mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-05-08 14:23:11 +00:00
Thomas Woerner
GitHub
60
tests/cert/test_cert_client_context.yml
Normal file
60
tests/cert/test_cert_client_context.yml
Normal file
@@ -0,0 +1,60 @@
|
||||
---
|
||||
- name: Test cert
|
||||
hosts: ipaclients, ipaserver
|
||||
become: false
|
||||
gather_facts: false
|
||||
module_defaults:
|
||||
ipacert:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_contetx: "{{ ipa_context | default(omit) }}"
|
||||
|
||||
tasks:
|
||||
- name: Include FreeIPA facts.
|
||||
ansible.builtin.include_tasks: ../env_freeipa_facts.yml
|
||||
|
||||
# Test will only be executed if host is not a server.
|
||||
- name: Execute with server context in the client.
|
||||
ipacert:
|
||||
ipaapi_context: server
|
||||
name: ThisShouldNotWork
|
||||
register: result
|
||||
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
|
||||
when: ipa_host_is_client
|
||||
|
||||
# Import basic module tests, and execute with ipa_context set to 'client'.
|
||||
# If ipaclients is set, it will be executed using the client, if not,
|
||||
# ipaserver will be used.
|
||||
#
|
||||
# With this setup, tests can be executed against an IPA client, against
|
||||
# an IPA server using "client" context, and ensure that tests are executed
|
||||
# in upstream CI.
|
||||
|
||||
- name: Test host certs using client context, in client host.
|
||||
ansible.builtin.import_playbook: test_cert_host.yml
|
||||
when: groups['ipaclients']
|
||||
vars:
|
||||
ipa_test_host: ipaclients
|
||||
|
||||
- name: Test service certs using client context, in client host.
|
||||
ansible.builtin.import_playbook: test_cert_service.yml
|
||||
when: groups['ipaclients']
|
||||
vars:
|
||||
ipa_test_host: ipaclients
|
||||
|
||||
- name: Test user certs using client context, in client host.
|
||||
ansible.builtin.import_playbook: test_cert_user.yml
|
||||
when: groups['ipaclients']
|
||||
vars:
|
||||
ipa_test_host: ipaclients
|
||||
|
||||
- name: Test host certs using client context, in server host.
|
||||
ansible.builtin.import_playbook: test_cert_host.yml
|
||||
when: groups['ipaclients'] is not defined or not groups['ipaclients']
|
||||
|
||||
- name: Test service certs using client context, in server host.
|
||||
ansible.builtin.import_playbook: test_cert_service.yml
|
||||
when: groups['ipaclients'] is not defined or not groups['ipaclients']
|
||||
|
||||
- name: Test user certs using client context, in server host.
|
||||
ansible.builtin.import_playbook: test_cert_user.yml
|
||||
when: groups['ipaclients'] is not defined or not groups['ipaclients']
|
||||
214
tests/cert/test_cert_host.yml
Normal file
214
tests/cert/test_cert_host.yml
Normal file
@@ -0,0 +1,214 @@
|
||||
---
|
||||
- name: Test host certificate requests
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
become: false
|
||||
gather_facts: false
|
||||
module_defaults:
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
ipacert:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
# ipacert only supports client context
|
||||
ipaapi_context: "client"
|
||||
|
||||
tasks:
|
||||
|
||||
# SETUP
|
||||
|
||||
- name: Ensure test files do not exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "/root/retrieved.pem"
|
||||
- "/root/cert_1.pem"
|
||||
- "/root/host.csr"
|
||||
|
||||
# Ensure test items exist
|
||||
|
||||
- name: Ensure domain name is set
|
||||
ansible.builtin.set_fact:
|
||||
ipa_domain: ipa.test
|
||||
when: ipa_domain is not defined
|
||||
|
||||
- name: Ensure test host exists
|
||||
ipahost:
|
||||
name: "certhost.{{ ipa_domain }}"
|
||||
state: present
|
||||
force: true
|
||||
|
||||
- name: Create CSR
|
||||
ansible.builtin.shell:
|
||||
cmd: "openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certhost.{{ ipa_domain }}"
|
||||
register: host_req
|
||||
|
||||
- name: Create CSR file
|
||||
ansible.builtin.copy:
|
||||
dest: "/root/host.csr"
|
||||
content: "{{ host_req.stdout }}"
|
||||
mode: 0644
|
||||
|
||||
# TESTS
|
||||
|
||||
- name: Request certificate for host
|
||||
ipacert:
|
||||
csr: '{{ host_req.stdout }}'
|
||||
principal: "host/certhost.{{ ipa_domain }}"
|
||||
state: requested
|
||||
register: host_cert
|
||||
failed_when: not host_cert.changed or host_cert.failed
|
||||
|
||||
- name: Display data from the requested certificate.
|
||||
ansible.builtin.debug:
|
||||
var: host_cert
|
||||
|
||||
- name: Retrieve certificate for host
|
||||
ipacert:
|
||||
serial_number: "{{ host_cert.certificate.serial_number }}"
|
||||
state: retrieved
|
||||
register: retrieved
|
||||
failed_when: retrieved.certificate.serial_number != host_cert.certificate.serial_number
|
||||
|
||||
- name: Display data from the retrieved certificate.
|
||||
ansible.builtin.debug:
|
||||
var: retrieved
|
||||
|
||||
- name: Place certificate on hold
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: held
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Place certificate on hold, again
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: held
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Release hold on certificate
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Release hold on certificate, again
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Revoke certificate
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: revoked
|
||||
reason: keyCompromise
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Revoke certificate, again
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: revoked
|
||||
reason: keyCompromise
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Try to revoke inexistent certificate
|
||||
ipacert:
|
||||
serial_number: 0x123456789
|
||||
reason: 9
|
||||
state: revoked
|
||||
register: result
|
||||
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
|
||||
|
||||
- name: Try to release revoked certificate
|
||||
ipacert:
|
||||
serial_number: '{{ host_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
|
||||
|
||||
- name: Request certificate for host and save to file
|
||||
ipacert:
|
||||
csr: '{{ host_req.stdout }}'
|
||||
principal: "host/certhost.{{ ipa_domain }}"
|
||||
certificate_out: "/root/cert_1.pem"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed or result.certificate
|
||||
|
||||
- name: Check requested certificate file
|
||||
ansible.builtin.file:
|
||||
path: "/root/cert_1.pem"
|
||||
check_mode: true
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Retrieve certificate for host to a file
|
||||
ipacert:
|
||||
serial_number: "{{ host_cert.certificate.serial_number }}"
|
||||
certificate_out: "/root/retrieved.pem"
|
||||
state: retrieved
|
||||
register: result
|
||||
failed_when: result.changed or result.failed or result.certificate
|
||||
|
||||
- name: Check retrieved certificate file
|
||||
ansible.builtin.file:
|
||||
path: "/root/retrieved.pem"
|
||||
check_mode: true
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Request with invalid CSR.
|
||||
ipacert:
|
||||
csr: |
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
|
||||
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
|
||||
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
|
||||
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
|
||||
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
principal: "host/certhost.{{ ipa_domain }}"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
|
||||
|
||||
- name: Request certificate using a file
|
||||
ipacert:
|
||||
csr_file: "/root/host.csr"
|
||||
principal: "host/certhost.{{ ipa_domain }}"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Request certificate using an invalid profile
|
||||
ipacert:
|
||||
csr_file: "/root/host.csr"
|
||||
principal: "host/certhost.{{ ipa_domain }}"
|
||||
profile: invalid_profile
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
|
||||
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Removet test host
|
||||
ipahost:
|
||||
name: "certhost.{{ ipa_domain }}"
|
||||
state: absent
|
||||
|
||||
- name: Ensure test files do not exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "/root/retrieved.pem"
|
||||
- "/root/cert_1.pem"
|
||||
- "/root/host.csr"
|
||||
232
tests/cert/test_cert_service.yml
Normal file
232
tests/cert/test_cert_service.yml
Normal file
@@ -0,0 +1,232 @@
|
||||
---
|
||||
- name: Test service certificate requests
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
# Change "become" or "gather_facts" to "yes",
|
||||
# if you test playbook requires any.
|
||||
become: false
|
||||
gather_facts: false
|
||||
module_defaults:
|
||||
ipahost:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
ipaservice:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
ipacert:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
# ipacert only supports client context
|
||||
ipaapi_context: "client"
|
||||
|
||||
tasks:
|
||||
|
||||
# SETUP
|
||||
|
||||
- name: Ensure test files do not exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "/root/retrieved.pem"
|
||||
- "/root/cert_1.pem"
|
||||
- "/root/service.csr"
|
||||
|
||||
# Ensure test items exist
|
||||
|
||||
- name: Ensure domain name is set
|
||||
ansible.builtin.set_fact:
|
||||
ipa_domain: ipa.test
|
||||
when: ipa_domain is not defined
|
||||
|
||||
- name: Ensure test host exist
|
||||
ipahost:
|
||||
name: "certservice.{{ ipa_domain }}"
|
||||
force: true
|
||||
state: present
|
||||
|
||||
- name: Ensure service exist
|
||||
ipaservice:
|
||||
name: "HTTP/certservice.{{ ipa_domain }}"
|
||||
force: true
|
||||
state: present
|
||||
|
||||
- name: Create signing request for certificate
|
||||
ansible.builtin.shell:
|
||||
cmd: "openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certservice.{{ ipa_domain }}"
|
||||
register: service_req
|
||||
|
||||
- name: Create CSR file
|
||||
ansible.builtin.copy:
|
||||
dest: "/root/service.csr"
|
||||
content: "{{ service_req.stdout }}"
|
||||
mode: '0644'
|
||||
|
||||
# TESTS
|
||||
|
||||
- name: Request certificate for service
|
||||
ipacert:
|
||||
csr: '{{ service_req.stdout }}'
|
||||
principal: "HTTP/certservice.{{ ipa_domain }}"
|
||||
add_principal: true
|
||||
state: requested
|
||||
register: service_cert
|
||||
failed_when: not service_cert.changed or service_cert.failed
|
||||
|
||||
- name: Display data from the requested certificate.
|
||||
ansible.builtin.debug:
|
||||
var: service_cert
|
||||
|
||||
- name: Retrieve certificate for service
|
||||
ipacert:
|
||||
serial_number: "{{ service_cert.certificate.serial_number }}"
|
||||
state: retrieved
|
||||
register: retrieved
|
||||
failed_when: retrieved.certificate.serial_number != service_cert.certificate.serial_number
|
||||
|
||||
- name: Display data from the retrieved certificate.
|
||||
ansible.builtin.debug:
|
||||
var: retrieved
|
||||
|
||||
- name: Place certificate on hold
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: held
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Place certificate on hold, again
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: held
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Release hold on certificate
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Release hold on certificate, again
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Revoke certificate
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: revoked
|
||||
reason: keyCompromise
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Revoke certificate, again
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: revoked
|
||||
reason: keyCompromise
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Try to revoke inexistent certificate
|
||||
ipacert:
|
||||
serial_number: 0x123456789
|
||||
reason: 9
|
||||
state: revoked
|
||||
register: result
|
||||
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
|
||||
|
||||
- name: Try to release revoked certificate
|
||||
ipacert:
|
||||
serial_number: '{{ service_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
|
||||
|
||||
- name: Request certificate for service and save to file
|
||||
ipacert:
|
||||
csr: '{{ service_req.stdout }}'
|
||||
principal: "HTTP/certservice.{{ ipa_domain }}"
|
||||
add_principal: true
|
||||
certificate_out: "/root/cert_1.pem"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed or result.certificate
|
||||
|
||||
- name: Check requested certificate file
|
||||
ansible.builtin.file:
|
||||
path: "/root/cert_1.pem"
|
||||
check_mode: true
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Retrieve certificate for service to a file
|
||||
ipacert:
|
||||
serial_number: "{{ service_cert.certificate.serial_number }}"
|
||||
certificate_out: "/root/retrieved.pem"
|
||||
state: retrieved
|
||||
register: result
|
||||
failed_when: result.changed or result.failed or result.certificate
|
||||
|
||||
- name: Check retrieved certificate file
|
||||
ansible.builtin.file:
|
||||
path: "/root/retrieved.pem"
|
||||
check_mode: true
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Request with invalid CSR.
|
||||
ipacert:
|
||||
csr: |
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
|
||||
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
|
||||
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
|
||||
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
|
||||
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
principal: "HTTP/certservice.{{ ipa_domain }}"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
|
||||
|
||||
- name: Request certificate using a file
|
||||
ipacert:
|
||||
csr_file: "/root/service.csr"
|
||||
principal: "HTTP/certservice.{{ ipa_domain }}"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Request certificate using an invalid profile
|
||||
ipacert:
|
||||
csr_file: "/root/service.csr"
|
||||
principal: "HTTP/certservice.{{ ipa_domain }}"
|
||||
profile: invalid_profile
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Remove test service
|
||||
ipaservice:
|
||||
name: "HTTP/certservice.{{ ipa_domain }}"
|
||||
state: absent
|
||||
continue: true
|
||||
|
||||
- name: Remove test host
|
||||
ipahost:
|
||||
name: certservice.example.com
|
||||
state: absent
|
||||
|
||||
- name: Ensure test files do not exist
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "/root/retrieved.pem"
|
||||
- "/root/cert_1.pem"
|
||||
- "/root/service.csr"
|
||||
213
tests/cert/test_cert_user.yml
Normal file
213
tests/cert/test_cert_user.yml
Normal file
@@ -0,0 +1,213 @@
|
||||
---
|
||||
- name: Test user certificate requests
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
become: false
|
||||
gather_facts: false
|
||||
module_defaults:
|
||||
ipauser:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
ipacert:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
# ipacert only supports client context
|
||||
ipaapi_context: "client"
|
||||
|
||||
tasks:
|
||||
|
||||
# Ensure test files do not exist
|
||||
|
||||
- name: Check retrieved certificate file
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "/root/retrieved.pem"
|
||||
- "/root/cert_1.pem"
|
||||
- "/root/user.csr"
|
||||
|
||||
# Ensure test items exist.
|
||||
|
||||
- name: Ensure test user exists
|
||||
ipauser:
|
||||
name: certuser
|
||||
first: certificate
|
||||
last: user
|
||||
|
||||
- name: Crete CSR
|
||||
ansible.builtin.shell:
|
||||
cmd:
|
||||
'openssl req -newkey rsa:1024 -keyout /dev/null -nodes -subj /CN=certuser -reqexts IECUserRoles
|
||||
-config <(cat /etc/pki/tls/openssl.cnf; printf "[IECUserRoles]\n1.2.840.10070.8.1=ASN1:UTF8String:hello world")'
|
||||
executable: /bin/bash
|
||||
register: user_req
|
||||
|
||||
- name: Create CSR file
|
||||
ansible.builtin.copy:
|
||||
dest: "/root/user.csr"
|
||||
content: "{{ user_req.stdout }}"
|
||||
mode: 0644
|
||||
|
||||
# TESTS
|
||||
|
||||
- name: Request certificate for user
|
||||
ipacert:
|
||||
csr: '{{ user_req.stdout }}'
|
||||
principal: certuser
|
||||
profile: IECUserRoles
|
||||
state: requested
|
||||
register: user_cert
|
||||
failed_when: not user_cert.changed or user_cert.failed
|
||||
|
||||
- name: Display data from the requested certificate.
|
||||
ansible.builtin.debug:
|
||||
var: user_cert
|
||||
|
||||
- name: Retrieve certificate for user
|
||||
ipacert:
|
||||
serial_number: "{{ user_cert.certificate.serial_number }}"
|
||||
state: retrieved
|
||||
register: retrieved
|
||||
failed_when: retrieved.certificate.serial_number != user_cert.certificate.serial_number
|
||||
|
||||
- name: Display data from the retrieved certificate.
|
||||
ansible.builtin.debug:
|
||||
var: retrieved
|
||||
|
||||
- name: Place certificate on hold
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: held
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Place certificate on hold, again
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: held
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Release hold on certificate
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Release hold on certificate, again
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Revoke certificate
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: revoked
|
||||
reason: keyCompromise
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Revoke certificate, again
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: revoked
|
||||
reason: keyCompromise
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Try to revoke inexistent certificate
|
||||
ipacert:
|
||||
serial_number: 0x123456789
|
||||
reason: 9
|
||||
state: revoked
|
||||
register: result
|
||||
failed_when: not (result.failed and ("Request failed with status 404" in result.msg or "Certificate serial number 0x123456789 not found" in result.msg))
|
||||
|
||||
- name: Try to release revoked certificate
|
||||
ipacert:
|
||||
serial_number: '{{ user_cert.certificate.serial_number }}'
|
||||
state: released
|
||||
register: result
|
||||
failed_when: not result.failed or "Cannot release hold on certificate revoked with reason" not in result.msg
|
||||
|
||||
- name: Request certificate for user and save to file
|
||||
ipacert:
|
||||
csr: '{{ user_req.stdout }}'
|
||||
principal: certuser
|
||||
profile: IECUserRoles
|
||||
certificate_out: "/root/cert_1.pem"
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed or result.certificate
|
||||
|
||||
- name: Check requested certificate file
|
||||
ansible.builtin.file:
|
||||
path: "/root/cert_1.pem"
|
||||
check_mode: true
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Retrieve certificate for user to a file
|
||||
ipacert:
|
||||
serial_number: "{{ user_cert.certificate.serial_number }}"
|
||||
certificate_out: "/root/retrieved.pem"
|
||||
state: retrieved
|
||||
register: result
|
||||
failed_when: result.changed or result.failed or result.certificate
|
||||
|
||||
- name: Check retrieved certificate file
|
||||
ansible.builtin.file:
|
||||
path: "/root/retrieved.pem"
|
||||
check_mode: true
|
||||
register: result
|
||||
failed_when: result.changed or result.failed
|
||||
|
||||
- name: Request with invalid CSR.
|
||||
ipacert:
|
||||
csr: |
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
BNxXqLcHylNEyg8SH0u63bWyxtgoDBfdZwdGAhYuJ+g4ev79J5eYoB0CAwEAAaAr
|
||||
MCkGCSqGSIb3DQEJDjEcMBowGAYHKoZIzlYIAQQNDAtoZWxsbyB3b3JsZDANBgkq
|
||||
hkiG9w0BAQsFAAOBgQADCi5BHDv1mrBFDWqYytFpQ1mrvr/mdax3AYXxNL2UEV8j
|
||||
AqZAFTEnJXL/u1eVQtI1yotqxakyUBN4XZBP2CBgJRO93Mtry8cgvU1sPdU8Mavx
|
||||
5gSnlP74Hio2ziscWWydlxpYxFx0gkKvu+0nyIpz954SVYwQ2wwk5FRqZnxI5w==
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
principal: certuser
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not (result.failed and "Failure decoding Certificate Signing Request" in result.msg)
|
||||
|
||||
- name: Request certificate using a file
|
||||
ipacert:
|
||||
csr_file: "/root/user.csr"
|
||||
principal: certuser
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not result.changed or result.failed
|
||||
|
||||
- name: Request certificate using an invalid profile
|
||||
ipacert:
|
||||
csr_file: "/root/user.csr"
|
||||
principal: certuser
|
||||
profile: invalid_profile
|
||||
state: requested
|
||||
register: result
|
||||
failed_when: not (result.failed and "Request failed with status 400" in result.msg)
|
||||
|
||||
# CLEANUP TEST ITEMS
|
||||
|
||||
- name: Remove test user
|
||||
ipauser:
|
||||
name: certuser
|
||||
state: absent
|
||||
|
||||
- name: Check retrieved certificate file
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "/root/retrieved.pem"
|
||||
- "/root/cert_1.pem"
|
||||
- "/root/user.csr"
|
||||
Reference in New Issue
Block a user