diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml new file mode 100644 index 000000000..7605dd8b7 --- /dev/null +++ b/roles/0-init/tasks/validate_vars.yml @@ -0,0 +1,117 @@ +# 2020-01-21: Ansible Input Validation (basic sanity checking for now) to check +# that /etc/iiab/local_vars.yml *_install and *_enabled variables appear +# coherent (i.e. defined, have type boolean & with plausible values!) Stricter +# validation is needed when roles/playbooks/tasks are later invoked. Risks +# abound, but Ansible's inverting logic when boolean vars are accidentally +# declared as strings is especially dangerous, so it's the main focus below. + +# "Ansible 2.8+ ADVISORY: avoid warnings by using 'when: var | bool' for +# top-level BARE vars (in case they're strings, instead of boolean)" +# https://github.com/iiab/iiab/issues/1632 + +# "How Exactly Does Ansible Parse Boolean Variables?" +# https://stackoverflow.com/questions/47877464/how-exactly-does-ansible-parse-boolean-variables/47877502#47877502 +# ...is very helpful but has it slightly wrong, as Ansible implements only ~18 +# of YAML's 22 definitions of boolean (https://yaml.org/type/bool.html). +# i.e. Ansible fails to implement y|Y|n|N, only allowing ~18 boolean values: +# +# yes|Yes|YES|no|No|NO +# |true|True|TRUE|false|False|FALSE +# |on|On|ON|off|Off|OFF +# +# Otherwise 'var != (var | bool)' is dangerously common, e.g. (1) when a var +# is not one of the above ~18 words (forcing it to become a string) or (2) when +# a var is accidentally set using quotes (forcing it to become a string) these +# ~18 words too WILL FAIL as strings (as will any non-empty string...so beware +# casting strings to boolean later on...can make the situation worse!) +# https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.8.html#bare-variables-in-conditionals + +# "How do i fail a task in Ansible if the variable contains a boolean value? +# I want to perform input validation for Ansible playbooks" +# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 + +- name: Set vars_checklist for 46 + 46 vars ("XYZ_install" + "XYZ_enabled") to be checked + set_fact: + vars_checklist: + - hostapd + - dhcpd + - named + - dnsmasq + - captiveportal + - bluetooth + - wondershaper + - sshd + - openvpn + - nginx + - apache + - mysql + - squid + - dansguardian + - postgresql + - cups + - samba + - idmgr + - azuracast + - dokuwiki + - ejabberd + - elgg + - gitea + - lokole + - mediawiki + - mosquitto + - nodered + - nextcloud + - pbx + - wordpress + - kalite + - kolibri + - kiwix + - moodle + - mongodb + - sugarizer + - transmission + - awstats + - monit + - munin + - phpmyadmin + - vnstat + - internetarchive + - minetest + - calibre + - calibreweb + +- name: Assert that 46 "XYZ_install" vars are defined + assert: + that: "{{ item }}_install is defined" + quiet: yes + loop: "{{ vars_checklist }}" + #register: install_vars_defined + +- name: Assert that 46 "XYZ_enabled" vars are defined + assert: + that: "{{ item }}_enabled is defined" + quiet: yes + loop: "{{ vars_checklist }}" + #register: enabled_vars_defined + +- name: Assert that 46 "XYZ_install" vars are type boolean (not type string, which can invert logic!) + assert: + that: "{{ item }}_install | type_debug == 'bool'" + quiet: yes + loop: "{{ vars_checklist }}" + #register: install_vars_boolean + +- name: Assert that 46 "XYZ_enabled" vars are type boolean (not type string, which can invert logic!) + assert: + that: "{{ item }}_enabled | type_debug == 'bool'" + quiet: yes + loop: "{{ vars_checklist }}" + #register: enabled_vars_boolean + +- name: 'DISALLOW "XYZ_install: False" WITH "XYZ_enabled: True" for 46 var pairs' + assert: + that: "{{ item }}_install or not {{ item }}_enabled" + #fail_msg: '{{ item }}_install or not {{ item }}_enabled {{ item }}_install is {{ {{ item }}_install }} {{ item }}_enabled is {{ {{ item }}_enabled }}' # Is there a way to output var values ? + quiet: yes + loop: "{{ vars_checklist }}" + #register: var_pairs_validation