Avoid crash in check mode (#243)

* Do not let AnsibleModule crash when setting permissions on not yet existing files in check mode. * Add tests. * Fix bugs.
2026-05-08 06:13:03 +00:00 · 2021-06-02 16:44:26 +02:00
parent a466df9c52
commit 376d7cde12
21 changed files with 181 additions and 18 deletions
--- a/tests/integration/targets/openssl_dhparam/tasks/impl.yml
+++ b/tests/integration/targets/openssl_dhparam/tasks/impl.yml
@@ -1,6 +1,15 @@
 ---
 # The tests for this module generate unsafe parameters for testing purposes;
 # otherwise tests would be too slow. Use sizes of at least 2048 in production!
+- name: "[{{ select_crypto_backend }}] Generate parameter (check mode)"
+  openssl_dhparam:
+    size: 768
+    path: '{{ output_dir }}/dh768.pem'
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    return_content: yes
+  check_mode: true
+  register: dhparam_check
+
 - name: "[{{ select_crypto_backend }}] Generate parameter"
  openssl_dhparam:
    size: 768
@@ -9,6 +18,15 @@
    return_content: yes
  register: dhparam

+- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change (check mode)"
+  openssl_dhparam:
+    size: 768
+    path: '{{ output_dir }}/dh768.pem'
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    return_content: yes
+  check_mode: true
+  register: dhparam_changed_check
+
 - name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change"
  openssl_dhparam:
    size: 768
--- a/tests/integration/targets/openssl_dhparam/tests/validate.yml
+++ b/tests/integration/targets/openssl_dhparam/tests/validate.yml
@@ -26,6 +26,9 @@
 - name: "[{{ select_crypto_backend }}] Check if changed works correctly"
  assert:
    that:
+      - dhparam_check is changed
+      - dhparam is changed
+      - dhparam_changed_check is not changed
      - dhparam_changed is not changed
      - dhparam_changed_512 is not changed
      - dhparam_changed_to_512 is changed
--- a/tests/integration/targets/openssl_pkcs12/tasks/impl.yml
+++ b/tests/integration/targets/openssl_pkcs12/tasks/impl.yml
@@ -1,4 +1,16 @@
 - block:
+  - name: "({{ select_crypto_backend }}) Generate PKCS#12 file (check mode)"
+    openssl_pkcs12:
+      select_crypto_backend: '{{ select_crypto_backend }}'
+      path: '{{ output_dir }}/ansible.p12'
+      friendly_name: abracadabra
+      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      certificate_path: '{{ output_dir }}/ansible1.crt'
+      state: present
+      return_content: true
+    check_mode: true
+    register: p12_standard_check
+
  - name: "({{ select_crypto_backend }}) Generate PKCS#12 file"
    openssl_pkcs12:
      select_crypto_backend: '{{ select_crypto_backend }}'
@@ -10,6 +22,18 @@
      return_content: true
    register: p12_standard

+  - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (check mode)"
+    openssl_pkcs12:
+      select_crypto_backend: '{{ select_crypto_backend }}'
+      path: '{{ output_dir }}/ansible.p12'
+      friendly_name: abracadabra
+      privatekey_path: '{{ output_dir }}/ansible_pkey1.pem'
+      certificate_path: '{{ output_dir }}/ansible1.crt'
+      state: present
+      return_content: true
+    check_mode: true
+    register: p12_standard_idempotency_check
+
  - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency"
    openssl_pkcs12:
      select_crypto_backend: '{{ select_crypto_backend }}'
--- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml
+++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml
@@ -14,17 +14,20 @@
 - name: '({{ select_crypto_backend }}) Validate PKCS#12 (assert)'
  assert:
    that:
+      - p12_standard_check is changed
+      - p12_standard is changed
      - p12.stdout_lines[2].split(':')[-1].strip() == 'abracadabra'
      - p12_standard.mode == '0400'
-      - p12_no_pkey.changed
+      - p12_no_pkey is changed
      - p12_validate_no_pkey.stdout_lines[-1] == '-----END CERTIFICATE-----'
-      - p12_force.changed
+      - p12_force is changed
      - p12_force_and_mode.mode == '0644' and p12_force_and_mode.changed
-      - p12_dumped.changed
-      - not p12_standard_idempotency.changed
-      - not p12_multiple_certs_idempotency.changed
-      - not p12_dumped_idempotency.changed
-      - not p12_dumped_check_mode.changed
+      - p12_dumped is changed
+      - p12_standard_idempotency is not changed
+      - p12_standard_idempotency_check is not changed
+      - p12_multiple_certs_idempotency is not changed
+      - p12_dumped_idempotency is not changed
+      - p12_dumped_check_mode is not changed
      - "'www1.' in p12_validate_multi_certs.stdout"
      - "'www2.' in p12_validate_multi_certs.stdout"
      - "'www3.' in p12_validate_multi_certs.stdout"
--- a/tests/integration/targets/openssl_privatekey/tasks/impl.yml
+++ b/tests/integration/targets/openssl_privatekey/tasks/impl.yml
@@ -1,4 +1,12 @@
 ---
+- name: "({{ select_crypto_backend }}) Generate privatekey1 - standard (check mode)"
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey1.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    return_content: yes
+  check_mode: true
+  register: privatekey1_check
+
 - name: "({{ select_crypto_backend }}) Generate privatekey1 - standard"
  openssl_privatekey:
    path: '{{ output_dir }}/privatekey1.pem'
@@ -6,6 +14,14 @@
    return_content: yes
  register: privatekey1

+- name: "({{ select_crypto_backend }}) Generate privatekey1 - standard (idempotence, check mode)"
+  openssl_privatekey:
+    path: '{{ output_dir }}/privatekey1.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    return_content: yes
+  check_mode: true
+  register: privatekey1_idempotence_check
+
 - name: "({{ select_crypto_backend }}) Generate privatekey1 - standard (idempotence)"
  openssl_privatekey:
    path: '{{ output_dir }}/privatekey1.pem'
--- a/tests/integration/targets/openssl_privatekey/tests/validate.yml
+++ b/tests/integration/targets/openssl_privatekey/tests/validate.yml
@@ -5,6 +5,9 @@
 - name: "({{ select_crypto_backend }}) Validate privatekey1 idempotency and content returned"
  assert:
    that:
+      - privatekey1_check is changed
+      - privatekey1 is changed
+      - privatekey1_idempotence_check is not changed
      - privatekey1_idempotence is not changed
      - privatekey1.privatekey == lookup('file', output_dir ~ '/privatekey1.pem', rstrip=False)
      - privatekey1.privatekey == privatekey1_idempotence.privatekey
--- a/tests/integration/targets/openssl_publickey/tasks/impl.yml
+++ b/tests/integration/targets/openssl_publickey/tasks/impl.yml
@@ -4,6 +4,15 @@
    path: '{{ output_dir }}/privatekey.pem'
    size: '{{ default_rsa_key_size }}'

+- name: "({{ select_crypto_backend }}) Generate publickey - PEM format (check mode)"
+  openssl_publickey:
+    path: '{{ output_dir }}/publickey.pub'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    return_content: yes
+  check_mode: true
+  register: publickey_check
+
 - name: "({{ select_crypto_backend }}) Generate publickey - PEM format"
  openssl_publickey:
    path: '{{ output_dir }}/publickey.pub'
@@ -12,6 +21,15 @@
    return_content: yes
  register: publickey

+- name: "({{ select_crypto_backend }}) Generate publickey - PEM format (check mode, idempotence)"
+  openssl_publickey:
+    path: '{{ output_dir }}/publickey.pub'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+    return_content: yes
+  check_mode: true
+  register: publickey_check2
+
 - name: "({{ select_crypto_backend }}) Generate publickey - PEM format (idempotence)"
  openssl_publickey:
    path: '{{ output_dir }}/publickey.pub'
@@ -20,6 +38,14 @@
    return_content: yes
  register: publickey_idempotence

+- name: "({{ select_crypto_backend }}) Verify check mode"
+  assert:
+    that:
+      - publickey_check is changed
+      - publickey is changed
+      - publickey_check2 is not changed
+      - publickey_idempotence is not changed
+
 - name: "({{ select_crypto_backend }}) Generate publickey - OpenSSH format"
  openssl_publickey:
    path: '{{ output_dir }}/publickey-ssh.pub'
--- a/tests/integration/targets/x509_certificate/tasks/ownca.yml
+++ b/tests/integration/targets/x509_certificate/tasks/ownca.yml
@@ -35,6 +35,17 @@
    - 'CA:TRUE'
    basic_constraints_critical: yes

+- name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (check mode)
+  x509_certificate:
+    path: '{{ output_dir }}/ca_cert.pem'
+    csr_path: '{{ output_dir }}/ca_csr.csr'
+    privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  check_mode: true
+  register: result_check_mode
+
 - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate
  x509_certificate:
    path: '{{ output_dir }}/ca_cert.pem'
@@ -43,6 +54,13 @@
    provider: selfsigned
    selfsigned_digest: sha256
    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+
+- name: (OwnCA, {{select_crypto_backend}}) Verify changed
+  assert:
+    that:
+      - result_check_mode is changed
+      - result is changed

 - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate (privatekey passphrase)
  x509_certificate:
--- a/tests/integration/targets/x509_crl/tasks/impl.yml
+++ b/tests/integration/targets/x509_crl/tasks/impl.yml
@@ -20,6 +20,27 @@
  check_mode: yes
  register: crl_1_check

+- name: Create CRL 1 (check mode)
+  x509_crl:
+    path: '{{ output_dir }}/ca-crl1.crl'
+    privatekey_path: '{{ output_dir }}/ca.key'
+    issuer:
+      CN: Ansible
+    last_update: 20191013000000Z
+    next_update: 20191113000000Z
+    revoked_certificates:
+      - path: '{{ output_dir }}/cert-1.pem'
+        revocation_date: 20191013000000Z
+      - path: '{{ output_dir }}/cert-2.pem'
+        revocation_date: 20191013000000Z
+        reason: key_compromise
+        reason_critical: yes
+        invalidity_date: 20191012000000Z
+      - serial_number: 1234
+        revocation_date: 20191001000000Z
+  check_mode: true
+  register: crl_1_check
+
 - name: Create CRL 1
  x509_crl:
    path: '{{ output_dir }}/ca-crl1.crl'
@@ -40,6 +61,11 @@
        revocation_date: 20191001000000Z
  register: crl_1

+- assert:
+    that:
+      - crl_1_check is changed
+      - crl_1 is changed
+
 - name: Retrieve CRL 1 infos
  x509_crl_info:
    path: '{{ output_dir }}/ca-crl1.crl'