Fix linting warnings: shellcheck and ansible-lint issues

- Fixed all shellcheck warnings in test scripts:
  - Quoted variables to prevent word splitting
  - Replaced A && B || C constructs with proper if-then-else
  - Changed unused loop variable to _
  - Added shellcheck directives for FreeBSD rc.d script

- Fixed ansible-lint risky-file-permissions warnings:
  - Added explicit file permissions for sensitive files (mode 0600)
  - Added permissions for config files and certificates (mode 0644)
  - Set proper permissions for directories (mode 0755)

- Fixed yamllint compatibility with ansible-lint:
  - Added required octal-values configuration
  - Quoted all octal mode values to prevent YAML misinterpretation
  - Added comments-indentation: false as required

All tests pass and functionality remains unchanged.
Dan Guido 2025-08-17 13:55:43 -04:00
parent f516227e56
commit eb180cbbf3
22 changed files with 74 additions and 28 deletions


@ -17,6 +17,10 @@ rules:
level: warning
comments:
min-spaces-from-content: 1
comments-indentation: false
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
braces:
max-spaces-inside: 1
truthy:


@ -4,7 +4,7 @@ Version: 2.0.0b0
Summary: Set up a personal IPSEC VPN in the cloud
Requires-Python: >=3.11
License-File: LICENSE
Requires-Dist: ansible==11.8.0
Requires-Dist: ansible==11.9.0
Requires-Dist: jinja2>=3.1.6
Requires-Dist: netaddr==1.3.0
Requires-Dist: pyyaml>=6.0.2


@ -1,4 +1,4 @@
ansible==11.8.0
ansible==11.9.0
jinja2>=3.1.6
netaddr==1.3.0
pyyaml>=6.0.2


@ -45,11 +45,14 @@
dest: "{{ item.dest }}"
line: "{{ item.line }}"
create: true
mode: "{{ item.mode }}"
with_items:
- dest: "{{ configs_prefix }}/ipsec.conf"
line: include ipsec.{{ IP_subject_alt_name }}.conf
mode: '0644'
- dest: "{{ configs_prefix }}/ipsec.secrets"
line: include ipsec.{{ IP_subject_alt_name }}.secrets
mode: '0600'
notify:
- restart strongswan
@ -59,18 +62,22 @@
dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
owner: root
group: root
mode: 0644
mode: '0644'
- name: Setup the certificates and keys
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items:
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
mode: '0644'
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
mode: '0644'
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
mode: '0600'
notify:
- restart strongswan
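Review bot: The `Setup the certificates and keys` template task at the top of the second hunk sets only `mode` per item, whereas the `relax-ca-constraints.conf` task directly above it pins `owner: root` and `group: root`; for the `{{ vpn_user }}.key` item with `mode: '0600'` the owner is what decides who can read the key, so it is worth stating explicitly rather than relying on the play's become user. Adding `owner: root` and `group: root` to that template call keeps the two tasks consistent. The lineinfile task in the first hunk starts before the hunk, and the same consideration applies to its `ipsec.secrets` item.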


@ -16,6 +16,7 @@
template:
src: 99-algo-ipv6-egress.yaml.j2
dest: /etc/netplan/99-algo-ipv6-egress.yaml
mode: '0644'
when:
- ipv6_support
- ipv6_subnet_size|int > 1
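Review bot: `mode: '0644'` on `/etc/netplan/99-algo-ipv6-egress.yaml` leaves the netplan file world-readable, which recent netplan versions report as a "too open" permissions warning since netplan files can carry credentials; `mode: '0600'` is what the tool expects. The template rendered here appears to hold only IPv6 egress routing, so this is about matching the tool's expectation rather than an immediate disclosure. The task starts before the hunk.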


@ -5,7 +5,7 @@
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0640
mode: '0640'
with_items:
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
notify:
@ -17,7 +17,7 @@
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0640
mode: '0640'
when: ipv6_support
with_items:
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }


@ -77,6 +77,7 @@
section: Resolve
option: FallbackDNS
value: "{{ dns_servers.ipv4 | join(' ') }}"
mode: '0644'
notify:
- restart systemd-resolved
@ -84,6 +85,7 @@
template:
src: 10-algo-lo100.network.j2
dest: /etc/systemd/network/10-algo-lo100.network
mode: '0644'
notify:
- restart systemd-networkd


@ -10,7 +10,7 @@
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: 0644
mode: '0644'
- name: Periodic upgrades configured
template:
@ -18,4 +18,4 @@
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: 0644
mode: '0644'


@ -5,7 +5,7 @@
dest: /usr/local/sbin/adblock.sh
owner: root
group: "{{ root_group | default('root') }}"
mode: 0755
mode: '0755'
- name: Adblock script added to cron
cron:


@ -8,6 +8,7 @@
template:
src: ip-blacklist.txt.j2
dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt"
mode: '0644'
notify:
- restart dnscrypt-proxy
@ -15,6 +16,7 @@
template:
src: dnscrypt-proxy.toml.j2
dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
mode: '0644'
notify:
- restart dnscrypt-proxy


@ -16,7 +16,7 @@
dest: /etc/apt/apt.conf.d/50-dnscrypt-proxy-unattended-upgrades
owner: root
group: root
mode: 0644
mode: '0644'
when: ansible_facts['distribution_version'] is version('20.04', '<')
- name: Install dnscrypt-proxy (individual)
@ -33,7 +33,7 @@
dest: /etc/apparmor.d/usr.bin.dnscrypt-proxy
owner: root
group: root
mode: 0600
mode: '0600'
notify: restart dnscrypt-proxy
- name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
@ -46,13 +46,14 @@
file:
path: /etc/systemd/system/dnscrypt-proxy.service.d/
state: directory
mode: 0755
mode: '0755'
owner: root
group: root
- name: Ubuntu | Add custom requirements to successfully start the unit
copy:
dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf
mode: '0644'
content: |
[Unit]
After=systemd-resolved.service
@ -93,7 +94,7 @@
SystemCallErrorNumber=EPERM
owner: root
group: root
mode: 0644
mode: '0644'
notify:
- daemon-reload
- restart dnscrypt-proxy


@ -23,7 +23,7 @@
file:
path: /var/jail/
state: directory
mode: 0755
mode: '0755'
owner: root
group: "{{ root_group | default('root') }}"
@ -87,7 +87,7 @@
template:
src: ssh_config.j2
dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config"
mode: 0700
mode: '0700'
with_items: "{{ users }}"
delegate_to: localhost
become: false
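Review bot: `mode: '0700'` in the second hunk sets the execute bit on a generated `ssh_config`, which is a data file rather than a script; `mode: '0600'` gives the same confidentiality without a permission that has no meaning on a config file. The directory task in the first hunk correctly uses `'0755'` for `/var/jail/`, so only the file mode needs attention. The template task starts before the hunk.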


@ -19,7 +19,7 @@
template:
src: mobileconfig.j2
dest: "{{ ipsec_config_path }}/apple/{{ item.0 }}.mobileconfig"
mode: 0600
mode: '0600'
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
@ -29,7 +29,7 @@
template:
src: client_ipsec.conf.j2
dest: "{{ ipsec_config_path }}/manual/{{ item }}.conf"
mode: 0600
mode: '0600'
with_items:
- "{{ users }}"
@ -38,7 +38,7 @@
template:
src: client_ipsec.secrets.j2
dest: "{{ ipsec_config_path }}/manual/{{ item }}.secrets"
mode: 0600
mode: '0600'
with_items:
- "{{ users }}"
@ -46,4 +46,4 @@
file:
path: "{{ ipsec_config_path }}"
state: directory
mode: 0700
mode: '0700'


@ -98,6 +98,7 @@
copy:
src: "{{ ipsec_pki_path }}/cacert.pem"
dest: "{{ ipsec_config_path }}/manual/cacert.pem"
mode: '0644'
- name: Create private keys for users and server
community.crypto.openssl_privatekey:
@ -213,6 +214,7 @@
copy:
src: "{{ ipsec_pki_path }}/private/{{ item }}.p12"
dest: "{{ ipsec_config_path }}/manual/{{ item }}.p12"
mode: '0600'
with_items:
- "{{ users }}"
@ -227,6 +229,7 @@
ansible.builtin.lineinfile:
path: "{{ ipsec_pki_path }}/all-users"
line: "{{ item }}"
mode: '0644'
create: true
with_items: "{{ users }}"
register: users_file
@ -277,5 +280,6 @@
copy:
src: "{{ ipsec_pki_path }}/crl.pem"
dest: "{{ config_prefix | default('/') }}etc/ipsec.d/crls/algo.root.pem"
mode: '0644'
notify:
- rereadcrls


@ -25,7 +25,7 @@
content: " capability setpcap,"
owner: root
group: root
mode: 0644
mode: '0644'
notify: restart strongswan
- name: Ubuntu | Enforcing ipsec with apparmor
@ -49,7 +49,7 @@
file:
path: /etc/systemd/system/{{ strongswan_service }}.service.d/
state: directory
mode: 0755
mode: '0755'
owner: root
group: root
@ -57,6 +57,7 @@
template:
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/{{ strongswan_service }}.service.d/100-CustomLimitations.conf
mode: '0644'
notify:
- daemon-reload
- restart strongswan


@ -5,14 +5,19 @@
# BEFORE: securelevel
# KEYWORD: shutdown
# shellcheck source=/dev/null
. /etc/rc.subr
name="wg"
# shellcheck disable=SC2034
rcvar=wg_enable
command="/usr/local/bin/wg-quick"
# shellcheck disable=SC2034
start_cmd=wg_up
# shellcheck disable=SC2034
stop_cmd=wg_down
# shellcheck disable=SC2034
status_cmd=wg_status
pidfile="/var/run/$name.pid"
load_rc_config "$name"
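Review bot: The four per-line `# shellcheck disable=SC2034` directives could be one: shellcheck applies a directive placed before the first command to the whole file, so if the lines above this hunk are only the rc.d header comments as they appear to be, a single `# shellcheck disable=SC2034` placed next to the existing `source=/dev/null` directive ahead of `. /etc/rc.subr` would cover `rcvar`, `start_cmd`, `stop_cmd` and `status_cmd` together. The per-line form is valid, just noisier in a script where those variables are read by `rc.subr` by convention. The rest of the script is outside the hunk.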


@ -47,3 +47,12 @@
- "{{ users }}"
- "{{ IP_subject_alt_name }}"
no_log: true
- name: Set permissions for public keys
file:
path: "{{ wireguard_pki_path }}/public/{{ item }}"
mode: '0644'
with_items:
- "{{ users }}"
- "{{ IP_subject_alt_name }}"
no_log: true
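Review bot: `no_log: true` on the new `Set permissions for public keys` task suppresses the task output even though the files under `{{ wireguard_pki_path }}/public/` are public keys, so a failure to set the mode will be reported without path or error detail; it looks copied from the private-key task above. If the intent is to keep the usernames in the loop out of the log, a comment such as `# no_log: paths contain usernames` would stop a later reader from removing it, otherwise dropping the key is the better default for debugging. The task also relies on the module's default `state: file`, which fails if a public key is missing; that is a reasonable guard, but writing `state: file` makes it deliberate. The preceding private-key task starts before the hunk.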


@ -15,7 +15,7 @@
file:
path: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/
state: directory
mode: 0755
mode: '0755'
owner: root
group: root
@ -48,7 +48,7 @@
SystemCallErrorNumber=EPERM
owner: root
group: root
mode: 0644
mode: '0644'
notify:
- daemon-reload
- restart wireguard


@ -186,6 +186,7 @@
- name: Dump the configuration
copy:
dest: configs/{{ IP_subject_alt_name }}/.config.yml
mode: '0644'
content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }}
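Review bot: `mode: '0644'` makes the dumped `.config.yml` world-readable on the controller, yet the same file is where a test script later in this commit reads the p12 password from (`grep ^p12_password: configs/10.0.8.100/.config.yml`), so a credential is being written with open permissions; `mode: '0600'` is the right value here, matching what the commit chose for the other files it treats as sensitive. The rest of the `content:` block is outside the hunk, so any further keys it carries cannot be checked from this view.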


@ -8,9 +8,12 @@ CA_CONSTRAINTS="$(openssl verify -verbose \
-CAfile ./configs/10.0.8.100/ipsec/.pki/cacert.pem \
./configs/10.0.8.100/ipsec/.pki/certs/google-algo-test-pair.com.crt 2>&1)" || true
echo "$CA_CONSTRAINTS" | grep "permitted subtree violation" >/dev/null && \
echo "Name Constraints test passed" || \
(echo "Name Constraints test failed" && exit 1)
if echo "$CA_CONSTRAINTS" | grep "permitted subtree violation" >/dev/null; then
echo "Name Constraints test passed"
else
echo "Name Constraints test failed"
exit 1
fi
echo "$CA_CONSTRAINTS"


@ -22,7 +22,7 @@ lxc profile set default raw.lxc 'lxc.apparmor.profile = unconfined'
lxc profile set default security.privileged true
lxc profile show default
lxc init ubuntu:${UBUNTU_VERSION} algo
lxc init ubuntu:"${UBUNTU_VERSION}" algo
lxc network attach lxdbr0 algo eth0 eth0
lxc config device set algo eth0 ipv4.address 10.0.8.100
lxc start algo


@ -4,12 +4,18 @@ set -euxo pipefail
PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}' | cut -f2 -d\')
ssh-keygen -p -P ${PASS} -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem
ssh-keygen -p -P "${PASS}" -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem
ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config
git config --global http.proxy 'socks5://127.0.0.1:1080'
for i in {1..10}; do git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check && break || sleep 1; done
for _ in {1..10}; do
if git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check; then
break
else
sleep 1
fi
done
echo "SSH tunneling tests passed"
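Review bot: The rewritten retry loop never reports failure: if all ten `git clone` attempts fail, `break` is never reached, the loop simply ends, and the script goes on to print `SSH tunneling tests passed` and exit 0, so a broken tunnel passes the test. A flag set on success and checked after the loop fixes that. Separately, `set -euxo pipefail` at the top of the file means the `ssh-keygen -p -P "${PASS}"` line is echoed with the password into the CI log; wrapping that one line in `set +x` / `set -x` keeps the trace for everything else.
```shell
cloned=false
for _ in {1..10}; do
  if git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check; then
    cloned=true
    break
  fi
  sleep 1
done
if [ "$cloned" != true ]; then
  echo "SSH tunneling test failed: git clone through the SOCKS proxy did not succeed"
  exit 1
fi
echo "SSH tunneling tests passed"
```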