Metadata-Version: 2.1
Name: rhc-playbook-verifier
Version: 1.0.0
Summary: Verifier for GPG-signed Ansible playbooks
Author: CSI Client Tools
Author-email: csi-client-tools-bugs@redhat.com
License: MIT
Keywords: Red Hat,Red Hat Insights,Ansible,gnupg
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: pyyaml
Provides-Extra: dev
Requires-Dist: pytest ; extra == 'dev'
Requires-Dist: ruff ; extra == 'dev'
Requires-Dist: mypy ; extra == 'dev'
Requires-Dist: types-PyYAML ; extra == 'dev'

# Ansible playbook verifier

When a Red Hat Insights service instructs a RHEL system to take some action (disable password-based SSH access to the root account, update all packages affected by CVEs, convert from CentOS to RHEL), it does so by sending an Ansible playbook to the host system.

Before the host executes the playbook, it verifies the embedded GPG signature to ensure the playbook can be trusted. That is what the Ansible playbook verifier does.
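As an added illustration of the check described above (example code written for this page, not the project's own verifier): the play's signature field and any paths listed in an exclusion list are removed, the remainder is serialised deterministically and checked against the signature, and any failure stops execution of the whole playbook. The field names `insights_signature` and `insights_signature_exclude`, the JSON canonicalisation, the slash-separated exclusion paths and the HMAC backend (standing in for GPG detached-signature verification so that the example runs offline without `gpg`) are all assumptions of this example; the play is taken as an already-parsed structure, so the PyYAML loading step is left out.

```python
import base64
import copy
import hashlib
import hmac
import json
from typing import Any, Callable

# Assumed field names (not from the page): the signature and the list of paths
# excluded from the signed content both live under the play's `vars`.
SIGNATURE_KEY = "insights_signature"
EXCLUDE_KEY = "insights_signature_exclude"

# Verification backend: (signed_bytes, signature) -> bool.  Production code would
# wrap GPG detached-signature verification against a trusted public key here.
Verifier = Callable[[bytes, bytes], bool]


class PlaybookVerificationError(Exception):
    """Raised when a play must not be executed."""


def strip_excluded(play: dict, exclude: list[str]) -> dict:
    """Deep-copy `play` and delete every slash-separated path in `exclude`.

    The exclusion list itself stays in the copy: it is part of the signed
    content, so tampering with it invalidates the signature instead of
    widening the unsigned area.  Missing paths are ignored.
    """
    stripped = copy.deepcopy(play)
    for path in exclude:
        parts = [p for p in path.split("/") if p]
        if not parts:
            continue  # "/" would strip the whole play; never honour it
        node: Any = stripped
        for part in parts[:-1]:
            node = node.get(part) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(parts[-1], None)
    return stripped


def canonical_bytes(play: dict) -> bytes:
    """Sorted keys and fixed separators: signer and verifier hash the same bytes."""
    return json.dumps(play, sort_keys=True, separators=(",", ":")).encode("utf-8")


def verify_play(play: dict, verify: Verifier) -> None:
    """Raise PlaybookVerificationError unless the embedded signature is valid."""
    play_vars = play.get("vars") or {}
    signature_b64 = play_vars.get(SIGNATURE_KEY)
    if not signature_b64:
        raise PlaybookVerificationError("no embedded signature")
    try:
        signature = base64.b64decode(signature_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise PlaybookVerificationError("signature is not valid base64") from exc
    exclude = list(play_vars.get(EXCLUDE_KEY) or []) + [f"/vars/{SIGNATURE_KEY}"]
    if not verify(canonical_bytes(strip_excluded(play, exclude)), signature):
        raise PlaybookVerificationError("signature does not match play content")


def verify_playbook(plays: list[dict], verify: Verifier) -> list[dict]:
    """Fail closed: return the plays only if every one of them verifies."""
    for index, play in enumerate(plays):
        try:
            verify_play(play, verify)
        except PlaybookVerificationError as exc:
            name = play.get("name", "<unnamed>")
            raise PlaybookVerificationError(f"play {index} ({name}): {exc}") from exc
    return plays


def make_hmac_verifier(key: bytes) -> Verifier:
    """Constructed stand-in for GPG so the example runs offline."""
    def verify(message: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).digest(), signature)
    return verify


def sign_play_for_demo(play: dict, key: bytes, exclude: tuple[str, ...] = ()) -> dict:
    """Constructed signer matching make_hmac_verifier (the real signer is GPG)."""
    signed = copy.deepcopy(play)
    play_vars = signed.setdefault("vars", {})
    if exclude:
        play_vars[EXCLUDE_KEY] = list(exclude)
    message = canonical_bytes(strip_excluded(signed, list(exclude) + [f"/vars/{SIGNATURE_KEY}"]))
    play_vars[SIGNATURE_KEY] = base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode()
    return signed


# Constructed sample play and key: not real Insights content, not a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_PLAY = {
    "name": "Disable password-based SSH login for root", "hosts": "localhost", "become": True,
    "tasks": [{"name": "Set PermitRootLogin", "lineinfile": {
        "path": "/etc/ssh/sshd_config", "regexp": "^PermitRootLogin", "line": "PermitRootLogin prohibit-password"}}],
}


def _outcome(verify: Verifier, plays: list[dict]) -> str:
    try:
        verify_playbook(plays, verify)
        return "accepted"
    except PlaybookVerificationError:
        return "rejected"


def demo() -> dict:
    """Exercise the outcomes a verifier must get right; returns them by name."""
    verify = make_hmac_verifier(DEMO_KEY)
    signed = sign_play_for_demo(DEMO_PLAY, DEMO_KEY, exclude=("/hosts",))
    retargeted = copy.deepcopy(signed)
    retargeted["hosts"] = "all"  # excluded path: may change without breaking the signature
    tampered = copy.deepcopy(signed)
    tampered["tasks"][0]["lineinfile"]["line"] = "PermitRootLogin yes"  # signed content changed
    return {
        "valid": _outcome(verify, [signed]),
        "excluded_field_changed": _outcome(verify, [retargeted]),
        "tampered": _outcome(verify, [tampered]),
        "unsigned": _outcome(verify, [copy.deepcopy(DEMO_PLAY)]),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is which fields are excluded: the signature itself must be, because it cannot sign itself, and a field such as `hosts` may be if the service needs to retarget a play without re-signing, but the exclusion list stays inside the signed content so a modified playbook cannot exclude its own changes. Everything else, including the tasks, is covered, and one failed play rejects the whole playbook rather than running the plays that happened to verify.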

Historically, the verifier has been a Python application shipped with the Insights Client as part of Insights Core. This repository replaces it.

**References:**

- [Red Hat Insights](https://consoledot.redhat.com/insights): Red Hat cloud services
- [yggdrasil](https://github.com/RedHatInsights/yggdrasil): MQTT broker that delivers playbooks from Insights to the host
- [rhc-worker-playbook](https://github.com/RedHatInsights/rhc-worker-playbook): Yggdrasil worker executing signed Ansible playbooks
- [rhc-worker-script](https://github.com/oamg/rhc-worker-script): Yggdrasil worker executing Python or Bash scripts from signed YAML files
- [insights-client](https://github.com/RedHatInsights/insights-client): The wrapper around Insights Core
- [insights-core](https://github.com/RedHatInsights/insights-core): The old Playbook verifier location (see `insights/client/apps/ansible/`)


## Development

### Running

```shell
# python
python3 -m pip install -e .[dev]
cat data/playbooks/... | rhc-playbook-verifier
```

### Testing

```shell
# python
make check-py
make test-py
make integration-py
```

<details>

<summary>More testing tips</summary>

```shell
# python coverage
PYTHONPATH=python/ python3 -m coverage run -m pytest python/tests-unit/
python3 -m coverage report
python3 -m coverage html
```

</details>

### Building

The Python verifier can be built as an RPM package. The following command builds a `.noarch.rpm` in the `rpm/` directory.

```shell
dnf install -y epel-release  # CentOS Stream, RHEL
dnf install -y rpmdevtools mock
make rpm VERSION=1.0.0 BUILDROOT=fedora-40-x86_64
```


## Contributing

This project is developed under the [MIT license](LICENSE).

See [CONTRIBUTING.md](CONTRIBUTING.md) to learn more about the contribution process, Conventional Commits and Developer Certificate of Origin.
