Extend CI (#283)

* Run all tests on all targets. Remove hack in setup_acme.

* Fix some failing tests.

* OpenSSH tests do not work yet with default image on Ansible 2.9. Let's skip them on the cloud target.

* Make tests pass again.

* Make sure to install *latest* versions of cryptography and pyOpenSSL when not installing system packages, whenever possible.

ci_complete

* Update/fix aliases files.

tests/integration/targets/acme_account/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_account_info/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_certificate/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_certificate/meta/main.yml

@@ -1,4 +1,5 @@
 dependencies:
   - setup_acme
+  - setup_pyopenssl  # needed for Ubuntu 16.04
   - setup_remote_tmp_dir
   - prepare_jinja2_compat

tests/integration/targets/acme_certificate_revoke/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_challenge_cert_helper/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/acme_inspect/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/certificate_complete_chain/aliases

@@ -1 +1,2 @@
+shippable/cloud/group1
 shippable/posix/group1

tests/integration/targets/get_certificate/aliases

@@ -1,3 +1,4 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive
 needs/httptester

tests/integration/targets/openssl_csr/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_csr_info/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_csr_pipe/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_dhparam/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_pkcs12/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_privatekey/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_privatekey_info/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_privatekey_pipe/aliases

@@ -1,3 +1,4 @@
 context/controller
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_publickey/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_publickey_info/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/openssl_signature/aliases

@@ -1,3 +1,4 @@
+shippable/cloud/group1
 shippable/posix/group1
 openssl_signature_info
 destructive

tests/integration/targets/setup_acme/meta/main.yml

@@ -1,4 +1,3 @@
 dependencies:
-#  - setup_openssl
-  - setup_remote_constraints
+  - setup_openssl
   - setup_remote_tmp_dir

tests/integration/targets/setup_acme/tasks/main.yml

@@ -4,24 +4,5 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
-# BEGIN HACK: remove whenever we know how to properly detect 'default' docker container !!!!!!!!!!!!!!!!!!!!!
-- name: Default value for OpenSSL binary path
-  set_fact:
-    openssl_binary: openssl
-
-- name: Make sure cryptography is installed
-  pip:
-    name: cryptography
-    extra_args: "-c {{ remote_constraints }}"
-
-- name: Register openssl version
-  shell: "{{ openssl_binary }}  version | cut -d' ' -f2"
-  register: openssl_version
-
-- name: Register cryptography version
-  command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
-  register: cryptography_version
-# END HACK !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
 - debug:
     msg: "ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"

tests/integration/targets/setup_acme/vars/main.yml

@@ -1 +0,0 @@
-../../setup_openssl/vars/main.yml

tests/integration/targets/setup_openssl/tasks/main.yml

@@ -106,6 +106,7 @@
       become: true
       pip:
         name: 'cryptography{% if ansible_os_family == "Darwin" %}>=3.3{% endif %}'
+        state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}"
         extra_args: "-c {{ remote_constraints }}"
 
 - name: Register cryptography version

tests/integration/targets/setup_pyopenssl/tasks/main.yml

@@ -31,6 +31,7 @@
     become: true
     pip:
       name: pyOpenSSL
+      state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}"
       extra_args: "-c {{ remote_constraints }}"
 
 - name: Register pyOpenSSL version

tests/integration/targets/setup_python_info/filter_plugins/version_filter.py

@@ -24,10 +24,31 @@ def get_major_minor_version(version):
     return '.'.join(parts)
 
 
+def version_lookup(data, distribution, os_family, distribution_version, distribution_major_version, python_version, default_value=False):
+    if distribution in data:
+        data = data[distribution]
+    elif os_family in data:
+        data = data[os_family]
+    else:
+        return default_value
+
+    if distribution_version in data:
+        data = data[distribution_version]
+    elif get_major_minor_version(distribution_version) in data:
+        data = data[get_major_minor_version(distribution_version)]
+    elif str(distribution_major_version) in data:
+        data = data[str(distribution_major_version)]
+    else:
+        return default_value
+
+    return python_version in data
+
+
 class FilterModule(object):
     """ IP address and network manipulation filters """
 
     def filters(self):
         return {
             'internal__get_major_minor_version': get_major_minor_version,
+            'internal__version_lookup': version_lookup,
         }

tests/integration/targets/setup_python_info/tasks/main.yml

@@ -25,31 +25,45 @@
   set_fact:
     target_system_python: >-
       {{
-        (ansible_facts.python.version.major ~ '.' ~ ansible_facts.python.version.minor)
-        in
-        (
-          system_python_version_data[ansible_facts.distribution] |
-          default(system_python_version_data[ansible_facts.os_family])
-        )[ansible_facts.distribution_version | internal__get_major_minor_version]
-        | default(
-          (
-            system_python_version_data[ansible_facts.distribution] |
-            default(system_python_version_data[ansible_facts.os_family])
-          )[ansible_facts.distribution_major_version]
+        system_python_version_data |
+        internal__version_lookup(
+          ansible_facts.distribution,
+          ansible_facts.os_family,
+          ansible_facts.distribution_version,
+          ansible_facts.distribution_major_version,
+          ansible_facts.python.version.major ~ '.' ~ ansible_facts.python.version.minor
+        )
+      }}
+    target_system_python_cannot_upgrade_cryptography: >-
+      {{
+        cannot_upgrade_cryptography |
+        internal__version_lookup(
+          ansible_facts.distribution,
+          ansible_facts.os_family,
+          ansible_facts.distribution_version,
+          ansible_facts.distribution_major_version,
+          ansible_facts.python.version.major ~ '.' ~ ansible_facts.python.version.minor
         )
       }}
     controller_system_python: >-
       {{
-        (hostvars['localhost'].ansible_facts.python.version.major ~ '.' ~ hostvars['localhost'].ansible_facts.python.version.minor)
-        in
-        (
-          system_python_version_data[hostvars['localhost'].ansible_facts.distribution] |
-          default(system_python_version_data[hostvars['localhost'].ansible_facts.os_family])
-        )[ansible_facts.distribution_version | internal__get_major_minor_version]
-        | default(
-          (
-            system_python_version_data[hostvars['localhost'].ansible_facts.distribution] |
-            default(system_python_version_data[hostvars['localhost'].ansible_facts.os_family])
-          )[hostvars['localhost'].ansible_facts.distribution_major_version]
+        system_python_version_data |
+        internal__version_lookup(
+          hostvars['localhost'].ansible_facts.distribution,
+          hostvars['localhost'].ansible_facts.os_family,
+          hostvars['localhost'].ansible_facts.distribution_version,
+          hostvars['localhost'].ansible_facts.distribution_major_version,
+          hostvars['localhost'].ansible_facts.python.version.major ~ '.' ~ hostvars['localhost'].ansible_facts.python.version.minor
+        )
+      }}
+    controller_system_python_cannot_upgrade_cryptography: >-
+      {{
+        cannot_upgrade_cryptography |
+        internal__version_lookup(
+          hostvars['localhost'].ansible_facts.distribution,
+          hostvars['localhost'].ansible_facts.os_family,
+          hostvars['localhost'].ansible_facts.distribution_version,
+          hostvars['localhost'].ansible_facts.distribution_major_version,
+          hostvars['localhost'].ansible_facts.python.version.major ~ '.' ~ hostvars['localhost'].ansible_facts.python.version.minor
         )
       }}

tests/integration/targets/setup_python_info/vars/main.yml

@@ -48,3 +48,10 @@ system_python_version_data:
     '15':
       - '2.7'
       - '3.6'
+
+cannot_upgrade_cryptography:
+  FreeBSD:
+    '12.2':
+      - '3.8'  # on the VMs in CI, system packages are used for this version as well
+    '13.0':
+      - '3.8'  # on the VMs in CI, system packages are used for this version as well

tests/integration/targets/x509_certificate-acme/aliases

@@ -1,2 +1,14 @@
 shippable/cloud/group1
 cloud/acme
+
+# Since skipping below fails miserably with ansible-core 2.11 and earlier, we have to skip all POSIX tests...
+# (https://github.com/ansible/ansible/issues/75711)
+# shippable/posix/group1
+
+# Skip all VMs, since we cannot talk to the ACME simulator from these:
+# (TODO: remove when ansible-core 2.12 is the earliest version we support)
+# skip/aix
+# skip/freebsd
+# skip/macos
+# skip/osx
+# skip/rhel

tests/integration/targets/x509_certificate-acme/meta/main.yml

@@ -1,4 +1,5 @@
 dependencies:
   - setup_acme
+  - setup_pyopenssl  # needed for Ubuntu 16.04
   - setup_remote_tmp_dir
   - prepare_jinja2_compat

tests/integration/targets/x509_certificate/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/x509_certificate_info/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/x509_certificate_pipe/aliases

@@ -1,2 +1,3 @@
+shippable/cloud/group1
 shippable/posix/group1
 destructive

tests/integration/targets/x509_crl/aliases

@@ -1,3 +1,4 @@
+shippable/cloud/group1
 shippable/posix/group1
 x509_crl_info
 destructive