From 33ef158b094f16d5e04ea9db3ed8bad010744d02 Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Sat, 26 Apr 2025 09:01:44 +0200 Subject: [PATCH] Fix linting errors. --- .azure-pipelines/templates/matrix.yml | 14 +- .azure-pipelines/templates/test.yml | 68 +- .github/workflows/ansible-test.yml | 2 +- .github/workflows/docs-pr.yml | 2 +- .github/workflows/docs-push.yml | 2 +- .github/workflows/ee.yml | 2 +- antsibull-nox.toml | 2 + galaxy.yml | 2 +- plugins/filter/gpg_fingerprint.py | 1 + plugins/filter/openssl_csr_info.py | 1 + plugins/filter/openssl_privatekey_info.py | 1 + plugins/filter/openssl_publickey_info.py | 1 + plugins/filter/parse_serial.py | 1 + plugins/filter/split_pem.py | 1 + plugins/filter/to_serial.py | 1 + plugins/filter/x509_certificate_info.py | 1 + plugins/filter/x509_crl_info.py | 1 + plugins/lookup/gpg_fingerprint.py | 1 + plugins/modules/acme_account.py | 1 + plugins/modules/acme_account_info.py | 1 + plugins/modules/acme_ari_info.py | 1 + plugins/modules/acme_certificate.py | 2 + .../acme_certificate_deactivate_authz.py | 1 + .../modules/acme_certificate_order_create.py | 3 +- .../acme_certificate_order_finalize.py | 3 +- .../modules/acme_certificate_order_info.py | 2 +- .../acme_certificate_order_validate.py | 3 +- .../modules/acme_certificate_renewal_info.py | 1 + plugins/modules/acme_certificate_revoke.py | 1 + plugins/modules/acme_challenge_cert_helper.py | 1 + plugins/modules/acme_inspect.py | 40 +- plugins/modules/certificate_complete_chain.py | 1 + plugins/modules/crypto_info.py | 1 + plugins/modules/ecs_certificate.py | 18 +- plugins/modules/ecs_domain.py | 1 + plugins/modules/get_certificate.py | 1 + plugins/modules/luks_device.py | 1 + plugins/modules/openssh_cert.py | 1 + plugins/modules/openssh_keypair.py | 1 + plugins/modules/openssl_csr.py | 1 + plugins/modules/openssl_csr_info.py | 1 + plugins/modules/openssl_csr_pipe.py | 1 + plugins/modules/openssl_dhparam.py | 1 + plugins/modules/openssl_pkcs12.py | 1 + plugins/modules/openssl_privatekey.py | 1 + plugins/modules/openssl_privatekey_convert.py 
| 1 + plugins/modules/openssl_privatekey_info.py | 1 + plugins/modules/openssl_privatekey_pipe.py | 1 + plugins/modules/openssl_publickey.py | 1 + plugins/modules/openssl_publickey_info.py | 1 + plugins/modules/openssl_signature.py | 1 + plugins/modules/openssl_signature_info.py | 1 + plugins/modules/x509_certificate.py | 1 + plugins/modules/x509_certificate_convert.py | 1 + plugins/modules/x509_certificate_info.py | 1 + plugins/modules/x509_certificate_pipe.py | 1 + plugins/modules/x509_crl.py | 1 + plugins/modules/x509_crl_info.py | 1 + tests/ee/all.yml | 16 +- tests/ee/roles/luks_device/tasks/main.yml | 40 +- tests/ee/roles/smoke/tasks/main.yml | 4 +- tests/integration/requirements.yml | 4 +- .../targets/acme_account/tasks/impl.yml | 46 +- .../targets/acme_account/tasks/main.yml | 20 +- .../targets/acme_account_info/tasks/impl.yml | 26 +- .../targets/acme_account_info/tasks/main.yml | 20 +- .../targets/acme_ari_info/tasks/impl.yml | 16 +- .../targets/acme_ari_info/tasks/main.yml | 20 +- .../targets/acme_certificate/tasks/impl.yml | 198 ++--- .../targets/acme_certificate/tasks/main.yml | 112 +-- .../acme_certificate/tests/validate.yml | 48 +- .../tasks/main.yml | 20 +- .../acme_certificate_order/tasks/main.yml | 16 +- .../tasks/impl.yml | 18 +- .../tasks/main.yml | 20 +- .../acme_certificate_revoke/tasks/impl.yml | 18 +- .../acme_certificate_revoke/tasks/main.yml | 20 +- .../acme_challenge_cert_helper/tasks/main.yml | 50 +- .../targets/acme_inspect/tasks/impl.yml | 34 +- .../targets/acme_inspect/tasks/main.yml | 20 +- .../targets/acme_inspect/tests/validate.yml | 174 ++--- .../tasks/create.yml | 44 +- .../tasks/created.yml | 20 +- .../tasks/existing.yml | 168 ++--- .../certificate_complete_chain/tasks/main.yml | 30 +- .../targets/ecs_certificate/tasks/main.yml | 257 ++++--- .../targets/ecs_domain/tasks/main.yml | 398 +++++----- .../targets/filter_split_pem/tasks/main.yml | 5 +- .../tasks/impl.yml | 4 +- .../tasks/main.yml | 8 +- 
.../filter_x509_crl_info/tasks/main.yml | 12 +- .../targets/get_certificate/tasks/main.yml | 44 +- .../get_certificate/tests/validate.yml | 2 +- .../targets/luks_device/tasks/main.yml | 40 +- .../tasks/tests/create-destroy.yml | 40 +- .../luks_device/tasks/tests/cryptname.yml | 12 +- .../tasks/tests/key-management.yml | 18 +- .../tasks/tests/keyfile_binary_nocopy.yml | 8 +- .../tasks/tests/keyslot-create-destroy.yml | 40 +- .../tasks/tests/keyslot-duplicate.yml | 8 +- .../tasks/tests/keyslot-options.yml | 10 +- .../luks_device/tasks/tests/passphrase.yml | 16 +- .../luks_device/tasks/tests/performance.yml | 8 +- .../openssh_cert/tests/key_idempotency.yml | 28 +- .../openssh_keypair/tests/regenerate.yml | 148 ++-- .../targets/openssl_csr/tasks/main.yml | 34 +- .../targets/openssl_csr_pipe/tasks/main.yml | 8 +- .../targets/openssl_dhparam/tasks/main.yml | 12 +- .../targets/openssl_pkcs12/tasks/impl.yml | 700 +++++++++--------- .../targets/openssl_pkcs12/tasks/main.yml | 120 +-- .../targets/openssl_privatekey/tasks/impl.yml | 685 +++++++++-------- .../targets/openssl_privatekey/tasks/main.yml | 20 +- .../openssl_privatekey/tests/validate.yml | 14 +- .../openssl_privatekey_convert/tasks/main.yml | 8 +- .../openssl_privatekey_pipe/tasks/main.yml | 8 +- .../targets/openssl_publickey/tasks/main.yml | 30 +- .../targets/prepare_http_tests/tasks/main.yml | 2 +- .../targets/setup_openssl/tasks/main.yml | 44 +- .../targets/setup_pyopenssl/tasks/main.yml | 72 +- .../targets/setup_ssh_agent/tasks/main.yml | 2 +- .../x509_certificate-acme/tasks/impl.yml | 14 +- .../x509_certificate-acme/tasks/main.yml | 76 +- .../targets/x509_certificate/tasks/ownca.yml | 10 +- .../x509_certificate/tasks/removal.yml | 10 +- .../x509_certificate/tests/validate_ownca.yml | 14 +- .../tests/validate_selfsigned.yml | 24 +- .../x509_certificate_convert/tasks/main.yml | 12 +- .../x509_certificate_info/tasks/impl.yml | 10 +- .../x509_certificate_info/tasks/main.yml | 8 +- 
.../x509_certificate_pipe/tasks/impl.yml | 24 +- .../x509_certificate_pipe/tasks/main.yml | 8 +- .../targets/x509_crl/tasks/main.yml | 14 +- 132 files changed, 2305 insertions(+), 2214 deletions(-) diff --git a/.azure-pipelines/templates/matrix.yml b/.azure-pipelines/templates/matrix.yml index 48763758..49f5d859 100644 --- a/.azure-pipelines/templates/matrix.yml +++ b/.azure-pipelines/templates/matrix.yml @@ -50,11 +50,11 @@ jobs: parameters: jobs: - ${{ if eq(length(parameters.groups), 0) }}: - - ${{ each target in parameters.targets }}: - - name: ${{ format(parameters.nameFormat, coalesce(target.name, target.test)) }} - test: ${{ format(parameters.testFormat, coalesce(target.test, target.name)) }} - - ${{ if not(eq(length(parameters.groups), 0)) }}: - - ${{ each group in parameters.groups }}: - ${{ each target in parameters.targets }}: - - name: ${{ format(format(parameters.nameGroupFormat, parameters.nameFormat), coalesce(target.name, target.test), group) }} - test: ${{ format(format(parameters.testGroupFormat, parameters.testFormat), coalesce(target.test, target.name), group) }} + - name: ${{ format(parameters.nameFormat, coalesce(target.name, target.test)) }} + test: ${{ format(parameters.testFormat, coalesce(target.test, target.name)) }} + - ${{ if not(eq(length(parameters.groups), 0)) }}: + - ${{ each group in parameters.groups }}: + - ${{ each target in parameters.targets }}: + - name: ${{ format(format(parameters.nameGroupFormat, parameters.nameFormat), coalesce(target.name, target.test), group) }} + test: ${{ format(format(parameters.testGroupFormat, parameters.testFormat), coalesce(target.test, target.name), group) }} diff --git a/.azure-pipelines/templates/test.yml b/.azure-pipelines/templates/test.yml index 700cf629..b263379c 100644 --- a/.azure-pipelines/templates/test.yml +++ b/.azure-pipelines/templates/test.yml 
@@ -14,37 +14,37 @@ parameters: jobs: - ${{ each job in parameters.jobs }}: - - job: test_${{ replace(replace(replace(job.test, '/', '_'), '.', '_'), '-', '_') }} - displayName: ${{ job.name }} - container: default - workspace: - clean: all - steps: - - checkout: self - fetchDepth: $(fetchDepth) - path: $(checkoutPath) - - bash: .azure-pipelines/scripts/run-tests.sh "$(entryPoint)" "${{ job.test }}" "$(coverageBranches)" - displayName: Run Tests - - bash: .azure-pipelines/scripts/process-results.sh - condition: succeededOrFailed() - displayName: Process Results - - bash: .azure-pipelines/scripts/aggregate-coverage.sh "$(Agent.TempDirectory)" - condition: eq(variables.haveCoverageData, 'true') - displayName: Aggregate Coverage Data - - task: PublishTestResults@2 - condition: eq(variables.haveTestResults, 'true') - inputs: - testResultsFiles: "$(outputPath)/junit/*.xml" - displayName: Publish Test Results - - task: PublishPipelineArtifact@1 - condition: eq(variables.haveBotResults, 'true') - displayName: Publish Bot Results - inputs: - targetPath: "$(outputPath)/bot/" - artifactName: "Bot $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)" - - task: PublishPipelineArtifact@1 - condition: eq(variables.haveCoverageData, 'true') - displayName: Publish Coverage Data - inputs: - targetPath: "$(Agent.TempDirectory)/coverage/" - artifactName: "Coverage $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)" + - job: test_${{ replace(replace(replace(job.test, '/', '_'), '.', '_'), '-', '_') }} + displayName: ${{ job.name }} + container: default + workspace: + clean: all + steps: + - checkout: self + fetchDepth: $(fetchDepth) + path: $(checkoutPath) + - bash: .azure-pipelines/scripts/run-tests.sh "$(entryPoint)" "${{ job.test }}" "$(coverageBranches)" + displayName: Run Tests + - bash: .azure-pipelines/scripts/process-results.sh + condition: succeededOrFailed() + displayName: Process Results + - bash: 
.azure-pipelines/scripts/aggregate-coverage.sh "$(Agent.TempDirectory)" + condition: eq(variables.haveCoverageData, 'true') + displayName: Aggregate Coverage Data + - task: PublishTestResults@2 + condition: eq(variables.haveTestResults, 'true') + inputs: + testResultsFiles: "$(outputPath)/junit/*.xml" + displayName: Publish Test Results + - task: PublishPipelineArtifact@1 + condition: eq(variables.haveBotResults, 'true') + displayName: Publish Bot Results + inputs: + targetPath: "$(outputPath)/bot/" + artifactName: "Bot $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)" + - task: PublishPipelineArtifact@1 + condition: eq(variables.haveCoverageData, 'true') + displayName: Publish Coverage Data + inputs: + targetPath: "$(Agent.TempDirectory)/coverage/" + artifactName: "Coverage $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)" diff --git a/.github/workflows/ansible-test.yml b/.github/workflows/ansible-test.yml index 6fcf441a..baa08c54 100644 --- a/.github/workflows/ansible-test.yml +++ b/.github/workflows/ansible-test.yml @@ -7,7 +7,7 @@ # https://github.com/marketplace/actions/ansible-test name: EOL CI -on: +'on': # Run EOL CI against all pushes (direct commits, also merged PRs), Pull Requests push: branches: diff --git a/.github/workflows/docs-pr.yml b/.github/workflows/docs-pr.yml index 2c88efd4..cd3751bd 100644 --- a/.github/workflows/docs-pr.yml +++ b/.github/workflows/docs-pr.yml @@ -7,7 +7,7 @@ name: Collection Docs concurrency: group: docs-pr-${{ github.head_ref }} cancel-in-progress: true -on: +'on': pull_request_target: types: [opened, synchronize, reopened, closed] diff --git a/.github/workflows/docs-push.yml b/.github/workflows/docs-push.yml index 323fa479..eaa0c2a9 100644 --- a/.github/workflows/docs-push.yml +++ b/.github/workflows/docs-push.yml @@ -7,7 +7,7 @@ name: Collection Docs concurrency: group: docs-push-${{ github.sha }} cancel-in-progress: true -on: +'on': push: branches: - main 
diff --git a/.github/workflows/ee.yml b/.github/workflows/ee.yml index e916482e..73e58dc9 100644 --- a/.github/workflows/ee.yml +++ b/.github/workflows/ee.yml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-3.0-or-later name: execution environment -on: +'on': # Run CI against all pushes (direct commits, also merged PRs), Pull Requests push: branches: diff --git a/antsibull-nox.toml b/antsibull-nox.toml index 731cf539..7b433d22 100644 --- a/antsibull-nox.toml +++ b/antsibull-nox.toml @@ -42,3 +42,5 @@ doc_fragment = "community.crypto.attributes.actiongroup_acme" [sessions.build_import_check] run_galaxy_importer = true + +# [sessions.ansible_lint] diff --git a/galaxy.yml b/galaxy.yml index d82bf1ec..124c5de9 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,7 +16,7 @@ license: - BSD-2-Clause - BSD-3-Clause - PSF-2.0 -#license_file: COPYING +# license_file: COPYING tags: - acme - certificate diff --git a/plugins/filter/gpg_fingerprint.py b/plugins/filter/gpg_fingerprint.py index 7ce53473..5de27994 100644 --- a/plugins/filter/gpg_fingerprint.py +++ b/plugins/filter/gpg_fingerprint.py @@ -27,6 +27,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show fingerprint of GPG public key ansible.builtin.debug: msg: "{{ lookup('file', '/path/to/public_key.gpg') | community.crypto.gpg_fingerprint }}" diff --git a/plugins/filter/openssl_csr_info.py b/plugins/filter/openssl_csr_info.py index 0485f90a..32dc79ba 100644 --- a/plugins/filter/openssl_csr_info.py +++ b/plugins/filter/openssl_csr_info.py @@ -31,6 +31,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show the Subject Alt Names of the CSR ansible.builtin.debug: msg: >- diff --git a/plugins/filter/openssl_privatekey_info.py b/plugins/filter/openssl_privatekey_info.py index d9bbcabc..6af341ed 100644 --- a/plugins/filter/openssl_privatekey_info.py +++ b/plugins/filter/openssl_privatekey_info.py @@ -40,6 +40,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show the Subject Alt Names of the CSR ansible.builtin.debug: msg: >- 
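Review bot: The line `# [sessions.ansible_lint]` appended to antsibull-nox.toml is commented-out configuration with no explanation, so a reader cannot tell whether the session is planned, deliberately disabled, or left over from local testing. Either drop the line or state the reason next to it, for example `# TODO(<owner>): enable [sessions.ansible_lint] once <blocker> is resolved`. A one-line reason is enough; a bare commented-out table header tends to survive indefinitely.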
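Review bot: The example heading that follows the inserted `---` in plugins/filter/openssl_privatekey_info.py still reads `Show the Subject Alt Names of the CSR`, which describes the openssl_csr_info filter rather than a private-key filter, so it looks like a copy-paste leftover in the EXAMPLES block. The message body continues outside the hunk; rename the task after what it actually prints, for example `- name: Show the type of the private key` if it reads the `type` field. The identical title in plugins/filter/openssl_csr_info.py is correct and needs no change.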
diff --git a/plugins/filter/openssl_publickey_info.py b/plugins/filter/openssl_publickey_info.py index e294e19b..df660a70 100644 --- a/plugins/filter/openssl_publickey_info.py +++ b/plugins/filter/openssl_publickey_info.py @@ -27,6 +27,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show the type of a public key ansible.builtin.debug: msg: >- diff --git a/plugins/filter/parse_serial.py b/plugins/filter/parse_serial.py index ed48c9f5..78e6080e 100644 --- a/plugins/filter/parse_serial.py +++ b/plugins/filter/parse_serial.py @@ -27,6 +27,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Parse serial number ansible.builtin.debug: msg: "{{ '11:22:33' | community.crypto.parse_serial }}" diff --git a/plugins/filter/split_pem.py b/plugins/filter/split_pem.py index eae46759..c4ed7344 100644 --- a/plugins/filter/split_pem.py +++ b/plugins/filter/split_pem.py @@ -24,6 +24,7 @@ options: """ EXAMPLES = r""" +--- - name: Print all CA certificates ansible.builtin.debug: msg: '{{ item }}' diff --git a/plugins/filter/to_serial.py b/plugins/filter/to_serial.py index e4946795..2da1ce1d 100644 --- a/plugins/filter/to_serial.py +++ b/plugins/filter/to_serial.py @@ -25,6 +25,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Convert integer to serial number ansible.builtin.debug: msg: "{{ 1234567 | community.crypto.to_serial }}" diff --git a/plugins/filter/x509_certificate_info.py b/plugins/filter/x509_certificate_info.py index 774e44a2..a623ada1 100644 --- a/plugins/filter/x509_certificate_info.py +++ b/plugins/filter/x509_certificate_info.py @@ -31,6 +31,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show the Subject Alt Names of the certificate ansible.builtin.debug: msg: >- diff --git a/plugins/filter/x509_crl_info.py b/plugins/filter/x509_crl_info.py index d897b91f..91a2a499 100644 --- a/plugins/filter/x509_crl_info.py +++ b/plugins/filter/x509_crl_info.py 
@@ -39,6 +39,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show the Organization Name of the CRL's subject ansible.builtin.debug: msg: >- diff --git a/plugins/lookup/gpg_fingerprint.py b/plugins/lookup/gpg_fingerprint.py index 642e133a..98b6ada5 100644 --- a/plugins/lookup/gpg_fingerprint.py +++ b/plugins/lookup/gpg_fingerprint.py @@ -28,6 +28,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Show fingerprint of GPG public key ansible.builtin.debug: msg: "{{ lookup('community.crypto.gpg_fingerprint', '/path/to/public_key.gpg') }}" diff --git a/plugins/modules/acme_account.py b/plugins/modules/acme_account.py index e2d18f76..da068a77 100644 --- a/plugins/modules/acme_account.py +++ b/plugins/modules/acme_account.py @@ -130,6 +130,7 @@ options: """ EXAMPLES = r""" +--- - name: Make sure account exists and has given contacts. We agree to TOS. community.crypto.acme_account: account_key_src: /etc/pki/cert/private/account.key diff --git a/plugins/modules/acme_account_info.py b/plugins/modules/acme_account_info.py index 01918922..a42e8896 100644 --- a/plugins/modules/acme_account_info.py +++ b/plugins/modules/acme_account_info.py @@ -47,6 +47,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Check whether an account with the given account key exists community.crypto.acme_account_info: account_key_src: /etc/pki/cert/private/account.key diff --git a/plugins/modules/acme_ari_info.py b/plugins/modules/acme_ari_info.py index 0fb63829..43ae04b4 100644 --- a/plugins/modules/acme_ari_info.py +++ b/plugins/modules/acme_ari_info.py @@ -44,6 +44,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Retrieve renewal information for a certificate community.crypto.acme_ari_info: certificate_path: /etc/httpd/ssl/sample.com.crt diff --git a/plugins/modules/acme_certificate.py b/plugins/modules/acme_certificate.py index 7ca930ff..45dc3cde 100644 --- a/plugins/modules/acme_certificate.py +++ b/plugins/modules/acme_certificate.py 
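Review bot: The example heading after the inserted `---` in plugins/filter/x509_crl_info.py says `Show the Organization Name of the CRL's subject`, but an X.509 CRL carries an issuer name and has no subject field. The message body is outside the hunk; if it reads the `issuer` field, change the title to `- name: Show the Organization Name of the CRL's issuer` so the documentation matches the structure the filter returns.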
@@ -302,6 +302,7 @@ options: """ EXAMPLES = r""" +--- ### Example with HTTP challenge ### - name: Create a challenge for sample.com using a account key from a variable. @@ -356,6 +357,7 @@ EXAMPLES = r""" chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt data: "{{ sample_com_challenge }}" +--- ### Example with DNS challenge against production ACME server ### - name: Create a challenge for sample.com using a account key file. diff --git a/plugins/modules/acme_certificate_deactivate_authz.py b/plugins/modules/acme_certificate_deactivate_authz.py index f01c8b72..bea64f30 100644 --- a/plugins/modules/acme_certificate_deactivate_authz.py +++ b/plugins/modules/acme_certificate_deactivate_authz.py @@ -45,6 +45,7 @@ options: """ EXAMPLES = r""" +--- - name: Deactivate all authzs for an order community.crypto.acme_certificate_deactivate_authz: account_key_content: "{{ account_private_key }}" diff --git a/plugins/modules/acme_certificate_order_create.py b/plugins/modules/acme_certificate_order_create.py index 08102281..0e52388c 100644 --- a/plugins/modules/acme_certificate_order_create.py +++ b/plugins/modules/acme_certificate_order_create.py @@ -10,7 +10,6 @@ __metaclass__ = type DOCUMENTATION = ''' ---- module: acme_certificate_order_create author: Felix Fontein (@felixfontein) version_added: 2.24.0 @@ -160,6 +159,7 @@ options: ''' EXAMPLES = r''' +--- ### Example with HTTP-01 challenge ### - name: Create a challenge for sample.com using a account key from a variable @@ -207,6 +207,7 @@ EXAMPLES = r''' fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt +--- ### Example with DNS challenge against production ACME server ### - name: Create a challenge for sample.com using a account key file. diff --git a/plugins/modules/acme_certificate_order_finalize.py b/plugins/modules/acme_certificate_order_finalize.py index 30900ad2..85359a1e 100644 --- a/plugins/modules/acme_certificate_order_finalize.py 
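Review bot: The second `---` inserted in plugins/modules/acme_certificate.py, just before the `### Example with DNS challenge against production ACME server ###` heading, turns EXAMPLES into a two-document YAML stream, so any consumer that parses it with a single-document loader will now reject the block. As far as I recall validate-modules loads EXAMPLES as a multi-document stream, but the docs renderer and any downstream tooling that reads EXAMPLES should be checked; if only a visual break between the two examples is wanted, a comment line such as `# ---` avoids the question entirely. The same mid-block separator is added in acme_certificate_order_create.py, acme_certificate_order_finalize.py and acme_certificate_order_validate.py.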
+++ b/plugins/modules/acme_certificate_order_finalize.py @@ -10,7 +10,6 @@ __metaclass__ = type DOCUMENTATION = ''' ---- module: acme_certificate_order_finalize author: Felix Fontein (@felixfontein) version_added: 2.24.0 @@ -172,6 +171,7 @@ options: ''' EXAMPLES = r''' +--- ### Example with HTTP-01 challenge ### - name: Create a challenge for sample.com using a account key from a variable @@ -219,6 +219,7 @@ EXAMPLES = r''' fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt +--- ### Example with DNS challenge against production ACME server ### - name: Create a challenge for sample.com using a account key file. diff --git a/plugins/modules/acme_certificate_order_info.py b/plugins/modules/acme_certificate_order_info.py index 25486483..cfa63279 100644 --- a/plugins/modules/acme_certificate_order_info.py +++ b/plugins/modules/acme_certificate_order_info.py @@ -10,7 +10,6 @@ __metaclass__ = type DOCUMENTATION = ''' ---- module: acme_certificate_order_info author: Felix Fontein (@felixfontein) version_added: 2.24.0 @@ -59,6 +58,7 @@ options: ''' EXAMPLES = r''' +--- - name: Create a challenge for sample.com using a account key from a variable community.crypto.acme_certificate_order_create: account_key_content: "{{ account_private_key }}" diff --git a/plugins/modules/acme_certificate_order_validate.py b/plugins/modules/acme_certificate_order_validate.py index 1943656e..5727879f 100644 --- a/plugins/modules/acme_certificate_order_validate.py +++ b/plugins/modules/acme_certificate_order_validate.py @@ -10,7 +10,6 @@ __metaclass__ = type DOCUMENTATION = ''' ---- module: acme_certificate_order_validate author: Felix Fontein (@felixfontein) version_added: 2.24.0 @@ -97,6 +96,7 @@ options: ''' EXAMPLES = r''' +--- ### Example with HTTP-01 challenge ### - name: Create a challenge for sample.com using a account key from a variable 
@@ -144,6 +144,7 @@ EXAMPLES = r''' fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt chain_dest: /etc/httpd/ssl/sample.com-intermediate.crt +--- ### Example with DNS challenge against production ACME server ### - name: Create a challenge for sample.com using a account key file. diff --git a/plugins/modules/acme_certificate_renewal_info.py b/plugins/modules/acme_certificate_renewal_info.py index 2a0c575e..b87eefab 100644 --- a/plugins/modules/acme_certificate_renewal_info.py +++ b/plugins/modules/acme_certificate_renewal_info.py @@ -97,6 +97,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Retrieve renewal information for a certificate community.crypto.acme_certificate_renewal_info: certificate_path: /etc/httpd/ssl/sample.com.crt diff --git a/plugins/modules/acme_certificate_revoke.py b/plugins/modules/acme_certificate_revoke.py index a1fc7cc4..9b0cf6bd 100644 --- a/plugins/modules/acme_certificate_revoke.py +++ b/plugins/modules/acme_certificate_revoke.py @@ -99,6 +99,7 @@ options: """ EXAMPLES = r""" +--- - name: Revoke certificate with account key community.crypto.acme_certificate_revoke: account_key_src: /etc/pki/cert/private/account.key diff --git a/plugins/modules/acme_challenge_cert_helper.py b/plugins/modules/acme_challenge_cert_helper.py index f4b08344..e333e9a6 100644 --- a/plugins/modules/acme_challenge_cert_helper.py +++ b/plugins/modules/acme_challenge_cert_helper.py @@ -74,6 +74,7 @@ options: """ EXAMPLES = r""" +--- - name: Create challenges for a given CRT for sample.com community.crypto.acme_certificate: account_key_src: /etc/pki/cert/private/account.key diff --git a/plugins/modules/acme_inspect.py b/plugins/modules/acme_inspect.py index 016eef20..15d1eb53 100644 --- a/plugins/modules/acme_inspect.py +++ b/plugins/modules/acme_inspect.py @@ -77,6 +77,7 @@ options: """ EXAMPLES = r""" +--- - name: Get directory community.crypto.acme_inspect: acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory 
@@ -181,24 +182,43 @@ directory: description: The ACME directory's content. returned: always type: dict - sample: {"a85k3x9f91A4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", + sample: { + "a85k3x9f91A4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", - "meta": {"caaIdentities": ["letsencrypt.org"], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", - "website": "https://letsencrypt.org"}, + "meta": { + "caaIdentities": ["letsencrypt.org"], + "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", + "website": "https://letsencrypt.org", + }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", - "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"} + "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" + } headers: description: The request's HTTP headers (with lowercase keys). 
returned: always type: dict - sample: {"boulder-requester": "12345", "cache-control": "max-age=0, no-cache, no-store", "connection": "close", "content-length": "904", - "content-type": "application/json", "cookies": {}, "cookies_string": "", "date": "Wed, 07 Nov 2018 12:34:56 GMT", "expires": "Wed, - 07 Nov 2018 12:44:56 GMT", "link": ';rel="terms-of-service"', - "msg": "OK (904 bytes)", "pragma": "no-cache", "replay-nonce": "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGH", "server": "nginx", - "status": 200, "strict-transport-security": "max-age=604800", "url": "https://acme-v02.api.letsencrypt.org/acme/acct/46161", - "x-frame-options": "DENY"} + sample: { + "boulder-requester": "12345", + "cache-control": "max-age=0, no-cache, no-store", + "connection": "close", + "content-length": "904", + "content-type": "application/json", + "cookies": {}, + "cookies_string": "", + "date": "Wed, 07 Nov 2018 12:34:56 GMT", + "expires": "Wed, 07 Nov 2018 12:44:56 GMT", + "link": ';rel="terms-of-service"', + "msg": "OK (904 bytes)", + "pragma": "no-cache", + "replay-nonce": "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGH", + "server": "nginx", + "status": 200, + "strict-transport-security": "max-age=604800", + "url": "https://acme-v02.api.letsencrypt.org/acme/acct/46161", + "x-frame-options": "DENY", + } output_text: description: The raw text output. returned: always diff --git a/plugins/modules/certificate_complete_chain.py b/plugins/modules/certificate_complete_chain.py index 5e1965d4..4e38193d 100644 --- a/plugins/modules/certificate_complete_chain.py +++ b/plugins/modules/certificate_complete_chain.py @@ -67,6 +67,7 @@ options: EXAMPLES = r""" +--- # Given a leaf certificate for www.ansible.com and one or more intermediate # certificates, finds the associated root certificate. - name: Find root certificate diff --git a/plugins/modules/crypto_info.py b/plugins/modules/crypto_info.py index 7e887141..371fcbfe 100644 --- a/plugins/modules/crypto_info.py 
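Review bot: The reformatted RETURN samples in plugins/modules/acme_inspect.py are inconsistent about trailing commas: the `headers` sample ends with `"x-frame-options": "DENY",` and the nested `meta` mapping with `"website": "https://letsencrypt.org",`, while the outer `directory` sample ends with `"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"` and no comma. Both forms are valid YAML flow mappings, but a formatting commit should pick one; since the other two already use trailing commas, `"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",` is the smaller change. Separately, the `link` header sample reads `';rel="terms-of-service"'` with no URI before `;rel=`; that may be an artifact of how this page was rendered, but since a Link header carries its target in angle brackets the file is worth a glance.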
+++ b/plugins/modules/crypto_info.py @@ -26,6 +26,7 @@ options: {} """ EXAMPLES = r""" +--- - name: Retrieve information community.crypto.crypto_info: account_key_src: /etc/pki/cert/private/account.key diff --git a/plugins/modules/ecs_certificate.py b/plugins/modules/ecs_certificate.py index 288179d6..76f53c90 100644 --- a/plugins/modules/ecs_certificate.py +++ b/plugins/modules/ecs_certificate.py @@ -140,8 +140,21 @@ options: - If a certificate is being reissued or renewed, this parameter is ignored, and the O(cert_type) of the initial certificate is used. type: str - choices: ['STANDARD_SSL', 'ADVANTAGE_SSL', 'UC_SSL', 'EV_SSL', 'WILDCARD_SSL', 'PRIVATE_SSL', 'PD_SSL', 'CODE_SIGNING', - 'EV_CODE_SIGNING', 'CDS_INDIVIDUAL', 'CDS_GROUP', 'CDS_ENT_LITE', 'CDS_ENT_PRO', 'SMIME_ENT'] + choices: + - STANDARD_SSL + - ADVANTAGE_SSL + - UC_SSL + - EV_SSL + - WILDCARD_SSL + - PRIVATE_SSL + - PD_SSL + - CODE_SIGNING + - EV_CODE_SIGNING + - CDS_INDIVIDUAL + - CDS_GROUP + - CDS_ENT_LITE + - CDS_ENT_PRO + - SMIME_ENT subject_alt_name: description: - The subject alternative name identifiers, as an array of values (applies to O(cert_type) with a value of V(STANDARD_SSL), @@ -377,6 +390,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Request a new certificate from Entrust with bare minimum parameters. Will request a new certificate if current one is valid but within 30 days of expiry. If replacing an existing file in path, will back it up. community.crypto.ecs_certificate: diff --git a/plugins/modules/ecs_domain.py b/plugins/modules/ecs_domain.py index 6e1e010f..d41e5d1e 100644 --- a/plugins/modules/ecs_domain.py +++ b/plugins/modules/ecs_domain.py @@ -100,6 +100,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Request domain validation using email validation for client ID of 2. community.crypto.ecs_domain: domain_name: ansible.com diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py index 0e296808..1a1c9004 100644 
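Review bot: The example under the inserted `---` in plugins/modules/crypto_info.py passes `account_key_src: /etc/pki/cert/private/account.key` to `community.crypto.crypto_info`, yet the hunk context shows the module's `options: {}`, so the example uses a parameter the module does not document and Ansible would reject it as unsupported if the task were run as written; it reads like a leftover from one of the ACME modules' examples. Suggest calling the module with no parameters, i.e. `community.crypto.crypto_info:` followed by `register: result`, and dropping the `account_key_src` line.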
--- a/plugins/modules/get_certificate.py +++ b/plugins/modules/get_certificate.py @@ -220,6 +220,7 @@ unverified_chain: """ EXAMPLES = r""" +--- - name: Get the cert from an RDP port community.crypto.get_certificate: host: "1.2.3.4" diff --git a/plugins/modules/luks_device.py b/plugins/modules/luks_device.py index ebb48c64..744b19a5 100644 --- a/plugins/modules/luks_device.py +++ b/plugins/modules/luks_device.py @@ -290,6 +290,7 @@ author: Jan Pokorny (@japokorn) """ EXAMPLES = r""" +--- - name: Create LUKS container (remains unchanged if it already exists) community.crypto.luks_device: device: "/dev/loop0" diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index b6e1d82c..a0f4212d 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -201,6 +201,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSH user certificate that is valid forever and for all users community.crypto.openssh_cert: type: user diff --git a/plugins/modules/openssh_keypair.py b/plugins/modules/openssh_keypair.py index 0269e529..ac4c232b 100644 --- a/plugins/modules/openssh_keypair.py +++ b/plugins/modules/openssh_keypair.py @@ -142,6 +142,7 @@ notes: """ EXAMPLES = r""" +--- - name: Generate an OpenSSH keypair with the default values (4096 bits, rsa) community.crypto.openssh_keypair: path: /tmp/id_ssh_rsa diff --git a/plugins/modules/openssl_csr.py b/plugins/modules/openssl_csr.py index dcc1015e..960fca4f 100644 --- a/plugins/modules/openssl_csr.py +++ b/plugins/modules/openssl_csr.py @@ -72,6 +72,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr diff --git a/plugins/modules/openssl_csr_info.py b/plugins/modules/openssl_csr_info.py index 53cdfe85..dd9797e6 100644 --- a/plugins/modules/openssl_csr_info.py +++ b/plugins/modules/openssl_csr_info.py 
@@ -59,6 +59,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: /etc/ssl/csr/www.ansible.com.csr diff --git a/plugins/modules/openssl_csr_pipe.py b/plugins/modules/openssl_csr_pipe.py index 93ef55bd..9c2b10e7 100644 --- a/plugins/modules/openssl_csr_pipe.py +++ b/plugins/modules/openssl_csr_pipe.py @@ -49,6 +49,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr_pipe: privatekey_path: /etc/ssl/private/ansible.com.pem diff --git a/plugins/modules/openssl_dhparam.py b/plugins/modules/openssl_dhparam.py index 52c85dcf..28a0485b 100644 --- a/plugins/modules/openssl_dhparam.py +++ b/plugins/modules/openssl_dhparam.py @@ -92,6 +92,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate Diffie-Hellman parameters with the default size (4096 bits) community.crypto.openssl_dhparam: path: /etc/ssl/dhparams.pem diff --git a/plugins/modules/openssl_pkcs12.py b/plugins/modules/openssl_pkcs12.py index 94fb244f..ac32c29f 100644 --- a/plugins/modules/openssl_pkcs12.py +++ b/plugins/modules/openssl_pkcs12.py @@ -187,6 +187,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate PKCS#12 file community.crypto.openssl_pkcs12: action: export diff --git a/plugins/modules/openssl_privatekey.py b/plugins/modules/openssl_privatekey.py index 1feb5079..7572e697 100644 --- a/plugins/modules/openssl_privatekey.py +++ b/plugins/modules/openssl_privatekey.py @@ -77,6 +77,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem diff --git a/plugins/modules/openssl_privatekey_convert.py b/plugins/modules/openssl_privatekey_convert.py index d53d216f..c42954b5 100644 --- a/plugins/modules/openssl_privatekey_convert.py +++ b/plugins/modules/openssl_privatekey_convert.py 
@@ -45,6 +45,7 @@ seealso: [] """ EXAMPLES = r""" +--- - name: Convert private key to PKCS8 format with passphrase community.crypto.openssl_privatekey_convert: src_path: /etc/ssl/private/ansible.com.pem diff --git a/plugins/modules/openssl_privatekey_info.py b/plugins/modules/openssl_privatekey_info.py index 944f0482..c4c9443e 100644 --- a/plugins/modules/openssl_privatekey_info.py +++ b/plugins/modules/openssl_privatekey_info.py @@ -81,6 +81,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem diff --git a/plugins/modules/openssl_privatekey_pipe.py b/plugins/modules/openssl_privatekey_pipe.py index 5bdbaeff..7f45785d 100644 --- a/plugins/modules/openssl_privatekey_pipe.py +++ b/plugins/modules/openssl_privatekey_pipe.py @@ -86,6 +86,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey_pipe: register: output diff --git a/plugins/modules/openssl_publickey.py b/plugins/modules/openssl_publickey.py index 30bd792e..6d074039 100644 --- a/plugins/modules/openssl_publickey.py +++ b/plugins/modules/openssl_publickey.py @@ -110,6 +110,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL public key in PEM format community.crypto.openssl_publickey: path: /etc/ssl/public/ansible.com.pem diff --git a/plugins/modules/openssl_publickey_info.py b/plugins/modules/openssl_publickey_info.py index 33b639dd..5117ca35 100644 --- a/plugins/modules/openssl_publickey_info.py +++ b/plugins/modules/openssl_publickey_info.py @@ -53,6 +53,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: /etc/ssl/private/ansible.com.pem 
diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py index d35f18db..0af85026 100644 --- a/plugins/modules/openssl_signature.py +++ b/plugins/modules/openssl_signature.py @@ -75,6 +75,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Sign example file community.crypto.openssl_signature: privatekey_path: private.key diff --git a/plugins/modules/openssl_signature_info.py b/plugins/modules/openssl_signature_info.py index 4b6e049c..cdf899b1 100644 --- a/plugins/modules/openssl_signature_info.py +++ b/plugins/modules/openssl_signature_info.py @@ -64,6 +64,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Sign example file community.crypto.openssl_signature: privatekey_path: private.key diff --git a/plugins/modules/x509_certificate.py b/plugins/modules/x509_certificate.py index 53e82030..8eec9d7b 100644 --- a/plugins/modules/x509_certificate.py +++ b/plugins/modules/x509_certificate.py @@ -95,6 +95,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate a Self Signed OpenSSL certificate community.crypto.x509_certificate: path: /etc/ssl/crt/ansible.com.crt diff --git a/plugins/modules/x509_certificate_convert.py b/plugins/modules/x509_certificate_convert.py index 2c30663a..4f641102 100644 --- a/plugins/modules/x509_certificate_convert.py +++ b/plugins/modules/x509_certificate_convert.py @@ -93,6 +93,7 @@ requirements: """ EXAMPLES = r""" +--- - name: Convert PEM X.509 certificate to DER format community.crypto.x509_certificate_convert: src_path: /etc/ssl/cert/ansible.com.pem diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py index 2f6e66e1..5943205a 100644 --- a/plugins/modules/x509_certificate_info.py +++ b/plugins/modules/x509_certificate_info.py @@ -79,6 +79,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate a Self Signed OpenSSL certificate community.crypto.x509_certificate: path: /etc/ssl/crt/ansible.com.crt 
diff --git a/plugins/modules/x509_certificate_pipe.py b/plugins/modules/x509_certificate_pipe.py index e7c312cf..b95057d6 100644 --- a/plugins/modules/x509_certificate_pipe.py +++ b/plugins/modules/x509_certificate_pipe.py @@ -55,6 +55,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate a Self Signed OpenSSL certificate community.crypto.x509_certificate_pipe: provider: selfsigned diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py index ac23f0f1..e67eb858 100644 --- a/plugins/modules/x509_crl.py +++ b/plugins/modules/x509_crl.py @@ -292,6 +292,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Generate a CRL community.crypto.x509_crl: path: /etc/ssl/my-ca.crl diff --git a/plugins/modules/x509_crl_info.py b/plugins/modules/x509_crl_info.py index 83bddb9c..23c01193 100644 --- a/plugins/modules/x509_crl_info.py +++ b/plugins/modules/x509_crl_info.py @@ -57,6 +57,7 @@ seealso: """ EXAMPLES = r""" +--- - name: Get information on CRL community.crypto.x509_crl_info: path: /etc/ssl/my-ca.crl diff --git a/tests/ee/all.yml b/tests/ee/all.yml index 28aa0f5e..a8f1f666 100644 --- a/tests/ee/all.yml +++ b/tests/ee/all.yml @@ -36,13 +36,13 @@ state: directory - block: - - name: Include all roles - ansible.builtin.include_role: - name: "{{ item }}" - loop: "{{ result.files | map(attribute='path') | map('regex_replace', '.*/', '') | sort }}" + - name: Include all roles + ansible.builtin.include_role: + name: "{{ item }}" + loop: "{{ result.files | map(attribute='path') | map('regex_replace', '.*/', '') | sort }}" always: - - name: Remove output directory - ansible.builtin.file: - path: "{{ output_path }}" - state: absent + - name: Remove output directory + ansible.builtin.file: + path: "{{ output_path }}" + state: absent diff --git a/tests/ee/roles/luks_device/tasks/main.yml b/tests/ee/roles/luks_device/tasks/main.yml index 410a8e59..9469fedc 100644 --- a/tests/ee/roles/luks_device/tasks/main.yml +++ b/tests/ee/roles/luks_device/tasks/main.yml 
@@ -23,27 +23,27 @@ # supports working with container files directly. when: false block: - - name: Create lookback device - command: losetup -f {{ cryptfile_path }} + - name: Create lookback device + command: losetup -f {{ cryptfile_path }} - - name: Determine loop device name - command: losetup -j {{ cryptfile_path }} --output name - register: cryptfile_device_output + - name: Determine loop device name + command: losetup -j {{ cryptfile_path }} --output name + register: cryptfile_device_output - - set_fact: - cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}" + - set_fact: + cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}" - - name: Create LUKS container - community.crypto.luks_device: - device: "{{ cryptfile_device }}" - # device: "{{ cryptfile_path }}" - state: present - keyfile: "{{ keyfile_path }}" - pbkdf: - iteration_time: 0.1 + - name: Create LUKS container + community.crypto.luks_device: + device: "{{ cryptfile_device }}" + # device: "{{ cryptfile_path }}" + state: present + keyfile: "{{ keyfile_path }}" + pbkdf: + iteration_time: 0.1 - - name: Destroy LUKS container - community.crypto.luks_device: - device: "{{ cryptfile_device }}" - # device: "{{ cryptfile_path }}" - state: absent + - name: Destroy LUKS container + community.crypto.luks_device: + device: "{{ cryptfile_device }}" + # device: "{{ cryptfile_path }}" + state: absent diff --git a/tests/ee/roles/smoke/tasks/main.yml b/tests/ee/roles/smoke/tasks/main.yml index 1e8b659b..a883b111 100644 --- a/tests/ee/roles/smoke/tasks/main.yml +++ b/tests/ee/roles/smoke/tasks/main.yml @@ -7,7 +7,7 @@ smoke_ipaddress: register: result -- name: Validate result +- name: Validate result assert: that: - result.msg == 'Everything is ok' @@ -16,7 +16,7 @@ smoke_pyyaml: register: result -- name: Validate result +- name: Validate result assert: that: - result.msg == 'Everything is ok' 
diff --git a/tests/integration/requirements.yml b/tests/integration/requirements.yml index 524cb7d9..f1f22787 100644 --- a/tests/integration/requirements.yml +++ b/tests/integration/requirements.yml @@ -4,5 +4,5 @@ # SPDX-License-Identifier: GPL-3.0-or-later collections: -- community.general -- community.internal_test_tools + - community.general + - community.internal_test_tools diff --git a/tests/integration/targets/acme_account/tasks/impl.yml b/tests/integration/targets/acme_account/tasks/impl.yml index 7ba8890c..3d218763 100644 --- a/tests/integration/targets/acme_account/tasks/impl.yml +++ b/tests/integration/targets/acme_account/tasks/impl.yml @@ -4,21 +4,21 @@ # SPDX-License-Identifier: GPL-3.0-or-later - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" - passphrase: "{{ item.pass | default(omit) | default(omit, true) }}" - type: ECC - curve: secp256r1 - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" + passphrase: "{{ item.pass | default(omit) | default(omit, true) }}" + type: ECC + curve: secp256r1 + force: true + loop: "{{ account_keys }}" - - name: Parse account keys (to ease debugging some test failures) - openssl_privatekey_info: - path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" - passphrase: "{{ item.pass | default(omit) | default(omit, true) }}" - return_private_key_data: true - loop: "{{ account_keys }}" + - name: Parse account keys (to ease debugging some test failures) + openssl_privatekey_info: + path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" + passphrase: "{{ item.pass | default(omit) | default(omit, true) }}" + return_private_key_data: true + loop: "{{ account_keys }}" vars: account_keys: @@ -52,7 +52,7 @@ allow_creation: true terms_agreed: true contact: - - mailto:example@example.org + - mailto:example@example.org check_mode: true diff: true register: account_created_check 
@@ -68,7 +68,7 @@ allow_creation: true terms_agreed: true contact: - - mailto:example@example.org + - mailto:example@example.org register: account_created - name: Create it now (idempotent) @@ -82,7 +82,7 @@ allow_creation: true terms_agreed: true contact: - - mailto:example@example.org + - mailto:example@example.org register: account_created_idempotent - name: Read account key @@ -100,7 +100,7 @@ state: present # allow_creation: false contact: - - mailto:example@example.com + - mailto:example@example.com check_mode: true diff: true register: account_modified_check @@ -115,7 +115,7 @@ state: present # allow_creation: false contact: - - mailto:example@example.com + - mailto:example@example.com register: account_modified - name: Change email address (idempotent) @@ -129,7 +129,7 @@ state: present # allow_creation: false contact: - - mailto:example@example.com + - mailto:example@example.com register: account_modified_idempotent - name: Cannot access account with wrong URI @@ -194,7 +194,7 @@ new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" state: changed_key contact: - - mailto:example@example.com + - mailto:example@example.com check_mode: true diff: true register: account_change_key_check @@ -210,7 +210,7 @@ new_account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" state: changed_key contact: - - mailto:example@example.com + - mailto:example@example.com register: account_change_key - name: Deactivate account (check mode, diff) @@ -284,7 +284,7 @@ allow_creation: true terms_agreed: true contact: - - mailto:example@example.org + - mailto:example@example.org external_account_binding: kid: "{{ item.kid }}" alg: "{{ item.alg }}" diff --git a/tests/integration/targets/acme_account/tasks/main.yml b/tests/integration/targets/acme_account/tasks/main.yml index 68d47973..ae702a4f 100644 --- a/tests/integration/targets/acme_account/tasks/main.yml 
+++ b/tests/integration/targets/acme_account/tasks/main.yml @@ -9,12 +9,12 @@ #################################################################### - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') @@ -30,11 +30,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_account_info/tasks/impl.yml b/tests/integration/targets/acme_account_info/tasks/impl.yml index d621603d..25ae9287 100644 --- a/tests/integration/targets/acme_account_info/tasks/impl.yml +++ b/tests/integration/targets/acme_account_info/tasks/impl.yml 
@@ -4,19 +4,19 @@ # SPDX-License-Identifier: GPL-3.0-or-later - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item }}.pem" - type: ECC - curve: secp256r1 - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item }}.pem" + type: ECC + curve: secp256r1 + force: true + loop: "{{ account_keys }}" - - name: Parse account keys (to ease debugging some test failures) - openssl_privatekey_info: - path: "{{ remote_tmp_dir }}/{{ item }}.pem" - return_private_key_data: true - loop: "{{ account_keys }}" + - name: Parse account keys (to ease debugging some test failures) + openssl_privatekey_info: + path: "{{ remote_tmp_dir }}/{{ item }}.pem" + return_private_key_data: true + loop: "{{ account_keys }}" vars: account_keys: @@ -43,7 +43,7 @@ allow_creation: true terms_agreed: true contact: - - mailto:example@example.org + - mailto:example@example.org - name: Check that account exists acme_account_info: diff --git a/tests/integration/targets/acme_account_info/tasks/main.yml b/tests/integration/targets/acme_account_info/tasks/main.yml index 68d47973..ae702a4f 100644 --- a/tests/integration/targets/acme_account_info/tasks/main.yml +++ b/tests/integration/targets/acme_account_info/tasks/main.yml @@ -9,12 +9,12 @@ #################################################################### - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') 
@@ -30,11 +30,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_ari_info/tasks/impl.yml b/tests/integration/targets/acme_ari_info/tasks/impl.yml index 53c6168c..bda73d53 100644 --- a/tests/integration/targets/acme_ari_info/tasks/impl.yml +++ b/tests/integration/targets/acme_ari_info/tasks/impl.yml @@ -5,14 +5,14 @@ ## SET UP ACCOUNT KEYS ######################################################################## - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" - type: "{{ item.type }}" - size: "{{ item.size | default(omit) }}" - curve: "{{ item.curve | default(omit) }}" - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" + type: "{{ item.type }}" + size: "{{ item.size | default(omit) }}" + curve: "{{ item.curve | default(omit) }}" + force: true + loop: "{{ account_keys }}" vars: account_keys: diff --git a/tests/integration/targets/acme_ari_info/tasks/main.yml b/tests/integration/targets/acme_ari_info/tasks/main.yml index 75b7d374..93bb446e 100644 --- a/tests/integration/targets/acme_ari_info/tasks/main.yml +++ b/tests/integration/targets/acme_ari_info/tasks/main.yml 
@@ -13,12 +13,12 @@ when: acme_supports_ari block: - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') @@ -34,11 +34,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_certificate/tasks/impl.yml b/tests/integration/targets/acme_certificate/tasks/impl.yml index 18dda9d5..907e3eac 100644 --- a/tests/integration/targets/acme_certificate/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate/tasks/impl.yml @@ -5,14 +5,14 @@ ## SET UP ACCOUNT KEYS ######################################################################## - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" - type: "{{ item.type }}" - size: "{{ item.size | default(omit) }}" - curve: "{{ item.curve | default(omit) }}" - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" + type: "{{ item.type }}" + size: "{{ item.size | default(omit) }}" + curve: "{{ item.curve | default(omit) }}" + force: true + loop: "{{ account_keys }}" vars: account_keys: 
@@ -25,6 +25,7 @@ - name: account-rsa type: RSA size: "{{ default_rsa_key_size }}" + ## SET UP ACCOUNTS ############################################################################ - name: Make sure ECC256 account hasn't been created yet acme_account: @@ -49,8 +50,8 @@ allow_creation: true terms_agreed: true contact: - - mailto:example@example.org - - mailto:example@example.com + - mailto:example@example.org + - mailto:example@example.com - name: Create RSA account acme_account: select_crypto_backend: "{{ select_crypto_backend }}" @@ -62,6 +63,7 @@ allow_creation: true terms_agreed: true contact: [] + ## OBTAIN CERTIFICATES ######################################################################## - name: Obtain cert 1 include_tasks: obtain-cert.yml 
@@ -272,97 +274,98 @@ cert_5_recreate_3: "{{ challenge_data is changed }}" cert_5d_obtain_results: "{{ certificate_obtain_result }}" - block: - - name: Obtain cert 6 - include_tasks: obtain-cert.yml - vars: - certgen_title: Certificate 6 - certificate_name: cert-6 - key_type: rsa - rsa_bits: "{{ default_rsa_key_size }}" - subject_alt_name: "DNS:example.org" - subject_alt_name_critical: false - account_key: account-ec256 - challenge: tls-alpn-01 - modify_account: true - deactivate_authzs: false - force: false - remaining_days: 1 - terms_agreed: true - account_email: "example@example.org" - acme_expected_root_number: 0 - select_chain: - # All intermediates have the same subject key identifier, so always - # the first chain will be found, and we need a second condition to - # make sure that the first condition actually works. (The second - # condition has been tested above.) - - test_certificates: first - subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}" - - test_certificates: last - issuer: "{{ acme_roots[1].subject }}" - use_csr_content: true - - name: Store obtain results for cert 6 - set_fact: - cert_6_obtain_results: "{{ certificate_obtain_result }}" - cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" + - name: Obtain cert 6 + include_tasks: obtain-cert.yml + vars: + certgen_title: Certificate 6 + certificate_name: cert-6 + key_type: rsa + rsa_bits: "{{ default_rsa_key_size }}" + subject_alt_name: "DNS:example.org" + subject_alt_name_critical: false + account_key: account-ec256 + challenge: tls-alpn-01 + modify_account: true + deactivate_authzs: false + force: false + remaining_days: 1 + terms_agreed: true + account_email: "example@example.org" + acme_expected_root_number: 0 + select_chain: + # All intermediates have the same subject key identifier, so always + # the first chain will be found, and we need a second condition to + # make sure that the first condition actually works. 
(The second + # condition has been tested above.) + - test_certificates: first + subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}" + - test_certificates: last + issuer: "{{ acme_roots[1].subject }}" + use_csr_content: true + - name: Store obtain results for cert 6 + set_fact: + cert_6_obtain_results: "{{ certificate_obtain_result }}" + cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" when: acme_intermediates[0].subject_key_identifier is defined - block: - - name: Obtain cert 7 - include_tasks: obtain-cert.yml - vars: - certgen_title: Certificate 7 - certificate_name: cert-7 - key_type: rsa - rsa_bits: "{{ default_rsa_key_size }}" - subject_alt_name: - - "IP:127.0.0.1" - # - "IP:::1" - subject_alt_name_critical: false - account_key: account-ec256 - challenge: http-01 - modify_account: true - deactivate_authzs: false - force: false - remaining_days: 1 - terms_agreed: true - account_email: "example@example.org" - acme_expected_root_number: 2 - select_chain: - - test_certificates: last - authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}" - use_csr_content: false - - name: Store obtain results for cert 7 - set_fact: - cert_7_obtain_results: "{{ certificate_obtain_result }}" - cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}" + - name: Obtain cert 7 + include_tasks: obtain-cert.yml + vars: + certgen_title: Certificate 7 + certificate_name: cert-7 + key_type: rsa + rsa_bits: "{{ default_rsa_key_size }}" + subject_alt_name: + - "IP:127.0.0.1" + # - "IP:::1" + subject_alt_name_critical: false + account_key: account-ec256 + challenge: http-01 + modify_account: true + deactivate_authzs: false + force: false + remaining_days: 1 + terms_agreed: true + account_email: "example@example.org" + acme_expected_root_number: 2 + select_chain: + - test_certificates: last + authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}" + use_csr_content: false + - name: Store 
obtain results for cert 7 + set_fact: + cert_7_obtain_results: "{{ certificate_obtain_result }}" + cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}" when: acme_roots[2].subject_key_identifier is defined - block: - - name: Obtain cert 8 - include_tasks: obtain-cert.yml - vars: - certgen_title: Certificate 8 - certificate_name: cert-8 - key_type: rsa - rsa_bits: "{{ default_rsa_key_size_certificates }}" - subject_alt_name: - - "IP:127.0.0.1" - # IPv4 only since our test validation server doesn't work - # with IPv6 (thanks to Python's socketserver). - subject_alt_name_critical: false - account_key: account-ec256 - challenge: tls-alpn-01 - challenge_alpn_tls: acme_challenge_cert_helper - modify_account: true - deactivate_authzs: false - force: false - remaining_days: 1 - terms_agreed: true - account_email: "example@example.org" - use_csr_content: true - - name: Store obtain results for cert 8 - set_fact: - cert_8_obtain_results: "{{ certificate_obtain_result }}" - cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" + - name: Obtain cert 8 + include_tasks: obtain-cert.yml + vars: + certgen_title: Certificate 8 + certificate_name: cert-8 + key_type: rsa + rsa_bits: "{{ default_rsa_key_size_certificates }}" + subject_alt_name: + - "IP:127.0.0.1" + # IPv4 only since our test validation server doesn't work + # with IPv6 (thanks to Python's socketserver). 
+ subject_alt_name_critical: false + account_key: account-ec256 + challenge: tls-alpn-01 + challenge_alpn_tls: acme_challenge_cert_helper + modify_account: true + deactivate_authzs: false + force: false + remaining_days: 1 + terms_agreed: true + account_email: "example@example.org" + use_csr_content: true + - name: Store obtain results for cert 8 + set_fact: + cert_8_obtain_results: "{{ certificate_obtain_result }}" + cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" when: cryptography_version.stdout is version('1.3', '>=') + ## DISSECT CERTIFICATES ####################################################################### # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate. - name: Verifying cert 1 @@ -400,6 +403,7 @@ ignore_errors: true register: cert_8_valid when: cryptography_version.stdout is version('1.3', '>=') + # Dump certificate info - name: Dumping cert 1 command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text' @@ -428,6 +432,7 @@ command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text' register: cert_8_text when: cryptography_version.stdout is version('1.3', '>=') + # Dump certificate info - name: Dumping cert 1 x509_certificate_info: @@ -464,6 +469,7 @@ path: "{{ remote_tmp_dir }}/cert-8.pem" register: cert_8_info when: cryptography_version.stdout is version('1.3', '>=') + ## GET ACCOUNT ORDERS ######################################################################### - name: Don't retrieve orders acme_account_info: diff --git a/tests/integration/targets/acme_certificate/tasks/main.yml b/tests/integration/targets/acme_certificate/tasks/main.yml index e715c7aa..f7c99bff 100644 --- a/tests/integration/targets/acme_certificate/tasks/main.yml +++ b/tests/integration/targets/acme_certificate/tasks/main.yml 
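Review bot: The re-indented `cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"` in the cert 6 block, and the identical expression for `cert_8_alternate` in the cert 8 block, are no-op conditionals that yield 0 on both branches, while the cert 7 block's `cert_7_alternate` genuinely selects between 2 and 0. Since the commit only reformats these lines, this is a style point rather than a behaviour change, but the template reads as if a backend-dependent value were intended and a future reader will wonder whether a branch was lost. Either collapse them to `cert_6_alternate: 0` and `cert_8_alternate: 0`, or add a comment such as `# both backends select the default chain here; kept in conditional form to mirror cert 7` above each. The enclosing `- block:` for cert 6 begins earlier in this hunk.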
@@ -9,51 +9,51 @@ #################################################################### - block: - - name: Obtain root and intermediate certificates - get_url: - url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}" - dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem" - loop: "{{ query('nested', types, root_numbers) }}" + - name: Obtain root and intermediate certificates + get_url: + url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}" + dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem" + loop: "{{ query('nested', types, root_numbers) }}" - - name: Analyze root certificates - x509_certificate_info: - path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem" - loop: "{{ root_numbers }}" - register: acme_roots + - name: Analyze root certificates + x509_certificate_info: + path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem" + loop: "{{ root_numbers }}" + register: acme_roots - - name: Analyze intermediate certificates - x509_certificate_info: - path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem" - loop: "{{ root_numbers }}" - register: acme_intermediates + - name: Analyze intermediate certificates + x509_certificate_info: + path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem" + loop: "{{ root_numbers }}" + register: acme_intermediates - - name: Read root certificates - slurp: - src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}" - loop: "{{ root_numbers }}" - register: slurp_roots + - name: Read root certificates + slurp: + src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}" + loop: "{{ root_numbers }}" + register: slurp_roots - - set_fact: - x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" - loop: "{{ acme_roots.results }}" - register: acme_roots_tmp + - set_fact: + x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" + loop: "{{ acme_roots.results }}" + register: 
acme_roots_tmp - - name: Read intermediate certificates - slurp: - src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}" - loop: "{{ root_numbers }}" - register: slurp_intermediates + - name: Read intermediate certificates + slurp: + src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}" + loop: "{{ root_numbers }}" + register: slurp_intermediates - - set_fact: - x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" - loop: "{{ acme_intermediates.results }}" - register: acme_intermediates_tmp + - set_fact: + x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" + loop: "{{ acme_intermediates.results }}" + register: acme_intermediates_tmp - - set_fact: - acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}" - acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}" - acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}" - acme_intermediate_certs: "{{ slurp_intermediates.results | map(attribute='content') | map('b64decode') | list }}" + - set_fact: + acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}" + acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}" + acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}" + acme_intermediate_certs: "{{ slurp_intermediates.results | map(attribute='content') | map('b64decode') | list }}" vars: types: 
@@ -70,32 +70,32 @@ - subject_key_identifier - issuer - subject - #- serial_number - #- public_key_fingerprints + # - serial_number + # - public_key_fingerprints - name: ACME root certificate info debug: var: acme_roots -#- name: ACME root certificates as PEM -# debug: -# var: acme_root_certs +# - name: ACME root certificates as PEM +# debug: +# var: acme_root_certs - name: ACME intermediate certificate info debug: var: acme_intermediates -#- name: ACME intermediate certificates as PEM -# debug: -# var: acme_intermediate_certs +# - name: ACME intermediate certificates as PEM +# debug: +# var: acme_intermediate_certs - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') @@ -111,11 +111,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_certificate/tests/validate.yml b/tests/integration/targets/acme_certificate/tests/validate.yml index a7058164..c4db7d90 100644 --- a/tests/integration/targets/acme_certificate/tests/validate.yml +++ b/tests/integration/targets/acme_certificate/tests/validate.yml 
@@ -129,36 +129,36 @@ - cert_5_recreate_3 == true - block: - - name: Check that certificate 6 is valid - assert: - that: - - cert_6_valid is not failed - - name: Check that certificate 6 contains correct SANs - assert: - that: - - "'DNS:example.org' in cert_6_text.stdout" + - name: Check that certificate 6 is valid + assert: + that: + - cert_6_valid is not failed + - name: Check that certificate 6 contains correct SANs + assert: + that: + - "'DNS:example.org' in cert_6_text.stdout" when: acme_intermediates[0].subject_key_identifier is defined - block: - - name: Check that certificate 7 is valid - assert: - that: - - cert_7_valid is not failed - - name: Check that certificate 7 contains correct SANs - assert: - that: - - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout" + - name: Check that certificate 7 is valid + assert: + that: + - cert_7_valid is not failed + - name: Check that certificate 7 contains correct SANs + assert: + that: + - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout" when: acme_roots[2].subject_key_identifier is defined - block: - - name: Check that certificate 8 is valid - assert: - that: - - cert_8_valid is not failed - - name: Check that certificate 8 contains correct SANs - assert: - that: - - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout" + - name: Check that certificate 8 is valid + assert: + that: + - cert_8_valid is not failed + - name: Check that certificate 8 contains correct SANs + assert: + that: + - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout" when: cryptography_version.stdout is version('1.3', '>=') - name: Validate that orders were not retrieved diff --git a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml index 68d47973..ae702a4f 100644 
--- a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml @@ -9,12 +9,12 @@ #################################################################### - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') @@ -30,11 +30,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_certificate_order/tasks/main.yml b/tests/integration/targets/acme_certificate_order/tasks/main.yml index 32f32c5e..272d7667 100644 --- a/tests/integration/targets/acme_certificate_order/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_order/tasks/main.yml @@ -9,10 +9,10 @@ #################################################################### - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') 
@@ -28,9 +28,9 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml index c868f7a4..73eed907 100644 --- a/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml @@ -5,20 +5,21 @@ ## SET UP ACCOUNT KEYS ######################################################################## - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" - type: "{{ item.type }}" - size: "{{ item.size | default(omit) }}" - curve: "{{ item.curve | default(omit) }}" - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" + type: "{{ item.type }}" + size: "{{ item.size | default(omit) }}" + curve: "{{ item.curve | default(omit) }}" + force: true + loop: "{{ account_keys }}" vars: account_keys: - name: account-ec256 type: ECC curve: secp256r1 + ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES #################################################### - name: Obtain cert 1 include_tasks: obtain-cert.yml @@ -37,6 +38,7 @@ remaining_days: "{{ omit }}" terms_agreed: true account_email: "example@example.org" + ## OBTAIN CERTIFICATE INFOS ################################################################### - name: Dump OpenSSL x509 info command: diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml index 35ca6485..13ebdb4e 100644 
--- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml @@ -12,12 +12,12 @@ acme_certificate_profile: "{{ 'default' if acme_supports_profiles else omit }}" block: - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') @@ -33,11 +33,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml index 4d777af1..e7d6bd3c 100644 --- a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml +++ b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml 
@@ -5,14 +5,14 @@ ## SET UP ACCOUNT KEYS ######################################################################## - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" - type: "{{ item.type }}" - size: "{{ item.size | default(omit) }}" - curve: "{{ item.curve | default(omit) }}" - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" + type: "{{ item.type }}" + size: "{{ item.size | default(omit) }}" + curve: "{{ item.curve | default(omit) }}" + force: true + loop: "{{ account_keys }}" vars: account_keys: @@ -25,6 +25,7 @@ - name: account-rsa type: RSA size: "{{ default_rsa_key_size }}" + ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES #################################################### - name: Read account key (EC256) slurp: @@ -80,6 +81,7 @@ remaining_days: 10 terms_agreed: true account_email: "example@example.org" + ## REVOKE CERTIFICATES ######################################################################## - name: Revoke certificate 1 via account key acme_certificate_revoke: diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/main.yml b/tests/integration/targets/acme_certificate_revoke/tasks/main.yml index 68d47973..ae702a4f 100644 --- a/tests/integration/targets/acme_certificate_revoke/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_revoke/tasks/main.yml @@ -9,12 +9,12 @@ #################################################################### - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') 
@@ -30,11 +30,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml index 12f3f23d..68b49314 100644 --- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml +++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml 
@@ -9,30 +9,30 @@ #################################################################### - block: - - name: Generate ECC256 account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/account-ec256.pem" - type: ECC - curve: secp256r1 - force: true - - name: Obtain cert 1 - include_tasks: obtain-cert.yml - vars: - select_crypto_backend: auto - certgen_title: Certificate 1 - certificate_name: cert-1 - key_type: rsa - rsa_bits: "{{ default_rsa_key_size_certificates }}" - subject_alt_name: "DNS:example.com" - subject_alt_name_critical: false - account_key: account-ec256 - challenge: tls-alpn-01 - challenge_alpn_tls: acme_challenge_cert_helper - modify_account: true - deactivate_authzs: false - force: false - remaining_days: 10 - terms_agreed: true - account_email: "example@example.org" + - name: Generate ECC256 account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/account-ec256.pem" + type: ECC + curve: secp256r1 + force: true + - name: Obtain cert 1 + include_tasks: obtain-cert.yml + vars: + select_crypto_backend: auto + certgen_title: Certificate 1 + certificate_name: cert-1 + key_type: rsa + rsa_bits: "{{ default_rsa_key_size_certificates }}" + subject_alt_name: "DNS:example.com" + subject_alt_name_critical: false + account_key: account-ec256 + challenge: tls-alpn-01 + challenge_alpn_tls: acme_challenge_cert_helper + modify_account: true + deactivate_authzs: false + force: false + remaining_days: 10 + terms_agreed: true + account_email: "example@example.org" when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_inspect/tasks/impl.yml b/tests/integration/targets/acme_inspect/tasks/impl.yml index feede906..79b53dd8 100644 --- a/tests/integration/targets/acme_inspect/tasks/impl.yml +++ b/tests/integration/targets/acme_inspect/tasks/impl.yml 
@@ -4,19 +4,19 @@ # SPDX-License-Identifier: GPL-3.0-or-later - block: - - name: Generate account keys - openssl_privatekey: - path: "{{ remote_tmp_dir }}/{{ item }}.pem" - type: ECC - curve: secp256r1 - force: true - loop: "{{ account_keys }}" + - name: Generate account keys + openssl_privatekey: + path: "{{ remote_tmp_dir }}/{{ item }}.pem" + type: ECC + curve: secp256r1 + force: true + loop: "{{ account_keys }}" - - name: Parse account keys (to ease debugging some test failures) - openssl_privatekey_info: - path: "{{ remote_tmp_dir }}/{{ item }}.pem" - return_private_key_data: true - loop: "{{ account_keys }}" + - name: Parse account keys (to ease debugging some test failures) + openssl_privatekey_info: + path: "{{ remote_tmp_dir }}/{{ item }}.pem" + return_private_key_data: true + loop: "{{ account_keys }}" vars: account_keys: @@ -76,7 +76,7 @@ # For valid values, see # https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3 contact: - - mailto:me@example.com + - mailto:me@example.com register: account_update - debug: var=account_update @@ -97,10 +97,10 @@ # https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4 and # https://www.rfc-editor.org/rfc/rfc8738.html identifiers: - - type: dns - value: example.com - - type: dns - value: example.org + - type: dns + value: example.com + - type: dns + value: example.org register: new_order - debug: var=new_order diff --git a/tests/integration/targets/acme_inspect/tasks/main.yml b/tests/integration/targets/acme_inspect/tasks/main.yml index 68d47973..ae702a4f 100644 --- a/tests/integration/targets/acme_inspect/tasks/main.yml +++ b/tests/integration/targets/acme_inspect/tasks/main.yml 
@@ -9,12 +9,12 @@ #################################################################### - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys when: openssl_version.stdout is version('1.0.0', '>=') @@ -30,11 +30,11 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/acme_inspect/tests/validate.yml b/tests/integration/targets/acme_inspect/tests/validate.yml index 967ca3d6..b3519233 100644 --- a/tests/integration/targets/acme_inspect/tests/validate.yml +++ b/tests/integration/targets/acme_inspect/tests/validate.yml 
@@ -6,130 +6,130 @@ - name: Check directory output assert: that: - - directory is not changed - - "'directory' in directory" - - "'newAccount' in directory.directory" - - "'newOrder' in directory.directory" - - "'newNonce' in directory.directory" - - "'headers' not in directory" - - "'output_text' not in directory" - - "'output_json' not in directory" + - directory is not changed + - "'directory' in directory" + - "'newAccount' in directory.directory" + - "'newOrder' in directory.directory" + - "'newNonce' in directory.directory" + - "'headers' not in directory" + - "'output_text' not in directory" + - "'output_json' not in directory" - name: Check account creation output assert: that: - - account_creation is changed - - "'directory' in account_creation" - - "'headers' in account_creation" - - "'output_text' in account_creation" - - "'output_json' in account_creation" - - account_creation.headers.status == 201 - - "'location' in account_creation.headers" - - account_creation.output_json.status == 'valid' - - not (account_creation.output_json.contact | default([])) - - account_creation.output_text | from_json == account_creation.output_json + - account_creation is changed + - "'directory' in account_creation" + - "'headers' in account_creation" + - "'output_text' in account_creation" + - "'output_json' in account_creation" + - account_creation.headers.status == 201 + - "'location' in account_creation.headers" + - account_creation.output_json.status == 'valid' + - not (account_creation.output_json.contact | default([])) + - account_creation.output_text | from_json == account_creation.output_json - name: Check account get output assert: that: - - account_get is not changed - - "'directory' in account_get" - - "'headers' in account_get" - - "'output_text' in account_get" - - "'output_json' in account_get" - - account_get.headers.status == 200 - - account_get.output_json == account_creation.output_json + - account_get is not changed + - "'directory' in account_get" + - 
"'headers' in account_get" + - "'output_text' in account_get" + - "'output_json' in account_get" + - account_get.headers.status == 200 + - account_get.output_json == account_creation.output_json - name: Check account update output assert: that: - - account_update is changed - - "'directory' in account_update" - - "'headers' in account_update" - - "'output_text' in account_update" - - "'output_json' in account_update" - - account_update.output_json.status == 'valid' - - account_update.output_json.contact | length == 1 - - account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com'] + - account_update is changed + - "'directory' in account_update" + - "'headers' in account_update" + - "'output_text' in account_update" + - "'output_json' in account_update" + - account_update.output_json.status == 'valid' + - account_update.output_json.contact | length == 1 + - account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com'] - name: Check certificate request output assert: that: - - new_order is changed - - "'directory' in new_order" - - "'headers' in new_order" - - "'output_text' in new_order" - - "'output_json' in new_order" - - new_order.output_json.authorizations | length == 2 - - new_order.output_json.identifiers | length == 2 - - new_order.output_json.status == 'pending' - - "'finalize' in new_order.output_json" + - new_order is changed + - "'directory' in new_order" + - "'headers' in new_order" + - "'output_text' in new_order" + - "'output_json' in new_order" + - new_order.output_json.authorizations | length == 2 + - new_order.output_json.identifiers | length == 2 + - new_order.output_json.status == 'pending' + - "'finalize' in new_order.output_json" - name: Check get order output assert: that: - - order is not changed - - "'directory' in order" - - "'headers' in order" - - "'output_text' in order" - - "'output_json' in order" - # The order of identifiers and authorizations is randomized! 
- # - new_order.output_json == order.output_json + - order is not changed + - "'directory' in order" + - "'headers' in order" + - "'output_text' in order" + - "'output_json' in order" + # The order of identifiers and authorizations is randomized! + # - new_order.output_json == order.output_json - name: Check get authz output assert: that: - - item is not changed - - "'directory' in item" - - "'headers' in item" - - "'output_text' in item" - - "'output_json' in item" - - item.output_json.challenges | length >= 3 - - item.output_json.identifier.type == 'dns' - - item.output_json.status == 'pending' + - item is not changed + - "'directory' in item" + - "'headers' in item" + - "'output_text' in item" + - "'output_json' in item" + - item.output_json.challenges | length >= 3 + - item.output_json.identifier.type == 'dns' + - item.output_json.status == 'pending' loop: "{{ authz.results }}" - name: Check get challenge output assert: that: - - item is not changed - - "'directory' in item" - - "'headers' in item" - - "'output_text' in item" - - "'output_json' in item" - - item.output_json.status == 'pending' - - item.output_json.type == 'http-01' - - item.output_json.url == item.invocation.module_args.url - - "'token' in item.output_json" + - item is not changed + - "'directory' in item" + - "'headers' in item" + - "'output_text' in item" + - "'output_json' in item" + - item.output_json.status == 'pending' + - item.output_json.type == 'http-01' + - item.output_json.url == item.invocation.module_args.url + - "'token' in item.output_json" loop: "{{ http01challenge.results }}" - name: Check challenge activation output assert: that: - - item is changed - - "'directory' in item" - - "'headers' in item" - - "'output_text' in item" - - "'output_json' in item" - - item.output_json.status in ['pending', 'processing'] - - item.output_json.type == 'http-01' - - item.output_json.url == item.invocation.module_args.url - - "'token' in item.output_json" + - item is changed + - "'directory' 
in item" + - "'headers' in item" + - "'output_text' in item" + - "'output_json' in item" + - item.output_json.status in ['pending', 'processing'] + - item.output_json.type == 'http-01' + - item.output_json.url == item.invocation.module_args.url + - "'token' in item.output_json" loop: "{{ activation.results }}" - name: Check validation result assert: that: - - item is not changed - - "'directory' in item" - - "'headers' in item" - - "'output_text' in item" - - "'output_json' in item" - - item.output_json.status == 'invalid' - - item.output_json.type == 'http-01' - - item.output_json.url == item.invocation.module_args.url - - "'token' in item.output_json" - - "'validated' in item.output_json" - - "'error' in item.output_json" - - item.output_json.error.type == 'urn:ietf:params:acme:error:unauthorized' + - item is not changed + - "'directory' in item" + - "'headers' in item" + - "'output_text' in item" + - "'output_json' in item" + - item.output_json.status == 'invalid' + - item.output_json.type == 'http-01' + - item.output_json.url == item.invocation.module_args.url + - "'token' in item.output_json" + - "'validated' in item.output_json" + - "'error' in item.output_json" + - item.output_json.error.type == 'urn:ietf:params:acme:error:unauthorized' loop: "{{ validation_result.results }}" diff --git a/tests/integration/targets/certificate_complete_chain/tasks/create.yml b/tests/integration/targets/certificate_complete_chain/tasks/create.yml index 8b110d0d..5f41aca5 100644 --- a/tests/integration/targets/certificate_complete_chain/tasks/create.yml +++ b/tests/integration/targets/certificate_complete_chain/tasks/create.yml 
@@ -9,31 +9,31 @@ #################################################################### - block: - - name: Create private keys - openssl_privatekey: - path: '{{ remote_tmp_dir }}/{{ item.name }}.key' - size: '{{ default_rsa_key_size_certificates }}' - loop: '{{ certificates }}' + - name: Create private keys + openssl_privatekey: + path: '{{ remote_tmp_dir }}/{{ item.name }}.key' + size: '{{ default_rsa_key_size_certificates }}' + loop: '{{ certificates }}' - - name: Generate certificates - include_tasks: create-single-certificate.yml - loop: '{{ certificates }}' - loop_control: - loop_var: certificate + - name: Generate certificates + include_tasks: create-single-certificate.yml + loop: '{{ certificates }}' + loop_control: + loop_var: certificate - - name: Read certificates - slurp: - src: '{{ remote_tmp_dir }}/{{ item.name }}.pem' - loop: '{{ certificates }}' - register: certificates_read + - name: Read certificates + slurp: + src: '{{ remote_tmp_dir }}/{{ item.name }}.pem' + loop: '{{ certificates }}' + register: certificates_read - - name: Store read certificates - set_fact: - read_certificates: >- - {{ certificates_read.results | map(attribute='content') | map('b64decode') - | zip(certificates | map(attribute='name')) - | list - | items2dict(key_name=1, value_name=0) }} + - name: Store read certificates + set_fact: + read_certificates: >- + {{ certificates_read.results | map(attribute='content') | map('b64decode') + | zip(certificates | map(attribute='name')) + | list + | items2dict(key_name=1, value_name=0) }} vars: certificates: diff --git a/tests/integration/targets/certificate_complete_chain/tasks/created.yml b/tests/integration/targets/certificate_complete_chain/tasks/created.yml index bbd86c6a..373b8b92 100644 --- a/tests/integration/targets/certificate_complete_chain/tasks/created.yml +++ b/tests/integration/targets/certificate_complete_chain/tasks/created.yml 
@@ -12,9 +12,9 @@ certificate_complete_chain: input_chain: "{{ read_certificates['d-leaf'] }}" intermediate_certificates: - - '{{ remote_tmp_dir }}/b-intermediate.pem' + - '{{ remote_tmp_dir }}/b-intermediate.pem' root_certificates: - - '{{ remote_tmp_dir }}/a-root.pem' + - '{{ remote_tmp_dir }}/a-root.pem' - name: Case B => doesn't work, but this is expected failed_when: false @@ -22,9 +22,9 @@ certificate_complete_chain: input_chain: "{{ read_certificates['d-leaf'] }}" intermediate_certificates: - - '{{ remote_tmp_dir }}/c-intermediate.pem' + - '{{ remote_tmp_dir }}/c-intermediate.pem' root_certificates: - - '{{ remote_tmp_dir }}/a-root.pem' + - '{{ remote_tmp_dir }}/a-root.pem' - name: Assert that case B failed assert: @@ -34,16 +34,16 @@ certificate_complete_chain: input_chain: "{{ read_certificates['d-leaf'] }}" intermediate_certificates: - - '{{ remote_tmp_dir }}/c-intermediate.pem' - - '{{ remote_tmp_dir }}/b-intermediate.pem' + - '{{ remote_tmp_dir }}/c-intermediate.pem' + - '{{ remote_tmp_dir }}/b-intermediate.pem' root_certificates: - - '{{ remote_tmp_dir }}/a-root.pem' + - '{{ remote_tmp_dir }}/a-root.pem' - name: Case D => works as well after PR 403 certificate_complete_chain: input_chain: "{{ read_certificates['d-leaf'] }}" intermediate_certificates: - - '{{ remote_tmp_dir }}/b-intermediate.pem' - - '{{ remote_tmp_dir }}/c-intermediate.pem' + - '{{ remote_tmp_dir }}/b-intermediate.pem' + - '{{ remote_tmp_dir }}/c-intermediate.pem' root_certificates: - - '{{ remote_tmp_dir }}/a-root.pem' + - '{{ remote_tmp_dir }}/a-root.pem' diff --git a/tests/integration/targets/certificate_complete_chain/tasks/existing.yml b/tests/integration/targets/certificate_complete_chain/tasks/existing.yml index 88200f4b..03effefb 100644 --- a/tests/integration/targets/certificate_complete_chain/tasks/existing.yml +++ b/tests/integration/targets/certificate_complete_chain/tasks/existing.yml 
@@ -9,110 +9,110 @@ #################################################################### - block: - - name: Find root for cert 1 using directory - certificate_complete_chain: - input_chain: '{{ fullchain | trim }}' - root_certificates: - - '{{ remote_tmp_dir }}/files/roots/' - register: cert1_root - - name: Verify root for cert 1 - assert: - that: - - cert1_root.complete_chain | join('') == (fullchain ~ root) - - cert1_root.root == root + - name: Find root for cert 1 using directory + certificate_complete_chain: + input_chain: '{{ fullchain | trim }}' + root_certificates: + - '{{ remote_tmp_dir }}/files/roots/' + register: cert1_root + - name: Verify root for cert 1 + assert: + that: + - cert1_root.complete_chain | join('') == (fullchain ~ root) + - cert1_root.root == root vars: fullchain: "{{ lookup('file', 'cert1-fullchain.pem', rstrip=False) }}" root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}" - block: - - name: Find rootchain for cert 1 using intermediate and root PEM - certificate_complete_chain: - input_chain: '{{ cert }}' - intermediate_certificates: - - '{{ remote_tmp_dir }}/files/cert1-chain.pem' - root_certificates: - - '{{ remote_tmp_dir }}/files/roots.pem' - register: cert1_rootchain - - name: Verify rootchain for cert 1 - assert: - that: - - cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root) - - cert1_rootchain.chain[:-1] | join('') == chain - - cert1_rootchain.root == root + - name: Find rootchain for cert 1 using intermediate and root PEM + certificate_complete_chain: + input_chain: '{{ cert }}' + intermediate_certificates: + - '{{ remote_tmp_dir }}/files/cert1-chain.pem' + root_certificates: + - '{{ remote_tmp_dir }}/files/roots.pem' + register: cert1_rootchain + - name: Verify rootchain for cert 1 + assert: + that: + - cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root) + - cert1_rootchain.chain[:-1] | join('') == chain + - cert1_rootchain.root == root vars: cert: "{{ lookup('file', 'cert1.pem', 
rstrip=False) }}" chain: "{{ lookup('file', 'cert1-chain.pem', rstrip=False) }}" root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}" - block: - - name: Find root for cert 2 using directory - certificate_complete_chain: - input_chain: "{{ fullchain | trim }}" - root_certificates: - - '{{ remote_tmp_dir }}/files/roots/' - register: cert2_root - - name: Verify root for cert 2 - assert: - that: - - cert2_root.complete_chain | join('') == (fullchain ~ root) - - cert2_root.root == root + - name: Find root for cert 2 using directory + certificate_complete_chain: + input_chain: "{{ fullchain | trim }}" + root_certificates: + - '{{ remote_tmp_dir }}/files/roots/' + register: cert2_root + - name: Verify root for cert 2 + assert: + that: + - cert2_root.complete_chain | join('') == (fullchain ~ root) + - cert2_root.root == root vars: fullchain: "{{ lookup('file', 'cert2-fullchain.pem', rstrip=False) }}" root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}" - block: - - name: Find rootchain for cert 2 using intermediate and root PEM - certificate_complete_chain: - input_chain: '{{ cert }}' - intermediate_certificates: - - '{{ remote_tmp_dir }}/files/cert2-chain.pem' - root_certificates: - - '{{ remote_tmp_dir }}/files/roots.pem' - register: cert2_rootchain - - name: Verify rootchain for cert 2 - assert: - that: - - cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root) - - cert2_rootchain.chain[:-1] | join('') == chain - - cert2_rootchain.root == root + - name: Find rootchain for cert 2 using intermediate and root PEM + certificate_complete_chain: + input_chain: '{{ cert }}' + intermediate_certificates: + - '{{ remote_tmp_dir }}/files/cert2-chain.pem' + root_certificates: + - '{{ remote_tmp_dir }}/files/roots.pem' + register: cert2_rootchain + - name: Verify rootchain for cert 2 + assert: + that: + - cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root) + - cert2_rootchain.chain[:-1] | join('') == chain + - cert2_rootchain.root == root 
vars: cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}" chain: "{{ lookup('file', 'cert2-chain.pem', rstrip=False) }}" root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}" - block: - - name: Find alternate rootchain for cert 2 using intermediate and root PEM - certificate_complete_chain: - input_chain: '{{ cert }}' - intermediate_certificates: - - '{{ remote_tmp_dir }}/files/cert2-altchain.pem' - root_certificates: - - '{{ remote_tmp_dir }}/files/roots.pem' - register: cert2_rootchain_alt - - name: Verify rootchain for cert 2 - assert: - that: - - cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root) - - cert2_rootchain_alt.chain[:-1] | join('') == chain - - cert2_rootchain_alt.root == root + - name: Find alternate rootchain for cert 2 using intermediate and root PEM + certificate_complete_chain: + input_chain: '{{ cert }}' + intermediate_certificates: + - '{{ remote_tmp_dir }}/files/cert2-altchain.pem' + root_certificates: + - '{{ remote_tmp_dir }}/files/roots.pem' + register: cert2_rootchain_alt + - name: Verify rootchain for cert 2 + assert: + that: + - cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root) + - cert2_rootchain_alt.chain[:-1] | join('') == chain + - cert2_rootchain_alt.root == root vars: cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}" chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}" root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}" - block: - - name: Find alternate rootchain for cert 2 when complete chain is already presented to the module - certificate_complete_chain: - input_chain: '{{ cert ~ chain ~ root }}' - root_certificates: - - '{{ remote_tmp_dir }}/files/roots.pem' - register: cert2_complete_chain - - name: Verify rootchain for cert 2 - assert: - that: - - cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root) - - cert2_complete_chain.chain == [] - - cert2_complete_chain.root == root + - name: Find alternate rootchain for cert 2 when 
complete chain is already presented to the module + certificate_complete_chain: + input_chain: '{{ cert ~ chain ~ root }}' + root_certificates: + - '{{ remote_tmp_dir }}/files/roots.pem' + register: cert2_complete_chain + - name: Verify rootchain for cert 2 + assert: + that: + - cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root) + - cert2_complete_chain.chain == [] + - cert2_complete_chain.root == root vars: cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}" chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}" @@ -122,28 +122,28 @@ certificate_complete_chain: input_chain: '{{ lookup("file", "cert2.pem", rstrip=true) }}' intermediate_certificates: - - '{{ remote_tmp_dir }}/files/cert1-chain.pem' + - '{{ remote_tmp_dir }}/files/cert1-chain.pem' root_certificates: - - '{{ remote_tmp_dir }}/files/roots.pem' + - '{{ remote_tmp_dir }}/files/roots.pem' register: cert2_no_intermediate ignore_errors: true - name: Verify failure assert: that: - - cert2_no_intermediate is failed - - "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')" + - cert2_no_intermediate is failed + - "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')" - name: Check failure when infinite loop is found certificate_complete_chain: input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=true) }}' intermediate_certificates: - - '{{ remote_tmp_dir }}/files/roots.pem' + - '{{ remote_tmp_dir }}/files/roots.pem' root_certificates: - - '{{ remote_tmp_dir }}/files/cert2-chain.pem' + - '{{ remote_tmp_dir }}/files/cert2-chain.pem' register: cert2_infinite_loop ignore_errors: true - name: Verify failure assert: that: - - cert2_infinite_loop is failed - - "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'" + - cert2_infinite_loop is failed + - "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'" 
diff --git a/tests/integration/targets/certificate_complete_chain/tasks/main.yml b/tests/integration/targets/certificate_complete_chain/tasks/main.yml index fbb8553d..f3d9eaff 100644 --- a/tests/integration/targets/certificate_complete_chain/tasks/main.yml +++ b/tests/integration/targets/certificate_complete_chain/tasks/main.yml @@ -10,23 +10,23 @@ - block: - - name: Make sure testhost directory exists - file: - path: '{{ remote_tmp_dir }}/files/' - state: directory - when: ansible_version.string is version('2.10', '<') - - name: Copy test files to testhost - copy: - src: '{{ role_path }}/files/' - dest: '{{ remote_tmp_dir }}/files/' + - name: Make sure testhost directory exists + file: + path: '{{ remote_tmp_dir }}/files/' + state: directory + when: ansible_version.string is version('2.10', '<') + - name: Copy test files to testhost + copy: + src: '{{ role_path }}/files/' + dest: '{{ remote_tmp_dir }}/files/' - - name: Run tests with copied certificates - import_tasks: existing.yml + - name: Run tests with copied certificates + import_tasks: existing.yml - - name: Create more certificates - import_tasks: create.yml + - name: Create more certificates + import_tasks: create.yml - - name: Run tests with created certificates - import_tasks: created.yml + - name: Run tests with created certificates + import_tasks: created.yml when: cryptography_version.stdout is version('1.5', '>=') diff --git a/tests/integration/targets/ecs_certificate/tasks/main.yml b/tests/integration/targets/ecs_certificate/tasks/main.yml index 4d51f2ff..54cd3f62 100644 --- a/tests/integration/targets/ecs_certificate/tasks/main.yml +++ b/tests/integration/targets/ecs_certificate/tasks/main.yml 
@@ -9,16 +9,15 @@ #################################################################### ## Verify that integration_config was specified -- block: - - assert: - that: - - entrust_api_user is defined - - entrust_api_key is defined - - entrust_api_ip_address is defined - - entrust_cloud_ip_address is defined - - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined - - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents - - cacerts_bundle_path_local is defined +- assert: + that: + - entrust_api_user is defined + - entrust_api_key is defined + - entrust_api_ip_address is defined + - entrust_cloud_ip_address is defined + - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined + - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents + - cacerts_bundle_path_local is defined ## SET UP TEST ENVIRONMENT ######################################################################## - name: copy the files needed for verifying test server certificate to the host 
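Review bot: The second-to-last condition in the hoisted assert, `entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents`, is missing the `is defined` test on its second operand, unlike the client-cert line directly above it. If neither variable is supplied, the conditional evaluates a bare undefined name and the task errors out on the undefined variable instead of failing the assertion, and if only `entrust_api_client_cert_key_contents` is set the check is a truthiness test rather than a presence test, so the two guards do not behave the same way. Since the commit already rewrites this block, it is the right moment to align the line with its sibling: `- entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents is defined`.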
@@ -84,137 +83,137 @@ digest: sha256 - block: - - name: Have ECS generate a signed certificate - ecs_certificate: - backup: true - path: '{{ example1_cert_path }}' - full_chain_path: '{{ example1_chain_path }}' - csr: '{{ csr_path }}' - cert_type: '{{ example1_cert_type }}' - requester_name: '{{ entrust_requester_name }}' - requester_email: '{{ entrust_requester_email }}' - requester_phone: '{{ entrust_requester_phone }}' - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: example1_result + - name: Have ECS generate a signed certificate + ecs_certificate: + backup: true + path: '{{ example1_cert_path }}' + full_chain_path: '{{ example1_chain_path }}' + csr: '{{ csr_path }}' + cert_type: '{{ example1_cert_type }}' + requester_name: '{{ entrust_requester_name }}' + requester_email: '{{ entrust_requester_email }}' + requester_phone: '{{ entrust_requester_phone }}' + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: example1_result - - assert: - that: - - example1_result is not failed - - example1_result.changed - - example1_result.tracking_id > 0 - - example1_result.serial_number is string + - assert: + that: + - example1_result is not failed + - example1_result.changed + - example1_result.tracking_id > 0 + - example1_result.serial_number is string - # Internal CA refuses to issue certificates with the same DN in a short time frame - - name: Sleep for 5 seconds so we don't run into duplicate-request errors - pause: - seconds: 5 + # Internal CA refuses to issue certificates with the same DN in a short time frame + - name: Sleep for 5 seconds so we don't run into duplicate-request errors + pause: + seconds: 5 - - name: Attempt to have 
ECS generate a signed certificate, but existing one is valid - ecs_certificate: - backup: true - path: '{{ example1_cert_path }}' - full_chain_path: '{{ example1_chain_path }}' - csr: '{{ csr_path }}' - cert_type: '{{ example1_cert_type }}' - requester_name: '{{ entrust_requester_name }}' - requester_email: '{{ entrust_requester_email }}' - requester_phone: '{{ entrust_requester_phone }}' - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: example2_result + - name: Attempt to have ECS generate a signed certificate, but existing one is valid + ecs_certificate: + backup: true + path: '{{ example1_cert_path }}' + full_chain_path: '{{ example1_chain_path }}' + csr: '{{ csr_path }}' + cert_type: '{{ example1_cert_type }}' + requester_name: '{{ entrust_requester_name }}' + requester_email: '{{ entrust_requester_email }}' + requester_phone: '{{ entrust_requester_phone }}' + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: example2_result - - assert: - that: - - example2_result is not failed - - not example2_result.changed - - example2_result.backup_file is undefined - - example2_result.backup_full_chain_file is undefined - - example2_result.serial_number == example1_result.serial_number - - example2_result.tracking_id == example1_result.tracking_id + - assert: + that: + - example2_result is not failed + - not example2_result.changed + - example2_result.backup_file is undefined + - example2_result.backup_full_chain_file is undefined + - example2_result.serial_number == example1_result.serial_number + - example2_result.tracking_id == example1_result.tracking_id - # Internal CA refuses to issue certificates with the same DN in a short time 
frame - - name: Sleep for 5 seconds so we don't run into duplicate-request errors - pause: - seconds: 5 + # Internal CA refuses to issue certificates with the same DN in a short time frame + - name: Sleep for 5 seconds so we don't run into duplicate-request errors + pause: + seconds: 5 - - name: Force a reissue with no CSR, verify that contents changed - ecs_certificate: - backup: true - force: true - path: '{{ example1_cert_path }}' - full_chain_path: '{{ example1_chain_path }}' - cert_type: '{{ example1_cert_type }}' - request_type: reissue - requester_name: '{{ entrust_requester_name }}' - requester_email: '{{ entrust_requester_email }}' - requester_phone: '{{ entrust_requester_phone }}' - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: example3_result + - name: Force a reissue with no CSR, verify that contents changed + ecs_certificate: + backup: true + force: true + path: '{{ example1_cert_path }}' + full_chain_path: '{{ example1_chain_path }}' + cert_type: '{{ example1_cert_type }}' + request_type: reissue + requester_name: '{{ entrust_requester_name }}' + requester_email: '{{ entrust_requester_email }}' + requester_phone: '{{ entrust_requester_phone }}' + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: example3_result - - assert: - that: - - example3_result is not failed - - example3_result.changed - - example3_result.backup_file is string - - example3_result.backup_full_chain_file is string - - example3_result.tracking_id > 0 - - example3_result.tracking_id != example1_result.tracking_id - - example3_result.serial_number != example1_result.serial_number + - assert: + that: + - example3_result is not failed + - 
example3_result.changed + - example3_result.backup_file is string + - example3_result.backup_full_chain_file is string + - example3_result.tracking_id > 0 + - example3_result.tracking_id != example1_result.tracking_id + - example3_result.serial_number != example1_result.serial_number - # Internal CA refuses to issue certificates with the same DN in a short time frame - - name: Sleep for 5 seconds so we don't run into duplicate-request errors - pause: - seconds: 5 + # Internal CA refuses to issue certificates with the same DN in a short time frame + - name: Sleep for 5 seconds so we don't run into duplicate-request errors + pause: + seconds: 5 - - name: Test a request with all of the various optional possible fields populated - ecs_certificate: - path: '{{ example4_cert_path }}' - full_chain_path: '{{ example4_full_chain_path }}' - csr: '{{ csr_path }}' - subject_alt_name: '{{ example4_subject_alt_name }}' - eku: '{{ example4_eku }}' - ct_log: true - cert_type: '{{ example4_cert_type }}' - org: '{{ example4_org }}' - ou: '{{ example4_ou }}' - tracking_info: '{{ example4_tracking_info }}' - additional_emails: '{{ example4_additional_emails }}' - custom_fields: '{{ example4_custom_fields }}' - cert_expiry: '{{ example4_cert_expiry }}' - requester_name: '{{ entrust_requester_name }}' - requester_email: '{{ entrust_requester_email }}' - requester_phone: '{{ entrust_requester_phone }}' - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: example4_result + - name: Test a request with all of the various optional possible fields populated + ecs_certificate: + path: '{{ example4_cert_path }}' + full_chain_path: '{{ example4_full_chain_path }}' + csr: '{{ csr_path }}' + subject_alt_name: '{{ example4_subject_alt_name }}' + eku: '{{ example4_eku }}' + ct_log: true + cert_type: '{{ example4_cert_type }}' + org: 
'{{ example4_org }}' + ou: '{{ example4_ou }}' + tracking_info: '{{ example4_tracking_info }}' + additional_emails: '{{ example4_additional_emails }}' + custom_fields: '{{ example4_custom_fields }}' + cert_expiry: '{{ example4_cert_expiry }}' + requester_name: '{{ entrust_requester_name }}' + requester_email: '{{ entrust_requester_email }}' + requester_phone: '{{ entrust_requester_phone }}' + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: example4_result - - assert: - that: - - example4_result is not failed - - example4_result.changed - - example4_result.backup_file is undefined - - example4_result.backup_full_chain_file is undefined - - example4_result.tracking_id > 0 - - example4_result.serial_number is string + - assert: + that: + - example4_result is not failed + - example4_result.changed + - example4_result.backup_file is undefined + - example4_result.backup_full_chain_file is undefined + - example4_result.tracking_id > 0 + - example4_result.serial_number is string - # For bug 61738, verify that the full chain is valid - - name: Verify that the full chain path can be successfully imported - command: '{{ openssl_binary }} verify "{{ example4_full_chain_path }}"' - register: openssl_result + # For bug 61738, verify that the full chain is valid + - name: Verify that the full chain path can be successfully imported + command: '{{ openssl_binary }} verify "{{ example4_full_chain_path }}"' + register: openssl_result - - assert: - that: - - "' OK' in openssl_result.stdout_lines[0]" + - assert: + that: + - "' OK' in openssl_result.stdout_lines[0]" always: - name: clean-up temporary folder diff --git a/tests/integration/targets/ecs_domain/tasks/main.yml b/tests/integration/targets/ecs_domain/tasks/main.yml index f1191098..5ff84189 100644 --- a/tests/integration/targets/ecs_domain/tasks/main.yml 
+++ b/tests/integration/targets/ecs_domain/tasks/main.yml @@ -9,16 +9,15 @@ #################################################################### ## Verify that integration_config was specified -- block: - - assert: - that: - - entrust_api_user is defined - - entrust_api_key is defined - - entrust_api_ip_address is defined - - entrust_cloud_ip_address is defined - - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined - - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents - - cacerts_bundle_path_local is defined +- assert: + that: + - entrust_api_user is defined + - entrust_api_key is defined + - entrust_api_ip_address is defined + - entrust_cloud_ip_address is defined + - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined + - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents + - cacerts_bundle_path_local is defined ## SET UP TEST ENVIRONMENT ######################################################################## - name: copy the files needed for verifying test server certificate to the host 
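Review bot: The hoisted precondition assert keeps `entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents` without an `is defined` on the second operand, so it does not mirror the cert-path line just above it. With both variables unset the conditional trips over the undefined name rather than producing an assertion failure, and with only `entrust_api_client_cert_key_contents` set the check becomes a truthiness test rather than a presence test. Suggest `- entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents is defined` while this block is being touched anyway.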
@@ -64,213 +63,212 @@ dest: '{{ entrust_api_cert_key }}' - block: - - name: Have ECS request a domain validation via dns - ecs_domain: - domain_name: dns.{{ common_name }} - verification_method: dns - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: dns_result + - name: Have ECS request a domain validation via dns + ecs_domain: + domain_name: dns.{{ common_name }} + verification_method: dns + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: dns_result - - assert: - that: - - dns_result is not failed - - dns_result.changed - - dns_result.domain_status == 'INITIAL_VERIFICATION' - - dns_result.verification_method == 'dns' - - dns_result.dns_location is string - - dns_result.dns_contents is string - - dns_result.dns_resource_type is string - - dns_result.file_location is undefined - - dns_result.file_contents is undefined - - dns_result.emails is undefined + - assert: + that: + - dns_result is not failed + - dns_result.changed + - dns_result.domain_status == 'INITIAL_VERIFICATION' + - dns_result.verification_method == 'dns' + - dns_result.dns_location is string + - dns_result.dns_contents is string + - dns_result.dns_resource_type is string + - dns_result.file_location is undefined + - dns_result.file_contents is undefined + - dns_result.emails is undefined - - name: Have ECS request a domain validation via web_server - ecs_domain: - domain_name: FILE.{{ common_name }} - verification_method: web_server - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: file_result + 
- name: Have ECS request a domain validation via web_server + ecs_domain: + domain_name: FILE.{{ common_name }} + verification_method: web_server + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: file_result - - assert: - that: - - file_result is not failed - - file_result.changed - - file_result.domain_status == 'INITIAL_VERIFICATION' - - file_result.verification_method == 'web_server' - - file_result.dns_location is undefined - - file_result.dns_contents is undefined - - file_result.dns_resource_type is undefined - - file_result.file_location is string - - file_result.file_contents is string - - file_result.emails is undefined + - assert: + that: + - file_result is not failed + - file_result.changed + - file_result.domain_status == 'INITIAL_VERIFICATION' + - file_result.verification_method == 'web_server' + - file_result.dns_location is undefined + - file_result.dns_contents is undefined + - file_result.dns_resource_type is undefined + - file_result.file_location is string + - file_result.file_contents is string + - file_result.emails is undefined - - name: Have ECS request a domain validation via email - ecs_domain: - domain_name: email.{{ common_name }} - verification_method: email - verification_email: admin@testcertificates.com - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: email_result + - name: Have ECS request a domain validation via email + ecs_domain: + domain_name: email.{{ common_name }} + verification_method: email + verification_email: admin@testcertificates.com + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + 
entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: email_result - - assert: - that: - - email_result is not failed - - email_result.changed - - email_result.domain_status == 'INITIAL_VERIFICATION' - - email_result.verification_method == 'email' - - email_result.dns_location is undefined - - email_result.dns_contents is undefined - - email_result.dns_resource_type is undefined - - email_result.file_location is undefined - - email_result.file_contents is undefined - - email_result.emails[0] == 'admin@testcertificates.com' + - assert: + that: + - email_result is not failed + - email_result.changed + - email_result.domain_status == 'INITIAL_VERIFICATION' + - email_result.verification_method == 'email' + - email_result.dns_location is undefined + - email_result.dns_contents is undefined + - email_result.dns_resource_type is undefined + - email_result.file_location is undefined + - email_result.file_contents is undefined + - email_result.emails[0] == 'admin@testcertificates.com' - - name: Have ECS request a domain validation via email with no address provided - ecs_domain: - domain_name: email2.{{ common_name }} - verification_method: email - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: email_result2 + - name: Have ECS request a domain validation via email with no address provided + ecs_domain: + domain_name: email2.{{ common_name }} + verification_method: email + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: email_result2 - - assert: - that: - - email_result2 is not failed - - email_result2.changed - - email_result2.domain_status == 'INITIAL_VERIFICATION' - - email_result2.verification_method == 'email' 
- - email_result2.dns_location is undefined - - email_result2.dns_contents is undefined - - email_result2.dns_resource_type is undefined - - email_result2.file_location is undefined - - email_result2.file_contents is undefined - - email_result2.emails is defined + - assert: + that: + - email_result2 is not failed + - email_result2.changed + - email_result2.domain_status == 'INITIAL_VERIFICATION' + - email_result2.verification_method == 'email' + - email_result2.dns_location is undefined + - email_result2.dns_contents is undefined + - email_result2.dns_resource_type is undefined + - email_result2.file_location is undefined + - email_result2.file_contents is undefined + - email_result2.emails is defined - - name: Have ECS request a domain validation via manual - ecs_domain: - domain_name: manual.{{ common_name }} - verification_method: manual - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: manual_result + - name: Have ECS request a domain validation via manual + ecs_domain: + domain_name: manual.{{ common_name }} + verification_method: manual + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: manual_result - - assert: - that: - - manual_result is not failed - - manual_result.changed - - manual_result.domain_status == 'INITIAL_VERIFICATION' - - manual_result.verification_method == 'manual' - - manual_result.dns_location is undefined - - manual_result.dns_contents is undefined - - manual_result.dns_resource_type is undefined - - manual_result.file_location is undefined - - manual_result.file_contents is undefined - - manual_result.emails is undefined + - assert: + that: + - manual_result is not failed + - manual_result.changed + - 
manual_result.domain_status == 'INITIAL_VERIFICATION' + - manual_result.verification_method == 'manual' + - manual_result.dns_location is undefined + - manual_result.dns_contents is undefined + - manual_result.dns_resource_type is undefined + - manual_result.file_location is undefined + - manual_result.file_contents is undefined + - manual_result.emails is undefined - - name: Have ECS request a domain validation via dns that remains unchanged - ecs_domain: - domain_name: dns.{{ common_name }} - verification_method: dns - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: dns_result2 + - name: Have ECS request a domain validation via dns that remains unchanged + ecs_domain: + domain_name: dns.{{ common_name }} + verification_method: dns + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: dns_result2 - - assert: - that: - - dns_result2 is not failed - - not dns_result2.changed - - dns_result2.domain_status == 'INITIAL_VERIFICATION' - - dns_result2.verification_method == 'dns' - - dns_result2.dns_location is string - - dns_result2.dns_contents is string - - dns_result2.dns_resource_type is string - - dns_result2.file_location is undefined - - dns_result2.file_contents is undefined - - dns_result2.emails is undefined + - assert: + that: + - dns_result2 is not failed + - not dns_result2.changed + - dns_result2.domain_status == 'INITIAL_VERIFICATION' + - dns_result2.verification_method == 'dns' + - dns_result2.dns_location is string + - dns_result2.dns_contents is string + - dns_result2.dns_resource_type is string + - dns_result2.file_location is undefined + - dns_result2.file_contents is undefined + - dns_result2.emails is undefined - - 
name: Have ECS request a domain validation via FILE for dns, to change verification method - ecs_domain: - domain_name: dns.{{ common_name }} - verification_method: web_server - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: dns_result_now_file + - name: Have ECS request a domain validation via FILE for dns, to change verification method + ecs_domain: + domain_name: dns.{{ common_name }} + verification_method: web_server + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: dns_result_now_file - - assert: - that: - - dns_result_now_file is not failed - - dns_result_now_file.changed - - dns_result_now_file.domain_status == 'INITIAL_VERIFICATION' - - dns_result_now_file.verification_method == 'web_server' - - dns_result_now_file.dns_location is undefined - - dns_result_now_file.dns_contents is undefined - - dns_result_now_file.dns_resource_type is undefined - - dns_result_now_file.file_location is string - - dns_result_now_file.file_contents is string - - dns_result_now_file.emails is undefined + - assert: + that: + - dns_result_now_file is not failed + - dns_result_now_file.changed + - dns_result_now_file.domain_status == 'INITIAL_VERIFICATION' + - dns_result_now_file.verification_method == 'web_server' + - dns_result_now_file.dns_location is undefined + - dns_result_now_file.dns_contents is undefined + - dns_result_now_file.dns_resource_type is undefined + - dns_result_now_file.file_location is string + - dns_result_now_file.file_contents is string + - dns_result_now_file.emails is undefined - - name: Request revalidation of an approved domain - ecs_domain: - domain_name: '{{ existing_domain_common_name }}' - verification_method: 
manual - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: manual_existing_domain + - name: Request revalidation of an approved domain + ecs_domain: + domain_name: '{{ existing_domain_common_name }}' + verification_method: manual + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: manual_existing_domain - - assert: - that: - - manual_existing_domain is not failed - - not manual_existing_domain.changed - - manual_existing_domain.domain_status == 'RE_VERIFICATION' - - manual_existing_domain.dns_location is undefined - - manual_existing_domain.dns_contents is undefined - - manual_existing_domain.dns_resource_type is undefined - - manual_existing_domain.file_location is undefined - - manual_existing_domain.file_contents is undefined - - manual_existing_domain.emails is undefined + - assert: + that: + - manual_existing_domain is not failed + - not manual_existing_domain.changed + - manual_existing_domain.domain_status == 'RE_VERIFICATION' + - manual_existing_domain.dns_location is undefined + - manual_existing_domain.dns_contents is undefined + - manual_existing_domain.dns_resource_type is undefined + - manual_existing_domain.file_location is undefined + - manual_existing_domain.file_contents is undefined + - manual_existing_domain.emails is undefined - - name: Request revalidation of an approved domain - ecs_domain: - domain_name: '{{ existing_domain_common_name }}' - verification_method: web_server - entrust_api_user: '{{ entrust_api_user }}' - entrust_api_key: '{{ entrust_api_key }}' - entrust_api_client_cert_path: '{{ entrust_api_cert }}' - entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' - register: 
file_existing_domain_revalidate - - - assert: - that: - - file_existing_domain_revalidate is not failed - - file_existing_domain_revalidate.changed - - file_existing_domain_revalidate.domain_status == 'RE_VERIFICATION' - - file_existing_domain_revalidate.verification_method == 'web_server' - - file_existing_domain_revalidate.dns_location is undefined - - file_existing_domain_revalidate.dns_contents is undefined - - file_existing_domain_revalidate.dns_resource_type is undefined - - file_existing_domain_revalidate.file_location is string - - file_existing_domain_revalidate.file_contents is string - - file_existing_domain_revalidate.emails is undefined + - name: Request revalidation of an approved domain + ecs_domain: + domain_name: '{{ existing_domain_common_name }}' + verification_method: web_server + entrust_api_user: '{{ entrust_api_user }}' + entrust_api_key: '{{ entrust_api_key }}' + entrust_api_client_cert_path: '{{ entrust_api_cert }}' + entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}' + register: file_existing_domain_revalidate + - assert: + that: + - file_existing_domain_revalidate is not failed + - file_existing_domain_revalidate.changed + - file_existing_domain_revalidate.domain_status == 'RE_VERIFICATION' + - file_existing_domain_revalidate.verification_method == 'web_server' + - file_existing_domain_revalidate.dns_location is undefined + - file_existing_domain_revalidate.dns_contents is undefined + - file_existing_domain_revalidate.dns_resource_type is undefined + - file_existing_domain_revalidate.file_location is string + - file_existing_domain_revalidate.file_contents is string + - file_existing_domain_revalidate.emails is undefined always: - name: clean-up temporary folder diff --git a/tests/integration/targets/filter_split_pem/tasks/main.yml b/tests/integration/targets/filter_split_pem/tasks/main.yml index f6f25f10..069b37db 100644 --- a/tests/integration/targets/filter_split_pem/tasks/main.yml 
+++ b/tests/integration/targets/filter_split_pem/tasks/main.yml @@ -33,10 +33,7 @@ Baz Bam -----END PRIVATE KEY----- - pem_3: | - -----BEGIN - foo - -----END + pem_3: "-----BEGIN \nfoo\n-----END \n" crap_1: | # Comment crap_2: | diff --git a/tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml b/tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml index 1e17544f..c9520c4d 100644 --- a/tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml +++ b/tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml @@ -137,7 +137,9 @@ - result.extensions_by_oid | length == 9 # Precert Signed Certificate Timestamps - result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].critical == false - - result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].value == 'BIHvAO0AdADd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZYL7QgtAAAEAwBFMEMCIAXku/W4fMbkoOkHguRt8RfxVy6dgwpi9A8IDTRkOn1XAh9g9RjiBvMJdM/+UQS+WNXaxOqA5JzUfvCFjbYLbEZ5AHUADeHyMCvTDcFAYhIJ6lUu/Ed0fLHX6TDvDkIetH5OqjQAAAGWC+0H2AAABAMARjBEAiB26F5G8YPuZ11gAfEXqAFpVk01VcbOsS6w3dn2CJf6zgIgeEWCpg9tsQ8dB7/hU1zOmkZom62VDXvk8Cs+yscbQq4=' + - >- + result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].value == + 'BIHvAO0AdADd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZYL7QgtAAAEAwBFMEMCIAXku/W4fMbkoOkHguRt8RfxVy6dgwpi9A8IDTRkOn1XAh9g9RjiBvMJdM/+UQS+WNXaxOqA5JzUfvCFjbYLbEZ5AHUADeHyMCvTDcFAYhIJ6lUu/Ed0fLHX6TDvDkIetH5OqjQAAAGWC+0H2AAABAMARjBEAiB26F5G8YPuZ11gAfEXqAFpVk01VcbOsS6w3dn2CJf6zgIgeEWCpg9tsQ8dB7/hU1zOmkZom62VDXvk8Cs+yscbQq4=' # Authority Information Access - result.extensions_by_oid['1.3.6.1.5.5.7.1.1'].critical == false - result.extensions_by_oid['1.3.6.1.5.5.7.1.1'].value == 'MGgwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmZvb2JhcmJhei5leGFtcGxlLmNvbTA3BggrBgEFBQcwAoYraHR0cDovL2NlcnQuZm9vYmFyYmF6LmV4YW1wbGUuY29tL2ludGVyLnBlbQ==' 
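Review bot: The rewritten `pem_3` fixture now carries its whole meaning in the two trailing spaces inside `"-----BEGIN \nfoo\n-----END \n"`, which a future edit or editor could strip without any test noticing why the value changed, and nothing in the hunk says they are intentional. The original block scalar at least showed the odd `-----BEGIN ` / `-----END ` markers on their own lines; the quoted form hides that this appears to be a deliberately label-less header (no type word after BEGIN/END), although that intent is inferred rather than stated in the file. A one-line comment above the key would preserve it, e.g. `# Trailing spaces after BEGIN/END are intentional: this exercises a header with no type label (see impl.yml for the expected outcome)`.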
diff --git a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml index 2da3f3eb..4872453f 100644 --- a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml +++ b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml @@ -140,10 +140,10 @@ selfsigned_not_after: "+10d" selfsigned_not_before: "-3d" loop: - - 1 - - 2 - - 3 - - 4 + - 1 + - 2 + - 3 + - 4 - name: Running tests include_tasks: impl.yml diff --git a/tests/integration/targets/filter_x509_crl_info/tasks/main.yml b/tests/integration/targets/filter_x509_crl_info/tasks/main.yml index 0270b07d..0eeab2cc 100644 --- a/tests/integration/targets/filter_x509_crl_info/tasks/main.yml +++ b/tests/integration/targets/filter_x509_crl_info/tasks/main.yml @@ -78,14 +78,14 @@ x509_certificate_info: path: '{{ remote_tmp_dir }}/{{ item }}.pem' loop: - - cert-1 - - cert-2 - - cert-3 - - cert-4 + - cert-1 + - cert-2 + - cert-3 + - cert-4 register: certificate_infos - block: - - name: Running tests - include_tasks: impl.yml + - name: Running tests + include_tasks: impl.yml when: cryptography_version.stdout is version('1.2', '>=') diff --git a/tests/integration/targets/get_certificate/tasks/main.yml b/tests/integration/targets/get_certificate/tasks/main.yml index 108691ca..c472026f 100644 --- a/tests/integration/targets/get_certificate/tasks/main.yml +++ b/tests/integration/targets/get_certificate/tasks/main.yml 
@@ -15,35 +15,35 @@ - block: - - name: Get servers certificate with backend auto-detection - get_certificate: - host: "{{ httpbin_host }}" - port: 443 - asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}" - ignore_errors: true - register: result + - name: Get servers certificate with backend auto-detection + get_certificate: + host: "{{ httpbin_host }}" + port: 443 + asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}" + ignore_errors: true + register: result - - set_fact: - skip_tests: | - {{ - result is failed and ( - 'error: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' in result.msg - or - 'error: _ssl.c:314: Invalid SSL protocol variant specified.' in result.msg - ) - }} + - set_fact: + skip_tests: | + {{ + result is failed and ( + 'error: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' in result.msg + or + 'error: _ssl.c:314: Invalid SSL protocol variant specified.' in result.msg + ) + }} - - assert: - that: - - result is success or skip_tests + - assert: + that: + - result is success or skip_tests when: cryptography_version.stdout is version('1.6', '>=') - block: - - include_tasks: ../tests/validate.yml - vars: - select_crypto_backend: cryptography + - include_tasks: ../tests/validate.yml + vars: + select_crypto_backend: cryptography # The module doesn't work with CentOS 6. Since the pyOpenSSL installed there is too old, # we never noticed before. This becomes a problem with the new cryptography backend, diff --git a/tests/integration/targets/get_certificate/tests/validate.yml b/tests/integration/targets/get_certificate/tests/validate.yml index 8835f010..deec3fa1 100644 --- a/tests/integration/targets/get_certificate/tests/validate.yml +++ b/tests/integration/targets/get_certificate/tests/validate.yml 
@@ -76,7 +76,7 @@ or 'unknown protocol' in result.msg or 'wrong version number' in result.msg or 'record layer failure' in result.msg - + - name: Test timeout option get_certificate: host: "{{ httpbin_host }}" diff --git a/tests/integration/targets/luks_device/tasks/main.yml b/tests/integration/targets/luks_device/tasks/main.yml index 7fa8fe7a..516499f6 100644 --- a/tests/integration/targets/luks_device/tasks/main.yml +++ b/tests/integration/targets/luks_device/tasks/main.yml @@ -21,13 +21,13 @@ vars: search: files: - - '{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml' - - '{{ ansible_distribution | lower }}.yml' - - '{{ ansible_os_family | lower }}.yml' - - default.yml + - '{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml' + - '{{ ansible_distribution | lower }}.yml' + - '{{ ansible_os_family | lower }}.yml' + - default.yml paths: - - vars + - vars - name: Make sure cryptsetup is installed package: @@ -71,21 +71,21 @@ cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM" - block: - - include_tasks: run-test.yml - with_fileglob: - - "tests/*.yml" + - include_tasks: run-test.yml + with_fileglob: + - "tests/*.yml" always: - - name: Make sure LUKS device is gone - luks_device: - device: "{{ cryptfile_device }}" - state: absent - become: true - ignore_errors: true + - name: Make sure LUKS device is gone + luks_device: + device: "{{ cryptfile_device }}" + state: absent + become: true + ignore_errors: true - - command: losetup -d "{{ cryptfile_device }}" - become: true + - command: losetup -d "{{ cryptfile_device }}" + become: true - - file: - dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile" - state: absent + - file: + dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile" + state: absent 
diff --git a/tests/integration/targets/luks_device/tasks/tests/create-destroy.yml b/tests/integration/targets/luks_device/tasks/tests/create-destroy.yml index 7210b9e3..ab95a43e 100644 --- a/tests/integration/targets/luks_device/tasks/tests/create-destroy.yml +++ b/tests/integration/targets/luks_device/tasks/tests/create-destroy.yml @@ -43,10 +43,10 @@ register: create_idem_check - assert: that: - - create_check is changed - - create is changed - - create_idem is not changed - - create_idem_check is not changed + - create_check is changed + - create is changed + - create_idem is not changed + - create_idem_check is not changed - name: Open (check) luks_device: @@ -80,10 +80,10 @@ register: open_idem_check - assert: that: - - open_check is changed - - open is changed - - open_idem is not changed - - open_idem_check is not changed + - open_check is changed + - open is changed + - open_idem is not changed + - open_idem_check is not changed - name: Closed (via name, check) luks_device: @@ -113,10 +113,10 @@ register: close_idem_check - assert: that: - - close_check is changed - - close is changed - - close_idem is not changed - - close_idem_check is not changed + - close_check is changed + - close is changed + - close_idem is not changed + - close_idem_check is not changed - name: Re-open luks_device: @@ -153,10 +153,10 @@ register: close_idem_check - assert: that: - - close_check is changed - - close is changed - - close_idem is not changed - - close_idem_check is not changed + - close_check is changed + - close is changed + - close_idem is not changed + - close_idem_check is not changed - name: Re-opened luks_device: @@ -193,7 +193,7 @@ register: absent_idem_check - assert: that: - - absent_check is changed - - absent is changed - - absent_idem is not changed - - absent_idem_check is not changed + - absent_check is changed + - absent is changed + - absent_idem is not changed + - absent_idem_check is not changed 
diff --git a/tests/integration/targets/luks_device/tasks/tests/cryptname.yml b/tests/integration/targets/luks_device/tasks/tests/cryptname.yml index 74afd9ed..2db304e8 100644 --- a/tests/integration/targets/luks_device/tasks/tests/cryptname.yml +++ b/tests/integration/targets/luks_device/tasks/tests/cryptname.yml @@ -54,9 +54,9 @@ register: absent - assert: that: - - create is changed - - open is changed - - open_idem is not changed - - close is changed - - close_idem is not changed - - absent is changed + - create is changed + - open is changed + - open_idem is not changed + - close is changed + - close_idem is not changed + - absent is changed diff --git a/tests/integration/targets/luks_device/tasks/tests/key-management.yml b/tests/integration/targets/luks_device/tasks/tests/key-management.yml index 302509de..8d85fd49 100644 --- a/tests/integration/targets/luks_device/tasks/tests/key-management.yml +++ b/tests/integration/targets/luks_device/tasks/tests/key-management.yml @@ -24,7 +24,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -41,7 +41,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Give access to keyfile2 luks_device: @@ -80,7 +80,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -126,7 +126,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Try to open with keyfile2 luks_device: @@ -138,7 +138,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" 
@@ -160,8 +160,8 @@ register: remove_last_key - assert: that: - - remove_last_key is failed - - "'force_remove_last_key' in remove_last_key.msg" + - remove_last_key is failed + - "'force_remove_last_key' in remove_last_key.msg" # Access: keyfile2 @@ -175,7 +175,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -203,4 +203,4 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed diff --git a/tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml b/tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml index 97e83d04..d74fa993 100644 --- a/tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml +++ b/tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml @@ -42,7 +42,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -59,7 +59,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Give access to passphrase1 luks_device: @@ -90,7 +90,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Open with passphrase1 luks_device: @@ -102,4 +102,4 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed diff --git a/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml b/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml index 51a3db36..b2230a13 100644 --- a/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml +++ b/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml 
@@ -51,11 +51,11 @@ register: luks_header_slot4 - assert: that: - - create_luks_slot4_check is changed - - create_luks_slot4 is changed - - create_luks_slot4_idem is not changed - - create_luks_slot4_idem_check is not changed - - "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout" + - create_luks_slot4_check is changed + - create_luks_slot4 is changed + - create_luks_slot4_idem is not changed + - create_luks_slot4_idem_check is not changed + - "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout" - name: Add key in slot 2 (check) luks_device: @@ -109,11 +109,11 @@ register: luks_header_slot2 - assert: that: - - add_luks_slot2_check is changed - - add_luks_slot2 is changed - - add_luks_slot2_idem is not changed - - add_luks_slot2_idem_check is not changed - - "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout" + - add_luks_slot2_check is changed + - add_luks_slot2 is changed + - add_luks_slot2_idem is not changed + - add_luks_slot2_idem_check is not changed + - "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout" - name: Check remove slot 4 without key luks_device: @@ -132,8 +132,8 @@ register: kill_slot4_key_slot4 - assert: that: - - kill_slot4_nokey is failed - - kill_slot4_key_slot4 is failed + - kill_slot4_nokey is failed + - kill_slot4_key_slot4 is failed - name: Remove key in slot 4 (check) luks_device: 
@@ -171,11 +171,11 @@ register: luks_header_slot4_removed - assert: that: - - kill_luks_slot4_check is changed - - kill_luks_slot4 is changed - - kill_luks_slot4_idem is not changed - - kill_luks_slot4_idem_check is not changed - - "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout" + - kill_luks_slot4_check is changed + - kill_luks_slot4 is changed + - kill_luks_slot4_idem is not changed + - kill_luks_slot4_idem_check is not changed + - "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout" - name: Add key in slot 0 luks_device: @@ -201,6 +201,6 @@ register: luks_header_slot0_removed - assert: that: - - add_luks_slot0 is changed - - kill_luks_slot0 is changed - - "'Key Slot 0: DISABLED' in luks_header_slot0_removed.stdout or not '0: luks' in luks_header_slot0_removed.stdout" + - add_luks_slot0 is changed + - kill_luks_slot0 is changed + - "'Key Slot 0: DISABLED' in luks_header_slot0_removed.stdout or not '0: luks' in luks_header_slot0_removed.stdout" diff --git a/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml b/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml index cb9e559a..fedc77de 100644 --- a/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml +++ b/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml 
@@ -34,7 +34,7 @@ register: keyslot_duplicate - assert: that: - - keyslot_duplicate_check is failed - - "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg" - - keyslot_duplicate is failed - - "'Trying to add key that is already present in another slot' in keyslot_duplicate.msg" + - keyslot_duplicate_check is failed + - "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg" + - keyslot_duplicate is failed + - "'Trying to add key that is already present in another slot' in keyslot_duplicate.msg" diff --git a/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml b/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml index 8a1ca14b..2b40bded 100644 --- a/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml +++ b/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml @@ -40,9 +40,9 @@ register: create_luks_slot8 - assert: that: - - create_luks1_slot8 is failed - - create_luks2_slot32 is failed - - create_luks_slot8 is failed + - create_luks1_slot8 is failed + - create_luks2_slot32 is failed + - create_luks_slot8 is failed - name: Check valid slot (luks2, 8) luks_device: @@ -59,7 +59,7 @@ - name: Make sure that the previous task only fails if LUKS2 is not supported assert: that: - - "'Unknown option --type' in create_luks2_slot8.msg" + - "'Unknown option --type' in create_luks2_slot8.msg" when: create_luks2_slot8 is failed - name: Check add valid slot (no luks type, 10) luks_device: @@ -75,5 +75,5 @@ when: create_luks2_slot8 is changed - assert: that: - - create_luks_slot10 is changed + - create_luks_slot10 is changed when: create_luks2_slot8 is changed \ No newline at end of file diff --git a/tests/integration/targets/luks_device/tasks/tests/passphrase.yml b/tests/integration/targets/luks_device/tasks/tests/passphrase.yml index 5aca1064..244900fa 100644 --- a/tests/integration/targets/luks_device/tasks/tests/passphrase.yml 
+++ b/tests/integration/targets/luks_device/tasks/tests/passphrase.yml @@ -47,7 +47,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -80,7 +80,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Give access to passphrase2 luks_device: @@ -117,7 +117,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -134,7 +134,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Give access to keyfile1 from passphrase1 luks_device: @@ -169,7 +169,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" @@ -207,7 +207,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Try to open with passphrase3 luks_device: @@ -219,7 +219,7 @@ register: open_try - assert: that: - - open_try is failed + - open_try is failed - name: Give access to passphrase3 from keyfile1 luks_device: @@ -241,7 +241,7 @@ register: open_try - assert: that: - - open_try is not failed + - open_try is not failed - name: Close luks_device: device: "{{ cryptfile_device }}" diff --git a/tests/integration/targets/luks_device/tasks/tests/performance.yml b/tests/integration/targets/luks_device/tasks/tests/performance.yml index 85f28ae4..d3379bec 100644 --- a/tests/integration/targets/luks_device/tasks/tests/performance.yml +++ b/tests/integration/targets/luks_device/tasks/tests/performance.yml 
@@ -69,10 +69,10 @@ register: create_open_idem_check - assert: that: - - create_open_check is changed - - create_open is changed - - create_open_idem is not changed - - create_open_idem_check is not changed + - create_open_check is changed + - create_open is changed + - create_open_idem is not changed + - create_open_idem_check is not changed - name: Dump LUKS Header command: "cryptsetup luksDump {{ cryptfile_device }}" diff --git a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml index f0ff9955..df6d9d17 100644 --- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml @@ -59,21 +59,21 @@ - updated_signature_algorithm_idempotent is not changed - block: - - name: Generate cert with original signature algorithm - openssh_cert: - type: user - path: "{{ certificate_path }}" - public_key: "{{ public_key }}" - signing_key: "{{ signing_key }}" - signature_algorithm: ssh-rsa - valid_from: always - valid_to: forever - register: second_signature_algorithm + - name: Generate cert with original signature algorithm + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + signature_algorithm: ssh-rsa + valid_from: always + valid_to: forever + register: second_signature_algorithm - - name: Assert second signature algorithm update causes change - assert: - that: - - second_signature_algorithm is changed + - name: Assert second signature algorithm update causes change + assert: + that: + - second_signature_algorithm is changed # RHEL9, Fedora 41 and Rocky 9 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error. # Other systems which impose a similar restriction may also need to skip this block in the future. when: 
diff --git a/tests/integration/targets/openssh_keypair/tests/regenerate.yml b/tests/integration/targets/openssh_keypair/tests/regenerate.yml index 7d9e0b11..9784b19a 100644 --- a/tests/integration/targets/openssh_keypair/tests/regenerate.yml +++ b/tests/integration/targets/openssh_keypair/tests/regenerate.yml @@ -41,7 +41,7 @@ mode: '0700' with_nested: - "{{ regenerate_values }}" - - [ '', '.pub' ] + - ['', '.pub'] - name: "({{ backend }}) Regenerate - setup password protected keys for passphrse test" command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}' @@ -261,7 +261,7 @@ remote_src: true with_nested: - "{{ regenerate_values }}" - - [ '', '.pub' ] + - ['', '.pub'] when: "item.0 != 'always'" - vars: 
@@ -269,75 +269,56 @@ ssh_size: '{{ 1024 if openssh_supports_dsa else omit }}' block: - - name: "({{ backend }}) Regenerate - adjust key type (check mode)" - openssh_keypair: - path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' - type: '{{ ssh_type }}' - size: '{{ ssh_size }}' - regenerate: '{{ item }}' - backend: "{{ backend }}" - check_mode: true - loop: "{{ regenerate_values }}" - ignore_errors: true - register: result - - assert: - that: - - result.results[0] is success and result.results[0] is not changed - - result.results[1] is failed - - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg" - - result.results[2] is changed - - result.results[3] is changed - - result.results[4] is changed + - name: "({{ backend }}) Regenerate - adjust key type (check mode)" + openssh_keypair: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' + type: '{{ ssh_type }}' + size: '{{ ssh_size }}' + regenerate: '{{ item }}' + backend: "{{ backend }}" + check_mode: true + loop: "{{ regenerate_values }}" + ignore_errors: true + register: result + - assert: + that: + - result.results[0] is success and result.results[0] is not changed + - result.results[1] is failed + - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg" + - result.results[2] is changed + - result.results[3] is changed + - result.results[4] is changed - - name: "({{ backend }}) Regenerate - adjust key type" - openssh_keypair: - path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' - type: '{{ ssh_type }}' - size: '{{ ssh_size }}' - regenerate: '{{ item }}' - backend: "{{ backend }}" - loop: "{{ regenerate_values }}" - ignore_errors: true - register: result - - assert: - that: - - result.results[0] is success and result.results[0] is not changed - - result.results[1] is failed - - "'Key has wrong type and/or size. Will not proceed.' 
in result.results[1].msg" - - result.results[2] is changed - - result.results[3] is changed - - result.results[4] is changed + - name: "({{ backend }}) Regenerate - adjust key type" + openssh_keypair: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' + type: '{{ ssh_type }}' + size: '{{ ssh_size }}' + regenerate: '{{ item }}' + backend: "{{ backend }}" + loop: "{{ regenerate_values }}" + ignore_errors: true + register: result + - assert: + that: + - result.results[0] is success and result.results[0] is not changed + - result.results[1] is failed + - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg" + - result.results[2] is changed + - result.results[3] is changed + - result.results[4] is changed - - name: "({{ backend }}) Regenerate - redistribute keys" - copy: - src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}' - dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}' - remote_src: true - with_nested: - - "{{ regenerate_values }}" - - [ '', '.pub' ] - when: "item.0 != 'always'" + - name: "({{ backend }}) Regenerate - redistribute keys" + copy: + src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}' + dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}' + remote_src: true + with_nested: + - "{{ regenerate_values }}" + - ['', '.pub'] + when: "item.0 != 'always'" - - name: "({{ backend }}) Regenerate - adjust comment (check mode)" - openssh_keypair: - path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' - type: '{{ ssh_type }}' - size: '{{ ssh_size }}' - comment: test comment - regenerate: '{{ item }}' - backend: "{{ backend }}" - check_mode: true - loop: "{{ regenerate_values }}" - ignore_errors: true - register: result - - assert: - that: - - result is changed - - # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2 - - when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<')) - block: - - name: "({{ backend }}) Regenerate - adjust 
comment" + - name: "({{ backend }}) Regenerate - adjust comment (check mode)" openssh_keypair: path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' type: '{{ ssh_type }}' @@ -345,14 +326,33 @@ comment: test comment regenerate: '{{ item }}' backend: "{{ backend }}" + check_mode: true loop: "{{ regenerate_values }}" + ignore_errors: true register: result - assert: that: - result is changed - # for all values but 'always', the key should not be regenerated. - # verify this by comparing fingerprints: - - result.results[0].fingerprint == result.results[1].fingerprint - - result.results[0].fingerprint == result.results[2].fingerprint - - result.results[0].fingerprint == result.results[3].fingerprint - - result.results[0].fingerprint != result.results[4].fingerprint + + # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2 + - when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<')) + block: + - name: "({{ backend }}) Regenerate - adjust comment" + openssh_keypair: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}' + type: '{{ ssh_type }}' + size: '{{ ssh_size }}' + comment: test comment + regenerate: '{{ item }}' + backend: "{{ backend }}" + loop: "{{ regenerate_values }}" + register: result + - assert: + that: + - result is changed + # for all values but 'always', the key should not be regenerated. + # verify this by comparing fingerprints: + - result.results[0].fingerprint == result.results[1].fingerprint + - result.results[0].fingerprint == result.results[2].fingerprint + - result.results[0].fingerprint == result.results[3].fingerprint + - result.results[0].fingerprint != result.results[4].fingerprint diff --git a/tests/integration/targets/openssl_csr/tasks/main.yml b/tests/integration/targets/openssl_csr/tasks/main.yml index cd68e915..e5c09c0d 100644 --- a/tests/integration/targets/openssl_csr/tasks/main.yml +++ b/tests/integration/targets/openssl_csr/tasks/main.yml 
@@ -9,24 +9,24 @@ #################################################################### - block: - - name: Prepare private key for backend autodetection test - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem' - size: '{{ default_rsa_key_size }}' - - name: Run module with backend autodetection - openssl_csr: - path: '{{ remote_tmp_dir }}/csr_backend_selection.csr' - privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem' - subject: - commonName: www.ansible.com + - name: Prepare private key for backend autodetection test + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem' + size: '{{ default_rsa_key_size }}' + - name: Run module with backend autodetection + openssl_csr: + path: '{{ remote_tmp_dir }}/csr_backend_selection.csr' + privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem' + subject: + commonName: www.ansible.com - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml - vars: - select_crypto_backend: cryptography + - import_tasks: ../tests/validate.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('1.3', '>=') diff --git a/tests/integration/targets/openssl_csr_pipe/tasks/main.yml b/tests/integration/targets/openssl_csr_pipe/tasks/main.yml index ecf238d7..abfa33ac 100644 --- a/tests/integration/targets/openssl_csr_pipe/tasks/main.yml +++ b/tests/integration/targets/openssl_csr_pipe/tasks/main.yml 
@@ -19,9 +19,9 @@ commonName: www.ansible.com - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('1.3', '>=') diff --git a/tests/integration/targets/openssl_dhparam/tasks/main.yml b/tests/integration/targets/openssl_dhparam/tasks/main.yml index e68169e5..283db290 100644 --- a/tests/integration/targets/openssl_dhparam/tasks/main.yml +++ b/tests/integration/targets/openssl_dhparam/tasks/main.yml @@ -17,10 +17,10 @@ size: 512 - block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml + - name: Running tests with OpenSSL backend + include_tasks: impl.yml - - include_tasks: ../tests/validate.yml + - include_tasks: ../tests/validate.yml vars: select_crypto_backend: openssl @@ -37,10 +37,10 @@ state: directory - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml + - name: Running tests with cryptography backend + include_tasks: impl.yml - - include_tasks: ../tests/validate.yml + - include_tasks: ../tests/validate.yml vars: select_crypto_backend: cryptography diff --git a/tests/integration/targets/openssl_pkcs12/tasks/impl.yml b/tests/integration/targets/openssl_pkcs12/tasks/impl.yml index fe94ed19..09f96716 100644 --- a/tests/integration/targets/openssl_pkcs12/tasks/impl.yml +++ b/tests/integration/targets/openssl_pkcs12/tasks/impl.yml 
@@ -4,393 +4,393 @@ # SPDX-License-Identifier: GPL-3.0-or-later - block: - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (check mode)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - return_content: true - check_mode: true - register: p12_standard_check + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (check mode)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + return_content: true + check_mode: true + register: p12_standard_check - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - return_content: true - register: p12_standard + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + return_content: true + register: p12_standard - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (check mode)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir 
}}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - return_content: true - check_mode: true - register: p12_standard_idempotency_check + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (check mode)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + return_content: true + check_mode: true + register: p12_standard_idempotency_check - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - return_content: true - register: p12_standard_idempotency + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + return_content: true + register: p12_standard_idempotency - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (empty other_certificates)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - return_content: true - other_certificates: [] - register: p12_standard_idempotency_no_certs + - name: "({{ select_crypto_backend 
}}) Generate PKCS#12 file again, idempotency (empty other_certificates)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + return_content: true + other_certificates: [] + register: p12_standard_idempotency_no_certs - - name: "({{ select_crypto_backend }}) Read ansible_pkey1.pem" - slurp: - src: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - register: ansible_pkey_content + - name: "({{ select_crypto_backend }}) Read ansible_pkey1.pem" + slurp: + src: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + register: ansible_pkey_content - - name: "({{ select_crypto_backend }}) Read ansible1.crt" - slurp: - src: '{{ remote_tmp_dir }}/ansible1.crt' - register: ansible_crt_content + - name: "({{ select_crypto_backend }}) Read ansible1.crt" + slurp: + src: '{{ remote_tmp_dir }}/ansible1.crt' + register: ansible_crt_content - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (private key from file)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_content: '{{ ansible_pkey_content.content | b64decode }}' - certificate_content: '{{ ansible_crt_content.content | b64decode }}' - state: present - return_content: true - register: p12_standard_idempotency_2 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (private key from file)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_content: '{{ ansible_pkey_content.content | b64decode }}' + certificate_content: '{{ ansible_crt_content.content | b64decode }}' + state: present + return_content: true + register: p12_standard_idempotency_2 - - name: 
"({{ select_crypto_backend }}) Read ansible.p12" - slurp: - src: '{{ remote_tmp_dir }}/ansible.p12' - register: ansible_p12_content + - name: "({{ select_crypto_backend }}) Read ansible.p12" + slurp: + src: '{{ remote_tmp_dir }}/ansible.p12' + register: ansible_p12_content - - name: "({{ select_crypto_backend }}) Validate PKCS#12" - assert: - that: - - p12_standard.pkcs12 == ansible_p12_content.content - - p12_standard_idempotency.pkcs12 == p12_standard.pkcs12 + - name: "({{ select_crypto_backend }}) Validate PKCS#12" + assert: + that: + - p12_standard.pkcs12 == ansible_p12_content.content + - p12_standard_idempotency.pkcs12 == p12_standard.pkcs12 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - force: true - register: p12_force + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + force: true + register: p12_force - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force + change mode)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - force: true - mode: '0644' - register: p12_force_and_mode + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force + change mode)" + openssl_pkcs12: + select_crypto_backend: '{{ 
select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + force: true + mode: '0644' + register: p12_force_and_mode - - name: "({{ select_crypto_backend }}) Dump PKCS#12" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - src: '{{ remote_tmp_dir }}/ansible.p12' - path: '{{ remote_tmp_dir }}/ansible_parse.pem' - action: parse - state: present - register: p12_dumped + - name: "({{ select_crypto_backend }}) Dump PKCS#12" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + src: '{{ remote_tmp_dir }}/ansible.p12' + path: '{{ remote_tmp_dir }}/ansible_parse.pem' + action: parse + state: present + register: p12_dumped - - name: "({{ select_crypto_backend }}) Dump PKCS#12 file again, idempotency" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - src: '{{ remote_tmp_dir }}/ansible.p12' - path: '{{ remote_tmp_dir }}/ansible_parse.pem' - action: parse - state: present - register: p12_dumped_idempotency + - name: "({{ select_crypto_backend }}) Dump PKCS#12 file again, idempotency" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + src: '{{ remote_tmp_dir }}/ansible.p12' + path: '{{ remote_tmp_dir }}/ansible_parse.pem' + action: parse + state: present + register: p12_dumped_idempotency - - name: "({{ select_crypto_backend }}) Dump PKCS#12, check mode" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - src: '{{ remote_tmp_dir }}/ansible.p12' - path: '{{ remote_tmp_dir }}/ansible_parse.pem' - action: parse - state: present - check_mode: true - register: p12_dumped_check_mode + - name: "({{ select_crypto_backend }}) Dump PKCS#12, check mode" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + src: '{{ remote_tmp_dir }}/ansible.p12' + path: '{{ remote_tmp_dir 
}}/ansible_parse.pem' + action: parse + state: present + check_mode: true + register: p12_dumped_check_mode - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12' - friendly_name: abracadabra - passphrase: hunter3 - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - other_certificates: - - '{{ remote_tmp_dir }}/ansible2.crt' - - '{{ remote_tmp_dir }}/ansible3.crt' - state: present - register: p12_multiple_certs + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12' + friendly_name: abracadabra + passphrase: hunter3 + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + other_certificates: + - '{{ remote_tmp_dir }}/ansible2.crt' + - '{{ remote_tmp_dir }}/ansible3.crt' + state: present + register: p12_multiple_certs - - name: "({{ select_crypto_backend }}) Read ansible2.crt / ansible3.crt.crt" - slurp: - src: "{{ item }}" - loop: - - "{{ remote_tmp_dir ~ '/ansible2.crt' }}" - - "{{ remote_tmp_dir ~ '/ansible3.crt' }}" - register: ansible_other_content + - name: "({{ select_crypto_backend }}) Read ansible2.crt / ansible3.crt.crt" + slurp: + src: "{{ item }}" + loop: + - "{{ remote_tmp_dir ~ '/ansible2.crt' }}" + - "{{ remote_tmp_dir ~ '/ansible3.crt' }}" + register: ansible_other_content - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase, again (idempotency)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12' - friendly_name: abracadabra - passphrase: hunter3 - privatekey_path: '{{ 
remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - other_certificates_content: - - "{{ ansible_other_content.results[0].content | b64decode }}" - - "{{ ansible_other_content.results[1].content | b64decode }}" - state: present - register: p12_multiple_certs_idempotency + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase, again (idempotency)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12' + friendly_name: abracadabra + passphrase: hunter3 + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + other_certificates_content: + - "{{ ansible_other_content.results[0].content | b64decode }}" + - "{{ ansible_other_content.results[1].content | b64decode }}" + state: present + register: p12_multiple_certs_idempotency - - name: "({{ select_crypto_backend }}) Dump PKCS#12 with multiple certs and passphrase" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - src: '{{ remote_tmp_dir }}/ansible_multi_certs.p12' - path: '{{ remote_tmp_dir }}/ansible_parse_multi_certs.pem' - passphrase: hunter3 - action: parse - state: present + - name: "({{ select_crypto_backend }}) Dump PKCS#12 with multiple certs and passphrase" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + src: '{{ remote_tmp_dir }}/ansible_multi_certs.p12' + path: '{{ remote_tmp_dir }}/ansible_parse_multi_certs.pem' + passphrase: hunter3 + action: parse + state: present - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 1)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_pw1.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - privatekey_passphrase: hunter2 - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - 
state: present - ignore_errors: true - register: passphrase_error_1 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 1)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_pw1.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + privatekey_passphrase: hunter2 + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + ignore_errors: true + register: passphrase_error_1 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 2)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_pw2.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' - privatekey_passphrase: wrong_password - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - ignore_errors: true - register: passphrase_error_2 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 2)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_pw2.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' + privatekey_passphrase: wrong_password + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + ignore_errors: true + register: passphrase_error_2 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 3)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_pw3.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - ignore_errors: true - register: passphrase_error_3 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 3)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend 
}}' + path: '{{ remote_tmp_dir }}/ansible_pw3.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + ignore_errors: true + register: passphrase_error_3 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file, no privatekey" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_no_pkey.p12' - friendly_name: abracadabra - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - register: p12_no_pkey + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file, no privatekey" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_no_pkey.p12' + friendly_name: abracadabra + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + register: p12_no_pkey - - name: "({{ select_crypto_backend }}) Create broken PKCS#12" - copy: - dest: '{{ remote_tmp_dir }}/broken.p12' - content: broken + - name: "({{ select_crypto_backend }}) Create broken PKCS#12" + copy: + dest: '{{ remote_tmp_dir }}/broken.p12' + content: broken - - name: "({{ select_crypto_backend }}) Regenerate broken PKCS#12" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/broken.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - force: true - mode: '0644' - register: output_broken + - name: "({{ select_crypto_backend }}) Regenerate broken PKCS#12" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/broken.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + force: true + mode: '0644' + register: output_broken - - name: 
"({{ select_crypto_backend }}) Generate PKCS#12 file" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_backup.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - backup: true - register: p12_backup_1 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_backup.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + backup: true + register: p12_backup_1 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (idempotent)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_backup.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - backup: true - register: p12_backup_2 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (idempotent)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_backup.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + backup: true + register: p12_backup_2 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (change)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_backup.p12' - friendly_name: abra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present - force: true - backup: true - register: p12_backup_3 + - name: "({{ 
select_crypto_backend }}) Generate PKCS#12 file (change)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_backup.p12' + friendly_name: abra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present + force: true + backup: true + register: p12_backup_3 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_backup.p12' - state: absent - backup: true - return_content: true - register: p12_backup_4 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_backup.p12' + state: absent + backup: true + return_content: true + register: p12_backup_4 - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove, idempotent)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_backup.p12' - state: absent - backup: true - register: p12_backup_5 + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove, idempotent)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_backup.p12' + state: absent + backup: true + register: p12_backup_5 - - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_empty.p12' - friendly_name: abracadabra - other_certificates: - - '{{ remote_tmp_dir }}/ansible2.crt' - - '{{ remote_tmp_dir }}/ansible3.crt' - state: present - register: p12_empty + - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ 
remote_tmp_dir }}/ansible_empty.p12' + friendly_name: abracadabra + other_certificates: + - '{{ remote_tmp_dir }}/ansible2.crt' + - '{{ remote_tmp_dir }}/ansible3.crt' + state: present + register: p12_empty - - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_empty.p12' - friendly_name: abracadabra - other_certificates: - - '{{ remote_tmp_dir }}/ansible3.crt' - - '{{ remote_tmp_dir }}/ansible2.crt' - state: present - register: p12_empty_idem + - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_empty.p12' + friendly_name: abracadabra + other_certificates: + - '{{ remote_tmp_dir }}/ansible3.crt' + - '{{ remote_tmp_dir }}/ansible2.crt' + state: present + register: p12_empty_idem - - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_empty.p12' - friendly_name: abracadabra - other_certificates: - - '{{ remote_tmp_dir }}/ansible23.crt' - other_certificates_parse_all: true - state: present - register: p12_empty_concat_idem + - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_empty.p12' + friendly_name: abracadabra + other_certificates: + - '{{ remote_tmp_dir }}/ansible23.crt' + other_certificates_parse_all: true + state: present + register: p12_empty_concat_idem - - name: "({{ select_crypto_backend }}) Read ansible23.crt" - slurp: - src: "{{ remote_tmp_dir ~ '/ansible23.crt' }}" - register: ansible_other_content_concat + - name: "({{ 
select_crypto_backend }}) Read ansible23.crt" + slurp: + src: "{{ remote_tmp_dir ~ '/ansible23.crt' }}" + register: ansible_other_content_concat - - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_empty.p12' - friendly_name: abracadabra - other_certificates_content: - - "{{ ansible_other_content_concat.content | b64decode }}" - other_certificates_parse_all: true - state: present - register: p12_empty_concat_content_idem + - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_empty.p12' + friendly_name: abracadabra + other_certificates_content: + - "{{ ansible_other_content_concat.content | b64decode }}" + other_certificates_parse_all: true + state: present + register: p12_empty_concat_content_idem - - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (parse)" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - src: '{{ remote_tmp_dir }}/ansible_empty.p12' - path: '{{ remote_tmp_dir }}/ansible_empty.pem' - action: parse + - name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (parse)" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + src: '{{ remote_tmp_dir }}/ansible_empty.p12' + path: '{{ remote_tmp_dir }}/ansible_empty.pem' + action: parse - - name: "({{ select_crypto_backend }}) Generate PKCS#12 file passphrase and compatibility encryption" - openssl_pkcs12: - select_crypto_backend: '{{ select_crypto_backend }}' - path: '{{ remote_tmp_dir }}/ansible_compatibility2022.p12' - friendly_name: compat_fn - encryption_level: compatibility2022 - iter_size: 3210 - passphrase: magicpassword - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - 
certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - other_certificates: - - '{{ remote_tmp_dir }}/ansible2.crt' - - '{{ remote_tmp_dir }}/ansible3.crt' - state: present - register: p12_compatibility2022 - when: - - select_crypto_backend == 'cryptography' - - cryptography_version.stdout is version('38.0.0', '>=') + - name: "({{ select_crypto_backend }}) Generate PKCS#12 file passphrase and compatibility encryption" + openssl_pkcs12: + select_crypto_backend: '{{ select_crypto_backend }}' + path: '{{ remote_tmp_dir }}/ansible_compatibility2022.p12' + friendly_name: compat_fn + encryption_level: compatibility2022 + iter_size: 3210 + passphrase: magicpassword + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + other_certificates: + - '{{ remote_tmp_dir }}/ansible2.crt' + - '{{ remote_tmp_dir }}/ansible3.crt' + state: present + register: p12_compatibility2022 + when: + - select_crypto_backend == 'cryptography' + - cryptography_version.stdout is version('38.0.0', '>=') - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml always: - - name: "({{ select_crypto_backend }}) Delete PKCS#12 file" - openssl_pkcs12: - state: absent - path: '{{ remote_tmp_dir }}/{{ item }}.p12' - loop: - - ansible - - ansible_no_pkey - - ansible_multi_certs - - ansible_pw1 - - ansible_pw2 - - ansible_pw3 - - ansible_empty - - ansible_compatibility2022 + - name: "({{ select_crypto_backend }}) Delete PKCS#12 file" + openssl_pkcs12: + state: absent + path: '{{ remote_tmp_dir }}/{{ item }}.p12' + loop: + - ansible + - ansible_no_pkey + - ansible_multi_certs + - ansible_pw1 + - ansible_pw2 + - ansible_pw3 + - ansible_empty + - ansible_compatibility2022 diff --git a/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/tests/integration/targets/openssl_pkcs12/tasks/main.yml index a49888df..26673bea 100644 --- a/tests/integration/targets/openssl_pkcs12/tasks/main.yml 
+++ b/tests/integration/targets/openssl_pkcs12/tasks/main.yml 
@@ -9,77 +9,77 @@ #################################################################### - block: - - name: Generate private keys - openssl_privatekey: - path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem' - size: '{{ default_rsa_key_size_certificates }}' - loop: "{{ range(1, 4) | list }}" + - name: Generate private keys + openssl_privatekey: + path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem' + size: '{{ default_rsa_key_size_certificates }}' + loop: "{{ range(1, 4) | list }}" - - name: Generate privatekey with password - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekeypw.pem' - passphrase: hunter2 - size: '{{ default_rsa_key_size }}' + - name: Generate privatekey with password + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekeypw.pem' + passphrase: hunter2 + size: '{{ default_rsa_key_size }}' - - name: Generate CSRs - openssl_csr: - path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr' - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem' - commonName: www{{ item }}.ansible.com - loop: "{{ range(1, 4) | list }}" + - name: Generate CSRs + openssl_csr: + path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr' + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem' + commonName: www{{ item }}.ansible.com + loop: "{{ range(1, 4) | list }}" - - name: Generate certificate - x509_certificate: - path: '{{ remote_tmp_dir }}/ansible{{ item }}.crt' - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem' - csr_path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr' - provider: selfsigned - loop: "{{ range(1, 4) | list }}" + - name: Generate certificate + x509_certificate: + path: '{{ remote_tmp_dir }}/ansible{{ item }}.crt' + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem' + csr_path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr' + provider: selfsigned + loop: "{{ range(1, 4) | list }}" - - name: Read files - slurp: - src: '{{ item }}' - loop: - - "{{ remote_tmp_dir ~ '/ansible2.crt' }}" - - "{{ 
remote_tmp_dir ~ '/ansible3.crt' }}" - register: slurp + - name: Read files + slurp: + src: '{{ item }}' + loop: + - "{{ remote_tmp_dir ~ '/ansible2.crt' }}" + - "{{ remote_tmp_dir ~ '/ansible3.crt' }}" + register: slurp - - name: Generate concatenated PEM file - copy: - dest: '{{ remote_tmp_dir }}/ansible23.crt' - content: '{{ slurp.results[0].content | b64decode }}{{ slurp.results[1].content | b64decode }}' + - name: Generate concatenated PEM file + copy: + dest: '{{ remote_tmp_dir }}/ansible23.crt' + content: '{{ slurp.results[0].content | b64decode }}{{ slurp.results[1].content | b64decode }}' - - name: Generate PKCS#12 file with backend autodetection - openssl_pkcs12: - path: '{{ remote_tmp_dir }}/ansible.p12' - friendly_name: abracadabra - privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' - certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' - state: present + - name: Generate PKCS#12 file with backend autodetection + openssl_pkcs12: + path: '{{ remote_tmp_dir }}/ansible.p12' + friendly_name: abracadabra + privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem' + certificate_path: '{{ remote_tmp_dir }}/ansible1.crt' + state: present - - name: Delete result - file: - path: '{{ remote_tmp_dir }}/ansible.p12' - state: absent + - name: Delete result + file: + path: '{{ remote_tmp_dir }}/ansible.p12' + state: absent - - block: - - name: Running tests with pyOpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: pyopenssl + - block: + - name: Running tests with pyOpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: pyopenssl - when: >- - (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') - and - (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<') + when: >- + (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') + and + (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<') - - block: - - name: Running tests with cryptography backend - 
include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - block: + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.0', '>=') + when: cryptography_version.stdout is version('3.0', '>=') when: >- ( diff --git a/tests/integration/targets/openssl_privatekey/tasks/impl.yml b/tests/integration/targets/openssl_privatekey/tasks/impl.yml index b617ebc9..34e19c32 100644 --- a/tests/integration/targets/openssl_privatekey/tasks/impl.yml +++ b/tests/integration/targets/openssl_privatekey/tasks/impl.yml 
@@ -93,63 +93,63 @@ - set_fact: ecc_types: - - curve: secp384r1 - openssl_name: secp384r1 - min_cryptography_version: "0.5" - - curve: secp521r1 - openssl_name: secp521r1 - min_cryptography_version: "0.5" - - curve: secp224r1 - openssl_name: secp224r1 - min_cryptography_version: "0.5" - - curve: secp192r1 - openssl_name: prime192v1 - min_cryptography_version: "0.5" - - curve: secp256r1 - openssl_name: secp256r1 - min_cryptography_version: "0.5" - - curve: secp256k1 - openssl_name: secp256k1 - min_cryptography_version: "0.9" - - curve: brainpoolP256r1 - openssl_name: brainpoolP256r1 - min_cryptography_version: "2.2" - - curve: brainpoolP384r1 - openssl_name: brainpoolP384r1 - min_cryptography_version: "2.2" - - curve: brainpoolP512r1 - openssl_name: brainpoolP512r1 - min_cryptography_version: "2.2" - - curve: sect571k1 - openssl_name: sect571k1 - min_cryptography_version: "0.5" - - curve: sect409k1 - openssl_name: sect409k1 - min_cryptography_version: "0.5" - - curve: sect283k1 - openssl_name: sect283k1 - min_cryptography_version: "0.5" - - curve: sect233k1 - openssl_name: sect233k1 - min_cryptography_version: "0.5" - - curve: sect163k1 - openssl_name: sect163k1 - min_cryptography_version: "0.5" - - curve: sect571r1 - openssl_name: sect571r1 - min_cryptography_version: "0.5" - - curve: sect409r1 - openssl_name: sect409r1 - min_cryptography_version: "0.5" - - curve: sect283r1 - openssl_name: sect283r1 - min_cryptography_version: "0.5" - - curve: sect233r1 - openssl_name: sect233r1 - min_cryptography_version: "0.5" - - curve: sect163r2 - openssl_name: sect163r2 - min_cryptography_version: "0.5" + - curve: secp384r1 + openssl_name: secp384r1 + min_cryptography_version: "0.5" + - curve: secp521r1 + openssl_name: secp521r1 + min_cryptography_version: "0.5" + - curve: secp224r1 + openssl_name: secp224r1 + min_cryptography_version: "0.5" + - curve: secp192r1 + openssl_name: prime192v1 + min_cryptography_version: "0.5" + - curve: secp256r1 + openssl_name: secp256r1 + 
min_cryptography_version: "0.5" + - curve: secp256k1 + openssl_name: secp256k1 + min_cryptography_version: "0.9" + - curve: brainpoolP256r1 + openssl_name: brainpoolP256r1 + min_cryptography_version: "2.2" + - curve: brainpoolP384r1 + openssl_name: brainpoolP384r1 + min_cryptography_version: "2.2" + - curve: brainpoolP512r1 + openssl_name: brainpoolP512r1 + min_cryptography_version: "2.2" + - curve: sect571k1 + openssl_name: sect571k1 + min_cryptography_version: "0.5" + - curve: sect409k1 + openssl_name: sect409k1 + min_cryptography_version: "0.5" + - curve: sect283k1 + openssl_name: sect283k1 + min_cryptography_version: "0.5" + - curve: sect233k1 + openssl_name: sect233k1 + min_cryptography_version: "0.5" + - curve: sect163k1 + openssl_name: sect163k1 + min_cryptography_version: "0.5" + - curve: sect571r1 + openssl_name: sect571r1 + min_cryptography_version: "0.5" + - curve: sect409r1 + openssl_name: sect409r1 + min_cryptography_version: "0.5" + - curve: sect283r1 + openssl_name: sect283r1 + min_cryptography_version: "0.5" + - curve: sect233r1 + openssl_name: sect233r1 + min_cryptography_version: "0.5" + - curve: sect163r2 + openssl_name: sect163r2 + min_cryptography_version: "0.5" - name: "({{ select_crypto_backend }}) Test ECC key generation" openssl_privatekey: 
@@ -180,29 +180,29 @@ register: privatekey_ecc_idempotency - block: - - name: "({{ select_crypto_backend }}) Test other type generation" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem' - type: "{{ item.type }}" - select_crypto_backend: '{{ select_crypto_backend }}' - when: cryptography_version.stdout is version(item.min_version, '>=') - loop: "{{ types }}" - loop_control: - label: "{{ item.type }}" - ignore_errors: true - register: privatekey_t1_generate + - name: "({{ select_crypto_backend }}) Test other type generation" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem' + type: "{{ item.type }}" + select_crypto_backend: '{{ select_crypto_backend }}' + when: cryptography_version.stdout is version(item.min_version, '>=') + loop: "{{ types }}" + loop_control: + label: "{{ item.type }}" + ignore_errors: true + register: privatekey_t1_generate - - name: "({{ select_crypto_backend }}) Test other type generation (idempotency)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem' - type: "{{ item.type }}" - select_crypto_backend: '{{ select_crypto_backend }}' - when: cryptography_version.stdout is version(item.min_version, '>=') - loop: "{{ types }}" - loop_control: - label: "{{ item.type }}" - ignore_errors: true - register: privatekey_t1_idempotency + - name: "({{ select_crypto_backend }}) Test other type generation (idempotency)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem' + type: "{{ item.type }}" + select_crypto_backend: '{{ select_crypto_backend }}' + when: cryptography_version.stdout is version(item.min_version, '>=') + loop: "{{ types }}" + loop_control: + label: "{{ item.type }}" + ignore_errors: true + register: privatekey_t1_idempotency when: select_crypto_backend == 'cryptography' vars: 
@@ -339,205 +339,204 @@ register: privatekey_mode_3_file_change - block: - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: auto - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_1 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: auto + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_1 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (idempotent)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: auto - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_2 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (idempotent)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: auto + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_2 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS1 format" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: pkcs1 - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_3 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS1 format" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: pkcs1 + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_3 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format" - 
openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: pkcs8 - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_4 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: pkcs8 + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_4 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (idempotent)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: pkcs8 - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_5 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (idempotent)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: pkcs8 + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_5 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (ignore)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: auto_ignore - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_6 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (ignore)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: auto_ignore + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_6 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (no ignore)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: auto - size: '{{ default_rsa_key_size }}' - 
select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_7 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (no ignore)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: auto + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_7 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - raw format (fail)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: raw - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - ignore_errors: true - register: privatekey_fmt_1_step_8 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - raw format (fail)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: raw + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + ignore_errors: true + register: privatekey_fmt_1_step_8 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)" - openssl_privatekey_info: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_9_before + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)" + openssl_privatekey_info: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_9_before - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - format: pkcs8 - format_mismatch: convert - size: '{{ default_rsa_key_size }}' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_9 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - 
PKCS8 format (convert)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + format: pkcs8 + format_mismatch: convert + size: '{{ default_rsa_key_size }}' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_9 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)" - openssl_privatekey_info: - path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' - select_crypto_backend: '{{ select_crypto_backend }}' - register: privatekey_fmt_1_step_9_after + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)" + openssl_privatekey_info: + path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem' + select_crypto_backend: '{{ select_crypto_backend }}' + register: privatekey_fmt_1_step_9_after when: 'select_crypto_backend == "cryptography"' - block: - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - PKCS8 format" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - type: X448 - format: pkcs8 - select_crypto_backend: '{{ select_crypto_backend }}' - ignore_errors: true - register: privatekey_fmt_2_step_1 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - PKCS8 format" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + type: X448 + format: pkcs8 + select_crypto_backend: '{{ select_crypto_backend }}' + ignore_errors: true + register: privatekey_fmt_2_step_1 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - PKCS8 format (idempotent)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - type: X448 - format: pkcs8 - select_crypto_backend: '{{ select_crypto_backend }}' - ignore_errors: true - register: privatekey_fmt_2_step_2 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - PKCS8 format (idempotent)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + type: X448 + format: pkcs8 + select_crypto_backend: 
'{{ select_crypto_backend }}' + ignore_errors: true + register: privatekey_fmt_2_step_2 - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - raw format" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - type: X448 - format: raw - select_crypto_backend: '{{ select_crypto_backend }}' - return_content: true - ignore_errors: true - register: privatekey_fmt_2_step_3 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - raw format" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + type: X448 + format: raw + select_crypto_backend: '{{ select_crypto_backend }}' + return_content: true + ignore_errors: true + register: privatekey_fmt_2_step_3 - - name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem" - slurp: - src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem" - ignore_errors: true - register: content + - name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem" + slurp: + src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem" + ignore_errors: true + register: content - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded" - assert: - that: - - privatekey_fmt_2_step_3.privatekey == content.content - when: privatekey_fmt_2_step_1 is not failed + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded" + assert: + that: + - privatekey_fmt_2_step_3.privatekey == content.content + when: privatekey_fmt_2_step_1 is not failed - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - raw format (idempotent)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - type: X448 - format: raw - select_crypto_backend: '{{ select_crypto_backend }}' - return_content: true - ignore_errors: true - register: privatekey_fmt_2_step_4 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - raw format (idempotent)" + openssl_privatekey: + path: 
'{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + type: X448 + format: raw + select_crypto_backend: '{{ select_crypto_backend }}' + return_content: true + ignore_errors: true + register: privatekey_fmt_2_step_4 - - name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem" - slurp: - src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem" - ignore_errors: true - register: content + - name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem" + slurp: + src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem" + ignore_errors: true + register: content - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded" - assert: - that: - - privatekey_fmt_2_step_4.privatekey == content.content - when: privatekey_fmt_2_step_1 is not failed + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded" + assert: + that: + - privatekey_fmt_2_step_4.privatekey == content.content + when: privatekey_fmt_2_step_1 is not failed - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - auto format (ignore)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - type: X448 - format: auto_ignore - select_crypto_backend: '{{ select_crypto_backend }}' - return_content: true - ignore_errors: true - register: privatekey_fmt_2_step_5 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - auto format (ignore)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + type: X448 + format: auto_ignore + select_crypto_backend: '{{ select_crypto_backend }}' + return_content: true + ignore_errors: true + register: privatekey_fmt_2_step_5 - - name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem" - slurp: - src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem" - ignore_errors: true - register: content + - name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem" + slurp: + src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem" + 
ignore_errors: true + register: content - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded" - assert: - that: - - privatekey_fmt_2_step_5.privatekey == content.content - when: privatekey_fmt_2_step_1 is not failed + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded" + assert: + that: + - privatekey_fmt_2_step_5.privatekey == content.content + when: privatekey_fmt_2_step_1 is not failed - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - auto format (no ignore)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - type: X448 - format: auto - select_crypto_backend: '{{ select_crypto_backend }}' - return_content: true - ignore_errors: true - register: privatekey_fmt_2_step_6 + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - auto format (no ignore)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + type: X448 + format: auto + select_crypto_backend: '{{ select_crypto_backend }}' + return_content: true + ignore_errors: true + register: privatekey_fmt_2_step_6 - - name: "({{ select_crypto_backend }}) Read private key" - slurp: - src: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' - register: slurp - when: privatekey_fmt_2_step_1 is not failed + - name: "({{ select_crypto_backend }}) Read private key" + slurp: + src: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem' + register: slurp + when: privatekey_fmt_2_step_1 is not failed - - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is not base64 encoded" - assert: - that: - - privatekey_fmt_2_step_6.privatekey == (slurp.content | b64decode) - when: privatekey_fmt_2_step_1 is not failed + - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is not base64 encoded" + assert: + that: + - privatekey_fmt_2_step_6.privatekey == (slurp.content 
| b64decode) + when: privatekey_fmt_2_step_1 is not failed when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")' - # Test regenerate option - name: "({{ select_crypto_backend }}) Regenerate - setup simple keys" 
@@ -771,105 +770,105 @@ - result.results[4] is changed - block: - - name: "({{ select_crypto_backend }}) Regenerate - redistribute keys" - copy: - src: '{{ remote_tmp_dir }}/regenerate-a-always.pem' - dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' - remote_src: true - loop: "{{ regenerate_values }}" - when: "item != 'always'" + - name: "({{ select_crypto_backend }}) Regenerate - redistribute keys" + copy: + src: '{{ remote_tmp_dir }}/regenerate-a-always.pem' + dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' + remote_src: true + loop: "{{ regenerate_values }}" + when: "item != 'always'" - - name: "({{ select_crypto_backend }}) Regenerate - format mismatch (check mode)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' - type: DSA - size: '{{ default_rsa_key_size }}' - format: pkcs8 - regenerate: '{{ item }}' - select_crypto_backend: '{{ select_crypto_backend }}' - check_mode: true - loop: "{{ regenerate_values }}" - ignore_errors: true - register: result - - assert: - that: - - result.results[0] is success and result.results[0] is not changed - - result.results[1] is failed - - "'Key has wrong format. Will not proceed.' in result.results[1].msg" - - result.results[2] is changed - - result.results[3] is changed - - result.results[4] is changed + - name: "({{ select_crypto_backend }}) Regenerate - format mismatch (check mode)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' + type: DSA + size: '{{ default_rsa_key_size }}' + format: pkcs8 + regenerate: '{{ item }}' + select_crypto_backend: '{{ select_crypto_backend }}' + check_mode: true + loop: "{{ regenerate_values }}" + ignore_errors: true + register: result + - assert: + that: + - result.results[0] is success and result.results[0] is not changed + - result.results[1] is failed + - "'Key has wrong format. Will not proceed.' 
in result.results[1].msg" + - result.results[2] is changed + - result.results[3] is changed + - result.results[4] is changed - - name: "({{ select_crypto_backend }}) Regenerate - format mismatch" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' - type: DSA - size: '{{ default_rsa_key_size }}' - format: pkcs8 - regenerate: '{{ item }}' - select_crypto_backend: '{{ select_crypto_backend }}' - loop: "{{ regenerate_values }}" - ignore_errors: true - register: result - - assert: - that: - - result.results[0] is success and result.results[0] is not changed - - result.results[1] is failed - - "'Key has wrong format. Will not proceed.' in result.results[1].msg" - - result.results[2] is changed - - result.results[3] is changed - - result.results[4] is changed + - name: "({{ select_crypto_backend }}) Regenerate - format mismatch" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' + type: DSA + size: '{{ default_rsa_key_size }}' + format: pkcs8 + regenerate: '{{ item }}' + select_crypto_backend: '{{ select_crypto_backend }}' + loop: "{{ regenerate_values }}" + ignore_errors: true + register: result + - assert: + that: + - result.results[0] is success and result.results[0] is not changed + - result.results[1] is failed + - "'Key has wrong format. Will not proceed.' 
in result.results[1].msg" + - result.results[2] is changed + - result.results[3] is changed + - result.results[4] is changed - - name: "({{ select_crypto_backend }}) Regenerate - redistribute keys" - copy: - src: '{{ remote_tmp_dir }}/regenerate-a-always.pem' - dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' - remote_src: true - loop: "{{ regenerate_values }}" - when: "item != 'always'" + - name: "({{ select_crypto_backend }}) Regenerate - redistribute keys" + copy: + src: '{{ remote_tmp_dir }}/regenerate-a-always.pem' + dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' + remote_src: true + loop: "{{ regenerate_values }}" + when: "item != 'always'" - - name: "({{ select_crypto_backend }}) Regenerate - convert format (check mode)" - openssl_privatekey: - path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' - type: DSA - size: '{{ default_rsa_key_size }}' - format: pkcs1 - format_mismatch: convert - regenerate: '{{ item }}' - select_crypto_backend: '{{ select_crypto_backend }}' - check_mode: true - loop: "{{ regenerate_values }}" - register: result - - assert: - that: - - result.results[0] is changed - - result.results[1] is changed - - result.results[2] is changed - - result.results[3] is changed - - result.results[4] is changed + - name: "({{ select_crypto_backend }}) Regenerate - convert format (check mode)" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' + type: DSA + size: '{{ default_rsa_key_size }}' + format: pkcs1 + format_mismatch: convert + regenerate: '{{ item }}' + select_crypto_backend: '{{ select_crypto_backend }}' + check_mode: true + loop: "{{ regenerate_values }}" + register: result + - assert: + that: + - result.results[0] is changed + - result.results[1] is changed + - result.results[2] is changed + - result.results[3] is changed + - result.results[4] is changed - - name: "({{ select_crypto_backend }}) Regenerate - convert format" - openssl_privatekey: - path: '{{ remote_tmp_dir 
}}/regenerate-a-{{ item }}.pem' - type: DSA - size: '{{ default_rsa_key_size }}' - format: pkcs1 - format_mismatch: convert - regenerate: '{{ item }}' - select_crypto_backend: '{{ select_crypto_backend }}' - loop: "{{ regenerate_values }}" - register: result - - assert: - that: - - result.results[0] is changed - - result.results[1] is changed - - result.results[2] is changed - - result.results[3] is changed - - result.results[4] is changed - # for all values but 'always', the key should have not been regenerated. - # verify this by comparing fingerprints: - - result.results[0].fingerprint == result.results[1].fingerprint - - result.results[0].fingerprint == result.results[2].fingerprint - - result.results[0].fingerprint == result.results[3].fingerprint - - result.results[0].fingerprint != result.results[4].fingerprint + - name: "({{ select_crypto_backend }}) Regenerate - convert format" + openssl_privatekey: + path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem' + type: DSA + size: '{{ default_rsa_key_size }}' + format: pkcs1 + format_mismatch: convert + regenerate: '{{ item }}' + select_crypto_backend: '{{ select_crypto_backend }}' + loop: "{{ regenerate_values }}" + register: result + - assert: + that: + - result.results[0] is changed + - result.results[1] is changed + - result.results[2] is changed + - result.results[3] is changed + - result.results[4] is changed + # for all values but 'always', the key should have not been regenerated. + # verify this by comparing fingerprints: + - result.results[0].fingerprint == result.results[1].fingerprint + - result.results[0].fingerprint == result.results[2].fingerprint + - result.results[0].fingerprint == result.results[3].fingerprint + - result.results[0].fingerprint != result.results[4].fingerprint when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")' 
diff --git a/tests/integration/targets/openssl_privatekey/tasks/main.yml b/tests/integration/targets/openssl_privatekey/tasks/main.yml index 9154bf9e..008b451f 100644 --- a/tests/integration/targets/openssl_privatekey/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey/tasks/main.yml @@ -27,9 +27,9 @@ - name: Compile list of elliptic curves supported by OpenSSL (CentOS 6) set_fact: openssl_ecc_list: - - secp384r1 - - secp521r1 - - prime256v1 + - secp384r1 + - secp521r1 + - prime256v1 when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6' - name: List of elliptic curves supported by OpenSSL @@ -41,13 +41,13 @@ size: '{{ default_rsa_key_size }}' - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml - vars: - select_crypto_backend: cryptography + - import_tasks: ../tests/validate.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('0.5', '>=') diff --git a/tests/integration/targets/openssl_privatekey/tests/validate.yml b/tests/integration/targets/openssl_privatekey/tests/validate.yml index 6cae2195..4452714e 100644 --- a/tests/integration/targets/openssl_privatekey/tests/validate.yml +++ b/tests/integration/targets/openssl_privatekey/tests/validate.yml @@ -111,7 +111,7 @@ - name: "({{ select_crypto_backend }}) Validate ECC generation" assert: that: - - item is changed + - item is changed loop: "{{ privatekey_ecc_generate.results }}" when: "'skip_reason' not in item" loop_control: 
@@ -120,7 +120,7 @@ - name: "({{ select_crypto_backend }}) Validate ECC generation (curve type)" assert: that: - - "'skip_reason' in item or item.item.item.openssl_name == item.stdout" + - "'skip_reason' in item or item.item.item.openssl_name == item.stdout" loop: "{{ privatekey_ecc_dump.results }}" when: "'skip_reason' not in item" loop_control: @@ -129,7 +129,7 @@ - name: "({{ select_crypto_backend }}) Validate ECC generation idempotency" assert: that: - - item is not changed + - item is not changed loop: "{{ privatekey_ecc_idempotency.results }}" when: "'skip_reason' not in item" loop_control: @@ -138,8 +138,8 @@ - name: "({{ select_crypto_backend }}) Validate other type generation (just check changed)" assert: that: - - (item is succeeded and item is changed) or - (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) + - (item is succeeded and item is changed) or + (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) loop: "{{ privatekey_t1_generate.results }}" when: "'skip_reason' not in item" loop_control: @@ -148,8 +148,8 @@ - name: "({{ select_crypto_backend }}) Validate other type generation idempotency" assert: that: - - (item is succeeded and item is not changed) or - (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) + - (item is succeeded and item is not changed) or + (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) loop: "{{ privatekey_t1_idempotency.results }}" when: "'skip_reason' not in item" loop_control: 
diff --git a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml index bfba7258..0e9eab80 100644 --- a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml @@ -56,9 +56,9 @@ format: pkcs8 - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('1.2.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml b/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml index 39a2d0eb..0f1fd5c1 100644 --- a/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml @@ -13,9 +13,9 @@ size: '{{ default_rsa_key_size }}' - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('0.5', '>=') diff --git a/tests/integration/targets/openssl_publickey/tasks/main.yml b/tests/integration/targets/openssl_publickey/tasks/main.yml index 50eb74db..ea425d9c 100644 --- a/tests/integration/targets/openssl_publickey/tasks/main.yml +++ b/tests/integration/targets/openssl_publickey/tasks/main.yml 
@@ -9,23 +9,23 @@ #################################################################### - block: - - name: Generate privatekey1 - standard - openssl_privatekey: - path: '{{ remote_tmp_dir }}/privatekey_autodetect.pem' - size: '{{ default_rsa_key_size }}' + - name: Generate privatekey1 - standard + openssl_privatekey: + path: '{{ remote_tmp_dir }}/privatekey_autodetect.pem' + size: '{{ default_rsa_key_size }}' - - name: Run module with backend autodetection - openssl_publickey: - path: '{{ remote_tmp_dir }}/privatekey_autodetect_public.pem' - privatekey_path: '{{ remote_tmp_dir }}/privatekey_autodetect.pem' + - name: Run module with backend autodetection + openssl_publickey: + path: '{{ remote_tmp_dir }}/privatekey_autodetect_public.pem' + privatekey_path: '{{ remote_tmp_dir }}/privatekey_autodetect.pem' - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography - - import_tasks: ../tests/validate.yml - vars: - select_crypto_backend: cryptography + - import_tasks: ../tests/validate.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('1.2.3', '>=') diff --git a/tests/integration/targets/prepare_http_tests/tasks/main.yml b/tests/integration/targets/prepare_http_tests/tasks/main.yml index bd5be7db..ac005966 100644 --- a/tests/integration/targets/prepare_http_tests/tasks/main.yml +++ b/tests/integration/targets/prepare_http_tests/tasks/main.yml @@ -29,4 +29,4 @@ - "{{ ansible_os_family | lower }}.yml" - "default.yml" when: - - has_httptester|bool + - has_httptester|bool diff --git a/tests/integration/targets/setup_openssl/tasks/main.yml b/tests/integration/targets/setup_openssl/tasks/main.yml index 3fa0224e..d1fb81f3 100644 --- a/tests/integration/targets/setup_openssl/tasks/main.yml +++ b/tests/integration/targets/setup_openssl/tasks/main.yml 
@@ -88,32 +88,32 @@ - when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6'] block: - - name: Install from system packages - when: ansible_os_family != "Darwin" and target_system_python - block: + - name: Install from system packages + when: ansible_os_family != "Darwin" and target_system_python + block: - - name: Install cryptography (Python 3 from system packages) - become: true - package: - name: '{{ cryptography_package_name_python3 }}' - when: ansible_python_version is version('3.0', '>=') + - name: Install cryptography (Python 3 from system packages) + become: true + package: + name: '{{ cryptography_package_name_python3 }}' + when: ansible_python_version is version('3.0', '>=') - - name: Install cryptography (Python 2 from system packages) - become: true - package: - name: '{{ cryptography_package_name }}' - when: ansible_python_version is version('3.0', '<') + - name: Install cryptography (Python 2 from system packages) + become: true + package: + name: '{{ cryptography_package_name }}' + when: ansible_python_version is version('3.0', '<') - - name: Install from PyPi - when: ansible_os_family == "Darwin" or not target_system_python - block: + - name: Install from PyPi + when: ansible_os_family == "Darwin" or not target_system_python + block: - - name: Install cryptography (PyPi) - become: true - pip: - name: 'cryptography{% if ansible_os_family == "Darwin" %}>=3.3{% endif %}' - state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}" - extra_args: "-c {{ remote_constraints }}" + - name: Install cryptography (PyPi) + become: true + pip: + name: 'cryptography{% if ansible_os_family == "Darwin" %}>=3.3{% endif %}' + state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}" + extra_args: "-c {{ remote_constraints }}" - name: Register cryptography version command: "{{ ansible_python.executable }} -c 'import cryptography; 
print(cryptography.__version__)'" diff --git a/tests/integration/targets/setup_pyopenssl/tasks/main.yml b/tests/integration/targets/setup_pyopenssl/tasks/main.yml index cd5a5260..aed2fe0a 100644 --- a/tests/integration/targets/setup_pyopenssl/tasks/main.yml +++ b/tests/integration/targets/setup_pyopenssl/tasks/main.yml 
@@ -12,55 +12,55 @@ when: ansible_os_family != "Darwin" and target_system_python block: - - name: Include OS-specific variables - include_vars: '{{ lookup("first_found", search) }}' - vars: - search: - files: - - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml' - - '{{ ansible_distribution }}.yml' - - '{{ ansible_os_family }}.yml' - paths: - - vars + - name: Include OS-specific variables + include_vars: '{{ lookup("first_found", search) }}' + vars: + search: + files: + - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml' + - '{{ ansible_distribution }}.yml' + - '{{ ansible_os_family }}.yml' + paths: + - vars - - when: has_pyopenssl - block: + - when: has_pyopenssl + block: - - name: Install pyOpenSSL (Python 3 from system packages) - become: true - package: - name: '{{ pyopenssl_package_name_python3 }}' - when: ansible_python_version is version('3.0', '>=') + - name: Install pyOpenSSL (Python 3 from system packages) + become: true + package: + name: '{{ pyopenssl_package_name_python3 }}' + when: ansible_python_version is version('3.0', '>=') - - name: Install pyOpenSSL (Python 2 from system packages) - become: true - package: - name: '{{ pyopenssl_package_name }}' - when: ansible_python_version is version('3.0', '<') + - name: Install pyOpenSSL (Python 2 from system packages) + become: true + package: + name: '{{ pyopenssl_package_name }}' + when: ansible_python_version is version('3.0', '<') - name: Install from PyPi when: ansible_os_family == "Darwin" or not target_system_python block: - - name: Install pyOpenSSL (PyPi) - become: true - pip: - name: pyOpenSSL - state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}" - extra_args: "-c {{ remote_constraints }}" + - name: Install pyOpenSSL (PyPi) + become: true + pip: + name: pyOpenSSL + state: 
"{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}" + extra_args: "-c {{ remote_constraints }}" - when: has_pyopenssl block: - - name: Register pyOpenSSL version - command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'" - register: pyopenssl_version + - name: Register pyOpenSSL version + command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'" + register: pyopenssl_version - - name: Register pyOpenSSL debug details - command: "{{ ansible_python.executable }} -m OpenSSL.debug" - register: pyopenssl_debug_version - ignore_errors: true + - name: Register pyOpenSSL debug details + command: "{{ ansible_python.executable }} -m OpenSSL.debug" + register: pyopenssl_debug_version + ignore_errors: true # Depending on which pyOpenSSL version has been installed, it could be that cryptography has # been upgraded to a newer version. Make sure to register cryptography_version another time here diff --git a/tests/integration/targets/setup_ssh_agent/tasks/main.yml b/tests/integration/targets/setup_ssh_agent/tasks/main.yml index 2e224fb8..70699002 100644 --- a/tests/integration/targets/setup_ssh_agent/tasks/main.yml +++ b/tests/integration/targets/setup_ssh_agent/tasks/main.yml @@ -33,7 +33,7 @@ - name: Assert agent socket file is a socket assert: - that: + that: - openssh_agent_socket_stat.stat.issock is defined - openssh_agent_socket_stat.stat.issock fail_msg: "{{ openssh_agent_sock }} is not a socket" diff --git a/tests/integration/targets/x509_certificate-acme/tasks/impl.yml b/tests/integration/targets/x509_certificate-acme/tasks/impl.yml index c83c19ee..cef59660 100644 --- a/tests/integration/targets/x509_certificate-acme/tasks/impl.yml +++ b/tests/integration/targets/x509_certificate-acme/tasks/impl.yml 
@@ -19,13 +19,13 @@ path: '{{ remote_tmp_dir }}/{{ item.name }}.csr' subject_alt_name: '{{ item.sans }}' loop: - - name: cert-1 - sans: - - DNS:example.com - - name: cert-2 - sans: - - DNS:example.com - - DNS:example.org + - name: cert-1 + sans: + - DNS:example.com + - name: cert-2 + sans: + - DNS:example.com + - DNS:example.org - name: Retrieve certificate 1 x509_certificate:
diff --git a/tests/integration/targets/x509_certificate-acme/tasks/main.yml b/tests/integration/targets/x509_certificate-acme/tasks/main.yml
index e8f2fff8..5a3702bc 100644
--- a/tests/integration/targets/x509_certificate-acme/tasks/main.yml
+++ b/tests/integration/targets/x509_certificate-acme/tasks/main.yml
@@ -9,51 +9,51 @@ #################################################################### - block: - - name: Obtain root and intermediate certificates - get_url: - url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}" - dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem" - loop: "{{ query('nested', types, root_numbers) }}" + - name: Obtain root and intermediate certificates + get_url: + url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}" + dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem" + loop: "{{ query('nested', types, root_numbers) }}" - - name: Analyze root certificates - x509_certificate_info: - path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem" - loop: "{{ root_numbers }}" - register: acme_roots + - name: Analyze root certificates + x509_certificate_info: + path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem" + loop: "{{ root_numbers }}" + register: acme_roots - - name: Analyze intermediate certificates - x509_certificate_info: - path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem" - loop: "{{ root_numbers }}" - register: acme_intermediates + - name: Analyze intermediate certificates + x509_certificate_info: + path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem" + loop: "{{ root_numbers }}" + register: acme_intermediates - - name: Read root certificates - slurp: - src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}" - loop: "{{ root_numbers }}" - register: slurp_roots + - name: Read root certificates + slurp: + src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}" + loop: "{{ root_numbers }}" + register: slurp_roots - - set_fact: - x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" - loop: "{{ acme_roots.results }}" - register: acme_roots_tmp + - set_fact: + x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" + loop: "{{ acme_roots.results }}" + register: 
acme_roots_tmp - - name: Read intermediate certificates - slurp: - src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}" - loop: "{{ root_numbers }}" - register: slurp_intermediates + - name: Read intermediate certificates + slurp: + src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}" + loop: "{{ root_numbers }}" + register: slurp_intermediates - - set_fact: - x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" - loop: "{{ acme_intermediates.results }}" - register: acme_intermediates_tmp + - set_fact: + x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" + loop: "{{ acme_intermediates.results }}" + register: acme_intermediates_tmp - - set_fact: - acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}" - acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}" - acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}" - acme_intermediate_certs: "{{ slurp_intermediates.results | map(attribute='content') | map('b64decode') | list }}" + - set_fact: + acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}" + acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}" + acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}" + acme_intermediate_certs: "{{ slurp_intermediates.results | map(attribute='content') | map('b64decode') | list }}" vars: types:
diff --git a/tests/integration/targets/x509_certificate/tasks/ownca.yml b/tests/integration/targets/x509_certificate/tasks/ownca.yml
index a9396e8a..18a2352e 100644
--- a/tests/integration/targets/x509_certificate/tasks/ownca.yml
+++ b/tests/integration/targets/x509_certificate/tasks/ownca.yml
@@ -22,7 +22,7 @@ subject: '{{ item.subject }}' useCommonNameForSAN: false basic_constraints: - - 'CA:TRUE' + - 'CA:TRUE' basic_constraints_critical: true loop: - path: '{{ remote_tmp_dir }}/ca_csr.csr'
@@ -41,7 +41,7 @@ commonName: Example CA useCommonNameForSAN: false basic_constraints: - - 'CA:TRUE' + - 'CA:TRUE' basic_constraints_critical: true - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (check mode)
@@ -603,11 +603,11 @@ commonName: Example CA useCommonNameForSAN: false basic_constraints: - - 'CA:TRUE' + - 'CA:TRUE' basic_constraints_critical: true key_usage: - - cRLSign - - keyCertSign + - cRLSign + - keyCertSign loop: - Ed25519 - Ed448
diff --git a/tests/integration/targets/x509_certificate/tasks/removal.yml b/tests/integration/targets/x509_certificate/tasks/removal.yml
index 2b93da0a..d7bdbfcb 100644
--- a/tests/integration/targets/x509_certificate/tasks/removal.yml
+++ b/tests/integration/targets/x509_certificate/tasks/removal.yml
@@ -50,8 +50,8 @@ - name: (Removal, {{select_crypto_backend}}) Ensure removal worked assert: that: - - removal_1_prestat.stat.exists - - removal_1 is changed - - not removal_1_poststat.stat.exists - - removal_2 is not changed - - removal_1.certificate is none + - removal_1_prestat.stat.exists + - removal_1 is changed + - not removal_1_poststat.stat.exists + - removal_2 is not changed + - removal_1.certificate is none
diff --git a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
index ade7e6f5..5b36b1fb 100644
--- a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
+++ b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
@@ -53,14 +53,14 @@ - ownca_certificate.certificate == ownca_certificate_idempotence.certificate - block: - - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2) - shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' - register: ownca_cert_v2_version + - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2) + shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' + register: ownca_cert_v2_version - - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert) - assert: - that: - - ownca_cert_v2_version.stdout == '2' + - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert) + assert: + that: + - ownca_cert_v2_version.stdout == '2' when: "select_crypto_backend != 'cryptography'" - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
diff --git a/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml b/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
index c7254eb3..74d74173 100644
--- a/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
+++ b/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
@@ -90,22 +90,22 @@ - selfsigned_certificate_csr_minimal_change is changed - block: - - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2) - shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' - register: cert_v2_version + - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2) + shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' + register: cert_v2_version - - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert) - assert: - that: - - cert_v2_version.stdout == '2' + - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert) + assert: + that: + - cert_v2_version.stdout == '2' when: select_crypto_backend != 'cryptography' - block: - - name: (Selfsigned validateion, {{ select_crypto_backend }} Validate certificate v2 is failed - assert: - that: - - selfsigned_v2_cert is failed - - "'The cryptography backend does not support v2 certificates' in selfsigned_v2_cert.msg" + - name: (Selfsigned validateion, {{ select_crypto_backend }} Validate certificate v2 is failed + assert: + that: + - selfsigned_v2_cert is failed + - "'The cryptography backend does not support v2 certificates' in selfsigned_v2_cert.msg" when: select_crypto_backend == 'cryptography' - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus)
diff --git a/tests/integration/targets/x509_certificate_convert/tasks/main.yml b/tests/integration/targets/x509_certificate_convert/tasks/main.yml
index 10192965..967284b4 100644
--- a/tests/integration/targets/x509_certificate_convert/tasks/main.yml
+++ b/tests/integration/targets/x509_certificate_convert/tasks/main.yml
@@ -125,17 +125,17 @@ selfsigned_not_after: "+10d" selfsigned_not_before: "-3d" loop: - - 1 - - 2 - - 3 + - 1 + - 2 + - 3 - name: Convert PEM files to DER command: cmd: openssl x509 -inform PEM -outform DER -in {{ remote_tmp_dir }}/cert_{{ item }}.pem -out {{ remote_tmp_dir }}/cert_{{ item }}.der loop: - - 1 - - 2 - - 3 + - 1 + - 2 + - 3 - name: Running tests include_tasks: impl.yml
diff --git a/tests/integration/targets/x509_certificate_info/tasks/impl.yml b/tests/integration/targets/x509_certificate_info/tasks/impl.yml
index 1da6177d..65a79c09 100644
--- a/tests/integration/targets/x509_certificate_info/tasks/impl.yml
+++ b/tests/integration/targets/x509_certificate_info/tasks/impl.yml
@@ -132,9 +132,9 @@ register: result - assert: that: - - result.valid_at.today - - not result.valid_at.past - - not result.valid_at.twentydays + - result.valid_at.today + - not result.valid_at.past + - not result.valid_at.twentydays - name: ({{select_crypto_backend}}) Get certificate info x509_certificate_info:
@@ -188,7 +188,9 @@ - result.extensions_by_oid | length == 9 # Precert Signed Certificate Timestamps - result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].critical == false - - result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].value == 'BIHvAO0AdADd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZYL7QgtAAAEAwBFMEMCIAXku/W4fMbkoOkHguRt8RfxVy6dgwpi9A8IDTRkOn1XAh9g9RjiBvMJdM/+UQS+WNXaxOqA5JzUfvCFjbYLbEZ5AHUADeHyMCvTDcFAYhIJ6lUu/Ed0fLHX6TDvDkIetH5OqjQAAAGWC+0H2AAABAMARjBEAiB26F5G8YPuZ11gAfEXqAFpVk01VcbOsS6w3dn2CJf6zgIgeEWCpg9tsQ8dB7/hU1zOmkZom62VDXvk8Cs+yscbQq4=' + - >- + result.extensions_by_oid['1.3.6.1.4.1.11129.2.4.2'].value == + 'BIHvAO0AdADd3Mo0ldfhFgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZYL7QgtAAAEAwBFMEMCIAXku/W4fMbkoOkHguRt8RfxVy6dgwpi9A8IDTRkOn1XAh9g9RjiBvMJdM/+UQS+WNXaxOqA5JzUfvCFjbYLbEZ5AHUADeHyMCvTDcFAYhIJ6lUu/Ed0fLHX6TDvDkIetH5OqjQAAAGWC+0H2AAABAMARjBEAiB26F5G8YPuZ11gAfEXqAFpVk01VcbOsS6w3dn2CJf6zgIgeEWCpg9tsQ8dB7/hU1zOmkZom62VDXvk8Cs+yscbQq4=' # Authority Information Access - result.extensions_by_oid['1.3.6.1.5.5.7.1.1'].critical == false - result.extensions_by_oid['1.3.6.1.5.5.7.1.1'].value == 'MGgwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmZvb2JhcmJhei5leGFtcGxlLmNvbTA3BggrBgEFBQcwAoYraHR0cDovL2NlcnQuZm9vYmFyYmF6LmV4YW1wbGUuY29tL2ludGVyLnBlbQ==' diff --git a/tests/integration/targets/x509_certificate_info/tasks/main.yml b/tests/integration/targets/x509_certificate_info/tasks/main.yml index 45d91a25..f9bcbe6e 100644 --- a/tests/integration/targets/x509_certificate_info/tasks/main.yml +++ b/tests/integration/targets/x509_certificate_info/tasks/main.yml @@ -140,10 +140,10 @@ selfsigned_not_after: "+10d" selfsigned_not_before: "-3d" loop: - - 1 - - 2 - - 3 - - 4 + - 1 + - 2 + - 3 + - 4 - name: Running tests with cryptography backend include_tasks: impl.yml diff --git a/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml b/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml index 1c4bad26..f0b75be2 100644 
--- a/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml
+++ b/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml
@@ -19,18 +19,18 @@ commonName: '{{ item.cn }}' select_crypto_backend: '{{ select_crypto_backend }}' loop: - - name: cert - key: privatekey - cn: www.ansible.com - - name: cert-2 - key: privatekey - cn: ansible.com - - name: cert-3 - key: privatekey2 - cn: example.com - - name: cert-4 - key: privatekey2 - cn: example.org + - name: cert + key: privatekey + cn: www.ansible.com + - name: cert-2 + key: privatekey + cn: ansible.com + - name: cert-3 + key: privatekey2 + cn: example.com + - name: cert-4 + key: privatekey2 + cn: example.org ## Self Signed
diff --git a/tests/integration/targets/x509_certificate_pipe/tasks/main.yml b/tests/integration/targets/x509_certificate_pipe/tasks/main.yml
index c077d78a..635ed5a1 100644
--- a/tests/integration/targets/x509_certificate_pipe/tasks/main.yml
+++ b/tests/integration/targets/x509_certificate_pipe/tasks/main.yml
@@ -18,9 +18,9 @@ privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem' - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography when: cryptography_version.stdout is version('1.6', '>=')
diff --git a/tests/integration/targets/x509_crl/tasks/main.yml b/tests/integration/targets/x509_crl/tasks/main.yml
index 6014722f..ee10f186 100644
--- a/tests/integration/targets/x509_crl/tasks/main.yml
+++ b/tests/integration/targets/x509_crl/tasks/main.yml
@@ -78,16 +78,16 @@ x509_certificate_info: path: '{{ remote_tmp_dir }}/{{ item }}.pem' loop: - - cert-1 - - cert-2 - - cert-3 - - cert-4 + - cert-1 + - cert-2 + - cert-3 + - cert-4 register: certificate_infos - block: - - name: Running tests - include_tasks: impl.yml + - name: Running tests + include_tasks: impl.yml - - import_tasks: ../tests/validate.yml + - import_tasks: ../tests/validate.yml when: cryptography_version.stdout is version('1.2', '>=')