Fix linting warnings: shellcheck and ansible-lint issues

- Fixed all shellcheck warnings in test scripts:
  - Quoted variables to prevent word splitting
  - Replaced A && B || C constructs with proper if-then-else
  - Changed unused loop variable to _
  - Added shellcheck directives for FreeBSD rc.d script

- Fixed ansible-lint risky-file-permissions warnings:
  - Added explicit file permissions for sensitive files (mode 0600)
  - Added permissions for config files and certificates (mode 0644)
  - Set proper permissions for directories (mode 0755)

- Fixed yamllint compatibility with ansible-lint:
  - Added required octal-values configuration
  - Quoted all octal mode values to prevent YAML misinterpretation
  - Added comments-indentation: false as required

All tests pass and functionality remains unchanged.
Dan Guido 2025-08-17 13:55:43 -04:00
parent f516227e56
commit eb180cbbf3
22 changed files with 74 additions and 28 deletions


@ -17,6 +17,10 @@ rules:
level: warning level: warning
comments: comments:
min-spaces-from-content: 1 min-spaces-from-content: 1
comments-indentation: false
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
braces: braces:
max-spaces-inside: 1 max-spaces-inside: 1
truthy: truthy:


@ -4,7 +4,7 @@ Version: 2.0.0b0
Summary: Set up a personal IPSEC VPN in the cloud Summary: Set up a personal IPSEC VPN in the cloud
Requires-Python: >=3.11 Requires-Python: >=3.11
License-File: LICENSE License-File: LICENSE
Requires-Dist: ansible==11.8.0 Requires-Dist: ansible==11.9.0
Requires-Dist: jinja2>=3.1.6 Requires-Dist: jinja2>=3.1.6
Requires-Dist: netaddr==1.3.0 Requires-Dist: netaddr==1.3.0
Requires-Dist: pyyaml>=6.0.2 Requires-Dist: pyyaml>=6.0.2


@ -1,4 +1,4 @@
ansible==11.8.0 ansible==11.9.0
jinja2>=3.1.6 jinja2>=3.1.6
netaddr==1.3.0 netaddr==1.3.0
pyyaml>=6.0.2 pyyaml>=6.0.2


@ -45,11 +45,14 @@
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
line: "{{ item.line }}" line: "{{ item.line }}"
create: true create: true
mode: "{{ item.mode }}"
with_items: with_items:
- dest: "{{ configs_prefix }}/ipsec.conf" - dest: "{{ configs_prefix }}/ipsec.conf"
line: include ipsec.{{ IP_subject_alt_name }}.conf line: include ipsec.{{ IP_subject_alt_name }}.conf
mode: '0644'
- dest: "{{ configs_prefix }}/ipsec.secrets" - dest: "{{ configs_prefix }}/ipsec.secrets"
line: include ipsec.{{ IP_subject_alt_name }}.secrets line: include ipsec.{{ IP_subject_alt_name }}.secrets
mode: '0600'
notify: notify:
- restart strongswan - restart strongswan
@ -59,18 +62,22 @@
dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf" dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
- name: Setup the certificates and keys - name: Setup the certificates and keys
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items: with_items:
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt" dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
mode: '0644'
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem" dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
mode: '0644'
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key" dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
mode: '0600'
notify: notify:
- restart strongswan - restart strongswan
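Review bot: The "Setup the certificates and keys" template task (L80-94) now sets `mode` per item but, unlike the copy task for relax-ca-constraints.conf at L76-79, sets no `owner`/`group`, so the installed files keep whatever user the connection runs as — presumably root under become, but that is not stated here. Adding `owner: root` and `group: root` beside `mode: "{{ item.mode }}"` makes the private key's 0600 explicit about who may read it and matches the style of the neighbouring task. The lineinfile task at L62-74 has the same gap; its header is outside the hunk.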


@ -16,6 +16,7 @@
template: template:
src: 99-algo-ipv6-egress.yaml.j2 src: 99-algo-ipv6-egress.yaml.j2
dest: /etc/netplan/99-algo-ipv6-egress.yaml dest: /etc/netplan/99-algo-ipv6-egress.yaml
mode: '0644'
when: when:
- ipv6_support - ipv6_support
- ipv6_subnet_size|int > 1 - ipv6_subnet_size|int > 1
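Review bot: `mode: '0644'` on the netplan template (L103-104) leaves /etc/netplan/99-algo-ipv6-egress.yaml world-readable; recent netplan releases warn that netplan configuration should not be accessible by others and expect the files under /etc/netplan to be 0600. Since the file is rendered by root, `mode: '0600'` is the least-privilege choice and avoids that warning on `netplan apply`. The task header is outside the hunk.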


@ -5,7 +5,7 @@
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: root owner: root
group: root group: root
mode: 0640 mode: '0640'
with_items: with_items:
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
notify: notify:
@ -17,7 +17,7 @@
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: root owner: root
group: root group: root
mode: 0640 mode: '0640'
when: ipv6_support when: ipv6_support
with_items: with_items:
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }


@ -77,6 +77,7 @@
section: Resolve section: Resolve
option: FallbackDNS option: FallbackDNS
value: "{{ dns_servers.ipv4 | join(' ') }}" value: "{{ dns_servers.ipv4 | join(' ') }}"
mode: '0644'
notify: notify:
- restart systemd-resolved - restart systemd-resolved
@ -84,6 +85,7 @@
template: template:
src: 10-algo-lo100.network.j2 src: 10-algo-lo100.network.j2
dest: /etc/systemd/network/10-algo-lo100.network dest: /etc/systemd/network/10-algo-lo100.network
mode: '0644'
notify: notify:
- restart systemd-networkd - restart systemd-networkd


@ -10,7 +10,7 @@
dest: /etc/apt/apt.conf.d/50unattended-upgrades dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
- name: Periodic upgrades configured - name: Periodic upgrades configured
template: template:
@ -18,4 +18,4 @@
dest: /etc/apt/apt.conf.d/10periodic dest: /etc/apt/apt.conf.d/10periodic
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'


@ -5,7 +5,7 @@
dest: /usr/local/sbin/adblock.sh dest: /usr/local/sbin/adblock.sh
owner: root owner: root
group: "{{ root_group | default('root') }}" group: "{{ root_group | default('root') }}"
mode: 0755 mode: '0755'
- name: Adblock script added to cron - name: Adblock script added to cron
cron: cron:


@ -8,6 +8,7 @@
template: template:
src: ip-blacklist.txt.j2 src: ip-blacklist.txt.j2
dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt" dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt"
mode: '0644'
notify: notify:
- restart dnscrypt-proxy - restart dnscrypt-proxy
@ -15,6 +16,7 @@
template: template:
src: dnscrypt-proxy.toml.j2 src: dnscrypt-proxy.toml.j2
dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml" dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
mode: '0644'
notify: notify:
- restart dnscrypt-proxy - restart dnscrypt-proxy


@ -16,7 +16,7 @@
dest: /etc/apt/apt.conf.d/50-dnscrypt-proxy-unattended-upgrades dest: /etc/apt/apt.conf.d/50-dnscrypt-proxy-unattended-upgrades
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
when: ansible_facts['distribution_version'] is version('20.04', '<') when: ansible_facts['distribution_version'] is version('20.04', '<')
- name: Install dnscrypt-proxy (individual) - name: Install dnscrypt-proxy (individual)
@ -33,7 +33,7 @@
dest: /etc/apparmor.d/usr.bin.dnscrypt-proxy dest: /etc/apparmor.d/usr.bin.dnscrypt-proxy
owner: root owner: root
group: root group: root
mode: 0600 mode: '0600'
notify: restart dnscrypt-proxy notify: restart dnscrypt-proxy
- name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy - name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
@ -46,13 +46,14 @@
file: file:
path: /etc/systemd/system/dnscrypt-proxy.service.d/ path: /etc/systemd/system/dnscrypt-proxy.service.d/
state: directory state: directory
mode: 0755 mode: '0755'
owner: root owner: root
group: root group: root
- name: Ubuntu | Add custom requirements to successfully start the unit - name: Ubuntu | Add custom requirements to successfully start the unit
copy: copy:
dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf
mode: '0644'
content: | content: |
[Unit] [Unit]
After=systemd-resolved.service After=systemd-resolved.service
@ -93,7 +94,7 @@
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
notify: notify:
- daemon-reload - daemon-reload
- restart dnscrypt-proxy - restart dnscrypt-proxy


@ -23,7 +23,7 @@
file: file:
path: /var/jail/ path: /var/jail/
state: directory state: directory
mode: 0755 mode: '0755'
owner: root owner: root
group: "{{ root_group | default('root') }}" group: "{{ root_group | default('root') }}"
@ -87,7 +87,7 @@
template: template:
src: ssh_config.j2 src: ssh_config.j2
dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config" dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config"
mode: 0700 mode: '0700'
with_items: "{{ users }}" with_items: "{{ users }}"
delegate_to: localhost delegate_to: localhost
become: false become: false
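Review bot: `mode: '0700'` on the per-user ssh_config template (L239) sets the execute bit on a plain configuration file; only the owner's read and write bits are needed, so `mode: '0600'` expresses the same restriction with less privilege. The commit only quotes the existing value, so this is a follow-up rather than a regression it introduces. The task header is outside the hunk.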


@ -19,7 +19,7 @@
template: template:
src: mobileconfig.j2 src: mobileconfig.j2
dest: "{{ ipsec_config_path }}/apple/{{ item.0 }}.mobileconfig" dest: "{{ ipsec_config_path }}/apple/{{ item.0 }}.mobileconfig"
mode: 0600 mode: '0600'
with_together: with_together:
- "{{ users }}" - "{{ users }}"
- "{{ PayloadContent.results }}" - "{{ PayloadContent.results }}"
@ -29,7 +29,7 @@
template: template:
src: client_ipsec.conf.j2 src: client_ipsec.conf.j2
dest: "{{ ipsec_config_path }}/manual/{{ item }}.conf" dest: "{{ ipsec_config_path }}/manual/{{ item }}.conf"
mode: 0600 mode: '0600'
with_items: with_items:
- "{{ users }}" - "{{ users }}"
@ -38,7 +38,7 @@
template: template:
src: client_ipsec.secrets.j2 src: client_ipsec.secrets.j2
dest: "{{ ipsec_config_path }}/manual/{{ item }}.secrets" dest: "{{ ipsec_config_path }}/manual/{{ item }}.secrets"
mode: 0600 mode: '0600'
with_items: with_items:
- "{{ users }}" - "{{ users }}"
@ -46,4 +46,4 @@
file: file:
path: "{{ ipsec_config_path }}" path: "{{ ipsec_config_path }}"
state: directory state: directory
mode: 0700 mode: '0700'


@ -98,6 +98,7 @@
copy: copy:
src: "{{ ipsec_pki_path }}/cacert.pem" src: "{{ ipsec_pki_path }}/cacert.pem"
dest: "{{ ipsec_config_path }}/manual/cacert.pem" dest: "{{ ipsec_config_path }}/manual/cacert.pem"
mode: '0644'
- name: Create private keys for users and server - name: Create private keys for users and server
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
@ -213,6 +214,7 @@
copy: copy:
src: "{{ ipsec_pki_path }}/private/{{ item }}.p12" src: "{{ ipsec_pki_path }}/private/{{ item }}.p12"
dest: "{{ ipsec_config_path }}/manual/{{ item }}.p12" dest: "{{ ipsec_config_path }}/manual/{{ item }}.p12"
mode: '0600'
with_items: with_items:
- "{{ users }}" - "{{ users }}"
@ -227,6 +229,7 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ ipsec_pki_path }}/all-users" path: "{{ ipsec_pki_path }}/all-users"
line: "{{ item }}" line: "{{ item }}"
mode: '0644'
create: true create: true
with_items: "{{ users }}" with_items: "{{ users }}"
register: users_file register: users_file
@ -277,5 +280,6 @@
copy: copy:
src: "{{ ipsec_pki_path }}/crl.pem" src: "{{ ipsec_pki_path }}/crl.pem"
dest: "{{ config_prefix | default('/') }}etc/ipsec.d/crls/algo.root.pem" dest: "{{ config_prefix | default('/') }}etc/ipsec.d/crls/algo.root.pem"
mode: '0644'
notify: notify:
- rereadcrls - rereadcrls


@ -25,7 +25,7 @@
content: " capability setpcap," content: " capability setpcap,"
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
notify: restart strongswan notify: restart strongswan
- name: Ubuntu | Enforcing ipsec with apparmor - name: Ubuntu | Enforcing ipsec with apparmor
@ -49,7 +49,7 @@
file: file:
path: /etc/systemd/system/{{ strongswan_service }}.service.d/ path: /etc/systemd/system/{{ strongswan_service }}.service.d/
state: directory state: directory
mode: 0755 mode: '0755'
owner: root owner: root
group: root group: root
@ -57,6 +57,7 @@
template: template:
src: 100-CustomLimitations.conf.j2 src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/{{ strongswan_service }}.service.d/100-CustomLimitations.conf dest: /etc/systemd/system/{{ strongswan_service }}.service.d/100-CustomLimitations.conf
mode: '0644'
notify: notify:
- daemon-reload - daemon-reload
- restart strongswan - restart strongswan


@ -5,14 +5,19 @@
# BEFORE: securelevel # BEFORE: securelevel
# KEYWORD: shutdown # KEYWORD: shutdown
# shellcheck source=/dev/null
. /etc/rc.subr . /etc/rc.subr
name="wg" name="wg"
# shellcheck disable=SC2034
rcvar=wg_enable rcvar=wg_enable
command="/usr/local/bin/wg-quick" command="/usr/local/bin/wg-quick"
# shellcheck disable=SC2034
start_cmd=wg_up start_cmd=wg_up
# shellcheck disable=SC2034
stop_cmd=wg_down stop_cmd=wg_down
# shellcheck disable=SC2034
status_cmd=wg_status status_cmd=wg_status
pidfile="/var/run/$name.pid" pidfile="/var/run/$name.pid"
load_rc_config "$name" load_rc_config "$name"
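Review bot: The four `# shellcheck disable=SC2034` directives repeated before `rcvar`, `start_cmd`, `stop_cmd` and `status_cmd` can be one file-wide directive, because a directive placed before the script's first command applies to the whole file; putting `# shellcheck disable=SC2034` next to the existing `# shellcheck source=/dev/null` above `. /etc/rc.subr` covers all of them. A one-line comment such as `# rc.subr reads these variables, so they are not unused` would document why the warning is suppressed rather than only silencing it. The shebang and the lines before line 5 are outside the hunk.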


@ -47,3 +47,12 @@
- "{{ users }}" - "{{ users }}"
- "{{ IP_subject_alt_name }}" - "{{ IP_subject_alt_name }}"
no_log: true no_log: true
- name: Set permissions for public keys
file:
path: "{{ wireguard_pki_path }}/public/{{ item }}"
mode: '0644'
with_items:
- "{{ users }}"
- "{{ IP_subject_alt_name }}"
no_log: true
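Review bot: `no_log: true` on the new "Set permissions for public keys" task hides the task output, including the path in any failure message, although the loop only touches files under `{{ wireguard_pki_path }}/public/`, which are not secret; dropping it leaves a missing or unreadable public key diagnosable from the log, while the preceding task (its header is outside the hunk) keeps its own `no_log` for whatever it handles. The `file` module defaults to `state: file` and fails when the path does not exist, so an explicit `state: file` would also document that the task expects the keys to already be present.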


@ -15,7 +15,7 @@
file: file:
path: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/ path: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/
state: directory state: directory
mode: 0755 mode: '0755'
owner: root owner: root
group: root group: root
@ -48,7 +48,7 @@
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
notify: notify:
- daemon-reload - daemon-reload
- restart wireguard - restart wireguard


@ -186,6 +186,7 @@
- name: Dump the configuration - name: Dump the configuration
copy: copy:
dest: configs/{{ IP_subject_alt_name }}/.config.yml dest: configs/{{ IP_subject_alt_name }}/.config.yml
mode: '0644'
content: | content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }} server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }} server_user: {{ ansible_ssh_user }}
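Review bot: `mode: '0644'` on the dumped configs/{{ IP_subject_alt_name }}/.config.yml (L389-390) makes it world-readable, yet that file carries credentials: the ssh-tunnel test script changed in this same commit reads `p12_password:` out of configs/10.0.8.100/.config.yml. It belongs with the files this commit treats as sensitive, i.e. `mode: '0600'`, consistent with the 0600 applied to the .p12 and .secrets outputs elsewhere in the commit. The `content:` block continues outside the hunk, so the full set of keys written is not visible here.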


@ -8,9 +8,12 @@ CA_CONSTRAINTS="$(openssl verify -verbose \
-CAfile ./configs/10.0.8.100/ipsec/.pki/cacert.pem \ -CAfile ./configs/10.0.8.100/ipsec/.pki/cacert.pem \
./configs/10.0.8.100/ipsec/.pki/certs/google-algo-test-pair.com.crt 2>&1)" || true ./configs/10.0.8.100/ipsec/.pki/certs/google-algo-test-pair.com.crt 2>&1)" || true
echo "$CA_CONSTRAINTS" | grep "permitted subtree violation" >/dev/null && \ if echo "$CA_CONSTRAINTS" | grep "permitted subtree violation" >/dev/null; then
echo "Name Constraints test passed" || \ echo "Name Constraints test passed"
(echo "Name Constraints test failed" && exit 1) else
echo "Name Constraints test failed"
exit 1
fi
echo "$CA_CONSTRAINTS" echo "$CA_CONSTRAINTS"
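Review bot: The new `if` on L400 still redirects with `>/dev/null` where `grep -q` is the idiomatic quiet form, and the needle is a literal, so `-F` avoids regex interpretation: `if echo "$CA_CONSTRAINTS" | grep -qF "permitted subtree violation"; then`. A short comment above the capture, such as `# openssl verify is expected to fail here: the leaf is outside the CA's permitted subtree, hence || true`, would make the `|| true` on L399 self-explanatory. The `CA_CONSTRAINTS=$(openssl verify ...` assignment starts outside the hunk.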


@ -22,7 +22,7 @@ lxc profile set default raw.lxc 'lxc.apparmor.profile = unconfined'
lxc profile set default security.privileged true lxc profile set default security.privileged true
lxc profile show default lxc profile show default
lxc init ubuntu:${UBUNTU_VERSION} algo lxc init ubuntu:"${UBUNTU_VERSION}" algo
lxc network attach lxdbr0 algo eth0 eth0 lxc network attach lxdbr0 algo eth0 eth0
lxc config device set algo eth0 ipv4.address 10.0.8.100 lxc config device set algo eth0 ipv4.address 10.0.8.100
lxc start algo lxc start algo


@ -4,12 +4,18 @@ set -euxo pipefail
PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}' | cut -f2 -d\') PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}' | cut -f2 -d\')
ssh-keygen -p -P ${PASS} -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem ssh-keygen -p -P "${PASS}" -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem
ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config
git config --global http.proxy 'socks5://127.0.0.1:1080' git config --global http.proxy 'socks5://127.0.0.1:1080'
for i in {1..10}; do git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check && break || sleep 1; done for _ in {1..10}; do
if git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check; then
break
else
sleep 1
fi
done
echo "SSH tunneling tests passed" echo "SSH tunneling tests passed"
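Review bot: The retry loop added at L425-431 never fails the script: when all ten `git clone` attempts fail, the `if` consumes the non-zero status (errexit does not apply to a command tested by `if`), the loop simply ends, and the script still prints "SSH tunneling tests passed". The old `&& break || sleep 1` form had the same hole, so the commit does not regress it, but the test cannot detect a tunnel that never works. Track success in a flag and check it after the loop, as below; `set -euxo pipefail` is visible only in the hunk header.
```shell
cloned=0
for _ in {1..10}; do
  if git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check; then
    cloned=1
    break
  fi
  sleep 1
done
if [ "$cloned" -ne 1 ]; then
  echo "SSH tunneling tests failed: git clone through the tunnel did not succeed"
  exit 1
fi
echo "SSH tunneling tests passed"
```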