.template_text, converted.context + ) + template_path = role_dir / "templates" / converted.template_rel + if template_text != converted.template_text: + existing = ( + template_path.read_text(encoding="utf-8") if template_path.exists() else "" + ) + if ( + overwrite_templates + or not template_path.exists() + or _TO_JSON_FILTER_RE.search(existing) + ): + template_path.parent.mkdir(parents=True, exist_ok=True) + template_path.write_text(template_text, encoding="utf-8") + + return converted.template_rel, context + + +def _node_file_prefix(fqdn: str) -> str: + name = re.sub(r"[^A-Za-z0-9_.-]+", "_", str(fqdn or "").strip()) + name = name.strip("._-") or "node" + return f"nodes/{name}" + + +def _node_sls_basename(fqdn: str) -> str: + raw = str(fqdn or "node").strip() or "node" + name = re.sub(r"[^A-Za-z0-9_]+", "_", raw).strip("_").lower() or "node" + digest = hashlib.sha1( + raw.encode("utf-8", errors="replace") + ).hexdigest()[ # nosec B324 + :8 + ] # nosec B324 + return f"{name}_{digest}" + + +def _collect_salt_roles( + state: Dict[str, Any], + bundle_dir: str, + states_dir: Path, + *, + fqdn: Optional[str] = None, + no_common_roles: bool = False, + jt_exe: Optional[str] = None, + jt_enabled: bool = False, +) -> List[SaltRole]: + roles = roles_from_state(state) + inventory_packages = inventory_packages_from_state(state) + use_common_roles = not fqdn and not no_common_roles + node_file_prefix = _node_file_prefix(fqdn) if fqdn else None + out: Dict[str, SaltRole] = {} + + def ensure_role(role_name: str) -> SaltRole: + role_name = _salt_name(role_name, fallback="enroll_role") + return out.setdefault(role_name, SaltRole(role_name)) + + for key in ( + "apt_config", + "dnf_config", + "etc_custom", + "usr_local_custom", + "extra_paths", + "sysctl", + ): + snap = roles.get(key) or {} + if not isinstance(snap, dict): + continue + role_name = _salt_name( + str(snap.get("role_name") or key), fallback="enroll_role" + ) + srole = ensure_role(role_name) + srole.add_managed_content( + snap, + bundle_dir=bundle_dir, + artifact_role=str(snap.get("role_name") or key), + role_files_dir=states_dir / "roles" / srole.module_name / "files", + file_prefix=node_file_prefix, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not bool(fqdn), + ) + + users_snap = roles.get("users") or {} + if isinstance(users_snap, dict): + role_name = _salt_name( + str(users_snap.get("role_name") or "users"), fallback="enroll_role" + ) + srole = ensure_role(role_name) + srole.add_users_snapshot(users_snap) + srole.add_managed_content( + users_snap, + bundle_dir=bundle_dir, + artifact_role=str(users_snap.get("role_name") or "users"), + role_files_dir=states_dir / "roles" / srole.module_name / "files", + file_prefix=node_file_prefix, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not bool(fqdn), + ) + + package_service_entries = list( + CMModule.package_service_entries( + roles, inventory_packages, use_common_roles=use_common_roles + ) + ) + service_units_by_package = CMModule.active_service_units_by_package( + package_service_entries + ) + service_state_ids_by_unit = _active_service_state_ids_by_unit( + package_service_entries + ) + + for entry in package_service_entries: + snap = entry.get("snapshot") or {} + kind = str(entry.get("kind") or "package") + fallback = "service" if kind == "service" else "package" + source_label = str( + snap.get("role_name") or snap.get("unit") or snap.get("package") or fallback + ) + original_role_name = _salt_name(source_label, fallback=fallback) + role_name = _salt_name( + str(entry.get("role_label") or source_label), + fallback="package_group" if use_common_roles else fallback, + ) + srole = ensure_role(role_name) + watch_services: List[str] = [] + watch_service_states: List[str] = [] + if kind == "service": + srole.add_service_snapshot(snap) + unit = str(snap.get("unit") or "").strip() + if unit and str(snap.get("active_state") or "") == "active": + watch_services = [unit] + else: + srole.add_package_snapshot(snap) + watch_services = CMModule.active_service_units_for_package_snapshot( + snap, service_units_by_package + ) + watch_service_states = [ + service_state_ids_by_unit[unit] + for unit in watch_services + if unit in service_state_ids_by_unit + ] + if watch_service_states: + watch_services = [] + srole.add_managed_content( + snap, + bundle_dir=bundle_dir, + artifact_role=str(snap.get("role_name") or original_role_name), + role_files_dir=states_dir / "roles" / srole.module_name / "files", + file_prefix=node_file_prefix, + jt_exe=jt_exe, + jt_enabled=jt_enabled, + overwrite_templates=not bool(fqdn), + watch_services=watch_services, + watch_service_states=watch_service_states, + ) + + container_images = roles.get("container_images") or {} + if isinstance(container_images, dict) and ( + container_images.get("images") or container_images.get("notes") + ): + srole = ensure_role( + str(container_images.get("role_name") or "container_images") + ) + srole.add_container_images_snapshot(container_images) + + fw = roles.get("firewall_runtime") or {} + if isinstance(fw, dict): + has_fw = ( + fw.get("ipset_save") + or fw.get("iptables_v4_save") + or fw.get("iptables_v6_save") + ) + if has_fw: + runtime_role = ensure_role("enroll_runtime") + runtime_role.add_managed_dir( + "/etc/enroll", + user="root", + group="root", + mode="0750", + reason="enroll_runtime", + ) + role_name = str(fw.get("role_name") or "firewall_runtime") + srole = ensure_role(role_name) + srole.add_firewall_runtime_snapshot( + fw, + bundle_dir=bundle_dir, + artifact_role=role_name, + role_files_dir=states_dir / "roles" / srole.module_name / "files", + file_prefix=node_file_prefix, + ) + + flatpak = roles.get("flatpak") or {} + if isinstance(flatpak, dict) and ( + flatpak.get("system_flatpaks") or flatpak.get("remotes") or flatpak.get("notes") + ): + srole = ensure_role(str(flatpak.get("role_name") or "flatpak")) + srole.add_flatpak_snapshot(flatpak) + + snap = roles.get("snap") or {} + if isinstance(snap, dict) and (snap.get("system_snaps") or snap.get("notes")): + srole = ensure_role(str(snap.get("role_name") or "snap")) + srole.add_snap_snapshot(snap) + + salt_roles = sorted(out.values(), key=lambda r: role_order_key(r.role_name)) + resolve_catalog_conflicts(salt_roles) + return [r for r in salt_roles if r.has_resources()] + + +def _append_yaml_value(lines: List[str], key: str, value: Any, *, indent: int) -> None: + prefix = " " * indent + if isinstance(value, dict): + dumped = salt_sls_yaml_dump(_plain_salt_data(value), sort_keys=True).rstrip() + if not dumped: + lines.append(f"{prefix}- {key}: {{}}") + return + lines.append(f"{prefix}- {key}:") + for line in dumped.splitlines(): + lines.append(f"{prefix} {line}") + return + lines.append(f"{prefix}- {key}: {_yaml_quote(value)}") + + +def _render_static_role(srole: SaltRole) -> str: + lines: List[str] = ["# Generated by Enroll from harvest state.", ""] + + for package in sorted(srole.packages): + lines.extend( + [ + f"{_state_id('pkg', package, role=srole.module_name)}:", + " pkg.installed:", + f" - name: {_yaml_quote(package)}", + "", + ] + ) + + for group in sorted(srole.groups): + lines.extend( + [ + f"{_state_id('group', group, role=srole.module_name)}:", + " group.present:", + f" - name: {_yaml_quote(group)}", + "", + ] + ) + + for name in sorted(srole.users): + user = srole.users[name] + lines.extend( + [ + f"{_state_id('user', name, role=srole.module_name)}:", + " user.present:", + f" - name: {_yaml_quote(name)}", + ] + ) + if user.get("uid") is not None: + lines.append(f" - uid: {user['uid']}") + if user.get("gid") is not None: + lines.append(f" - gid: {_yaml_quote(user['gid'])}") + if user.get("home"): + lines.append(f" - home: {_yaml_quote(user['home'])}") + if user.get("shell"): + lines.append(f" - shell: {_yaml_quote(user['shell'])}") + for gecos_key in ("fullname", "roomnumber", "workphone", "homephone", "other"): + if user.get(gecos_key): + lines.append(f" - {gecos_key}: {_yaml_quote(user[gecos_key])}") + if user.get("groups"): + lines.append(" - groups:") + for group in user.get("groups") or []: + lines.append(f" - {_yaml_quote(group)}") + lines.append(" - remove_groups: false") + lines.append("") + + for path, attrs in sorted(srole.dirs.items()): + lines.extend( + [ + f"{_yaml_quote(path)}:", + " file.directory:", + f" - user: {_yaml_quote(attrs.get('user') or attrs.get('owner') or 'root')}", + f" - group: {_yaml_quote(attrs.get('group') or 'root')}", + f" - mode: {_yaml_quote(str(attrs.get('mode') or '0755'))}", + " - makedirs: true", + ] + ) + if attrs.get("require"): + lines.append(" - require:") + for req in attrs.get("require") or []: + if isinstance(req, dict): + for req_kind, req_name in req.items(): + lines.append(f" - {req_kind}: {_yaml_quote(req_name)}") + lines.append("") + + for path, attrs in sorted(srole.files.items()): + lines.extend( + [ + f"{_yaml_quote(path)}:", + " file.managed:", + f" - source: {_yaml_quote(attrs.get('source') or '')}", + f" - user: {_yaml_quote(attrs.get('user') or attrs.get('owner') or 'root')}", + f" - group: {_yaml_quote(attrs.get('group') or 'root')}", + f" - mode: {_yaml_quote(str(attrs.get('mode') or '0644'))}", + " - makedirs: true", + ] + ) + if attrs.get("template"): + lines.append(f" - template: {_yaml_quote(attrs.get('template'))}") + if attrs.get("context"): + _append_yaml_value(lines, "context", attrs.get("context"), indent=4) + if attrs.get("watch_in"): + lines.append(" - watch_in:") + for req in attrs.get("watch_in") or []: + if isinstance(req, dict): + for req_kind, req_name in req.items(): + lines.append(f" - {req_kind}: {_yaml_quote(req_name)}") + lines.append("") + + for path, attrs in sorted(srole.links.items()): + lines.extend( + [ + f"{_yaml_quote(path)}:", + " file.symlink:", + f" - target: {_yaml_quote(attrs.get('target') or '')}", + f" - force: {_yaml_bool(attrs.get('force', False))}", + " - makedirs: true", + "", + ] + ) + + for name in sorted(srole.services): + svc = srole.services[name] + state_fun = "running" if svc.get("state") == "running" else "dead" + lines.extend( + [ + f"{svc.get('state_id') or _state_id('service', name, role=srole.module_name)}:", + f" service.{state_fun}:", + f" - name: {_yaml_quote(svc.get('name') or name)}", + f" - enable: {_yaml_bool(svc.get('enable', False))}", + "", + ] + ) + + flatpak_remote_state_ids: Dict[Tuple[str, str, str], str] = {} + for remote in srole.flatpak_remotes: + name = str(remote.get("name") or "").strip() + url = str(remote.get("url") or "").strip() + if not name or not url: + continue + state_id = str( + remote.get("state_id") + or _state_id("flatpak_remote", name, role=srole.module_name) + ) + key = ( + str(remote.get("method") or "system"), + str(remote.get("user") or ""), + name, + ) + flatpak_remote_state_ids[key] = state_id + lines.extend( + [ + f"{state_id}:", + " cmd.run:", + f" - name: {_yaml_quote(remote.get('add_cmd') or _flatpak_remote_add_cmd(remote))}", + f" - unless: {_yaml_quote(remote.get('exists_cmd') or _flatpak_remote_exists_cmd(remote))}", + ] + ) + remote_user = str(remote.get("user") or "") + if remote_user: + lines.append(f" - runas: {_yaml_quote(remote_user)}") + env = remote.get("env") or {} + if env: + lines.append(" - env:") + for key_name, value in sorted(env.items()): + lines.append(f" - {key_name}: {_yaml_quote(value)}") + if remote_user and remote_user in srole.users: + lines.extend( + [ + " - require:", + f" - user: {_state_id('user', remote_user, role=srole.module_name)}", + ] + ) + lines.append("") + + for app in srole.flatpaks: + ref = _flatpak_ref(app) + if not ref: + continue + state_id = str( + app.get("state_id") or _state_id("flatpak", ref, role=srole.module_name) + ) + method = str(app.get("method") or "system") + user = str(app.get("user") or "") + remote_name = str(app.get("remote") or "") + require_entries: List[Tuple[str, str]] = [] + if user and user in srole.users: + require_entries.append( + ("user", _state_id("user", user, role=srole.module_name)) + ) + if remote_name: + remote_state_id = flatpak_remote_state_ids.get((method, user, remote_name)) + if remote_state_id: + require_entries.append(("cmd", remote_state_id)) + lines.extend( + [ + f"{state_id}:", + " cmd.run:", + f" - name: {_yaml_quote(app.get('install_cmd') or _flatpak_install_cmd(app))}", + f" - unless: {_yaml_quote(app.get('exists_cmd') or _flatpak_exists_cmd(app))}", + ] + ) + if app.get("user"): + lines.append(f" - runas: {_yaml_quote(app.get('user'))}") + env = app.get("env") or {} + if env: + lines.append(" - env:") + for key_name, value in sorted(env.items()): + lines.append(f" - {key_name}: {_yaml_quote(value)}") + if require_entries: + lines.append(" - require:") + for req_kind, req_name in require_entries: + lines.append(f" - {req_kind}: {req_name}") + lines.append("") + + for snap in srole.snaps: + name = str(snap.get("name") or "").strip() + if not name: + continue + lines.extend( + [ + f"{snap.get('state_id') or _state_id('snap', name, role=srole.module_name)}:", + " cmd.run:", + f" - name: {_yaml_quote(snap.get('install_cmd') or _snap_install_cmd(snap))}", + f" - unless: {_yaml_quote(snap.get('exists_cmd') or _snap_exists_cmd(snap))}", + "", + ] + ) + + for idx, image in enumerate(srole.container_images, start=1): + engine = str(image.get("engine") or "").strip() + pull_ref = str(image.get("pull_ref") or "").strip() + if not engine or not pull_ref: + continue + if engine == "docker": + pull_state_id = _state_id("docker_pull", pull_ref, role=srole.module_name) + lines.extend( + [ + f"{pull_state_id}:", + " cmd.run:", + f" - name: {_yaml_quote(image.get('pull_cmd') or _container_pull_cmd(engine, pull_ref))}", + f" - unless: {_yaml_quote(image.get('pull_unless') or _container_exists_cmd(engine, pull_ref))}", + "", + ] + ) + for alias in image.get("tag_aliases") or []: + tag_ref = str(alias.get("ref") or "").strip() + if not tag_ref: + continue + lines.extend( + [ + f"{_state_id('docker_tag', tag_ref, role=srole.module_name)}:", + " cmd.run:", + f" - name: {_yaml_quote(alias.get('tag_cmd') or _container_tag_cmd(engine, pull_ref, tag_ref))}", + f" - unless: {_yaml_quote(alias.get('tag_unless') or _container_tag_matches_cmd(engine, pull_ref, tag_ref))}", + " - require:", + f" - cmd: {pull_state_id}", + "", + ] + ) + elif engine == "podman": + pull_state_id = _state_id("podman_pull", pull_ref, role=srole.module_name) + lines.extend( + [ + f"{pull_state_id}:", + " cmd.run:", + f" - name: {_yaml_quote(image.get('pull_cmd') or _container_pull_cmd(engine, pull_ref))}", + f" - unless: {_yaml_quote(image.get('pull_unless') or _container_exists_cmd(engine, pull_ref))}", + "", + ] + ) + for alias in image.get("tag_aliases") or []: + tag_ref = str(alias.get("ref") or "").strip() + if not tag_ref: + continue + lines.extend( + [ + f"{_state_id('podman_tag', tag_ref, role=srole.module_name)}:", + " cmd.run:", + f" - name: {_yaml_quote(alias.get('tag_cmd') or _container_tag_cmd(engine, pull_ref, tag_ref))}", + f" - unless: {_yaml_quote(alias.get('tag_unless') or _container_exists_cmd(engine, tag_ref))}", + " - require:", + f" - cmd: {pull_state_id}", + "", + ] + ) + + if srole.firewall_runtime: + _append_firewall_runtime_states(lines, srole.firewall_runtime) + + if "/etc/sysctl.d/99-enroll.conf" in srole.files: + lines.extend( + [ + f"{_state_id('cmd', 'apply_sysctl', role=srole.module_name)}:", + " cmd.run:", + " - name: sysctl -e -p /etc/sysctl.d/99-enroll.conf || true", + " - onchanges:", + " - file: /etc/sysctl.d/99-enroll.conf", + "", + ] + ) + + if srole.notes: + lines.append("# Notes and limitations") + for note in srole.notes: + lines.append(f"# - {note}") + lines.append("") + + return "\n".join(lines).rstrip() + "\n" + + +def _role_pillar_values(srole: SaltRole) -> Dict[str, Any]: + data: Dict[str, Any] = {} + if srole.packages: + data["packages"] = sorted(srole.packages) + if srole.groups: + data["groups"] = {group: {} for group in sorted(srole.groups)} + if srole.users: + users: Dict[str, Dict[str, Any]] = {} + for name in sorted(srole.users): + raw = srole.users[name] + attrs: Dict[str, Any] = {} + for key in ( + "uid", + "gid", + "home", + "shell", + "fullname", + "roomnumber", + "workphone", + "homephone", + "other", + ): + if raw.get(key) is not None: + attrs[key] = raw[key] + if raw.get("groups"): + attrs["groups"] = list(raw["groups"]) + attrs["remove_groups"] = False + users[name] = attrs + data["users"] = users + if srole.dirs: + data["dirs"] = { + path: { + "user": attrs.get("user") or attrs.get("owner") or "root", + "group": attrs.get("group") or "root", + "mode": str(attrs.get("mode") or "0755"), + "makedirs": True, + **({"require": attrs.get("require")} if attrs.get("require") else {}), + } + for path, attrs in sorted(srole.dirs.items()) + } + if srole.files: + data["files"] = { + path: { + "source": attrs.get("source") or "", + "user": attrs.get("user") or attrs.get("owner") or "root", + "group": attrs.get("group") or "root", + "mode": str(attrs.get("mode") or "0644"), + "makedirs": True, + **( + {"template": attrs.get("template")} if attrs.get("template") else {} + ), + **( + {"context": _plain_salt_data(attrs.get("context"))} + if attrs.get("context") + else {} + ), + **( + {"watch_in": attrs.get("watch_in")} if attrs.get("watch_in") else {} + ), + } + for path, attrs in sorted(srole.files.items()) + } + if srole.links: + data["links"] = { + path: { + "target": attrs.get("target") or "", + "force": bool(attrs.get("force", False)), + "makedirs": True, + } + for path, attrs in sorted(srole.links.items()) + } + if srole.services: + data["services"] = { + name: { + "name": svc.get("name") or name, + "state": "running" if svc.get("state") == "running" else "dead", + "enable": bool(svc.get("enable", False)), + "state_id": svc.get("state_id") + or _state_id("service", name, role=srole.module_name), + } + for name, svc in sorted(srole.services.items()) + } + if "/etc/sysctl.d/99-enroll.conf" in srole.files: + data["sysctl_apply"] = True + if srole.flatpak_remotes: + data["flatpak_remotes"] = list(srole.flatpak_remotes) + if srole.flatpaks: + data["flatpaks"] = list(srole.flatpaks) + if srole.snaps: + data["snaps"] = list(srole.snaps) + if srole.container_images: + data["container_images"] = list(srole.container_images) + if srole.firewall_runtime: + data["firewall_runtime"] = dict(srole.firewall_runtime) + if srole.notes: + data["notes"] = list(srole.notes) + return data + + +def _render_pillar_role(srole: SaltRole) -> str: + role_key = srole.module_name + lines = [ + "# Generated by Enroll from harvest state.", + f"{{% set role = salt['pillar.get']('enroll:roles:{role_key}', {{}}) %}}", + "", + "{% for package_name in role.get('packages', []) %}", + f"enroll_pkg_{role_key}_{{{{ loop.index }}}}:", + " pkg.installed:", + " - name: {{ package_name|yaml_dquote }}", + "{% endfor %}", + "", + "{% for group_name, group_attrs in role.get('groups', {}).items() %}", + f"enroll_group_{role_key}_{{{{ loop.index }}}}:", + " group.present:", + " - name: {{ group_name|yaml_dquote }}", + "{% endfor %}", + "", + "{% for user_name, user_attrs in role.get('users', {}).items() %}", + f"enroll_user_{role_key}_{{{{ loop.index }}}}:", + " user.present:", + " - name: {{ user_name|yaml_dquote }}", + "{% if user_attrs.get('uid') is not none %}", + " - uid: {{ user_attrs.get('uid') }}", + "{% endif %}", + "{% if user_attrs.get('gid') is not none %}", + " - gid: {{ user_attrs.get('gid')|yaml_dquote }}", + "{% endif %}", + "{% if user_attrs.get('home') %}", + " - home: {{ user_attrs.get('home')|yaml_dquote }}", + "{% endif %}", + "{% if user_attrs.get('shell') %}", + " - shell: {{ user_attrs.get('shell')|yaml_dquote }}", + "{% endif %}", + "{% for gecos_key in ['fullname', 'roomnumber', 'workphone', 'homephone', 'other'] %}", + "{% if user_attrs.get(gecos_key) %}", + " - {{ gecos_key }}: {{ user_attrs.get(gecos_key)|yaml_dquote }}", + "{% endif %}", + "{% endfor %}", + "{% if user_attrs.get('groups') %}", + " - groups:", + "{% for group_name in user_attrs.get('groups', []) %}", + " - {{ group_name|yaml_dquote }}", + "{% endfor %}", + " - remove_groups: {{ user_attrs.get('remove_groups', False)|yaml_encode }}", + "{% endif %}", + "{% endfor %}", + "", + "{% for path, attrs in role.get('dirs', {}).items() %}", + "{{ path|yaml_dquote }}:", + " file.directory:", + " - user: {{ attrs.get('user', 'root')|yaml_dquote }}", + " - group: {{ attrs.get('group', 'root')|yaml_dquote }}", + " - mode: {{ attrs.get('mode', '0755')|string|yaml_dquote }}", + " - makedirs: {{ attrs.get('makedirs', True)|yaml_encode }}", + "{% if attrs.get('require') %}", + " - require:", + "{% for req in attrs.get('require', []) %}", + "{% for req_kind, req_name in req.items() %}", + " - {{ req_kind }}: {{ req_name|yaml_dquote }}", + "{% endfor %}", + "{% endfor %}", + "{% endif %}", + "{% endfor %}", + "", + "{% for path, attrs in role.get('files', {}).items() %}", + "{{ path|yaml_dquote }}:", + " file.managed:", + " - source: {{ attrs.get('source', '')|yaml_dquote }}", + " - user: {{ attrs.get('user', 'root')|yaml_dquote }}", + " - group: {{ attrs.get('group', 'root')|yaml_dquote }}", + " - mode: {{ attrs.get('mode', '0644')|string|yaml_dquote }}", + " - makedirs: {{ attrs.get('makedirs', True)|yaml_encode }}", + "{% if attrs.get('template') %}", + " - template: {{ attrs.get('template')|yaml_dquote }}", + "{% endif %}", + "{% if attrs.get('context') %}", + " - context: {{ attrs.get('context')|tojson }}", + "{% endif %}", + "{% if attrs.get('watch_in') %}", + " - watch_in:", + "{% for req in attrs.get('watch_in') %}", + "{% for req_kind, req_name in req.items() %}", + " - {{ req_kind }}: {{ req_name|yaml_dquote }}", + "{% endfor %}", + "{% endfor %}", + "{% endif %}", + "{% endfor %}", + "", + "{% for path, attrs in role.get('links', {}).items() %}", + "{{ path|yaml_dquote }}:", + " file.symlink:", + " - target: {{ attrs.get('target', '')|yaml_dquote }}", + " - force: {{ attrs.get('force', False)|yaml_encode }}", + " - makedirs: {{ attrs.get('makedirs', True)|yaml_encode }}", + "{% endfor %}", + "", + "{% for service_id, svc in role.get('services', {}).items() %}", + "{{ svc.get('state_id') or ('enroll_service_" + + role_key + + "_' ~ loop.index|string) }}:", + " service.{{ 'running' if svc.get('state') == 'running' else 'dead' }}:", + " - name: {{ svc.get('name', service_id)|yaml_dquote }}", + " - enable: {{ svc.get('enable', False)|yaml_encode }}", + "{% endfor %}", + "", + "{% for remote in role.get('flatpak_remotes', []) %}", + "{{ remote.get('state_id') }}:", + " cmd.run:", + " - name: {{ remote.get('add_cmd')|yaml_dquote }}", + " - unless: {{ remote.get('exists_cmd')|yaml_dquote }}", + "{% if remote.get('user') %}", + " - runas: {{ remote.get('user')|yaml_dquote }}", + "{% endif %}", + "{% if remote.get('env') %}", + " - env:", + "{% for env_key, env_value in remote.get('env', {}).items() %}", + " - {{ env_key }}: {{ env_value|yaml_dquote }}", + "{% endfor %}", + "{% endif %}", + "{% endfor %}", + "", + "{% for app in role.get('flatpaks', []) %}", + "{{ app.get('state_id') }}:", + " cmd.run:", + " - name: {{ app.get('install_cmd')|yaml_dquote }}", + " - unless: {{ app.get('exists_cmd')|yaml_dquote }}", + "{% if app.get('user') %}", + " - runas: {{ app.get('user')|yaml_dquote }}", + "{% endif %}", + "{% if app.get('env') %}", + " - env:", + "{% for env_key, env_value in app.get('env', {}).items() %}", + " - {{ env_key }}: {{ env_value|yaml_dquote }}", + "{% endfor %}", + "{% endif %}", + "{% endfor %}", + "", + "{% for snap in role.get('snaps', []) %}", + "{{ snap.get('state_id') }}:", + " cmd.run:", + " - name: {{ snap.get('install_cmd')|yaml_dquote }}", + " - unless: {{ snap.get('exists_cmd')|yaml_dquote }}", + "{% endfor %}", + "", + "{% for image in role.get('container_images', []) %}", + "{% if image.get('engine') == 'docker' and image.get('pull_ref') %}", + f"enroll_docker_pull_{role_key}_{{{{ loop.index }}}}:", + " cmd.run:", + " - name: {{ image.get('pull_cmd')|yaml_dquote }}", + " - unless: {{ image.get('pull_unless')|yaml_dquote }}", + "{% set image_loop = loop.index %}", + "{% for alias in image.get('tag_aliases', []) %}", + f"enroll_docker_tag_{role_key}_{{{{ image_loop }}}}_{{{{ loop.index }}}}:", + " cmd.run:", + " - name: {{ alias.get('tag_cmd')|yaml_dquote }}", + " - unless: {{ alias.get('tag_unless')|yaml_dquote }}", + " - require:", + f" - cmd: enroll_docker_pull_{role_key}_{{{{ image_loop }}}}", + "{% endfor %}", + "{% elif image.get('engine') == 'podman' and image.get('pull_ref') %}", + f"enroll_podman_pull_{role_key}_{{{{ loop.index }}}}:", + " cmd.run:", + " - name: {{ image.get('pull_cmd')|yaml_dquote }}", + " - unless: {{ image.get('pull_unless')|yaml_dquote }}", + "{% set image_loop = loop.index %}", + "{% for alias in image.get('tag_aliases', []) %}", + f"enroll_podman_tag_{role_key}_{{{{ image_loop }}}}_{{{{ loop.index }}}}:", + " cmd.run:", + " - name: {{ alias.get('tag_cmd')|yaml_dquote }}", + " - unless: {{ alias.get('tag_unless')|yaml_dquote }}", + " - require:", + f" - cmd: enroll_podman_pull_{role_key}_{{{{ image_loop }}}}", + "{% endfor %}", + "{% endif %}", + "{% endfor %}", + "", + "{% set firewall_runtime = role.get('firewall_runtime', {}) %}", + "{% if firewall_runtime.get('ipset_restore_cmd') %}", + "enroll_firewall_runtime_ipset_restore:", + " cmd.run:", + " - name: {{ firewall_runtime.get('ipset_restore_cmd')|yaml_dquote }}", + " - onchanges:", + " - file: {{ firewall_runtime.get('ipset_save')|yaml_dquote }}", + "{% endif %}", + "", + "{% if firewall_runtime.get('iptables_v4_restore_cmd') %}", + "enroll_firewall_runtime_iptables_v4_restore:", + " cmd.run:", + " - name: {{ firewall_runtime.get('iptables_v4_restore_cmd')|yaml_dquote }}", + " - onchanges:", + " - file: {{ firewall_runtime.get('iptables_v4_save')|yaml_dquote }}", + "{% endif %}", + "", + "{% if firewall_runtime.get('iptables_v6_restore_cmd') %}", + "enroll_firewall_runtime_iptables_v6_restore:", + " cmd.run:", + " - name: {{ firewall_runtime.get('iptables_v6_restore_cmd')|yaml_dquote }}", + " - onchanges:", + " - file: {{ firewall_runtime.get('iptables_v6_save')|yaml_dquote }}", + "{% endif %}", + "", + "{% if role.get('sysctl_apply') and '/etc/sysctl.d/99-enroll.conf' in role.get('files', {}) %}", + f"enroll_apply_sysctl_{role_key}:", + " cmd.run:", + " - name: sysctl -e -p /etc/sysctl.d/99-enroll.conf || true", + " - onchanges:", + " - file: /etc/sysctl.d/99-enroll.conf", + "{% endif %}", + "", + "{% if role.get('notes') %}", + "# Notes and limitations", + "{% for note in role.get('notes', []) %}", + "# - {{ note }}", + "{% endfor %}", + "{% endif %}", + "", + ] + return "\n".join(lines).rstrip() + "\n" + + +def _write_yaml(path: Path, data: Dict[str, Any]) -> None: + path.parent.mkdir(parents=True, exist_ok=True) + path.write_text( + salt_sls_yaml_dump(data, sort_keys=True, explicit_start=True), + encoding="utf-8", + ) + + +def _load_yaml_mapping(path: Path) -> Dict[str, Any]: + return yaml_load_mapping_file(path) + + +def _write_top(path: Path, mapping: Dict[str, List[str]]) -> None: + data = { + "base": {target: list(values) for target, values in sorted(mapping.items())} + } + _write_yaml(path, data) + + +def _read_top(path: Path) -> Dict[str, List[str]]: + data = _load_yaml_mapping(path) + base = data.get("base") if isinstance(data.get("base"), dict) else {} + out: Dict[str, List[str]] = {} + for target, values in base.items(): + if isinstance(values, list): + out[str(target)] = [str(v) for v in values if isinstance(v, str)] + return out + + +def _write_state_top( + states_dir: Path, target: str, sls_names: List[str], *, preserve: bool +) -> None: + top_path = states_dir / "top.sls" + mapping = _read_top(top_path) if preserve else {} + mapping[target] = list(sls_names) + _write_top(top_path, mapping) + + +def _write_pillar_top(pillar_dir: Path, fqdn: str, node_sls: str) -> None: + top_path = pillar_dir / "top.sls" + mapping = _read_top(top_path) + mapping[fqdn] = [node_sls] + _write_top(top_path, mapping) + + +def _write_pillar_node_data( + pillar_dir: Path, fqdn: str, salt_roles: List[SaltRole] +) -> Path: + node_base = _node_sls_basename(fqdn) + node_path = pillar_dir / "nodes" / f"{node_base}.sls" + data = { + "enroll": { + "classes": [r.sls_name for r in salt_roles], + "roles": {r.module_name: _role_pillar_values(r) for r in salt_roles}, + } + } + _write_yaml(node_path, data) + _write_pillar_top(pillar_dir, fqdn, f"nodes.{node_base}") + return node_path + + +def _clean_node_artifacts(states_dir: Path, fqdn: str) -> None: + prefix = Path(_node_file_prefix(fqdn)) + nodes_rel = prefix.parts + for files_dir in (states_dir / "roles").glob("*/files"): + target = files_dir.joinpath(*nodes_rel) + if target.exists(): + shutil.rmtree(target) + + +def _write_master_config(out: Path) -> None: + config_dir = out / "config" + config_dir.mkdir(parents=True, exist_ok=True) + (config_dir / "master.d" / "enroll.conf").parent.mkdir(parents=True, exist_ok=True) + (config_dir / "master.d" / "enroll.conf").write_text( + "# Generated by Enroll. Copy or merge into /etc/salt/master.d/enroll.conf.\n" + "file_roots:\n" + " base:\n" + " - /srv/salt\n" + "pillar_roots:\n" + " base:\n" + " - /srv/pillar\n", + encoding="utf-8", + ) + + +def _render_readme( + state: Dict[str, Any], + salt_roles: List[SaltRole], + *, + fqdn: Optional[str] = None, + node_path: Optional[Path] = None, +) -> str: + host = state.get("host", {}) if isinstance(state.get("host"), dict) else {} + hostname = host.get("hostname") or "unknown" + role_lines = markdown_list( + f"`{r.sls_name}` from Enroll role `{r.role_name}`" for r in salt_roles + ) + notes_text = markdown_list( + f"`{r.sls_name}`: {note}" for r in salt_roles for note in r.notes + ) + + if fqdn: + node_display = ( + node_path.relative_to(Path(node_path).parents[1]).as_posix() + if node_path + else "pillar/nodes/.sls" + ) + layout = f"""- `states/top.sls` targets minion `{fqdn}` to this node's generated role SLS files. +- `pillar/top.sls` targets minion `{fqdn}` to `{node_display}`. +- `pillar/nodes/*.sls` contains per-minion resource data under `enroll:roles:`. +- `states/roles//init.sls` contains reusable, data-driven Salt states. +- `states/roles//files/nodes//...` contains node-specific harvested file artifacts.""" + apply = f"""For a local dry run using the generated tree: + +```bash +sudo salt-call --local --file-root ./states --pillar-root ./pillar --id {fqdn} state.apply test=True +``` + +For master/minion use, copy or sync `states/` to your Salt state tree, copy or sync `pillar/` to your pillar tree, refresh pillar, then apply the highstate or the selected SLS files to minion `{fqdn}`.""" + else: + layout = """- `states/top.sls` targets `*` to the generated role SLS files. +- `states/roles//init.sls` contains concrete Salt states for each generated Enroll role/snapshot or common package group. +- `states/roles//files/` contains harvested file artifacts for that role or group. +- `config/master.d/enroll.conf` documents the expected Salt `file_roots` and `pillar_roots` layout if copied under `/srv`.""" + apply = """For a local dry run using the generated tree: + +```bash +sudo salt-call --local --file-root ./states state.apply test=True +``` + +For master/minion use, copy or sync `states/` to your Salt state tree and apply highstate or the selected SLS files.""" + + return f"""# Enroll Salt manifest + +Generated by Enroll from harvest data for `{hostname}`. + +This Salt target reuses the existing harvest state without changing harvesting behaviour. + +## Layout + +{layout} + +## Generated SLS roles + +{role_lines} + +## Apply / check + +{apply} + +## Generated resources + +- Native packages observed in package and service snapshots. +- Local users and groups from the users snapshot. +- Managed directories, files, and symlinks from harvested roles. +- Basic service enablement/running-state resources. +- `/etc/sysctl.d/99-enroll.conf` plus an `onchanges` sysctl apply command when present. +- Docker images by digest using guarded `docker pull` / `docker tag` command states. +- Podman images by digest using guarded `podman pull` / `podman tag` command states. +- Flatpak remotes and applications using guarded `flatpak remote-add` / `flatpak install` command states. +- Snap applications using guarded `snap install` command states. +- Live firewall runtime snapshots using staged `/etc/enroll/firewall/*` files and guarded restore command states. + +## Current limitations + +- JinjaTurtle templating is applied on a best-effort basis for file formats it recognises; unrecognised files are copied literally. +- Review generated resources before applying them broadly across unlike hosts. + +## Notes + +{notes_text} +""" + + +class SaltManifestRenderer: + """Render Salt state/pillar trees from a harvest bundle.""" + + def __init__( + self, + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str] = None, + no_common_roles: bool = False, + jinjaturtle: str = "auto", + ) -> None: + self.bundle_dir = bundle_dir + self.out_dir = out_dir + self.fqdn = fqdn + self.no_common_roles = no_common_roles + self.jt_exe, self.jt_enabled = resolve_jinjaturtle_mode(jinjaturtle) + + def render(self) -> None: + state = SaltRole.load_state(self.bundle_dir) + fqdn_mode = bool(self.fqdn) + out = prepare_manifest_output_dir(self.out_dir, allow_existing=fqdn_mode) + states_dir = out / "states" + pillar_dir = out / "pillar" + + states_dir.mkdir(parents=True, exist_ok=True) + if fqdn_mode: + pillar_dir.mkdir(parents=True, exist_ok=True) + _clean_node_artifacts(states_dir, str(self.fqdn)) + + salt_roles = _collect_salt_roles( + state, + self.bundle_dir, + states_dir, + fqdn=self.fqdn, + no_common_roles=self.no_common_roles, + jt_exe=self.jt_exe, + jt_enabled=self.jt_enabled, + ) + + for srole in salt_roles: + role_dir = states_dir / "roles" / srole.module_name + role_dir.mkdir(parents=True, exist_ok=True) + (role_dir / "init.sls").write_text( + _render_pillar_role(srole) if fqdn_mode else _render_static_role(srole), + encoding="utf-8", + ) + + node_path: Optional[Path] = None + if fqdn_mode and self.fqdn: + node_path = _write_pillar_node_data(pillar_dir, self.fqdn, salt_roles) + _write_state_top( + states_dir, + self.fqdn, + [r.sls_name for r in salt_roles], + preserve=True, + ) + else: + _write_state_top( + states_dir, + "*", + [r.sls_name for r in salt_roles], + preserve=False, + ) + _write_master_config(out) + (out / "README.md").write_text( + _render_readme(state, salt_roles, fqdn=self.fqdn, node_path=node_path), + encoding="utf-8", + ) + + +def manifest_from_bundle_dir( + bundle_dir: str, + out_dir: str, + *, + fqdn: Optional[str] = None, + no_common_roles: bool = False, + jinjaturtle: str = "auto", +) -> None: + SaltManifestRenderer( + bundle_dir, + out_dir, + fqdn=fqdn, + no_common_roles=no_common_roles, + jinjaturtle=jinjaturtle, + ).render() diff --git a/enroll/schema/state.schema.json b/enroll/schema/state.schema.json index d0bde52..8806b2e 100644 --- a/enroll/schema/state.schema.json +++ b/enroll/schema/state.schema.json @@ -16,6 +16,181 @@ ], "unevaluatedProperties": false }, + "ContainerImageTagAlias": { + "additionalProperties": false, + "properties": { + "ref": { + "minLength": 1, + "type": "string" + }, + "repository": { + "minLength": 1, + "type": "string" + }, + "tag": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ref", + "repository", + "tag" + ], + "type": "object" + }, + "ContainerImage": { + "additionalProperties": false, + "properties": { + "architecture": { + "type": [ + "string", + "null" + ] + }, + "created": { + "type": [ + "string", + "null" + ] + }, + "engine": { + "enum": [ + "docker", + "podman" + ], + "type": "string" + }, + "home": { + "type": [ + "string", + "null" + ] + }, + "image_id": { + "type": [ + "string", + "null" + ] + }, + "notes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "os": { + "type": [ + "string", + "null" + ] + }, + "platform": { + "type": [ + "string", + "null" + ] + }, + "pull_ref": { + "type": [ + "string", + "null" + ] + }, + "repo_digests": { + "items": { + "type": "string" + }, + "type": "array" + }, + "repo_tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "scope": { + "enum": [ + "system", + "user" + ], + "type": "string" + }, + "size": { + "type": [ + "integer", + "null" + ] + }, + "source": { + "type": "string" + }, + "tag_aliases": { + "items": { + "$ref": "#/$defs/ContainerImageTagAlias" + }, + "type": "array" + }, + "user": { + "type": [ + "string", + "null" + ] + }, + "variant": { + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "engine", + "scope", + "user", + "home", + "image_id", + "repo_tags", + "repo_digests", + "pull_ref", + "tag_aliases", + "os", + "architecture", + "variant", + "platform", + "size", + "created", + "source", + "notes" + ], + "type": "object" + }, + "ContainerImagesSnapshot": { + "additionalProperties": false, + "properties": { + "images": { + "items": { + "$ref": "#/$defs/ContainerImage" + }, + "type": "array" + }, + "notes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "role_name": { + "const": "container_images" + } + }, + "required": [ + "role_name", + "images", + "notes" + ], + "type": "object" + }, "DnfConfigSnapshot": { "allOf": [ { @@ -117,6 +292,14 @@ "minLength": 1, "type": "string" }, + "group": { + "minLength": 1, + "type": "string" + }, + "section": { + "minLength": 1, + "type": "string" + }, "version": { "minLength": 1, "type": "string" @@ -364,6 +547,12 @@ }, "type": "array" }, + "section": { + "type": [ + "string", + "null" + ] + }, "version": { "type": [ "string", @@ -390,6 +579,16 @@ "package": { "minLength": 1, "type": "string" + }, + "has_config": { + "type": "boolean", + "default": true + }, + "section": { + "type": [ + "string", + "null" + ] } }, "required": [ @@ -571,6 +770,21 @@ "$ref": "#/$defs/UserEntry" }, "type": "array" + }, + "user_flatpaks": { + "additionalProperties": { + "type": "array", + "items": { + "$ref": "#/$defs/FlatpakInstall" + } + }, + "type": "object" + }, + "user_flatpak_remotes": { + "type": "array", + "items": { + "$ref": "#/$defs/FlatpakRemote" + } } }, "required": [ @@ -652,6 +866,256 @@ "notes" ], "type": "object" + }, + "SysctlSnapshot": { + "additionalProperties": false, + "properties": { + "role_name": { + "const": "sysctl" + }, + "managed_files": { + "items": { + "$ref": "#/$defs/ManagedFile" + }, + "type": "array" + }, + "parameters": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "notes": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "role_name", + "managed_files", + "parameters", + "notes" + ], + "type": "object" + }, + "FlatpakInstall": { + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1 + }, + "method": { + "type": "string", + "enum": [ + "system", + "user" + ] + }, + "remote": { + "type": [ + "string", + "null" + ] + }, + "branch": { + "type": [ + "string", + "null" + ] + }, + "arch": { + "type": [ + "string", + "null" + ] + }, + "kind": { + "type": [ + "string", + "null" + ], + "enum": [ + "app", + "runtime", + null + ] + }, + "ref": { + "type": [ + "string", + "null" + ] + }, + "user": { + "type": [ + "string", + "null" + ] + }, + "home": { + "type": [ + "string", + "null" + ] + }, + "source": { + "type": "string" + }, + "from_url": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "name", + "method" + ], + "type": "object" + }, + "FlatpakRemote": { + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1 + }, + "method": { + "type": "string", + "enum": [ + "system", + "user" + ] + }, + "url": { + "type": "string", + "minLength": 1 + }, + "user": { + "type": [ + "string", + "null" + ] + }, + "home": { + "type": [ + "string", + "null" + ] + }, + "source": { + "type": "string" + } + }, + "required": [ + "name", + "method", + "url" + ], + "type": "object" + }, + "SnapInstall": { + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "minLength": 1 + }, + "channel": { + "type": [ + "string", + "null" + ] + }, + "revision": { + "type": [ + "integer", + "null" + ], + "minimum": 0 + }, + "classic": { + "type": "boolean" + }, + "devmode": { + "type": "boolean" + }, + "dangerous": { + "type": "boolean" + }, + "notes": { + "type": "array", + "items": { + "type": "string" + } + }, + "source": { + "type": "string" + }, + "install_revision": { + "type": "boolean" + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "FlatpakSnapshot": { + "additionalProperties": false, + "properties": { + "role_name": { + "const": "flatpak" + }, + "system_flatpaks": { + "type": "array", + "items": { + "$ref": "#/$defs/FlatpakInstall" + } + }, + "remotes": { + "type": "array", + "items": { + "$ref": "#/$defs/FlatpakRemote" + } + }, + "notes": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "role_name" + ], + "type": "object" + }, + "SnapSnapshot": { + "additionalProperties": false, + "properties": { + "role_name": { + "const": "snap" + }, + "system_snaps": { + "type": "array", + "items": { + "$ref": "#/$defs/SnapInstall" + } + }, + "notes": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "role_name" + ], + "type": "object" } }, "$id": "https://enroll.sh/schema/state.schema.json", @@ -762,6 +1226,18 @@ }, "firewall_runtime": { "$ref": "#/$defs/FirewallRuntimeSnapshot" + }, + "sysctl": { + "$ref": "#/$defs/SysctlSnapshot" + }, + "flatpak": { + "$ref": "#/$defs/FlatpakSnapshot" + }, + "snap": { + "$ref": "#/$defs/SnapSnapshot" + }, + "container_images": { + "$ref": "#/$defs/ContainerImagesSnapshot" } }, "required": [ diff --git a/enroll/sopsutil.py b/enroll/sopsutil.py index de36d4f..e8d31ac 100644 --- a/enroll/sopsutil.py +++ b/enroll/sopsutil.py @@ -7,6 +7,8 @@ import tempfile from pathlib import Path from typing import Iterable, List, Optional +from .harvest_safety import ensure_safe_output_parent + class SopsError(RuntimeError): pass @@ -46,7 +48,7 @@ def encrypt_file_binary( sops = require_sops_cmd() src_path = Path(src_path) dst_path = Path(dst_path) - dst_path.parent.mkdir(parents=True, exist_ok=True) + ensure_safe_output_parent(dst_path, label="sops output") res = subprocess.run( [ @@ -98,7 +100,7 @@ def decrypt_file_binary_to( sops = require_sops_cmd() src_path = Path(src_path) dst_path = Path(dst_path) - dst_path.parent.mkdir(parents=True, exist_ok=True) + ensure_safe_output_parent(dst_path, label="sops output") res = subprocess.run( [ diff --git a/enroll/state.py b/enroll/state.py new file mode 100644 index 0000000..633a22f --- /dev/null +++ b/enroll/state.py @@ -0,0 +1,150 @@ +from __future__ import annotations + +import json +import os +import stat +import tempfile +from pathlib import Path +from typing import Any, Dict, Mapping, TextIO, Union + +from .fsutil import open_no_follow_path + +BundlePath = Union[str, Path] +State = Dict[str, Any] + +# state.json should contain structured metadata, not harvested file content. Keep +# this generous so large package inventories still work while rejecting obvious +# accidental/malicious memory-exhaustion inputs. +MAX_STATE_JSON_BYTES = 16 * 1024 * 1024 + + +class StateSafetyError(RuntimeError): + """Raised when a harvest bundle's state.json is unsafe to parse.""" + + +def state_path(bundle_dir: BundlePath) -> Path: + """Return the canonical state.json path for a harvest bundle.""" + + return Path(bundle_dir) / "state.json" + + +def _check_state_stat(path: Path, st: os.stat_result, *, max_bytes: int) -> None: + if stat.S_ISLNK(st.st_mode): + raise StateSafetyError(f"state.json is a symlink; refusing to read: {path}") + if not stat.S_ISREG(st.st_mode): + raise StateSafetyError(f"state.json is not a regular file: {path}") + if st.st_nlink > 1: + raise StateSafetyError(f"state.json is hardlinked; refusing to read: {path}") + if st.st_size > max_bytes: + raise StateSafetyError( + f"state.json is too large to parse safely " + f"({st.st_size} bytes > {max_bytes} bytes): {path}" + ) + + +def open_state_file(bundle_dir: BundlePath, *, max_bytes: int | None = None) -> TextIO: + """Open state.json only after verifying it is safe to parse. + + Direct directory bundles are more mutable than SOPS/tar/remote bundles, so do + not follow a symlinked state.json and do not parse special files, hardlinks, or + unexpectedly huge inputs. The final open also uses no-follow semantics and the + inode is compared with the pre-open lstat result to catch swaps between the + check and open. + """ + + if max_bytes is None: + max_bytes = MAX_STATE_JSON_BYTES + + path = state_path(bundle_dir) + try: + pre = path.lstat() + except FileNotFoundError: + raise FileNotFoundError(f"missing state.json: {path}") + + _check_state_stat(path, pre, max_bytes=max_bytes) + + fd = -1 + try: + fd = open_no_follow_path(str(path), write=False) + opened = os.fstat(fd) + if (opened.st_dev, opened.st_ino) != (pre.st_dev, pre.st_ino): + raise StateSafetyError( + f"state.json changed while it was being opened; refusing to read: {path}" + ) + _check_state_stat(path, opened, max_bytes=max_bytes) + f = os.fdopen(fd, "r", encoding="utf-8") + fd = -1 + return f + except OSError as e: + raise StateSafetyError(f"unable to safely open state.json: {path}: {e}") from e + finally: + if fd >= 0: + try: + os.close(fd) + except OSError: + pass + + +def load_state(bundle_dir: BundlePath) -> State: + """Load state.json from a harvest bundle directory.""" + + with open_state_file(bundle_dir) as f: + return json.load(f) + + +def write_state( + bundle_dir: BundlePath, + state: Mapping[str, Any], + *, + indent: int = 2, + sort_keys: bool = True, +) -> Path: + """Write state.json to a harvest bundle directory and return its path.""" + + path = state_path(bundle_dir) + path.parent.mkdir(parents=True, exist_ok=True) + + fd = -1 + tmp_name = "" + try: + fd, tmp_name = tempfile.mkstemp( + prefix=f".{path.name}.", suffix=".tmp", dir=str(path.parent), text=True + ) + try: + os.fchmod(fd, 0o600) + except OSError: + pass + with os.fdopen(fd, "w", encoding="utf-8") as f: + fd = -1 + json.dump(state, f, indent=indent, sort_keys=sort_keys) + os.replace(tmp_name, path) + try: + os.chmod(path, 0o600) + except OSError: + pass + finally: + if fd >= 0: + os.close(fd) + if tmp_name: + try: + os.unlink(tmp_name) + except FileNotFoundError: + pass + return path + + +def roles_from_state(state: Mapping[str, Any]) -> Dict[str, Any]: + """Return the roles mapping from a harvest state, or an empty mapping.""" + + roles = state.get("roles") + return dict(roles) if isinstance(roles, dict) else {} + + +def inventory_packages_from_state(state: Mapping[str, Any]) -> Dict[str, Any]: + """Return inventory.packages from a harvest state, or an empty mapping.""" + + inventory = state.get("inventory") + if not isinstance(inventory, dict): + return {} + packages = inventory.get("packages") + return dict(packages) if isinstance(packages, dict) else {} diff --git a/enroll/system_paths.py b/enroll/system_paths.py new file mode 100644 index 0000000..759d7b5 --- /dev/null +++ b/enroll/system_paths.py @@ -0,0 +1,313 @@ +from __future__ import annotations + +import glob +import os +import re +from typing import Dict, List, Set, Tuple + + +ALLOWED_UNOWNED_EXTS = { + ".cfg", + ".cnf", + ".conf", + ".ini", + ".json", + ".link", + ".mount", + ".netdev", + ".network", + ".path", + ".rules", + ".service", + ".socket", + ".target", + ".timer", + ".toml", + ".yaml", + ".yml", + "", # allow extensionless (common in /etc/default and /etc/init.d) +} + +MAX_FILES_CAP = 4000 +MAX_UNOWNED_FILES_PER_ROLE = 500 + + +def is_confish(path: str) -> bool: + base = os.path.basename(path) + _, ext = os.path.splitext(base) + return ext in ALLOWED_UNOWNED_EXTS + + +def scan_unowned_under_roots( + roots: List[str], + owned_etc: Set[str], + limit: int = MAX_UNOWNED_FILES_PER_ROLE, + *, + confish_only: bool = True, +) -> List[str]: + found: List[str] = [] + for root in roots: + if not os.path.isdir(root): + continue + for dirpath, _, filenames in os.walk(root): + if len(found) >= limit: + return found + for fn in filenames: + if len(found) >= limit: + return found + p = os.path.join(dirpath, fn) + if not p.startswith("/etc/"): + continue + if p in owned_etc: + continue + if not os.path.isfile(p) or os.path.islink(p): + continue + if confish_only and not is_confish(p): + continue + found.append(p) + return found + + +def topdirs_for_package(pkg: str, pkg_to_etc_paths: Dict[str, List[str]]) -> Set[str]: + topdirs: Set[str] = set() + for path in pkg_to_etc_paths.get(pkg, []): + parts = path.split("/", 3) + if len(parts) >= 3 and parts[1] == "etc" and parts[2]: + topdirs.add(parts[2]) + return topdirs + + +_APT_SOURCE_GLOBS = [ + "/etc/apt/sources.list", + "/etc/apt/sources.list.d/*.list", + "/etc/apt/sources.list.d/*.sources", +] + +_SYSTEM_CAPTURE_GLOBS: List[Tuple[str, str]] = [ + ("/etc/fstab", "system_mounts"), + ("/etc/crypttab", "system_mounts"), + ("/etc/sysctl.conf", "system_sysctl"), + ("/etc/sysctl.d/*", "system_sysctl"), + ("/etc/modprobe.d/*", "system_modprobe"), + ("/etc/modules", "system_modprobe"), + ("/etc/modules-load.d/*", "system_modprobe"), + ("/etc/netplan/*", "system_network"), + ("/etc/systemd/network/*", "system_network"), + ("/etc/network/interfaces", "system_network"), + ("/etc/network/interfaces.d/*", "system_network"), + ("/etc/resolvconf.conf", "system_network"), + ("/etc/resolvconf/resolv.conf.d/*", "system_network"), + ("/etc/NetworkManager/system-connections/*", "system_network"), + ("/etc/sysconfig/network*", "system_network"), + ("/etc/sysconfig/network-scripts/*", "system_network"), + ("/etc/nftables.conf", "system_firewall"), + ("/etc/nftables.d/*", "system_firewall"), + ("/etc/iptables/rules.v4", "system_firewall"), + ("/etc/iptables/rules.v6", "system_firewall"), + ("/etc/sysconfig/iptables", "system_firewall"), + ("/etc/sysconfig/ip6tables", "system_firewall"), + ("/etc/ipset.conf", "system_firewall"), + ("/etc/ipset/*", "system_firewall"), + ("/etc/ipset.d/*", "system_firewall"), + ("/etc/sysconfig/ipset", "system_firewall"), + ("/etc/default/ipset", "system_firewall"), + ("/etc/ufw/*", "system_firewall"), + ("/etc/default/ufw", "system_firewall"), + ("/etc/firewalld/*", "system_firewall"), + ("/etc/firewalld/zones/*", "system_firewall"), + ("/etc/selinux/config", "system_security"), + ("/etc/rc.local", "system_rc"), +] + +_PERSISTENT_IPTABLES_V4_GLOBS = [ + "/etc/iptables/rules.v4", + "/etc/sysconfig/iptables", +] + +_PERSISTENT_IPTABLES_V6_GLOBS = [ + "/etc/iptables/rules.v6", + "/etc/sysconfig/ip6tables", +] + +_PERSISTENT_IPSET_GLOBS = [ + "/etc/ipset.conf", + "/etc/ipset/*", + "/etc/ipset.d/*", + "/etc/sysconfig/ipset", +] + + +def persistent_ipset_globs() -> List[str]: + return list(_PERSISTENT_IPSET_GLOBS) + + +def persistent_iptables_v4_globs() -> List[str]: + return list(_PERSISTENT_IPTABLES_V4_GLOBS) + + +def persistent_iptables_v6_globs() -> List[str]: + return list(_PERSISTENT_IPTABLES_V6_GLOBS) + + +def persistent_firewall_files(globs: List[str]) -> List[str]: + """Return persistent firewall files matching ``globs``.""" + + seen: Set[str] = set() + out: List[str] = [] + for spec in globs: + for path in iter_matching_files(spec): + if path in seen: + continue + seen.add(path) + out.append(path) + return sorted(out) + + +def iter_matching_files(spec: str, *, cap: int = MAX_FILES_CAP) -> List[str]: + """Expand a glob spec and also walk directories to collect files.""" + + out: List[str] = [] + for p in glob.glob(spec): + if len(out) >= cap: + break + if os.path.islink(p): + continue + if os.path.isfile(p): + out.append(p) + continue + if os.path.isdir(p): + for dirpath, _, filenames in os.walk(p): + for fn in filenames: + if len(out) >= cap: + break + fp = os.path.join(dirpath, fn) + if os.path.islink(fp) or not os.path.isfile(fp): + continue + out.append(fp) + if len(out) >= cap: + break + return out + + +def parse_apt_signed_by(source_files: List[str]) -> Set[str]: + """Return absolute keyring paths referenced via signed-by / Signed-By.""" + + out: Set[str] = set() + re_signed_by = re.compile(r"signed-by\s*=\s*([^\]\s]+)", re.IGNORECASE) + re_signed_by_hdr = re.compile(r"^\s*Signed-By\s*:\s*(.+)$", re.IGNORECASE) + + for sf in source_files: + try: + with open(sf, "r", encoding="utf-8", errors="replace") as f: + for raw in f: + line = raw.strip() + if not line or line.startswith("#"): + continue + + m = re_signed_by_hdr.match(line) + if m: + val = m.group(1).strip() + if val.startswith("|"): + continue + toks = re.split(r"[\s,]+", val) + for t in toks: + if t.startswith("/"): + out.add(t) + continue + + if "[" in line and "]" in line: + bracket = line.split("[", 1)[1].split("]", 1)[0] + for mm in re_signed_by.finditer(bracket): + val = mm.group(1).strip().strip("\"'") + for t in re.split(r"[\s,]+", val): + if t.startswith("/"): + out.add(t) + continue + + for mm in re_signed_by.finditer(line): + val = mm.group(1).strip().strip("\"'") + for t in re.split(r"[\s,]+", val): + if t.startswith("/"): + out.add(t) + except OSError: + continue + + return out + + +def iter_apt_capture_paths() -> List[Tuple[str, str]]: + """Return (path, reason) pairs for APT configuration.""" + + reasons: Dict[str, str] = {} + + if os.path.isdir("/etc/apt"): + for dirpath, _, filenames in os.walk("/etc/apt"): + for fn in filenames: + p = os.path.join(dirpath, fn) + if os.path.islink(p) or not os.path.isfile(p): + continue + reasons.setdefault(p, "apt_config") + + apt_sources: List[str] = [] + for g in _APT_SOURCE_GLOBS: + apt_sources.extend(iter_matching_files(g)) + for p in sorted(set(apt_sources)): + reasons[p] = "apt_source" + + for g in ( + "/etc/apt/trusted.gpg", + "/etc/apt/trusted.gpg.d/*", + "/etc/apt/keyrings/*", + ): + for p in iter_matching_files(g): + reasons[p] = "apt_keyring" + + signed_by = parse_apt_signed_by(sorted(set(apt_sources))) + for p in sorted(signed_by): + if os.path.islink(p) or not os.path.isfile(p): + continue + if p.startswith("/etc/apt/"): + reasons[p] = "apt_keyring" + else: + reasons[p] = "apt_signed_by_keyring" + + return [(p, reasons[p]) for p in sorted(reasons.keys())] + + +def iter_dnf_capture_paths() -> List[Tuple[str, str]]: + """Return (path, reason) pairs for DNF/YUM configuration on RPM systems.""" + + reasons: Dict[str, str] = {} + + for root, tag in ( + ("/etc/dnf", "dnf_config"), + ("/etc/yum", "yum_config"), + ): + if os.path.isdir(root): + for dirpath, _, filenames in os.walk(root): + for fn in filenames: + p = os.path.join(dirpath, fn) + if os.path.islink(p) or not os.path.isfile(p): + continue + reasons.setdefault(p, tag) + + for p in iter_matching_files("/etc/yum.conf"): + reasons[p] = "yum_conf" + for p in iter_matching_files("/etc/yum.repos.d/*.repo"): + reasons[p] = "yum_repo" + for p in iter_matching_files("/etc/pki/rpm-gpg/*"): + reasons[p] = "rpm_gpg_key" + + return [(p, reasons[p]) for p in sorted(reasons.keys())] + + +def iter_system_capture_paths() -> List[Tuple[str, str]]: + out: List[Tuple[str, str]] = [] + seen: Set[str] = set() + for spec, reason in _SYSTEM_CAPTURE_GLOBS: + for path in iter_matching_files(spec): + if path in seen: + continue + seen.add(path) + out.append((path, reason)) + return sorted(out, key=lambda x: x[0]) diff --git a/enroll/validate.py b/enroll/validate.py index f3291e9..e8c65ea 100644 --- a/enroll/validate.py +++ b/enroll/validate.py @@ -1,6 +1,8 @@ from __future__ import annotations import json +import os +import stat import urllib.request from dataclasses import dataclass from pathlib import Path @@ -9,6 +11,8 @@ from typing import Any, Dict, List, Optional, Set, Tuple import jsonschema from .diff import BundleRef, _bundle_from_input +from .manifest_safety import ArtifactSafetyError, safe_artifact_file +from .state import load_state @dataclass @@ -96,6 +100,7 @@ def _iter_managed_files(state: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any] "users", "apt_config", "dnf_config", + "sysctl", "etc_custom", "usr_local_custom", "extra_paths", @@ -152,7 +157,7 @@ def validate_harvest( ) try: - state = json.loads(state_path.read_text(encoding="utf-8")) + state = load_state(bundle.dir) except Exception as e: # noqa: BLE001 return ValidationResult( errors=[f"failed to parse state.json: {e!r}"], warnings=[] @@ -169,7 +174,7 @@ def validate_harvest( except Exception as e: # noqa: BLE001 errors.append(f"failed to load/validate schema: {e!r}") - # Artifact existence checks + # Artifact existence and safety checks. artifacts_dir = bundle.dir / "artifacts" referenced: Set[Tuple[str, str]] = set() for role_name, mf in _iter_managed_files(state): @@ -186,15 +191,15 @@ def validate_harvest( continue referenced.add((role_name, src_rel)) - p = artifacts_dir / role_name / src_rel - if not p.exists(): + try: + safe_artifact_file(bundle.dir, role_name, src_rel) + except FileNotFoundError: errors.append( f"missing artifact for role {role_name}: artifacts/{role_name}/{src_rel}" ) - continue - if not p.is_file(): + except ArtifactSafetyError as e: errors.append( - f"artifact is not a file for role {role_name}: artifacts/{role_name}/{src_rel}" + f"unsafe artifact for role {role_name}: artifacts/{role_name}/{src_rel}: {e}" ) # Runtime firewall snapshots are generated artifacts rather than managed files. @@ -209,43 +214,97 @@ def validate_harvest( f"firewall_runtime {key} has suspicious src_rel: {src_rel!r}" ) continue - referenced.add( - (str(fw.get("role_name") or "firewall_runtime"), src_rel) - ) - p = ( - artifacts_dir - / str(fw.get("role_name") or "firewall_runtime") - / src_rel - ) - if not p.exists(): + role_name = str(fw.get("role_name") or "firewall_runtime") + referenced.add((role_name, src_rel)) + try: + safe_artifact_file(bundle.dir, role_name, src_rel) + except FileNotFoundError: errors.append( "missing firewall runtime artifact: " - f"artifacts/{fw.get('role_name') or 'firewall_runtime'}/{src_rel}" + f"artifacts/{role_name}/{src_rel}" ) - elif not p.is_file(): + except ArtifactSafetyError as e: errors.append( - "firewall runtime artifact is not a file: " - f"artifacts/{fw.get('role_name') or 'firewall_runtime'}/{src_rel}" + "unsafe firewall runtime artifact: " + f"artifacts/{role_name}/{src_rel}: {e}" ) - # Warn if there are extra files in artifacts not referenced. - if artifacts_dir.exists() and artifacts_dir.is_dir(): - for fp in artifacts_dir.rglob("*"): - if not fp.is_file(): - continue - try: - rel = fp.relative_to(artifacts_dir) - except ValueError: - continue - parts = rel.parts - if len(parts) < 2: - continue - role_name = parts[0] - src_rel = "/".join(parts[1:]) - if (role_name, src_rel) not in referenced: - warnings.append( - f"unreferenced artifact present: artifacts/{role_name}/{src_rel}" - ) + # Validate the whole artifact tree too, so unreferenced symlinks, + # hardlinks, special files, and path-shaping tricks do not survive + # validation simply because no managed_file currently references them. + if artifacts_dir.exists(): + try: + artifacts_st = artifacts_dir.lstat() + except OSError as e: + errors.append(f"unable to inspect artifacts directory: {e}") + else: + if stat.S_ISLNK(artifacts_st.st_mode): + errors.append(f"artifacts directory is a symlink: {artifacts_dir}") + elif not stat.S_ISDIR(artifacts_st.st_mode): + errors.append(f"artifacts path is not a directory: {artifacts_dir}") + else: + for root, dirs, files in os.walk(artifacts_dir, followlinks=False): + root_p = Path(root) + for name in list(dirs): + fp = root_p / name + try: + st = fp.lstat() + except FileNotFoundError: + continue + if stat.S_ISLNK(st.st_mode): + errors.append(f"artifact directory is a symlink: {fp}") + elif not stat.S_ISDIR(st.st_mode): + errors.append( + f"artifact directory is not a directory: {fp}" + ) + + for name in files: + fp = root_p / name + try: + st = fp.lstat() + except FileNotFoundError: + continue + try: + rel = fp.relative_to(artifacts_dir) + except ValueError: + errors.append(f"artifact escapes artifact root: {fp}") + continue + parts = rel.parts + if len(parts) < 2: + errors.append( + f"artifact is not under a role directory: {fp}" + ) + continue + role_name = parts[0] + src_rel = "/".join(parts[1:]) + + if stat.S_ISLNK(st.st_mode): + errors.append( + f"artifact is a symlink: artifacts/{role_name}/{src_rel}" + ) + continue + if not stat.S_ISREG(st.st_mode): + errors.append( + f"artifact is not a regular file: artifacts/{role_name}/{src_rel}" + ) + continue + if st.st_nlink > 1: + errors.append( + f"artifact is hardlinked: artifacts/{role_name}/{src_rel}" + ) + continue + try: + safe_artifact_file(bundle.dir, role_name, src_rel) + except (FileNotFoundError, ArtifactSafetyError) as e: + errors.append( + f"unsafe artifact: artifacts/{role_name}/{src_rel}: {e}" + ) + continue + + if (role_name, src_rel) not in referenced: + warnings.append( + f"unreferenced artifact present: artifacts/{role_name}/{src_rel}" + ) return ValidationResult(errors=errors, warnings=warnings) finally: diff --git a/enroll/version.py b/enroll/version.py index bbe78b6..4c250b0 100644 --- a/enroll/version.py +++ b/enroll/version.py @@ -28,5 +28,6 @@ def get_enroll_version() -> str: for dist in [*dist_names, "enroll"]: try: return version(dist) - except Exception: - return "unknown" + except Exception: # nosec B112 + continue + return "unknown" diff --git a/enroll/yamlutil.py b/enroll/yamlutil.py new file mode 100644 index 0000000..b3bf10d --- /dev/null +++ b/enroll/yamlutil.py @@ -0,0 +1,87 @@ +from __future__ import annotations + +from pathlib import Path +from typing import Any, Dict, Mapping + +import yaml + +from .render_safety import AnsibleUnsafeText + + +class IndentedSafeLoader(yaml.SafeLoader): # type: ignore[misc] + """PyYAML loader that understands Ansible's ``!unsafe`` tag.""" + + +def _construct_ansible_unsafe( + loader: yaml.Loader, node: yaml.Node +) -> AnsibleUnsafeText: + return AnsibleUnsafeText(loader.construct_scalar(node)) + + +IndentedSafeLoader.add_constructor("!unsafe", _construct_ansible_unsafe) + + +class IndentedSafeDumper(yaml.SafeDumper): # type: ignore[misc] + """PyYAML dumper that indents sequences under mapping keys.""" + + def increase_indent(self, flow: bool = False, indentless: bool = False): + # PyYAML calls this method with an ``indentless`` keyword, so the + # parameter name must stay intact even though Enroll deliberately + # ignores its value to force indented block sequences. + return super().increase_indent(flow, False) + + +def yaml_load_mapping(text: str) -> Dict[str, Any]: + """Load YAML text and return a mapping, or an empty mapping on failure. + + Enroll may re-read Ansible host_vars that contain ``!unsafe`` scalars + written during the same manifest operation, so the loader accepts that tag + while remaining otherwise based on PyYAML's SafeLoader. + """ + + try: + obj = yaml.load( + text, Loader=IndentedSafeLoader + ) # nosec B506 - subclasses yaml.SafeLoader; only adds !unsafe scalar support. + except Exception: + return {} + return obj if isinstance(obj, dict) else {} + + +def yaml_load_mapping_file(path: Path) -> Dict[str, Any]: + """Load a YAML mapping from *path*, returning an empty mapping if absent.""" + + if not path.exists(): + return {} + return yaml_load_mapping(path.read_text(encoding="utf-8")) + + +def _represent_ansible_unsafe( + dumper: yaml.Dumper, data: AnsibleUnsafeText +) -> yaml.Node: + return dumper.represent_scalar("!unsafe", str(data)) + + +IndentedSafeDumper.add_representer(AnsibleUnsafeText, _represent_ansible_unsafe) + + +def yaml_dump_mapping( + obj: Mapping[str, Any], + *, + sort_keys: bool = True, + explicit_start: bool = False, +) -> str: + """Dump a YAML mapping using Enroll's renderer-friendly formatting.""" + + return ( + yaml.dump( + dict(obj), + Dumper=IndentedSafeDumper, + default_flow_style=False, + sort_keys=sort_keys, + indent=2, + allow_unicode=True, + explicit_start=explicit_start, + ).rstrip() + + "\n" + ) diff --git a/poetry.lock b/poetry.lock index b338a10..f244c79 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.4.1 and should not be changed by hand. [[package]] name = "attrs" @@ -6,6 +6,7 @@ version = "26.1.0" description = "Classes Without Boilerplate" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "attrs-26.1.0-py3-none-any.whl", hash = "sha256:c647aa4a12dfbad9333ca4e71fe62ddc36f4e63b2d260a37a8b83d2f043ac309"}, {file = "attrs-26.1.0.tar.gz", hash = "sha256:d03ceb89cb322a8fd706d4fb91940737b6642aa36998fe130a9bc96c985eff32"}, @@ -17,6 +18,7 @@ version = "5.0.0" description = "Modern password hashing for your software and your servers" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "bcrypt-5.0.0-cp313-cp313t-macosx_10_12_universal2.whl", hash = "sha256:f3c08197f3039bec79cee59a606d62b96b16669cff3949f21e74796b6e3cd2be"}, {file = "bcrypt-5.0.0-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:200af71bc25f22006f4069060c88ed36f8aa4ff7f53e67ff04d2ab3f1e79a5b2"}, @@ -89,13 +91,14 @@ typecheck = ["mypy"] [[package]] name = "certifi" -version = "2026.4.22" +version = "2026.6.17" description = "Python package for providing Mozilla's CA Bundle." optional = false python-versions = ">=3.7" +groups = ["appimage"] files = [ - {file = "certifi-2026.4.22-py3-none-any.whl", hash = "sha256:3cb2210c8f88ba2318d29b0388d1023c8492ff72ecdde4ebdaddbb13a31b1c4a"}, - {file = "certifi-2026.4.22.tar.gz", hash = "sha256:8d455352a37b71bf76a79caa83a3d6c25afee4a385d632127b6afb3963f1c580"}, + {file = "certifi-2026.6.17-py3-none-any.whl", hash = "sha256:2227dcbaafe0d2f59279d1762ddddc37783ed4354594f194ffc31d20f41fc3db"}, + {file = "certifi-2026.6.17.tar.gz", hash = "sha256:024c88eeec92ca068db80f02b8b07c9cef7b9fe261d1d535abfd5abd6f6af432"}, ] [[package]] @@ -104,6 +107,8 @@ version = "2.0.0" description = "Foreign Function Interface for Python calling C code." optional = false python-versions = ">=3.9" +groups = ["main"] +markers = "platform_python_implementation != \"PyPy\"" files = [ {file = "cffi-2.0.0-cp310-cp310-macosx_10_13_x86_64.whl", hash = "sha256:0cf2d91ecc3fcc0625c2c530fe004f82c110405f101548512cce44322fa8ac44"}, {file = "cffi-2.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:f73b96c41e3b2adedc34a7356e64c8eb96e03a3782b535e043a986276ce12a49"}, @@ -200,6 +205,7 @@ version = "3.4.7" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." optional = false python-versions = ">=3.7" +groups = ["appimage"] files = [ {file = "charset_normalizer-3.4.7-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:cdd68a1fb318e290a2077696b7eb7a21a49163c455979c639bf5a5dcdc46617d"}, {file = "charset_normalizer-3.4.7-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:e17b8d5d6a8c47c85e68ca8379def1303fd360c3e22093a807cd34a71cd082b8"}, @@ -338,6 +344,8 @@ version = "0.4.6" description = "Cross-platform colored terminal text." optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" +groups = ["dev"] +markers = "sys_platform == \"win32\"" files = [ {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, @@ -345,186 +353,170 @@ files = [ [[package]] name = "coverage" -version = "7.14.0" +version = "7.14.2" description = "Code coverage measurement for Python" optional = false python-versions = ">=3.10" +groups = ["dev"] files = [ - {file = "coverage-7.14.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:84c32d90bf4537f0e7b4dec9aaa9a938fb8205136b9d2ecf4d7629d5262dc075"}, - {file = "coverage-7.14.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:7c843572c605ab51cfdb5c6b5f2586e2a8467c0d28eca4bdef4ec70c5fecbd82"}, - {file = "coverage-7.14.0-cp310-cp310-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:0c451757d3fa2603354fdc789b5e58a0e327a117c370a40e3476ba4eabab228c"}, - {file = "coverage-7.14.0-cp310-cp310-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:3fd43f0616e765ab78d069cf8358def7363957a45cee446d65c502dcfeea7893"}, - {file = "coverage-7.14.0-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:731e535b1498b27d13594a0527a79b0510867b0ad891532be41cb883f2128e20"}, - {file = "coverage-7.14.0-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c7492f2d493b976941c7ca050f273cbda2f43c381124f7586a3e3c16d1804fec"}, - {file = "coverage-7.14.0-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:dc38367eaa2abb1b766ac333142bce7655335a73537f5c8b75aaa89c2b987757"}, - {file = "coverage-7.14.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:0a951308cde22cf77f953955a754d04dccb57fe3bb8e345d685778ed9fc1632a"}, - {file = "coverage-7.14.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:fab3877e4ebb06bd9d4d4d00ee53309ee5478e66873c66a382272e3ee33eb7ea"}, - {file = "coverage-7.14.0-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:b812eb847b19876ebf33fb6c4f11819af05ab6050b0bfa1bc53412ae81779adb"}, - {file = "coverage-7.14.0-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:d9c8ef6ed820c433de075657d72dda1f89a2984955e58b8a75feb3f184250218"}, - {file = "coverage-7.14.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:d128b1bba9361fbaaf6a19e179e6cfd6a9103ce0c0555876f72780acc93efd85"}, - {file = "coverage-7.14.0-cp310-cp310-win32.whl", hash = "sha256:65f267ca1370726ec2c1aa38bbe4df9a71a740f22878d2d4bf59d71a4cd8d323"}, - {file = "coverage-7.14.0-cp310-cp310-win_amd64.whl", hash = "sha256:b34ece8065914f938ed7f2c5872bb865336977a52919149846eac3744327267a"}, - {file = "coverage-7.14.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6a78e2a9d9c5e3b8d4ab9b9d28c985ea66fced0a7d7c2aec1f216e03a2011480"}, - {file = "coverage-7.14.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a1816c505187592dcd1c5a5f226601a549f70365fbd00930ac88b0c225b76bb4"}, - {file = "coverage-7.14.0-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:d8e1762f0e9cbc26ec315471e7b47855218e833cd5a032d706fbf43845d878c7"}, - {file = "coverage-7.14.0-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:9336e23e8bb3a3925398261385e2a1533957d3e760e91070dcb0e98bfa514eed"}, - {file = "coverage-7.14.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9cd1169b2230f9cbe9c638ba38022ed7a2b1e641cc07f7cea0365e4be2a74980"}, - {file = "coverage-7.14.0-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:d1bb3543b58fea74d2cd1abc4054cc927e4724687cb4560cd2ed88d2c7d820c0"}, - {file = "coverage-7.14.0-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a93bac2cb577ef60074999ed56d8a1535894398e2ed920d4185c3ec0c8864742"}, - {file = "coverage-7.14.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:5904abf7e18cddc463219b17552229650c6b79e061d31a1059283051169cf7d5"}, - {file = "coverage-7.14.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:741f57cddc9004a8c81b084660215f33a6b597dbe62c31386b983ee26310e327"}, - {file = "coverage-7.14.0-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:664123feb0929d7affc135717dbd70d61d98688a08ab1e5ba464739620c6252d"}, - {file = "coverage-7.14.0-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:c83d2399a51bbec8429266905d33616f04bc5726b1138c35844d5fcd896b2e20"}, - {file = "coverage-7.14.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:bcb2e855b87321259a037429288ae85216d191c74de3e79bf57cd2bc0761992c"}, - {file = "coverage-7.14.0-cp311-cp311-win32.whl", hash = "sha256:731dc15b385ac52289743d476245b61e1a2927e803bef655b52bc3b2a75a21f3"}, - {file = "coverage-7.14.0-cp311-cp311-win_amd64.whl", hash = "sha256:bfb0ed8ec5d25e93face268115d7964db9df8b9aae8edcde9ec6b16c726a7cc1"}, - {file = "coverage-7.14.0-cp311-cp311-win_arm64.whl", hash = "sha256:7ebb1c6df9f78046a1b1e0a89674cd4bf73b7c648914eebcf976a57fd99a5627"}, - {file = "coverage-7.14.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:7ffd19fc8aed057fd686a17a4935eef5f9859d69208f96310e893e64b9b6ccf5"}, - {file = "coverage-7.14.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:829994cfe1aeb773ca27bf246d4badc1e764893e3bfb98fff820fcecd1ca4662"}, - {file = "coverage-7.14.0-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:b4f07cf7edcb7ec39431a5074d7ea83b29a9f71fcfc494f0f40af4e65180420f"}, - {file = "coverage-7.14.0-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:ca3d9cf2c32b521bd9518385608787fa86f38daf993695307531822c3430ed67"}, - {file = "coverage-7.14.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:92af52828e7f29d827346b0294e5a0853fa206db77db0395b282918d41e28db9"}, - {file = "coverage-7.14.0-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:7b2bb6c9d7e769360d0f20a0f219603fd64f0c8f97de17ab25853261602be0fb"}, - {file = "coverage-7.14.0-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:1c9ed6ef99f88fb8c14aa8e2bf8eb0fe55fa2edfea68f8675d78741df1a5ac0e"}, - {file = "coverage-7.14.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8231ade007f37959fbf58acc677f26b922c02eda6f0428ea307da0fd39681bf3"}, - {file = "coverage-7.14.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:d8b013632cc1ce1d09dbe4f32667b4d320ec2f54fc326ebeffcd0b0bcc2bb6c4"}, - {file = "coverage-7.14.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:1733198802d71ec4c524f322e2867ee05c62e9e75df86bdca545407a221827d1"}, - {file = "coverage-7.14.0-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:72a305291fa8ee01332f1aaf38b348ca34097f6aa0b0ef627eef2837e57bbba5"}, - {file = "coverage-7.14.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:fcaba850dd317c65423a9d63d88f9573c53b00354d6dd95724576cc98a131595"}, - {file = "coverage-7.14.0-cp312-cp312-win32.whl", hash = "sha256:5ac83957a80d0701310e96d8bec68cdcf4f90a7674b7d13f15a344315b41ab27"}, - {file = "coverage-7.14.0-cp312-cp312-win_amd64.whl", hash = "sha256:70390b0da32cb90b501953716302906e8bcce087cb283e70d8c97729f22e92b2"}, - {file = "coverage-7.14.0-cp312-cp312-win_arm64.whl", hash = "sha256:91b993743d959b8be85b4abf9d5478216a69329c321efe5be0433c1a841d691d"}, - {file = "coverage-7.14.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f2bbb8254370eb4c628ff3d6fa8a7f74ddc40565394d4f7ab791d1fe568e37ef"}, - {file = "coverage-7.14.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:23b81107f46d3f21d0cbce30664fcec0f5d9f585638a67081750f99738f6bf66"}, - {file = "coverage-7.14.0-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:22a7e06a5f11a757cdfe79018e9095f9f69ae283c5cd8123774c788deec8717b"}, - {file = "coverage-7.14.0-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:9d1aa57a1dc8e05bdc42e81c5d671d849577aeedf279f4c449d6d286f9ed88ca"}, - {file = "coverage-7.14.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:90c1a51bcfddf645b3bb7ec333d9e94393a8e94f55642380fa8a9a5a9e636cb7"}, - {file = "coverage-7.14.0-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:a841fae2fadcae4f438d43b6ccc4aac2ad609f47cdb6cfdce60cbb3fe5ca7bc2"}, - {file = "coverage-7.14.0-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c79d2319cabef1fe8e86df73371126931550804738f78ad7d31e3aad85a67367"}, - {file = "coverage-7.14.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:1b23b0c6f0b1db6ad769b7050c8b641c0bf215ded26c1816955b17b7f26edfa9"}, - {file = "coverage-7.14.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:55d3089079ce181a4566b1065ab28d2575eb76d8ac8f81f4fcda2bf037fee087"}, - {file = "coverage-7.14.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:49c005cba1e2f9677fb2845dcdf9a2e72a52a17d63e8231aaaae35d9f50215ef"}, - {file = "coverage-7.14.0-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:9117377b823daa28aa8635fbb08cda1cd6be3d7143257345459559aeef852d52"}, - {file = "coverage-7.14.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:7b79d646cf46d5cf9a9f40281d4441df5849e445726e369006d2b117710b33fe"}, - {file = "coverage-7.14.0-cp313-cp313-win32.whl", hash = "sha256:fb609b3658479e33f9516d46f1a89dbb9b6c261366e3a11844a96ec487533dae"}, - {file = "coverage-7.14.0-cp313-cp313-win_amd64.whl", hash = "sha256:0773d8329cf32b6fd222e4b52622c61fe8d503eb966cfc8d3c3c10c96266d50e"}, - {file = "coverage-7.14.0-cp313-cp313-win_arm64.whl", hash = "sha256:b4e26a0f1b696faf283bffe5b8569e44e336c582439df5d53281ab89ee0cba96"}, - {file = "coverage-7.14.0-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:953f521ca9445300397e65fda3dca58b2dbd68fee983777420b57ac3c77e9f90"}, - {file = "coverage-7.14.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:98af83fd65ae24b1fdd03aaead967a9f523bcd2f1aab2d4f3ffda65bb568a6f1"}, - {file = "coverage-7.14.0-cp313-cp313t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:668b92e6958c4db7cf92e81caac328dfbbdbb215db2850ad28f0cbe1eea0bfbd"}, - {file = "coverage-7.14.0-cp313-cp313t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:9fbd898551762dea00d3fef2b1c4f99afd2c6a3ff952ea07d60a9bd5ed4f34bc"}, - {file = "coverage-7.14.0-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:68af363c07ecd8d4b7d4043d85cb376d7d227eceb54e5323ee45da73dbd3e426"}, - {file = "coverage-7.14.0-cp313-cp313t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:6e57054a583da8ac55edf24117ea4c9133032cfc4cf72aa2d48c1e5d4b52f899"}, - {file = "coverage-7.14.0-cp313-cp313t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:cc3499459bbcdd51a65b64c35ab7ed2764eaf3cba826e0df3f1d7fe2e102b70b"}, - {file = "coverage-7.14.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:45899ec2138a4346ed34d601dedf5076fb74edf2d1dd9dc76a78e82397edee90"}, - {file = "coverage-7.14.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:8767486808c436f05b23ab98eb963fb29185e32a9357a166971685cb3459900f"}, - {file = "coverage-7.14.0-cp313-cp313t-musllinux_1_2_ppc64le.whl", hash = "sha256:a3b5ddfd6aa7ddad53ee3edb231e88a2151507a43229b7d71b953916deca127d"}, - {file = "coverage-7.14.0-cp313-cp313t-musllinux_1_2_riscv64.whl", hash = "sha256:63df0fe568e698e1045792399f8ab6da3a6c2dce3182813fb92afa2641087b47"}, - {file = "coverage-7.14.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:827d6397dbd95144939b18f89edf31f63e1f99633e8d5f32f22ba8bdda567477"}, - {file = "coverage-7.14.0-cp313-cp313t-win32.whl", hash = "sha256:7bf43e000d24012599b879791cff41589af90674722421ef11b11a5431920bab"}, - {file = "coverage-7.14.0-cp313-cp313t-win_amd64.whl", hash = "sha256:3f5549365af25d770e06b1f8f5682d9a5637d06eb494db91c6fa75d3950cc917"}, - {file = "coverage-7.14.0-cp313-cp313t-win_arm64.whl", hash = "sha256:6d160217ec6fe890f16ad3a9531761589443749e448f91986c972714fad361c8"}, - {file = "coverage-7.14.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:9aed9fa983514ca032790f3fe0d1c0e42ca7e16b42432af1706b50a9a46bef5d"}, - {file = "coverage-7.14.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ba3b8390db29296dbbf49e91b6fe08f990743a90c8f447ba4c2ffc29670dfa63"}, - {file = "coverage-7.14.0-cp314-cp314-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:3a5d8e876dfa2f102e970b183863d6dedd023d3c0eeca1fe7a9787bc5f28b212"}, - {file = "coverage-7.14.0-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:5ebb8f4614a3787d567e610bbfdf96a4798dd69a1afb1bd8ad228d4111fe6ff3"}, - {file = "coverage-7.14.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b9bf47223dd8db3d4c4b2e443b02bace480d428f0822c3f991600448a176c97"}, - {file = "coverage-7.14.0-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:3485a836550b303d006d57cc06e3d5afaabc642c77050b7c985a97b13e3776b8"}, - {file = "coverage-7.14.0-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:3e7e88110bae996d199d1693ca8ec3fd52441d426401ae963437598667b4c5eb"}, - {file = "coverage-7.14.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:15228a6800ce7bdf1b74800595e56db7138cecb338fdbf044806e10dcf182dfe"}, - {file = "coverage-7.14.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:9d26ac7f5398bafc5b57421ad994e8a4749e8a7a0e62d05ec7d53014d5963bfa"}, - {file = "coverage-7.14.0-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:2fb73254ff43c911c967a899e1359bc5049b4b115d6e8fbdde4937d0a2246cd5"}, - {file = "coverage-7.14.0-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:454a380af72c6adada298ed270d38c7a391288198dbfb8467f786f588751a90c"}, - {file = "coverage-7.14.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:65c86fb646d2bd2972e96bd1a8b45817ed907cee68655d6295fe7ec031d04cca"}, - {file = "coverage-7.14.0-cp314-cp314-win32.whl", hash = "sha256:6a6516b02a6101398e19a3f44820f69bab2590697f7def4331f668b14adaf828"}, - {file = "coverage-7.14.0-cp314-cp314-win_amd64.whl", hash = "sha256:45e0f79d8351fa76e256716df91eab12890d32678b9590df7ae1042e4bd4cf5d"}, - {file = "coverage-7.14.0-cp314-cp314-win_arm64.whl", hash = "sha256:4b899594a8b2d81e5cc064a0d7f9cac2081fed91049456cae7676787e41549c9"}, - {file = "coverage-7.14.0-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:f580f8c80acd94ac72e863efe2cab791d8c38d153e0b463b92dfa000d5c84cd1"}, - {file = "coverage-7.14.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:a2bd259c442cd43c49b30fbafc51776eb19ea396faf159d26a83e6a0a5f13b0c"}, - {file = "coverage-7.14.0-cp314-cp314t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:a706b908dfa85538863504c624b237a3cc34232bf403c057414ebfdb3b4d9f84"}, - {file = "coverage-7.14.0-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:7333cd944ee4393b9b3d3c1b598c936d4fc8d70573a4c7dacfec5590dd50e436"}, - {file = "coverage-7.14.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0f162bc9a15b82d947b02651b0c7e1609d6f7a8735ca330cfadec8481dd97d5a"}, - {file = "coverage-7.14.0-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:362cb78e01a5dc82009d88004cf60f2e6b6d6fcbfdec05b05af73b0abf40118f"}, - {file = "coverage-7.14.0-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:acebd068fca5512c3a6fde9c045f901613478781a73f0e82b307b214daef23fb"}, - {file = "coverage-7.14.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:29fe3da551dface75deb2ccbf87b6b66e2e7ef38f6d89050b428be94afff3490"}, - {file = "coverage-7.14.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:b4cc4fce8672fffcb09b0eafc167b396b3ba53c4a7230f54b7aaffbf6c835fa9"}, - {file = "coverage-7.14.0-cp314-cp314t-musllinux_1_2_ppc64le.whl", hash = "sha256:5d4a51aad8ba8bdcd2b8bd8f03d4aca19693fa2327a3470e4718a25b03481020"}, - {file = "coverage-7.14.0-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:9f323af3e1e4f68b60b7b247e37b8515563a61375518fa59de1af48ba28a3db6"}, - {file = "coverage-7.14.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:1a0abc7342ea9711c469dd8b821c6c311e6bc6aac1442e5fbd6b27fae0a8f3db"}, - {file = "coverage-7.14.0-cp314-cp314t-win32.whl", hash = "sha256:a9f864ef57b7172e2db87a096642dd51e179e085ab6b2c371c29e885f65c8fb2"}, - {file = "coverage-7.14.0-cp314-cp314t-win_amd64.whl", hash = "sha256:29943e552fdc08e082eb51400fb2f58e118a83b5542bd06531214e084399b644"}, - {file = "coverage-7.14.0-cp314-cp314t-win_arm64.whl", hash = "sha256:742a73ea621953b012f2c4c2219b512180dd84489acf5b1596b0aafc55b9100b"}, - {file = "coverage-7.14.0-py3-none-any.whl", hash = "sha256:8de5b61163aee3d05c8a2beab6f47913df7981dad1baf82c414d99158c286ab1"}, - {file = "coverage-7.14.0.tar.gz", hash = "sha256:057a6af2f160a85384cde4ab36f0d2777bae1057bae255f95413cdd382aa5c74"}, + {file = "coverage-7.14.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:59b75818e3046e9319143157f3dc4b43679a550c2060a17cbf3e39cc0b552925"}, + {file = "coverage-7.14.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:66b08ba4c5cbf0eaa2e9692b203073f198d5d469d8b15d1c7a4854ce7032b2e2"}, + {file = "coverage-7.14.2-cp310-cp310-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:70f266b536c590060b707dddfb6cf9f17e24fd30b992242e774543d256265c43"}, + {file = "coverage-7.14.2-cp310-cp310-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:fb40cac5b1a6378fdccc99268f1033112ee4636e4fd9aaf240f6930d1fcea12c"}, + {file = "coverage-7.14.2-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c301fe9990cb5c081bf4881cb498743807c8e0e93fad7b85c02788456492ef8"}, + {file = "coverage-7.14.2-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:d67b0462c8a3c3d93033e7c79cacdfc57d08e5220d9115bcb24a23edf5a5900d"}, + {file = "coverage-7.14.2-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:0e763087828ee9644f0c89c57f9b75f0a50fdf3e8f5d8fac5cfc351337e89a99"}, + {file = "coverage-7.14.2-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:6d4da2baab6d96ceedd9176b3c142e1198b0310bc8dc04e18a3caab65c3a322c"}, + {file = "coverage-7.14.2-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:ab565a405bfdea61260145d8cc987aa66d1998fd0e0ccd4348008f4e6a39ee33"}, + {file = "coverage-7.14.2-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:c13230b688fbb9122251b74daa092175811eb64cb7bd1c98e2c8193dfa2b0bd5"}, + {file = "coverage-7.14.2-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:014c83ba1ec97993cfe94e77fe6b56daa76bc0c218b86938971574c28942d044"}, + {file = "coverage-7.14.2-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:6caf54ffbf84b30470a8118f275afee9234e616572e4e41bae1dc19198c37294"}, + {file = "coverage-7.14.2-cp310-cp310-win32.whl", hash = "sha256:4bf9d8a35f77df5638c61b5012ba5225109ec1cc15bc5eb097036b3c3cc939f3"}, + {file = "coverage-7.14.2-cp310-cp310-win_amd64.whl", hash = "sha256:c1f17a8caebe0facd4556b1e0adfe0987c17feebed88e7bb6b5365c45c84c5d6"}, + {file = "coverage-7.14.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:909f265c8c41f04c824bf741b2601fdcb56cab4bf56e018996b6494192ba0f58"}, + {file = "coverage-7.14.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:c8102deaf911938233f760426e6a5e287388521de95111d5c8de26c8a1028924"}, + {file = "coverage-7.14.2-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:851f49e7bd7d1cdaf328f3133942b252d5e3d3380690131f423cba8e435b87f5"}, + {file = "coverage-7.14.2-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:04cb445bed86aaf00aaa97d41a8b6e30f100f21e81c34caaec4efc684cb57768"}, + {file = "coverage-7.14.2-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7471bc920d97c51c37ea8127f13b2adca43c3d78c53313b26a1f428e99d2c254"}, + {file = "coverage-7.14.2-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:da5057e1bb257c967feee8ba67f3ebf379e801c7717f238b3d8c9caf00fc8f93"}, + {file = "coverage-7.14.2-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:33c0da852e8a40246cd8e20cf3b2fc17ca52a45e9b5f7983c93db26f5d24b87b"}, + {file = "coverage-7.14.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:f48a85bb437fab7782021c40bfee6b15146928b96960d008ace41b6901a0f21d"}, + {file = "coverage-7.14.2-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:f44e7579a769a21d5b5e3166916bfe30ee175aaffff750324cbb11be2dbec5ad"}, + {file = "coverage-7.14.2-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:78853ca3c6ca2f012daa2b07dbabbb8db0f09d4dbe8ee828d294b3445d3f4cd8"}, + {file = "coverage-7.14.2-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:c9c2795ee3692097ff226ab806005d36bb9691fca9b35353542b57ea749cc830"}, + {file = "coverage-7.14.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2f5cc48a845d755b6db236f8c29c2b54773eb4c7e4ee2ead43812d73718784b0"}, + {file = "coverage-7.14.2-cp311-cp311-win32.whl", hash = "sha256:9c61cb7eaabcfa609c5bc0f5ff5869d72a2f02f17994e5fba5f971de516f3c82"}, + {file = "coverage-7.14.2-cp311-cp311-win_amd64.whl", hash = "sha256:e715909b0966d1774d8a26e14e2f4a3ae75909dca526901c6306286b2dcbfbdc"}, + {file = "coverage-7.14.2-cp311-cp311-win_arm64.whl", hash = "sha256:9193f7150937a4fd836b10eaa123e15d98e961d1fabac07e60adf2d4785f888a"}, + {file = "coverage-7.14.2-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:37c94712e533ea06f0b1e4d934811c520b1914ce0e4da3916220717aa7a86bc6"}, + {file = "coverage-7.14.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:c050bbc7bba94c77e4ed7438f4fda1babe98ab145691d80aa6f60df934a1468b"}, + {file = "coverage-7.14.2-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:a7af571767a2ee342a171c16fc1b1a07a0bf511606d381703fb7cf397fe49d46"}, + {file = "coverage-7.14.2-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:8b4910cce599cd2438f8da65f5ef199a70a1cdb6ab314926df78271ca5954240"}, + {file = "coverage-7.14.2-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c33e9e4878972f430b0cc06de3bf2a28d054a9efb4f8426d27de0d9cb81396ff"}, + {file = "coverage-7.14.2-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:e7967ea55c6dea6becba4d5870e2fa0aa4915a8be7ebff1bb79e6207aa75ce8d"}, + {file = "coverage-7.14.2-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:d1322f237c2979b84096f4239c17828ff17fea6b3bbe96c44381c5f587c44c26"}, + {file = "coverage-7.14.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:77849525340c99f516d793dddbcee16b18d50af892ac43c8de1a6f343d41e3b5"}, + {file = "coverage-7.14.2-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:ef11695493ec3f06f7b2678ca274bcabb4ca04057317df268ddbfd8b05f661a8"}, + {file = "coverage-7.14.2-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:8134f0e0723e080d1c27bbe8fc149f0162e429fa1852482150015d0fce83eaf1"}, + {file = "coverage-7.14.2-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:914eead2b843fc357f733b3fe39cc94f1b53d466e8cfe03080b1ed9d24ccfc73"}, + {file = "coverage-7.14.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e4b2d5e847fb7958583b74910cc19e5ec4ece514487385677b26433b2546116e"}, + {file = "coverage-7.14.2-cp312-cp312-win32.whl", hash = "sha256:e753db9e40dda7302e0ac3e1e6e1325fb7f7b4694f87a7314ab15dd5d57911a7"}, + {file = "coverage-7.14.2-cp312-cp312-win_amd64.whl", hash = "sha256:d32e5ca5f16dafb269ee50b60d32b00c704b3f6f78e238105f1d94a3a5f24bf5"}, + {file = "coverage-7.14.2-cp312-cp312-win_arm64.whl", hash = "sha256:dc366f158e2fb2add9d4e57338ca48f12611024278688ee657eb0b853fcb5de5"}, + {file = "coverage-7.14.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:e5f077641a6713ce9d38df9e85d4fb9e008677fc0775cbaeb32ddfc3b319d4ca"}, + {file = "coverage-7.14.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:0907f39b49ae818fe8af50aaa0f19afbc8ca164aea0865181ca7af17a3ac690b"}, + {file = "coverage-7.14.2-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:5734d47669118d75c28981e562d4530ceb77342d31ffef6def5edd5ad4f05d7b"}, + {file = "coverage-7.14.2-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:1d9a1b5813d00ea6151f6ccf64d1fa16892771dfdda12ba87162d15ec4ea3e1e"}, + {file = "coverage-7.14.2-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9f0a80f4c8ac3f774210b1cc1bc0e31e75502f2818dda9a144ff90e702c4d91d"}, + {file = "coverage-7.14.2-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c2e66f3f22d6c1515ce70f2e7c3e9c6f3ff0ff33480125c9f9c53e8f6508e30f"}, + {file = "coverage-7.14.2-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:6a2c37c3114f87ca7f10113756026eecb49656514debad600dcbec21f355ccea"}, + {file = "coverage-7.14.2-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:3b16a7959d04b1497281c062c180413565c3f3469211d78799ad5b9a75f67796"}, + {file = "coverage-7.14.2-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:6466c6999545cf00c4c142dfcbbf2db396dc735f005dcf8f91d57e351a79472b"}, + {file = "coverage-7.14.2-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:5c60915ebb8f562317ba5ff6b8c32e25c0882289b201a9f2fb2987f91efd95d8"}, + {file = "coverage-7.14.2-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:33b830850488acbcd358c78a4fecfafe7031667b4da8ddff5546295dc962cdeb"}, + {file = "coverage-7.14.2-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:d0f845539230b8269aec902bc978b0cc403f52f002d18a04492efc943404d0bc"}, + {file = "coverage-7.14.2-cp313-cp313-win32.whl", hash = "sha256:a8ac51a2e441e9119b9395f4d893fbc4934c64c8ba58be9b9eaa85591249e548"}, + {file = "coverage-7.14.2-cp313-cp313-win_amd64.whl", hash = "sha256:039b264cdb31c44b48f9821e2afbf8f37df49e0fb837e24a942918b36c567e31"}, + {file = "coverage-7.14.2-cp313-cp313-win_arm64.whl", hash = "sha256:7f2ef591e381cc36b8e53334e1b842c760c520c8a52d01e8626209400e93fe6a"}, + {file = "coverage-7.14.2-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:7a0d1f026b72d627fa5c8a57cbc86ad209b64aa2a65833c83b290ace5cbee126"}, + {file = "coverage-7.14.2-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:4d2b86f81c1c9310a7e774e3cc9e927a3d0bf583ecbfa01498dd626930025428"}, + {file = "coverage-7.14.2-cp314-cp314-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:d76bdc1f9396ae70a55d050cf9743d88141c62ce0a22a3f627fab1d11c2f8bc6"}, + {file = "coverage-7.14.2-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:cda36d8e7bfd63b3e44e75163265429caa5d935b672b00f71bccc8c010518c64"}, + {file = "coverage-7.14.2-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0904f3b79d7b845bef0715afe1900da634d12b97f05b9479cb472880ca07cb9c"}, + {file = "coverage-7.14.2-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:b6795ca4198d6cb7fc2c6163214f6555a6bc5f0ae1e268e76139dec4b37c4499"}, + {file = "coverage-7.14.2-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c41e9b60fc0fa57f5d73306417d2f9d668202cca6944f9435878c55a5e7ae213"}, + {file = "coverage-7.14.2-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:419d2aadd5746efc2e9df0f33c05570d8192e6f6a6098ab05acce586f44ce8a5"}, + {file = "coverage-7.14.2-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:1c5d273c5f1411c0d26c4f066c398d4a434b1f97bb5fa409189bedce86d4add4"}, + {file = "coverage-7.14.2-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:5fe465bc691264adce601527a972990c1174075d86bcbe9968fd20c95e0b1948"}, + {file = "coverage-7.14.2-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:6fbb61617af1c56f95d53170ae9fa6c9aef6de1abd02fcc50064bfc672efb18d"}, + {file = "coverage-7.14.2-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:e1eff22b831dfd5694989cc1f0789980f18391f614ac67c851af9a8e6d25e9ba"}, + {file = "coverage-7.14.2-cp314-cp314-win32.whl", hash = "sha256:58e91be0a233adef698d3e6be54f10401bb91fd7854c0d4c4d50e0d3711e72f1"}, + {file = "coverage-7.14.2-cp314-cp314-win_amd64.whl", hash = "sha256:d8429bf97906bfe6c61f9dbfb3342e0d88120da61939da8bd04f830cc3eab3b8"}, + {file = "coverage-7.14.2-cp314-cp314-win_arm64.whl", hash = "sha256:13609d9d77249447aa73357b14831b0f3b95f275026c9ff20dd105f981f53a0c"}, + {file = "coverage-7.14.2-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:9818486c2bac88ae931df7e04905ee29bef49fd218c00f5f02bed4855254a101"}, + {file = "coverage-7.14.2-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:58055adffabfa243516a197aa9f85f0dd56d905b0fba1a10193269759c29ccb0"}, + {file = "coverage-7.14.2-cp314-cp314t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:535747dbc200349d7fb434cffcb28e770f0290f69b225f56dc3803aa7210cdea"}, + {file = "coverage-7.14.2-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:420c66e35d85c0ca5dc6a38147d83ef239762542900e5921ebbdb89333c540ea"}, + {file = "coverage-7.14.2-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f2cf17b33773be446a588551ea6a746b2d70dd0bc90dc31f1dd7648975a63c6b"}, + {file = "coverage-7.14.2-cp314-cp314t-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:adb4a5fef041f7179bb264203add873c147d169cf2f8d0adae89ff2e51271bac"}, + {file = "coverage-7.14.2-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:9c012ec357dec9408a83dad5541172a63c5cfa1421709f2e5811480d31ae1b28"}, + {file = "coverage-7.14.2-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:dacd0ecd08fda3cb2f85b60cabea7da326dcb2fc15fbb23a88830a80144cc9f2"}, + {file = "coverage-7.14.2-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:f27e980f2feba5dfe7a32b22b125470de69c0bd113c75e16165de909a777f512"}, + {file = "coverage-7.14.2-cp314-cp314t-musllinux_1_2_ppc64le.whl", hash = "sha256:105c00efb65c863630b2b63cbf7b8267e4da2d44b62284efbb19a03b04c337d4"}, + {file = "coverage-7.14.2-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:571173fa04c8e8d6235ab32ae67fecca97777e2e1b4a1a30f3022c34e397c1c1"}, + {file = "coverage-7.14.2-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:e532f34d42d1a421fa00ed6b7735d14ac2e340256c1bad26a5e1dc1252b0bed7"}, + {file = "coverage-7.14.2-cp314-cp314t-win32.whl", hash = "sha256:243971550fb46c3039257f75e65610002d84304c505f609bbd9779e20a653a0a"}, + {file = "coverage-7.14.2-cp314-cp314t-win_amd64.whl", hash = "sha256:60fb0ca084a92da96474b8b405a7ea76dfecac3c68db54383e7934b6f3871169"}, + {file = "coverage-7.14.2-cp314-cp314t-win_arm64.whl", hash = "sha256:36a0a3f42ed7dfdbca2a69a541519ffd5064a5692152fc0018109e74370d7345"}, + {file = "coverage-7.14.2-py3-none-any.whl", hash = "sha256:04d92589e481a8b68a005a5a1e0646a91c76f322c397c4635298c57cf63699b5"}, + {file = "coverage-7.14.2.tar.gz", hash = "sha256:7a2da3d81cfe17c18038c6d98e6592aa9147d596d056119b0ee612c3c8bd5230"}, ] [package.dependencies] tomli = {version = "*", optional = true, markers = "python_full_version <= \"3.11.0a6\" and extra == \"toml\""} [package.extras] -toml = ["tomli"] +toml = ["tomli ; python_full_version <= \"3.11.0a6\""] [[package]] name = "cryptography" -version = "48.0.0" +version = "49.0.0" description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." optional = false python-versions = "!=3.9.0,!=3.9.1,>=3.9" +groups = ["main"] files = [ - {file = "cryptography-48.0.0-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:0c558d2cdffd8f4bbb30fc7134c74d2ca9a476f830bb053074498fbc86f41ed6"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f5333311663ea94f75dd408665686aaf426563556bb5283554a3539177e03b8c"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7995ef305d7165c3f11ae07f2517e5a4f1d5c18da1376a0a9ed496336b69e5f3"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:40ba1f85eaa6959837b1d51c9767e230e14612eea4ef110ee8854ada22da1bf5"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:369a6348999f94bbd53435c894377b20ab95f25a9065c283570e70150d8abc3c"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:a0e692c683f4df67815a2d258b324e66f4738bd7a96a218c826dce4f4bd05d8f"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:18349bbc56f4743c8b12dc32e2bccb2cf83ee8b69a3bba74ef8ae857e26b3d25"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e8eac43dfca5c4cccc6dad9a80504436fca53bb9bc3100a2386d730fbe6b602"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9ccdac7d40688ecb5a3b4a604b8a88c8002e3442d6c60aead1db2a89a041560c"}, - {file = "cryptography-48.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:bd72e68b06bb1e96913f97dd4901119bc17f39d4586a5adf2d3e47bc2b9d58b5"}, - {file = "cryptography-48.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:59baa2cb386c4f0b9905bd6eb4c2a79a69a128408fd31d32ca4d7102d4156321"}, - {file = "cryptography-48.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:9249e3cd978541d665967ac2cb2787fd6a62bddf1e75b3e347a594d7dacf4f74"}, - {file = "cryptography-48.0.0-cp311-abi3-win32.whl", hash = "sha256:9c459db21422be75e2809370b829a87eb37f74cd785fc4aa9ea1e5f43b47cda4"}, - {file = "cryptography-48.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:5b012212e08b8dd5edc78ef54da83dd9892fd9105323b3993eff6bea65dc21d7"}, - {file = "cryptography-48.0.0-cp314-cp314t-macosx_10_9_universal2.whl", hash = "sha256:3cb07a3ed6431663cd321ea8a000a1314c74211f823e4177fefa2255e057d1ec"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:8c7378637d7d88016fa6791c159f698b3d3eed28ebf844ac36b9dc04a14dae18"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:cc90c0b39b2e3c65ef52c804b72e3c58f8a04ab2a1871272798e5f9572c17d20"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:76341972e1eff8b4bea859f09c0d3e64b96ce931b084f9b9b7db8ef364c30eff"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:55b7718303bf06a5753dcdccf2f3945cf18ad7bffde41b61226e4db31ab89a9c"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:a64697c641c7b1b2178e573cbc31c7c6684cd56883a478d75143dbb7118036db"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:561215ea3879cb1cbbf272867e2efda62476f240fb58c64de6b393ae19246741"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:ad64688338ed4bc1a6618076ba75fd7194a5f1797ac60b47afe926285adb3166"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:906cbf0670286c6e0044156bc7d4af9cbb0ef6db9f73e52c3ec56ba6bdde5336"}, - {file = "cryptography-48.0.0-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:ea8990436d914540a40ab24b6a77c0969695ed52f4a4874c5137ccf7045a7057"}, - {file = "cryptography-48.0.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:c18684a7f0cc9a3cb60328f496b8e3372def7c5d2df39ac267878b05565aaaae"}, - {file = "cryptography-48.0.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:9be5aafa5736574f8f15f262adc81b2a9869e2cfe9014d52a44633905b40d52c"}, - {file = "cryptography-48.0.0-cp314-cp314t-win32.whl", hash = "sha256:c17dfe85494deaeddc5ce251aebd1d60bbe6afc8b62071bb0b469431a000124f"}, - {file = "cryptography-48.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:27241b1dc9962e056062a8eef1991d02c3a24569c95975bd2322a8a52c6e5e12"}, - {file = "cryptography-48.0.0-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:58d00498e8933e4a194f3076aee1b4a97dfec1a6da444535755822fe5d8b0b86"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:614d0949f4790582d2cc25553abd09dd723025f0c0e7c67376a1d77196743d6e"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7ce4bfae76319a532a2dc68f82cc32f5676ee792a983187dac07183690e5c66f"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:2eb992bbd4661238c5a397594c83f5b4dc2bc5b848c365c8f991b6780efcc5c7"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:22a5cb272895dce158b2cacdfdc3debd299019659f42947dbdac6f32d68fe832"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:2b4d59804e8408e2fea7d1fbaf218e5ec984325221db76e6a241a9abd6cdd95c"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:984a20b0f62a26f48a3396c72e4bc34c66e356d356bf370053066b3b6d54634a"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:5a5ed8fde7a1d09376ca0b40e68cd59c69fe23b1f9768bd5824f54681626032a"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:8cd666227ef7af430aa5914a9910e0ddd703e75f039cef0825cd0da71b6b711a"}, - {file = "cryptography-48.0.0-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:9071196d81abc88b3516ac8cdfad32e2b66dd4a5393a8e68a961e9161ddc6239"}, - {file = "cryptography-48.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:1e2d54c8be6152856a36f0882ab231e70f8ec7f14e93cf87db8a2ed056bf160c"}, - {file = "cryptography-48.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a5da777e32ffed6f85a7b2b3f7c5cbc88c146bfcd0a1d7baf5fcc6c52ee35dd4"}, - {file = "cryptography-48.0.0-cp39-abi3-win32.whl", hash = "sha256:77a2ccbbe917f6710e05ba9adaa25fb5075620bf3ea6fb751997875aff4ae4bd"}, - {file = "cryptography-48.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:16cd65b9330583e4619939b3a3843eec1e6e789744bb01e7c7e2e62e33c239c8"}, - {file = "cryptography-48.0.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:84cf79f0dc8b36ac5da873481716e87aef31fcfa0444f9e1d8b4b2cece142855"}, - {file = "cryptography-48.0.0-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:fdfef35d751d510fcef5252703621574364fec16418c4a1e5e1055248401054b"}, - {file = "cryptography-48.0.0-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:0890f502ddf7d9c6426129c3f49f5c0a39278ed7cd6322c8755ffca6ee675a13"}, - {file = "cryptography-48.0.0-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:ecde28a596bead48b0cfd2a1b4416c3d43074c2d785e3a398d7ec1fc4d0f7fbb"}, - {file = "cryptography-48.0.0-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:4defde8685ae324a9eb9d818717e93b4638ef67070ac9bc15b8ca85f63048355"}, - {file = "cryptography-48.0.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:db63bf618e5dea46c07de12e900fe1cdd2541e6dc9dbae772a70b7d4d4765f6a"}, - {file = "cryptography-48.0.0.tar.gz", hash = "sha256:5c3932f4436d1cccb036cb0eaef46e6e2db91035166f1ad6505c3c9d5a635920"}, + {file = "cryptography-49.0.0-cp311-abi3-macosx_11_0_arm64.whl", hash = "sha256:966fe0e9c67490071f14c0d2b1cb2dfb3023c5ce39457343931415f08382f2db"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:36d1709f992593689b45bda411498d62c6e365f2ca00b84657d4dadd24de16db"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:0e959b578856a3924bc0cbb710fc12c387b9412a951389f3ca61704a9e25f325"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:53ecee2e23f7169b6117e99fc8a944e5e50f79e69758a83b52a00cb98ab2b2d2"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:2eda353d8a27bcbcaa4cbed18994a74ab4d19a2ca897db188ea269ab9b71419b"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:2afe9051da7ae7bd5905da5a949280c7d2bb75682e188f650a9d0f2756b834c6"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:0b82e28ee398a386f0807bba7884d30f25218855690f45115831bcce5d90822c"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:ccac2bfebc306b862133e3bb71f3f6ee8bb525240089b2d952e4144b3a6d5da7"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:d0527ce944105f257f605a827d6ebead966c752038b6e8656abb9c5edee6fc68"}, + {file = "cryptography-49.0.0-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:cbc77da8c523d5abd028635ba850a6966fcee2c82e2bf65a41d1d8afe0f98be9"}, + {file = "cryptography-49.0.0-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:b87e65d263b3e5d3bb92a57e2a6638e2f31110fa7aa890c7b2dbba42248d0a3f"}, + {file = "cryptography-49.0.0-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:66ec79c3904820572d7e987abdf304281f141d37ad9a489b8e97066e7b9b6459"}, + {file = "cryptography-49.0.0-cp311-abi3-win_amd64.whl", hash = "sha256:e5dfc1e64de5677cec922ffa8da89c546d0415bf6efdf081842e5d44c84e1f0e"}, + {file = "cryptography-49.0.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:73a205dce83953d131a4aa1e0fd917a2fd1c5b1eef251e9d7152efefcbf5caf7"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:196ecd6a36e4e9aa10270393bb98d8df88fccee0bf1e5128b91ae4eb4375896d"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7abcee80084cda3f7691f3eb1ce480d8df49cec637b429aa35986c1de71738aa"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_28_aarch64.whl", hash = "sha256:4ae387c9cb68ea569ca17e490d66d8142b81c3cc814bf179974b7d146e490bbb"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_28_ppc64le.whl", hash = "sha256:f37d847238971164fdbc68ade6f6574aecc9c0af714190e2083429ff68f4ce9d"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_28_x86_64.whl", hash = "sha256:c2bc30226390d60ea19d9f82b19db005fe0452154a23c1c410c12ea801e43561"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_31_armv7l.whl", hash = "sha256:07cab27cc7b7e0fd28e5e26bb9eeedde5c135c868b46de4a27845abe94af6122"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:b20133d204d2bb56ba047642199603876c872026ca53e79c35b83772ab2cc505"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_34_ppc64le.whl", hash = "sha256:b970c6da94d5bb18629db453d14f2a1300f6bf59b61e9b82377931ef95504866"}, + {file = "cryptography-49.0.0-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:d8ecde755e2e91bf773fc94e8c9d730cd7f2007004cb492263a794ec3899a1c8"}, + {file = "cryptography-49.0.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:e3fb64c420688e5319ae25113a354015abbd8dffbfbc41781a1ea66fc7622ac3"}, + {file = "cryptography-49.0.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:32703d93296f5c1f4b53349ad3a250c2cae0fdecd3a3dd5d47e616d8d616af27"}, + {file = "cryptography-49.0.0-cp314-cp314t-win_amd64.whl", hash = "sha256:33cd0565932807baddb67b96dbee92f2c374b5c89dee09fd74079aeb8c8dba61"}, + {file = "cryptography-49.0.0-cp39-abi3-macosx_11_0_arm64.whl", hash = "sha256:ec5e529fb80935c94fe7b729f9972b50e351a0e6b50aa294fd5cabb109fcc29a"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f78ff2c9ed8dc2d036b0f4d640e22522213d047c1b14e61205a7e55c80a494d4"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:35b151772baff2c74cba7fa290ceaff4c3b11c0c881eb93eb5dbc05a7cfbba18"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:0f21641cf4b30fca7aee061ced0ec7ad7b073518088b7c9969a297c0ae796c69"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:9e82dcc8e56052715fb18b2429e3bca4823b1629136a2084fc45a9a5cecb9b64"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:6f2debedf9ca60cf1d5bd466475638af5130f89965605cd818484d19987d3a21"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:8c25ceb16df5b9435f3f6a9829204985b0e0cbee3b48aacd432c7d2c850b44d9"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:28d8b15e6275f12c8a207dc309dfa957903c927d08d0cc937ee3f63f200693cc"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:6fc361c34fb6aac015ce19435876635e5c6d21db31998b0920f675f131e043b8"}, + {file = "cryptography-49.0.0-cp39-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:2400ef9c9e2299a25614eb1dea3db54a69b1349efd043bfac9c67630d136df36"}, + {file = "cryptography-49.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:67e1d20ad9ef3a563c59ef22e7a8a0b8210bd26604369ea4a30a7c66aefe504e"}, + {file = "cryptography-49.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:42b0684e0e40cf26122427802486f6d93aea593612603a94fbf260c7eb1e9c1b"}, + {file = "cryptography-49.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:026ac7423e6fa66872d3bf889be5974507da3944f866f704fa200eadacd00001"}, + {file = "cryptography-49.0.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc1e275c2f1d97b1a6450b8b0ea3ebfa6e087a611c2b26cb2404d48588abab7b"}, + {file = "cryptography-49.0.0-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c83782480a4a9da4d0feb51950131ba32e12e70813848b3343f6e18c28a66838"}, + {file = "cryptography-49.0.0-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:b39efa323140595abd3ecca8529d321ae50f55f3aa3ba9cc81ea56a6011953d5"}, + {file = "cryptography-49.0.0-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:b47db11c2c3525083296069b98ac5221907455e989ae0c2e3008bde851921615"}, + {file = "cryptography-49.0.0-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:084ef1af862eb07ec46d25f68689f2102a9fc0e05ce7b80f14f5fe51e4eef0f6"}, + {file = "cryptography-49.0.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:be9fcb48a55f023493482827d4f459bd263cc20efde64f204b97c123201850c6"}, + {file = "cryptography-49.0.0.tar.gz", hash = "sha256:f89660a348f4f78a92366240a61404e337586ef7f5909a2fef59ca88ef505493"}, ] [package.dependencies] cffi = {version = ">=2.0.0", markers = "platform_python_implementation != \"PyPy\""} -typing-extensions = {version = ">=4.13.2", markers = "python_full_version < \"3.11\""} +typing-extensions = {version = ">=4.13.2", markers = "python_full_version < \"3.11.0\""} [package.extras] ssh = ["bcrypt (>=3.1.5)"] @@ -535,6 +527,7 @@ version = "5.0" description = "A library for working with .desktop files" optional = false python-versions = ">=3.10" +groups = ["appimage"] files = [ {file = "desktop_entry_lib-5.0-py3-none-any.whl", hash = "sha256:e60a0c2c5e42492dbe5378e596b1de87d1b1c4dc74d1f41998a164ee27a1226f"}, {file = "desktop_entry_lib-5.0.tar.gz", hash = "sha256:9a621bac1819fe21021356e41fec0ac096ed56e6eb5dcfe0639cd8654914b864"}, @@ -549,6 +542,8 @@ version = "1.3.1" description = "Backport of PEP 654 (exception groups)" optional = false python-versions = ">=3.7" +groups = ["dev"] +markers = "python_version == \"3.10\"" files = [ {file = "exceptiongroup-1.3.1-py3-none-any.whl", hash = "sha256:a7a39a3bd276781e98394987d3a5701d0c4edffb633bb7a5144577f82c773598"}, {file = "exceptiongroup-1.3.1.tar.gz", hash = "sha256:8b412432c6055b0b7d14c310000ae93352ed6754f70fa8f7c34141f91c4e3219"}, @@ -562,13 +557,14 @@ test = ["pytest (>=6)"] [[package]] name = "idna" -version = "3.15" +version = "3.18" description = "Internationalized Domain Names in Applications (IDNA)" optional = false -python-versions = ">=3.8" +python-versions = ">=3.9" +groups = ["appimage"] files = [ - {file = "idna-3.15-py3-none-any.whl", hash = "sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8"}, - {file = "idna-3.15.tar.gz", hash = "sha256:ca962446ea538f7092a95e057da437618e886f4d349216d2b1e294abfdb65fdc"}, + {file = "idna-3.18-py3-none-any.whl", hash = "sha256:7f952cbe720b688055e3f87de14f5c3e5fdaa8bc3928985c4077ca689de849a2"}, + {file = "idna-3.18.tar.gz", hash = "sha256:ffb385a7e039654cef1ab9ef32c6fafe283c0c0467bba1d9029738ce4a14a848"}, ] [package.extras] @@ -580,6 +576,7 @@ version = "2.3.0" description = "brain-dead simple config-ini parsing" optional = false python-versions = ">=3.10" +groups = ["dev"] files = [ {file = "iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12"}, {file = "iniconfig-2.3.0.tar.gz", hash = "sha256:c76315c77db068650d49c5b56314774a7804df16fee4402c1f19d6d15d8c4730"}, @@ -591,6 +588,7 @@ version = "3.0.3" description = "Pythonic task execution" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "invoke-3.0.3-py3-none-any.whl", hash = "sha256:f11327165e5cbb89b2ad1d88d3292b5113332c43b8553b494da435d6ec6f5053"}, {file = "invoke-3.0.3.tar.gz", hash = "sha256:437b6a622223824380bfb4e64f612711a6b648c795f565efc8625af66fb57f0c"}, @@ -602,6 +600,7 @@ version = "4.26.0" description = "An implementation of JSON Schema validation for Python" optional = false python-versions = ">=3.10" +groups = ["main"] files = [ {file = "jsonschema-4.26.0-py3-none-any.whl", hash = "sha256:d489f15263b8d200f8387e64b4c3a75f06629559fb73deb8fdfb525f2dab50ce"}, {file = "jsonschema-4.26.0.tar.gz", hash = "sha256:0c26707e2efad8aa1bfc5b7ce170f3fccc2e4918ff85989ba9ffa9facb2be326"}, @@ -609,7 +608,7 @@ files = [ [package.dependencies] attrs = ">=22.2.0" -jsonschema-specifications = ">=2023.03.6" +jsonschema-specifications = ">=2023.3.6" referencing = ">=0.28.4" rpds-py = ">=0.25.0" @@ -623,6 +622,7 @@ version = "2025.9.1" description = "The JSON Schema meta-schemas and vocabularies, exposed as a Registry" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "jsonschema_specifications-2025.9.1-py3-none-any.whl", hash = "sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe"}, {file = "jsonschema_specifications-2025.9.1.tar.gz", hash = "sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d"}, @@ -637,6 +637,7 @@ version = "26.2" description = "Core utilities for Python packages" optional = false python-versions = ">=3.8" +groups = ["dev"] files = [ {file = "packaging-26.2-py3-none-any.whl", hash = "sha256:5fc45236b9446107ff2415ce77c807cee2862cb6fac22b8a73826d0693b0980e"}, {file = "packaging-26.2.tar.gz", hash = "sha256:ff452ff5a3e828ce110190feff1178bb1f2ea2281fa2075aadb987c2fb221661"}, @@ -648,6 +649,7 @@ version = "5.0.0" description = "SSH2 protocol library" optional = false python-versions = ">=3.9" +groups = ["main"] files = [ {file = "paramiko-5.0.0-py3-none-any.whl", hash = "sha256:b7044611c30140d9a75261653210e2002977b71a0497ff3ba0d98d7edbf62f7c"}, {file = "paramiko-5.0.0.tar.gz", hash = "sha256:36763b5b95c2a0dcfdf1abc48e48156ee425b21efe2f0e787c2dd5a95c0e5e79"}, @@ -665,6 +667,7 @@ version = "1.6.0" description = "plugin and hook calling mechanisms for python" optional = false python-versions = ">=3.9" +groups = ["dev"] files = [ {file = "pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746"}, {file = "pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3"}, @@ -680,6 +683,8 @@ version = "3.0" description = "C parser in Python" optional = false python-versions = ">=3.10" +groups = ["main"] +markers = "platform_python_implementation != \"PyPy\" and implementation_name != \"PyPy\"" files = [ {file = "pycparser-3.0-py3-none-any.whl", hash = "sha256:b727414169a36b7d524c1c3e31839a521725078d7b2ff038656844266160a992"}, {file = "pycparser-3.0.tar.gz", hash = "sha256:600f49d217304a5902ac3c37e1281c9fe94e4d0489de643a9504c5cdfdfc6b29"}, @@ -691,6 +696,7 @@ version = "2.20.0" description = "Pygments is a syntax highlighting package written in Python." optional = false python-versions = ">=3.9" +groups = ["dev"] files = [ {file = "pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176"}, {file = "pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f"}, @@ -705,6 +711,7 @@ version = "1.6.2" description = "Python binding to the Networking and Cryptography (NaCl) library" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "pynacl-1.6.2-cp314-cp314t-macosx_10_10_universal2.whl", hash = "sha256:622d7b07cc5c02c666795792931b50c91f3ce3c2649762efb1ef0d5684c81594"}, {file = "pynacl-1.6.2-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:d071c6a9a4c94d79eb665db4ce5cedc537faf74f2355e4d502591d850d3913c0"}, @@ -746,6 +753,7 @@ version = "4.2" description = "Generate AppImages from your Python projects" optional = false python-versions = ">=3.9" +groups = ["appimage"] files = [ {file = "pyproject_appimage-4.2-py3-none-any.whl", hash = "sha256:d6892643db5759dc06531a4546bdab404a519c63814c060f8749979a8625d9cc"}, {file = "pyproject_appimage-4.2.tar.gz", hash = "sha256:6b6387250cb1e6ecbb08a13f5810749396ebe8637f2f35bf2296bfdd5e65cd6e"}, @@ -762,6 +770,7 @@ version = "8.4.2" description = "pytest: simple powerful testing with Python" optional = false python-versions = ">=3.9" +groups = ["dev"] files = [ {file = "pytest-8.4.2-py3-none-any.whl", hash = "sha256:872f880de3fc3a5bdc88a11b39c9710c3497a547cfa9320bc3c5e62fbf272e79"}, {file = "pytest-8.4.2.tar.gz", hash = "sha256:86c0d0b93306b961d58d62a4db4879f27fe25513d4b969df351abdddb3c30e01"}, @@ -785,6 +794,7 @@ version = "5.0.0" description = "Pytest plugin for measuring coverage." optional = false python-versions = ">=3.8" +groups = ["dev"] files = [ {file = "pytest-cov-5.0.0.tar.gz", hash = "sha256:5837b58e9f6ebd335b0f8060eecce69b662415b16dc503883a02f45dfeb14857"}, {file = "pytest_cov-5.0.0-py3-none-any.whl", hash = "sha256:4f0764a1219df53214206bf1feea4633c3b558a2925c8b59f144f682861ce652"}, @@ -803,6 +813,7 @@ version = "6.0.3" description = "YAML parser and emitter for Python" optional = false python-versions = ">=3.8" +groups = ["main"] files = [ {file = "PyYAML-6.0.3-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f"}, {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4"}, @@ -885,6 +896,7 @@ version = "0.37.0" description = "JSON Referencing + Python" optional = false python-versions = ">=3.10" +groups = ["main"] files = [ {file = "referencing-0.37.0-py3-none-any.whl", hash = "sha256:381329a9f99628c9069361716891d34ad94af76e461dcb0335825aecc7692231"}, {file = "referencing-0.37.0.tar.gz", hash = "sha256:44aefc3142c5b842538163acb373e24cce6632bd54bdb01b21ad5863489f50d8"}, @@ -897,13 +909,14 @@ typing-extensions = {version = ">=4.4.0", markers = "python_version < \"3.13\""} [[package]] name = "requests" -version = "2.34.1" +version = "2.34.2" description = "Python HTTP for Humans." optional = false python-versions = ">=3.10" +groups = ["appimage"] files = [ - {file = "requests-2.34.1-py3-none-any.whl", hash = "sha256:bf38a3ff993960d3dd819c08862c40b3c703306eb7c744fcd9f4ddbb95b548f0"}, - {file = "requests-2.34.1.tar.gz", hash = "sha256:0fc5669f2b69704449fe1552360bd2a73a54512dfd03e65529157f1513322beb"}, + {file = "requests-2.34.2-py3-none-any.whl", hash = "sha256:2a0d60c172f83ac6ab31e4554906c0f3b3588d37b5cb939b1c061f4907e278e0"}, + {file = "requests-2.34.2.tar.gz", hash = "sha256:f288924cae4e29463698d6d60bc6a4da69c89185ad1e0bcc4104f584e960b9ed"}, ] [package.dependencies] @@ -922,6 +935,7 @@ version = "0.30.0" description = "Python bindings to Rust's persistent data structures (rpds)" optional = false python-versions = ">=3.10" +groups = ["main"] files = [ {file = "rpds_py-0.30.0-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:679ae98e00c0e8d68a7fda324e16b90fd5260945b45d3b824c892cec9eea3288"}, {file = "rpds_py-0.30.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:4cc2206b76b4f576934f0ed374b10d7ca5f457858b157ca52064bdfc26b9fc00"}, @@ -1046,6 +1060,7 @@ version = "2.4.1" description = "A lil' TOML parser" optional = false python-versions = ">=3.8" +groups = ["appimage", "dev"] files = [ {file = "tomli-2.4.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:f8f0fc26ec2cc2b965b7a3b87cd19c5c6b8c5e5f436b984e85f486d652285c30"}, {file = "tomli-2.4.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4ab97e64ccda8756376892c53a72bd1f964e519c77236368527f758fbc36a53a"}, @@ -1095,6 +1110,7 @@ files = [ {file = "tomli-2.4.1-py3-none-any.whl", hash = "sha256:0d85819802132122da43cb86656f8d1f8c6587d54ae7dcaf30e90533028b49fe"}, {file = "tomli-2.4.1.tar.gz", hash = "sha256:7c7e1a961a0b2f2472c1ac5b69affa0ae1132c39adcb67aba98568702b9cc23f"}, ] +markers = {appimage = "python_version == \"3.10\"", dev = "python_full_version <= \"3.11.0a6\""} [[package]] name = "typing-extensions" @@ -1102,10 +1118,12 @@ version = "4.15.0" description = "Backported and Experimental Type Hints for Python 3.9+" optional = false python-versions = ">=3.9" +groups = ["main", "dev"] files = [ {file = "typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548"}, {file = "typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466"}, ] +markers = {main = "python_version < \"3.13\"", dev = "python_version == \"3.10\""} [[package]] name = "urllib3" @@ -1113,18 +1131,19 @@ version = "2.7.0" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = ">=3.10" +groups = ["appimage"] files = [ {file = "urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897"}, {file = "urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c"}, ] [package.extras] -brotli = ["brotli (>=1.2.0)", "brotlicffi (>=1.2.0.0)"] +brotli = ["brotli (>=1.2.0) ; platform_python_implementation == \"CPython\"", "brotlicffi (>=1.2.0.0) ; platform_python_implementation != \"CPython\""] h2 = ["h2 (>=4,<5)"] socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] -zstd = ["backports-zstd (>=1.0.0)"] +zstd = ["backports-zstd (>=1.0.0) ; python_version < \"3.14\""] [metadata] -lock-version = "2.0" -python-versions = "^3.10" -content-hash = "30e16396439f2cdd69005a5b7bdf8144aac33422a77a63accbc9eaa74151d851" +lock-version = "2.1" +python-versions = ">=3.10" +content-hash = "30b921854cfa120876ec47a9969f8ff29668f438357b9957c1c47c77ce267b67" diff --git a/pyproject.toml b/pyproject.toml index a7a83d0..d02de2f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,34 +1,49 @@ -[tool.poetry] +[build-system] +requires = ["poetry-core>=2.0.0,<3.0.0"] +build-backend = "poetry.core.masonry.api" + +[project] name = "enroll" -version = "0.6.0" -description = "Enroll a server's running state retrospectively into Ansible" -authors = ["Miguel Jacq "] -license = "GPL-3.0-or-later" +version = "0.7.0b7" +description = "Enroll a server's running state retrospectively into Ansible, Puppet or Salt" readme = "README.md" -packages = [{ include = "enroll" }] -repository = "https://git.mig5.net/mig5/enroll" -include = [ - { path = "enroll/schema/state.schema.json", format = ["sdist", "wheel"] } +requires-python = ">=3.10" +license = "GPL-3.0-or-later" +authors = [ + { name = "Miguel Jacq", email = "mig@mig5.net" }, +] +dependencies = [ + "PyYAML>=6,<7", + "paramiko>=3.5", + "jsonschema>=4.23,<5", ] -[tool.poetry.dependencies] -python = "^3.10" -pyyaml = "^6" -paramiko = ">=3.5" -jsonschema = "^4.23.0" +[project.urls] +Repository = "https://git.mig5.net/mig5/enroll" -[tool.poetry.scripts] +[project.scripts] enroll = "enroll.cli:main" -[build-system] -requires = ["poetry-core>=1.8.0"] -build-backend = "poetry.core.masonry.api" +[tool.poetry] +requires-poetry = ">=2.0" +packages = [{ include = "enroll" }] +include = [ + { path = "enroll/schema/state.schema.json", format = ["sdist", "wheel"] }, +] + +[tool.poetry.group.dev] +optional = true + +[tool.poetry.group.dev.dependencies] +pytest = ">=8,<9" +pytest-cov = ">=5,<6" + +[tool.poetry.group.appimage] +optional = true + +[tool.poetry.group.appimage.dependencies] +pyproject-appimage = ">=4.2,<5" [tool.pyproject-appimage] script = "enroll" output = "Enroll.AppImage" - -[tool.poetry.dev-dependencies] -pytest = "^8" -pytest-cov = "^5" -pyproject-appimage = "^4.2" diff --git a/pytests.sh b/pytests.sh new file mode 100755 index 0000000..8d2e42e --- /dev/null +++ b/pytests.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +set -eou pipefail + +poetry run python -m pytest -q tests -vvv --cov=enroll --cov-report=term-missing diff --git a/release.sh b/release.sh index d8454a2..761c816 100755 --- a/release.sh +++ b/release.sh @@ -7,11 +7,9 @@ filedust -y . # Publish to Pypi poetry build -poetry publish # Make AppImage -poetry run pyproject-appimage -mv Enroll.AppImage dist/ +poetry run pyproject-appimage --output dist/Enroll.AppImage # Sign packages for file in `ls -1 dist/`; do qubes-gpg-client --batch --armor --detach-sign dist/$file > dist/$file.asc; done @@ -87,6 +85,9 @@ for dist in ${DISTS[@]}; do qubes-gpg-client --local-user "$KEYID" --detach-sign --armor "$RPM_REPO/repodata/repomd.xml" > "$RPM_REPO/repodata/repomd.xml.asc" done +# If we got this far, publish to Poetry too +poetry publish + echo "==> Syncing repo to server..." rsync -aHPvz --exclude=.git --delete "$REPO_ROOT/" "$REMOTE/" diff --git a/tests.sh b/tests.sh index 126a87b..af27e9b 100755 --- a/tests.sh +++ b/tests.sh @@ -1,53 +1,524 @@ #!/bin/bash -set -eo pipefail +set -Eeuo pipefail -# Pytests -poetry run pytest -vvvv --cov=enroll --cov-report=term-missing --disable-warnings +if [[ -d /opt/puppetlabs/bin ]]; then + export PATH="/opt/puppetlabs/bin:${PATH}" +fi -BUNDLE_DIR="/tmp/bundle" -ANSIBLE_DIR="/tmp/ansible" -rm -rf "${BUNDLE_DIR}" "${ANSIBLE_DIR}" +PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +TMP_PARENT="${TMPDIR:-/tmp}" +KEEP_WORKDIR=0 +if [[ -n "${ENROLL_TEST_WORKDIR:-}" ]]; then + WORK_DIR="${ENROLL_TEST_WORKDIR}" + KEEP_WORKDIR=1 + mkdir -p "${WORK_DIR}" +else + WORK_DIR="$(mktemp -d "${TMP_PARENT%/}/enroll-tests.XXXXXX")" +fi -# Install something that has symlinks like apache2, -# to extend the manifests that will be linted later -DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends apache2 +BUNDLE_DIR="${WORK_DIR}/bundle" +BUNDLE_DIFF_DIR="${WORK_DIR}/bundle-diff" +ANSIBLE_DIR="${WORK_DIR}/ansible" +ANSIBLE_NO_COMMON_DIR="${WORK_DIR}/ansible-no-common" +ANSIBLE_FQDN_DIR="${WORK_DIR}/ansible-fqdn" +PUPPET_DIR="${WORK_DIR}/puppet" +PUPPET_FQDN_DIR="${WORK_DIR}/puppet-fqdn" +SALT_DIR="${WORK_DIR}/salt" +SALT_FQDN_DIR="${WORK_DIR}/salt-fqdn" +ANSIBLE_JINJATURTLE_DIR="${WORK_DIR}/ansible-jinjaturtle" +ANSIBLE_NO_JINJATURTLE_DIR="${WORK_DIR}/ansible-no-jinjaturtle" +PUPPET_JINJATURTLE_DIR="${WORK_DIR}/puppet-jinjaturtle" +PUPPET_NO_JINJATURTLE_DIR="${WORK_DIR}/puppet-no-jinjaturtle" +SALT_JINJATURTLE_DIR="${WORK_DIR}/salt-jinjaturtle" +SALT_NO_JINJATURTLE_DIR="${WORK_DIR}/salt-no-jinjaturtle" +TEST_FQDN="${ENROLL_TEST_FQDN:-enroll-ci.example.test}" +JINJATURTLE_FIXTURE="${WORK_DIR}/enroll-tests-jinjaturtle.ini" +ANSIBLE_PLAYBOOK_EXTRA_ARGS=() -# Generate data -poetry run \ - enroll single-shot \ - --harvest "${BUNDLE_DIR}" \ - --out "${ANSIBLE_DIR}" +cleanup() { + if [[ "${KEEP_WORKDIR}" -eq 0 ]]; then + rm -rf "${WORK_DIR}" + else + printf '\nKeeping ENROLL_TEST_WORKDIR: %s\n' "${WORK_DIR}" + fi +} +trap cleanup EXIT -# Analyse -poetry run \ - enroll explain "${BUNDLE_DIR}" -poetry run \ - enroll explain "${BUNDLE_DIR}" --format json | jq +section() { + printf '\n================================================================================\n' + printf '%s\n' "$1" + printf '================================================================================\n' +} -# Validate -poetry run \ - enroll validate --fail-on-warnings "${BUNDLE_DIR}" +run() { + printf '+ ' + printf '%q ' "$@" + printf '\n' + "$@" +} -# Install/remove something, harvest again and diff the harvests -DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cowsay -poetry run \ - enroll harvest --out "${BUNDLE_DIR}2" -# Validate -poetry run \ - enroll validate --fail-on-warnings "${BUNDLE_DIR}2" -# Diff -poetry run \ - enroll diff \ - --old "${BUNDLE_DIR}" \ - --new "${BUNDLE_DIR}2" \ - --format json | jq -DEBIAN_FRONTEND=noninteractive apt-get remove -y --purge cowsay +fail() { + printf 'ERROR: %s\n' "$*" >&2 + exit 1 +} -# Ansible test -builtin cd "${ANSIBLE_DIR}" -# Lint -ansible-lint "${ANSIBLE_DIR}" +require_root() { + if [[ "$(id -u)" -ne 0 ]]; then + fail "tests.sh must be run as root so harvest and CM noop tests can inspect/apply system state." + fi +} -# Run -ansible-playbook playbook.yml -i "localhost," -c local --check --diff +require_supported_ci_os() { + if [[ -r /etc/os-release ]]; then + # shellcheck disable=SC1091 + . /etc/os-release + case "${ID:-}" in + debian) + if [[ "${VERSION_ID:-}" != "13" ]]; then + printf 'WARNING: tests.sh is maintained for Debian 13 CI; detected Debian %s.\n' "${VERSION_ID:-unknown}" >&2 + fi + ;; + almalinux|rhel|rocky|centos|fedora) + printf 'Detected RPM-family CI host: %s %s.\n' "${ID:-unknown}" "${VERSION_ID:-unknown}" >&2 + ;; + *) + printf 'WARNING: tests.sh is maintained for Debian 13 and AlmaLinux/RHEL-family CI; detected %s %s.\n' "${ID:-unknown}" "${VERSION_ID:-unknown}" >&2 + ;; + esac + fi +} + + +pid1_comm() { + if [[ -r /proc/1/comm ]]; then + tr -d '[:space:]' /dev/null 2>&1; then + ps -p 1 -o comm= 2>/dev/null | tr -d '[:space:]' || true + fi +} + +configure_ansible_playbook_extra_args() { + local pid1 + pid1="$(pid1_comm)" + + ANSIBLE_PLAYBOOK_EXTRA_ARGS=() + if [[ "${pid1}" != "systemd" ]]; then + section "Setup: Ansible systemd runtime guard" + printf 'PID 1 is %s, not systemd; disabling generated Ansible systemd runtime enforcement for CI noop plays.\n' "${pid1:-unknown}" + ANSIBLE_PLAYBOOK_EXTRA_ARGS=(-e enroll_manage_systemd_runtime=false) + fi +} + +os_id() { + if [[ -r /etc/os-release ]]; then + # shellcheck disable=SC1091 + . /etc/os-release + printf '%s' "${ID:-unknown}" + else + printf 'unknown' + fi +} + +os_version_major() { + if [[ -r /etc/os-release ]]; then + # shellcheck disable=SC1091 + . /etc/os-release + printf '%s' "${VERSION_ID%%.*}" + else + printf 'unknown' + fi +} + +is_debian() { + [[ "$(os_id)" == "debian" ]] +} + +is_rpm_family() { + case "$(os_id)" in + almalinux|rhel|rocky|centos|fedora) return 0 ;; + *) return 1 ;; + esac +} + +pkg_update_once() { + if is_debian; then + if [[ -z "${APT_UPDATED:-}" ]]; then + section "Setup: apt metadata" + run apt-get update + APT_UPDATED=1 + fi + elif is_rpm_family; then + if [[ -z "${DNF_UPDATED:-}" ]]; then + section "Setup: dnf metadata" + run dnf -y makecache + DNF_UPDATED=1 + fi + else + fail "Unsupported package manager for OS $(os_id)." + fi +} + +translate_packages() { + local translated=() + local pkg + for pkg in "$@"; do + if is_debian; then + translated+=("${pkg}") + continue + fi + + case "${pkg}" in + ansible) translated+=(ansible-core) ;; + apache2) translated+=(httpd) ;; + gnupg) translated+=(gnupg2) ;; + curl) translated+=(curl-minimal) ;; + lsb-release) translated+=(redhat-lsb-core) ;; + puppet) translated+=(puppet-agent) ;; + python3-apt) ;; + python3-jsonschema) translated+=(python3-jsonschema) ;; + python3-venv) ;; + systemctl) translated+=(systemd) ;; + *) translated+=("${pkg}") ;; + esac + done + printf '%s\n' "${translated[@]}" +} + +pkg_install() { + local packages=() + local pkg + + while IFS= read -r pkg; do + [[ -n "${pkg}" ]] && packages+=("${pkg}") + done < <(translate_packages "$@") + + if [[ "${#packages[@]}" -eq 0 ]]; then + return 0 + fi + + pkg_update_once + if is_debian; then + run env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends "${packages[@]}" + elif is_rpm_family; then + ensure_epel_repo + run dnf -y install "${packages[@]}" + else + fail "Unsupported package manager for OS $(os_id)." + fi +} + +pkg_remove_purge() { + if is_debian; then + run env DEBIAN_FRONTEND=noninteractive apt-get remove -y --purge "$@" + elif is_rpm_family; then + run dnf -y remove "$@" + else + fail "Unsupported package manager for OS $(os_id)." + fi +} + +ensure_epel_repo() { + if ! is_rpm_family; then + return + fi + if rpm -q epel-release >/dev/null 2>&1; then + return + fi + run dnf -y install dnf-plugins-core epel-release + run dnf -y config-manager --set-enabled crb || true + DNF_UPDATED= +} + +ensure_salt_repo() { + if is_debian; then + if [[ -e /etc/apt/sources.list.d/salt.sources ]]; then + return + fi + section "Setup: Salt apt repository" + pkg_install ca-certificates curl gnupg + run mkdir -m 755 -p /etc/apt/keyrings + run bash -c "curl -fsSL https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public | gpg --dearmor --yes -o /etc/apt/keyrings/salt-archive-keyring.pgp" + run bash -c "curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.sources > /etc/apt/sources.list.d/salt.sources" + APT_UPDATED= + elif is_rpm_family; then + if [[ -e /etc/yum.repos.d/salt.repo ]]; then + return + fi + section "Setup: Salt dnf repository" + pkg_install ca-certificates curl + run bash -c "curl -fsSL https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo > /etc/yum.repos.d/salt.repo" + DNF_UPDATED= + fi +} + +ensure_puppet_repo() { + if ! is_rpm_family; then + return + fi + if rpm -q puppet8-release >/dev/null 2>&1 || [[ -e /etc/yum.repos.d/puppet8-release.repo ]]; then + return + fi + section "Setup: Puppet dnf repository" + local major + major="$(os_version_major)" + run dnf -y install "https://yum.puppet.com/puppet8-release-el-${major}.noarch.rpm" + DNF_UPDATED= +} + +ensure_jinjaturtle() { + section "Setup: JinjaTurtle package" + if command -v jinjaturtle >/dev/null 2>&1; then + printf 'jinjaturtle already available at: %s\n' "$(command -v jinjaturtle)" + return + fi + + if is_debian; then + pkg_install ca-certificates curl gnupg lsb-release + run mkdir -p /usr/share/keyrings + run bash -c "curl -fsSL https://mig5.net/static/mig5.asc | gpg --dearmor --yes -o /usr/share/keyrings/mig5.gpg" + + local codename + codename="$(lsb_release -cs)" + run bash -c "printf '%s\n' 'deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net ${codename} main' > /etc/apt/sources.list.d/mig5.list" + run apt-get update + APT_UPDATED=1 + run env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends jinjaturtle + elif is_rpm_family; then + printf 'Skipping JinjaTurtle package integration on RPM-family CI;\n' + return + else + fail "Unsupported OS for JinjaTurtle package install: $(os_id)." + fi +} + +require_cmd() { + local cmd="$1" + local hint="$2" + if ! command -v "${cmd}" >/dev/null 2>&1; then + fail "Required command '${cmd}' was not found. ${hint}" + fi +} + +ensure_ansible() { + ensure_epel_repo + if ! command -v ansible-playbook >/dev/null 2>&1 || ! command -v ansible-lint >/dev/null 2>&1; then + pkg_install ansible ansible-lint + fi + require_cmd ansible-playbook "Install the ansible/ansible-core package." + require_cmd ansible-lint "Install the ansible-lint package." +} + +ensure_puppet() { + ensure_puppet_repo + if ! command -v puppet >/dev/null 2>&1; then + pkg_install puppet || pkg_install puppet-agent + fi + require_cmd puppet "Install Puppet before running the Puppet noop integration tests." +} + +ensure_salt() { + ensure_salt_repo + if ! command -v salt-call >/dev/null 2>&1; then + pkg_install salt-minion || true + fi + require_cmd salt-call "Install Salt's salt-call binary before running the Salt noop integration tests. This may require configuring the upstream Salt/Broadcom package repository first." +} + +run_pytests() { + section "Python unit tests" + cd "${PROJECT_ROOT}" + run poetry run python -m pytest -vvvv --cov=enroll --cov-report=term-missing --disable-warnings +} + +prepare_harvest_fixture() { + section "Common harvest fixture and CLI smoke checks" + pkg_install jq apache2 + + cat >"${JINJATURTLE_FIXTURE}" <<'EOF' +[enroll_tests] +enabled = true +answer = 42 +EOF + + cd "${PROJECT_ROOT}" + rm -rf "${BUNDLE_DIR}" "${BUNDLE_DIFF_DIR}" + + run poetry run enroll harvest --out "${BUNDLE_DIR}" --include-path "${JINJATURTLE_FIXTURE}" + run poetry run enroll explain "${BUNDLE_DIR}" + run bash -c "poetry run enroll explain '${BUNDLE_DIR}' --format json | jq" + run poetry run enroll validate --fail-on-warnings "${BUNDLE_DIR}" + + pkg_install cowsay + run poetry run enroll harvest --out "${BUNDLE_DIFF_DIR}" --include-path "${JINJATURTLE_FIXTURE}" + run poetry run enroll validate --fail-on-warnings "${BUNDLE_DIFF_DIR}" + run bash -c "poetry run enroll diff --old '${BUNDLE_DIR}' --new '${BUNDLE_DIFF_DIR}' --format json | jq" + pkg_remove_purge cowsay +} + +assert_template_files() { + local manifest_dir="$1" + local extension="$2" + local expected="$3" + local label="$4" + local found + + found="$(find "${manifest_dir}" -type f -name "*.${extension}" -print -quit)" + if [[ "${expected}" == "present" ]]; then + if [[ -z "${found}" ]]; then + fail "Expected ${label} to contain at least one .${extension} template, but none were found." + fi + printf 'Found expected .%s template in %s: %s\n' "${extension}" "${label}" "${found}" + else + if [[ -n "${found}" ]]; then + fail "Expected ${label} to contain no .${extension} templates, but found ${found}." + fi + printf 'Confirmed no .%s templates in %s.\n' "${extension}" "${label}" + fi +} + +run_ansible_jinjaturtle_variant() { + local out_dir="$1" + local expected="$2" + local label="$3" + shift 3 + + ensure_ansible + cd "${PROJECT_ROOT}" + rm -rf "${out_dir}" + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${out_dir}" --target ansible "$@" + assert_template_files "${out_dir}" "j2" "${expected}" "${label}" + ansible-galaxy install -r "${out_dir}/requirements.yml" + run ansible-lint "${out_dir}" + cd "${out_dir}" + run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" +} + +run_puppet_jinjaturtle_variant() { + local out_dir="$1" + local expected="$2" + local label="$3" + shift 3 + + ensure_puppet + cd "${PROJECT_ROOT}" + rm -rf "${out_dir}" + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${out_dir}" --target puppet "$@" + assert_template_files "${out_dir}" "erb" "${expected}" "${label}" + run puppet apply --modulepath "${out_dir}/modules" "${out_dir}/manifests/site.pp" --noop +} + +run_salt_jinjaturtle_variant() { + local out_dir="$1" + local expected="$2" + local label="$3" + shift 3 + + ensure_salt + cd "${PROJECT_ROOT}" + rm -rf "${out_dir}" + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${out_dir}" --target salt "$@" + assert_template_files "${out_dir}" "j2" "${expected}" "${label}" + run salt-call --local --retcode-passthrough --file-root "${out_dir}/states" state.apply test=True +} + +run_jinjaturtle_manifest_tests() { + if is_rpm_family ; then + section "JinjaTurtle integration matrix" + printf 'Skipping JinjaTurtle package integration on RPM-family CI;\n' + return + fi + + ensure_jinjaturtle + require_cmd jinjaturtle "Install JinjaTurtle before running the JinjaTurtle integration matrix." + + section "Ansible JinjaTurtle manifest noop tests" + run_ansible_jinjaturtle_variant "${ANSIBLE_JINJATURTLE_DIR}" present "Ansible with JinjaTurtle on PATH" + run_ansible_jinjaturtle_variant "${ANSIBLE_NO_JINJATURTLE_DIR}" absent "Ansible with --no-jinjaturtle" --no-jinjaturtle + + section "Puppet JinjaTurtle manifest noop tests" + run_puppet_jinjaturtle_variant "${PUPPET_JINJATURTLE_DIR}" present "Puppet with JinjaTurtle on PATH" + run_puppet_jinjaturtle_variant "${PUPPET_NO_JINJATURTLE_DIR}" absent "Puppet with --no-jinjaturtle" --no-jinjaturtle + + section "Salt JinjaTurtle manifest noop tests" + run_salt_jinjaturtle_variant "${SALT_JINJATURTLE_DIR}" present "Salt with JinjaTurtle on PATH" + run_salt_jinjaturtle_variant "${SALT_NO_JINJATURTLE_DIR}" absent "Salt with --no-jinjaturtle" --no-jinjaturtle +} + +run_ansible_noop_tests() { + section "Ansible manifest noop tests" + ensure_ansible + cd "${PROJECT_ROOT}" + rm -rf "${ANSIBLE_DIR}" "${ANSIBLE_NO_COMMON_DIR}" "${ANSIBLE_FQDN_DIR}" + + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_DIR}" --target ansible + ansible-galaxy install -r "${ANSIBLE_DIR}/requirements.yml" + run ansible-lint "${ANSIBLE_DIR}" + cd "${ANSIBLE_DIR}" + run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" + + cd "${PROJECT_ROOT}" + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_NO_COMMON_DIR}" --target ansible --no-common-roles + ansible-galaxy install -r "${ANSIBLE_NO_COMMON_DIR}/requirements.yml" + cd "${ANSIBLE_NO_COMMON_DIR}" + run ansible-playbook playbook.yml -i "localhost," -c local --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" + + cd "${PROJECT_ROOT}" + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${ANSIBLE_FQDN_DIR}" --target ansible --fqdn "${TEST_FQDN}" + ansible-galaxy install -r "${ANSIBLE_FQDN_DIR}/requirements.yml" + cd "${ANSIBLE_FQDN_DIR}" + run ansible-playbook "playbooks/${TEST_FQDN}.yml" -i inventory/hosts.ini -c local --limit "${TEST_FQDN}" --check --diff "${ANSIBLE_PLAYBOOK_EXTRA_ARGS[@]}" +} + +run_puppet_noop_tests() { + section "Puppet manifest noop tests" + ensure_puppet + cd "${PROJECT_ROOT}" + rm -rf "${PUPPET_DIR}" "${PUPPET_FQDN_DIR}" + + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${PUPPET_DIR}" --target puppet + run puppet apply --modulepath "${PUPPET_DIR}/modules" "${PUPPET_DIR}/manifests/site.pp" --noop + + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${PUPPET_FQDN_DIR}" --target puppet --fqdn "${TEST_FQDN}" + run puppet apply \ + --modulepath "${PUPPET_FQDN_DIR}/modules" \ + --hiera_config "${PUPPET_FQDN_DIR}/hiera.yaml" \ + --certname "${TEST_FQDN}" \ + "${PUPPET_FQDN_DIR}/manifests/site.pp" \ + --noop +} + +run_salt_noop_tests() { + section "Salt manifest noop tests" + ensure_salt + cd "${PROJECT_ROOT}" + rm -rf "${SALT_DIR}" "${SALT_FQDN_DIR}" + + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${SALT_DIR}" --target salt + run salt-call --local --retcode-passthrough --file-root "${SALT_DIR}/states" state.apply test=True + + run poetry run enroll manifest --harvest "${BUNDLE_DIR}" --out "${SALT_FQDN_DIR}" --target salt --fqdn "${TEST_FQDN}" + run salt-call \ + --local \ + --retcode-passthrough \ + --id "${TEST_FQDN}" \ + --file-root "${SALT_FQDN_DIR}/states" \ + --pillar-root "${SALT_FQDN_DIR}/pillar" \ + state.apply test=True +} + +main() { + require_root + require_supported_ci_os + run_pytests + prepare_harvest_fixture + configure_ansible_playbook_extra_args + run_ansible_noop_tests + run_puppet_noop_tests + run_salt_noop_tests + run_jinjaturtle_manifest_tests +} + +main "$@" diff --git a/tests/conftest.py b/tests/conftest.py index 2b99213..7c060de 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -1,7 +1,21 @@ import sys from pathlib import Path +import pytest + # Ensure repository root is on sys.path so `import enroll` resolves to the local package. ROOT = Path(__file__).resolve().parents[1] if str(ROOT) not in sys.path: sys.path.insert(0, str(ROOT)) + + +@pytest.fixture(autouse=True) +def _disable_cli_root_path_prompt_by_default(monkeypatch): + """Keep CLI tests deterministic when the test runner itself runs as root. + + Individual tests that cover the root PATH guard can override this monkeypatch. + """ + + import enroll.cli as cli + + monkeypatch.setattr(cli, "_is_effective_root", lambda: False) diff --git a/tests/state_helpers.py b/tests/state_helpers.py new file mode 100644 index 0000000..9cbca20 --- /dev/null +++ b/tests/state_helpers.py @@ -0,0 +1,234 @@ +from __future__ import annotations + +import copy +import json +from pathlib import Path +from typing import Any + +_VALID_REASON_FALLBACKS = { + "dangerous_user_dotfile": "user_shell_rc", + "possible_secret": "sensitive_content", +} + +_COMMON_ROLES = { + "users", + "apt_config", + "dnf_config", + "etc_custom", + "usr_local_custom", + "extra_paths", +} + + +def _common_role(name: str) -> dict[str, Any]: + out: dict[str, Any] = { + "role_name": name, + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + } + if name == "users": + out["users"] = [] + if name == "extra_paths": + out["include_patterns"] = [] + out["exclude_patterns"] = [] + out["managed_links"] = [] + return out + + +def _normalise_managed_file(mf: dict[str, Any]) -> None: + reason = mf.get("reason") + if reason in _VALID_REASON_FALLBACKS: + mf["reason"] = _VALID_REASON_FALLBACKS[reason] + mf.setdefault("owner", "root") + mf.setdefault("group", "root") + mf.setdefault("mode", "0644") + mf.setdefault("reason", "modified_conffile") + + +def _normalise_managed_dir(md: dict[str, Any]) -> None: + md.setdefault("owner", "root") + md.setdefault("group", "root") + md.setdefault("mode", "0755") + if md.get("reason") in {None, "parent_dir"}: + md["reason"] = "parent_of_managed_file" + + +def _normalise_managed_link(ml: dict[str, Any]) -> None: + ml.setdefault("reason", "enabled_symlink") + + +def _normalise_common_role(role: dict[str, Any], name: str) -> None: + role.setdefault("role_name", name) + role.setdefault("managed_dirs", []) + role.setdefault("managed_files", []) + role.setdefault("excluded", []) + role.setdefault("notes", []) + for mf in role.get("managed_files") or []: + if isinstance(mf, dict): + _normalise_managed_file(mf) + for md in role.get("managed_dirs") or []: + if isinstance(md, dict): + _normalise_managed_dir(md) + for ml in role.get("managed_links") or []: + if isinstance(ml, dict): + _normalise_managed_link(ml) + for ex in role.get("excluded") or []: + if isinstance(ex, dict) and ex.get("reason") in _VALID_REASON_FALLBACKS: + ex["reason"] = _VALID_REASON_FALLBACKS[ex["reason"]] + + +def make_schema_valid_state(state: dict[str, Any]) -> dict[str, Any]: + """Return a current-schema harvest state from a compact renderer fixture. + + Many renderer tests intentionally build only the fields needed by the + renderer under test. Manifest now validates strictly before rendering, so + those fixtures need current-schema boilerplate too. + """ + + st = copy.deepcopy(state) + st.pop("schema_version", None) + + enroll = st.setdefault("enroll", {}) + enroll.setdefault("version", "0.0.test") + enroll.setdefault("harvest_time", 0) + + host = st.setdefault("host", {}) + host.setdefault("hostname", "testhost") + host.setdefault("os", "unknown") + host.setdefault("pkg_backend", "dpkg") + host.setdefault("os_release", {}) + + inv = st.setdefault("inventory", {}) + inv.setdefault("packages", {}) + for pkg in (inv.get("packages") or {}).values(): + if not isinstance(pkg, dict): + continue + pkg.setdefault("version", None) + pkg.setdefault("arches", []) + installations = pkg.setdefault("installations", []) + for inst in installations: + if isinstance(inst, dict): + inst.setdefault("version", str(pkg.get("version") or "1.0")) + inst.setdefault("arch", "amd64") + observed = pkg.setdefault("observed_via", []) + for ov in observed: + if isinstance(ov, dict) and ov.get("kind") not in { + "user_installed", + "systemd_unit", + "package_role", + "firewall_runtime", + }: + ov["kind"] = "package_role" + ov.setdefault("ref", "package") + pkg.setdefault("roles", []) + + roles = st.setdefault("roles", {}) + for name in _COMMON_ROLES: + cur = roles.get(name) + if not isinstance(cur, dict): + roles[name] = _common_role(name) + else: + _normalise_common_role(cur, name) + + roles.setdefault("services", []) + roles.setdefault("packages", []) + + users = roles.get("users") or {} + users.setdefault("users", []) + for user in users.get("users") or []: + if not isinstance(user, dict): + continue + user.setdefault("uid", 0) + user.setdefault("gid", user.get("uid", 0)) + user.setdefault("gecos", "") + user.setdefault("home", f"/home/{user.get('name', 'user')}") + user.setdefault("shell", "/bin/sh") + user.setdefault("primary_group", user.get("name", "users")) + user.setdefault("supplementary_groups", []) + + extra = roles.get("extra_paths") or {} + extra.setdefault("include_patterns", []) + extra.setdefault("exclude_patterns", []) + extra.setdefault("managed_links", []) + + for svc in roles.get("services") or []: + if not isinstance(svc, dict): + continue + _normalise_common_role(svc, str(svc.get("role_name") or "service_role")) + svc.setdefault("unit", "example.service") + svc.setdefault("packages", []) + svc.setdefault("active_state", None) + svc.setdefault("sub_state", None) + svc.setdefault("unit_file_state", None) + svc.setdefault("condition_result", None) + + for pkg in roles.get("packages") or []: + if not isinstance(pkg, dict): + continue + _normalise_common_role( + pkg, str(pkg.get("role_name") or pkg.get("package") or "package_role") + ) + pkg.setdefault("package", str(pkg.get("role_name") or "package")) + + if isinstance(roles.get("sysctl"), dict): + sysctl = roles["sysctl"] + sysctl.setdefault("role_name", "sysctl") + sysctl.setdefault("managed_files", []) + sysctl.setdefault("parameters", {}) + sysctl.setdefault("notes", []) + sysctl.pop("managed_dirs", None) + sysctl.pop("managed_links", None) + for mf in sysctl.get("managed_files") or []: + if isinstance(mf, dict): + _normalise_managed_file(mf) + + if isinstance(roles.get("firewall_runtime"), dict): + fw = roles["firewall_runtime"] + fw.setdefault("role_name", "firewall_runtime") + fw.setdefault("packages", []) + fw.setdefault("ipset_save", None) + fw.setdefault("ipset_sets", []) + fw.setdefault("iptables_v4_save", None) + fw.setdefault("iptables_v6_save", None) + fw.setdefault("notes", []) + + if isinstance(roles.get("flatpak"), dict): + roles["flatpak"].setdefault("role_name", "flatpak") + if isinstance(roles.get("snap"), dict): + roles["snap"].setdefault("role_name", "snap") + if isinstance(roles.get("container_images"), dict): + ci = roles["container_images"] + ci.setdefault("role_name", "container_images") + ci.setdefault("images", []) + ci.setdefault("notes", []) + for img in ci.get("images") or []: + if not isinstance(img, dict): + continue + img.setdefault("engine", "docker") + img.setdefault("scope", "system") + img.setdefault("user", None) + img.setdefault("home", None) + img.setdefault("image_id", None) + img.setdefault("repo_tags", []) + img.setdefault("repo_digests", []) + img.setdefault("pull_ref", None) + img.setdefault("tag_aliases", []) + img.setdefault("os", None) + img.setdefault("architecture", None) + img.setdefault("variant", None) + img.setdefault("platform", None) + img.setdefault("size", None) + img.setdefault("created", None) + img.setdefault("source", "test") + img.setdefault("notes", []) + + return st + + +def write_schema_state(bundle: Path, state: dict[str, Any]) -> None: + bundle.mkdir(parents=True, exist_ok=True) + (bundle / "state.json").write_text( + json.dumps(make_schema_valid_state(state), indent=2), encoding="utf-8" + ) diff --git a/tests/test_accounts.py b/tests/test_accounts.py index d5cc267..ac12774 100644 --- a/tests/test_accounts.py +++ b/tests/test_accounts.py @@ -141,3 +141,375 @@ def test_collect_non_system_users(monkeypatch, tmp_path: Path): assert u.primary_group == "users" assert u.supplementary_groups == ["admins"] assert u.ssh_files == ["/home/alice/.ssh/authorized_keys"] + + +def test_parse_login_defs_file_not_found(tmp_path: Path): + from enroll.accounts import parse_login_defs + + nonexistent = tmp_path / "nonexistent" / "login.defs" + vals = parse_login_defs(str(nonexistent)) + assert vals == {} + + +def test_parse_login_defs_handles_invalid_numbers(tmp_path: Path): + from enroll.accounts import parse_login_defs + + p = tmp_path / "login.defs" + p.write_text("UID_MIN not_a_number\nUID_MAX 60000\n", encoding="utf-8") + vals = parse_login_defs(str(p)) + assert "UID_MIN" not in vals + assert vals["UID_MAX"] == 60000 + + +def test_parse_group_handles_invalid_gid(tmp_path: Path): + from enroll.accounts import parse_group + + p = tmp_path / "group" + p.write_text( + "valid:x:1000:user1\n" "invalid_gid:x:notanint:user2\n", + encoding="utf-8", + ) + gid_to_name, name_to_gid, members = parse_group(str(p)) + assert 1000 in gid_to_name + assert gid_to_name[1000] == "valid" + assert "invalid_gid" not in name_to_gid + + +def test_parse_group_line_too_short(tmp_path: Path): + from enroll.accounts import parse_group + + p = tmp_path / "group" + p.write_text( + "valid:x:1000:user1\n" "shortline:x:1001\n", + encoding="utf-8", + ) + gid_to_name, name_to_gid, members = parse_group(str(p)) + assert 1000 in gid_to_name + assert 1001 not in gid_to_name + + +def test_is_human_user_filters_by_uid_and_shell(): + from enroll.accounts import is_human_user + + assert is_human_user(1000, "/bin/bash", 1000) is True + assert is_human_user(999, "/bin/bash", 1000) is False + assert is_human_user(1000, "/usr/sbin/nologin", 1000) is False + assert is_human_user(1000, "/usr/bin/nologin", 1000) is False + assert is_human_user(1000, "/bin/false", 1000) is False + assert is_human_user(1000, "", 1000) is True + + +def test_find_user_ssh_files_no_ssh_dir(tmp_path: Path): + from enroll.accounts import find_user_ssh_files + + home = tmp_path / "home" / "user" + home.mkdir(parents=True) + assert find_user_ssh_files(str(home)) == [] + + +def test_find_user_ssh_files_ignores_symlink(tmp_path: Path): + from enroll.accounts import find_user_ssh_files + + home = tmp_path / "home" / "user" + sshdir = home / ".ssh" + sshdir.mkdir(parents=True) + target = sshdir / "real_file" + target.write_text("x", encoding="utf-8") + os.symlink(str(target), str(sshdir / "authorized_keys")) + + result = find_user_ssh_files(str(home)) + assert result == [] + + +def test_find_user_ssh_files_ignores_symlinked_ssh_dir(tmp_path: Path): + """A user who replaces ~/.ssh with a symlink to a sensitive directory must + not have files inside it harvested through the symlinked parent. os.path.isdir + follows symlinks, so the directory itself must be checked with islink(). + """ + + from enroll.accounts import find_user_ssh_files + + sensitive = tmp_path / "sensitive" + sensitive.mkdir() + (sensitive / "authorized_keys").write_text("ssh-rsa AAAA...\n", encoding="utf-8") + + home = tmp_path / "home" / "mallory" + home.mkdir(parents=True) + os.symlink(str(sensitive), str(home / ".ssh")) + + assert find_user_ssh_files(str(home)) == [] + + +def test_find_user_ssh_files_handles_home_not_starting_with_slash(): + from enroll.accounts import find_user_ssh_files + + assert find_user_ssh_files("relative/path") == [] + assert find_user_ssh_files("") == [] + + +def test_collect_non_system_users_skips_nologin_users(tmp_path: Path): + import enroll.accounts as a + + orig_parse_login_defs = a.parse_login_defs + orig_parse_passwd = a.parse_passwd + orig_parse_group = a.parse_group + + passwd = tmp_path / "passwd" + passwd.write_text( + "root:x:0:0:root:/root:/bin/bash\n" + "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n" + "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n" + "sysuser:x:100:100:Sys:/home/sys:/bin/bash\n", + encoding="utf-8", + ) + group = tmp_path / "group" + group.write_text("users:x:1000:alice\n", encoding="utf-8") + defs = tmp_path / "login.defs" + defs.write_text("UID_MIN 1000\n", encoding="utf-8") + + monkeypatch_wrapper = lambda fn, p: lambda path=str(p): fn(path) + + a.parse_login_defs = monkeypatch_wrapper(orig_parse_login_defs, defs) + a.parse_passwd = monkeypatch_wrapper(orig_parse_passwd, passwd) + a.parse_group = monkeypatch_wrapper(orig_parse_group, group) + a.find_user_ssh_files = lambda home: [] + + users = a.collect_non_system_users() + assert [u.name for u in users] == ["alice"] + + +def test_collect_non_system_users_skips_below_uid_min(tmp_path: Path): + import enroll.accounts as a + + orig_parse_login_defs = a.parse_login_defs + orig_parse_passwd = a.parse_passwd + orig_parse_group = a.parse_group + + passwd = tmp_path / "passwd" + passwd.write_text( + "root:x:0:0:root:/root:/bin/bash\n" + "sysuser:x:999:999:Sys:/home/sys:/bin/bash\n" + "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n", + encoding="utf-8", + ) + group = tmp_path / "group" + group.write_text("users:x:1000:alice\n", encoding="utf-8") + defs = tmp_path / "login.defs" + defs.write_text("UID_MIN 1000\n", encoding="utf-8") + + a.parse_login_defs = lambda path=str(defs): orig_parse_login_defs(path) + a.parse_passwd = lambda path=str(passwd): orig_parse_passwd(path) + a.parse_group = lambda path=str(group): orig_parse_group(path) + a.find_user_ssh_files = lambda home: [] + + users = a.collect_non_system_users() + assert [u.name for u in users] == ["alice"] + + +def test_parse_group_handles_empty_lines(tmp_path: Path): + from enroll.accounts import parse_group + + p = tmp_path / "group" + p.write_text( + "valid:x:1000:user1\n" "\n" "another:x:1001:user2\n", + encoding="utf-8", + ) + gid_to_name, name_to_gid, members = parse_group(str(p)) + assert 1000 in gid_to_name + assert 1001 in gid_to_name + + +def test_parse_group_handles_short_lines(tmp_path: Path): + from enroll.accounts import parse_group + + p = tmp_path / "group" + p.write_text( + "valid:x:1000:user1\n" "short:x:1001\n" "another:x:1002:user2\n", + encoding="utf-8", + ) + gid_to_name, name_to_gid, members = parse_group(str(p)) + assert 1000 in gid_to_name + assert 1001 not in gid_to_name # skipped due to short line + assert 1002 in gid_to_name + + +def test_find_flatpaks_in_root_detects_remote_branch_and_arch(tmp_path: Path): + import enroll.accounts as a + + root = tmp_path / "flatpak" + (root / "repo").mkdir(parents=True) + (root / "repo" / "config").write_text( + '[remote "acme"]\nurl=https://flatpak.example/repo/\n', + encoding="utf-8", + ) + ref = ( + root + / "repo" + / "refs" + / "remotes" + / "acme" + / "app" + / "com.example.App" + / "x86_64" + / "stable" + ) + ref.parent.mkdir(parents=True) + ref.write_text("checksum\n", encoding="utf-8") + active = root / "app" / "com.example.App" / "x86_64" / "stable" / "active" + active.mkdir(parents=True) + + remotes = a.find_flatpak_remotes(str(root), method="system") + assert [(r.name, r.url, r.method) for r in remotes] == [ + ("acme", "https://flatpak.example/repo/", "system") + ] + + apps = a._find_flatpaks_in_root(str(root), method="system") + assert len(apps) == 1 + assert apps[0].name == "com.example.App" + assert apps[0].remote == "acme" + assert apps[0].branch == "stable" + assert apps[0].arch == "x86_64" + + +def test_parse_snap_list_output_detects_channel_revision_and_modes(): + import enroll.accounts as a + + output = """Name Version Rev Tracking Publisher Notes +code abc 123 latest/stable vscode✓ classic +mydev 1.0 42 latest/edge example devmode,dangerous +bare 1.0 5 latest/stable canonical✓ base +""" + + snaps = {snap.name: snap for snap in a._parse_snap_list_output(output)} + assert snaps["code"].channel == "latest/stable" + assert snaps["code"].revision == 123 + assert snaps["code"].classic is True + assert snaps["mydev"].devmode is True + assert snaps["mydev"].dangerous is True + assert snaps["bare"].notes == ["base"] + + +def test_parse_flatpak_list_output_detects_system_refs(): + from enroll.accounts import _parse_flatpak_list_output + + output = "\n".join( + [ + "app/org.example.App/x86_64/stable\tflathub\tstable\tx86_64", + "runtime/org.freedesktop.Platform/x86_64/24.08\tflathub\t24.08\tx86_64", + ] + ) + + refs = _parse_flatpak_list_output( + output, method="system", columns=("ref", "origin", "branch", "arch") + ) + + assert [(r.kind, r.name, r.remote, r.branch, r.arch) for r in refs] == [ + ("app", "org.example.App", "flathub", "stable", "x86_64"), + ("runtime", "org.freedesktop.Platform", "flathub", "24.08", "x86_64"), + ] + assert refs[0].source == "flatpak-list" + + +def test_find_system_flatpaks_prefers_flatpak_list(monkeypatch): + import subprocess + import enroll.accounts as a + + calls = [] + + def fake_run(args, **kwargs): + calls.append(args) + if args == ["flatpak", "list", "--columns=help"]: + return subprocess.CompletedProcess( + args, + 0, + stdout="application\norigin\nbranch\narch\n", + stderr="", + ) + return subprocess.CompletedProcess( + args, + 0, + stdout="app/org.example.App/x86_64/stable\tacme\tstable\tx86_64\n", + stderr="", + ) + + monkeypatch.setattr(a.shutil, "which", lambda cmd: "/usr/bin/flatpak") + monkeypatch.setattr(a.subprocess, "run", fake_run) + monkeypatch.setattr( + a, + "_find_flatpaks_in_root", + lambda *args, **kwargs: (_ for _ in ()).throw(AssertionError("fallback used")), + ) + + refs = a.find_system_flatpaks() + + assert calls[0] == ["flatpak", "list", "--columns=help"] + assert calls[1][:3] == ["flatpak", "list", "--system"] + assert refs[0].name == "org.example.App" + assert refs[0].method == "system" + assert refs[0].remote == "acme" + + +def test_parse_flatpak_list_output_detects_application_columns(): + from enroll.accounts import _parse_flatpak_list_output + + output = "org.example.App\tflathub\tstable\tx86_64\n" + refs = _parse_flatpak_list_output( + output, method="system", columns=("application", "origin", "branch", "arch") + ) + + assert len(refs) == 1 + assert refs[0].name == "org.example.App" + assert refs[0].kind is None + assert refs[0].remote == "flathub" + assert refs[0].branch == "stable" + assert refs[0].arch == "x86_64" + + +def test_parse_plain_flatpak_list_output_like_default_table(): + from enroll.accounts import _parse_flatpak_list_output + + output = """Name Application ID Version Branch Installation +Mesa org.freedesktop.Platform.GL.default 26.0.6 25.08 system +Mesa (Extra) org.freedesktop.Platform.GL.default 26.0.6 25.08-extra system +Codecs Extra Extension org.freedesktop.Platform.codecs-extra 25.08-extra system +KDE Application Platform org.kde.Platform 6.10 system +OnionShare org.onionshare.OnionShare 2.6.4 stable system +""" + + refs = _parse_flatpak_list_output(output, method="system", columns=None) + by_name_branch = {(r.name, r.branch) for r in refs} + + assert ("org.onionshare.OnionShare", "stable") in by_name_branch + assert ("org.freedesktop.Platform.GL.default", "25.08") in by_name_branch + assert ("org.freedesktop.Platform.GL.default", "25.08-extra") in by_name_branch + assert ("org.kde.Platform", "6.10") in by_name_branch + + +def test_parse_flatpak_columns_help_handles_description_table(): + from enroll.accounts import _parse_flatpak_columns_help + + output = """ +Available columns: + application The application ID + branch The branch + installation The installation +""" + + assert _parse_flatpak_columns_help(output) >= { + "application", + "branch", + "installation", + } + + +def test_flatpak_list_attempts_respect_supported_columns(): + from enroll.accounts import _flatpak_list_attempts + + attempts = _flatpak_list_attempts( + "--system", {"application", "branch", "installation"} + ) + command_strings = [" ".join(args) for args, _columns in attempts] + + assert any("--columns=application,branch" in cmd for cmd in command_strings) + assert not any("origin" in cmd for cmd in command_strings) + assert command_strings[-1] == "flatpak list --system" diff --git a/tests/test_cache_security.py b/tests/test_cache_security.py index 9f31587..a1b7622 100644 --- a/tests/test_cache_security.py +++ b/tests/test_cache_security.py @@ -31,3 +31,108 @@ def test_ensure_dir_secure_ignores_chmod_failures(tmp_path: Path, monkeypatch): # Should not raise. _ensure_dir_secure(d) assert d.exists() and d.is_dir() + + +def test_safe_component_returns_unknown_for_empty_string(): + from enroll.cache import _safe_component + + assert _safe_component("") == "unknown" + assert _safe_component(" ") == "unknown" + + +def test_safe_component_truncates_long_strings(): + from enroll.cache import _safe_component + + long_str = "a" * 100 + result = _safe_component(long_str) + assert len(result) <= 64 + + +def test_safe_component_replaces_special_chars(): + from enroll.cache import _safe_component + + result = _safe_component("hello world!") + assert result == "hello_world_" + + +def test_enroll_cache_dir_uses_xdg_cache_home(monkeypatch): + from enroll.cache import enroll_cache_dir + + monkeypatch.setenv("XDG_CACHE_HOME", "/custom/cache") + result = enroll_cache_dir() + assert str(result) == "/custom/cache/enroll" + + +def test_harvest_cache_state_json_property(): + from enroll.cache import HarvestCache + + cache_dir = HarvestCache(dir=Path("/tmp/test")) + assert cache_dir.state_json == Path("/tmp/test/state.json") + + +def test_new_harvest_cache_dir_chmod_fails(tmp_path: Path, monkeypatch): + from enroll.cache import new_harvest_cache_dir + + def fake_enroll_cache_dir(): + return tmp_path / "enroll" + + def fake_chmod(path, mode): + raise OSError("no") + + monkeypatch.setattr("enroll.cache.enroll_cache_dir", fake_enroll_cache_dir) + monkeypatch.setattr(os, "chmod", fake_chmod) + + # Should not raise even though chmod fails + cache = new_harvest_cache_dir(hint="test") + assert cache.dir.exists() + assert isinstance(cache.dir, Path) + + +def test_enroll_cache_dir_uses_default_when_xdg_not_set(monkeypatch): + from enroll.cache import enroll_cache_dir + + # Remove XDG_CACHE_HOME if it exists + monkeypatch.delenv("XDG_CACHE_HOME", raising=False) + result = enroll_cache_dir() + assert str(result).endswith("/.local/cache/enroll") + + +def test_ensure_dir_secure_refuses_symlink_parent(tmp_path: Path): + from enroll.cache import _ensure_dir_secure + + target = tmp_path / "target" + target.mkdir() + link = tmp_path / "link" + link.symlink_to(target, target_is_directory=True) + + with pytest.raises(RuntimeError, match="symlink"): + _ensure_dir_secure(link / "enroll" / "harvest") + + assert not (target / "enroll" / "harvest").exists() + + +def test_ensure_dir_secure_rejects_unsafe_root_parent(tmp_path: Path, monkeypatch): + from enroll.cache import _ensure_dir_secure + import enroll.harvest_safety as hs + + untrusted = tmp_path / "untrusted" + untrusted.mkdir() + untrusted.chmod(0o777) + + monkeypatch.setattr(hs, "_effective_uid", lambda: 0) + with pytest.raises(RuntimeError, match="not owned by root|writable by group/other"): + _ensure_dir_secure(untrusted / "cache") + + +def test_ensure_dir_secure_rejects_existing_file_when_not_root( + tmp_path: Path, monkeypatch +): + from enroll.cache import _ensure_dir_secure + import enroll.harvest_safety as hs + + path = tmp_path / "cache" + path.write_text("not a dir", encoding="utf-8") + + monkeypatch.setattr(hs, "_effective_uid", lambda: 1000) + with pytest.raises(RuntimeError, match="not a directory"): + _ensure_dir_secure(path) diff --git a/tests/test_cli.py b/tests/test_cli.py index dcdb6a7..86524c0 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -47,6 +47,8 @@ def test_cli_manifest_subcommand_calls_manifest(monkeypatch, tmp_path): # Common manifest args should be passed through by the CLI. called["fqdn"] = kwargs.get("fqdn") called["jinjaturtle"] = kwargs.get("jinjaturtle") + called["no_common_roles"] = kwargs.get("no_common_roles") + called["target"] = kwargs.get("target") monkeypatch.setattr(cli, "manifest", fake_manifest) monkeypatch.setattr( @@ -67,6 +69,125 @@ def test_cli_manifest_subcommand_calls_manifest(monkeypatch, tmp_path): assert called["out"] == str(tmp_path / "ansible") assert called["fqdn"] is None assert called["jinjaturtle"] == "auto" + assert called["no_common_roles"] is False + assert called["target"] == "ansible" + + +def test_cli_force_unsafe_path_before_subcommand_reaches_guard(monkeypatch, tmp_path): + seen = {} + + def fake_confirm(*, force: bool = False) -> None: + seen["force"] = force + + def fake_manifest(_harvest_dir: str, _out_dir: str, **_kwargs): + return None + + monkeypatch.setattr(cli, "_confirm_root_path_safety", fake_confirm) + monkeypatch.setattr(cli, "manifest", fake_manifest) + monkeypatch.setattr( + sys, + "argv", + [ + "enroll", + "--assume-safe-path", + "manifest", + "--harvest", + str(tmp_path / "bundle"), + "--out", + str(tmp_path / "ansible"), + ], + ) + + cli.main() + assert seen["force"] is True + + +def test_cli_force_unsafe_path_after_subcommand_reaches_guard(monkeypatch, tmp_path): + seen = {} + + def fake_confirm(*, force: bool = False) -> None: + seen["force"] = force + + def fake_manifest(_harvest_dir: str, _out_dir: str, **_kwargs): + return None + + monkeypatch.setattr(cli, "_confirm_root_path_safety", fake_confirm) + monkeypatch.setattr(cli, "manifest", fake_manifest) + monkeypatch.setattr( + sys, + "argv", + [ + "enroll", + "manifest", + "--assume-safe-path", + "--harvest", + str(tmp_path / "bundle"), + "--out", + str(tmp_path / "ansible"), + ], + ) + + cli.main() + assert seen["force"] is True + + +def test_cli_manifest_target_puppet_is_forwarded(monkeypatch, tmp_path): + called = {} + + def fake_manifest(harvest_dir: str, out_dir: str, **kwargs): + called["harvest"] = harvest_dir + called["out"] = out_dir + called["target"] = kwargs.get("target") + + monkeypatch.setattr(cli, "manifest", fake_manifest) + monkeypatch.setattr( + sys, + "argv", + [ + "enroll", + "manifest", + "--harvest", + str(tmp_path / "bundle"), + "--out", + str(tmp_path / "puppet"), + "--target", + "puppet", + ], + ) + + cli.main() + assert called["harvest"] == str(tmp_path / "bundle") + assert called["out"] == str(tmp_path / "puppet") + assert called["target"] == "puppet" + + +def test_cli_manifest_no_common_roles_is_forwarded(monkeypatch, tmp_path): + called = {} + + def fake_manifest(harvest_dir: str, out_dir: str, **kwargs): + called["harvest"] = harvest_dir + called["out"] = out_dir + called["no_common_roles"] = kwargs.get("no_common_roles") + + monkeypatch.setattr(cli, "manifest", fake_manifest) + monkeypatch.setattr( + sys, + "argv", + [ + "enroll", + "manifest", + "--harvest", + str(tmp_path / "bundle"), + "--out", + str(tmp_path / "ansible"), + "--no-common-roles", + ], + ) + + cli.main() + assert called["harvest"] == str(tmp_path / "bundle") + assert called["out"] == str(tmp_path / "ansible") + assert called["no_common_roles"] is True def test_cli_enroll_subcommand_runs_harvest_then_manifest(monkeypatch, tmp_path): diff --git a/tests/test_cli_config_and_sops.py b/tests/test_cli_config_and_sops.py index 7e3fe5b..958183d 100644 --- a/tests/test_cli_config_and_sops.py +++ b/tests/test_cli_config_and_sops.py @@ -23,10 +23,10 @@ def test_discover_config_path_precedence(monkeypatch, tmp_path: Path): assert _discover_config_path(["harvest"]) == cfg -def test_discover_config_path_finds_local_and_xdg(monkeypatch, tmp_path: Path): +def test_discover_config_path_ignores_local_and_finds_xdg(monkeypatch, tmp_path: Path): from enroll.cli import _discover_config_path - # local file in cwd + # local files in cwd are deliberately ignored unless passed via --config cwd = tmp_path / "cwd" cwd.mkdir() local = cwd / "enroll.ini" @@ -35,7 +35,8 @@ def test_discover_config_path_finds_local_and_xdg(monkeypatch, tmp_path: Path): monkeypatch.chdir(cwd) monkeypatch.delenv("ENROLL_CONFIG", raising=False) monkeypatch.delenv("XDG_CONFIG_HOME", raising=False) - assert _discover_config_path(["harvest"]) == local + assert _discover_config_path(["harvest"]) is None + assert _discover_config_path(["--config", str(local), "harvest"]) == local # xdg config fallback monkeypatch.chdir(tmp_path) diff --git a/tests/test_cli_helpers.py b/tests/test_cli_helpers.py index 264ff85..b749597 100644 --- a/tests/test_cli_helpers.py +++ b/tests/test_cli_helpers.py @@ -2,13 +2,14 @@ from __future__ import annotations import argparse import configparser +import os import types import textwrap from pathlib import Path def test_discover_config_path_precedence(tmp_path: Path, monkeypatch): - """_discover_config_path: --config > ENROLL_CONFIG > ./enroll.ini > XDG.""" + """_discover_config_path: --config > ENROLL_CONFIG > XDG.""" from enroll.cli import _discover_config_path cfg1 = tmp_path / "one.ini" @@ -27,14 +28,14 @@ def test_discover_config_path_precedence(tmp_path: Path, monkeypatch): monkeypatch.setenv("ENROLL_CONFIG", str(cfg2)) assert _discover_config_path([]) == cfg2 - # Local ./enroll.ini fallback. + # Local ./enroll.ini is ignored unless passed explicitly. monkeypatch.delenv("ENROLL_CONFIG", raising=False) local = tmp_path / "enroll.ini" local.write_text("[enroll]\n", encoding="utf-8") - assert _discover_config_path([]) == local + assert _discover_config_path([]) is None + assert _discover_config_path(["--config", str(local)]) == local # XDG fallback. - local.unlink() xdg = tmp_path / "xdg" cfg3 = xdg / "enroll" / "enroll.ini" cfg3.parent.mkdir(parents=True) @@ -175,3 +176,87 @@ def test_resolve_sops_out_file(tmp_path: Path, monkeypatch): cli._resolve_sops_out_file(out=None, hint="bundle.tar.gz") == fake_cache.dir / "harvest.tar.gz.sops" ) + + +def test_unsafe_root_path_reasons_flags_current_and_writable_dirs(tmp_path: Path): + from enroll.cli import _unsafe_root_path_reasons + + group_writable = tmp_path / "group-writable" + world_writable = tmp_path / "world-writable" + safe = tmp_path / "safe" + group_writable.mkdir() + world_writable.mkdir() + safe.mkdir() + group_writable.chmod(0o775) + world_writable.chmod(0o777) + safe.chmod(0o755) + + reasons = _unsafe_root_path_reasons( + os.pathsep.join( + [ + "", + ".", + "relative-bin", + str(group_writable), + str(world_writable), + str(safe), + ] + ) + ) + + text = "\n".join(reasons) + assert ": empty PATH entry" in text + assert "'.' resolves" in text + assert "relative-bin: relative PATH entry" in text + assert f"{group_writable}: directory is group-writable" in text + assert f"{world_writable}: directory is world-writable" in text + assert str(safe) not in text + + +def test_confirm_root_path_safety_refuses_noninteractive(monkeypatch): + from enroll import cli + + monkeypatch.setattr(cli, "_is_effective_root", lambda: True) + monkeypatch.setattr( + cli, + "_unsafe_root_path_reasons", + lambda path_value=None: [".: '.' resolves to the current directory"], + ) + monkeypatch.setattr(cli.sys.stdin, "isatty", lambda: False) + + try: + cli._confirm_root_path_safety(force=False) + except SystemExit as e: + assert "--assume-safe-path" in str(e) + else: # pragma: no cover - defensive assertion path + raise AssertionError("expected SystemExit") + + +def test_confirm_root_path_safety_force_skips_prompt(monkeypatch): + from enroll import cli + + monkeypatch.setattr(cli, "_is_effective_root", lambda: True) + monkeypatch.setattr( + cli, + "_unsafe_root_path_reasons", + lambda path_value=None: [".: '.' resolves to the current directory"], + ) + + cli._confirm_root_path_safety(force=True) + + +def test_unsafe_root_path_reasons_flags_non_root_owned_dir(tmp_path: Path, monkeypatch): + from enroll import cli + + non_root_owned = tmp_path / "user-bin" + non_root_owned.mkdir() + if hasattr(os, "geteuid") and os.geteuid() == 0: + try: + os.chown(non_root_owned, 65534, -1) + except OSError: + pass + + monkeypatch.setattr(cli, "_is_effective_root", lambda: True) + reasons = cli._unsafe_root_path_reasons(str(non_root_owned)) + + assert any("not owned by root" in reason for reason in reasons) diff --git a/tests/test_cm.py b/tests/test_cm.py new file mode 100644 index 0000000..94b0431 --- /dev/null +++ b/tests/test_cm.py @@ -0,0 +1,107 @@ +from __future__ import annotations + +from enroll.cm import CMModule, resolve_catalog_conflicts + + +def test_resolve_catalog_conflicts_dedupes_before_rendering(): + first = CMModule(role_name="admin", module_name="admin") + first.packages.add("curl") + first.dirs["/etc/default"] = {"owner": "root"} + first.files["/etc/foo.conf"] = {"owner": "root"} + + second = CMModule(role_name="misc", module_name="misc") + second.packages.add("curl") + second.dirs["/etc/default"] = {"owner": "root"} + second.dirs["/etc/foo.conf"] = {"owner": "root"} + second.files["/etc/foo.conf"] = {"owner": "root"} + + resolve_catalog_conflicts([first, second]) + + assert first.packages == {"curl"} + assert "/etc/default" in first.dirs + assert "/etc/foo.conf" in first.files + + assert second.packages == set() + assert second.dirs == {} + assert second.files == {} + assert any("duplicate Package[curl]" in note for note in second.notes) + assert any("duplicate File[/etc/default]" in note for note in second.notes) + assert any("a file or link with the same path" in note for note in second.notes) + + +def test_cm_module_uses_shared_state_io(tmp_path): + state = {"roles": {"packages": []}} + + written = CMModule.write_state(tmp_path, state) + + assert written == tmp_path / "state.json" + assert CMModule.state_path(tmp_path) == written + assert CMModule.load_state(tmp_path) == state + assert CMModule._load_state(tmp_path) == state + + +def test_active_service_units_for_package_snapshot_is_conservative(): + entries = [ + { + "kind": "service", + "snapshot": { + "unit": "docker.service", + "role_name": "docker", + "packages": ["docker.io"], + "active_state": "active", + }, + }, + { + "kind": "service", + "snapshot": { + "unit": "docker-cleanup.service", + "role_name": "docker_cleanup", + "packages": ["docker.io"], + "active_state": "inactive", + }, + }, + ] + + by_package = CMModule.active_service_units_by_package(entries) + + assert by_package == { + "docker.io": [{"unit": "docker.service", "role_name": "docker"}] + } + assert CMModule.active_service_units_for_package_snapshot( + {"package": "docker.io", "role_name": "docker"}, by_package + ) == ["docker.service"] + + +def test_active_service_units_for_package_snapshot_avoids_ambiguous_restarts(): + entries = [ + { + "kind": "service", + "snapshot": { + "unit": "alpha.service", + "role_name": "alpha", + "packages": ["shared"], + "active_state": "active", + }, + }, + { + "kind": "service", + "snapshot": { + "unit": "beta.service", + "role_name": "beta", + "packages": ["shared"], + "active_state": "active", + }, + }, + ] + + by_package = CMModule.active_service_units_by_package(entries) + + assert ( + CMModule.active_service_units_for_package_snapshot( + {"package": "shared", "role_name": "shared"}, by_package + ) + == [] + ) + assert CMModule.active_service_units_for_package_snapshot( + {"package": "shared", "role_name": "beta"}, by_package + ) == ["beta.service"] diff --git a/tests/test_debian.py b/tests/test_debian.py index abad361..40e94f5 100644 --- a/tests/test_debian.py +++ b/tests/test_debian.py @@ -1,6 +1,7 @@ from __future__ import annotations from pathlib import Path +import pytest def test_dpkg_owner_parses_output(monkeypatch): @@ -96,3 +97,448 @@ def test_parse_status_conffiles_handles_continuations(tmp_path: Path): assert m["nginx"]["/etc/nginx/nginx.conf"] == "abcdef" assert m["nginx"]["/etc/nginx/mime.types"] == "123456" assert "other" not in m + + +def test_dpkg_owner_returns_none_on_diversion_only(monkeypatch): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + def fake_run(cmd, text, capture_output): + return P(0, "diversion by foo from: /etc/something\n") + + monkeypatch.setattr(d.subprocess, "run", fake_run) + assert d.dpkg_owner("/etc/something") is None + + +def test_dpkg_owner_handles_line_without_colon(monkeypatch): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + def fake_run(cmd, text, capture_output): + return P(0, "invalid line without colon\n") + + monkeypatch.setattr(d.subprocess, "run", fake_run) + assert d.dpkg_owner("/etc/foo") is None + + +def test_list_manual_packages_returns_empty_on_error(monkeypatch): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + def fake_run(cmd, text, capture_output): + return P(1, "error") + + monkeypatch.setattr(d.subprocess, "run", fake_run) + assert d.list_manual_packages() == [] + + +def test_list_installed_packages_handles_exception(monkeypatch): + import enroll.debian as d + + def fake_run(*args, **kwargs): + raise Exception("simulated error") + + monkeypatch.setattr(d.subprocess, "run", fake_run) + assert d.list_installed_packages() == {} + + +def test_list_installed_packages_parses_output(): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + original_run = d.subprocess.run + + def fake_run(cmd, text, capture_output, check): + return P(0, "nginx\t1.18.0\tamd64\tweb\nvim\t8.2\tamd64\teditors\n") + + d.subprocess.run = fake_run + try: + result = d.list_installed_packages() + assert "nginx" in result + assert result["nginx"][0]["version"] == "1.18.0" + assert result["nginx"][0]["arch"] == "amd64" + assert result["nginx"][0]["section"] == "web" + assert "vim" in result + finally: + d.subprocess.run = original_run + + +def test_list_installed_packages_skips_invalid_lines(): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + original_run = d.subprocess.run + + def fake_run(cmd, text, capture_output, check): + return P(0, "nginx\t1.18.0\tamd64\ninvalid_line\n\t1.0\tamd64\n") + + d.subprocess.run = fake_run + try: + result = d.list_installed_packages() + assert "nginx" in result + assert "invalid_line" not in result + finally: + d.subprocess.run = original_run + + +def test_list_installed_packages_handles_empty_name(): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + original_run = d.subprocess.run + + def fake_run(cmd, text, capture_output, check): + return P(0, "\t1.0\tamd64\nnginx\t1.18.0\tamd64\n") + + d.subprocess.run = fake_run + try: + result = d.list_installed_packages() + assert "" not in result + assert "nginx" in result + finally: + d.subprocess.run = original_run + + +def test_list_installed_packages_sorts_output(): + import enroll.debian as d + + class P: + def __init__(self, rc: int, out: str): + self.returncode = rc + self.stdout = out + self.stderr = "" + + original_run = d.subprocess.run + + def fake_run(cmd, text, capture_output, check): + return P(0, "nginx\t1.18.0\tamd64\nnginx\t1.19.0\tarm64\n") + + d.subprocess.run = fake_run + try: + result = d.list_installed_packages() + assert len(result["nginx"]) == 2 + assert result["nginx"][0]["arch"] == "amd64" + assert result["nginx"][1]["arch"] == "arm64" + finally: + d.subprocess.run = original_run + + +def test_build_dpkg_etc_index_handles_missing_file(tmp_path: Path): + import enroll.debian as d + + info = tmp_path / "info" + info.mkdir() + # Don't create any .list files + + owned, owner_map, topdir_to_pkgs, pkg_to_etc = d.build_dpkg_etc_index(str(info)) + assert owned == set() + assert owner_map == {} + assert topdir_to_pkgs == {} + assert pkg_to_etc == {} + + +def test_build_dpkg_etc_index_skips_non_etc_paths(tmp_path: Path): + import enroll.debian as d + + info = tmp_path / "info" + info.mkdir() + (info / "foo.list").write_text("/usr/bin/foo\n/etc/bar\n", encoding="utf-8") + + owned, owner_map, topdir_to_pkgs, pkg_to_etc = d.build_dpkg_etc_index(str(info)) + assert "/usr/bin/foo" not in owned + assert "/etc/bar" in owned + assert "foo" not in topdir_to_pkgs + + +def test_parse_status_conffiles_handles_missing_status(tmp_path: Path): + import enroll.debian as d + + assert d.parse_status_conffiles(str(tmp_path / "missing-status")) == {} + + +def test_parse_status_conffiles_handles_empty_status(tmp_path: Path): + import enroll.debian as d + + status = tmp_path / "status" + status.write_text("", encoding="utf-8") + m = d.parse_status_conffiles(str(status)) + assert m == {} + + +def test_parse_status_conffiles_handles_package_without_conffiles(tmp_path: Path): + import enroll.debian as d + + status = tmp_path / "status" + status.write_text( + "Package: nginx\nVersion: 1\nStatus: install ok installed\n", + encoding="utf-8", + ) + m = d.parse_status_conffiles(str(status)) + assert m == {} + + +def test_read_pkg_md5sums_returns_empty_if_file_not_exists(tmp_path: Path): + import enroll.debian as d + + result = d.read_pkg_md5sums("nonexistent_package") + assert result == {} + + +def test_read_pkg_md5sums_parses_md5sums_file(tmp_path: Path, monkeypatch): + import enroll.debian as d + + info_dir = tmp_path / "info" + info_dir.mkdir() + md5_file = info_dir / "nginx.md5sums" + md5_file.write_text( + "abcdef1234567890abcdef1234567890 etc/nginx/nginx.conf\n" + "1234567890abcdef1234567890abcdef etc/nginx/sites-enabled/default\n", + encoding="utf-8", + ) + + def fake_exists(path): + return str(path).endswith("nginx.md5sums") + + monkeypatch.setattr(d.os.path, "exists", fake_exists) + + original_open = open + + def fake_open(path, *args, **kwargs): + if "nginx.md5sums" in str(path): + return original_open(md5_file, *args, **kwargs) + return original_open(path, *args, **kwargs) + + monkeypatch.setattr("builtins.open", fake_open, raising=False) + + result = d.read_pkg_md5sums("nginx") + assert result["etc/nginx/nginx.conf"] == "abcdef1234567890abcdef1234567890" + assert ( + result["etc/nginx/sites-enabled/default"] == "1234567890abcdef1234567890abcdef" + ) + + +def test_dpkg_owner_raises_on_command_failure(monkeypatch): + """Test _run raises RuntimeError on non-zero exit.""" + import enroll.debian as d + + class P: + returncode = 1 + stdout = "" + stderr = "command failed" + + def fake_run(cmd, text, capture_output, check=False): + return P() + + monkeypatch.setattr(d.subprocess, "run", fake_run) + + with pytest.raises(RuntimeError) as exc_info: + d._run(["fake", "command"]) + + assert "Command failed" in str(exc_info.value) + assert "fake" in str(exc_info.value) + + +def test_build_dpkg_etc_index_skips_invalid_line_formats(tmp_path: Path): + """Test that lines with less than 3 parts are skipped.""" + import enroll.debian as d + + info = tmp_path / "info" + info.mkdir() + # Create a .list file with invalid format (missing tab-separated fields) + (info / "foo.list").write_text( + "/etc/foo/bar\n" # This is a path, not a tab-separated line + "/etc/foo/baz\n", + encoding="utf-8", + ) + + # Should handle gracefully + owned, owner_map, topdir_to_pkgs, pkg_to_etc = d.build_dpkg_etc_index(str(info)) + # The path lines should be processed normally + assert "/etc/foo/bar" in owned or "/etc/foo/baz" in owned + + +def test_build_dpkg_etc_index_handles_file_not_found(tmp_path: Path): + """Test that FileNotFoundError is handled gracefully.""" + import enroll.debian as d + + info = tmp_path / "info" + info.mkdir() + # Create a .list file that references a non-existent path + (info / "foo.list").write_text( + "/nonexistent/path\n", + encoding="utf-8", + ) + + # Should not raise + owned, owner_map, topdir_to_pkgs, pkg_to_etc = d.build_dpkg_etc_index(str(info)) + # The non-existent path should be skipped + assert "/nonexistent/path" not in owned + + +def test_parse_status_conffiles_skips_empty_lines(tmp_path: Path): + """Test that empty lines in conffiles are skipped.""" + import enroll.debian as d + + status = tmp_path / "status" + status.write_text( + "Package: nginx\n" + "Version: 1\n" + "Conffiles:\n" + " /etc/nginx/nginx.conf abcdef\n" + " /etc/nginx/mime.types 123456\n" + "\n", # Empty line to trigger flush + encoding="utf-8", + ) + + m = d.parse_status_conffiles(str(status)) + assert "/etc/nginx/nginx.conf" in m["nginx"] + assert "/etc/nginx/mime.types" in m["nginx"] + + +def test_read_pkg_md5sums_skips_invalid_md5_lines(tmp_path: Path, monkeypatch): + """Test that lines without proper MD5 format are skipped.""" + import enroll.debian as d + + info_dir = tmp_path / "info" + info_dir.mkdir() + md5_file = info_dir / "foo.md5sums" + md5_file.write_text( + "abcdef1234567890abcdef1234567890 etc/foo/bar\n" + "invalid line without proper format\n" + "1234567890abcdef1234567890abcdef etc/foo/baz\n", + encoding="utf-8", + ) + + def fake_exists(path): + return str(path).endswith("foo.md5sums") + + monkeypatch.setattr(d.os.path, "exists", fake_exists) + + original_open = open + + def fake_open(path, *args, **kwargs): + if "foo.md5sums" in str(path): + return original_open(md5_file, *args, **kwargs) + return original_open(path, *args, **kwargs) + + monkeypatch.setattr("builtins.open", fake_open, raising=False) + + result = d.read_pkg_md5sums("foo") + assert "etc/foo/bar" in result + assert "etc/foo/baz" in result + + +def test_build_dpkg_etc_index_skips_lines_without_tabs(tmp_path: Path): + """Test that lines without tab separators are skipped (parts < 3).""" + import enroll.debian as d + + info = tmp_path / "info" + info.mkdir() + # Create file with lines that don't have tab separators + (info / "foo.list").write_text( + "notabseparator\n" # No tab - should be skipped + "/etc/foo/bar\n", # This is a path line, processed differently + encoding="utf-8", + ) + + owned, owner_map, topdir_to_pkgs, pkg_to_etc = d.build_dpkg_etc_index(str(info)) + # Path lines are still processed + assert "/etc/foo/bar" in owned + + +def test_read_pkg_md5sums_skips_empty_lines(tmp_path: Path, monkeypatch): + """Test that empty lines in md5sums are skipped.""" + import enroll.debian as d + + info_dir = tmp_path / "info" + info_dir.mkdir() + md5_file = info_dir / "bar.md5sums" + md5_file.write_text( + "abcdef1234567890abcdef1234567890 etc/bar/file1\n" + "\n" # Empty line + "1234567890abcdef1234567890abcdef etc/bar/file2\n", + encoding="utf-8", + ) + + def fake_exists(path): + return str(path).endswith("bar.md5sums") + + monkeypatch.setattr(d.os.path, "exists", fake_exists) + + original_open = open + + def fake_open(path, *args, **kwargs): + if "bar.md5sums" in str(path): + return original_open(md5_file, *args, **kwargs) + return original_open(path, *args, **kwargs) + + monkeypatch.setattr("builtins.open", fake_open, raising=False) + + result = d.read_pkg_md5sums("bar") + assert "etc/bar/file1" in result + assert "etc/bar/file2" in result + + +def test_read_pkg_md5sums_skips_lines_not_starting_with_path( + tmp_path: Path, monkeypatch +): + """Test that lines not starting with / are skipped.""" + import enroll.debian as d + + info_dir = tmp_path / "info" + info_dir.mkdir() + md5_file = info_dir / "baz.md5sums" + md5_file.write_text( + "abcdef1234567890abcdef1234567890 etc/baz/file1\n" + "invalid line\n" # Doesn't start with / + "1234567890abcdef1234567890abcdef etc/baz/file2\n", + encoding="utf-8", + ) + + def fake_exists(path): + return str(path).endswith("baz.md5sums") + + monkeypatch.setattr(d.os.path, "exists", fake_exists) + + original_open = open + + def fake_open(path, *args, **kwargs): + if "baz.md5sums" in str(path): + return original_open(md5_file, *args, **kwargs) + return original_open(path, *args, **kwargs) + + monkeypatch.setattr("builtins.open", fake_open, raising=False) + + result = d.read_pkg_md5sums("baz") + assert "etc/baz/file1" in result + assert "etc/baz/file2" in result diff --git a/tests/test_diff_bundle.py b/tests/test_diff_bundle.py index 66ef094..f8c7a3b 100644 --- a/tests/test_diff_bundle.py +++ b/tests/test_diff_bundle.py @@ -6,6 +6,15 @@ from pathlib import Path import pytest +from enroll.diff import ( + _Spinner, + _enforcement_plan, + has_enforceable_drift, + _role_tag, + _utc_now_iso, + _report_markdown, +) + def _make_bundle_dir(tmp_path: Path) -> Path: b = tmp_path / "bundle" @@ -87,3 +96,1326 @@ def test_bundle_from_input_missing_path(tmp_path: Path): with pytest.raises(RuntimeError, match="not found"): d._bundle_from_input(str(tmp_path / "nope"), sops_mode=False) + + +import json +import sys + + +from enroll.diff import ( + _bundle_from_input, + _file_index, + _iter_managed_files, + _load_state, + _pkg_version_display, + _pkg_version_key, + _progress_enabled, + _roles, + _service_units, + _sha256, + _users_by_name, + compare_harvests, +) +from enroll.sopsutil import SopsError + + +def test_progress_enabled_when_tty(monkeypatch): + monkeypatch.setattr(sys.stderr, "isatty", lambda: True) + monkeypatch.delenv("ENROLL_NO_PROGRESS", raising=False) + assert _progress_enabled() is True + + +def test_progress_enabled_when_not_tty(monkeypatch): + monkeypatch.setattr(sys.stderr, "isatty", lambda: False) + monkeypatch.delenv("ENROLL_NO_PROGRESS", raising=False) + assert _progress_enabled() is False + + +def test_progress_enabled_with_env_var(monkeypatch): + monkeypatch.setattr(sys.stderr, "isatty", lambda: True) + monkeypatch.setenv("ENROLL_NO_PROGRESS", "1") + assert _progress_enabled() is False + + monkeypatch.setenv("ENROLL_NO_PROGRESS", "true") + assert _progress_enabled() is False + + monkeypatch.setenv("ENROLL_NO_PROGRESS", "yes") + assert _progress_enabled() is False + + +def test_sha256(tmp_path: Path): + test_file = tmp_path / "test.txt" + test_file.write_text("hello world", encoding="utf-8") + hash_result = _sha256(test_file) + assert len(hash_result) == 64 + + +def test_sha256_empty_file(tmp_path: Path): + test_file = tmp_path / "empty.txt" + test_file.write_bytes(b"") + hash_result = _sha256(test_file) + assert ( + hash_result + == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + ) + + +def test_bundle_from_input_directory(tmp_path: Path): + result = _bundle_from_input(str(tmp_path), sops_mode=False) + assert result.dir == tmp_path + assert result.tempdir is None + + +def test_bundle_from_input_state_json_path(tmp_path: Path): + state_file = tmp_path / "state.json" + state_file.write_text("{}", encoding="utf-8") + result = _bundle_from_input(str(state_file), sops_mode=False) + assert result.dir == tmp_path + assert result.tempdir is None + + +def test_bundle_from_input_not_found(): + with pytest.raises(RuntimeError) as exc_info: + _bundle_from_input("/nonexistent/path", sops_mode=False) + assert "not found" in str(exc_info.value).lower() + + +def test_bundle_from_input_tarball(tmp_path: Path): + bundle_dir = tmp_path / "bundle" + bundle_dir.mkdir() + state_file = bundle_dir / "state.json" + state_file.write_text("{}", encoding="utf-8") + + tar_path = tmp_path / "bundle.tar.gz" + with tarfile.open(tar_path, "w:gz") as tf: + tf.add(bundle_dir, arcname="bundle") + + result = _bundle_from_input(str(tar_path), sops_mode=False) + assert result.dir.exists() + assert result.tempdir is not None + result.tempdir.cleanup() + + +def test_bundle_from_input_invalid_type(tmp_path: Path): + test_file = tmp_path / "test.txt" + test_file.write_text("not a bundle", encoding="utf-8") + + with pytest.raises(RuntimeError) as exc_info: + _bundle_from_input(str(test_file), sops_mode=False) + assert "not a directory" in str(exc_info.value).lower() + + +def test_load_state(tmp_path: Path): + state_file = tmp_path / "state.json" + state_file.write_text('{"host": {"hostname": "test"}}', encoding="utf-8") + result = _load_state(tmp_path) + assert result["host"]["hostname"] == "test" + + +def test_roles_with_roles(): + state = {"roles": {"users": {}, "services": []}} + result = _roles(state) + assert "users" in result + + +def test_service_units_empty(): + assert _service_units({}) == {} + + +def test_service_units_with_services(): + state = { + "roles": { + "services": [ + {"unit": "nginx.service", "active_state": "active"}, + {"unit": "ssh.service", "active_state": "inactive"}, + ] + } + } + result = _service_units(state) + assert "nginx.service" in result + assert "ssh.service" in result + assert result["nginx.service"]["active_state"] == "active" + + +def test_users_by_name_empty(): + assert _users_by_name({}) == {} + + +def test_users_by_name_with_users(): + state = { + "roles": { + "users": { + "users": [ + {"name": "alice", "uid": 1000}, + {"name": "bob", "uid": 1001}, + ] + } + } + } + result = _users_by_name(state) + assert "alice" in result + assert "bob" in result + assert result["alice"]["uid"] == 1000 + + +def test_pkg_version_key_with_version(): + entry = {"version": "1.2.3"} + assert _pkg_version_key(entry) == "1.2.3" + + +def test_pkg_version_key_with_installations(): + entry = { + "installations": [ + {"arch": "x86_64", "version": "1.2.3"}, + {"arch": "aarch64", "version": "1.2.3"}, + ] + } + result = _pkg_version_key(entry) + assert "x86_64:1.2.3" in result + assert "aarch64:1.2.3" in result + + +def test_pkg_version_key_with_empty_version(): + entry = {"version": None} + assert _pkg_version_key(entry) is None + + +def test_pkg_version_key_with_invalid_installations(): + entry = {"installations": ["not_a_dict", {"arch": "x86_64", "version": "1.0"}]} + result = _pkg_version_key(entry) + assert "x86_64:1.0" in result + + +def test_pkg_version_display_with_version(): + entry = {"version": "1.2.3"} + assert _pkg_version_display(entry) == "1.2.3" + + +def test_pkg_version_display_with_installations(): + entry = { + "installations": [ + {"arch": "x86_64", "version": "1.2.3"}, + ] + } + assert _pkg_version_display(entry) == "1.2.3 (x86_64)" + + +def test_pkg_version_display_empty(): + assert _pkg_version_display({}) is None + + +def test_iter_managed_files_empty(): + state = {"roles": {}} + files = list(_iter_managed_files(state)) + assert files == [] + + +def test_iter_managed_files_services(): + state = { + "roles": { + "services": [ + { + "role_name": "nginx", + "managed_files": [ + {"path": "/etc/nginx/nginx.conf", "src_rel": "nginx.conf"} + ], + } + ] + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0] == ( + "nginx", + {"path": "/etc/nginx/nginx.conf", "src_rel": "nginx.conf"}, + ) + + +def test_iter_managed_files_packages(): + state = { + "roles": { + "packages": [ + { + "role_name": "vim", + "managed_files": [{"path": "/usr/bin/vim", "src_rel": "bin/vim"}], + } + ] + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0][0] == "vim" + + +def test_iter_managed_files_users(): + state = { + "roles": { + "users": { + "role_name": "users", + "managed_files": [{"path": "/etc/passwd", "src_rel": "passwd"}], + } + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0][0] == "users" + + +def test_iter_managed_files_apt_config(): + state = { + "roles": { + "apt_config": { + "role_name": "apt_config", + "managed_files": [ + {"path": "/etc/apt/sources.list", "src_rel": "sources.list"} + ], + } + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0][0] == "apt_config" + + +def test_iter_managed_files_etc_custom(): + state = { + "roles": { + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [ + {"path": "/etc/custom.conf", "src_rel": "custom.conf"} + ], + } + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0][0] == "etc_custom" + + +def test_iter_managed_files_usr_local_custom(): + state = { + "roles": { + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_files": [ + {"path": "/usr/local/bin/script", "src_rel": "bin/script"} + ], + } + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0][0] == "usr_local_custom" + + +def test_iter_managed_files_extra_paths(): + state = { + "roles": { + "extra_paths": { + "role_name": "extra_paths", + "managed_files": [{"path": "/opt/app/config", "src_rel": "config"}], + } + } + } + files = list(_iter_managed_files(state)) + assert len(files) == 1 + assert files[0][0] == "extra_paths" + + +def test_file_index_empty(): + state = {"roles": {}} + index = _file_index(Path("/tmp"), state) + assert index == {} + + +def test_file_index_with_files(tmp_path: Path): + state = { + "roles": { + "users": { + "managed_files": [ + {"path": "/etc/passwd", "src_rel": "passwd", "owner": "root"}, + ] + } + } + } + index = _file_index(tmp_path, state) + assert "/etc/passwd" in index + assert index["/etc/passwd"].role == "users" + assert index["/etc/passwd"].owner == "root" + + +def test_file_index_duplicates_first_wins(tmp_path: Path): + state = { + "roles": { + "users": { + "managed_files": [ + {"path": "/etc/passwd", "src_rel": "passwd"}, + ] + }, + "etc_custom": { + "managed_files": [ + {"path": "/etc/passwd", "src_rel": "custom_passwd"}, + ] + }, + } + } + index = _file_index(tmp_path, state) + assert "/etc/passwd" in index + assert index["/etc/passwd"].src_rel == "passwd" + + +def test_file_index_skips_missing_path_or_src_rel(tmp_path: Path): + state = { + "roles": { + "users": { + "managed_files": [ + {"path": "/etc/passwd"}, # missing src_rel + {"src_rel": "passwd"}, # missing path + ] + } + } + } + index = _file_index(tmp_path, state) + assert index == {} + + +def test_compare_harvests_no_changes(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {"vim": {"version": "1.0"}}}, + "roles": {}, + } + ), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {"vim": {"version": "1.0"}}}, + "roles": {}, + } + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests(str(old_bundle), str(new_bundle)) + assert has_changes is False + assert report["packages"]["added"] == [] + assert report["packages"]["removed"] == [] + + +def test_compare_harvests_package_added(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps({"inventory": {"packages": {}}, "roles": {}}), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps( + {"inventory": {"packages": {"vim": {"version": "1.0"}}}, "roles": {}} + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests(str(old_bundle), str(new_bundle)) + assert has_changes is True + assert "vim" in report["packages"]["added"] + + +def test_compare_harvests_package_removed(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps( + {"inventory": {"packages": {"vim": {"version": "1.0"}}}, "roles": {}} + ), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps({"inventory": {"packages": {}}, "roles": {}}), + encoding="utf-8", + ) + + report, has_changes = compare_harvests(str(old_bundle), str(new_bundle)) + assert has_changes is True + assert "vim" in report["packages"]["removed"] + + +def test_compare_harvests_package_version_changed(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps( + {"inventory": {"packages": {"vim": {"version": "1.0"}}}, "roles": {}} + ), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps( + {"inventory": {"packages": {"vim": {"version": "2.0"}}}, "roles": {}} + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests(str(old_bundle), str(new_bundle)) + assert has_changes is True + assert len(report["packages"]["version_changed"]) == 1 + + +def test_compare_harvests_ignore_package_versions(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps( + {"inventory": {"packages": {"vim": {"version": "1.0"}}}, "roles": {}} + ), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps( + {"inventory": {"packages": {"vim": {"version": "2.0"}}}, "roles": {}} + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests( + str(old_bundle), str(new_bundle), ignore_package_versions=True + ) + assert report["packages"]["version_changed_ignored_count"] == 1 + + +def test_compare_harvests_service_added(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps({"inventory": {"packages": {}}, "roles": {"services": []}}), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {}}, + "roles": {"services": [{"unit": "nginx.service"}]}, + } + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests(str(old_bundle), str(new_bundle)) + assert has_changes is True + assert "nginx.service" in report["services"]["enabled_added"] + + +def test_compare_harvests_user_added(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + (old_bundle / "state.json").write_text( + json.dumps({"inventory": {"packages": {}}, "roles": {"users": {"users": []}}}), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + (new_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {}}, + "roles": {"users": {"users": [{"name": "alice", "uid": 1000}]}}, + } + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests(str(old_bundle), str(new_bundle)) + assert has_changes is True + assert "alice" in report["users"]["added"] + + +def test_compare_harvests_with_exclude_paths(tmp_path: Path): + old_bundle = tmp_path / "old" + old_bundle.mkdir() + old_artifacts = old_bundle / "artifacts" / "users" + old_artifacts.mkdir(parents=True) + (old_artifacts / "passwd").write_text("old", encoding="utf-8") + (old_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {}}, + "roles": { + "users": { + "managed_files": [{"path": "/etc/passwd", "src_rel": "passwd"}] + } + }, + } + ), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_bundle.mkdir() + new_artifacts = new_bundle / "artifacts" / "users" + new_artifacts.mkdir(parents=True) + (new_artifacts / "passwd").write_text("new", encoding="utf-8") + (new_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {}}, + "roles": { + "users": { + "managed_files": [{"path": "/etc/passwd", "src_rel": "passwd"}] + } + }, + } + ), + encoding="utf-8", + ) + + report, has_changes = compare_harvests( + str(old_bundle), str(new_bundle), exclude_paths=["/etc/passwd"] + ) + assert "/etc/passwd" not in [f["path"] for f in report["files"]["added"]] + assert "/etc/passwd" not in [f["path"] for f in report["files"]["removed"]] + assert "/etc/passwd" not in [f["path"] for f in report["files"]["changed"]] + + +def test_compare_harvests_rejects_unsafe_artifact_symlink(tmp_path: Path): + secret = tmp_path / "secret.txt" + secret.write_text("do not hash me", encoding="utf-8") + + old_bundle = tmp_path / "old" + old_artifacts = old_bundle / "artifacts" / "users" + old_artifacts.mkdir(parents=True) + (old_artifacts / "passwd").symlink_to(secret) + (old_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {}}, + "roles": { + "users": { + "managed_files": [{"path": "/etc/passwd", "src_rel": "passwd"}] + } + }, + } + ), + encoding="utf-8", + ) + + new_bundle = tmp_path / "new" + new_artifacts = new_bundle / "artifacts" / "users" + new_artifacts.mkdir(parents=True) + (new_artifacts / "passwd").write_text("safe", encoding="utf-8") + (new_bundle / "state.json").write_text( + json.dumps( + { + "inventory": {"packages": {}}, + "roles": { + "users": { + "managed_files": [{"path": "/etc/passwd", "src_rel": "passwd"}] + } + }, + } + ), + encoding="utf-8", + ) + + with pytest.raises(RuntimeError) as exc_info: + compare_harvests(str(old_bundle), str(new_bundle)) + + msg = str(exc_info.value) + assert "old harvest failed validation" in msg + assert "artifact is a symlink" in msg + + +def test_utc_now_iso(): + result = _utc_now_iso() + assert "T" in result + assert "+" in result or "Z" in result + + +def test_spinner_stop_without_start(): + spinner = _Spinner("Test") + spinner.stop(final_line="Done") + # Should not raise + + +def test_spinner_run_exception(monkeypatch): + class FakeStderr: + def write(self, s): + raise Exception("Write error") + + def flush(self): + pass + + monkeypatch.setattr(sys, "stderr", FakeStderr()) + + spinner = _Spinner("Test") + spinner.start() + spinner.stop() + + +def test_spinner_double_start(): + spinner = _Spinner("Test") + spinner.start() + spinner.start() # Should not raise or spawn another thread + spinner.stop() + + +def test_role_tag_normal(): + assert _role_tag("nginx") == "role_nginx" + assert _role_tag("my-app") == "role_my-app" + + +def test_role_tag_with_special_chars(): + assert _role_tag("my.app") == "role_my_app" + assert _role_tag("my app") == "role_my_app" + + +def test_role_tag_empty(): + assert _role_tag("") == "role_other" + assert _role_tag(" ") == "role_other" + + +def test_has_enforceable_drift_packages_removed(): + report = {"packages": {"removed": ["vim"]}} + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_services_removed(): + report = {"services": {"enabled_removed": ["nginx.service"]}} + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_service_changed(): + report = { + "services": { + "changed": [ + { + "unit": "nginx.service", + "changes": {"active_state": {"old": "active", "new": "inactive"}}, + } + ] + } + } + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_service_package_only_changed(): + # Service changed only in packages - should NOT be enforceable + report = { + "services": { + "changed": [ + { + "unit": "nginx.service", + "changes": {"packages": {"added": ["nginx-extra"]}}, + } + ] + } + } + assert has_enforceable_drift(report) is False + + +def test_has_enforceable_drift_users_removed(): + report = {"users": {"removed": ["alice"]}} + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_users_changed(): + report = { + "users": { + "changed": [ + {"name": "alice", "changes": {"uid": {"old": 1000, "new": 1001}}} + ] + } + } + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_files_removed(): + report = { + "files": { + "removed": [{"path": "/etc/passwd", "role": "users", "reason": "conffile"}] + } + } + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_files_changed(): + report = { + "files": { + "changed": [ + { + "path": "/etc/passwd", + "changes": {"content": {"old": "sha1", "new": "sha2"}}, + } + ] + } + } + assert has_enforceable_drift(report) is True + + +def test_has_enforceable_drift_no_drift(): + report = { + "packages": {"added": ["newpkg"]}, + "services": {"enabled_added": ["new.service"]}, + "users": {"added": ["bob"]}, + "files": {"added": ["/opt/newfile"]}, + } + assert has_enforceable_drift(report) is False + + +def test_enforcement_plan_packages_removed(monkeypatch, tmp_path: Path): + old_state = { + "roles": { + "services": [{"role_name": "nginx", "packages": ["nginx"]}], + "packages": [{"role_name": "vim", "package": "vim"}], + } + } + report = {"packages": {"removed": ["nginx", "vim"]}} + + result = _enforcement_plan(report, old_state, tmp_path) + assert "nginx" in result.get("roles", []) + assert "vim" in result.get("roles", []) + assert "role_nginx" in result.get("tags", []) + + +def test_enforcement_plan_users_changed(): + old_state = { + "roles": {"users": {"role_name": "users", "users": [{"name": "alice"}]}} + } + report = {"users": {"changed": [{"name": "alice", "changes": {"uid": {}}}]}} + + result = _enforcement_plan(report, old_state, Path("/tmp")) + assert "users" in result.get("roles", []) + + +def test_enforcement_plan_files_removed(tmp_path: Path): + # Create the artifacts directory structure that _file_index expects + artifacts_dir = tmp_path / "artifacts" / "etc_custom" + artifacts_dir.mkdir(parents=True) + + old_state = { + "roles": { + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [ + {"path": "/etc/custom.conf", "src_rel": "custom.conf"} + ], + } + } + } + report = { + "files": {"removed": [{"path": "/etc/custom.conf", "role": "etc_custom"}]} + } + + result = _enforcement_plan(report, old_state, tmp_path) + assert "etc_custom" in result.get("roles", []) + + +def test_enforcement_plan_no_drift(): + old_state = {"roles": {}} + report = {"packages": {"added": ["newpkg"]}} + + result = _enforcement_plan(report, old_state, Path("/tmp")) + assert result.get("roles", []) == [] + + +def test_bundle_from_input_tgz(monkeypatch, tmp_path: Path): + bundle_dir = tmp_path / "bundle" + bundle_dir.mkdir() + state_file = bundle_dir / "state.json" + state_file.write_text("{}", encoding="utf-8") + + tar_path = tmp_path / "bundle.tgz" + with tarfile.open(tar_path, "w:gz") as tf: + tf.add(bundle_dir, arcname="bundle") + + result = _bundle_from_input(str(tar_path), sops_mode=False) + assert result.dir.exists() + assert result.tempdir is not None + result.tempdir.cleanup() + + +def test_bundle_from_input_sops_mode_no_sops(monkeypatch, tmp_path: Path): + # Create a fake .sops file + sops_file = tmp_path / "harvest.sops" + sops_file.write_bytes(b"encrypted") + + def fake_require(): + raise SopsError("sops not found") + + import enroll.diff as d + + monkeypatch.setattr(d, "require_sops_cmd", fake_require) + + with pytest.raises(SopsError): + _bundle_from_input(str(sops_file), sops_mode=True) + + +def test_report_markdown_basic(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz", "host": "host1"}, + "new": {"input": "new.tar.gz", "host": "host2"}, + "packages": {"added": ["vim"], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + result = _report_markdown(report) + assert "## Packages" in result + assert "+ vim" in result + + +def test_report_markdown_with_enforcement_applied(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz"}, + "new": {"input": "new.tar.gz"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + "enforcement": { + "status": "applied", + "tags": ["role_users"], + "returncode": 0, + "finished_at": "2024-01-01T00:01:00Z", + }, + } + result = _report_markdown(report) + assert "Applied old harvest" in result + assert "role_users" in result + + +def test_report_markdown_with_enforcement_failed(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz"}, + "new": {"input": "new.tar.gz"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + "enforcement": { + "status": "failed", + "returncode": 1, + }, + } + result = _report_markdown(report) + assert "ansible-playbook failed" in result + + +def test_report_markdown_with_enforcement_skipped(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz"}, + "new": {"input": "new.tar.gz"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + "enforcement": { + "status": "skipped", + "reason": "no drift", + }, + } + result = _report_markdown(report) + assert "Skipped" in result + assert "no drift" in result + + +def test_report_markdown_with_version_ignored(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz"}, + "new": {"input": "new.tar.gz"}, + "packages": { + "added": [], + "removed": [], + "version_changed": [{"package": "vim", "old": "1.0", "new": "2.0"}], + "version_changed_ignored_count": 1, + }, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + result = _report_markdown(report) + assert "ignored 1" in result + + +def test_report_markdown_with_service_package_changes(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz"}, + "new": {"input": "new.tar.gz"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": { + "enabled_added": [], + "enabled_removed": [], + "changed": [ + { + "unit": "nginx.service", + "changes": {"packages": {"added": ["nginx-extra"], "removed": []}}, + } + ], + }, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + result = _report_markdown(report) + assert "packages added" in result + + +def test_report_markdown_empty(): + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz"}, + "new": {"input": "new.tar.gz"}, + "packages": {}, + "services": {}, + "users": {}, + "files": {}, + } + result = _report_markdown(report) + assert "## Packages" in result + assert "## Services" in result + + +def test_spinner_start_stop(monkeypatch): + """Test spinner can be started and stopped.""" + import enroll.diff as d + + # Mock threading to avoid actual thread creation + class FakeThread: + def __init__(self, target, name, daemon): + self.target = target + self.daemon = daemon + + def start(self): + pass + + def join(self, timeout): + pass + + monkeypatch.setattr(d.threading, "Thread", FakeThread) + + spinner = d._Spinner("test message") + spinner.start() + spinner.stop() + + +def test_spinner_already_started(monkeypatch): + """Test spinner doesn't restart if already running.""" + import enroll.diff as d + + class FakeThread: + def __init__(self, target, name, daemon): + pass + + def start(self): + pass + + def join(self, timeout): + pass + + monkeypatch.setattr(d.threading, "Thread", FakeThread) + + spinner = d._Spinner("test message") + spinner.start() + spinner._thread = FakeThread(None, None, True) # Simulate already running + spinner.start() # Should return early + + +def test_spinner_stop_clears_line(monkeypatch, tmp_path): + """Test spinner stop clears the line.""" + import enroll.diff as d + import sys + + class FakeThread: + def __init__(self, target, name, daemon): + pass + + def start(self): + pass + + def join(self, timeout): + pass + + monkeypatch.setattr(d.threading, "Thread", FakeThread) + + # Capture stderr writes + writes = [] + original_write = sys.stderr.write + + def capture_write(s): + writes.append(s) + return original_write(s) + + monkeypatch.setattr(sys.stderr, "write", capture_write) + + spinner = d._Spinner("test message") + spinner._last_len = 20 + spinner.stop() + + # Should have written clearing sequence + assert any("\r" in w for w in writes) + + +def test_should_show_spinner_disabled_env(monkeypatch): + """Test spinner disabled via environment variable.""" + import enroll.diff as d + + monkeypatch.setenv("ENROLL_NO_PROGRESS", "1") + assert d._progress_enabled() is False + + monkeypatch.setenv("ENROLL_NO_PROGRESS", "true") + assert d._progress_enabled() is False + + monkeypatch.setenv("ENROLL_NO_PROGRESS", "yes") + assert d._progress_enabled() is False + + +def test_should_show_spinner_exception_on_isatty(monkeypatch): + """Test spinner returns False when isatty raises exception.""" + import enroll.diff as d + import sys + + original_stderr = sys.stderr + + class FakeStderr: + def isatty(self): + raise Exception("No tty") + + monkeypatch.setattr(sys, "stderr", FakeStderr()) + assert d._progress_enabled() is False + + # Restore + monkeypatch.setattr(sys, "stderr", original_stderr) + + +def test_all_packages_from_state(): + """Test _all_packages extracts sorted package list.""" + import enroll.diff as d + + state = { + "inventory": { + "packages": { + "nginx": [{"version": "1.0"}], + "vim": [{"version": "2.0"}], + "bash": [{"version": "3.0"}], + } + } + } + + result = d._all_packages(state) + assert result == ["bash", "nginx", "vim"] + + +def test_all_packages_empty_state(): + """Test _all_packages with empty state.""" + import enroll.diff as d + + state = {"inventory": {"packages": {}}} + result = d._all_packages(state) + assert result == [] + + +def test_roles_from_state(): + """Test _roles extracts roles from state.""" + import enroll.diff as d + + state = {"roles": {"web": {}, "db": {}}} + result = d._roles(state) + assert result == {"web": {}, "db": {}} + + +def test_roles_empty_state(): + """Test _roles with empty state.""" + import enroll.diff as d + + state = {} + result = d._roles(state) + assert result == {} + + +def test_pkg_version_key_with_multiple_versions(): + """Test _pkg_version_key handles multiple versions.""" + import enroll.diff as d + + entry = { + "installations": [ + {"version": "1.0", "arch": "amd64"}, + {"version": "2.0", "arch": "arm64"}, + ] + } + + result = d._pkg_version_key(entry) + # Just check it returns a non-None value with version info + assert result is not None + assert len(result) > 0 + + +def test_pkg_version_key_without_version(): + """Test _pkg_version_key skips entries without version.""" + import enroll.diff as d + + entry = { + "installations": [ + {"arch": "amd64"}, # No version + ] + } + + result = d._pkg_version_key(entry) + assert result is None + + +def test_pkg_version_key_with_empty_installations(): + """Test _pkg_version_key with empty installations.""" + import enroll.diff as d + + entry = {"installations": []} + result = d._pkg_version_key(entry) + assert result is None + + +def test_pkg_version_key_without_installations(): + """Test _pkg_version_key without installations key.""" + import enroll.diff as d + + entry = {} + result = d._pkg_version_key(entry) + assert result is None + + +def test_pkg_version_key_with_direct_version(): + """Test _pkg_version_key with direct version field.""" + import enroll.diff as d + + entry = {"version": "1.2.3"} + result = d._pkg_version_key(entry) + assert result == "1.2.3" + + +def test_report_text_with_exclude_paths(): + """Test _report_text includes exclude paths.""" + import enroll.diff as d + + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz", "host": "host1", "state_mtime": "mtime1"}, + "new": {"input": "new.tar.gz", "host": "host2", "state_mtime": "mtime2"}, + "filters": {"exclude_paths": ["/tmp/*", "/var/log/*"]}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + result = d._report_text(report) + assert "file exclude patterns" in result + assert "/tmp/*" in result + + +def test_report_text_with_ignore_package_versions(): + """Test _report_text includes ignore package versions message.""" + import enroll.diff as d + + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz", "host": "host1", "state_mtime": "mtime1"}, + "new": {"input": "new.tar.gz", "host": "host2", "state_mtime": "mtime2"}, + "filters": {"ignore_package_versions": True}, + "packages": {"version_changed_ignored_count": 5}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + result = d._report_text(report) + assert "package version drift: ignored" in result + assert "ignored 5 changes" in result + + +def test_report_text_with_enforcement_applied(): + """Test _report_text includes enforcement applied status.""" + import enroll.diff as d + + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz", "host": "host1", "state_mtime": "mtime1"}, + "new": {"input": "new.tar.gz", "host": "host2", "state_mtime": "mtime2"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + "enforcement": { + "status": "applied", + "returncode": 0, + "tags": ["test"], + "finished_at": "2024-01-01T01:00:00Z", + }, + } + result = d._report_text(report) + assert "Enforcement" in result + assert "applied old harvest via ansible-playbook" in result + assert "tags=test" in result + + +def test_report_text_with_enforcement_failed(): + """Test _report_text includes enforcement failed status.""" + import enroll.diff as d + + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz", "host": "host1", "state_mtime": "mtime1"}, + "new": {"input": "new.tar.gz", "host": "host2", "state_mtime": "mtime2"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + "enforcement": {"status": "failed", "returncode": 1}, + } + result = d._report_text(report) + assert "Enforcement" in result + assert "ansible-playbook failed" in result + + +def test_report_text_with_enforcement_skipped(): + """Test _report_text includes enforcement skipped status.""" + import enroll.diff as d + + report = { + "generated_at": "2024-01-01T00:00:00Z", + "old": {"input": "old.tar.gz", "host": "host1", "state_mtime": "mtime1"}, + "new": {"input": "new.tar.gz", "host": "host2", "state_mtime": "mtime2"}, + "packages": {"added": [], "removed": [], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + "enforcement": {"status": "skipped", "reason": "no changes"}, + } + result = d._report_text(report) + assert "Enforcement" in result + assert "skipped" in result + assert "no changes" in result diff --git a/tests/test_diff_ignore_versions_exclude_enforce.py b/tests/test_diff_ignore_versions_exclude_enforce.py index fd0524f..89e7d7c 100644 --- a/tests/test_diff_ignore_versions_exclude_enforce.py +++ b/tests/test_diff_ignore_versions_exclude_enforce.py @@ -244,6 +244,7 @@ def test_enforce_old_harvest_runs_ansible_with_tags_from_file_drift( # Stub manifest generation to only create playbook.yml (fast, no real roles needed). def fake_manifest(_harvest_dir: str, out_dir: str, **_kwargs): out = Path(out_dir) + out.mkdir(parents=True, exist_ok=False) (out / "playbook.yml").write_text( "---\n- hosts: all\n gather_facts: false\n roles: []\n", encoding="utf-8", @@ -309,6 +310,165 @@ def test_enforce_old_harvest_runs_ansible_with_tags_from_file_drift( assert "role_usr_local_custom" in str(argv[i + 1]) +def test_enforce_old_harvest_runs_puppet_target(monkeypatch, tmp_path: Path): + import enroll.diff as d + import enroll.manifest as mf + + monkeypatch.setattr( + d.shutil, + "which", + lambda name: "/usr/bin/puppet" if name == "puppet" else None, + ) + + calls: dict[str, object] = {} + + def fake_manifest(_harvest_dir: str, out_dir: str, **kwargs): + calls["manifest_target"] = kwargs.get("target") + out = Path(out_dir) + (out / "manifests").mkdir(parents=True) + (out / "modules").mkdir(parents=True) + (out / "manifests" / "site.pp").write_text( + "node default { }\n", encoding="utf-8" + ) + + monkeypatch.setattr(mf, "manifest", fake_manifest) + + def fake_run( + argv, cwd=None, env=None, capture_output=False, text=False, check=False + ): + calls["argv"] = list(argv) + calls["cwd"] = cwd + return types.SimpleNamespace(returncode=0, stdout="ok", stderr="") + + monkeypatch.setattr(d.subprocess, "run", fake_run) + + old = tmp_path / "old" + _write_bundle(old, {"inventory": {"packages": {}}, "roles": _minimal_roles()}) + + report = { + "packages": {"added": [], "removed": ["curl"], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + + info = d.enforce_old_harvest(str(old), report=report, target="puppet") + + assert info["status"] == "applied" + assert info["target"] == "puppet" + assert info["tool"] == "puppet apply" + assert info["scope"] == "full_manifest" + assert info["tags"] == [] + assert calls["manifest_target"] == "puppet" + + argv = calls.get("argv") + assert argv and argv[:2] == ["/usr/bin/puppet", "apply"] + assert "--modulepath" in argv + assert any( + str(Path(calls["cwd"]) / "manifest" / "manifests" / "site.pp") == str(a) + for a in argv + ) + + +def test_enforce_old_harvest_runs_salt_target(monkeypatch, tmp_path: Path): + import enroll.diff as d + import enroll.manifest as mf + + monkeypatch.setattr( + d.shutil, + "which", + lambda name: "/usr/bin/salt-call" if name == "salt-call" else None, + ) + + calls: dict[str, object] = {} + + def fake_manifest(_harvest_dir: str, out_dir: str, **kwargs): + calls["manifest_target"] = kwargs.get("target") + out = Path(out_dir) + (out / "states").mkdir(parents=True) + (out / "states" / "top.sls").write_text("base:\n '*': []\n", encoding="utf-8") + + monkeypatch.setattr(mf, "manifest", fake_manifest) + + def fake_run( + argv, cwd=None, env=None, capture_output=False, text=False, check=False + ): + calls["argv"] = list(argv) + calls["cwd"] = cwd + return types.SimpleNamespace(returncode=0, stdout="ok", stderr="") + + monkeypatch.setattr(d.subprocess, "run", fake_run) + + old = tmp_path / "old" + _write_bundle(old, {"inventory": {"packages": {}}, "roles": _minimal_roles()}) + + report = { + "packages": {"added": [], "removed": ["curl"], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + + info = d.enforce_old_harvest(str(old), report=report, target="salt") + + assert info["status"] == "applied" + assert info["target"] == "salt" + assert info["tool"] == "salt-call" + assert info["scope"] == "full_manifest" + assert calls["manifest_target"] == "salt" + + argv = calls.get("argv") + assert argv and argv[0] == "/usr/bin/salt-call" + assert "--local" in argv + assert "--file-root" in argv + assert "state.apply" in argv + assert str(Path(calls["cwd"]) / "manifest" / "states") in argv + + +def test_cli_diff_enforce_forwards_target(monkeypatch): + import enroll.cli as cli + + report = { + "packages": {"added": [], "removed": ["curl"], "version_changed": []}, + "services": {"enabled_added": [], "enabled_removed": [], "changed": []}, + "users": {"added": [], "removed": [], "changed": []}, + "files": {"added": [], "removed": [], "changed": []}, + } + + monkeypatch.setattr(cli, "compare_harvests", lambda *a, **k: (report, True)) + monkeypatch.setattr(cli, "has_enforceable_drift", lambda r: True) + + calls: dict[str, object] = {} + + def fake_enforce(old, **kwargs): + calls["old"] = old + calls.update(kwargs) + return {"status": "applied", "target": kwargs.get("target"), "returncode": 0} + + monkeypatch.setattr(cli, "enforce_old_harvest", fake_enforce) + monkeypatch.setattr(cli, "format_report", lambda report, fmt="text": "R\n") + monkeypatch.setattr( + sys, + "argv", + [ + "enroll", + "diff", + "--old", + "/tmp/old", + "--new", + "/tmp/new", + "--enforce", + "--target", + "puppet", + ], + ) + + cli.main() + assert calls["old"] == "/tmp/old" + assert calls["target"] == "puppet" + assert calls["report"] is report + + def test_cli_diff_forwards_exclude_and_ignore_flags(monkeypatch, capsys): import enroll.cli as cli diff --git a/tests/test_diff_notifications.py b/tests/test_diff_notifications.py index 53f6b57..9a433b4 100644 --- a/tests/test_diff_notifications.py +++ b/tests/test_diff_notifications.py @@ -81,3 +81,42 @@ def test_send_email_raises_when_no_delivery_method(monkeypatch): from_addr="a@example.com", to_addrs=["b@example.com"], ) + + +def test_send_email_refuses_smtp_auth_without_starttls(monkeypatch): + from enroll.diff import send_email + + class FakeSMTP: + def __init__(self, *_args, **_kwargs): + pass + + def __enter__(self): + return self + + def __exit__(self, exc_type, exc, tb): + return False + + def ehlo(self): + pass + + def starttls(self): + raise RuntimeError("no starttls") + + def login(self, *_args): + raise AssertionError("login should not be called without TLS") + + def send_message(self, *_args): + raise AssertionError("message should not be sent without TLS") + + monkeypatch.setattr("smtplib.SMTP", FakeSMTP) + + with pytest.raises(RuntimeError, match="STARTTLS failed"): + send_email( + subject="Subj", + body="Body", + from_addr="a@example.com", + to_addrs=["b@example.com"], + smtp="smtp.example.com:587", + smtp_user="user", + smtp_password="secret", + ) diff --git a/tests/test_fsutil.py b/tests/test_fsutil.py index ebe2224..7b5771b 100644 --- a/tests/test_fsutil.py +++ b/tests/test_fsutil.py @@ -23,3 +23,54 @@ def test_stat_triplet_reports_mode(tmp_path: Path): assert mode == "0600" assert owner # non-empty string assert group # non-empty string + + +def test_open_no_follow_path_reads_regular_file(tmp_path: Path): + from enroll.fsutil import open_no_follow_path + + nested = tmp_path / "a" / "b" + nested.mkdir(parents=True) + f = nested / "file.txt" + f.write_text("hello\n", encoding="utf-8") + + fd = open_no_follow_path(str(f)) + try: + assert os.read(fd, 100) == b"hello\n" + finally: + os.close(fd) + + +def test_open_no_follow_path_refuses_symlinked_parent(tmp_path: Path): + import errno + + from enroll.fsutil import open_no_follow_path + + real = tmp_path / "real" + real.mkdir() + (real / "file.txt").write_text("x\n", encoding="utf-8") + (tmp_path / "link").symlink_to(real) + + try: + fd = open_no_follow_path(str(tmp_path / "link" / "file.txt")) + os.close(fd) + raise AssertionError("expected OSError for symlinked parent") + except OSError as e: + assert e.errno == errno.ELOOP + + +def test_open_no_follow_path_refuses_symlinked_leaf(tmp_path: Path): + import errno + + from enroll.fsutil import open_no_follow_path + + target = tmp_path / "target.txt" + target.write_text("x\n", encoding="utf-8") + link = tmp_path / "link.txt" + link.symlink_to(target) + + try: + fd = open_no_follow_path(str(link)) + os.close(fd) + raise AssertionError("expected OSError for symlinked leaf") + except OSError as e: + assert e.errno == errno.ELOOP diff --git a/tests/test_harvest.py b/tests/test_harvest.py index 1b884aa..a308bcf 100644 --- a/tests/test_harvest.py +++ b/tests/test_harvest.py @@ -1,9 +1,35 @@ import json +import os +import pytest + from pathlib import Path -import enroll.harvest as h +import enroll.harvest as harvest +import enroll.system_paths as system_paths from enroll.platform import PlatformInfo from enroll.systemd import UnitInfo +from enroll.pathfilter import PathFilter +import enroll.capture as capture +from enroll.capture import ( + capture_file as _capture_file, + capture_link as _capture_link, + capture_user_shell_dotfiles, + files_differ, +) +from enroll.harvest_types import ExcludedFile, ManagedFile, ManagedLink +from enroll.ignore import IgnorePolicy +from enroll.package_hints import ( + add_pkgs_from_etc_topdirs, + hint_names as _hint_names, +) +from enroll.system_paths import ( + is_confish as _is_confish, + iter_matching_files as _iter_matching_files, + parse_apt_signed_by as _parse_apt_signed_by, + topdirs_for_package as _topdirs_for_package, +) + +from unittest.mock import MagicMock class AllowAllPolicy: @@ -154,17 +180,17 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( else: yield (root, [], []) - monkeypatch.setattr(h.os.path, "isfile", fake_isfile) - monkeypatch.setattr(h.os.path, "isdir", fake_isdir) - monkeypatch.setattr(h.os.path, "islink", fake_islink) - monkeypatch.setattr(h.os.path, "exists", fake_exists) - monkeypatch.setattr(h.os, "walk", fake_walk) + monkeypatch.setattr(harvest.os.path, "isfile", fake_isfile) + monkeypatch.setattr(harvest.os.path, "isdir", fake_isdir) + monkeypatch.setattr(harvest.os.path, "islink", fake_islink) + monkeypatch.setattr(harvest.os.path, "exists", fake_exists) + monkeypatch.setattr(harvest.os, "walk", fake_walk) # Avoid real system access - monkeypatch.setattr(h, "list_enabled_services", lambda: ["openvpn.service"]) - monkeypatch.setattr(h, "list_enabled_timers", lambda: []) + monkeypatch.setattr(harvest, "list_enabled_services", lambda: ["openvpn.service"]) + monkeypatch.setattr(harvest, "list_enabled_timers", lambda: []) monkeypatch.setattr( - h, + harvest, "get_unit_info", lambda unit: UnitInfo( name=unit, @@ -183,7 +209,12 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( owned_etc = {"/etc/openvpn/server.conf"} etc_owner_map = {"/etc/openvpn/server.conf": "openvpn"} topdir_to_pkgs = {"openvpn": {"openvpn"}} - pkg_to_etc_paths = {"openvpn": ["/etc/openvpn/server.conf"], "curl": []} + # curl has a package-owned /etc path, but no changed/custom harvested + # artifacts. That should still be considered a simple package role. + pkg_to_etc_paths = { + "openvpn": ["/etc/openvpn/server.conf"], + "curl": ["/etc/curl/curlrc"], + } backend = FakeBackend( name="dpkg", @@ -199,11 +230,24 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( ) monkeypatch.setattr( - h, "detect_platform", lambda: PlatformInfo("debian", "dpkg", {}) + harvest, "detect_platform", lambda: PlatformInfo("debian", "dpkg", {}) ) - monkeypatch.setattr(h, "get_backend", lambda info=None: backend) + monkeypatch.setattr(harvest, "get_backend", lambda info=None: backend) - monkeypatch.setattr(h, "collect_non_system_users", lambda: []) + monkeypatch.setattr(harvest, "collect_non_system_users", lambda: []) + + import enroll.accounts as accounts + + monkeypatch.setattr(accounts, "find_system_flatpaks", lambda: []) + monkeypatch.setattr(accounts, "find_system_flatpak_remotes", lambda: []) + monkeypatch.setattr( + accounts, "find_user_flatpak_remotes", lambda home, user=None: [] + ) + monkeypatch.setattr( + accounts, + "find_system_snaps", + lambda: [accounts.SnapInstall(name="code", channel="latest/stable")], + ) def fake_stat_triplet(p: str): if p == "/usr/local/bin/myscript": @@ -211,7 +255,8 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( # /usr/local/bin/readme.txt remains non-executable return ("root", "root", "0644") - monkeypatch.setattr(h, "stat_triplet", fake_stat_triplet) + monkeypatch.setattr(harvest, "stat_triplet", fake_stat_triplet) + monkeypatch.setattr(capture, "stat_triplet", fake_stat_triplet) # Avoid needing source files on disk by implementing our own bundle copier def fake_copy(bundle_dir: str, role_name: str, abs_path: str, src_rel: str): @@ -219,9 +264,9 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( dst.parent.mkdir(parents=True, exist_ok=True) dst.write_bytes(files.get(abs_path, b"")) - monkeypatch.setattr(h, "_copy_into_bundle", fake_copy) + monkeypatch.setattr(capture, "copy_into_bundle", fake_copy) - state_path = h.harvest(str(bundle), policy=AllowAllPolicy()) + state_path = harvest.harvest(str(bundle), policy=AllowAllPolicy()) st = json.loads(Path(state_path).read_text(encoding="utf-8")) inv = st["inventory"]["packages"] @@ -232,6 +277,9 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( pkg_roles = st["roles"]["packages"] assert all(pr["package"] != "openvpn" for pr in pkg_roles) assert any(pr["package"] == "curl" for pr in pkg_roles) + curl_role = next(pr for pr in pkg_roles if pr["package"] == "curl") + assert curl_role["has_config"] is False + assert any("No changed or custom configuration" in n for n in curl_role["notes"]) # Inventory provenance: openvpn should be observed via systemd unit. openvpn_obs = inv["openvpn"]["observed_via"] @@ -240,6 +288,9 @@ def test_harvest_dedup_manual_packages_and_builds_etc_custom( for o in openvpn_obs ) + assert st["roles"]["snap"]["role_name"] == "snap" + assert st["roles"]["snap"]["system_snaps"][0]["name"] == "code" + # Service role captured modified conffile svc = st["roles"]["services"][0] assert svc["unit"] == "openvpn.service" @@ -274,21 +325,25 @@ def test_shared_cron_snippet_prefers_matching_role_over_lexicographic( files = {"/etc/cron.d/ntpsec": b"# cron\n"} dirs = {"/etc", "/etc/cron.d"} - monkeypatch.setattr(h.os.path, "isfile", lambda p: p in files) - monkeypatch.setattr(h.os.path, "islink", lambda p: False) - monkeypatch.setattr(h.os.path, "isdir", lambda p: p in dirs) - monkeypatch.setattr(h.os.path, "exists", lambda p: p in files or p in dirs) - monkeypatch.setattr(h.os, "walk", lambda root: [("/etc/cron.d", [], ["ntpsec"])]) + monkeypatch.setattr(harvest.os.path, "isfile", lambda p: p in files) + monkeypatch.setattr(harvest.os.path, "islink", lambda p: False) + monkeypatch.setattr(harvest.os.path, "isdir", lambda p: p in dirs) + monkeypatch.setattr(harvest.os.path, "exists", lambda p: p in files or p in dirs) + monkeypatch.setattr( + harvest.os, "walk", lambda root: [("/etc/cron.d", [], ["ntpsec"])] + ) # Only include the cron snippet in the system capture set. monkeypatch.setattr( - h, "_iter_system_capture_paths", lambda: [("/etc/cron.d/ntpsec", "system_cron")] + system_paths, + "iter_system_capture_paths", + lambda: [("/etc/cron.d/ntpsec", "system_cron")], ) monkeypatch.setattr( - h, "list_enabled_services", lambda: ["apparmor.service", "ntpsec.service"] + harvest, "list_enabled_services", lambda: ["apparmor.service", "ntpsec.service"] ) - monkeypatch.setattr(h, "list_enabled_timers", lambda: []) + monkeypatch.setattr(harvest, "list_enabled_timers", lambda: []) def fake_unit_info(unit: str) -> UnitInfo: if unit == "apparmor.service": @@ -315,7 +370,7 @@ def test_shared_cron_snippet_prefers_matching_role_over_lexicographic( condition_result=None, ) - monkeypatch.setattr(h, "get_unit_info", fake_unit_info) + monkeypatch.setattr(harvest, "get_unit_info", fake_unit_info) # Make apparmor *also* claim the ntpsec package (simulates overly-broad # package inference). The snippet routing should still prefer role 'ntpsec'. @@ -340,21 +395,22 @@ def test_shared_cron_snippet_prefers_matching_role_over_lexicographic( ) monkeypatch.setattr( - h, "detect_platform", lambda: PlatformInfo("debian", "dpkg", {}) + harvest, "detect_platform", lambda: PlatformInfo("debian", "dpkg", {}) ) - monkeypatch.setattr(h, "get_backend", lambda info=None: backend) + monkeypatch.setattr(harvest, "get_backend", lambda info=None: backend) - monkeypatch.setattr(h, "stat_triplet", lambda p: ("root", "root", "0644")) - monkeypatch.setattr(h, "collect_non_system_users", lambda: []) + monkeypatch.setattr(harvest, "stat_triplet", lambda p: ("root", "root", "0644")) + monkeypatch.setattr(capture, "stat_triplet", lambda p: ("root", "root", "0644")) + monkeypatch.setattr(harvest, "collect_non_system_users", lambda: []) def fake_copy(bundle_dir: str, role_name: str, abs_path: str, src_rel: str): dst = Path(bundle_dir) / "artifacts" / role_name / src_rel dst.parent.mkdir(parents=True, exist_ok=True) dst.write_bytes(files[abs_path]) - monkeypatch.setattr(h, "_copy_into_bundle", fake_copy) + monkeypatch.setattr(capture, "copy_into_bundle", fake_copy) - state_path = h.harvest(str(bundle), policy=AllowAllPolicy()) + state_path = harvest.harvest(str(bundle), policy=AllowAllPolicy()) st = json.loads(Path(state_path).read_text(encoding="utf-8")) # Cron snippet should end up attached to the ntpsec role, not apparmor. @@ -367,3 +423,720 @@ def test_shared_cron_snippet_prefers_matching_role_over_lexicographic( assert all( mf["path"] != "/etc/cron.d/ntpsec" for mf in svc_apparmor["managed_files"] ) + + +def test_files_differ_binary(tmp_path: Path): + file1 = tmp_path / "file1.bin" + file2 = tmp_path / "file2.bin" + file1.write_bytes(b"\x00\x01\x02\x03") + file2.write_bytes(b"\x00\x01\x02\x03") + assert files_differ(str(file1), str(file2)) is False + + +def test_files_differ_binary_different(tmp_path: Path): + file1 = tmp_path / "file1.bin" + file2 = tmp_path / "file2.bin" + file1.write_bytes(b"\x00\x01\x02\x03") + file2.write_bytes(b"\x00\x01\x02\x04") + assert files_differ(str(file1), str(file2)) is True + + +def test_files_differ_non_regular_a(tmp_path: Path): + directory = tmp_path / "dir" + directory.mkdir() + file1 = tmp_path / "file1.txt" + file1.write_text("content", encoding="utf-8") + assert files_differ(str(directory), str(file1)) is True + + +def test_topdirs_for_package_with_multiple_paths(): + pkg_to_etc_paths = { + "nginx": ["/etc/nginx/nginx.conf", "/etc/nginx/sites-enabled/default"], + } + result = _topdirs_for_package("nginx", pkg_to_etc_paths) + assert result == {"nginx"} + + +def test_topdirs_for_package_with_multiple_topdirs(): + pkg_to_etc_paths = { + "multi": ["/etc/nginx/nginx.conf", "/etc/ssh/sshd_config"], + } + result = _topdirs_for_package("multi", pkg_to_etc_paths) + assert result == {"nginx", "ssh"} + + +def test_topdirs_for_package_empty(): + result = _topdirs_for_package("empty", {}) + assert result == set() + + +def test_topdirs_for_package_no_etc(): + pkg_to_etc_paths = { + "other": ["/usr/share/doc/file"], + } + result = _topdirs_for_package("other", pkg_to_etc_paths) + assert result == set() + + +def test_files_differ_same_content(tmp_path: Path): + """Test that _files_differ returns False for identical content.""" + file_a = tmp_path / "a.txt" + file_b = tmp_path / "b.txt" + file_a.write_text("same content", encoding="utf-8") + file_b.write_text("same content", encoding="utf-8") + assert files_differ(str(file_a), str(file_b)) is False + + +def test_files_differ_different_content(tmp_path: Path): + """Test that _files_differ returns True for different content.""" + file_a = tmp_path / "a.txt" + file_b = tmp_path / "b.txt" + file_a.write_text("content a", encoding="utf-8") + file_b.write_text("content b", encoding="utf-8") + assert files_differ(str(file_a), str(file_b)) is True + + +def test_files_differ_missing_file(tmp_path: Path): + """Test that _files_differ returns True when one file is missing.""" + file_a = tmp_path / "a.txt" + file_a.write_text("content", encoding="utf-8") + file_b = tmp_path / "b.txt" + assert files_differ(str(file_a), str(file_b)) is True + + +def test_files_differ_both_missing(tmp_path: Path): + """Test that _files_differ returns True when both files are missing.""" + file_a = tmp_path / "a.txt" + file_b = tmp_path / "b.txt" + # Both missing - should return True (they differ in the sense that neither exists) + assert files_differ(str(file_a), str(file_b)) is True + + +def test_files_differ_non_regular_b(tmp_path: Path): + """Test that _files_differ handles non-regular file (symlink).""" + file_a = tmp_path / "a.txt" + file_a.write_text("content", encoding="utf-8") + link_b = tmp_path / "link" + link_b.symlink_to(file_a) + # Symlinks are followed, so content is the same + assert files_differ(str(file_a), str(link_b)) is False + + +def test_files_differ_oserror_on_read(tmp_path: Path, monkeypatch): + """Test that _files_differ returns True on OSError during read.""" + file_a = tmp_path / "a.txt" + file_b = tmp_path / "b.txt" + file_a.write_text("content", encoding="utf-8") + file_b.write_text("content", encoding="utf-8") + + def fake_open(path, *args, **kwargs): + raise OSError("Permission denied") + + monkeypatch.setattr("builtins.open", fake_open, raising=False) + assert files_differ(str(file_a), str(file_b)) is True + + +def test_files_differ_large_file_returns_true(tmp_path: Path): + """Test that _files_differ returns True for files larger than max_bytes.""" + file_a = tmp_path / "a.bin" + file_b = tmp_path / "b.bin" + # Create files larger than default max_bytes (2MB) + data = b"x" * 3_000_000 + file_a.write_bytes(data) + file_b.write_bytes(data) + # Should return True because files are too large + assert files_differ(str(file_a), str(file_b), max_bytes=1_000_000) is True + + +def test_files_differ_size_mismatch(tmp_path: Path): + """Test that _files_differ detects size mismatch quickly.""" + file_a = tmp_path / "a.txt" + file_b = tmp_path / "b.txt" + file_a.write_text("short", encoding="utf-8") + file_b.write_text("much longer content here", encoding="utf-8") + assert files_differ(str(file_a), str(file_b)) is True + + +def test_files_differ_large_files(tmp_path: Path): + """Test that _files_differ handles large files efficiently.""" + file_a = tmp_path / "a.bin" + file_b = tmp_path / "b.bin" + # Create files with same content but large + data = b"x" * 10000 + file_a.write_bytes(data) + file_b.write_bytes(data) + assert files_differ(str(file_a), str(file_b)) is False + + +def test_hint_names_with_unit_and_packages(): + """Test _hint_names extracts hints from unit and packages.""" + result = _hint_names("nginx.service", {"nginx-common", "nginx-core"}) + assert "nginx" in result + assert "nginx-common" in result + assert "nginx-core" in result + + +def test_hint_names_with_template_unit(): + """Test _hint_names handles template units.""" + result = _hint_names("getty@tty1.service", set()) + assert "getty" in result + assert "getty@tty1" in result + + +def test_hint_names_with_dotted_unit(): + """Test _hint_names handles dotted unit names.""" + result = _hint_names("nginx.service", set()) + assert "nginx" in result + + +def test_hint_names_empty(): + """Test _hint_names with empty inputs.""" + result = _hint_names("", set()) + assert result == set() + + +def test_add_pkgs_from_etc_topdirs(): + """Test _add_pkgs_from_etc_topdirs expands hints.""" + hints = {"nginx"} + topdir_to_pkgs = { + "nginx": {"nginx-common", "nginx-core"}, + "ssh": {"openssh-server"}, + } + pkgs = set() + add_pkgs_from_etc_topdirs(hints, topdir_to_pkgs, pkgs) + # Should add packages from matching topdirs + assert "nginx-common" in pkgs or "nginx-core" in pkgs + + +def test_add_pkgs_from_etc_topdirs_empty(): + """Test _add_pkgs_from_etc_topdirs with empty inputs.""" + hints = set() + topdir_to_pkgs = {} + pkgs = set() + add_pkgs_from_etc_topdirs(hints, topdir_to_pkgs, pkgs) + assert pkgs == set() + + +def test_is_confish_with_conf(tmp_path: Path): + """Test _is_confish recognizes .conf files.""" + file1 = tmp_path / "test.conf" + file1.write_text("[Unit]", encoding="utf-8") + assert _is_confish(str(file1)) is True + + +def test_is_confish_with_yaml(tmp_path: Path): + """Test _is_confish recognizes .yaml files.""" + file1 = tmp_path / "test.yaml" + file1.write_text("key: value", encoding="utf-8") + assert _is_confish(str(file1)) is True + + +def test_is_confish_with_json(tmp_path: Path): + """Test _is_confish recognizes .json files.""" + file1 = tmp_path / "test.json" + file1.write_text('{"key": "value"}', encoding="utf-8") + assert _is_confish(str(file1)) is True + + +def test_is_confish_with_service(tmp_path: Path): + """Test _is_confish recognizes .service files.""" + file1 = tmp_path / "test.service" + file1.write_text("[Unit]", encoding="utf-8") + assert _is_confish(str(file1)) is True + + +def test_is_confish_with_extensionless(tmp_path: Path): + """Test _is_confish recognizes extensionless config files.""" + file1 = tmp_path / "default" + file1.write_text("OPTIONS=", encoding="utf-8") + assert _is_confish(str(file1)) is True + + +def test_is_confish_not_config(tmp_path: Path): + """Test _is_confish rejects non-config files.""" + file1 = tmp_path / "test.log" + file1.write_text("log", encoding="utf-8") + assert _is_confish(str(file1)) is False + + +def test_is_confish_nonexistent(): + """Test _is_confish returns False for nonexistent files.""" + assert _is_confish("/nonexistent/file.xyz") is False + + +"""Additional coverage tests for harvest.py""" + + +class TestIsConfish: + """Tests for _is_confish function""" + + def test_is_confish_true_extensions(self, tmp_path): + """Test files with config extensions are detected.""" + for ext in [".conf", ".cfg", ".ini", ".yaml", ".json", ".cnf"]: + f = tmp_path / f"test{ext}" + f.write_text("test", encoding="utf-8") + assert _is_confish(str(f)) is True + + def test_is_confish_false(self, tmp_path): + """Test non-config files are not detected.""" + for name in ["data.txt", "script.sh"]: + f = tmp_path / name + f.write_text("test", encoding="utf-8") + assert _is_confish(str(f)) is False + + +class TestHintNames: + """Tests for _hint_names function""" + + def test_hint_names_simple(self): + """Test simple hint name extraction.""" + result = _hint_names("nginx", {"nginx"}) + assert "nginx" in result + + def test_hint_names_multiple(self): + """Test multiple hint names.""" + result = _hint_names("nginx", {"apache"}) + assert "nginx" in result + assert "apache" in result + + def test_hint_names_empty(self): + """Test empty hint names.""" + result = _hint_names("", set()) + assert result == set() + + def test_hint_names_with_service(self): + """Test hint names with .service suffix.""" + result = _hint_names("nginx.service", set()) + assert "nginx" in result + + def test_hint_names_with_template(self): + """Test hint names with template unit.""" + result = _hint_names("nginx@.service", set()) + assert "nginx" in result + + +class TestTopdirsForPackage: + """Tests for _topdirs_for_package function""" + + def test_topdirs_single_level(self): + """Test topdirs with single level paths.""" + pkg_to_etc = {"nginx": ["/etc/nginx/nginx.conf"]} + result = _topdirs_for_package("nginx", pkg_to_etc) + assert result == {"nginx"} + + def test_topdirs_multiple_paths(self): + """Test topdirs with multiple paths.""" + pkg_to_etc = {"nginx": ["/etc/nginx/nginx.conf", "/etc/nginx/sites-enabled"]} + result = _topdirs_for_package("nginx", pkg_to_etc) + assert result == {"nginx"} + + def test_topdirs_empty(self): + """Test topdirs with empty package.""" + result = _topdirs_for_package("nonexistent", {}) + assert result == set() + + +class TestIterMatchingFiles: + """Tests for _iter_matching_files function""" + + def test_iter_matching_files_glob(self, tmp_path): + """Test glob pattern matching.""" + (tmp_path / "a.txt").write_text("a", encoding="utf-8") + (tmp_path / "b.txt").write_text("b", encoding="utf-8") + (tmp_path / "c.py").write_text("c", encoding="utf-8") + + os.chdir(tmp_path) + result = _iter_matching_files("*.txt") + assert len(result) == 2 + assert any("a.txt" in p for p in result) + assert any("b.txt" in p for p in result) + + def test_iter_matching_files_directory_walk(self, tmp_path): + """Test directory walking.""" + subdir = tmp_path / "sub" + subdir.mkdir() + (tmp_path / "a.txt").write_text("a", encoding="utf-8") + (subdir / "b.txt").write_text("b", encoding="utf-8") + + os.chdir(tmp_path) + result = _iter_matching_files(str(tmp_path)) + assert len(result) == 2 + + def test_iter_matching_files_cap(self, tmp_path): + """Test file cap limit.""" + for i in range(100): + (tmp_path / f"file{i}.txt").write_text(str(i), encoding="utf-8") + + os.chdir(tmp_path) + result = _iter_matching_files("*.txt", cap=10) + assert len(result) == 10 + + +class TestParseAptSignedBy: + """Tests for _parse_apt_signed_by function""" + + def test_parse_apt_signed_by_bracket(self, tmp_path): + """Test parsing signed-by from bracket notation.""" + sources_list = tmp_path / "sources.list" + sources_list.write_text( + "deb [signed-by=/usr/share/keyrings/nginx.gpg] http://nginx.net stable main\n", + encoding="utf-8", + ) + result = _parse_apt_signed_by([str(sources_list)]) + assert "/usr/share/keyrings/nginx.gpg" in result + + def test_parse_apt_signed_by_header(self, tmp_path): + """Test parsing signed-by from header.""" + sources_file = tmp_path / "sources.list" + sources_file.write_text( + "Signed-By: /usr/share/keyrings/foo.gpg\n", encoding="utf-8" + ) + result = _parse_apt_signed_by([str(sources_file)]) + assert "/usr/share/keyrings/foo.gpg" in result + + def test_parse_apt_signed_by_multiple(self, tmp_path): + """Test parsing multiple signed-by paths.""" + sources_file = tmp_path / "sources.list" + sources_file.write_text( + "Signed-By: /usr/share/keyrings/a.gpg, /usr/share/keyrings/b.gpg\n", + encoding="utf-8", + ) + result = _parse_apt_signed_by([str(sources_file)]) + assert "/usr/share/keyrings/a.gpg" in result + assert "/usr/share/keyrings/b.gpg" in result + + def test_parse_apt_signed_by_oserror(self, tmp_path): + """Test handling of unreadable files.""" + result = _parse_apt_signed_by(["/nonexistent/file"]) + assert result == set() + + +class TestCaptureLink: + """Tests for _capture_link function""" + + def test_capture_link_basic(self, tmp_path): + """Test basic link capture.""" + target = tmp_path / "target.txt" + target.write_text("content", encoding="utf-8") + link = tmp_path / "link.txt" + link.symlink_to(target) + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + policy.deny_reason_link = None # No special link denial + + managed: list[ManagedLink] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + + result = _capture_link( + role_name="test_role", + abs_path=str(link), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=set(), + seen_global=set(), + ) + assert result is True + assert len(managed) == 1 + assert managed[0].path == str(link) + + def test_capture_link_deny(self, tmp_path): + """Test link capture with deny policy.""" + target = tmp_path / "target.txt" + target.write_text("content", encoding="utf-8") + link = tmp_path / "link.txt" + link.symlink_to(target) + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value="policy_deny") + + managed: list[ManagedLink] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + + result = _capture_link( + role_name="test_role", + abs_path=str(link), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=set(), + seen_global=set(), + ) + assert result is False + assert len(excluded) == 1 + + def test_capture_link_not_symlink(self, tmp_path): + """Test that regular files are rejected.""" + f = tmp_path / "file.txt" + f.write_text("content", encoding="utf-8") + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + + managed: list[ManagedLink] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + + result = _capture_link( + role_name="test_role", + abs_path=str(f), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=set(), + seen_global=set(), + ) + assert result is False + assert len(excluded) == 1 + + def test_capture_link_seen_role(self, tmp_path): + """Test link capture with seen_role deduplication.""" + target = tmp_path / "target.txt" + target.write_text("content", encoding="utf-8") + link = tmp_path / "link.txt" + link.symlink_to(target) + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + + managed: list[ManagedLink] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + seen_role = {str(link)} + + result = _capture_link( + role_name="test_role", + abs_path=str(link), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=seen_role, + seen_global=None, + ) + assert result is False + assert len(managed) == 0 + + def test_capture_link_seen_global(self, tmp_path): + """Test link capture with seen_global deduplication.""" + target = tmp_path / "target.txt" + target.write_text("content", encoding="utf-8") + link = tmp_path / "link.txt" + link.symlink_to(target) + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + + managed: list[ManagedLink] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + seen_global = {str(link)} + + result = _capture_link( + role_name="test_role", + abs_path=str(link), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=None, + seen_global=seen_global, + ) + assert result is False + assert len(managed) == 0 + + +class TestCaptureFile: + """Tests for _capture_file function""" + + def test_capture_file_basic(self, tmp_path): + """Test basic file capture.""" + bundle = tmp_path / "bundle" + bundle.mkdir() + (bundle / "artifacts").mkdir() + + source = tmp_path / "source.txt" + source.write_text("content", encoding="utf-8") + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + + result = _capture_file( + bundle_dir=str(bundle), + role_name="test_role", + abs_path=str(source), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=set(), + seen_global=set(), + metadata=None, + ) + assert result is True + assert len(managed) == 1 + + def test_capture_file_seen_role(self, tmp_path): + """Test file capture with seen_role deduplication.""" + bundle = tmp_path / "bundle" + bundle.mkdir() + + source = tmp_path / "source.txt" + source.write_text("content", encoding="utf-8") + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + seen_role = {str(source)} + + result = _capture_file( + bundle_dir=str(bundle), + role_name="test_role", + abs_path=str(source), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=seen_role, + seen_global=None, + metadata=None, + ) + assert result is False + assert len(managed) == 0 + + def test_capture_file_seen_global(self, tmp_path): + """Test file capture with seen_global deduplication.""" + bundle = tmp_path / "bundle" + bundle.mkdir() + + source = tmp_path / "source.txt" + source.write_text("content", encoding="utf-8") + + policy = MagicMock(spec=IgnorePolicy) + policy.deny_reason_link = None + policy.deny_reason = MagicMock(return_value=None) + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + path_filter = PathFilter([], []) + seen_global = {str(source)} + + result = _capture_file( + bundle_dir=str(bundle), + role_name="test_role", + abs_path=str(source), + reason="test", + policy=policy, + path_filter=path_filter, + managed_out=managed, + excluded_out=excluded, + seen_role=None, + seen_global=seen_global, + metadata=None, + ) + assert result is False + assert len(managed) == 0 + + +def test_user_shell_dotfiles_are_not_auto_captured_without_dangerous(tmp_path: Path): + home = tmp_path / "home" / "alice" + home.mkdir(parents=True) + (home / ".bashrc").write_text("export DEMO=value\n", encoding="utf-8") + (home / ".bash_aliases").write_text("alias ll='ls -la'\n", encoding="utf-8") + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + + captured = capture_user_shell_dotfiles( + bundle_dir=str(tmp_path / "bundle"), + role_name="users", + home=str(home), + skel_dir=str(tmp_path / "skel"), + enabled=False, + policy=IgnorePolicy(dangerous=False), + path_filter=PathFilter(), + managed_out=managed, + excluded_out=excluded, + seen_role=set(), + seen_global=set(), + ) + + assert captured == 0 + assert managed == [] + assert excluded == [] + assert not (tmp_path / "bundle" / "artifacts" / "users").exists() + + +def test_user_shell_dotfiles_dangerous_captures_changed_files_only(tmp_path: Path): + skel = tmp_path / "skel" + home = tmp_path / "home" / "alice" + skel.mkdir(parents=True) + home.mkdir(parents=True) + + (skel / ".bashrc").write_text("# default bashrc\n", encoding="utf-8") + (home / ".bashrc").write_text("# customised bashrc\n", encoding="utf-8") + + (skel / ".profile").write_text("# default profile\n", encoding="utf-8") + (home / ".profile").write_text("# default profile\n", encoding="utf-8") + + (home / ".bash_aliases").write_text("alias ll='ls -la'\n", encoding="utf-8") + + target = home / "target" + target.write_text("# symlink target\n", encoding="utf-8") + os.symlink(target, home / ".bash_logout") + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + + captured = capture_user_shell_dotfiles( + bundle_dir=str(tmp_path / "bundle"), + role_name="users", + home=str(home), + skel_dir=str(skel), + enabled=True, + policy=IgnorePolicy(dangerous=True), + path_filter=PathFilter(), + managed_out=managed, + excluded_out=excluded, + seen_role=set(), + seen_global=set(), + ) + + captured_paths = {mf.path for mf in managed} + assert captured == 2 + assert str(home / ".bashrc") in captured_paths + assert str(home / ".bash_aliases") in captured_paths + assert str(home / ".profile") not in captured_paths + assert str(home / ".bash_logout") not in captured_paths + assert excluded == [] + + +if __name__ == "__main__": + pytest.main([__file__, "-v"]) diff --git a/tests/test_harvest_collectors.py b/tests/test_harvest_collectors.py new file mode 100644 index 0000000..f4de696 --- /dev/null +++ b/tests/test_harvest_collectors.py @@ -0,0 +1,446 @@ +from __future__ import annotations + +from pathlib import Path + +from enroll.harvest_collectors.context import HarvestContext +from enroll.harvest_collectors.paths import ExtraPathsCollector, UsrLocalCustomCollector +from enroll.harvest_collectors.runtime import RuntimeStateCollector +from enroll.harvest_types import FirewallRuntimeSnapshot, ManagedFile, SysctlSnapshot +from enroll.ignore import IgnorePolicy +from enroll.pathfilter import PathFilter + + +class _Backend: + name = "dpkg" + + +def _context(tmp_path: Path, *, include=(), exclude=(), policy=None) -> HarvestContext: + return HarvestContext( + bundle_dir=str(tmp_path / "bundle"), + policy=policy or IgnorePolicy(), + path_filter=PathFilter(include=include, exclude=exclude), + platform={}, + backend=_Backend(), + installed_pkgs={}, + installed_names=set(), + owned_etc=set(), + etc_owner_map={}, + topdir_to_pkgs={}, + pkg_to_etc_paths={}, + captured_global=set(), + ) + + +def test_runtime_state_collector_preserves_non_root_skip_schema(monkeypatch, tmp_path): + monkeypatch.setattr("enroll.harvest.os.geteuid", lambda: 1000) + + result = RuntimeStateCollector(_context(tmp_path)).collect() + + assert isinstance(result.firewall_runtime_snapshot, FirewallRuntimeSnapshot) + assert isinstance(result.sysctl_snapshot, SysctlSnapshot) + assert result.firewall_runtime_snapshot.role_name == "firewall_runtime" + assert result.sysctl_snapshot.role_name == "sysctl" + assert "not running as root" in result.firewall_runtime_snapshot.notes[0] + assert "not running as root" in result.sysctl_snapshot.notes[0] + + +def test_container_images_collector_records_digest_pinned_docker_images( + monkeypatch, tmp_path +): + import json + import subprocess + + from enroll.harvest_collectors import container_images as ci + from enroll.harvest_collectors.container_images import ContainerImagesCollector + + def fake_which(cmd): + return f"/usr/bin/{cmd}" if cmd == "docker" else None + + def fake_run(argv, check=False, stdout=None, stderr=None, text=False, timeout=None): + if argv[:4] == ["/usr/bin/docker", "image", "ls", "-q"]: + return subprocess.CompletedProcess(argv, 0, "sha256:" + "a" * 64 + "\n", "") + if argv[:3] == ["/usr/bin/docker", "image", "inspect"]: + return subprocess.CompletedProcess( + argv, + 0, + json.dumps( + [ + { + "Id": "sha256:" + "a" * 64, + "RepoTags": ["docker.io/library/nginx:1.27"], + "RepoDigests": [ + "docker.io/library/nginx@sha256:" + "b" * 64 + ], + "Os": "linux", + "Architecture": "amd64", + "Size": 123, + "Created": "2026-01-01T00:00:00Z", + } + ] + ), + "", + ) + raise AssertionError(argv) + + monkeypatch.setattr(ci.shutil, "which", fake_which) + monkeypatch.setattr(ci.subprocess, "run", fake_run) + + result = ContainerImagesCollector(_context(tmp_path)).collect() + + assert result.role_name == "container_images" + assert len(result.images) == 1 + image = result.images[0] + assert image["engine"] == "docker" + assert image["pull_ref"] == "docker.io/library/nginx@sha256:" + "b" * 64 + assert image["platform"] == "linux/amd64" + assert image["tag_aliases"] == [ + { + "ref": "docker.io/library/nginx:1.27", + "repository": "docker.io/library/nginx", + "tag": "1.27", + } + ] + + +def test_container_images_collector_records_unpullable_tagged_images( + monkeypatch, tmp_path +): + import json + import subprocess + + from enroll.harvest_collectors import container_images as ci + from enroll.harvest_collectors.container_images import ContainerImagesCollector + + def fake_which(cmd): + return "/usr/bin/podman" if cmd == "podman" else None + + monkeypatch.setattr(ci.shutil, "which", fake_which) + + def fake_run(argv, check=False, stdout=None, stderr=None, text=False, timeout=None): + if argv[:4] == ["/usr/bin/podman", "image", "ls", "-q"]: + return subprocess.CompletedProcess(argv, 0, "c" * 64 + "\n", "") + if argv[:3] == ["/usr/bin/podman", "image", "inspect"]: + return subprocess.CompletedProcess( + argv, + 0, + json.dumps( + [ + { + "Id": "c" * 64, + "RepoTags": ["localhost/demo:latest"], + "RepoDigests": [], + "Os": "linux", + "Architecture": "amd64", + } + ] + ), + "", + ) + raise AssertionError(argv) + + monkeypatch.setattr(ci.subprocess, "run", fake_run) + + result = ContainerImagesCollector(_context(tmp_path)).collect() + + assert result.images[0]["pull_ref"] is None + assert "exact digest-pinned pull cannot be rendered" in result.images[0]["notes"][0] + + +def test_container_images_collector_notes_list_exceptions(monkeypatch, tmp_path): + from enroll.harvest_collectors import container_images as ci + from enroll.harvest_collectors.container_images import ContainerImagesCollector + + monkeypatch.setattr( + ci.shutil, + "which", + lambda cmd: f"/usr/bin/{cmd}" if cmd == "docker" else None, + ) + + def boom(_argv, *, timeout=20): + raise RuntimeError("socket unavailable") + + monkeypatch.setattr(ci, "_run_command", boom) + + result = ContainerImagesCollector(_context(tmp_path)).collect() + + assert result.images == [] + assert "Failed to list docker images" in result.notes[0] + + +def test_container_images_collector_notes_list_nonzero_without_detail( + monkeypatch, tmp_path +): + import subprocess + + from enroll.harvest_collectors import container_images as ci + from enroll.harvest_collectors.container_images import ContainerImagesCollector + + monkeypatch.setattr( + ci.shutil, + "which", + lambda cmd: f"/usr/bin/{cmd}" if cmd == "podman" else None, + ) + monkeypatch.setattr( + ci, + "_run_command", + lambda argv, *, timeout=20: subprocess.CompletedProcess(argv, 42, "", ""), + ) + + result = ContainerImagesCollector(_context(tmp_path)).collect() + + assert result.images == [] + assert "exit 42" in result.notes[0] + + +def test_container_images_collector_notes_bad_inspect_json(monkeypatch, tmp_path): + import subprocess + + from enroll.harvest_collectors import container_images as ci + from enroll.harvest_collectors.container_images import ContainerImagesCollector + + image_id = "sha256:" + "d" * 64 + monkeypatch.setattr( + ci.shutil, + "which", + lambda cmd: f"/usr/bin/{cmd}" if cmd == "docker" else None, + ) + + def fake_run(argv, *, timeout=20): + if argv[:4] == ["/usr/bin/docker", "image", "ls", "-q"]: + return subprocess.CompletedProcess(argv, 0, image_id + "\n", "") + if argv[:3] == ["/usr/bin/docker", "image", "inspect"]: + return subprocess.CompletedProcess(argv, 0, "not json", "") + raise AssertionError(argv) + + monkeypatch.setattr(ci, "_run_command", fake_run) + + result = ContainerImagesCollector(_context(tmp_path)).collect() + + assert result.images == [] + assert "Failed to parse docker image inspect JSON" in result.notes[0] + + +def test_container_images_collector_notes_unexpected_inspect_shape( + monkeypatch, tmp_path +): + import subprocess + + from enroll.harvest_collectors import container_images as ci + from enroll.harvest_collectors.container_images import ContainerImagesCollector + + image_id = "sha256:" + "e" * 64 + monkeypatch.setattr( + ci.shutil, + "which", + lambda cmd: f"/usr/bin/{cmd}" if cmd == "docker" else None, + ) + + def fake_run(argv, *, timeout=20): + if argv[:4] == ["/usr/bin/docker", "image", "ls", "-q"]: + return subprocess.CompletedProcess(argv, 0, image_id + "\n", "") + if argv[:3] == ["/usr/bin/docker", "image", "inspect"]: + return subprocess.CompletedProcess(argv, 0, '{"not":"a-list"}', "") + raise AssertionError(argv) + + monkeypatch.setattr(ci, "_run_command", fake_run) + + result = ContainerImagesCollector(_context(tmp_path)).collect() + + assert result.images == [] + assert "Unexpected docker image inspect JSON shape" in result.notes[0] + + +def test_extra_paths_collector_records_dirs_files_notes_and_excludes( + monkeypatch, tmp_path +): + from enroll.harvest_collectors import paths + + root = tmp_path / "include" + sub = root / "sub" + skip = root / "skip" + sub.mkdir(parents=True) + skip.mkdir() + keep_file = sub / "keep.conf" + keep_file.write_text("ok", encoding="utf-8") + skip_file = skip / "skip.conf" + skip_file.write_text("no", encoding="utf-8") + + class Policy(IgnorePolicy): + def deny_reason_dir(self, path: str): + return "denied_dir" if path == str(sub) else None + + def fake_stat_triplet(path: str): + return ("root", "root", "0755") + + def fake_capture_file(**kwargs): + kwargs["managed_out"].append( + ManagedFile( + path=kwargs["abs_path"], + src_rel=kwargs["abs_path"].lstrip("/"), + owner="root", + group="root", + mode="0644", + reason=kwargs["reason"], + ) + ) + return True + + monkeypatch.setattr(paths.h, "stat_triplet", fake_stat_triplet) + monkeypatch.setattr(paths, "capture_file", lambda *a, **kw: fake_capture_file(**kw)) + + ctx = _context( + tmp_path, + include=[str(root)], + exclude=[str(skip)], + policy=Policy(), + ) + result = ExtraPathsCollector( + ctx, + seen_by_role={}, + already_all=set(), + include_paths=[str(root)], + exclude_paths=[str(skip)], + ).collect() + + managed_dirs = {d.path for d in result.managed_dirs} + assert str(root) in managed_dirs + assert str(sub) not in managed_dirs # denied by policy + assert str(skip) not in managed_dirs # pruned by exclude filter + assert [m.path for m in result.managed_files] == [str(keep_file)] + assert "User include patterns:" in result.notes + assert f"- {root}" in result.notes + assert f"- {skip}" in result.notes + + +def test_extra_paths_collector_skips_already_captured_files(monkeypatch, tmp_path): + from enroll.harvest_collectors import paths + + root = tmp_path / "include" + root.mkdir() + file_path = root / "keep.conf" + file_path.write_text("ok", encoding="utf-8") + calls: list[str] = [] + + monkeypatch.setattr(paths.h, "stat_triplet", lambda p: ("root", "root", "0755")) + monkeypatch.setattr( + paths, "capture_file", lambda *a, **kw: calls.append(kw["abs_path"]) or True + ) + + ctx = _context(tmp_path, include=[str(root)]) + result = ExtraPathsCollector( + ctx, + seen_by_role={}, + already_all={str(file_path)}, + include_paths=[str(root)], + ).collect() + + assert result.managed_files == [] + assert calls == [] + + +def test_usr_local_custom_collector_scans_executable_bin_and_notes_cap( + monkeypatch, tmp_path +): + from enroll.harvest_collectors import paths + + captured: list[str] = [] + + def fake_isdir(path: str) -> bool: + return path in {"/usr/local/etc", "/usr/local/bin"} + + def fake_walk(root: str): + if root == "/usr/local/etc": + yield root, [], ["app.conf"] + elif root == "/usr/local/bin": + yield root, [], ["tool", "not-exec"] + + def fake_isfile(path: str) -> bool: + return path in { + "/usr/local/etc/app.conf", + "/usr/local/bin/tool", + "/usr/local/bin/not-exec", + } + + def fake_stat_triplet(path: str): + mode = "0755" if path == "/usr/local/bin/tool" else "0644" + return ("root", "root", mode) + + def fake_capture_file(**kwargs): + captured.append(kwargs["abs_path"]) + kwargs["managed_out"].append( + ManagedFile( + path=kwargs["abs_path"], + src_rel=kwargs["abs_path"].lstrip("/"), + owner="root", + group="root", + mode="0644", + reason=kwargs["reason"], + ) + ) + return True + + monkeypatch.setattr(paths.os.path, "isdir", fake_isdir) + monkeypatch.setattr(paths.os, "walk", fake_walk) + monkeypatch.setattr(paths.os.path, "isfile", fake_isfile) + monkeypatch.setattr(paths.os.path, "islink", lambda p: False) + monkeypatch.setattr(paths.h, "stat_triplet", fake_stat_triplet) + monkeypatch.setattr(paths, "capture_file", lambda *a, **kw: fake_capture_file(**kw)) + + ctx = _context(tmp_path) + result = UsrLocalCustomCollector(ctx, seen_by_role={}, already_all=set()).collect() + + assert captured == ["/usr/local/etc/app.conf", "/usr/local/bin/tool"] + assert [m.reason for m in result.managed_files] == [ + "usr_local_etc_custom", + "usr_local_bin_script", + ] + + +def test_extra_paths_collector_records_symlinks_without_following(tmp_path): + root = tmp_path / "include" + root.mkdir() + real_file = root / "real.conf" + real_file.write_text("ok", encoding="utf-8") + (root / "link.conf").symlink_to("real.conf") + + outside = tmp_path / "outside" + outside.mkdir() + (outside / "outside.conf").write_text("do-not-follow", encoding="utf-8") + (root / "shared").symlink_to(outside, target_is_directory=True) + + ctx = _context(tmp_path, include=[str(root)]) + result = ExtraPathsCollector( + ctx, + seen_by_role={}, + already_all=set(), + include_paths=[str(root)], + ).collect() + + links = {(link.path, link.target, link.reason) for link in result.managed_links} + assert (str(root / "link.conf"), "real.conf", "user_include_link") in links + assert (str(root / "shared"), str(outside), "user_include_link") in links + + managed_files = {mf.path for mf in result.managed_files} + assert str(real_file) in managed_files + assert str(outside / "outside.conf") not in managed_files + + +def test_extra_paths_collector_records_include_path_that_is_symlink(tmp_path): + real_root = tmp_path / "real" + real_root.mkdir() + (real_root / "inside.conf").write_text("do-not-follow", encoding="utf-8") + link_root = tmp_path / "linked-root" + link_root.symlink_to(real_root, target_is_directory=True) + + ctx = _context(tmp_path, include=[str(link_root)]) + result = ExtraPathsCollector( + ctx, + seen_by_role={}, + already_all=set(), + include_paths=[str(link_root)], + ).collect() + + assert [(link.path, link.target, link.reason) for link in result.managed_links] == [ + (str(link_root), str(real_root), "user_include_link") + ] + assert result.managed_files == [] diff --git a/tests/test_harvest_collectors_package_manager.py b/tests/test_harvest_collectors_package_manager.py new file mode 100644 index 0000000..ca805dd --- /dev/null +++ b/tests/test_harvest_collectors_package_manager.py @@ -0,0 +1,84 @@ +from __future__ import annotations + +from pathlib import Path + +from enroll.harvest_collectors.context import HarvestContext +from enroll.harvest_collectors.package_manager import PackageManagerConfigCollector +from enroll.harvest_types import ManagedFile +from enroll.ignore import IgnorePolicy +from enroll.pathfilter import PathFilter + + +class _Backend: + def __init__(self, name: str): + self.name = name + + +def _context(tmp_path: Path, backend_name: str) -> HarvestContext: + return HarvestContext( + bundle_dir=str(tmp_path / "bundle"), + policy=IgnorePolicy(), + path_filter=PathFilter(include=(), exclude=()), + platform={}, + backend=_Backend(backend_name), + installed_pkgs={}, + installed_names=set(), + owned_etc=set(), + etc_owner_map={}, + topdir_to_pkgs={}, + pkg_to_etc_paths={}, + captured_global=set(), + ) + + +def _fake_capture(**kwargs): + kwargs["managed_out"].append( + ManagedFile( + path=kwargs["abs_path"], + src_rel=kwargs["abs_path"].lstrip("/"), + owner="root", + group="root", + mode="0644", + reason=kwargs["reason"], + ) + ) + return True + + +def test_package_manager_config_collector_captures_apt_branch(monkeypatch, tmp_path): + from enroll.harvest_collectors import package_manager as pm + + monkeypatch.setattr( + pm, "iter_apt_capture_paths", lambda: [("/etc/apt/a.conf", "apt")] + ) + monkeypatch.setattr(pm, "capture_file", lambda *a, **kw: _fake_capture(**kw)) + + result = PackageManagerConfigCollector(_context(tmp_path, "dpkg"), {}).collect() + + assert [m.path for m in result.apt_config_snapshot.managed_files] == [ + "/etc/apt/a.conf" + ] + assert result.dnf_config_snapshot.managed_files == [] + + +def test_package_manager_config_collector_captures_dnf_branch(monkeypatch, tmp_path): + from enroll.harvest_collectors import package_manager as pm + + monkeypatch.setattr( + pm, "iter_dnf_capture_paths", lambda: [("/etc/dnf/d.conf", "dnf")] + ) + monkeypatch.setattr(pm, "capture_file", lambda *a, **kw: _fake_capture(**kw)) + + result = PackageManagerConfigCollector(_context(tmp_path, "rpm"), {}).collect() + + assert result.apt_config_snapshot.managed_files == [] + assert [m.path for m in result.dnf_config_snapshot.managed_files] == [ + "/etc/dnf/d.conf" + ] + + +def test_package_manager_config_collector_unknown_backend_returns_empty(tmp_path): + result = PackageManagerConfigCollector(_context(tmp_path, "apk"), {}).collect() + + assert result.apt_config_snapshot.managed_files == [] + assert result.dnf_config_snapshot.managed_files == [] diff --git a/tests/test_harvest_cron_logrotate.py b/tests/test_harvest_cron_logrotate.py index d20d371..8e614b3 100644 --- a/tests/test_harvest_cron_logrotate.py +++ b/tests/test_harvest_cron_logrotate.py @@ -4,6 +4,8 @@ import json from pathlib import Path import enroll.harvest as h +import enroll.capture as capture +import enroll.harvest_collectors.cron_logrotate as cron_logrotate from enroll.platform import PlatformInfo from enroll.systemd import UnitInfo @@ -89,7 +91,7 @@ def test_harvest_unifies_cron_and_logrotate_into_dedicated_package_roles( } return list(mapping.get(spec, []))[:cap] - monkeypatch.setattr(h, "_iter_matching_files", fake_iter_matching) + monkeypatch.setattr(cron_logrotate, "iter_matching_files", fake_iter_matching) # Avoid real system probing. monkeypatch.setattr( @@ -128,7 +130,7 @@ def test_harvest_unifies_cron_and_logrotate_into_dedicated_package_roles( ) monkeypatch.setattr(h, "collect_non_system_users", lambda: []) monkeypatch.setattr( - h, + capture, "stat_triplet", lambda p: ("alice" if "alice" in p else "root", "root", "0644"), ) @@ -139,7 +141,7 @@ def test_harvest_unifies_cron_and_logrotate_into_dedicated_package_roles( dst.parent.mkdir(parents=True, exist_ok=True) dst.write_bytes(files.get(abs_path, b"")) - monkeypatch.setattr(h, "_copy_into_bundle", fake_copy) + monkeypatch.setattr(capture, "copy_into_bundle", fake_copy) state_path = h.harvest(str(bundle), policy=AllowAllPolicy()) st = json.loads(Path(state_path).read_text(encoding="utf-8")) diff --git a/tests/test_harvest_helpers.py b/tests/test_harvest_helpers.py index a0d2c91..07ae690 100644 --- a/tests/test_harvest_helpers.py +++ b/tests/test_harvest_helpers.py @@ -4,6 +4,8 @@ import os from pathlib import Path import enroll.harvest as h +import enroll.system_paths as sp +from enroll.package_hints import role_name_from_pkg, role_name_from_unit def test_iter_matching_files_skips_symlinks_and_walks_dirs(monkeypatch, tmp_path: Path): @@ -24,12 +26,12 @@ def test_iter_matching_files_skips_symlinks_and_walks_dirs(monkeypatch, tmp_path str(root / "link"): "link", } - monkeypatch.setattr(h.glob, "glob", lambda spec: [str(root), str(root / "link")]) - monkeypatch.setattr(h.os.path, "islink", lambda p: paths.get(p) == "link") - monkeypatch.setattr(h.os.path, "isfile", lambda p: paths.get(p) == "file") - monkeypatch.setattr(h.os.path, "isdir", lambda p: paths.get(p) == "dir") + monkeypatch.setattr(sp.glob, "glob", lambda spec: [str(root), str(root / "link")]) + monkeypatch.setattr(sp.os.path, "islink", lambda p: paths.get(p) == "link") + monkeypatch.setattr(sp.os.path, "isfile", lambda p: paths.get(p) == "file") + monkeypatch.setattr(sp.os.path, "isdir", lambda p: paths.get(p) == "dir") monkeypatch.setattr( - h.os, + sp.os, "walk", lambda p: [ (str(root), ["sub"], ["real.txt", "link"]), @@ -37,7 +39,7 @@ def test_iter_matching_files_skips_symlinks_and_walks_dirs(monkeypatch, tmp_path ], ) - out = h._iter_matching_files("/whatever/*", cap=100) + out = sp.iter_matching_files("/whatever/*", cap=100) assert str(root / "real.txt") in out assert str(root / "sub" / "nested.txt") in out assert str(root / "link") not in out @@ -57,7 +59,7 @@ def test_parse_apt_signed_by_extracts_keyrings(tmp_path: Path): f3 = tmp_path / "c.sources" f3.write_text("Signed-By: | /bin/echo nope\n", encoding="utf-8") - out = h._parse_apt_signed_by([str(f1), str(f2), str(f3)]) + out = sp.parse_apt_signed_by([str(f1), str(f2), str(f3)]) assert "/usr/share/keyrings/foo.gpg" in out assert "/etc/apt/keyrings/bar.gpg" in out assert "/usr/share/keyrings/baz.gpg" in out @@ -74,9 +76,9 @@ def test_iter_apt_capture_paths_includes_signed_by_keyring(monkeypatch): "/usr/share/keyrings/ext.gpg": "file", } - monkeypatch.setattr(h.os.path, "isdir", lambda p: p in {"/etc/apt"}) + monkeypatch.setattr(sp.os.path, "isdir", lambda p: p in {"/etc/apt"}) monkeypatch.setattr( - h.os, + sp.os, "walk", lambda root: [ ("/etc/apt", ["apt.conf.d", "sources.list.d"], []), @@ -84,8 +86,8 @@ def test_iter_apt_capture_paths_includes_signed_by_keyring(monkeypatch): ("/etc/apt/sources.list.d", [], ["test.list"]), ], ) - monkeypatch.setattr(h.os.path, "islink", lambda p: False) - monkeypatch.setattr(h.os.path, "isfile", lambda p: files.get(p) == "file") + monkeypatch.setattr(sp.os.path, "islink", lambda p: False) + monkeypatch.setattr(sp.os.path, "isfile", lambda p: files.get(p) == "file") # Only treat the sources glob as having a hit. def fake_iter_matching(spec: str, cap: int = 10000): @@ -93,7 +95,7 @@ def test_iter_apt_capture_paths_includes_signed_by_keyring(monkeypatch): return ["/etc/apt/sources.list.d/test.list"] return [] - monkeypatch.setattr(h, "_iter_matching_files", fake_iter_matching) + monkeypatch.setattr(sp, "iter_matching_files", fake_iter_matching) # Provide file contents for the sources file. real_open = open @@ -105,10 +107,10 @@ def test_iter_apt_capture_paths_includes_signed_by_keyring(monkeypatch): # Easier: patch _parse_apt_signed_by directly to avoid filesystem reads. monkeypatch.setattr( - h, "_parse_apt_signed_by", lambda sfs: {"/usr/share/keyrings/ext.gpg"} + sp, "parse_apt_signed_by", lambda sfs: {"/usr/share/keyrings/ext.gpg"} ) - out = h._iter_apt_capture_paths() + out = sp.iter_apt_capture_paths() paths = {p for p, _r in out} reasons = {p: r for p, r in out} assert "/etc/apt/apt.conf.d/00test" in paths @@ -138,19 +140,23 @@ def test_iter_dnf_capture_paths(monkeypatch): return [("/etc/pki/rpm-gpg", [], ["RPM-GPG-KEY"])] return [] - monkeypatch.setattr(h.os.path, "isdir", isdir) - monkeypatch.setattr(h.os, "walk", walk) - monkeypatch.setattr(h.os.path, "islink", lambda p: False) - monkeypatch.setattr(h.os.path, "isfile", lambda p: files.get(p) == "file") - monkeypatch.setattr( - h, - "_iter_matching_files", - lambda spec, cap=10000: ( - ["/etc/yum.repos.d/test.repo"] if spec.endswith("*.repo") else [] - ), - ) + monkeypatch.setattr(sp.os.path, "isdir", isdir) + monkeypatch.setattr(sp.os, "walk", walk) + monkeypatch.setattr(sp.os.path, "islink", lambda p: False) + monkeypatch.setattr(sp.os.path, "isfile", lambda p: files.get(p) == "file") - out = h._iter_dnf_capture_paths() + def fake_iter_matching(spec: str, cap: int = 10000): + if spec == "/etc/yum.conf": + return ["/etc/yum.conf"] + if spec.endswith("*.repo"): + return ["/etc/yum.repos.d/test.repo"] + if spec == "/etc/pki/rpm-gpg/*": + return ["/etc/pki/rpm-gpg/RPM-GPG-KEY"] + return [] + + monkeypatch.setattr(sp, "iter_matching_files", fake_iter_matching) + + out = sp.iter_dnf_capture_paths() paths = {p for p, _r in out} assert "/etc/dnf/dnf.conf" in paths assert "/etc/yum/yum.conf" in paths @@ -160,13 +166,13 @@ def test_iter_dnf_capture_paths(monkeypatch): def test_iter_system_capture_paths_dedupes_first_reason(monkeypatch): - monkeypatch.setattr(h, "_SYSTEM_CAPTURE_GLOBS", [("/a", "r1"), ("/b", "r2")]) + monkeypatch.setattr(sp, "_SYSTEM_CAPTURE_GLOBS", [("/a", "r1"), ("/b", "r2")]) monkeypatch.setattr( - h, - "_iter_matching_files", + sp, + "iter_matching_files", lambda spec, cap=10000: ["/dup"] if spec in {"/a", "/b"} else [], ) - out = h._iter_system_capture_paths() + out = sp.iter_system_capture_paths() assert out == [("/dup", "r1")] @@ -286,3 +292,107 @@ def test_collect_firewall_runtime_snapshot_is_per_family_fallback( assert ( tmp_path / "artifacts" / "firewall_runtime" / "firewall" / "iptables.v6" ).exists() + + +def test_package_role_names_do_not_collide_with_singleton_roles(): + assert role_name_from_pkg("flatpak") == "package_flatpak" + assert role_name_from_pkg("snap") == "package_snap" + assert role_name_from_pkg("users") == "package_users" + assert role_name_from_pkg("nginx") == "nginx" + + +def test_service_role_names_do_not_collide_with_singleton_roles(): + assert role_name_from_unit("flatpak.service") == "service_flatpak" + assert role_name_from_unit("users.service") == "service_users" + assert role_name_from_unit("nginx.service") == "nginx" + + +def test_parse_sysctl_a_output_keeps_persistable_values(monkeypatch): + monkeypatch.setattr( + h, + "_sysctl_key_is_persistable", + lambda key: (key != "kernel.hostname", "test"), + ) + + params, skipped = h._parse_sysctl_a_output( + "net.ipv4.ip_forward = 1\n" + "kernel.hostname = example\n" + "malformed line\n" + "dev.cdrom.info = \n" + "net.ipv4.ip_forward = 0\n" + ) + + assert params == {"net.ipv4.ip_forward": "1"} + assert skipped["non_persistable"] == 1 + assert skipped["malformed"] == 1 + assert skipped["empty_value"] == 1 + assert skipped["duplicate"] == 1 + + +def test_sysctl_filter_skips_non_replayable_runtime_keys(monkeypatch): + for key in ( + "fs.binfmt_misc.status", + "fs.binfmt_misc.register", + "kernel.kexec_load_disabled", + "kernel.kexec_load_limit_panic", + "kernel.kexec_load_limit_reboot", + "kernel.max_rcu_stall_to_panic", + "kernel.modules_disabled", + "kernel.sched_domain.cpu0.domain0.flags", + ): + ok, reason = h._sysctl_key_is_persistable(key) + assert ok is False + assert reason == "volatile/action key" + + monkeypatch.setattr(h, "_sysctl_key_is_persistable", lambda key: (True, "")) + for key in ( + "vm.dirty_background_bytes", + "vm.dirty_background_ratio", + "vm.dirty_bytes", + "vm.dirty_ratio", + ): + ok, reason = h._sysctl_entry_is_persistable(key, "0") + assert ok is False + assert reason == "inactive mutually-exclusive zero value" + assert h._sysctl_entry_is_persistable(key, "10")[0] is True + + +def test_parse_sysctl_a_output_skips_non_replayable_values(monkeypatch): + monkeypatch.setattr( + h, + "_sysctl_key_is_persistable", + lambda key: (key != "kernel.modules_disabled", "volatile/action key"), + ) + + params, skipped = h._parse_sysctl_a_output( + "kernel.modules_disabled = 0\n" + "vm.dirty_background_bytes = 0\n" + "vm.dirty_ratio = 20\n" + "net.ipv4.ip_forward = 1\n" + ) + + assert params == {"net.ipv4.ip_forward": "1", "vm.dirty_ratio": "20"} + assert skipped["non_persistable"] == 2 + + +def test_collect_sysctl_snapshot_writes_generated_artifact(monkeypatch, tmp_path: Path): + monkeypatch.setattr( + h, + "_run_capture_command", + lambda command_key, *, timeout=10: ( + "net.ipv4.ip_forward = 1\nvm.swappiness = 10\n", + None, + ), + ) + monkeypatch.setattr(h, "_sysctl_key_is_persistable", lambda key: (True, "")) + + snap = h._collect_sysctl_snapshot(str(tmp_path)) + + assert snap.role_name == "sysctl" + assert snap.parameters == {"net.ipv4.ip_forward": "1", "vm.swappiness": "10"} + assert len(snap.managed_files) == 1 + assert snap.managed_files[0].path == "/etc/sysctl.d/99-enroll.conf" + conf = tmp_path / "artifacts" / "sysctl" / "sysctl" / "99-enroll.conf" + text = conf.read_text(encoding="utf-8") + assert "net.ipv4.ip_forward = 1" in text + assert "vm.swappiness = 10" in text diff --git a/tests/test_harvest_safety.py b/tests/test_harvest_safety.py new file mode 100644 index 0000000..ef01cc5 --- /dev/null +++ b/tests/test_harvest_safety.py @@ -0,0 +1,322 @@ +from __future__ import annotations + +import os +import stat +from pathlib import Path + +import pytest + +from enroll.capture import capture_file +from enroll.harvest import harvest +from enroll.harvest_types import ExcludedFile, ManagedFile +from enroll.ignore import FileInspection, IgnorePolicy +from enroll.manifest_safety import prepare_manifest_output_dir +from enroll.harvest_safety import OutputSafetyError, prepare_new_private_dir +from enroll.pathfilter import PathFilter + +import enroll.harvest_safety as hs + + +class _RacePolicy(IgnorePolicy): + def inspect_file(self, path: str): + fd = os.open(path, os.O_RDONLY | getattr(os, "O_CLOEXEC", 0)) + try: + st = os.fstat(fd) + data = os.read(fd, st.st_size) + finally: + os.close(fd) + Path(path).write_bytes(b"changed-after-inspection") + return None, FileInspection(data=data, stat_result=st) + + +def test_prepare_new_private_dir_refuses_existing_path(tmp_path: Path): + out = tmp_path / "bundle" + out.mkdir() + with pytest.raises(OutputSafetyError, match="already exists"): + prepare_new_private_dir(out, label="harvest output") + + +def test_prepare_new_private_dir_creates_0700(tmp_path: Path): + out = prepare_new_private_dir(tmp_path / "bundle", label="harvest output") + assert out.exists() + assert (out.stat().st_mode & 0o777) == 0o700 + + +def test_harvest_refuses_existing_plaintext_output_dir(tmp_path: Path): + out = tmp_path / "bundle" + out.mkdir() + with pytest.raises(OutputSafetyError, match="already exists"): + harvest(str(out)) + + +def test_manifest_output_dir_is_private_by_default(tmp_path: Path): + out = prepare_manifest_output_dir(tmp_path / "manifest") + assert (out.stat().st_mode & 0o777) == 0o700 + + +def test_capture_file_writes_inspected_bytes_not_later_source(tmp_path: Path): + source = tmp_path / "source.conf" + source.write_bytes(b"safe-original") + bundle = tmp_path / "bundle" + bundle.mkdir() + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + ok = capture_file( + bundle_dir=str(bundle), + role_name="role", + abs_path=str(source), + reason="test", + policy=_RacePolicy(), + path_filter=PathFilter(), + managed_out=managed, + excluded_out=excluded, + ) + + assert ok is True + artifact = bundle / "artifacts" / "role" / str(source).lstrip("/") + assert artifact.read_bytes() == b"safe-original" + assert source.read_bytes() == b"changed-after-inspection" + + +def test_capture_file_rejects_symlink_source_with_ignore_policy(tmp_path: Path): + target = tmp_path / "target.conf" + target.write_text("safe=true\n", encoding="utf-8") + link = tmp_path / "link.conf" + link.symlink_to(target) + bundle = tmp_path / "bundle" + bundle.mkdir() + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + ok = capture_file( + bundle_dir=str(bundle), + role_name="role", + abs_path=str(link), + reason="test", + policy=IgnorePolicy(), + path_filter=PathFilter(), + managed_out=managed, + excluded_out=excluded, + ) + + assert ok is False + assert managed == [] + # Symlinked sources are now reported with the dedicated symlink_component + # reason (covers both symlinked leaves and symlinked parent directories), + # which is more precise than the old generic not_regular_file. + assert excluded and excluded[0].reason == "symlink_component" + + +def test_capture_file_rejects_symlinked_parent_with_ignore_policy(tmp_path: Path): + """O_NOFOLLOW only guards the final component. A regular file reached + through a symlinked *parent* directory must still be refused, otherwise a + file whose real location is deny-globbed could be captured while its + logical (recorded) path looks safe. + """ + + secret = tmp_path / "secretroot" + secret.mkdir() + (secret / "config").write_text("listen_port=8080\n", encoding="utf-8") + (tmp_path / "allowed").symlink_to(secret, target_is_directory=True) + bundle = tmp_path / "bundle" + bundle.mkdir() + + managed: list[ManagedFile] = [] + excluded: list[ExcludedFile] = [] + ok = capture_file( + bundle_dir=str(bundle), + role_name="role", + abs_path=str(tmp_path / "allowed" / "config"), + reason="test", + policy=IgnorePolicy(), + path_filter=PathFilter(), + managed_out=managed, + excluded_out=excluded, + ) + + assert ok is False + assert managed == [] + assert excluded and excluded[0].reason == "symlink_component" + # Nothing should have been written into the bundle. + artifact = bundle / "artifacts" / "role" / "allowed" / "config" + assert not artifact.exists() + + +def test_prepare_new_private_dir_rejects_symlink_parent(tmp_path: Path): + real = tmp_path / "real" + real.mkdir() + link = tmp_path / "link" + link.symlink_to(real, target_is_directory=True) + + with pytest.raises(OutputSafetyError, match="parent path contains a symlink"): + prepare_new_private_dir(link / "bundle", label="harvest output") + + +def test_manifest_output_dir_rejects_symlink_parent(tmp_path: Path): + from enroll.manifest_safety import ManifestOutputError + + real = tmp_path / "real" + real.mkdir() + link = tmp_path / "link" + link.symlink_to(real, target_is_directory=True) + + with pytest.raises(ManifestOutputError, match="parent path contains a symlink"): + prepare_manifest_output_dir(link / "manifest") + + +def test_prepare_new_private_dir_rejects_untrusted_root_parent( + tmp_path: Path, monkeypatch +): + import enroll.harvest_safety as hs + + untrusted = tmp_path / "untrusted" + untrusted.mkdir() + if hasattr(os, "geteuid") and os.geteuid() == 0: + try: + os.chown(untrusted, 65534, -1) + except OSError: + pass + + monkeypatch.setattr(hs, "_effective_uid", lambda: 0) + with pytest.raises(OutputSafetyError, match="not owned by root"): + prepare_new_private_dir(untrusted / "bundle", label="harvest output") + + +def test_prepare_new_private_dir_uses_real_euid_despite_os_geteuid_monkeypatch( + tmp_path: Path, monkeypatch +): + import enroll.harvest_safety as hs + + monkeypatch.setattr(hs.os, "geteuid", lambda: 0) + out = prepare_new_private_dir(tmp_path / "bundle", label="harvest output") + + assert out.is_dir() + assert (out.stat().st_mode & 0o777) == 0o700 + + +def test_write_text_output_file_replaces_final_symlink_not_target(tmp_path: Path): + from enroll.harvest_safety import write_text_output_file + + target = tmp_path / "target.txt" + target.write_text("old\n", encoding="utf-8") + link = tmp_path / "report.txt" + link.symlink_to(target) + + write_text_output_file(link, "new\n", label="test report") + + assert not link.is_symlink() + assert link.read_text(encoding="utf-8") == "new\n" + assert target.read_text(encoding="utf-8") == "old\n" + + +def test_safe_output_parent_does_not_descend_into_raced_symlink( + tmp_path: Path, monkeypatch +): + import enroll.harvest_safety as hs + + target = tmp_path / "target" + target.mkdir() + link = tmp_path / "link" + real_mkdir = os.mkdir + + def racing_mkdir(path, mode=0o777, *, dir_fd=None): + if Path(path) == link and not link.exists(): + link.symlink_to(target, target_is_directory=True) + if dir_fd is not None: + return real_mkdir(path, mode, dir_fd=dir_fd) + return real_mkdir(path, mode) + + monkeypatch.setattr(hs.os, "mkdir", racing_mkdir) + + with pytest.raises(OutputSafetyError, match="parent path contains a symlink"): + hs.ensure_safe_output_parent(link / "subdir" / "report.txt", label="report") + + assert not (target / "subdir").exists() + + +def _stat_result(mode: int, *, uid: int = 0) -> os.stat_result: + return os.stat_result((mode, 1, 1, 1, uid, 0, 0, 0, 0, 0)) + + +def test_effective_uid_handles_missing_geteuid(monkeypatch): + monkeypatch.setattr(hs, "_OS_GETEUID", None) + assert hs._effective_uid() is None + + +def test_effective_uid_handles_geteuid_error(monkeypatch): + def boom(): + raise OSError("no euid") + + monkeypatch.setattr(hs, "_OS_GETEUID", boom) + assert hs._effective_uid() is None + + +def test_trusted_root_parent_skips_checks_when_not_root(monkeypatch): + monkeypatch.setattr(hs, "_effective_uid", lambda: 1000) + hs._assert_trusted_root_parent( + Path("not-a-dir"), _stat_result(stat.S_IFREG | 0o644, uid=1234), label="x" + ) + + +def test_trusted_root_parent_rejects_non_directory(monkeypatch): + monkeypatch.setattr(hs, "_effective_uid", lambda: 0) + with pytest.raises(OutputSafetyError, match="parent is not a directory"): + hs._assert_trusted_root_parent( + Path("file"), _stat_result(stat.S_IFREG | 0o644), label="x" + ) + + +def test_trusted_root_parent_rejects_group_or_world_writable(monkeypatch): + monkeypatch.setattr(hs, "_effective_uid", lambda: 0) + with pytest.raises(OutputSafetyError, match="writable by group/other"): + hs._assert_trusted_root_parent( + Path("open-dir"), _stat_result(stat.S_IFDIR | 0o777), label="x" + ) + + +def test_trusted_root_parent_allows_root_owned_sticky_shared_dir(monkeypatch): + monkeypatch.setattr(hs, "_effective_uid", lambda: 0) + hs._assert_trusted_root_parent( + Path("tmp"), _stat_result(stat.S_IFDIR | stat.S_ISVTX | 0o777), label="x" + ) + + +def test_assert_no_existing_symlink_components_without_root_trust_still_rejects_symlink( + tmp_path: Path, +): + real = tmp_path / "real" + real.mkdir() + link = tmp_path / "link" + link.symlink_to(real, target_is_directory=True) + + with pytest.raises(OutputSafetyError, match="parent path contains a symlink"): + hs._assert_no_existing_symlink_components( + link / "leaf", label="x", require_trusted_root_parents=False + ) + + +def test_ensure_private_empty_dir_rejects_bad_existing_paths(tmp_path: Path): + file_path = tmp_path / "file" + file_path.write_text("x", encoding="utf-8") + with pytest.raises(OutputSafetyError, match="not a directory"): + hs.ensure_private_empty_dir(file_path, label="cache") + + nonempty = tmp_path / "nonempty" + nonempty.mkdir() + (nonempty / "child").write_text("x", encoding="utf-8") + with pytest.raises(OutputSafetyError, match="not empty"): + hs.ensure_private_empty_dir(nonempty, label="cache") + + real = tmp_path / "real" + real.mkdir() + link = tmp_path / "link" + link.symlink_to(real, target_is_directory=True) + with pytest.raises(OutputSafetyError, match="symlink"): + hs.ensure_private_empty_dir(link, label="cache") + + +def test_ensure_private_empty_dir_creates_private_dir(tmp_path: Path): + out = hs.ensure_private_empty_dir(tmp_path / "new-cache", label="cache") + assert out.is_dir() + assert (out.stat().st_mode & 0o777) == 0o700 diff --git a/tests/test_harvest_symlinks.py b/tests/test_harvest_symlinks.py index b327542..c177cda 100644 --- a/tests/test_harvest_symlinks.py +++ b/tests/test_harvest_symlinks.py @@ -2,6 +2,8 @@ import json from pathlib import Path import enroll.harvest as h +import enroll.harvest_collectors.services as services +import enroll.capture as capture from enroll.platform import PlatformInfo from enroll.systemd import UnitInfo @@ -78,7 +80,7 @@ def _base_monkeypatches(monkeypatch, *, unit: str): # Avoid walking the real filesystem. monkeypatch.setattr(h.os, "walk", lambda root: iter(())) - monkeypatch.setattr(h, "_copy_into_bundle", lambda *a, **k: None) + monkeypatch.setattr(capture, "copy_into_bundle", lambda *a, **k: None) # Default to a "no files exist" view of the world unless a test overrides. monkeypatch.setattr(h.os.path, "isfile", lambda p: False) @@ -119,7 +121,7 @@ def test_harvest_captures_nginx_enabled_symlinks(monkeypatch, tmp_path: Path): return ["/etc/nginx/modules-enabled/mod-http"] return [] - monkeypatch.setattr(h.glob, "glob", fake_glob) + monkeypatch.setattr(services.glob, "glob", fake_glob) state_path = h.harvest(str(bundle), policy=AllowAllPolicy()) st = json.loads(Path(state_path).read_text(encoding="utf-8")) @@ -158,7 +160,7 @@ def test_harvest_does_not_capture_enabled_symlinks_without_role( }, ) monkeypatch.setattr( - h.glob, "glob", lambda pat: ["/etc/nginx/sites-enabled/default"] + services.glob, "glob", lambda pat: ["/etc/nginx/sites-enabled/default"] ) monkeypatch.setattr(h.os.path, "islink", lambda p: True) monkeypatch.setattr(h.os, "readlink", lambda p: "../sites-available/default") @@ -186,7 +188,7 @@ def test_harvest_symlink_capture_respects_ignore_policy(monkeypatch, tmp_path: P monkeypatch.setattr(h.os.path, "islink", lambda p: p in links) monkeypatch.setattr(h.os, "readlink", lambda p: links[p]) monkeypatch.setattr( - h.glob, + services.glob, "glob", lambda pat: ( sorted(list(links.keys())) if pat == "/etc/nginx/sites-enabled/*" else [] @@ -251,7 +253,7 @@ def test_harvest_captures_apache2_enabled_symlinks(monkeypatch, tmp_path: Path): return ["/etc/apache2/conf-enabled/security.conf"] return [] - monkeypatch.setattr(h.glob, "glob", fake_glob) + monkeypatch.setattr(services.glob, "glob", fake_glob) state_path = h.harvest(str(bundle), policy=AllowAllPolicy()) st = json.loads(Path(state_path).read_text(encoding="utf-8")) diff --git a/tests/test_ignore.py b/tests/test_ignore.py index 1eaae01..2f138ef 100644 --- a/tests/test_ignore.py +++ b/tests/test_ignore.py @@ -1,3 +1,8 @@ +from __future__ import annotations + +import os +from pathlib import Path + from enroll.ignore import IgnorePolicy @@ -8,3 +13,406 @@ def test_ignore_policy_denies_common_backup_files(): assert pol.deny_reason("/etc/group-") == "backup_file" assert pol.deny_reason("/etc/something~") == "backup_file" assert pol.deny_reason("/foobar") == "unreadable" + + +def test_deny_reason_dir_with_denied_path(): + pol = IgnorePolicy() + assert pol.deny_reason_dir("/etc/ssl/private/key") == "denied_path" + assert pol.deny_reason_dir("/etc/ssh/ssh_host_key") == "denied_path" + assert pol.deny_reason_dir("/etc/ssh") is None + + +def test_deny_reason_dir_unreadable(tmp_path: Path): + pol = IgnorePolicy() + nonexistent = tmp_path / "nonexistent" + assert pol.deny_reason_dir(str(nonexistent)) == "unreadable" + + +def test_deny_reason_dir_symlink(tmp_path: Path): + pol = IgnorePolicy() + real_dir = tmp_path / "real" + real_dir.mkdir() + link = tmp_path / "link" + os.symlink(str(real_dir), str(link)) + assert pol.deny_reason_dir(str(link)) == "symlink" + + +def test_deny_reason_dir_not_directory(tmp_path: Path): + pol = IgnorePolicy() + regular_file = tmp_path / "file.txt" + regular_file.write_text("content", encoding="utf-8") + assert pol.deny_reason_dir(str(regular_file)) == "not_directory" + + +def test_deny_reason_dir_dangerous_mode(tmp_path: Path): + pol = IgnorePolicy(dangerous=True) + real_dir = tmp_path / "private" + real_dir.mkdir() + assert pol.deny_reason_dir(str(real_dir)) is None + + +def test_deny_reason_link_basic(tmp_path: Path): + pol = IgnorePolicy() + real_file = tmp_path / "real" + real_file.write_text("content", encoding="utf-8") + link = tmp_path / "link" + os.symlink(str(real_file), str(link)) + assert pol.deny_reason_link(str(link)) is None + + +def test_deny_reason_link_denied_path(): + pol = IgnorePolicy() + assert pol.deny_reason_link("/etc/ssh/ssh_host_rsa_key") == "denied_path" + + +def test_deny_reason_link_unreadable(tmp_path: Path): + pol = IgnorePolicy() + # Create a symlink in a directory that doesn't exist + # This simulates an unreadable path + broken_link = tmp_path / "broken_link" + os.symlink("/nonexistent/target", str(broken_link)) + # Broken symlinks are still readable (we can readlink them) + # So they return None (allowed) unless they match deny globs + result = pol.deny_reason_link(str(broken_link)) + # Broken symlinks are allowed - we can still read the link target + assert result is None + + +def test_deny_reason_link_not_symlink(tmp_path: Path): + pol = IgnorePolicy() + regular_file = tmp_path / "file.txt" + regular_file.write_text("content", encoding="utf-8") + assert pol.deny_reason_link(str(regular_file)) == "not_symlink" + + +def test_deny_reason_link_log_file(): + pol = IgnorePolicy() + assert pol.deny_reason_link("/var/log/something.log") == "log_file" + + +def test_deny_reason_link_backup_file(): + pol = IgnorePolicy() + assert pol.deny_reason_link("/etc/passwd-") == "backup_file" + assert pol.deny_reason_link("/etc/something~") == "backup_file" + + +def test_deny_reason_link_dangerous_mode(tmp_path: Path): + pol = IgnorePolicy(dangerous=True) + real_file = tmp_path / "real" + real_file.write_text("content", encoding="utf-8") + link = tmp_path / "link" + os.symlink(str(real_file), str(link)) + assert pol.deny_reason_link(str(link)) is None + + +def test_iter_effective_lines_with_comments(): + pol = IgnorePolicy() + content = b""" +# This is a comment +; This is also a comment +* continuation +def main(): + pass +""" + lines = list(pol.iter_effective_lines(content)) + assert b"def main():" in lines + assert b"# This is a comment" not in lines + + +def test_iter_effective_lines_with_block_comments(): + pol = IgnorePolicy() + content = b""" +/* This is a block comment + spanning multiple lines */ +int x = 5; +""" + lines = list(pol.iter_effective_lines(content)) + assert b"int x = 5;" in lines + assert b"/*" not in lines + + +def test_iter_effective_lines_empty(): + pol = IgnorePolicy() + content = b"" + lines = list(pol.iter_effective_lines(content)) + assert lines == [] + + +def test_deny_reason_binary_not_allowed(tmp_path: Path): + pol = IgnorePolicy() + binary = tmp_path / "random.bin" + binary.write_bytes(b"\x00\x01\x02\x03") + reason = pol.deny_reason(str(binary)) + assert reason == "binary_like" + + +def test_deny_reason_sensitive_content(tmp_path: Path): + pol = IgnorePolicy() + config = tmp_path / "config.txt" + config.write_text("password=secret123", encoding="utf-8") + reason = pol.deny_reason(str(config)) + assert reason == "sensitive_content" + + +def test_deny_reason_sensitive_api_key(tmp_path: Path): + pol = IgnorePolicy() + config = tmp_path / "config.txt" + config.write_text("api_key=abc123", encoding="utf-8") + reason = pol.deny_reason(str(config)) + assert reason == "sensitive_content" + + +def test_deny_reason_private_key(tmp_path: Path): + pol = IgnorePolicy() + key = tmp_path / "key.pem" + key.write_text( + "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...", encoding="utf-8" + ) + reason = pol.deny_reason(str(key)) + assert reason == "sensitive_content" + + +def test_deny_reason_sensitive_common_assignment_keys(tmp_path: Path): + pol = IgnorePolicy() + cases = { + "password_yaml": "password: hunter2\n", + "password_json": '{"password": "hunter2"}\n', + "db_password": "db_password: hunter2\n", + "client_secret": "client_secret: abc123\n", + "secret_key": "secret_key = abc123\n", + "auth_token": "auth_token: abc123\n", + "passphrase": "passphrase: abc123\n", + "credentials": "credentials = abc123\n", + } + for name, text in cases.items(): + config = tmp_path / name + config.write_text(text, encoding="utf-8") + assert pol.deny_reason(str(config)) == "sensitive_content", name + + +def test_deny_reason_sensitive_common_cloud_assignment_keys(tmp_path: Path): + pol = IgnorePolicy() + cases = { + "aws_access_key_id": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n", + "aws_secret_access_key": "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCY\n", + "azure_client_secret": "azure_client_secret: abc123\n", + "google_application_credentials": "GOOGLE_APPLICATION_CREDENTIALS=/etc/app/key.json\n", + "gcp_service_account": "gcp_service_account: svc@example.iam.gserviceaccount.com\n", + "service_account_key": "service_account_key: abc123\n", + } + for name, text in cases.items(): + config = tmp_path / name + config.write_text(text, encoding="utf-8") + assert pol.deny_reason(str(config)) == "sensitive_content", name + + +def test_deny_reason_too_large(tmp_path: Path): + pol = IgnorePolicy(max_file_bytes=100) + large = tmp_path / "large.txt" + large.write_bytes(b"x" * 200) + reason = pol.deny_reason(str(large)) + assert reason == "too_large" + + +def test_deny_reason_unreadable(tmp_path: Path): + pol = IgnorePolicy() + nonexistent = tmp_path / "nonexistent" + reason = pol.deny_reason(str(nonexistent)) + assert reason == "unreadable" + + +def test_deny_reason_not_regular_file(tmp_path: Path): + pol = IgnorePolicy() + directory = tmp_path / "dir" + directory.mkdir() + reason = pol.deny_reason(str(directory)) + assert reason == "not_regular_file" + + +def test_deny_reason_symlink_file(tmp_path: Path): + pol = IgnorePolicy() + real_file = tmp_path / "real" + real_file.write_text("content", encoding="utf-8") + link = tmp_path / "link" + os.symlink(str(real_file), str(link)) + reason = pol.deny_reason(str(link)) + # A symlinked path (final component or parent) is refused with the + # dedicated symlink_component reason so operators can tell symlink + # redirection apart from genuine non-regular files (sockets, devices). + assert reason == "symlink_component" + + +def test_deny_reason_logs(tmp_path: Path): + pol = IgnorePolicy() + log = tmp_path / "test.log" + log.write_text("log content", encoding="utf-8") + assert pol.deny_reason(str(log)) == "log_file" + + +def test_deny_reason_backup_file(tmp_path: Path): + pol = IgnorePolicy() + backup = tmp_path / "file~" + backup.write_text("backup", encoding="utf-8") + assert pol.deny_reason(str(backup)) == "backup_file" + + +def test_deny_reason_shadow_file(): + pol = IgnorePolicy() + assert pol.deny_reason("/etc/shadow") == "denied_path" + assert pol.deny_reason("/etc/gshadow") == "denied_path" + + +def test_deny_reason_ssl_private(): + pol = IgnorePolicy() + assert pol.deny_reason("/etc/ssl/private/key.pem") == "denied_path" + + +def test_deny_reason_ssh_host_keys(): + pol = IgnorePolicy() + assert pol.deny_reason("/etc/ssh/ssh_host_rsa_key") == "denied_path" + assert pol.deny_reason("/etc/ssh/ssh_host_ed25519_key") == "denied_path" + + +def test_deny_reason_letsencrypt(): + pol = IgnorePolicy() + assert ( + pol.deny_reason("/etc/letsencrypt/live/example.com/fullchain.pem") + == "denied_path" + ) + + +def test_deny_reason_shadow_backup(): + pol = IgnorePolicy() + assert pol.deny_reason("/etc/shadow-") == "backup_file" + assert pol.deny_reason("/etc/passwd-") == "backup_file" + + +def test_detects_encrypted_private_key_marker(tmp_path): + p = tmp_path / "key.pem" + p.write_text( + "-----BEGIN ENCRYPTED PRIVATE KEY-----\nabc\n-----END ENCRYPTED PRIVATE KEY-----\n", + encoding="utf-8", + ) + assert IgnorePolicy().deny_reason(str(p)) == "sensitive_content" + + +def test_detects_pgp_private_key_marker(tmp_path): + p = tmp_path / "pgp.asc" + p.write_text( + "-----BEGIN PGP PRIVATE KEY BLOCK-----\nabc\n-----END PGP PRIVATE KEY BLOCK-----\n", + encoding="utf-8", + ) + assert IgnorePolicy().deny_reason(str(p)) == "sensitive_content" + + +def test_secret_scan_reads_whole_file_under_size_cap(tmp_path): + p = tmp_path / "large.conf" + p.write_bytes(b"A" * 70_000 + b"\nlate_token = abc123\n") + assert IgnorePolicy().deny_reason(str(p)) == "sensitive_content" + + +def test_normalize_for_match_collapses_noncanonical_paths(): + from enroll.ignore import normalize_for_match + + assert normalize_for_match("/etc/shadow") == "/etc/shadow" + assert normalize_for_match("/etc//shadow") == "/etc/shadow" + assert normalize_for_match("/etc/foo/../shadow") == "/etc/shadow" + assert normalize_for_match("/etc/./shadow") == "/etc/shadow" + assert normalize_for_match("/etc/shadow/") == "/etc/shadow" + # A leading "//" is POSIX-significant to normpath but must collapse for + # glob matching anchored at "/". + assert normalize_for_match("//etc/shadow") == "/etc/shadow" + # "///" collapses to "/" via normpath already; ensure we don't mangle it. + assert normalize_for_match("///etc/shadow") == "/etc/shadow" + # Empty stays empty (no crash). + assert normalize_for_match("") == "" + + +def test_deny_reason_denies_noncanonical_sensitive_paths(): + # Regression: non-canonical spellings of a denied path must still be denied + # rather than slipping past the deny glob. Defense-in-depth on top of the + # O_NOFOLLOW open in inspect_file(); see normalize_for_match(). + pol = IgnorePolicy() + assert pol._path_deny_reason("/etc//shadow") == "denied_path" + assert pol._path_deny_reason("/etc/foo/../shadow") == "denied_path" + assert pol._path_deny_reason("/etc/./shadow") == "denied_path" + assert pol._path_deny_reason("/etc/ssl/private/../private/key") == "denied_path" + assert pol._path_deny_reason("//etc/shadow") == "denied_path" + # A normal config path is unaffected. + assert pol._path_deny_reason("/etc/nginx/nginx.conf") is None + + +def test_deny_reason_dir_denies_noncanonical_sensitive_paths(): + pol = IgnorePolicy() + # normpath("/etc/ssl/private/../private") -> "/etc/ssl/private" which is the + # glob root itself, so use paths that still resolve to a child of it. + assert pol.deny_reason_dir("/etc/ssl/private/sub/../child") == "denied_path" + assert pol.deny_reason_dir("/etc//ssl/private/sub") == "denied_path" + + +def test_deny_reason_link_denies_noncanonical_sensitive_paths(): + pol = IgnorePolicy() + assert pol.deny_reason_link("/etc/ssh/../ssh/ssh_host_rsa_key") == "denied_path" + assert pol.deny_reason_link("/etc//ssh/ssh_host_ed25519_key") == "denied_path" + + +def test_noncanonical_backup_and_log_fastpaths(): + pol = IgnorePolicy() + assert pol._path_deny_reason("/var/log/foo/../bar.log") == "log_file" + assert pol._path_deny_reason("/etc/foo/../something~") == "backup_file" + assert pol._path_deny_reason("/etc//passwd-") == "backup_file" + + +def test_inspect_file_refuses_symlinked_parent_directory(tmp_path: Path): + """A regular file reached through a symlinked *parent* directory must be + refused, even though O_NOFOLLOW alone would only guard the final + component. Otherwise a file whose real location is deny-globbed (or whose + content is benign) could be captured while its logical path looks safe. + """ + + pol = IgnorePolicy() + secret = tmp_path / "secretroot" + secret.mkdir() + (secret / "config").write_text("listen_port=8080\n", encoding="utf-8") + (tmp_path / "allowed").symlink_to(secret) + + reason, inspection = pol.inspect_file(str(tmp_path / "allowed" / "config")) + assert reason == "symlink_component" + assert inspection is None + + +def test_inspect_file_refuses_denyglob_evasion_via_symlinked_parent(tmp_path: Path): + """The strongest variant: the real file lives under a deny-globbed dir, + but is reached via a symlinked parent so the *logical* path does not match + the deny glob. Content is non-secret-looking (DH params), so only the + parent-symlink check stands between the operator and disclosure. + """ + + pol = IgnorePolicy() + realdir = tmp_path / "ssl_private" + realdir.mkdir() + (realdir / "dhparam.pem").write_text( + "-----BEGIN DH PARAMETERS-----\nMII...\n-----END DH PARAMETERS-----\n", + encoding="utf-8", + ) + (tmp_path / "innocent").symlink_to(realdir) + + reason, inspection = pol.inspect_file(str(tmp_path / "innocent" / "dhparam.pem")) + assert reason == "symlink_component" + assert inspection is None + + +def test_inspect_file_still_captures_normal_nested_file(tmp_path: Path): + """Regression guard: ordinary files in real (non-symlinked) directories + must still be inspected and returned. + """ + + pol = IgnorePolicy() + nested = tmp_path / "etc" / "myapp" + nested.mkdir(parents=True) + (nested / "app.conf").write_text("workers=4\n", encoding="utf-8") + + reason, inspection = pol.inspect_file(str(nested / "app.conf")) + assert reason is None + assert inspection is not None + assert inspection.data == b"workers=4\n" diff --git a/tests/test_jinjaturtle.py b/tests/test_jinjaturtle.py index b2c9022..464f473 100644 --- a/tests/test_jinjaturtle.py +++ b/tests/test_jinjaturtle.py @@ -1,7 +1,8 @@ -import json from pathlib import Path +from state_helpers import write_schema_state import enroll.manifest as manifest_mod +import enroll.jinjaturtle as jinjaturtle_mod from enroll.jinjaturtle import JinjifyResult @@ -31,7 +32,10 @@ def test_manifest_uses_jinjaturtle_templates_and_does_not_copy_raw( "foo": { "version": "1.0", "arches": [], - "installations": [{"version": "1.0", "arch": "amd64"}], + "installations": [ + {"version": "1.0", "arch": "amd64", "section": "utils"} + ], + "section": "utils", "observed_via": [{"kind": "systemd_unit", "ref": "foo.service"}], "roles": ["foo"], } @@ -99,11 +103,11 @@ def test_manifest_uses_jinjaturtle_templates_and_does_not_copy_raw( } bundle.mkdir(parents=True, exist_ok=True) - (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8") + write_schema_state(bundle, state) # Pretend jinjaturtle exists. monkeypatch.setattr( - manifest_mod, "find_jinjaturtle_cmd", lambda: "/usr/bin/jinjaturtle" + jinjaturtle_mod, "find_jinjaturtle_cmd", lambda: "/usr/bin/jinjaturtle" ) # Stub jinjaturtle output. @@ -116,20 +120,20 @@ def test_manifest_uses_jinjaturtle_templates_and_does_not_copy_raw( vars_text="foo_key: 1\n", ) - monkeypatch.setattr(manifest_mod, "run_jinjaturtle", fake_run_jinjaturtle) + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) manifest_mod.manifest(str(bundle), str(out), jinjaturtle="on") - # Template should exist in the role. - assert (out / "roles" / "foo" / "templates" / "etc" / "foo.ini.j2").exists() + role_dir = out / "roles" / "utils" + + # Template should exist in the grouped section role. + assert (role_dir / "templates" / "etc" / "foo.ini.j2").exists() # Raw file should NOT be copied into role files/ because it was templatised. - assert not (out / "roles" / "foo" / "files" / "etc" / "foo.ini").exists() + assert not (role_dir / "files" / "etc" / "foo.ini").exists() # Defaults should include jinjaturtle vars. - defaults = (out / "roles" / "foo" / "defaults" / "main.yml").read_text( - encoding="utf-8" - ) + defaults = (role_dir / "defaults" / "main.yml").read_text(encoding="utf-8") assert "foo_key: 1" in defaults @@ -143,3 +147,118 @@ def test_openssh_paths_are_jinjaturtle_supported_and_forced_to_ssh() -> None: assert can_jinjify_path("/etc/ssh/sshd_config") assert can_jinjify_path("/etc/ssh/ssh_config") + + +def test_jinjify_managed_files_namespaces_multiple_templates( + monkeypatch, tmp_path: Path +): + from enroll.jinjaturtle import jinjify_managed_files + + bundle = tmp_path / "bundle" + template_root = tmp_path / "templates" + for rel in ("etc/foo/a.yaml", "etc/foo/b.yaml"): + path = bundle / "artifacts" / "foo" / rel + path.parent.mkdir(parents=True, exist_ok=True) + path.write_text("ignore: []\n", encoding="utf-8") + + calls = [] + + def fake_run_jinjaturtle(jt_exe, src_path, *, role_name, force_format=None): + calls.append((Path(src_path).name, role_name)) + return JinjifyResult( + template_text=f"ignore: {{{{ {role_name}_ignore }}}}\n", + vars_text=f"{role_name}_ignore: []\n", + ) + + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) + + templated, vars_text = jinjify_managed_files( + bundle, + "foo", + template_root, + [ + {"path": "/etc/foo/a.yaml", "src_rel": "etc/foo/a.yaml"}, + {"path": "/etc/foo/b.yaml", "src_rel": "etc/foo/b.yaml"}, + ], + jt_exe="jinjaturtle", + jt_enabled=True, + overwrite_templates=True, + role_name="foo", + ) + + assert templated == {"etc/foo/a.yaml", "etc/foo/b.yaml"} + assert calls == [ + ("a.yaml", "foo_etc_foo_a_yaml"), + ("b.yaml", "foo_etc_foo_b_yaml"), + ] + assert "foo_etc_foo_a_yaml_ignore: []" in vars_text + assert "foo_etc_foo_b_yaml_ignore: []" in vars_text + assert (template_root / "etc" / "foo" / "a.yaml.j2").read_text( + encoding="utf-8" + ) == "ignore: {{ foo_etc_foo_a_yaml_ignore }}\n" + + +def test_jinjify_managed_files_rejects_templates_with_missing_defaults( + monkeypatch, tmp_path: Path +): + from enroll.jinjaturtle import jinjify_managed_files + + bundle = tmp_path / "bundle" + template_root = tmp_path / "templates" + artifact = bundle / "artifacts" / "foo" / "etc" / "foo" / "pdk.yaml" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("ignore: []\n", encoding="utf-8") + + def fake_run_jinjaturtle(jt_exe, src_path, *, role_name, force_format=None): + return JinjifyResult( + template_text=f"ignore: {{{{ {role_name}_ignore }}}}\n", + vars_text="--- {}\n", + ) + + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) + + templated, vars_text = jinjify_managed_files( + bundle, + "foo", + template_root, + [{"path": "/etc/foo/pdk.yaml", "src_rel": "etc/foo/pdk.yaml"}], + jt_exe="jinjaturtle", + jt_enabled=True, + overwrite_templates=True, + role_name="foo", + ) + + assert templated == set() + assert vars_text == "" + assert not (template_root / "etc" / "foo" / "pdk.yaml.j2").exists() + + +def test_jinjify_artifact_rejects_unsafe_src_rel(monkeypatch, tmp_path: Path): + from enroll.jinjaturtle import jinjify_artifact + + bundle = tmp_path / "bundle" + template_root = tmp_path / "templates" + outside = tmp_path / "outside.yaml" + outside.write_text("key: value\n", encoding="utf-8") + + called = False + + def fake_run_jinjaturtle(*_args, **_kwargs): + nonlocal called + called = True + return JinjifyResult(template_text="key: {{ key }}\n", vars_text="key: value\n") + + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) + + result = jinjify_artifact( + bundle, + "foo", + "../outside.yaml", + "/etc/foo.yaml", + template_root, + jt_exe="jinjaturtle", + jt_enabled=True, + ) + + assert result is None + assert called is False diff --git a/tests/test_manifest.py b/tests/test_manifest.py index 658d77f..27721ea 100644 --- a/tests/test_manifest.py +++ b/tests/test_manifest.py @@ -1,4 +1,3 @@ -import json from pathlib import Path import os @@ -7,6 +6,85 @@ import tarfile import pytest import enroll.manifest as manifest +from state_helpers import write_schema_state +import enroll.jinjaturtle as jinjaturtle_mod +from enroll import ansible as ansible_layout +from enroll import ansible as ansible_tasks +from enroll import ansible as ansible_yaml +from enroll import yamlutil as yaml_helpers + + +def _minimal_package_state(packages): + return { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": { + "packages": { + p["package"]: { + "version": "1.0", + "arches": ["amd64"], + "installations": [ + { + "version": "1.0", + "arch": "amd64", + "section": p.get("section") or "misc", + } + ], + "section": p.get("section") or "misc", + "observed_via": [{"kind": "package_role", "ref": p["role_name"]}], + "roles": [p["role_name"]], + } + for p in packages + } + }, + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": packages, + "apt_config": { + "role_name": "apt_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "include_patterns": [], + "exclude_patterns": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + }, + } + + +def _write_state(bundle: Path, state: dict) -> None: + write_schema_state(bundle, state) def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path): @@ -151,7 +229,7 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path): } bundle.mkdir(parents=True, exist_ok=True) - (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8") + write_schema_state(bundle, state) # Create artifact for etc_custom file so copy works (bundle / "artifacts" / "etc_custom" / "etc" / "default").mkdir( @@ -181,15 +259,21 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path): bundle / "artifacts" / "usr_local_custom" / "usr" / "local" / "bin" / "myscript" ).write_text("#!/bin/sh\necho hi\n", encoding="utf-8") - manifest.manifest(str(bundle), str(out)) + manifest.manifest(str(bundle), str(out), no_common_roles=True) # Service role: systemd management should be gated on foo_manage_unit and a probe. tasks = (out / "roles" / "foo" / "tasks" / "main.yml").read_text(encoding="utf-8") assert "- name: Probe whether systemd unit exists and is manageable" in tasks - assert "when: foo_manage_unit | default(false)" in tasks + assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks + assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks assert ( - "when:\n - foo_manage_unit | default(false)\n - _unit_probe is succeeded\n" - in tasks + "when:\n - enroll_manage_systemd_runtime | default(true) | bool\n" + " - foo_manage_unit | default(false)\n" in tasks + ) + assert ( + "when:\n - enroll_manage_systemd_runtime | default(true) | bool\n" + " - foo_manage_unit | default(false)\n" + " - _unit_probe is succeeded\n" in tasks ) # Ensure we didn't emit deprecated/broken '{{ }}' delimiters in when: lines. @@ -204,6 +288,12 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path): assert "foo_systemd_enabled: true" in defaults assert "foo_systemd_state: stopped" in defaults + handlers = (out / "roles" / "foo" / "handlers" / "main.yml").read_text( + encoding="utf-8" + ) + assert "- name: Restart service" in handlers + assert "state: restarted" in handlers + # Playbook should include users, etc_custom, packages, and services pb = (out / "playbook.yml").read_text(encoding="utf-8") assert "role: users" in pb @@ -213,6 +303,558 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path): assert "role: foo" in pb +def test_manifest_groups_simple_packages_by_section_by_default(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + state = _minimal_package_state( + [ + { + "package": "curl", + "role_name": "curl", + "section": "net", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + { + "package": "rsync", + "role_name": "rsync", + "section": "net", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + { + "package": "vim", + "role_name": "vim", + "section": "editors", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + { + "package": "nginx", + "role_name": "nginx", + "section": "httpd", + "has_config": True, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + ] + ) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + assert (out / "roles" / "net").exists() + assert (out / "roles" / "editors").exists() + assert (out / "roles" / "httpd").exists() + assert not (out / "roles" / "curl").exists() + assert not (out / "roles" / "rsync").exists() + assert not (out / "roles" / "vim").exists() + assert not (out / "roles" / "nginx").exists() + + net_defaults = (out / "roles" / "net" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + assert "- curl" in net_defaults + assert "- rsync" in net_defaults + + pb = (out / "playbook.yml").read_text(encoding="utf-8") + assert "role: net" in pb + assert "role: editors" in pb + assert "role: httpd" in pb + + +def test_manifest_no_common_roles_preserves_package_roles(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + state = _minimal_package_state( + [ + { + "package": "curl", + "role_name": "curl", + "section": "net", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + { + "package": "vim", + "role_name": "vim", + "section": "editors", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + ] + ) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), no_common_roles=True) + + assert (out / "roles" / "curl").exists() + assert (out / "roles" / "vim").exists() + assert not (out / "roles" / "net").exists() + assert not (out / "roles" / "editors").exists() + + +def test_manifest_groups_excluded_package_paths_into_common_roles(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + state = _minimal_package_state( + [ + { + "package": "secret-agent", + "role_name": "secret_agent", + "section": "net", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [ + {"path": "/etc/secret-agent/key", "reason": "possible_secret"} + ], + "notes": [], + } + ] + ) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + assert (out / "roles" / "net").exists() + assert not (out / "roles" / "secret_agent").exists() + assert not (out / "roles" / "net" / "README.md").exists() + readme = (out / "README.md").read_text(encoding="utf-8") + assert "/etc/secret-agent/key" in readme + + +def test_manifest_groups_managed_package_config_into_common_role(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + (bundle / "artifacts" / "nginx" / "etc" / "nginx").mkdir( + parents=True, exist_ok=True + ) + (bundle / "artifacts" / "nginx" / "etc" / "nginx" / "nginx.conf").write_text( + "worker_processes auto;\n", encoding="utf-8" + ) + state = _minimal_package_state( + [ + { + "package": "nginx", + "role_name": "nginx", + "section": "httpd", + "has_config": True, + "managed_files": [ + { + "path": "/etc/nginx/nginx.conf", + "src_rel": "etc/nginx/nginx.conf", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "modified_conffile", + } + ], + "managed_dirs": [ + { + "path": "/etc/nginx", + "owner": "root", + "group": "root", + "mode": "0755", + "reason": "parent_of_managed_file", + } + ], + "managed_links": [], + "excluded": [], + "notes": [], + } + ] + ) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + assert (out / "roles" / "httpd").exists() + assert not (out / "roles" / "nginx").exists() + defaults = (out / "roles" / "httpd" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + assert "- nginx" in defaults + assert "dest: /etc/nginx/nginx.conf" in defaults + assert (out / "roles" / "httpd" / "files" / "etc" / "nginx" / "nginx.conf").exists() + + +def test_manifest_groups_systemd_units_into_common_role(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + (bundle / "artifacts" / "network_manager" / "etc" / "NetworkManager").mkdir( + parents=True, exist_ok=True + ) + ( + bundle + / "artifacts" + / "network_manager" + / "etc" + / "NetworkManager" + / "NetworkManager.conf" + ).write_text("[main]\n", encoding="utf-8") + + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": { + "packages": { + "network-manager": { + "version": "1.0", + "arches": ["amd64"], + "installations": [ + {"version": "1.0", "arch": "amd64", "section": "net"} + ], + "section": "net", + "observed_via": [ + {"kind": "systemd_unit", "ref": "NetworkManager.service"} + ], + "roles": ["network_manager", "network_manager_dispatcher"], + } + } + }, + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [ + { + "unit": "NetworkManager.service", + "role_name": "network_manager", + "packages": ["network-manager"], + "active_state": "active", + "sub_state": "running", + "unit_file_state": "enabled", + "condition_result": "yes", + "managed_files": [ + { + "path": "/etc/NetworkManager/NetworkManager.conf", + "src_rel": "etc/NetworkManager/NetworkManager.conf", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "modified_conffile", + } + ], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + { + "unit": "NetworkManager-dispatcher.service", + "role_name": "network_manager_dispatcher", + "packages": ["network-manager"], + "active_state": "inactive", + "sub_state": "dead", + "unit_file_state": "enabled", + "condition_result": "no", + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + ], + "packages": [], + "apt_config": { + "role_name": "apt_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "include_patterns": [], + "exclude_patterns": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + assert (out / "roles" / "net").exists() + assert not (out / "roles" / "network_manager").exists() + assert not (out / "roles" / "network_manager_dispatcher").exists() + defaults = (out / "roles" / "net" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + assert "- network-manager" in defaults + assert "name: NetworkManager.service" in defaults + assert "name: NetworkManager-dispatcher.service" in defaults + assert "dest: /etc/NetworkManager/NetworkManager.conf" in defaults + tasks = (out / "roles" / "net" / "tasks" / "main.yml").read_text(encoding="utf-8") + assert "Ensure grouped unit enablement matches harvest" in tasks + assert 'no_log: "{{ enroll_hide_systemd_status | default(true) | bool }}"' in tasks + assert "enroll_manage_systemd_runtime | default(true) | bool" in tasks + assert "Restart managed services" not in tasks + + defaults_text = (out / "roles" / "net" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + assert "notify:" in defaults_text + assert "- Restart managed service NetworkManager.service" in defaults_text + assert ( + "Restart managed service NetworkManager-dispatcher.service" not in defaults_text + ) + + handlers = (out / "roles" / "net" / "handlers" / "main.yml").read_text( + encoding="utf-8" + ) + assert "Run systemd daemon-reload" in handlers + assert "when: enroll_manage_systemd_runtime | default(true) | bool" in handlers + assert "- name: Restart managed service NetworkManager.service" in handlers + assert "name: NetworkManager.service" in handlers + assert "state: restarted" in handlers + assert "Restart managed services" not in handlers + assert "Restart managed service NetworkManager-dispatcher.service" not in handlers + + +def test_manifest_common_package_file_notifies_matching_active_service(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + (bundle / "artifacts" / "docker" / "etc" / "docker").mkdir( + parents=True, exist_ok=True + ) + (bundle / "artifacts" / "docker" / "etc" / "docker" / "daemon.json").write_text( + '{"log-driver":"json-file"}\n', encoding="utf-8" + ) + + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": { + "packages": { + "docker.io": { + "version": "1.0", + "arches": ["amd64"], + "installations": [ + {"version": "1.0", "arch": "amd64", "section": "admin"} + ], + "section": "admin", + "observed_via": [ + {"kind": "systemd_unit", "ref": "docker.service"}, + {"kind": "package_role", "ref": "docker"}, + ], + "roles": ["docker"], + } + } + }, + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [ + { + "unit": "docker.service", + "role_name": "docker", + "packages": ["docker.io"], + "active_state": "active", + "sub_state": "running", + "unit_file_state": "enabled", + "condition_result": "yes", + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + } + ], + "packages": [ + { + "package": "docker.io", + "role_name": "docker", + "section": "admin", + "has_config": True, + "managed_files": [ + { + "path": "/etc/docker/daemon.json", + "src_rel": "etc/docker/daemon.json", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "modified_conffile", + } + ], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + } + ], + "apt_config": { + "role_name": "apt_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "include_patterns": [], + "exclude_patterns": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + defaults = (out / "roles" / "admin" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + assert "dest: /etc/docker/daemon.json" in defaults + assert "- Restart managed service docker.service" in defaults + + handlers = (out / "roles" / "admin" / "handlers" / "main.yml").read_text( + encoding="utf-8" + ) + assert "- name: Restart managed service docker.service" in handlers + assert "name: docker.service" in handlers + assert "Restart managed services" not in handlers + + +def test_manifest_fqdn_implies_no_common_roles(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + state = _minimal_package_state( + [ + { + "package": "curl", + "role_name": "curl", + "section": "net", + "has_config": False, + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + } + ] + ) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), fqdn="host1.example.test") + + assert (out / "roles" / "curl").exists() + assert not (out / "roles" / "net").exists() + + +def test_manifest_fqdn_rejects_unsafe_path_like_name(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + escape = tmp_path / "escape" + state = _minimal_package_state([]) + _write_state(bundle, state) + + with pytest.raises(Exception, match="--fqdn"): + manifest.manifest(str(bundle), str(out), fqdn=str(escape / "node")) + + assert not (escape / "node.yml").exists() + assert not (escape / "node" / "users.yml").exists() + + +def test_manifest_fqdn_rejects_newline_inventory_injection(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + state = _minimal_package_state([]) + _write_state(bundle, state) + + with pytest.raises(Exception, match="--fqdn"): + manifest.manifest(str(bundle), str(out), fqdn="host1\nmalicious: true") + + +def test_manifest_fqdn_existing_output_rejects_symlink_component(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + escape = tmp_path / "escape" + state = _minimal_package_state([]) + _write_state(bundle, state) + + (out / "inventory").mkdir(parents=True) + escape.mkdir() + (out / "inventory" / "host_vars").symlink_to(escape, target_is_directory=True) + + with pytest.raises(Exception, match="symlink"): + manifest.manifest(str(bundle), str(out), fqdn="host1.example.test") + + assert not (escape / "host1.example.test" / "users.yml").exists() + + def test_manifest_site_mode_creates_host_inventory_and_raw_files(tmp_path: Path): """In --fqdn mode, host-specific state goes into inventory/host_vars.""" @@ -334,7 +976,7 @@ def test_manifest_site_mode_creates_host_inventory_and_raw_files(tmp_path: Path) } bundle.mkdir(parents=True, exist_ok=True) - (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8") + write_schema_state(bundle, state) # Artifacts for usr_local_custom file so copy works. (bundle / "artifacts" / "usr_local_custom" / "usr" / "local" / "etc").mkdir( @@ -389,7 +1031,7 @@ def test_copy2_replace_overwrites_readonly_destination(tmp_path: Path): import os import stat - from enroll.manifest import _copy2_replace + from enroll.ansible import _copy2_replace src = tmp_path / "src" dst = tmp_path / "dst" @@ -485,7 +1127,7 @@ def test_manifest_includes_dnf_config_role_when_present(tmp_path: Path): } bundle.mkdir(parents=True, exist_ok=True) - (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8") + write_schema_state(bundle, state) manifest.manifest(str(bundle), str(out)) @@ -499,14 +1141,15 @@ def test_manifest_includes_dnf_config_role_when_present(tmp_path: Path): assert "Deploy any other managed files" in tasks -def test_render_install_packages_tasks_contains_dnf_branch(): - from enroll.manifest import _render_install_packages_tasks +def test_render_install_packages_tasks_uses_generic_package_provider(): + from enroll.ansible import _render_install_packages_tasks txt = _render_install_packages_tasks("role", "role") - assert "ansible.builtin.apt" in txt - assert "ansible.builtin.dnf" in txt assert "ansible.builtin.package" in txt - assert "pkg_mgr" in txt + assert "ansible.builtin.apt" not in txt + assert "ansible.builtin.dnf" not in txt + assert "ansible.builtin.dnf5" not in txt + assert "pkg_mgr" not in txt def test_manifest_orders_cron_and_logrotate_at_playbook_tail(tmp_path: Path): @@ -621,7 +1264,7 @@ def test_manifest_orders_cron_and_logrotate_at_playbook_tail(tmp_path: Path): ) bundle.mkdir(parents=True, exist_ok=True) - (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8") + write_schema_state(bundle, state) manifest.manifest(str(bundle), str(out)) @@ -631,19 +1274,10 @@ def test_manifest_orders_cron_and_logrotate_at_playbook_tail(tmp_path: Path): ln.strip().removeprefix("- ").strip() for ln in pb if ln.startswith(" - ") ] - # Ensure tail ordering. - assert roles[-2:] == ["role: cron", "role: logrotate"] + # Ensure the grouped role containing cron/logrotate is still ordered after users. + assert roles[-1] == "role: misc" + assert roles.index("role: users") < roles.index("role: misc") assert "role: users" in roles - assert roles.index("role: users") < roles.index("role: cron") - - -def test_yaml_helpers_fallback_when_yaml_unavailable(monkeypatch): - monkeypatch.setattr(manifest, "_try_yaml", lambda: None) - assert manifest._yaml_load_mapping("foo: 1\n") == {} - out = manifest._yaml_dump_mapping({"b": 2, "a": 1}) - # Best-effort fallback is key: repr(value) - assert out.splitlines()[0].startswith("a: ") - assert out.endswith("\n") def test_copy2_replace_makes_readonly_sources_user_writable( @@ -655,7 +1289,7 @@ def test_copy2_replace_makes_readonly_sources_user_writable( # Make source read-only; copy2 preserves mode, so tmp will be read-only too. os.chmod(src, 0o444) - manifest._copy2_replace(str(src), str(dst)) + ansible_layout._copy2_replace(str(src), str(dst)) st = os.stat(dst, follow_symlinks=False) assert stat.S_IMODE(st.st_mode) & stat.S_IWUSR @@ -769,17 +1403,15 @@ def test_manifest_applies_jinjaturtle_to_jinjifyable_managed_file( }, }, } - (bundle / "state.json").write_text( - __import__("json").dumps(state), encoding="utf-8" - ) + write_schema_state(bundle, state) - monkeypatch.setattr(manifest, "find_jinjaturtle_cmd", lambda: "jinjaturtle") + monkeypatch.setattr(jinjaturtle_mod, "find_jinjaturtle_cmd", lambda: "jinjaturtle") class _Res: template_text = "key={{ foo }}\n" vars_text = "foo: 123\n" - monkeypatch.setattr(manifest, "run_jinjaturtle", lambda *a, **k: _Res()) + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", lambda *a, **k: _Res()) out_dir = tmp_path / "out" manifest.manifest(str(bundle), str(out_dir), jinjaturtle="on") @@ -869,16 +1501,21 @@ def test_manifest_writes_firewall_runtime_role(tmp_path: Path): }, }, } - (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8") + write_schema_state(bundle, state) manifest.manifest(str(bundle), str(out)) tasks = (out / "roles" / "firewall_runtime" / "tasks" / "main.yml").read_text( encoding="utf-8" ) - assert "ipset restore -exist" in tasks - assert "iptables-restore /etc/enroll/firewall/iptables.v4" in tasks - assert "ipset flush {{ item }}" in tasks + handlers = (out / "roles" / "firewall_runtime" / "handlers" / "main.yml").read_text( + encoding="utf-8" + ) + assert "notify: Restore captured ipsets" in tasks + assert "notify: Restore captured IPv4 iptables rules" in tasks + assert "ipset restore -exist" in handlers + assert "iptables-restore /etc/enroll/firewall/iptables.v4" in handlers + assert "ipset flush {{ item }}" in handlers defaults = (out / "roles" / "firewall_runtime" / "defaults" / "main.yml").read_text( encoding="utf-8" @@ -888,7 +1525,868 @@ def test_manifest_writes_firewall_runtime_role(tmp_path: Path): assert "firewall_runtime_restore_iptables: true" in defaults pb = (out / "playbook.yml").read_text(encoding="utf-8") + assert "role: enroll_runtime" in pb assert "role: firewall_runtime" in pb + assert pb.index("role: enroll_runtime") < pb.index("role: firewall_runtime") + runtime_tasks = (out / "roles" / "enroll_runtime" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + assert "path: /etc/enroll" in runtime_tasks assert ( out / "roles" / "firewall_runtime" / "files" / "firewall" / "ipset.save" ).exists() + + +def test_yamlutil_uses_pyyaml(): + import yaml + + assert hasattr(yaml, "safe_load") + assert hasattr(yaml, "dump") + + +def test_yaml_load_mapping_with_yaml(tmp_path: Path): + text = """ +key1: value1 +key2: + nested: value +list: + - item1 + - item2 +""" + result = yaml_helpers.yaml_load_mapping(text) + assert result["key1"] == "value1" + assert result["key2"]["nested"] == "value" + assert result["list"] == ["item1", "item2"] + + +def test_yaml_load_mapping_empty(): + result = yaml_helpers.yaml_load_mapping("") + assert result == {} + + +def test_yaml_load_mapping_invalid(): + result = yaml_helpers.yaml_load_mapping("invalid: yaml: :") + assert result == {} + + +def test_yaml_load_mapping_not_dict(): + result = yaml_helpers.yaml_load_mapping("- item1\n- item2") + assert result == {} + + +def test_yaml_load_mapping_none(): + result = yaml_helpers.yaml_load_mapping("~") + assert result == {} + + +def test_yaml_dump_mapping_with_yaml(tmp_path: Path): + obj = {"key1": "value1", "key2": 123} + result = yaml_helpers.yaml_dump_mapping(obj) + assert "key1: value1" in result + assert "key2:" in result + + +def test_yaml_dump_mapping_empty(): + result = yaml_helpers.yaml_dump_mapping({}) + # Empty dict produces '{}' + assert result.strip() == "{}" + + +def test_yaml_dump_mapping_with_nested(tmp_path: Path): + obj = {"key1": {"nested": "value"}} + result = yaml_helpers.yaml_dump_mapping(obj) + assert "nested:" in result + + +def test_merge_mappings_overwrite_simple(): + existing = {"key1": "old", "key2": "keep"} + incoming = {"key1": "new", "key3": "added"} + result = ansible_yaml._merge_mappings_overwrite(existing, incoming) + assert result["key1"] == "new" + assert result["key2"] == "keep" + assert result["key3"] == "added" + + +def test_merge_mappings_overwrite_nested(): + existing = {"key1": {"a": 1}} + incoming = {"key1": {"b": 2}} + result = ansible_yaml._merge_mappings_overwrite(existing, incoming) + # Nested dicts are replaced, not merged + assert result["key1"] == {"b": 2} + + +def test_merge_mappings_overwrite_empty(): + result = ansible_yaml._merge_mappings_overwrite({}, {"key": "value"}) + assert result == {"key": "value"} + + result = ansible_yaml._merge_mappings_overwrite({"key": "value"}, {}) + assert result == {"key": "value"} + + +def test_copy2_replace(tmp_path: Path): + src = tmp_path / "src.txt" + src.write_text("content", encoding="utf-8") + dst = tmp_path / "dst" / "subdir" / "dst.txt" + + ansible_layout._copy2_replace(str(src), str(dst)) + + assert dst.exists() + assert dst.read_text(encoding="utf-8") == "content" + + +def test_copy2_replace_preserves_metadata(tmp_path: Path): + src = tmp_path / "src.txt" + src.write_text("content", encoding="utf-8") + os.chmod(str(src), 0o644) + dst = tmp_path / "dst.txt" + + ansible_layout._copy2_replace(str(src), str(dst)) + + assert dst.exists() + st = dst.stat() + assert stat.S_IMODE(st.st_mode) == 0o644 + + +def test_copy2_replace_atomic(tmp_path: Path): + src = tmp_path / "src.txt" + src.write_text("content", encoding="utf-8") + dst = tmp_path / "dst.txt" + + # Write initial content + dst.write_text("old", encoding="utf-8") + + ansible_layout._copy2_replace(str(src), str(dst)) + + assert dst.read_text(encoding="utf-8") == "content" + + +def test_render_firewall_runtime_tasks_empty(): + result = ansible_tasks._render_role_tasks( + ansible_tasks.AnsibleRole("firewall_runtime"), firewall_runtime=True + ) + # Function always returns at least a basic playbook structure + assert isinstance(result, str) + assert len(result) > 0 + + +def test_render_firewall_runtime_tasks_with_iptables(): + result = ansible_tasks._render_role_tasks( + ansible_tasks.AnsibleRole("firewall_runtime"), firewall_runtime=True + ) + assert len(result) >= 1 + + +def test_render_firewall_runtime_tasks_with_ipset(): + result = ansible_tasks._render_role_tasks( + ansible_tasks.AnsibleRole("firewall_runtime"), firewall_runtime=True + ) + assert len(result) >= 1 + + +def test_render_firewall_runtime_tasks_with_ipv6(): + result = ansible_tasks._render_role_tasks( + ansible_tasks.AnsibleRole("firewall_runtime"), firewall_runtime=True + ) + assert len(result) >= 1 + + +def test_manifest_renders_flatpak_and_snap_details(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "gid": 1000, + "gecos": "Alice", + "home": "/home/alice", + "shell": "/bin/bash", + "primary_group": "alice", + "supplementary_groups": [], + } + ], + "managed_files": [], + "excluded": [], + "notes": [], + "user_flatpak_remotes": [ + { + "name": "acme-user", + "method": "user", + "url": "https://flatpak.example/user-repo/", + "user": "alice", + "home": "/home/alice", + }, + ], + "user_flatpaks": { + "alice": [ + { + "name": "org.example.UserApp", + "method": "user", + "remote": "acme-user", + "branch": "stable", + "arch": "x86_64", + } + ] + }, + }, + "flatpak": { + "role_name": "flatpak", + "remotes": [ + { + "name": "acme", + "method": "system", + "url": "https://flatpak.example/repo/", + }, + ], + "system_flatpaks": [ + { + "name": "com.example.App", + "method": "system", + "remote": "acme", + "branch": "stable", + "arch": "x86_64", + } + ], + "notes": [], + }, + "snap": { + "role_name": "snap", + "system_snaps": [ + { + "name": "code", + "channel": "latest/stable", + "revision": 123, + "classic": True, + "notes": ["classic"], + } + ], + "notes": [], + }, + "services": [], + "packages": [], + "apt_config": { + "role_name": "apt_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "include_patterns": [], + "exclude_patterns": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + }, + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + users_defaults = (out / "roles" / "users" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + users_tasks = (out / "roles" / "users" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + assert not (out / "roles" / "users" / "README.md").exists() + users_readme = (out / "README.md").read_text(encoding="utf-8") + flatpak_defaults = (out / "roles" / "flatpak" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + flatpak_tasks = (out / "roles" / "flatpak" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + snap_defaults = (out / "roles" / "snap" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + snap_tasks = (out / "roles" / "snap" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + + assert "users_flatpak_remotes:" in users_defaults + assert "remote: acme-user" in users_defaults + assert "community.general.snap" not in users_tasks + assert "Install system-wide snaps" not in users_tasks + assert "Install system-wide Flatpaks" not in users_tasks + assert "ansible-galaxy collection install -r requirements.yml" in users_readme + + assert "snap_system_snaps:" in snap_defaults + assert "channel: latest/stable" in snap_defaults + assert "classic: true" in snap_defaults + assert "community.general.snap" in snap_tasks + assert "Install system-wide snaps with full detected attributes" in snap_tasks + assert "Install system-wide snaps with compatibility options" in snap_tasks + assert "Install system-wide snaps with minimal options" in snap_tasks + assert "ignore_errors: true" in snap_tasks + + assert "flatpak_system_flatpaks:" in flatpak_defaults + assert "remote: acme" in flatpak_defaults + assert "community.general.flatpak" in flatpak_tasks + assert "Install system-wide Flatpaks" in flatpak_tasks + assert (out / "requirements.yml").exists() + + +def test_users_role_without_portable_apps_omits_community_general_tasks(tmp_path): + bundle = tmp_path / "bundle" + out = tmp_path / "out" + state = { + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "gid": 1000, + "gecos": "Alice", + "home": "/home/alice", + "shell": "/bin/bash", + "primary_group": "alice", + "supplementary_groups": [], + } + ], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + }, + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + users_tasks = (out / "roles" / "users" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + users_meta = (out / "roles" / "users" / "meta" / "main.yml").read_text( + encoding="utf-8" + ) + + assert "community.general.flatpak" not in users_tasks + assert "community.general.snap" not in users_tasks + assert "collections:" not in users_meta + + +def test_users_role_only_creates_ssh_dir_when_managed_ssh_files_exist(tmp_path): + bundle = tmp_path / "bundle" + out = tmp_path / "out" + (bundle / "artifacts" / "users" / "alice" / ".ssh").mkdir( + parents=True, exist_ok=True + ) + (bundle / "artifacts" / "users" / "bob").mkdir(parents=True, exist_ok=True) + (bundle / "artifacts" / "users" / "alice" / ".ssh" / "authorized_keys").write_text( + "ssh-ed25519 example alice\n", encoding="utf-8" + ) + (bundle / "artifacts" / "users" / "bob" / ".bashrc").write_text( + "alias ll='ls -l'\n", encoding="utf-8" + ) + state = { + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "home": "/home/alice", + "primary_group": "alice", + "supplementary_groups": [], + }, + { + "name": "bob", + "uid": 1001, + "home": "/home/bob", + "primary_group": "bob", + "supplementary_groups": [], + }, + { + "name": "carol", + "uid": 1002, + "home": "/home/carol", + "primary_group": "carol", + "supplementary_groups": [], + }, + ], + "managed_files": [ + { + "path": "/home/alice/.ssh/authorized_keys", + "src_rel": "alice/.ssh/authorized_keys", + "mode": "0644", + "reason": "authorized_keys", + }, + { + "path": "/home/bob/.bashrc", + "src_rel": "bob/.bashrc", + "mode": "0644", + "reason": "dangerous_user_dotfile", + }, + ], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + }, + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + users_defaults_text = (out / "roles" / "users" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + users_defaults = yaml_helpers.yaml_load_mapping(users_defaults_text) + users_tasks = (out / "roles" / "users" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + + assert users_defaults["users_ssh_dirs"] == [ + { + "dest": "/home/alice/.ssh", + "group": "alice", + "mode": "0700", + "owner": "alice", + } + ] + assert 'loop: "{{ users_ssh_dirs | default([]) }}"' in users_tasks + assert 'path: "{{ item.ssh_dir }}"' not in users_tasks + assert "users_ssh_files" in users_defaults + + +def test_manifest_emits_flatpak_role_even_when_no_flatpaks(tmp_path): + bundle = tmp_path / "bundle" + out = tmp_path / "out" + state = { + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + "user_flatpaks": {}, + "user_flatpak_remotes": [], + }, + "flatpak": { + "role_name": "flatpak", + "system_flatpaks": [], + "remotes": [], + "notes": [], + }, + "services": [], + "packages": [], + } + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + flatpak_tasks = (out / "roles" / "flatpak" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + flatpak_defaults = (out / "roles" / "flatpak" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + + assert "flatpak_system_flatpaks: []" in flatpak_defaults + assert "flatpak_remotes: []" in flatpak_defaults + assert "Install system-wide Flatpaks" in flatpak_tasks + assert "Ensure system Flatpak remotes exist" in flatpak_tasks + + +def test_manifest_avoids_package_role_collision_with_flatpak_singleton(tmp_path): + bundle = tmp_path / "bundle" + out = tmp_path / "out" + state = { + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + "user_flatpaks": {}, + "user_flatpak_remotes": [], + }, + "flatpak": { + "role_name": "flatpak", + "remotes": [ + { + "name": "flathub", + "method": "system", + "url": "https://dl.flathub.org/repo/", + } + ], + "system_flatpaks": [ + { + "name": "org.onionshare.OnionShare", + "method": "system", + "remote": "flathub", + "branch": "stable", + "arch": "x86_64", + } + ], + "notes": [], + }, + "services": [], + "packages": [ + { + "package": "flatpak", + "role_name": "flatpak", + "managed_files": [], + "managed_dirs": [], + "managed_links": [], + "excluded": [], + "notes": [], + "has_config": True, + } + ], + } + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out), no_common_roles=True) + + flatpak_defaults = (out / "roles" / "flatpak" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + playbook = (out / "playbook.yml").read_text(encoding="utf-8") + + assert "org.onionshare.OnionShare" in flatpak_defaults + assert (out / "roles" / "package_flatpak" / "tasks" / "main.yml").exists() + assert "role: flatpak" in playbook + assert "role: package_flatpak" in playbook + + +def test_manifest_writes_sysctl_role(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + (bundle / "artifacts" / "sysctl" / "sysctl").mkdir(parents=True, exist_ok=True) + (bundle / "artifacts" / "sysctl" / "sysctl" / "99-enroll.conf").write_text( + "net.ipv4.ip_forward = 1\n", + encoding="utf-8", + ) + + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + "apt_config": { + "role_name": "apt_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "sysctl": { + "role_name": "sysctl", + "managed_files": [ + { + "path": "/etc/sysctl.d/99-enroll.conf", + "src_rel": "sysctl/99-enroll.conf", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "system_sysctl", + } + ], + "parameters": {"net.ipv4.ip_forward": "1"}, + "notes": ["Captured 1 live writable sysctl parameter(s)."], + }, + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": [], + "ipset_save": None, + "ipset_sets": [], + "iptables_v4_save": None, + "iptables_v6_save": None, + "notes": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_files": [], + "excluded": [], + "notes": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "include_patterns": [], + "exclude_patterns": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + }, + } + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + tasks = (out / "roles" / "sysctl" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + assert "dest: /etc/sysctl.d/99-enroll.conf" in tasks + assert "notify: Apply captured sysctl configuration" in tasks + + handlers = (out / "roles" / "sysctl" / "handlers" / "main.yml").read_text( + encoding="utf-8" + ) + assert "- -p" in handlers + assert "- /etc/sysctl.d/99-enroll.conf" in handlers + + defaults = (out / "roles" / "sysctl" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + assert "sysctl_conf_src_rel: sysctl/99-enroll.conf" in defaults + assert "sysctl_ignore_apply_errors: true" in defaults + + pb = (out / "playbook.yml").read_text(encoding="utf-8") + assert "role: sysctl" in pb + assert (out / "roles" / "sysctl" / "files" / "sysctl" / "99-enroll.conf").exists() + + +def test_manifest_renders_container_image_role_for_ansible(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + digest = "docker.io/library/nginx@sha256:" + "a" * 64 + podman_digest = "quay.io/example/app@sha256:" + "b" * 64 + state = { + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + "container_images": { + "role_name": "container_images", + "images": [ + { + "engine": "docker", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "c" * 64, + "repo_tags": ["docker.io/library/nginx:1.27"], + "repo_digests": [digest], + "pull_ref": digest, + "tag_aliases": [ + { + "ref": "docker.io/library/nginx:1.27", + "repository": "docker.io/library/nginx", + "tag": "1.27", + } + ], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 123, + "created": "2026-01-01T00:00:00Z", + "source": "docker image inspect", + "notes": [], + }, + { + "engine": "podman", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "d" * 64, + "repo_tags": ["quay.io/example/app:prod"], + "repo_digests": [podman_digest], + "pull_ref": podman_digest, + "tag_aliases": [ + { + "ref": "quay.io/example/app:prod", + "repository": "quay.io/example/app", + "tag": "prod", + } + ], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 456, + "created": "2026-01-01T00:00:00Z", + "source": "podman image inspect", + "notes": [], + }, + ], + "notes": [], + }, + } + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out)) + + defaults = (out / "roles" / "container_images" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + tasks = (out / "roles" / "container_images" / "tasks" / "main.yml").read_text( + encoding="utf-8" + ) + meta = (out / "roles" / "container_images" / "meta" / "main.yml").read_text( + encoding="utf-8" + ) + requirements = (out / "requirements.yml").read_text(encoding="utf-8") + playbook = (out / "playbook.yml").read_text(encoding="utf-8") + + assert "container_images:" in defaults + assert digest in defaults + assert podman_digest in defaults + assert "community.docker.docker_image_pull" in tasks + assert "community.docker.docker_image_tag" in tasks + assert "selectattr('pull_ref')" in tasks + assert "item.pull_ref | default('', true) | length > 0" in tasks + assert "containers.podman.podman_image" in tasks + assert "containers.podman.podman_tag" in tasks + assert "repository:" in tasks + assert "target_names:" in tasks + assert "community.docker" in meta + assert "containers.podman" in meta + assert "name: community.docker" in requirements + assert "name: containers.podman" in requirements + assert "role: container_images" in playbook + + +def test_manifest_writes_container_images_to_hostvars_in_fqdn_mode(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + digest = "docker.io/library/nginx@sha256:" + "a" * 64 + state = { + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + "container_images": { + "role_name": "container_images", + "images": [ + { + "engine": "docker", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "c" * 64, + "repo_tags": ["docker.io/library/nginx:1.27"], + "repo_digests": [digest], + "pull_ref": digest, + "tag_aliases": [], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 123, + "created": "2026-01-01T00:00:00Z", + "source": "docker image inspect", + "notes": [], + } + ], + "notes": [], + }, + } + } + bundle.mkdir(parents=True, exist_ok=True) + write_schema_state(bundle, state) + + manifest.manifest(str(bundle), str(out), fqdn="host.example.test") + + defaults = (out / "roles" / "container_images" / "defaults" / "main.yml").read_text( + encoding="utf-8" + ) + hostvars = ( + out / "inventory" / "host_vars" / "host.example.test" / "container_images.yml" + ).read_text(encoding="utf-8") + playbook = (out / "playbooks" / "host.example.test.yml").read_text(encoding="utf-8") + + assert "container_images: []" in defaults + assert digest in hostvars + assert "role: container_images" in playbook + + +def test_manifest_non_fqdn_refuses_existing_output(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "ansible" + bundle.mkdir(parents=True) + out.mkdir() + write_schema_state(bundle, _minimal_package_state([])) + + with pytest.raises(RuntimeError, match="already exists"): + manifest.manifest(str(bundle), str(out), no_common_roles=True) + + +def test_yaml_dump_mapping_emits_ansible_unsafe_tag_for_marked_values(): + from enroll.render_safety import ansible_unsafe_data + + data = ansible_unsafe_data({"value": "{{ lookup('pipe','id') }}"}) + dumped = yaml_helpers.yaml_dump_mapping(data) + + assert "value: !unsafe" in dumped + assert "{{ lookup(''pipe'',''id'') }}" in dumped + loaded = yaml_helpers.yaml_load_mapping(dumped) + assert loaded["value"] == "{{ lookup('pipe','id') }}" diff --git a/tests/test_manifest_ansible.py b/tests/test_manifest_ansible.py new file mode 100644 index 0000000..48a2721 --- /dev/null +++ b/tests/test_manifest_ansible.py @@ -0,0 +1,162 @@ +from __future__ import annotations + +from enroll.cm import CMModule +from enroll.ansible import AnsibleRole + + +def test_ansible_role_extends_cm_module_and_normalises_service_snapshot(): + role = AnsibleRole("network") + + role.add_service_snapshot( + { + "role_name": "networking", + "unit": "networking.service", + "packages": ["ifupdown"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [ + { + "path": "/etc/network", + "owner": "root", + "group": "root", + "mode": "0755", + } + ], + "managed_files": [ + { + "path": "/etc/network/interfaces", + "src_rel": "etc/network/interfaces", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "service_config", + } + ], + "managed_links": [ + { + "path": "/etc/systemd/system/multi-user.target.wants/networking.service", + "target": "/usr/lib/systemd/system/networking.service", + } + ], + "excluded": [{"path": "/etc/network/secrets", "reason": "secret"}], + "notes": ["captured for test"], + } + ) + + assert isinstance(role, CMModule) + assert role.sorted_packages == ["ifupdown"] + assert role.dirs["/etc/network"]["mode"] == "0755" + assert role.files["/etc/network/interfaces"]["src_rel"] == "etc/network/interfaces" + assert ( + role.links["/etc/systemd/system/multi-user.target.wants/networking.service"][ + "src" + ] + == "/usr/lib/systemd/system/networking.service" + ) + assert role.systemd_units_var == [ + { + "name": "networking.service", + "manage": True, + "enabled": True, + "state": "started", + } + ] + assert role.excluded == [{"path": "/etc/network/secrets", "reason": "secret"}] + assert role.notes == ["captured for test"] + assert "service `networking.service` from role `networking`" in role.origin_lines + + +def test_ansible_role_normalises_package_snapshot(): + role = AnsibleRole("admin") + role.add_package_snapshot( + { + "role_name": "curl", + "package": "curl", + "managed_files": [ + { + "path": "/etc/curlrc", + "src_rel": "etc/curlrc", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + } + ) + + assert isinstance(role, CMModule) + assert role.sorted_packages == ["curl"] + assert role.files["/etc/curlrc"]["dest"] == "/etc/curlrc" + assert role.services == {} + assert role.origin_lines == ["package `curl` from role `curl`"] + + +from pathlib import Path + +from state_helpers import write_schema_state + +from enroll import manifest, yamlutil as yaml_helpers + + +def _ansible_jinja_payload_state(payload: str) -> dict: + return { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "gid": 1000, + "gecos": payload, + "home": "/home/alice", + "shell": "/bin/bash", + "primary_group": "alice", + "supplementary_groups": [], + } + ], + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + }, + } + + +def test_ansible_static_marks_harvested_jinja_values_unsafe(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "out" + payload = "{{ lookup('pipe','touch /tmp/PWNED_BY_ENROLL_ANSIBLE') }}" + write_schema_state(bundle, _ansible_jinja_payload_state(payload)) + + manifest.manifest(str(bundle), str(out), target="ansible") + + defaults = out / "roles" / "users" / "defaults" / "main.yml" + text = defaults.read_text(encoding="utf-8") + assert "gecos: !unsafe" in text + assert "lookup(''pipe'',''touch /tmp/PWNED_BY_ENROLL_ANSIBLE'')" in text + loaded = yaml_helpers.yaml_load_mapping(text) + assert loaded["users_users"][0]["gecos"] == payload + + +def test_ansible_fqdn_marks_harvested_jinja_values_unsafe(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "out" + payload = "{{ lookup('pipe','touch /tmp/PWNED_BY_ENROLL_ANSIBLE') }}" + write_schema_state(bundle, _ansible_jinja_payload_state(payload)) + + manifest.manifest(str(bundle), str(out), target="ansible", fqdn="host.example.test") + + hostvars = out / "inventory" / "host_vars" / "host.example.test" / "users.yml" + text = hostvars.read_text(encoding="utf-8") + assert "gecos: !unsafe" in text + assert "lookup(''pipe'',''touch /tmp/PWNED_BY_ENROLL_ANSIBLE'')" in text + loaded = yaml_helpers.yaml_load_mapping(text) + assert loaded["users_users"][0]["gecos"] == payload diff --git a/tests/test_manifest_puppet.py b/tests/test_manifest_puppet.py new file mode 100644 index 0000000..3aac35f --- /dev/null +++ b/tests/test_manifest_puppet.py @@ -0,0 +1,1479 @@ +from __future__ import annotations + +import json +from pathlib import Path + +import yaml + +from state_helpers import write_schema_state + +from enroll import manifest +from enroll.puppet import ( + PuppetRole, + _puppet_name, + _render_role_class, + _role_hiera_values, +) + + +def _write_state(bundle: Path, state: dict) -> None: + write_schema_state(bundle, state) + + +def test_manifest_puppet_writes_control_repo_style_output(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + artifact = bundle / "artifacts" / "foo" / "etc" / "foo.conf" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("setting = true\n", encoding="utf-8") + sysctl_artifact = bundle / "artifacts" / "sysctl" / "sysctl" / "99-enroll.conf" + sysctl_artifact.parent.mkdir(parents=True, exist_ok=True) + sysctl_artifact.write_text("net.ipv4.ip_forward = 1\n", encoding="utf-8") + + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "gid": 1000, + "gecos": "Alice Example", + "home": "/home/alice", + "shell": "/bin/bash", + "primary_group": "alice", + "supplementary_groups": ["docker"], + } + ], + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [ + { + "unit": "foo.service", + "role_name": "foo", + "packages": ["foo"], + "active_state": "active", + "sub_state": "running", + "unit_file_state": "enabled", + "condition_result": "yes", + "managed_dirs": [ + { + "path": "/etc/foo", + "owner": "root", + "group": "root", + "mode": "0755", + "reason": "parent_dir", + } + ], + "managed_files": [ + { + "path": "/etc/foo/foo.conf", + "src_rel": "etc/foo.conf", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "modified_conffile", + } + ], + "managed_links": [], + "excluded": [], + "notes": [], + } + ], + "packages": [ + { + "package": "curl", + "role_name": "curl", + "section": "net", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + "excluded": [], + "notes": [], + } + ], + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "sysctl": { + "role_name": "sysctl", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/sysctl.d/99-enroll.conf", + "src_rel": "sysctl/99-enroll.conf", + "owner": "root", + "group": "root", + "mode": "0644", + "reason": "system_sysctl", + } + ], + "parameters": {"net.ipv4.ip_forward": "1"}, + "notes": [], + }, + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": [], + "ipset_save": None, + "ipset_sets": [], + "iptables_v4_save": None, + "iptables_v6_save": None, + "notes": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "include_patterns": [], + "exclude_patterns": [], + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="puppet", fqdn="test.example") + + site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8") + assert "node 'test.example' {" in site_pp + assert "lookup('enroll::classes'" in site_pp + assert "$enroll_classes.each" in site_pp + assert "include $enroll_class" in site_pp + assert "node default {" in site_pp + + assert (out / "hiera.yaml").exists() + node_data = yaml.safe_load( + (out / "data" / "nodes" / "test.example.yaml").read_text(encoding="utf-8") + ) + assert node_data["enroll::classes"] == ["curl", "foo", "users", "sysctl"] + assert node_data["curl::packages"] == ["curl"] + assert node_data["foo::packages"] == ["foo"] + assert node_data["foo::files"]["/etc/foo/foo.conf"]["source"] == ( + "puppet:///modules/foo/nodes/test.example/etc/foo.conf" + ) + assert node_data["foo::files"]["/etc/foo/foo.conf"]["notify_services"] == [ + "foo.service" + ] + assert node_data["foo::services"]["foo.service"] == { + "ensure": "running", + "enable": True, + } + assert node_data["users::users"]["alice"]["comment"] == "Alice Example" + assert node_data["users::users"]["alice"]["groups"] == ["docker"] + assert node_data["sysctl::files"]["/etc/sysctl.d/99-enroll.conf"]["source"] == ( + "puppet:///modules/sysctl/nodes/test.example/sysctl/99-enroll.conf" + ) + + curl_pp = (out / "modules" / "curl" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "class curl" in curl_pp + assert "Array[String] $packages = []" in curl_pp + assert "package { $package_name:" in curl_pp + assert "package { 'curl':" not in curl_pp + + foo_pp = (out / "modules" / "foo" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "class foo" in foo_pp + assert "Hash[String, Hash] $files = {}" in foo_pp + assert "* => $attrs" in foo_pp + assert "package { 'foo':" not in foo_pp + assert "file { '/etc/foo/foo.conf':" not in foo_pp + + users_pp = (out / "modules" / "users" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "class users" in users_pp + assert "Hash[String, Hash] $users = {}" in users_pp + assert "user { 'alice':" not in users_pp + + sysctl_pp = (out / "modules" / "sysctl" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "class sysctl" in sysctl_pp + assert "Boolean $sysctl_apply = true" in sysctl_pp + assert "Boolean $sysctl_ignore_apply_errors = true" in sysctl_pp + assert "exec { 'enroll-apply-sysctl':" in sysctl_pp + assert ( + "if $sysctl_apply and '/etc/sysctl.d/99-enroll.conf' in $files {" in sysctl_pp + ) + + assert ( + out + / "modules" + / "foo" + / "files" + / "nodes" + / "test.example" + / "etc" + / "foo.conf" + ).exists() + assert ( + out + / "modules" + / "sysctl" + / "files" + / "nodes" + / "test.example" + / "sysctl" + / "99-enroll.conf" + ).exists() + + +def test_manifest_puppet_fqdn_package_notify_service_declared_in_same_role( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + artifact = bundle / "artifacts" / "apparmor" / "etc" / "apparmor" / "parser.conf" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("cache-loc /var/cache/apparmor\n", encoding="utf-8") + + state = { + "schema_version": 3, + "host": {"hostname": "vpn-ssh", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {"apparmor": {"section": "admin"}}}, + "roles": { + "services": [ + { + "unit": "apparmor.service", + "role_name": "apparmor_service", + "packages": ["apparmor"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + } + ], + "packages": [ + { + "package": "apparmor", + "role_name": "apparmor", + "section": "admin", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/apparmor/parser.conf", + "src_rel": "etc/apparmor/parser.conf", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [], + } + ], + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + }, + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + }, + "sysctl": {"role_name": "sysctl", "managed_dirs": [], "managed_files": []}, + "firewall_runtime": {"role_name": "firewall_runtime", "packages": []}, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="puppet", fqdn="vpn-ssh") + + node_data = yaml.safe_load( + (out / "data" / "nodes" / "vpn-ssh.yaml").read_text(encoding="utf-8") + ) + assert node_data["apparmor::files"]["/etc/apparmor/parser.conf"][ + "notify_services" + ] == ["apparmor.service"] + assert node_data["apparmor::services"]["apparmor.service"] == { + "ensure": "running", + "enable": True, + } + + apparmor_pp = (out / "modules" / "apparmor" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "Hash[String, Hash] $services = {}" in apparmor_pp + assert "service { $resource_title:" in apparmor_pp + assert apparmor_pp.index("$services.each") < apparmor_pp.index("$files.each") + assert "$attrs['notify_services'].map" in apparmor_pp + assert "notify => $notify_targets" in apparmor_pp + + +def test_manifest_puppet_fqdn_mode_can_accumulate_separate_node_data( + tmp_path: Path, +): + out = tmp_path / "puppet" + + def write_bundle(name: str, content: str) -> Path: + bundle = tmp_path / name + artifact = bundle / "artifacts" / "foo" / "etc" / "foo.conf" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text(content, encoding="utf-8") + _write_state( + bundle, + { + "schema_version": 3, + "host": {"hostname": name, "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "services": [ + { + "unit": "foo.service", + "role_name": "foo", + "packages": ["foo"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/foo/foo.conf", + "src_rel": "etc/foo.conf", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [], + } + ], + "packages": [], + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + }, + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + }, + "sysctl": { + "role_name": "sysctl", + "managed_dirs": [], + "managed_files": [], + }, + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": [], + }, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + }, + ) + return bundle + + first = write_bundle("first", "first = true\n") + second = write_bundle("second", "second = true\n") + + manifest.manifest(str(first), str(out), target="puppet", fqdn="first.example") + manifest.manifest(str(second), str(out), target="puppet", fqdn="second.example") + + assert (out / "data" / "nodes" / "first.example.yaml").exists() + assert (out / "data" / "nodes" / "second.example.yaml").exists() + + site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8") + assert "node 'first.example' {" in site_pp + assert "node 'second.example' {" in site_pp + + first_artifact = ( + out + / "modules" + / "foo" + / "files" + / "nodes" + / "first.example" + / "etc" + / "foo.conf" + ) + second_artifact = ( + out + / "modules" + / "foo" + / "files" + / "nodes" + / "second.example" + / "etc" + / "foo.conf" + ) + assert first_artifact.read_text(encoding="utf-8") == "first = true\n" + assert second_artifact.read_text(encoding="utf-8") == "second = true\n" + + first_data = yaml.safe_load( + (out / "data" / "nodes" / "first.example.yaml").read_text(encoding="utf-8") + ) + second_data = yaml.safe_load( + (out / "data" / "nodes" / "second.example.yaml").read_text(encoding="utf-8") + ) + assert first_data["foo::files"]["/etc/foo/foo.conf"]["source"] == ( + "puppet:///modules/foo/nodes/first.example/etc/foo.conf" + ) + assert second_data["foo::files"]["/etc/foo/foo.conf"]["source"] == ( + "puppet:///modules/foo/nodes/second.example/etc/foo.conf" + ) + + +def test_manifest_puppet_uses_default_node_and_common_package_modules(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + artifact = bundle / "artifacts" / "foo" / "etc" / "foo.conf" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("setting = true\n", encoding="utf-8") + + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": { + "packages": { + "curl": {"section": "net"}, + "foo": {"installations": [{"section": "net"}]}, + } + }, + "roles": { + "services": [ + { + "unit": "foo.service", + "role_name": "foo", + "packages": ["foo"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/foo/foo.conf", + "src_rel": "etc/foo.conf", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [], + } + ], + "packages": [ + { + "package": "curl", + "role_name": "curl", + "section": "net", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + } + ], + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + }, + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + }, + "sysctl": {"role_name": "sysctl", "managed_dirs": [], "managed_files": []}, + "firewall_runtime": {"role_name": "firewall_runtime", "packages": []}, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="puppet") + + site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8") + assert site_pp == "node default {\n include net\n}\n" + + net_pp = (out / "modules" / "net" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "class net" in net_pp + assert "package { 'curl':" in net_pp + assert "package { 'foo':" in net_pp + assert "file { '/etc/foo/foo.conf':" in net_pp + assert "source => 'puppet:///modules/net/etc/foo.conf'" in net_pp + assert "notify => Service['foo.service']" in net_pp + assert "service { 'foo.service':" in net_pp + assert (out / "modules" / "net" / "files" / "etc" / "foo.conf").exists() + assert not (out / "modules" / "curl").exists() + assert not (out / "modules" / "foo").exists() + + +def test_manifest_puppet_avoids_reserved_module_names_and_duplicate_resources( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": { + "packages": { + "alpha": {"section": "admin"}, + "beta": {"section": "misc"}, + "gamma": {"section": "default"}, + } + }, + "roles": { + "packages": [ + { + "package": "alpha", + "role_name": "alpha", + "section": "admin", + "managed_dirs": [ + { + "path": "/etc/default", + "owner": "root", + "group": "root", + "mode": "0755", + } + ], + "managed_files": [], + "managed_links": [], + }, + { + "package": "beta", + "role_name": "beta", + "section": "misc", + "managed_dirs": [ + { + "path": "/etc/default", + "owner": "root", + "group": "root", + "mode": "0755", + } + ], + "managed_files": [], + "managed_links": [], + }, + { + "package": "gamma", + "role_name": "gamma", + "section": "default", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + ], + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + }, + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + }, + "sysctl": {"role_name": "sysctl", "managed_dirs": [], "managed_files": []}, + "firewall_runtime": {"role_name": "firewall_runtime", "packages": []}, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="puppet") + + site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8") + assert "include default\n" not in site_pp + assert "include package_group_default" in site_pp + assert ( + out / "modules" / "package_group_default" / "manifests" / "init.pp" + ).exists() + + init_pps = "\n".join( + p.read_text(encoding="utf-8") + for p in sorted((out / "modules").glob("*/manifests/init.pp")) + ) + assert init_pps.count("file { '/etc/default':") == 1 + + +def test_manifest_rejects_unknown_target(tmp_path: Path): + bundle = tmp_path / "bundle" + _write_state(bundle, {"roles": {}}) + + try: + manifest.manifest(str(bundle), str(tmp_path / "out"), target="chef") + except ValueError as e: + assert "unsupported manifest target" in str(e) + else: + raise AssertionError("expected ValueError") + + +def test_manifest_puppet_renders_container_images_static_and_hiera(tmp_path: Path): + digest = "docker.io/library/nginx@sha256:" + "a" * 64 + podman_digest = "quay.io/example/app@sha256:" + "b" * 64 + state = { + "roles": { + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + "container_images": { + "role_name": "container_images", + "images": [ + { + "engine": "docker", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "c" * 64, + "repo_tags": ["docker.io/library/nginx:1.27"], + "repo_digests": [digest], + "pull_ref": digest, + "tag_aliases": [ + { + "ref": "docker.io/library/nginx:1.27", + "repository": "docker.io/library/nginx", + "tag": "1.27", + } + ], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 123, + "created": "2026-01-01T00:00:00Z", + "source": "docker image inspect", + "notes": [], + }, + { + "engine": "podman", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "d" * 64, + "repo_tags": ["quay.io/example/app:prod"], + "repo_digests": [podman_digest], + "pull_ref": podman_digest, + "tag_aliases": [], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 456, + "created": "2026-01-01T00:00:00Z", + "source": "podman image inspect", + "notes": [], + }, + ], + "notes": [], + }, + } + } + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + _write_state(bundle, state) + manifest.manifest(str(bundle), str(out), target="puppet") + + site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8") + assert "include container_images" in site_pp + pp = (out / "modules" / "container_images" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "docker::image" not in pp + assert "docker pull" in pp + assert "Docker::Image" not in pp + assert digest in pp + assert "docker tag" in pp + assert "podman pull" in pp + metadata = json.loads( + (out / "modules" / "container_images" / "metadata.json").read_text( + encoding="utf-8" + ) + ) + assert metadata["dependencies"] == [] + + fqdn_out = tmp_path / "puppet-fqdn" + manifest.manifest(str(bundle), str(fqdn_out), target="puppet", fqdn="node.example") + node_data = yaml.safe_load( + (fqdn_out / "data" / "nodes" / "node.example.yaml").read_text(encoding="utf-8") + ) + assert node_data["container_images::container_images"][0]["pull_ref"] == digest + fqdn_pp = ( + fqdn_out / "modules" / "container_images" / "manifests" / "init.pp" + ).read_text(encoding="utf-8") + assert "Array[Hash] $container_images = []" in fqdn_pp + assert "docker::image" not in fqdn_pp + assert "enroll-docker-pull-${idx}" in fqdn_pp + assert "enroll-podman-pull-${idx}" in fqdn_pp + assert "$image['pull_cmd']" in fqdn_pp + assert "podman pull" in ( + fqdn_out / "data" / "nodes" / "node.example.yaml" + ).read_text(encoding="utf-8") + + +def test_manifest_puppet_renders_firewall_runtime_resources(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + fw_dir = bundle / "artifacts" / "firewall_runtime" / "firewall" + fw_dir.mkdir(parents=True, exist_ok=True) + (fw_dir / "ipset.save").write_text( + "create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n", + encoding="utf-8", + ) + (fw_dir / "iptables.v4").write_text( + "*filter\n:INPUT DROP [0:0]\n-A INPUT -m set --match-set blocklist src -j DROP\nCOMMIT\n", + encoding="utf-8", + ) + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": ["ipset", "iptables"], + "ipset_save": "firewall/ipset.save", + "ipset_sets": ["blocklist"], + "iptables_v4_save": "firewall/iptables.v4", + "iptables_v6_save": None, + "notes": [], + } + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="puppet") + + pp = (out / "modules" / "firewall_runtime" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + runtime_pp = ( + out / "modules" / "enroll_runtime" / "manifests" / "init.pp" + ).read_text(encoding="utf-8") + assert "file { '/etc/enroll':" in runtime_pp + assert "file { '/etc/enroll':" not in pp + assert "file { '/etc/enroll/firewall':" in pp + assert "require => File['/etc/enroll']," in pp + assert "file { '/etc/enroll/firewall/ipset.save':" in pp + assert "ipset restore -exist" in pp + assert "ipset flush blocklist" in pp + assert "iptables-restore /etc/enroll/firewall/iptables.v4" in pp + assert "refreshonly => true" in pp + assert "subscribe => File['/etc/enroll/firewall/iptables.v4']" in pp + assert "iptables-save >" not in pp + assert "Live firewall runtime snapshots were detected" not in pp + assert ( + out / "modules" / "firewall_runtime" / "files" / "firewall" / "ipset.save" + ).exists() + + fqdn_out = tmp_path / "puppet-fqdn" + manifest.manifest(str(bundle), str(fqdn_out), target="puppet", fqdn="node.example") + node_data = yaml.safe_load( + (fqdn_out / "data" / "nodes" / "node.example.yaml").read_text(encoding="utf-8") + ) + assert "enroll_runtime" in node_data["enroll::classes"] + assert "firewall_runtime" in node_data["enroll::classes"] + assert node_data["enroll::classes"].index("enroll_runtime") < node_data[ + "enroll::classes" + ].index("firewall_runtime") + assert node_data["enroll_runtime::dirs"]["/etc/enroll"]["ensure"] == "directory" + assert node_data["firewall_runtime::firewall_runtime"]["ipset_sets"] == [ + "blocklist" + ] + assert ( + "ipset restore -exist" + in node_data["firewall_runtime::firewall_runtime"]["ipset_restore_cmd"] + ) + assert ( + node_data["firewall_runtime::files"]["/etc/enroll/firewall/ipset.save"][ + "source" + ] + == "puppet:///modules/firewall_runtime/nodes/node.example/firewall/ipset.save" + ) + fqdn_pp = ( + fqdn_out / "modules" / "firewall_runtime" / "manifests" / "init.pp" + ).read_text(encoding="utf-8") + assert "Hash $firewall_runtime = {}" in fqdn_pp + assert "$firewall_runtime['ipset_restore_cmd']" in fqdn_pp + + +def test_manifest_puppet_omits_firewall_runtime_when_no_rules_were_sampled( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": [], + "ipset_save": None, + "ipset_sets": [], + "iptables_v4_save": None, + "iptables_v6_save": None, + "notes": [ + "not running as root; live firewall runtime was not captured" + ], + } + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="puppet") + + site_pp = (out / "manifests" / "site.pp").read_text(encoding="utf-8") + assert "include enroll_runtime" not in site_pp + assert "include firewall_runtime" not in site_pp + assert not (out / "modules" / "enroll_runtime").exists() + assert not (out / "modules" / "firewall_runtime").exists() + + +def _puppet_flatpak_snap_users_snapshot() -> dict: + return { + "users": [ + { + "name": "alice", + "uid": 1000, + "primary_group": "alice", + "supplementary_groups": ["docker"], + "home": "/home/alice", + "shell": "/bin/bash", + "gecos": "Alice,,,Other", + } + ], + "user_flatpak_remotes": [ + { + "method": "user", + "user": "alice", + "name": "flathub", + "url": "https://dl.flathub.org/repo/flathub.flatpakrepo", + } + ], + "user_flatpaks": { + "alice": [ + { + "ref": "app/org.foo.App/x86_64/stable", + "remote": "flathub", + } + ] + }, + } + + +def _puppet_system_flatpak_snapshot() -> dict: + return { + "remotes": [ + { + "name": "systemrepo", + "url": "https://example.invalid/repo.flatpakrepo", + } + ], + "system_flatpaks": [ + { + "name": "org.system.App", + "remote": "systemrepo", + } + ], + } + + +def _puppet_snap_snapshot() -> dict: + return { + "system_snaps": [ + { + "name": "hello-world", + "tracking": "latest/stable", + "confinement": "classic", + }, + { + "name": "danger-snap", + "revision": "42", + "notes": ["installed with --dangerous"], + }, + ], + } + + +def test_puppet_role_renders_flatpaks_snaps_and_user_flatpaks() -> None: + role = PuppetRole("apps") + role.add_users_snapshot(_puppet_flatpak_snap_users_snapshot()) + role.add_flatpak_snapshot(_puppet_system_flatpak_snapshot()) + role.add_snap_snapshot(_puppet_snap_snapshot()) + + rendered = _render_role_class(role) + assert "group { 'alice':" in rendered + assert "user { 'alice':" in rendered + assert "flatpak --user remote-add --if-not-exists flathub" in rendered + assert "HOME=/home/alice" in rendered + assert "require => User['alice']" in rendered + assert "flatpak --user install -y flathub app/org.foo.App/x86_64/stable" in rendered + assert "flatpak --system install -y systemrepo org.system.App" in rendered + assert "snap install hello-world --channel=latest/stable --classic" in rendered + assert "snap install danger-snap --revision=42 --dangerous" in rendered + + hiera = _role_hiera_values(role) + assert hiera["apps::flatpak_remotes"][0]["environment"] == [ + "HOME=/home/alice", + "XDG_DATA_HOME=/home/alice/.local/share", + ] + assert hiera["apps::flatpaks"][0]["user"] == "alice" + assert hiera["apps::snaps"][0]["classic"] is True + assert hiera["apps::snaps"][1]["dangerous"] is True + + +def test_puppet_role_records_container_image_limitations() -> None: + role = PuppetRole("container_images") + role.add_container_images_snapshot( + { + "images": [ + "not-a-dict", + {"engine": "containerd", "pull_ref": "example.invalid/app@sha256:abc"}, + { + "engine": "docker", + "repo_tags": ["example.invalid/app:latest"], + "pull_ref": "", + }, + ], + "notes": ["image capture note"], + } + ) + + assert role.container_images == [] + assert any("has no RepoDigest" in note for note in role.notes) + assert role.notes[-1] == "image capture note" + + +def test_puppet_managed_content_notes_missing_artifacts_and_links( + tmp_path: Path, +) -> None: + bundle = tmp_path / "bundle" + module_files = tmp_path / "puppet" / "modules" / "demo" / "files" + role = PuppetRole("demo") + role.add_managed_content( + { + "managed_dirs": [ + { + "path": "/etc/demo", + "owner": "root", + "group": "root", + "mode": "0750", + } + ], + "managed_files": [ + {"path": "", "src_rel": "etc/ignored.conf"}, + {"path": "/etc/missing.conf", "src_rel": "etc/missing.conf"}, + ], + "managed_links": [ + {"path": "", "target": "/nowhere"}, + {"path": "/etc/demo/current", "target": "/opt/demo/current"}, + ], + }, + bundle_dir=str(bundle), + artifact_role="demo", + module_files_dir=module_files, + ) + + assert role.dirs["/etc/demo"]["mode"] == "0750" + assert role.links["/etc/demo/current"]["target"] == "/opt/demo/current" + assert any("Skipped /etc/missing.conf" in note for note in role.notes) + + +def test_puppet_names_are_sanitised_for_target_reserved_words() -> None: + assert _puppet_name("") == "role" + assert _puppet_name("123") == "role_123" + assert _puppet_name("node") == "role_node" + assert _puppet_name("web-app") == "web_app" + + +def test_manifest_puppet_uses_jinjaturtle_erb_templates(monkeypatch, tmp_path: Path): + import enroll.jinjaturtle as jinjaturtle_mod + from enroll.jinjaturtle import JinjifyResult + + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + artifact = bundle / "artifacts" / "foo" / "etc" / "foo.ini" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("[main]\nkey = 1\n", encoding="utf-8") + + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "services": [ + { + "unit": "foo.service", + "role_name": "foo", + "packages": ["foo"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/foo.ini", + "src_rel": "etc/foo.ini", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [], + } + ], + "packages": [], + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + }, + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + }, + "sysctl": {"role_name": "sysctl", "managed_dirs": [], "managed_files": []}, + "firewall_runtime": {"role_name": "firewall_runtime", "packages": []}, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + } + _write_state(bundle, state) + + monkeypatch.setattr( + jinjaturtle_mod, "find_jinjaturtle_cmd", lambda: "/usr/bin/jinjaturtle" + ) + monkeypatch.setattr(jinjaturtle_mod, "can_jinjify_path", lambda _path: True) + + calls = [] + + def fake_run_jinjaturtle( + jt_exe: str, + src_path: str, + *, + role_name: str, + force_format=None, + template_engine: str = "jinja2", + puppet_class=None, + ): + calls.append((role_name, template_engine, puppet_class)) + assert template_engine == "erb" + assert puppet_class == "foo" + return JinjifyResult( + template_text="[main]\nkey = <%= @main_key %>\n", + vars_text="foo::main_key: 1\n", + ) + + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) + + manifest.manifest( + str(bundle), + str(out), + target="puppet", + jinjaturtle="on", + no_common_roles=True, + ) + + assert calls == [("foo", "erb", "foo")] + assert (out / "modules" / "foo" / "templates" / "etc" / "foo.ini.erb").read_text( + encoding="utf-8" + ) == "[main]\nkey = <%= @main_key %>\n" + assert not (out / "modules" / "foo" / "files" / "etc" / "foo.ini").exists() + + init_pp = (out / "modules" / "foo" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "Any $main_key = 1," in init_pp + assert "content => template('foo/etc/foo.ini.erb')" in init_pp + assert "source =>" not in init_pp + + +def test_manifest_puppet_fqdn_writes_erb_template_values_to_node_hiera( + monkeypatch, tmp_path: Path +): + import enroll.jinjaturtle as jinjaturtle_mod + from enroll.jinjaturtle import JinjifyResult + + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + artifact = bundle / "artifacts" / "foo" / "etc" / "foo.ini" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("[main]\nkey = 1\n", encoding="utf-8") + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "services": [ + { + "unit": "foo.service", + "role_name": "foo", + "packages": ["foo"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [], + "managed_files": [ + {"path": "/etc/foo.ini", "src_rel": "etc/foo.ini"} + ], + "managed_links": [], + } + ], + "packages": [], + "users": { + "role_name": "users", + "users": [], + "managed_dirs": [], + "managed_files": [], + }, + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + }, + "sysctl": {"role_name": "sysctl", "managed_dirs": [], "managed_files": []}, + "firewall_runtime": {"role_name": "firewall_runtime", "packages": []}, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + } + _write_state(bundle, state) + + monkeypatch.setattr( + jinjaturtle_mod, "find_jinjaturtle_cmd", lambda: "/usr/bin/jinjaturtle" + ) + monkeypatch.setattr(jinjaturtle_mod, "can_jinjify_path", lambda _path: True) + monkeypatch.setattr( + jinjaturtle_mod, + "run_jinjaturtle", + lambda *a, **k: JinjifyResult( + template_text="[main]\nkey = <%= @main_key %>\n", + vars_text="foo::main_key: 1\n", + ), + ) + + manifest.manifest( + str(bundle), str(out), target="puppet", fqdn="test.example", jinjaturtle="on" + ) + + node_data = yaml.safe_load( + (out / "data" / "nodes" / "test.example.yaml").read_text(encoding="utf-8") + ) + assert node_data["foo::main_key"] == 1 + assert node_data["foo::files"]["/etc/foo.ini"]["template"] == "foo/etc/foo.ini.erb" + assert "source" not in node_data["foo::files"]["/etc/foo.ini"] + init_pp = (out / "modules" / "foo" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "Any $main_key = undef," in init_pp + assert "content => template($attrs['template'])" in init_pp + + +def test_pp_quote_common_case_is_single_quoted_and_stable(): + """Values without control characters keep the historical single-quoted form.""" + from enroll.puppet import _pp_quote + + assert _pp_quote("Alice Example") == "'Alice Example'" + assert _pp_quote("0644") == "'0644'" + assert _pp_quote("/etc/nginx/nginx.conf") == "'/etc/nginx/nginx.conf'" + # Single quote and backslash keep their single-quoted escaping. + assert _pp_quote("a'b") == "'a\\'b'" + assert _pp_quote("back\\slash") == "'back\\\\slash'" + + +def test_pp_quote_neutralises_raw_control_characters(): + """A tampered harvest cannot splatter raw control characters into a manifest. + + GECOS and similar scalars are newline-delimited on a live host, so control + characters only appear via a hand-edited/tampered state.json. When present, + _pp_quote switches to a double-quoted Puppet string and escapes them rather + than emitting them verbatim. + """ + from enroll.puppet import _pp_quote + + rendered = _pp_quote("a\ntouch /tmp/pwned") + assert rendered == '"a\\ntouch /tmp/pwned"' + # No raw C0/DEL byte survives into the rendered scalar. + for value in ("a\nb", "x\r\ny", "a\tb", "a\x00b", "a\x7fb"): + out = _pp_quote(value) + assert not any(ch in out for ch in [chr(c) for c in range(0x20)] + ["\x7f"]) + + +def test_pp_quote_double_fallback_cannot_introduce_interpolation(): + """The double-quoted fallback must not enable Puppet interpolation/breakout.""" + from enroll.puppet import _pp_quote + + # $ would interpolate in a double-quoted Puppet string; it must be escaped. + out = _pp_quote("a\n${::osfamily}") + assert "\\${::osfamily}" in out + assert "${::osfamily}" not in out.replace("\\${::osfamily}", "") + # A double quote cannot terminate the string early. + out2 = _pp_quote('a\n"; notify{x:} ') + assert out2.startswith('"') and out2.endswith('"') + assert '\\"' in out2 + + +def test_manifest_puppet_user_gecos_with_newline_is_single_line(tmp_path: Path): + """End-to-end: a newline in a user's gecos yields a single-line comment.""" + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + state = { + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "eviluser", + "uid": 1001, + "primary_group": "evil", + "supplementary_groups": [], + "home": "/home/eviluser", + "shell": "/bin/bash", + "gecos": "Real Name\ntouch /tmp/pwned", + } + ], + "managed_files": [], + "managed_dirs": [], + "excluded": [], + "notes": [], + } + } + } + _write_state(bundle, state) + manifest.manifest(str(bundle), str(out), target="puppet") + + init_pp = (out / "modules" / "users" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + # The comment attribute must be on one line with the newline escaped. + assert 'comment => "Real Name\\ntouch /tmp/pwned"' in init_pp + # And there must be no line that is just the injected command. + assert "\ntouch /tmp/pwned\n" not in init_pp + + +def _puppet_hiera_payload_state(payload: str) -> dict: + return { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "gid": 1000, + "gecos": payload, + "home": "/home/alice", + "shell": "/bin/bash", + "primary_group": "alice", + "supplementary_groups": [], + } + ], + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + "services": [], + "packages": [], + }, + } + + +def test_manifest_puppet_static_quotes_template_like_harvested_values( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + payload = "%{lookup('enroll::classes')}" + _write_state(bundle, _puppet_hiera_payload_state(payload)) + + manifest.manifest(str(bundle), str(out), target="puppet") + + init_pp = (out / "modules" / "users" / "manifests" / "init.pp").read_text( + encoding="utf-8" + ) + assert "comment => '%{lookup(\\'enroll::classes\\')}'" in init_pp + + +def test_manifest_puppet_hiera_escapes_harvested_interpolation_tokens( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "puppet" + payload = "%{lookup('enroll::classes')}" + _write_state(bundle, _puppet_hiera_payload_state(payload)) + + manifest.manifest(str(bundle), str(out), target="puppet", fqdn="node.example") + + node_yaml = out / "data" / "nodes" / "node.example.yaml" + text = node_yaml.read_text(encoding="utf-8") + assert payload not in text + assert "%{literal(''%'')}{lookup(''enroll::classes'')}" in text + data = yaml.safe_load(text) + assert ( + data["users::users"]["alice"]["comment"] + == "%{literal('%')}{lookup('enroll::classes')}" + ) diff --git a/tests/test_manifest_safety.py b/tests/test_manifest_safety.py new file mode 100644 index 0000000..deb764d --- /dev/null +++ b/tests/test_manifest_safety.py @@ -0,0 +1,126 @@ +from __future__ import annotations + +import os +from pathlib import Path + +import pytest + +from enroll.manifest_safety import ( + ArtifactSafetyError, + ManifestOutputError, + copy_safe_artifact_file, + iter_safe_artifact_files, + prepare_manifest_output_dir, + safe_artifact_file, + validate_site_fqdn, +) + + +def test_validate_site_fqdn_accepts_and_normalises_simple_values(): + assert validate_site_fqdn(None) is None + assert validate_site_fqdn(" ") is None + assert validate_site_fqdn("host_1.example") == "host_1.example" + + +@pytest.mark.parametrize( + "value", ["../host", "host/name", "host\\name", "host\nname", "-bad", ".", ".."] +) +def test_validate_site_fqdn_rejects_path_or_inventory_injection(value: str): + with pytest.raises(ManifestOutputError): + validate_site_fqdn(value) + + +def test_prepare_manifest_output_dir_allows_existing_clean_tree_in_site_mode( + tmp_path: Path, +): + out = tmp_path / "site" + out.mkdir() + (out / ".git").mkdir() + (out / ".git" / "ignored-link").symlink_to(tmp_path, target_is_directory=True) + + assert prepare_manifest_output_dir(out, allow_existing=True) == out + + +def test_prepare_manifest_output_dir_rejects_existing_tree_symlink(tmp_path: Path): + out = tmp_path / "site" + out.mkdir() + (out / "bad-link").symlink_to(tmp_path, target_is_directory=True) + + with pytest.raises(ManifestOutputError, match="contains a symlink"): + prepare_manifest_output_dir(out, allow_existing=True) + + +def test_safe_artifact_file_accepts_regular_file_and_copy(tmp_path: Path): + bundle = tmp_path / "bundle" + artifact = bundle / "artifacts" / "role" / "etc" / "app.conf" + artifact.parent.mkdir(parents=True) + artifact.write_text("managed=true\n", encoding="utf-8") + + assert safe_artifact_file(bundle, "role", "etc/app.conf") == artifact + + dst = tmp_path / "copy.conf" + copy_safe_artifact_file(artifact, dst) + assert dst.read_text(encoding="utf-8") == "managed=true\n" + + +def test_safe_artifact_file_rejects_unsafe_role_and_src(tmp_path: Path): + bundle = tmp_path / "bundle" + with pytest.raises(ArtifactSafetyError, match="must be relative"): + safe_artifact_file(bundle, "/role", "file") + with pytest.raises(ArtifactSafetyError, match="unsafe path component"): + safe_artifact_file(bundle, "role", "../file") + with pytest.raises(ArtifactSafetyError, match="NUL"): + safe_artifact_file(bundle, "role", "bad\x00file") + + +def test_safe_artifact_file_rejects_artifacts_symlink(tmp_path: Path): + bundle = tmp_path / "bundle" + bundle.mkdir() + (bundle / "artifacts").symlink_to(tmp_path, target_is_directory=True) + + with pytest.raises(ArtifactSafetyError, match="artifacts directory is a symlink"): + safe_artifact_file(bundle, "role", "file") + + +def test_safe_artifact_file_rejects_bad_artifact_kinds(tmp_path: Path): + bundle = tmp_path / "bundle" + role_dir = bundle / "artifacts" / "role" + role_dir.mkdir(parents=True) + + target = role_dir / "target" + target.write_text("x", encoding="utf-8") + (role_dir / "link").symlink_to(target) + with pytest.raises(ArtifactSafetyError, match="symlink"): + safe_artifact_file(bundle, "role", "link") + + (role_dir / "dir-artifact").mkdir() + with pytest.raises(ArtifactSafetyError, match="not a regular file"): + safe_artifact_file(bundle, "role", "dir-artifact") + + hardlink = role_dir / "hardlink" + os.link(target, hardlink) + with pytest.raises(ArtifactSafetyError, match="hardlinked"): + safe_artifact_file(bundle, "role", "target") + + +def test_iter_safe_artifact_files_handles_missing_and_bad_role_dirs(tmp_path: Path): + bundle = tmp_path / "bundle" + assert list(iter_safe_artifact_files(bundle, "missing")) == [] + + role_file = bundle / "artifacts" / "role" + role_file.parent.mkdir(parents=True) + role_file.write_text("not a dir", encoding="utf-8") + with pytest.raises(ArtifactSafetyError, match="not a directory"): + list(iter_safe_artifact_files(bundle, "role")) + + +def test_iter_safe_artifact_files_rejects_symlink_subdir(tmp_path: Path): + bundle = tmp_path / "bundle" + role_dir = bundle / "artifacts" / "role" + role_dir.mkdir(parents=True) + real = tmp_path / "real" + real.mkdir() + (role_dir / "linkdir").symlink_to(real, target_is_directory=True) + + with pytest.raises(ArtifactSafetyError, match="directory is a symlink"): + list(iter_safe_artifact_files(bundle, "role")) diff --git a/tests/test_manifest_salt.py b/tests/test_manifest_salt.py new file mode 100644 index 0000000..aa3e5ab --- /dev/null +++ b/tests/test_manifest_salt.py @@ -0,0 +1,1045 @@ +from __future__ import annotations + +from collections import OrderedDict +from pathlib import Path + +import yaml + +from state_helpers import write_schema_state + +from enroll import manifest +from enroll.salt import ( + SaltRole, + _render_pillar_role, + _render_static_role, + _role_pillar_values, + _salt_name, + _state_id, +) + + +def _write_state(bundle: Path, state: dict) -> None: + write_schema_state(bundle, state) + + +def _sample_state() -> dict: + return { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": { + "packages": {"foo": {"section": "net"}, "curl": {"section": "net"}} + }, + "roles": { + "users": { + "role_name": "users", + "users": [ + { + "name": "alice", + "uid": 1000, + "gid": 1000, + "gecos": "Alice Example", + "home": "/home/alice", + "shell": "/bin/bash", + "primary_group": "alice", + "supplementary_groups": ["docker"], + } + ], + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + "excluded": [], + "notes": [], + }, + "services": [ + { + "unit": "foo.service", + "role_name": "foo", + "packages": ["foo"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [ + { + "path": "/etc/foo", + "owner": "root", + "group": "root", + "mode": "0755", + } + ], + "managed_files": [ + { + "path": "/etc/foo/foo.conf", + "src_rel": "etc/foo.conf", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [ + {"path": "/etc/foo/enabled.conf", "target": "/etc/foo/foo.conf"} + ], + "excluded": [], + "notes": [], + } + ], + "packages": [ + { + "package": "curl", + "role_name": "curl", + "section": "net", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + "excluded": [], + "notes": [], + } + ], + "apt_config": { + "role_name": "apt_config", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + "dnf_config": { + "role_name": "dnf_config", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + "sysctl": { + "role_name": "sysctl", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/sysctl.d/99-enroll.conf", + "src_rel": "sysctl/99-enroll.conf", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [], + "parameters": {"net.ipv4.ip_forward": "1"}, + "notes": [], + }, + "firewall_runtime": {"role_name": "firewall_runtime", "packages": []}, + "etc_custom": { + "role_name": "etc_custom", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + "usr_local_custom": { + "role_name": "usr_local_custom", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + "extra_paths": { + "role_name": "extra_paths", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + }, + }, + } + + +def _write_sample_artifacts(bundle: Path) -> None: + artifact = bundle / "artifacts" / "foo" / "etc" / "foo.conf" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("setting = true\n", encoding="utf-8") + sysctl_artifact = bundle / "artifacts" / "sysctl" / "sysctl" / "99-enroll.conf" + sysctl_artifact.parent.mkdir(parents=True, exist_ok=True) + sysctl_artifact.write_text("net.ipv4.ip_forward = 1\n", encoding="utf-8") + + +def test_manifest_salt_writes_single_site_state_tree(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + _write_sample_artifacts(bundle) + _write_state(bundle, _sample_state()) + + manifest.manifest(str(bundle), str(out), target="salt") + + top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8")) + assert top["base"]["*"] == ["roles.net", "roles.users", "roles.sysctl"] + + net_sls = (out / "states" / "roles" / "net" / "init.sls").read_text( + encoding="utf-8" + ) + assert "pkg.installed:" in net_sls + assert '- name: "curl"' in net_sls + assert '- name: "foo"' in net_sls + assert '"/etc/foo/foo.conf":' in net_sls + assert 'source: "salt://roles/net/files/etc/foo.conf"' in net_sls + assert "watch_in:" in net_sls + assert 'service: "enroll_service_net_foo_service_20435514"' in net_sls + assert "file.symlink:" in net_sls + assert "service.running:" in net_sls + assert (out / "states" / "roles" / "net" / "files" / "etc" / "foo.conf").exists() + + users_sls = (out / "states" / "roles" / "users" / "init.sls").read_text( + encoding="utf-8" + ) + assert "group.present:" in users_sls + assert "user.present:" in users_sls + assert "Alice Example" in users_sls + assert "optional_groups" not in users_sls + assert "- remove_groups: false" in users_sls + + sysctl_sls = (out / "states" / "roles" / "sysctl" / "init.sls").read_text( + encoding="utf-8" + ) + assert "cmd.run:" in sysctl_sls + assert "sysctl -e -p /etc/sysctl.d/99-enroll.conf || true" in sysctl_sls + assert (out / "README.md").exists() + assert (out / "config" / "master.d" / "enroll.conf").exists() + + +def test_manifest_salt_fqdn_package_watch_targets_declared_service_role( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + artifact = bundle / "artifacts" / "apparmor" / "etc" / "apparmor" / "parser.conf" + artifact.parent.mkdir(parents=True, exist_ok=True) + artifact.write_text("cache-loc /var/cache/apparmor\n", encoding="utf-8") + + state = _sample_state() + state["inventory"] = {"packages": {"apparmor": {"section": "admin"}}} + state["roles"]["services"] = [ + { + "unit": "apparmor.service", + "role_name": "apparmor_service", + "packages": ["apparmor"], + "active_state": "active", + "unit_file_state": "enabled", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + } + ] + state["roles"]["packages"] = [ + { + "package": "apparmor", + "role_name": "apparmor", + "section": "admin", + "managed_dirs": [], + "managed_files": [ + { + "path": "/etc/apparmor/parser.conf", + "src_rel": "etc/apparmor/parser.conf", + "owner": "root", + "group": "root", + "mode": "0644", + } + ], + "managed_links": [], + } + ] + state["roles"]["sysctl"] = { + "role_name": "sysctl", + "managed_dirs": [], + "managed_files": [], + "managed_links": [], + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt", fqdn="vpn-ssh") + + pillar_top = yaml.safe_load( + (out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + node_sls = pillar_top["base"]["vpn-ssh"][0] + pillar_path = out / "pillar" / Path(*node_sls.split(".")) + pillar = yaml.safe_load(pillar_path.with_suffix(".sls").read_text(encoding="utf-8")) + roles = pillar["enroll"]["roles"] + expected_service_state = _state_id( + "service", "apparmor.service", role="apparmor_service" + ) + + assert roles["apparmor"]["files"]["/etc/apparmor/parser.conf"]["watch_in"] == [ + {"service": expected_service_state} + ] + assert roles["apparmor_service"]["services"]["apparmor.service"]["state_id"] == ( + expected_service_state + ) + + +def test_manifest_salt_fqdn_mode_uses_pillar_and_accumulates_nodes(tmp_path: Path): + out = tmp_path / "salt" + + def write_bundle(name: str, content: str) -> Path: + bundle = tmp_path / name + _write_sample_artifacts(bundle) + (bundle / "artifacts" / "foo" / "etc" / "foo.conf").write_text( + content, encoding="utf-8" + ) + state = _sample_state() + state["host"]["hostname"] = name + _write_state(bundle, state) + return bundle + + first = write_bundle("first", "first=true\n") + second = write_bundle("second", "second=true\n") + + manifest.manifest(str(first), str(out), target="salt", fqdn="first.example") + manifest.manifest(str(second), str(out), target="salt", fqdn="second.example") + + state_top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8")) + assert state_top["base"]["first.example"] == [ + "roles.curl", + "roles.foo", + "roles.users", + "roles.sysctl", + ] + assert state_top["base"]["second.example"] == [ + "roles.curl", + "roles.foo", + "roles.users", + "roles.sysctl", + ] + + pillar_top = yaml.safe_load( + (out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + assert set(pillar_top["base"]) == {"first.example", "second.example"} + first_pillar_sls = pillar_top["base"]["first.example"][0] + first_node = out / "pillar" / Path(*first_pillar_sls.split(".")) + first_data = yaml.safe_load( + first_node.with_suffix(".sls").read_text(encoding="utf-8") + ) + assert first_data["enroll"]["classes"] == [ + "roles.curl", + "roles.foo", + "roles.users", + "roles.sysctl", + ] + assert first_data["enroll"]["roles"]["foo"]["packages"] == ["foo"] + assert first_data["enroll"]["roles"]["foo"]["files"]["/etc/foo/foo.conf"][ + "source" + ] == ("salt://roles/foo/files/nodes/first.example/etc/foo.conf") + + foo_sls = (out / "states" / "roles" / "foo" / "init.sls").read_text( + encoding="utf-8" + ) + assert "salt['pillar.get']('enroll:roles:foo'" in foo_sls + assert "pkg.installed:" in foo_sls + assert "file.managed:" in foo_sls + assert ( + out + / "states" + / "roles" + / "foo" + / "files" + / "nodes" + / "first.example" + / "etc" + / "foo.conf" + ).exists() + assert ( + out + / "states" + / "roles" + / "foo" + / "files" + / "nodes" + / "second.example" + / "etc" + / "foo.conf" + ).exists() + + +def test_manifest_salt_user_gecos_and_groups_are_salt_safe(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = _sample_state() + state["roles"]["users"]["users"][0]["name"] = "node" + state["roles"]["users"]["users"][0]["primary_group"] = "node" + state["roles"]["users"]["users"][0]["gid"] = 1000 + state["roles"]["users"]["users"][0]["gecos"] = "Node,,," + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt") + + users_sls = (out / "states" / "roles" / "users" / "init.sls").read_text( + encoding="utf-8" + ) + assert '- fullname: "Node"' in users_sls + assert "Node,,," not in users_sls + assert "optional_groups" not in users_sls + assert "- remove_groups: false" in users_sls + + +def test_manifest_salt_fqdn_user_pillar_gecos_and_groups_are_salt_safe(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = _sample_state() + state["roles"]["users"]["users"][0]["gecos"] = "Node,,," + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt", fqdn="node.example") + + pillar_top = yaml.safe_load( + (out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + node_sls = pillar_top["base"]["node.example"][0] + pillar_path = out / "pillar" / Path(*node_sls.split(".")) + data = yaml.safe_load(pillar_path.with_suffix(".sls").read_text(encoding="utf-8")) + alice = data["enroll"]["roles"]["users"]["users"]["alice"] + assert alice["fullname"] == "Node" + assert "Node,,," not in pillar_path.with_suffix(".sls").read_text(encoding="utf-8") + assert alice["remove_groups"] is False + assert "optional_groups" not in pillar_path.with_suffix(".sls").read_text( + encoding="utf-8" + ) + + users_sls = (out / "states" / "roles" / "users" / "init.sls").read_text( + encoding="utf-8" + ) + assert "optional_groups" not in users_sls + assert "remove_groups" in users_sls + + +def test_cli_manifest_target_salt_is_forwarded(monkeypatch, tmp_path): + import sys + + import enroll.cli as cli + + called = {} + + def fake_manifest(harvest_dir: str, out_dir: str, **kwargs): + called["harvest"] = harvest_dir + called["out"] = out_dir + called["target"] = kwargs.get("target") + + monkeypatch.setattr(cli, "manifest", fake_manifest) + monkeypatch.setattr( + sys, + "argv", + [ + "enroll", + "manifest", + "--harvest", + str(tmp_path / "bundle"), + "--out", + str(tmp_path / "salt"), + "--target", + "salt", + ], + ) + + cli.main() + assert called["harvest"] == str(tmp_path / "bundle") + assert called["out"] == str(tmp_path / "salt") + assert called["target"] == "salt" + + +def test_manifest_salt_renders_container_images_in_single_and_fqdn_modes( + tmp_path: Path, +): + digest = "docker.io/library/nginx@sha256:" + "a" * 64 + podman_digest = "quay.io/example/app@sha256:" + "b" * 64 + state = _sample_state() + state["roles"]["container_images"] = { + "role_name": "container_images", + "images": [ + { + "engine": "docker", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "c" * 64, + "repo_tags": ["docker.io/library/nginx:1.27"], + "repo_digests": [digest], + "pull_ref": digest, + "tag_aliases": [ + { + "ref": "docker.io/library/nginx:1.27", + "repository": "docker.io/library/nginx", + "tag": "1.27", + } + ], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 123, + "created": "2026-01-01T00:00:00Z", + "source": "docker image inspect", + "notes": [], + }, + { + "engine": "podman", + "scope": "system", + "user": None, + "home": None, + "image_id": "sha256:" + "d" * 64, + "repo_tags": ["quay.io/example/app:prod"], + "repo_digests": [podman_digest], + "pull_ref": podman_digest, + "tag_aliases": [ + { + "ref": "quay.io/example/app:prod", + "repository": "quay.io/example/app", + "tag": "prod", + } + ], + "os": "linux", + "architecture": "amd64", + "variant": None, + "platform": "linux/amd64", + "size": 456, + "created": "2026-01-01T00:00:00Z", + "source": "podman image inspect", + "notes": [], + }, + ], + "notes": [], + } + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt") + + top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8")) + assert "roles.container_images" in top["base"]["*"] + sls = (out / "states" / "roles" / "container_images" / "init.sls").read_text( + encoding="utf-8" + ) + assert "docker_image.present:" not in sls + assert "docker pull" in sls + assert digest in sls + assert "docker image inspect" in sls + assert "{{.Id}}" not in sls + assert "sed -n" in sls + assert "docker tag" in sls + assert "- cmd: enroll_docker_pull_container_images" in sls + assert "podman pull" in sls + assert "podman tag" in sls + + fqdn_out = tmp_path / "salt-fqdn" + manifest.manifest(str(bundle), str(fqdn_out), target="salt", fqdn="node.example") + pillar_top = yaml.safe_load( + (fqdn_out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + node_sls = pillar_top["base"]["node.example"][0] + pillar_path = fqdn_out / "pillar" / Path(*node_sls.split(".")) + pillar = yaml.safe_load(pillar_path.with_suffix(".sls").read_text(encoding="utf-8")) + assert ( + pillar["enroll"]["roles"]["container_images"]["container_images"][0]["pull_ref"] + == digest + ) + fqdn_sls = ( + fqdn_out / "states" / "roles" / "container_images" / "init.sls" + ).read_text(encoding="utf-8") + assert "docker_image.present:" not in fqdn_sls + assert "enroll_docker_pull_container_images" in fqdn_sls + assert "enroll_podman_pull_container_images" in fqdn_sls + assert "image.get('pull_cmd')" in fqdn_sls + pillar_text = pillar_path.with_suffix(".sls").read_text(encoding="utf-8") + assert "docker pull" in pillar_text + assert "docker image inspect" in pillar_text + assert "{{.Id}}" not in pillar_text + assert "sed -n" in pillar_text + assert "podman pull" in pillar_text + + +def test_manifest_salt_uses_jinjaturtle_templates(monkeypatch, tmp_path: Path): + import enroll.jinjaturtle as jinjaturtle_mod + from enroll.jinjaturtle import JinjifyResult + + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = _sample_state() + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + monkeypatch.setattr( + jinjaturtle_mod, "find_jinjaturtle_cmd", lambda: "/usr/bin/jinjaturtle" + ) + monkeypatch.setattr(jinjaturtle_mod, "can_jinjify_path", lambda _path: True) + + def fake_run_jinjaturtle( + jt_exe: str, src_path: str, *, role_name: str, force_format=None + ): + assert jt_exe == "/usr/bin/jinjaturtle" + assert role_name == "foo" + assert src_path.endswith("artifacts/foo/etc/foo.conf") + return JinjifyResult( + template_text="setting = {{ foo_setting }}\n", + vars_text="foo_setting: true\n", + ) + + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) + + manifest.manifest(str(bundle), str(out), target="salt", jinjaturtle="on") + + role_dir = out / "states" / "roles" / "net" + assert (role_dir / "templates" / "etc" / "foo.conf.j2").read_text( + encoding="utf-8" + ) == "setting = {{ foo_setting }}\n" + assert not (role_dir / "files" / "etc" / "foo.conf").exists() + sls = (role_dir / "init.sls").read_text(encoding="utf-8") + assert 'source: "salt://roles/net/templates/etc/foo.conf.j2"' in sls + assert 'template: "jinja"' in sls + assert "foo_setting: true" in sls + + fqdn_out = tmp_path / "salt-fqdn" + manifest.manifest( + str(bundle), + str(fqdn_out), + target="salt", + fqdn="node.example", + jinjaturtle="on", + ) + + fqdn_role_dir = fqdn_out / "states" / "roles" / "foo" + assert (fqdn_role_dir / "templates" / "etc" / "foo.conf.j2").exists() + assert not ( + fqdn_role_dir / "files" / "nodes" / "node.example" / "etc" / "foo.conf" + ).exists() + pillar_top = yaml.safe_load( + (fqdn_out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + node_sls = pillar_top["base"]["node.example"][0] + pillar_path = fqdn_out / "pillar" / Path(*node_sls.split(".")) + pillar = yaml.safe_load(pillar_path.with_suffix(".sls").read_text(encoding="utf-8")) + file_data = pillar["enroll"]["roles"]["foo"]["files"]["/etc/foo/foo.conf"] + assert file_data["source"] == "salt://roles/foo/templates/etc/foo.conf.j2" + assert file_data["watch_in"] == [ + {"service": "enroll_service_foo_foo_service_20435514"} + ] + assert file_data["template"] == "jinja" + assert file_data["context"] == {"foo_setting": True} + + +def test_manifest_salt_rewrites_jinjaturtle_json_filters(monkeypatch, tmp_path: Path): + import enroll.jinjaturtle as jinjaturtle_mod + from enroll.jinjaturtle import JinjifyResult + + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = _sample_state() + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + monkeypatch.setattr( + jinjaturtle_mod, "find_jinjaturtle_cmd", lambda: "/usr/bin/jinjaturtle" + ) + monkeypatch.setattr(jinjaturtle_mod, "can_jinjify_path", lambda _path: True) + + def fake_run_jinjaturtle( + jt_exe: str, src_path: str, *, role_name: str, force_format=None + ): + return JinjifyResult( + template_text='{ "setting": {{ foo_setting | to_json(ensure_ascii=False) }} }\n', + vars_text='foo_setting: "alpha"\n', + ) + + monkeypatch.setattr(jinjaturtle_mod, "run_jinjaturtle", fake_run_jinjaturtle) + + manifest.manifest(str(bundle), str(out), target="salt", jinjaturtle="on") + + template_text = ( + out / "states" / "roles" / "net" / "templates" / "etc" / "foo.conf.j2" + ).read_text(encoding="utf-8") + assert "to_json" not in template_text + assert "foo_setting__enroll_json" in template_text + sls = (out / "states" / "roles" / "net" / "init.sls").read_text(encoding="utf-8") + assert "foo_setting__enroll_json:" in sls + assert '"alpha"' in sls + + +def test_manifest_salt_pillar_role_uses_json_for_template_context() -> None: + role = SaltRole("foo") + role.add_managed_file( + "/etc/foo.json", + source="salt://roles/foo/templates/etc/foo.json.j2", + user="root", + group="root", + mode="0644", + makedirs=True, + template="jinja", + context=OrderedDict( + [("foo_name", "alpha"), ("foo_nested", OrderedDict([("x", 1)]))] + ), + ) + + pillar = _role_pillar_values(role) + assert type(pillar["files"]["/etc/foo.json"]["context"]) is dict + assert type(pillar["files"]["/etc/foo.json"]["context"]["foo_nested"]) is dict + + rendered = _render_static_role(role) + assert "foo_nested:" in rendered + context_block = ( + _render_pillar_role(role).split("context:", 1)[1].split("{% endif %}", 1)[0] + ) + assert "|yaml_encode" not in context_block + assert "|tojson" in _render_pillar_role(role) + + +def test_manifest_salt_renders_firewall_runtime_states(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + fw_dir = bundle / "artifacts" / "firewall_runtime" / "firewall" + fw_dir.mkdir(parents=True, exist_ok=True) + (fw_dir / "ipset.save").write_text( + "create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n", + encoding="utf-8", + ) + (fw_dir / "iptables.v4").write_text( + "*filter\n:INPUT DROP [0:0]\n-A INPUT -m set --match-set blocklist src -j DROP\nCOMMIT\n", + encoding="utf-8", + ) + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": ["ipset", "iptables"], + "ipset_save": "firewall/ipset.save", + "ipset_sets": ["blocklist"], + "iptables_v4_save": "firewall/iptables.v4", + "iptables_v6_save": None, + "notes": [], + } + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt") + + top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8")) + assert "roles.enroll_runtime" in top["base"]["*"] + assert top["base"]["*"].index("roles.enroll_runtime") < top["base"]["*"].index( + "roles.firewall_runtime" + ) + runtime_sls = (out / "states" / "roles" / "enroll_runtime" / "init.sls").read_text( + encoding="utf-8" + ) + assert '"/etc/enroll":' in runtime_sls + sls = (out / "states" / "roles" / "firewall_runtime" / "init.sls").read_text( + encoding="utf-8" + ) + assert '"/etc/enroll":' not in sls + assert '"/etc/enroll/firewall":' in sls + assert '- file: "/etc/enroll"' in sls + assert '"/etc/enroll/firewall/ipset.save":' in sls + assert "ipset restore -exist" in sls + assert "ipset flush blocklist" in sls + assert "iptables-restore /etc/enroll/firewall/iptables.v4" in sls + assert " - onchanges:" in sls + assert ' - file: "/etc/enroll/firewall/iptables.v4"' in sls + assert "iptables-save >" not in sls + assert "Live firewall runtime snapshots were detected" not in sls + assert ( + out + / "states" + / "roles" + / "firewall_runtime" + / "files" + / "firewall" + / "ipset.save" + ).exists() + + fqdn_out = tmp_path / "salt-fqdn" + manifest.manifest(str(bundle), str(fqdn_out), target="salt", fqdn="node.example") + pillar_top = yaml.safe_load( + (fqdn_out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + node_sls = pillar_top["base"]["node.example"][0] + pillar_path = fqdn_out / "pillar" / Path(*node_sls.split(".")) + pillar = yaml.safe_load(pillar_path.with_suffix(".sls").read_text(encoding="utf-8")) + assert "roles.enroll_runtime" in pillar["enroll"]["classes"] + assert "firewall_runtime" in pillar["enroll"]["roles"] + assert ( + pillar["enroll"]["roles"]["enroll_runtime"]["dirs"]["/etc/enroll"]["mode"] + == "0750" + ) + role_data = pillar["enroll"]["roles"]["firewall_runtime"] + assert role_data["firewall_runtime"]["ipset_sets"] == ["blocklist"] + assert "ipset restore -exist" in role_data["firewall_runtime"]["ipset_restore_cmd"] + assert role_data["files"]["/etc/enroll/firewall/ipset.save"]["source"] == ( + "salt://roles/firewall_runtime/files/nodes/node.example/firewall/ipset.save" + ) + fqdn_sls = ( + fqdn_out / "states" / "roles" / "firewall_runtime" / "init.sls" + ).read_text(encoding="utf-8") + assert "firewall_runtime.get('ipset_restore_cmd')" in fqdn_sls + + +def test_manifest_salt_omits_firewall_runtime_when_no_rules_were_sampled( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = { + "schema_version": 3, + "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, + "inventory": {"packages": {}}, + "roles": { + "firewall_runtime": { + "role_name": "firewall_runtime", + "packages": [], + "ipset_save": None, + "ipset_sets": [], + "iptables_v4_save": None, + "iptables_v6_save": None, + "notes": [ + "not running as root; live firewall runtime was not captured" + ], + } + }, + } + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt") + + top = yaml.safe_load((out / "states" / "top.sls").read_text(encoding="utf-8")) + assert "roles.enroll_runtime" not in top["base"]["*"] + assert "roles.firewall_runtime" not in top["base"]["*"] + assert not (out / "states" / "roles" / "enroll_runtime").exists() + assert not (out / "states" / "roles" / "firewall_runtime").exists() + + +def _salt_flatpak_snap_users_snapshot() -> dict: + return { + "users": [ + { + "name": "alice", + "uid": 1000, + "primary_group": "alice", + "supplementary_groups": ["docker"], + "home": "/home/alice", + "shell": "/bin/bash", + "gecos": "Alice,,,Other", + } + ], + "user_flatpak_remotes": [ + { + "method": "user", + "user": "alice", + "name": "flathub", + "url": "https://dl.flathub.org/repo/flathub.flatpakrepo", + } + ], + "user_flatpaks": { + "alice": [ + { + "ref": "app/org.foo.App/x86_64/stable", + "remote": "flathub", + } + ] + }, + } + + +def _salt_system_flatpak_snapshot() -> dict: + return { + "remotes": [ + { + "name": "systemrepo", + "url": "https://example.invalid/repo.flatpakrepo", + } + ], + "system_flatpaks": [ + { + "name": "org.system.App", + "remote": "systemrepo", + } + ], + } + + +def _salt_snap_snapshot() -> dict: + return { + "system_snaps": [ + { + "name": "hello-world", + "tracking": "latest/stable", + "confinement": "classic", + }, + { + "name": "danger-snap", + "revision": "42", + "notes": ["installed with --dangerous"], + }, + ], + } + + +def test_salt_role_renders_flatpaks_snaps_and_user_flatpaks() -> None: + role = SaltRole("apps") + role.add_users_snapshot(_salt_flatpak_snap_users_snapshot()) + role.add_flatpak_snapshot(_salt_system_flatpak_snapshot()) + role.add_snap_snapshot(_salt_snap_snapshot()) + + rendered = _render_static_role(role) + assert "group.present:" in rendered + assert "user.present:" in rendered + assert "flatpak --user remote-add --if-not-exists flathub" in rendered + assert ' - HOME: "/home/alice"' in rendered + assert " - user: enroll_user_apps_alice_522b276a" in rendered + assert "flatpak --user install -y flathub app/org.foo.App/x86_64/stable" in rendered + assert "flatpak --system install -y systemrepo org.system.App" in rendered + assert "snap install hello-world --channel=latest/stable --classic" in rendered + assert "snap install danger-snap --revision=42 --dangerous" in rendered + + pillar = _role_pillar_values(role) + assert pillar["flatpak_remotes"][0]["env"] == { + "HOME": "/home/alice", + "XDG_DATA_HOME": "/home/alice/.local/share", + } + assert pillar["flatpaks"][0]["user"] == "alice" + assert pillar["snaps"][0]["classic"] is True + assert pillar["snaps"][1]["dangerous"] is True + + +def test_salt_role_records_container_image_limitations() -> None: + role = SaltRole("container_images") + role.add_container_images_snapshot( + { + "images": [ + "not-a-dict", + {"engine": "containerd", "pull_ref": "example.invalid/app@sha256:abc"}, + { + "engine": "docker", + "repo_tags": ["example.invalid/app:latest"], + "pull_ref": "", + }, + ], + "notes": ["image capture note"], + } + ) + + assert role.container_images == [] + assert any("has no RepoDigest" in note for note in role.notes) + assert role.notes[-1] == "image capture note" + + +def test_salt_managed_content_notes_missing_artifacts_and_links( + tmp_path: Path, +) -> None: + bundle = tmp_path / "bundle" + role_files = tmp_path / "salt" / "states" / "roles" / "demo" / "files" + role = SaltRole("demo") + role.add_managed_content( + { + "managed_dirs": [ + { + "path": "/etc/demo", + "owner": "root", + "group": "root", + "mode": "0750", + } + ], + "managed_files": [ + {"path": "", "src_rel": "etc/ignored.conf"}, + {"path": "/etc/missing.conf", "src_rel": "etc/missing.conf"}, + ], + "managed_links": [ + {"path": "", "target": "/nowhere"}, + {"path": "/etc/demo/current", "target": "/opt/demo/current"}, + ], + }, + bundle_dir=str(bundle), + artifact_role="demo", + role_files_dir=role_files, + ) + + assert role.dirs["/etc/demo"]["mode"] == "0750" + assert role.links["/etc/demo/current"]["target"] == "/opt/demo/current" + assert any("Skipped /etc/missing.conf" in note for note in role.notes) + + +def test_salt_names_are_sanitised_for_target_reserved_words() -> None: + assert _salt_name("") == "role" + assert _salt_name("123") == "role_123" + assert _salt_name("top") == "role_top" + assert _salt_name("web-app") == "web_app" + + +def test_manifest_salt_static_escapes_harvested_jinja_delimiters(tmp_path: Path): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = _sample_state() + payload = "{{ salt['cmd.run']('touch /tmp/PWNED_BY_ENROLL_SALT') }}" + state["roles"]["users"]["users"][0]["gecos"] = payload + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt") + + users_sls = (out / "states" / "roles" / "users" / "init.sls").read_text( + encoding="utf-8" + ) + assert payload not in users_sls + assert "\\u007b\\u007b salt['cmd.run']" in users_sls + + calls = [] + + class FakeCmd: + def run(self, command): + calls.append(command) + return "EXECUTED" + + from jinja2 import Template + + rendered = Template(users_sls).render(salt={"cmd.run": FakeCmd().run}) + rendered_data = yaml.safe_load(rendered) + assert calls == [] + user_state = next( + state + for state in rendered_data.values() + if isinstance(state, dict) and "user.present" in state + ) + attrs = user_state["user.present"] + fullname = next(item["fullname"] for item in attrs if "fullname" in item) + assert fullname == payload + + +def test_manifest_salt_fqdn_escapes_harvested_jinja_delimiters_in_pillar( + tmp_path: Path, +): + bundle = tmp_path / "bundle" + out = tmp_path / "salt" + state = _sample_state() + payload = "{{ salt['cmd.run']('touch /tmp/PWNED_BY_ENROLL_SALT') }}" + state["roles"]["users"]["users"][0]["gecos"] = payload + _write_sample_artifacts(bundle) + _write_state(bundle, state) + + manifest.manifest(str(bundle), str(out), target="salt", fqdn="node.example") + + pillar_top = yaml.safe_load( + (out / "pillar" / "top.sls").read_text(encoding="utf-8") + ) + node_sls = pillar_top["base"]["node.example"][0] + pillar_path = out / "pillar" / Path(*node_sls.split(".")) + text = pillar_path.with_suffix(".sls").read_text(encoding="utf-8") + assert payload not in text + assert "\\u007b\\u007b salt['cmd.run']" in text + + calls = [] + + class FakeCmd: + def run(self, command): + calls.append(command) + return "EXECUTED" + + from jinja2 import Template + + rendered = Template(text).render(salt={"cmd.run": FakeCmd().run}) + rendered_data = yaml.safe_load(rendered) + assert calls == [] + assert ( + rendered_data["enroll"]["roles"]["users"]["users"]["alice"]["fullname"] + == payload + ) diff --git a/tests/test_manifest_symlinks.py b/tests/test_manifest_symlinks.py index 81c6fb7..b2a3af6 100644 --- a/tests/test_manifest_symlinks.py +++ b/tests/test_manifest_symlinks.py @@ -1,6 +1,7 @@ -import json from pathlib import Path +from state_helpers import write_schema_state + import enroll.manifest as manifest @@ -10,7 +11,20 @@ def test_manifest_emits_symlink_tasks_and_vars(tmp_path: Path): state = { "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"}, - "inventory": {"packages": {}}, + "inventory": { + "packages": { + "nginx": { + "version": "1.0", + "arches": ["amd64"], + "installations": [ + {"version": "1.0", "arch": "amd64", "section": "httpd"} + ], + "section": "httpd", + "observed_via": [{"kind": "systemd_unit", "ref": "nginx.service"}], + "roles": ["nginx"], + } + } + }, "roles": { "users": { "role_name": "users", @@ -79,18 +93,17 @@ def test_manifest_emits_symlink_tasks_and_vars(tmp_path: Path): bundle.mkdir(parents=True, exist_ok=True) (bundle / "artifacts").mkdir(parents=True, exist_ok=True) - (bundle / "state.json").write_text(json.dumps(state), encoding="utf-8") + write_schema_state(bundle, state) manifest.manifest(str(bundle), str(out)) - tasks = (out / "roles" / "nginx" / "tasks" / "main.yml").read_text(encoding="utf-8") + role_dir = out / "roles" / "httpd" + tasks = (role_dir / "tasks" / "main.yml").read_text(encoding="utf-8") assert "- name: Ensure managed symlinks exist" in tasks - assert 'loop: "{{ nginx_managed_links | default([]) }}"' in tasks + assert 'loop: "{{ httpd_managed_links | default([]) }}"' in tasks - defaults = (out / "roles" / "nginx" / "defaults" / "main.yml").read_text( - encoding="utf-8" - ) - # The role defaults should include the converted link mapping. - assert "nginx_managed_links:" in defaults + defaults = (role_dir / "defaults" / "main.yml").read_text(encoding="utf-8") + # The grouped role defaults should include the converted link mapping. + assert "httpd_managed_links:" in defaults assert "dest: /etc/nginx/sites-enabled/default" in defaults assert "src: ../sites-available/default" in defaults diff --git a/tests/test_misc_coverage.py b/tests/test_misc_coverage.py deleted file mode 100644 index 1ff6e98..0000000 --- a/tests/test_misc_coverage.py +++ /dev/null @@ -1,416 +0,0 @@ -from __future__ import annotations - -import json -import os -import stat -import subprocess -import sys -import types -from pathlib import Path -from types import SimpleNamespace - -import pytest - -from enroll.cache import _safe_component, new_harvest_cache_dir -from enroll.ignore import IgnorePolicy -from enroll.sopsutil import ( - SopsError, - _pgp_arg, - decrypt_file_binary_to, - encrypt_file_binary, -) - - -def test_safe_component_sanitizes_and_bounds_length(): - assert _safe_component(" ") == "unknown" - assert _safe_component("a/b c") == "a_b_c" - assert _safe_component("x" * 200) == "x" * 64 - - -def test_new_harvest_cache_dir_uses_xdg_cache_home(tmp_path: Path, monkeypatch): - monkeypatch.setenv("XDG_CACHE_HOME", str(tmp_path / "xdg")) - hc = new_harvest_cache_dir(hint="my host/01") - assert hc.dir.exists() - assert "my_host_01" in hc.dir.name - assert str(hc.dir).startswith(str(tmp_path / "xdg")) - # best-effort: ensure directory is not world-readable on typical FS - try: - mode = stat.S_IMODE(hc.dir.stat().st_mode) - assert mode & 0o077 == 0 - except OSError: - pass - - -def test_ignore_policy_denies_binary_and_sensitive_content(tmp_path: Path): - p_bin = tmp_path / "binfile" - p_bin.write_bytes(b"abc\x00def") - assert IgnorePolicy().deny_reason(str(p_bin)) == "binary_like" - - p_secret = tmp_path / "secret.conf" - p_secret.write_text("password=foo\n", encoding="utf-8") - assert IgnorePolicy().deny_reason(str(p_secret)) == "sensitive_content" - - # dangerous mode disables heuristic scanning (but still checks file-ness/size) - assert IgnorePolicy(dangerous=True).deny_reason(str(p_secret)) is None - - -def test_ignore_policy_denies_usr_local_shadow_by_glob(): - # This should short-circuit before stat() (path doesn't need to exist). - assert IgnorePolicy().deny_reason("/usr/local/etc/shadow") == "denied_path" - - -def test_sops_pgp_arg_and_encrypt_decrypt_roundtrip(tmp_path: Path, monkeypatch): - assert _pgp_arg([" ABC ", "DEF"]) == "ABC,DEF" - with pytest.raises(SopsError): - _pgp_arg([]) - - # Stub out sops and subprocess. - import enroll.sopsutil as s - - monkeypatch.setattr(s, "require_sops_cmd", lambda: "sops") - - class R: - def __init__(self, rc: int, out: bytes, err: bytes = b""): - self.returncode = rc - self.stdout = out - self.stderr = err - - calls = [] - - def fake_run(cmd, capture_output, check): - calls.append(cmd) - # Return a deterministic payload so we can assert file writes. - if "--encrypt" in cmd: - return R(0, b"ENCRYPTED") - if "--decrypt" in cmd: - return R(0, b"PLAINTEXT") - return R(1, b"", b"bad") - - monkeypatch.setattr(s.subprocess, "run", fake_run) - - src = tmp_path / "src.bin" - src.write_bytes(b"x") - enc = tmp_path / "out.sops" - dec = tmp_path / "out.bin" - - encrypt_file_binary(src, enc, pgp_fingerprints=["ABC"], mode=0o600) - assert enc.read_bytes() == b"ENCRYPTED" - - decrypt_file_binary_to(enc, dec, mode=0o644) - assert dec.read_bytes() == b"PLAINTEXT" - - # Sanity: we invoked encrypt and decrypt. - assert any("--encrypt" in c for c in calls) - assert any("--decrypt" in c for c in calls) - - -def test_cache_dir_defaults_to_home_cache(monkeypatch, tmp_path: Path): - # Ensure default path uses ~/.cache when XDG_CACHE_HOME is unset. - from enroll.cache import enroll_cache_dir - - monkeypatch.delenv("XDG_CACHE_HOME", raising=False) - monkeypatch.setattr(Path, "home", lambda: tmp_path) - - p = enroll_cache_dir() - assert str(p).startswith(str(tmp_path)) - assert p.name == "enroll" - - -def test_harvest_cache_state_json_property(tmp_path: Path): - from enroll.cache import HarvestCache - - hc = HarvestCache(tmp_path / "h1") - assert hc.state_json == hc.dir / "state.json" - - -def test_cache_dir_security_rejects_symlink(tmp_path: Path): - from enroll.cache import _ensure_dir_secure - - real = tmp_path / "real" - real.mkdir() - link = tmp_path / "link" - link.symlink_to(real, target_is_directory=True) - - with pytest.raises(RuntimeError, match="Refusing to use symlink"): - _ensure_dir_secure(link) - - -def test_cache_dir_chmod_failures_are_ignored(monkeypatch, tmp_path: Path): - from enroll import cache - - # Make the cache base path deterministic and writable. - monkeypatch.setattr(cache, "enroll_cache_dir", lambda: tmp_path) - - # Force os.chmod to fail to cover the "except OSError: pass" paths. - monkeypatch.setattr( - os, "chmod", lambda *a, **k: (_ for _ in ()).throw(OSError("nope")) - ) - - hc = cache.new_harvest_cache_dir() - assert hc.dir.exists() - assert hc.dir.is_dir() - - -def test_stat_triplet_falls_back_to_numeric_ids(monkeypatch, tmp_path: Path): - from enroll.fsutil import stat_triplet - import pwd - import grp - - p = tmp_path / "x" - p.write_text("x", encoding="utf-8") - - # Force username/group resolution failures. - monkeypatch.setattr( - pwd, "getpwuid", lambda _uid: (_ for _ in ()).throw(KeyError("no user")) - ) - monkeypatch.setattr( - grp, "getgrgid", lambda _gid: (_ for _ in ()).throw(KeyError("no group")) - ) - - owner, group, mode = stat_triplet(str(p)) - assert owner.isdigit() - assert group.isdigit() - assert len(mode) == 4 - - -def test_ignore_policy_iter_effective_lines_removes_block_comments(): - from enroll.ignore import IgnorePolicy - - pol = IgnorePolicy() - data = b"""keep1 -/* -drop me -*/ -keep2 -""" - assert list(pol.iter_effective_lines(data)) == [b"keep1", b"keep2"] - - -def test_ignore_policy_deny_reason_dir_variants(tmp_path: Path): - from enroll.ignore import IgnorePolicy - - pol = IgnorePolicy() - - # denied by glob - assert pol.deny_reason_dir("/etc/shadow") == "denied_path" - - # symlink rejected - d = tmp_path / "d" - d.mkdir() - link = tmp_path / "l" - link.symlink_to(d, target_is_directory=True) - assert pol.deny_reason_dir(str(link)) == "symlink" - - # not a directory - f = tmp_path / "f" - f.write_text("x", encoding="utf-8") - assert pol.deny_reason_dir(str(f)) == "not_directory" - - # ok - assert pol.deny_reason_dir(str(d)) is None - - -def test_run_jinjaturtle_parses_outputs(monkeypatch, tmp_path: Path): - # Fully unit-test enroll.jinjaturtle.run_jinjaturtle by stubbing subprocess.run. - from enroll.jinjaturtle import run_jinjaturtle - - def fake_run(cmd, **kwargs): # noqa: ARG001 - # cmd includes "-d -t