From 4ab45e8c210896c3752e2c3c7254f730d523ddf1 Mon Sep 17 00:00:00 2001
From: Andrew Pantuso
Date: Sat, 21 May 2022 10:43:54 -0400
Subject: [PATCH] ci: enable rhel9.0 tests for openssh_cert (#463)
* ci: enable rhel9.0 tests for openssh_cert
* ci: allow openssh_cert second signature algorithm test for versions >8.7
* ci: narrowing condition to not attempt RSA1 signing exclusively on RHEL >=9
* ci: grouping and documenting condition
---
 .../integration/targets/openssh_cert/aliases | 1 -
 .../openssh_cert/tests/key_idempotency.yml | 32 +++++++++++--------
 2 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/tests/integration/targets/openssh_cert/aliases b/tests/integration/targets/openssh_cert/aliases
index d84d0772..6eae8bd8 100644
--- a/tests/integration/targets/openssh_cert/aliases
+++ b/tests/integration/targets/openssh_cert/aliases
@@ -1,3 +1,2 @@
 shippable/posix/group1
 destructive
-skip/rhel9.0 # TODO figure out why and fix
diff --git a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
index 8d3157d2..1d005dcc 100644
--- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
+++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
@@ -53,21 +53,25 @@ that: - updated_signature_algorithm_idempotent is not changed - - name: Generate cert with original signature algorithm - openssh_cert: - type: user - path: "{{ certificate_path }}" - public_key: "{{ public_key }}" - signing_key: "{{ signing_key }}" - signature_algorithm: ssh-rsa - valid_from: always - valid_to: forever - register: second_signature_algorithm + - block: + - name: Generate cert with original signature algorithm + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + signature_algorithm: ssh-rsa + valid_from: always + valid_to: forever + register: second_signature_algorithm - - name: Assert second signature algorithm update causes change - assert: - that: - - second_signature_algorithm is changed + - name: Assert second signature algorithm update causes change + assert: + that: + - second_signature_algorithm is changed + # RHEL9 disables SHA-1 algorithms by default making this test fail with a 'libcrypt' error. Other systems which + # impose a similar restriction may also need to skip this block in the future. + when: not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9) - name: Omit signature algorithm openssh_cert:
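Review bot: The `when:` closing the new block tests the distribution name instead of the restriction it works around, so the `ssh-rsa` signing task is skipped only where `ansible_facts['distribution']` is exactly "RedHat". Other hosts that disable SHA-1 signatures by default (the comment already anticipates them) would still run the block and fail; if the test matrix includes RHEL 9 rebuilds, `when: not (ansible_facts['os_family'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)` covers them with the same shape. The comment's 'libcrypt' is presumably OpenSSH's "error in libcrypto" message and is worth spelling exactly so the failure can be grepped. Where the block is skipped the certificate keeps the signature algorithm set by the earlier tasks, so it is worth confirming that the "Omit signature algorithm" task, whose body continues outside the hunk, does not rely on the `ssh-rsa` state.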