Add rollback protection

In production environments, we'll refuse to push an out-of-date source repository. This is implemented by storing the current git revision on the servers. There is no protection (yet) against pushing uncommitted changes.

Add rollback protection
e8fcc8ef · ale · b90cc4f6 · e8fcc8ef · e8fcc8ef · e8fcc8ef
Commit e8fcc8ef authored 6 years ago by ale
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -17,3 +17,6 @@ backup_repository_restic_password: ""

 # A fallback SSH key that can be used in an emergency to login as root.
 emergency_ssh_key: ""
+
+# Bypass rollback protection in production.
+skip_rollback_protection: false
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
 ---

+- import_tasks: rollback_protection.yml
+  when: "not testing|default(True)"
+
 - import_tasks: service_discovery.yml

 - import_tasks: apt.yml

--- a/roles/base/tasks/rollback_protection.yml
+++ b/roles/base/tasks/rollback_protection.yml
+---
+
+# Protect production from rollbacks.
+#
+# We store the git commit of HEAD from the source repository being
+# pushed on the remote servers, and we check if the remote commit is
+# older than the local one.
+#
+# To skip the checks in an emergency, set the
+# 'skip_rollback_protection' variable to 'true' in the Ansible
+# configuration.
+
+# Define parameters associated with the source.
+- local_action: shell git rev-parse HEAD
+  register: git_revision_cmd
+  run_once: true
+  become: false
+  changed_when: false
+- set_fact:
+    git_revision: "{{ git_revision_cmd.stdout }}"
+- debug:
+    msg: "Pushing revision {{ git_revision }}"
+
+# Detect remote commit (if present).
+- stat:
+    path: /etc/ai3-ansible-commit
+  register: commit_guard_stat
+
+- slurp:
+    src: /etc/ai3-ansible-commit
+  register: commit_guard_content
+  when: commit_guard_stat.stat.exists
+- set_fact:
+    remote_git_revision: "{{ commit_guard_content.content | b64decode }}"
+  when: commit_guard_stat.stat.exists
+
+# Compare the remote revision with the local one. Ignore errors here
+# so we can call the 'fail' module immediately afterwards, with a
+# custom message.
+- local_action: shell git merge-base --is-ancestor {{ remote_git_revision }} {{ git_revision }}
+  when: commit_guard_stat.stat.exists
+  become: false
+  changed_when: false
+  ignore_errors: true
+  register: commit_compare
+
+- fail:
+    msg: "You are pushing an older version of the sources. Run 'git pull' and try again?"
+  when: "commit_guard_stat.stat.exists and commit_compare.rc != 0 and not skip_rollback_protection"
+
+- copy:
+    dest: /etc/ai3-ansible-commit
+    content: "{{ git_revision }}"