Update security versions for CentOS7 packages (#13)

pending
(Pablo Orviz) #1

Update security versions for CentOS7 packages (#13)

  • Update C7 security versions according to CESA-2019:2030, CESA-2019:0483 and CESA-2019:2118
  • Get CA version programmatically
  • Fix invalid escape sequence
  • Fix lint errors
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 21b4782..66f6cd4 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -2,6 +2,10 @@ import os
 import pytest
 import testinfra.utils.ansible_runner
 import re
+from six.moves.urllib.request import urlopen
+from xml.dom import minidom
+
+
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
 
@@ -51,7 +55,7 @@ def test_repositories_present(host, repo_file, os_major_version):
 )
 def test_repositories_enabled(host, repo_file):
     content = host.file("/etc/yum.repos.d/"+repo_file).content.decode('utf8')
-    enabled_regex = re.compile("enabled\s*=\s*1")
+    enabled_regex = re.compile(r'enabled\s*=\s*1')
     assert enabled_regex.search(content) is not None
 
 
@@ -63,9 +67,15 @@ def test_crl_files(host):
 
 # def test_crl_freshness(host):
 
+
 def test_egi_policy(host):
     ca_package_name = "ca-policy-egi-core"
-    ca_package_version = "1.95"
+    ca_package_version_url = ("http://repository.egi.eu/sw/production"
+                              "/cas/1/current/release.xml")
+    _doc = minidom.parse(urlopen(ca_package_version_url))
+    _version = _doc.getElementsByTagName('Version')[0].firstChild.data
+    ca_package_version = _version.split('-')[0]
+
     pkg = host.package(ca_package_name)
     assert pkg.is_installed
     assert pkg.version.startswith(ca_package_version)
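Review bot: The expected version in `test_egi_policy` is now fetched from `release.xml` over plain `http://` with no timeout, so the value the assertion compares against is unauthenticated and a stalled connection hangs the test run. Pass a timeout, `_doc = minidom.parse(urlopen(ca_package_version_url, timeout=30))`, and switch the URL to `https://` if the repository serves it (not verifiable from this page). Add `assert ca_package_version` before the package check, because `startswith('')` is always true and an empty `Version` value would let the test pass vacuously. `xml.dom.minidom` is documented as not secure against maliciously constructed data, which deserves a comment next to the parse call given the transport. The function body may continue past the end of the hunk.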
diff --git a/tasks/main.yml b/tasks/main.yml
index 139e589..6d35de7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: OS specific variables
-  include_vars: "{{ ansible_distribution |lower}}{{ ansible_distribution_major_version }}.yml"
+  include_vars: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}.yml"
 
 - name: Fail if release is not defined
   fail:
diff --git a/tasks/redhat.yml b/tasks/redhat.yml
index 934a43e..ade05eb 100644
--- a/tasks/redhat.yml
+++ b/tasks/redhat.yml
@@ -9,9 +9,10 @@
     name: "{{ release_url[release] }}"
     state: present
 
-- name: Ensure UMD base candidate repository is enabled
+- name: Ensure UMD candidate repositories are enabled
   block:
-    - yum_repository:
+    - name: Enable UMD candidate base
+      yum_repository:
         name: "UMD-{{ release }}-candidate-base"
         description: "UMD-{{ release }} candidate - base"
         file: "UMD-{{ release }}-candidate"
@@ -20,7 +21,8 @@
         enabled: yes
         priority: 1
         gpgcheck: no
-    - yum_repository:
+    - name: Enable UMD candidate updates
+      yum_repository:
         name: "UMD-{{ release }}-candidate-updates"
         description: "UMD-{{ release }} candidate - updates"
         file: "UMD-{{ release }}-candidate"
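Review bot: The candidate base repository keeps `gpgcheck: no` (the context line just above the newly named `Enable UMD candidate updates` task), so packages installed from it are not signature-verified; the updates task's own setting and both `baseurl` values lie outside the hunks. Since the commit already edits these tasks, consider `gpgcheck: yes` with `gpgkey: <UMD signing key URL>`. If the candidate packages really are unsigned, add a comment on the task such as `# candidate packages are unsigned; enable only on verification hosts`. The missing signature check matters more if the `baseurl` is plain HTTP.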
@@ -34,7 +36,7 @@
 - name: Ensure yum-utils is present
   package:
     name: yum-utils
-    state: latest
+    state: present
   when: enable_testing_repo or enable_untested_repo
 
 # these tasks are not idempotent - they should be replaced with some "replace" tasks, in a block
diff --git a/vars/RedHat7.yml b/vars/RedHat7.yml
index a3802d2..8b2b30e 100644
--- a/vars/RedHat7.yml
+++ b/vars/RedHat7.yml
@@ -8,12 +8,12 @@ baseline_packages:
 
 security_updates:
   - name: python
-    patched_version: "2.7.5-76.el7"
+    patched_version: "2.7.5-86.el7"
   - name: python-libs
-    patched_version: "2.7.5-76.el7"
+    patched_version: "2.7.5-86.el7"
   - name: openssl-libs
-    patched_version: "1.0.2k-16.el7"
+    patched_version: "1.0.2k-19.el7"
   - name: openssl
-    patched_version: "1.0.2k-16.el7"
+    patched_version: "1.0.2k-19.el7"
   - name: glibc
-    patched_version: "2.17-260.el7"
+    patched_version: "2.17-292.el7"

GitHub sha: e867a63f