Merge pull request #745 from roots/connection-role

Change remote-user role to connection role: tests host key, user
roots · Mar 18, 2017 · 8666765 · 8666765
2 parents fe849e0 + 6851788
commit 8666765
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 34 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Change `remote-user` role to `connection` role: tests host key, user ([#745](https://github.com/roots/trellis/pull/745))
 * Allow customization of PHP extensions ([#787](https://github.com/roots/trellis/pull/787))
 * Allow for per-project packagist.com authentication ([#762](https://github.com/roots/trellis/pull/762))
 * Set multisite constants false while checking `wp core is-installed` ([#766](https://github.com/roots/trellis/pull/766))

diff --git a/deploy.yml b/deploy.yml
@@ -3,6 +3,14 @@
   vars:
     playbook: deploy.yml
 
+- name: Test Connection
+  hosts: web:&{{ env }}
+  gather_facts: false
+  vars:
+    dynamic_user: false
+  roles:
+    - { role: connection, tags: [connection, always] }
+
 - name: Deploy WP site
   hosts: web:&{{ env }}
   remote_user: "{{ web_user }}"

diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: Require manual definition of remote-user
+  fail:
+    msg: |
+      When using `--ask-pass` option, use `-u` option to define remote-user:
+      ansible-playbook server.yml -e env={{ env | default('production') }} -u root --ask-pass
+  when: dynamic_user | default(true) and ansible_user is not defined and cli_ask_pass | default(false)
+
+- name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }}
+  local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv
+  failed_when: false
+  changed_when: false
+  check_mode: no
+  register: connection_status
+  tags: [connection-tests]
+
+- name: Warn about change in host keys
+  fail:
+    msg: |
+      WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
+
+      If this change in host keys is expected (e.g., if you rebuilt the server
+      or if the Trellis sshd role made changes recently), then run the following
+      command to clear the old host key from your known_hosts.
+
+        ssh-keygen -R {{ connection_status.stdout | regex_replace('(.|\n)*host key for (.*) has changed(.|\n)*', '\2') }}
+
+      Then try your Trellis playbook or SSH connection again.
+
+      If the change is unexpected, cautiously consider why the host identification
+      may have changed and whether you may be victim to a man-in-the-middle attack.
+
+      ---------------------------------------------------
+      {{ (connection_status.stdout.replace('Please contact your system administrator.\r\n', '') |
+          regex_replace ('(.|\n)*(The fingerprint for the(.|\n)*Host key verification failed.)(.|\n)*', '\2') |
+          regex_replace('(\\r\\n|\\n)', '\n\n')).replace('\"', '"') }}
+  when: "'REMOTE HOST IDENTIFICATION HAS CHANGED' in connection_status.stdout"
+  tags: [connection-tests]
+
+- block:
+  - name: Set remote user for each host
+    set_fact:
+      ansible_user: "{{ ansible_user | default(('root' in connection_status.stdout_lines) | ternary('root', admin_user)) }}"
+    check_mode: no
+
+  - name: Announce which user was selected
+    debug:
+      msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}"
+
+  - name: Load become password
+    set_fact:
+      ansible_become_pass: "{% raw %}{% for user in vault_users | default([]) if user.name == ansible_user %}{{ user.password | default('') }}{% endfor %}{% endraw %}"
+    when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined
+    no_log: true
+
+  when: dynamic_user | default(true)
diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml
diff --git a/rollback.yml b/rollback.yml
@@ -3,6 +3,14 @@
   vars:
     playbook: rollback.yml
 
+- name: Test Connection
+  hosts: web:&{{ env }}
+  gather_facts: false
+  vars:
+    dynamic_user: false
+  roles:
+    - { role: connection, tags: [connection, always] }
+
 - name: Rollback a Deploy
   hosts: web:&{{ env }}
   remote_user: "{{ web_user }}"

diff --git a/server.yml b/server.yml
@@ -3,11 +3,11 @@
   vars:
     playbook: server.yml
 
-- name: Determine Remote User
+- name: Test Connection and Determine Remote User
   hosts: web:&{{ env }}
   gather_facts: false
   roles:
-    - { role: remote-user, tags: [remote-user, always] }
+    - { role: connection, tags: [connection, always] }
 
 - name: Install prerequisites
   hosts: web:&{{ env }}

diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml
@@ -1,9 +1,9 @@
 ---
-- name: Determine Remote User
+- name: Test Connection and Determine Remote User
   hosts: "{{ xdebug_tunnel_inventory_host }}"
   gather_facts: false
   roles:
-    - { role: remote-user, tags: [remote-user, always] }
+    - { role: connection, tags: [connection, always] }
 
 - name: Enable or Disable Xdebug and SSH Tunnel
   hosts: "{{ xdebug_tunnel_inventory_host }}"