Use Porchetta-Industries/CrackMapExec to test Rust

jsf9k · jsf9k · commit bd6f50192dbb · 2025-01-24T17:27:13.000-05:00
The resyncgg/ripgen tool is no longer being installed on our Kali
AMIs (cisagov/kali-packer), and CrackMapExec is the only other
assessment tool we install that uses Rust.
diff --git a/molecule/rust/converge.yml b/molecule/rust/converge.yml
@@ -2,15 +2,41 @@
 - name: Converge
   hosts: all
   tasks:
-    - name: Install resyncgg/ripgen
-      # We do prepend the name of the role to the role variables, but
-      # Molecule does its own role discovery with inconsistent naming.
-      # This is the reason for the noqa below.
+    # CrackMapExec itself requires that git be installed because some
+    # of its Python dependencies are pulled directly via git.
+    #
+    # The following CrackMapExec dependencies require the specified
+    # packages be installed:
+    # * gssapi requires the krb5-config executable from the
+    #   libkrb5-dev package
+    - name: Install CrackMapExec dependencies
+      ansible.builtin.package:
+        name:
+          - git
+          - libkrb5-dev
+
+    # We do prepend the name of the role to the role variables, but
+    # Molecule does its own role discovery with inconsistent naming.
+    # This is the reason for the noqa below.
+    - name: Install Porchetta-Industries/CrackMapExec
       ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
         name: ansible-role-assessment-tool
+      # The fact that CrackMapExec has Python dependencies that are
+      # pulled directly via git means that this role cannot possibly
+      # pass idempotence.
+      tags:
+        - molecule-idempotence-notest
       vars:
-        assessment_tool_archive_src: https://github.com/resyncgg/ripgen/tarball/main
-        assessment_tool_install_dir: /tools/ripgen
+        assessment_tool_archive_src: >
+          https://github.com/Porchetta-Industries/CrackMapExec/tarball/master
+        # This is not a cargo project, although it requires a Rust
+        # compiler.
+        assessment_tool_cargo_build: false
+        assessment_tool_install_dir: /tools/CrackMapExec
+        assessment_tool_pip_packages:
+          - .
+        # Although this is a Python project, the dependency aardwolf
+        # requires a Rust compiler to build its native code.
         assessment_tool_rust: true
         assessment_tool_unarchive_extra_opts:
           - --strip-components=1
diff --git a/molecule/rust/tests/test_rust.py b/molecule/rust/tests/test_rust.py
@@ -2,7 +2,6 @@
 
 # Standard Python Libraries
 import os
-import stat
 
 # Third-Party Libraries
 import pytest
@@ -16,7 +15,7 @@
 @pytest.mark.parametrize(
     "d",
     [
-        "/tools/ripgen",
+        "/tools/CrackMapExec",
     ],
 )
 def test_directories(host, d):
@@ -37,17 +36,3 @@ def test_directories(host, d):
 def test_packages(host, pkg):
     """Test that appropriate packages were installed."""
     assert host.package(pkg).is_installed
-
-
-@pytest.mark.parametrize(
-    "path",
-    [
-        "/tools/ripgen/target/release/ripgen",
-    ],
-)
-def test_build_product(host, path):
-    """Test that the build product exists."""
-    product = host.file(path)
-    assert product.exists
-    assert product.is_file
-    assert product.mode | stat.S_IXUSR
