Add EE support (#440)

* Add EE files.

* Install cryptography and PyOpenSSL from PyPi.

* Revert "Install cryptography and PyOpenSSL from PyPi."

This reverts commit 6b90a1efae.

* Only run test when cryptography has a new enough version.

* And another one.

* Extend changelog.

tests/ee/all.yml

@@ -0,0 +1,34 @@
+- hosts: localhost
+  tasks:
+    - name: Register cryptography version
+      command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
+      register: cryptography_version
+
+    - name: Determine output directory
+      set_fact:
+        output_path: "{{ 'output-%0x' % ((2**32) | random) }}"
+
+    - name: Find all roles
+      ansible.builtin.find:
+        paths:
+          - "{{ (playbook_dir | default('.')) ~ '/roles' }}"
+        file_type: directory
+        depth: 1
+      register: result
+
+    - name: Create output directory
+      ansible.builtin.file:
+        path: "{{ output_path }}"
+        state: directory
+
+    - block:
+      - name: Include all roles
+        ansible.builtin.include_role:
+          name: "{{ item }}"
+        loop: "{{ result.files | map(attribute='path') | map('regex_replace', '.*/', '') | sort }}"
+
+      always:
+      - name: Remove output directory
+        ansible.builtin.file:
+          path: "{{ output_path }}"
+          state: absent

tests/ee/roles/crypto_info/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Run crypto_info
+  community.crypto.crypto_info:
+  register: result
+
+- name: Dump result
+  debug:
+    var: result
+
+- name: Validate result
+  assert:
+    that:
+      - result.openssl_present
+      - result.python_cryptography_installed
+      - result.python_cryptography_capabilities.has_dsa
+      - result.python_cryptography_capabilities.has_dsa_sign
+      - result.python_cryptography_capabilities.has_ec
+      - result.python_cryptography_capabilities.has_ec_sign
+      - result.python_cryptography_capabilities.has_ed25519
+      - result.python_cryptography_capabilities.has_ed25519_sign
+      - result.python_cryptography_capabilities.has_ed448
+      - result.python_cryptography_capabilities.has_ed448_sign
+      - result.python_cryptography_capabilities.has_rsa
+      - result.python_cryptography_capabilities.has_rsa_sign
+      - result.python_cryptography_capabilities.has_x25519
+      - result.python_cryptography_capabilities.has_x25519_serialization
+      - result.python_cryptography_capabilities.has_x448

tests/ee/roles/luks_device/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: Run cryptsetup (smoke test)
+  ansible.builtin.command: cryptsetup --version
+
+- name: Determine cryptfile path
+  ansible.builtin.set_fact:
+    cryptfile_path: "{{ output_path }}/cryptfile"
+    keyfile_path: "{{ output_path }}/keyfile"
+
+- name: Create cryptfile
+  ansible.builtin.command: dd if=/dev/zero of={{ cryptfile_path }} bs=1M count=32
+
+- name: Create keyfile
+  ansible.builtin.copy:
+    dest: "{{ keyfile_path }}"
+    content: hunter2
+
+- # Creating devices doesn't work well. We will have to try this again when luks_device
+  # supports working with container files directly.
+  when: false
+  block:
+  - name: Create lookback device
+    command: losetup -f {{ cryptfile_path }}
+
+  - name: Determine loop device name
+    command: losetup -j {{ cryptfile_path }} --output name
+    register: cryptfile_device_output
+
+  - set_fact:
+      cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
+
+  - name: Create LUKS container
+    community.crypto.luks_device:
+      device: "{{ cryptfile_device }}"
+      # device: "{{ cryptfile_path }}"
+      state: present
+      keyfile: "{{ keyfile_path }}"
+      pbkdf:
+        iteration_time: 0.1
+
+  - name: Destroy LUKS container
+    community.crypto.luks_device:
+      device: "{{ cryptfile_device }}"
+      # device: "{{ cryptfile_path }}"
+      state: absent

tests/ee/roles/openssh_keypair/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Generate key with OpenSSH binary backend
+  community.crypto.openssh_keypair:
+    path: "{{ output_path }}/openssh-key-1"
+    size: 2048
+    backend: opensshbin
+
+- name: Generate key with cryptography backend
+  community.crypto.openssh_keypair:
+    path: "{{ output_path }}/openssh-key-2"
+    size: 2048
+    backend: cryptography
+  when: cryptography_version.stdout is ansible.builtin.version('3.0', '>=')

tests/ee/roles/openssl_pkcs12/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Create private key
+  community.crypto.openssl_privatekey:
+    path: "{{ output_path }}/pkcs12-cert.key"
+    type: ECC
+    curve: secp256r1
+
+- name: Create CSR
+  community.crypto.openssl_csr:
+    path: "{{ output_path }}/pkcs12-cert.csr"
+    privatekey_path: "{{ output_path }}/pkcs12-cert.key"
+
+- name: Create certificate
+  community.crypto.x509_certificate:
+    path: "{{ output_path }}/pkcs12-cert.pem"
+    csr_path: "{{ output_path }}/pkcs12-cert.csr"
+    privatekey_path: "{{ output_path }}/pkcs12-cert.key"
+    provider: selfsigned
+
+- name: Create PKCS#12 with cryptography backend
+  community.crypto.openssl_pkcs12:
+    action: export
+    path: "{{ output_path }}/pkcs12-1.p12"
+    mode: '0644'
+    friendly_name: foo
+    privatekey_path: "{{ output_path }}/pkcs12-cert.key"
+    certificate_path: "{{ output_path }}/pkcs12-cert.pem"
+    state: present
+    select_crypto_backend: cryptography
+  when: cryptography_version.stdout is ansible.builtin.version('3.0', '>=')
+
+- name: Create PKCS#12 with PyOpenSSL backend
+  community.crypto.openssl_pkcs12:
+    action: export
+    path: "{{ output_path }}/pkcs12-2.p12"
+    mode: '0644'
+    friendly_name: foo
+    privatekey_path: "{{ output_path }}/pkcs12-cert.key"
+    certificate_path: "{{ output_path }}/pkcs12-cert.pem"
+    state: present
+    select_crypto_backend: pyopenssl

tests/ee/roles/openssl_privatekey/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Create RSA private key
+  community.crypto.openssl_privatekey:
+    path: "{{ output_path }}/privatekey-1"
+    size: 2048
+
+- name: Create ECC private key
+  community.crypto.openssl_privatekey:
+    path: "{{ output_path }}/privatekey-2"
+    type: ECC
+    curve: secp256r1

tests/ee/roles/smoke/library/smoke_ipaddress.py

@@ -0,0 +1,48 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2022 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+DOCUMENTATION = r'''
+---
+module: smoke_ipaddress
+short_description: Check whether ipaddress is present
+author:
+  - Felix Fontein (@felixfontein)
+description:
+  - Check whether C(ipaddress) is present.
+options: {}
+'''
+
+EXAMPLES = r''' # '''
+
+RETURN = r''' # '''
+
+import traceback
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+
+try:
+    import ipaddress
+    HAS_IPADDRESS = True
+except ImportError as exc:
+    IPADDRESS_IMP_ERR = traceback.format_exc()
+    HAS_IPADDRESS = False
+
+
+def main():
+    module = AnsibleModule(argument_spec=dict(), supports_check_mode=True)
+
+    if not HAS_IPADDRESS:
+        module.fail_json(msg=missing_required_lib('ipaddress'), exception=IPADDRESS_IMP_ERR)
+
+    module.exit_json(msg='Everything is ok')
+
+
+if __name__ == '__main__':  # pragma: no cover
+    main()  # pragma: no cover

tests/ee/roles/smoke/library/smoke_pyyaml.py

@@ -0,0 +1,48 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2022 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+DOCUMENTATION = r'''
+---
+module: smoke_pyyaml
+short_description: Check whether PyYAML is present
+author:
+  - Felix Fontein (@felixfontein)
+description:
+  - Check whether C(yaml) is present.
+options: {}
+'''
+
+EXAMPLES = r''' # '''
+
+RETURN = r''' # '''
+
+import traceback
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+
+try:
+    import yaml
+    HAS_PYYAML = True
+except ImportError as exc:
+    PYYAML_IMP_ERR = traceback.format_exc()
+    HAS_PYYAML = False
+
+
+def main():
+    module = AnsibleModule(argument_spec=dict(), supports_check_mode=True)
+
+    if not HAS_PYYAML:
+        module.fail_json(msg=missing_required_lib('PyYAML'), exception=PYYAML_IMP_ERR)
+
+    module.exit_json(msg='Everything is ok')
+
+
+if __name__ == '__main__':  # pragma: no cover
+    main()  # pragma: no cover

tests/ee/roles/smoke/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Check whether ipaddress is present
+  smoke_ipaddress:
+  register: result
+
+- name: Validate result 
+  assert:
+    that:
+      - result.msg == 'Everything is ok'
+
+- name: Check whether PyYAML is present
+  smoke_pyyaml:
+  register: result
+
+- name: Validate result 
+  assert:
+    that:
+      - result.msg == 'Everything is ok'

tests/ee/roles/x509_certificate/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Create private key
+  community.crypto.openssl_privatekey:
+    path: "{{ output_path }}/cert.key"
+    type: ECC
+    curve: secp256r1
+
+- name: Create CSR
+  community.crypto.openssl_csr:
+    path: "{{ output_path }}/cert.csr"
+    privatekey_path: "{{ output_path }}/cert.key"
+
+- name: Create certificate
+  community.crypto.x509_certificate:
+    path: "{{ output_path }}/cert.pem"
+    csr_path: "{{ output_path }}/cert.csr"
+    privatekey_path: "{{ output_path }}/cert.key"
+    provider: selfsigned