From 8156468898d5f77eba74d3b2c5e1bf6453ddacc8 Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Sat, 3 May 2025 14:42:41 +0200 Subject: [PATCH] Add ansible-lint to CI (#886) * Enable ansible-lint. * Fix broken task name. * Fix command-instead-of-shell instances. * Clean up tasks to eliminate command-instead-of-module. * Skip yaml errors. * Remove .stdout from versions. * Avoid stdin. --- .ansible-lint | 31 ++++++++++++ antsibull-nox.toml | 2 +- .../targets/acme_account/tasks/main.yml | 4 +- .../targets/acme_account_info/tasks/main.yml | 4 +- .../targets/acme_ari_info/tasks/main.yml | 4 +- .../targets/acme_certificate/tasks/main.yml | 4 +- .../tasks/main.yml | 4 +- .../acme_certificate_order/tasks/main.yml | 4 +- .../tasks/main.yml | 4 +- .../acme_certificate_revoke/tasks/main.yml | 4 +- .../acme_challenge_cert_helper/tasks/main.yml | 2 +- .../targets/acme_inspect/tasks/main.yml | 4 +- .../certificate_complete_chain/tasks/main.yml | 2 +- .../targets/crypto_info/tasks/main.yml | 28 ++++++----- .../filter_openssl_csr_info/tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../filter_x509_crl_info/tasks/main.yml | 2 +- .../targets/get_certificate/tasks/main.yml | 4 +- .../targets/openssh_keypair/tasks/main.yml | 4 +- .../targets/openssl_csr/tasks/main.yml | 2 +- .../targets/openssl_csr/tests/validate.yml | 20 ++++---- .../targets/openssl_csr_info/tasks/main.yml | 2 +- .../targets/openssl_csr_pipe/tasks/impl.yml | 6 +-- .../targets/openssl_csr_pipe/tasks/main.yml | 2 +- .../targets/openssl_dhparam/tasks/main.yml | 4 +- .../openssl_dhparam/tests/validate.yml | 2 +- .../targets/openssl_pkcs12/tasks/impl.yml | 2 +- .../targets/openssl_pkcs12/tasks/main.yml | 2 +- .../targets/openssl_pkcs12/tests/validate.yml | 4 +- .../targets/openssl_privatekey/tasks/impl.yml | 8 +-- .../targets/openssl_privatekey/tasks/main.yml | 2 +- .../openssl_privatekey/tests/validate.yml | 10 ++-- .../openssl_privatekey_convert/tasks/main.yml | 2 +- .../openssl_privatekey_info/tasks/main.yml | 2 +- 
.../openssl_privatekey_pipe/tasks/main.yml | 2 +- .../targets/openssl_publickey/tasks/main.yml | 2 +- .../openssl_publickey/tests/validate.yml | 49 +++++++++++++------ .../openssl_publickey_info/tasks/main.yml | 2 +- .../targets/setup_acme/tasks/main.yml | 4 +- .../targets/setup_openssl/tasks/main.yml | 12 ++++- .../x509_certificate-acme/tasks/main.yml | 13 +---- .../targets/x509_certificate/tasks/main.yml | 2 +- .../targets/x509_certificate/tasks/ownca.yml | 2 +- .../x509_certificate/tasks/selfsigned.yml | 2 +- .../x509_certificate/tests/validate_ownca.yml | 6 +-- .../tests/validate_selfsigned.yml | 14 +++--- .../x509_certificate_info/tasks/main.yml | 2 +- .../x509_certificate_pipe/tasks/impl.yml | 12 ++--- .../x509_certificate_pipe/tasks/main.yml | 2 +- .../targets/x509_crl/tasks/impl.yml | 2 +- .../targets/x509_crl/tasks/main.yml | 2 +- 53 files changed, 186 insertions(+), 133 deletions(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 00000000..3c0a5a33 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,31 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +skip_list: + # Ignore rules that make no sense: + - galaxy[tags] + - galaxy[version-incorrect] + - meta-runtime[unsupported-version] + - no-changed-when + - sanity[cannot-ignore] # some of the rules you cannot ignore actually MUST be ignored, like yamllint:unparsable-with-libyaml + - yaml # we're using yamllint ourselves + + # To be checked and maybe fixed: + - fqcn[action] + - fqcn[action-core] + - ignore-errors + - jinja[spacing] + - key-order[task] + - name[casing] + - name[missing] + - name[play] + - name[template] + - no-free-form + - no-handler + - risky-file-permissions + - risky-shell-pipe + - var-naming[no-reserved] + - var-naming[pattern] + - var-naming[read-only] 
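Review bot: In the new `.ansible-lint`, `risky-file-permissions`, `risky-shell-pipe` and `ignore-errors` sit in `skip_list` alongside purely cosmetic rules, so they are not reported at all. Those checks matter most for targets that write private-key files and shell out to `openssl`, as the later hunks in this patch do. Moving the "To be checked and maybe fixed" group from `skip_list:` to `warn_list:` would keep CI passing while still surfacing the findings. A one-line comment on each security-relevant entry saying what remains to be reviewed would also help keep the list from becoming permanent.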
diff --git a/antsibull-nox.toml b/antsibull-nox.toml index 88e213be..df87fdc6 100644 --- a/antsibull-nox.toml +++ b/antsibull-nox.toml @@ -45,4 +45,4 @@ doc_fragment = "community.crypto.attributes.actiongroup_acme" [sessions.build_import_check] run_galaxy_importer = true -# [sessions.ansible_lint] +[sessions.ansible_lint] diff --git a/tests/integration/targets/acme_account/tasks/main.yml b/tests/integration/targets/acme_account/tasks/main.yml index e69a374c..bcc10397 100644 --- a/tests/integration/targets/acme_account/tasks/main.yml +++ b/tests/integration/targets/acme_account/tasks/main.yml @@ -17,7 +17,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_account_info/tasks/main.yml b/tests/integration/targets/acme_account_info/tasks/main.yml index e69a374c..bcc10397 100644 --- a/tests/integration/targets/acme_account_info/tasks/main.yml +++ b/tests/integration/targets/acme_account_info/tasks/main.yml @@ -17,7 +17,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_ari_info/tasks/main.yml b/tests/integration/targets/acme_ari_info/tasks/main.yml index 200fb0c7..84221e68 100644 
--- a/tests/integration/targets/acme_ari_info/tasks/main.yml +++ b/tests/integration/targets/acme_ari_info/tasks/main.yml @@ -21,7 +21,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: 1 is version('1.0.0', '>=') - name: Remove output directory file: @@ -41,4 +41,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate/tasks/main.yml b/tests/integration/targets/acme_certificate/tasks/main.yml index 26876a35..75035501 100644 --- a/tests/integration/targets/acme_certificate/tasks/main.yml +++ b/tests/integration/targets/acme_certificate/tasks/main.yml @@ -98,7 +98,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -118,4 +118,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml index e69a374c..bcc10397 100644 --- a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml @@ -17,7 +17,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: 
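Review bot: The new guard `when: 1 is version('1.0.0', '>=')` in the first hunk of acme_ari_info/tasks/main.yml compares a literal, not the detected OpenSSL version, so the condition is constant. The other files visible in this patch replace `openssl_version.stdout` with `openssl_version`, so this looks like a slip for `when: openssl_version is version('1.0.0', '>=')`. Under loose version comparison `1` most likely sorts below `1.0.0`, which would silently skip the OpenSSL-backend validation for this target instead of failing. The guarded block starts above the hunk, so confirm against the full file.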
@@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_order/tasks/main.yml b/tests/integration/targets/acme_certificate_order/tasks/main.yml index 32fd8429..a6e9b371 100644 --- a/tests/integration/targets/acme_certificate_order/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_order/tasks/main.yml @@ -15,7 +15,7 @@ select_crypto_backend: openssl # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -33,4 +33,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml index 40df2563..245b19a1 100644 --- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml @@ -20,7 +20,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -40,4 +40,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/main.yml b/tests/integration/targets/acme_certificate_revoke/tasks/main.yml index e69a374c..bcc10397 100644 --- a/tests/integration/targets/acme_certificate_revoke/tasks/main.yml 
+++ b/tests/integration/targets/acme_certificate_revoke/tasks/main.yml @@ -17,7 +17,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml index d3fdc8ae..8f7ffd3a 100644 --- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml +++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml @@ -35,4 +35,4 @@ terms_agreed: true account_email: "example@example.org" - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/acme_inspect/tasks/main.yml b/tests/integration/targets/acme_inspect/tasks/main.yml index e69a374c..bcc10397 100644 --- a/tests/integration/targets/acme_inspect/tasks/main.yml +++ b/tests/integration/targets/acme_inspect/tasks/main.yml @@ -17,7 +17,7 @@ - import_tasks: ../tests/validate.yml # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/certificate_complete_chain/tasks/main.yml b/tests/integration/targets/certificate_complete_chain/tasks/main.yml index 3dddcee6..e4e1cfc2 100644 
--- a/tests/integration/targets/certificate_complete_chain/tasks/main.yml +++ b/tests/integration/targets/certificate_complete_chain/tasks/main.yml @@ -24,4 +24,4 @@ - name: Run tests with created certificates import_tasks: created.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/crypto_info/tasks/main.yml b/tests/integration/targets/crypto_info/tasks/main.yml index defb7411..f8a37f26 100644 --- a/tests/integration/targets/crypto_info/tasks/main.yml +++ b/tests/integration/targets/crypto_info/tasks/main.yml @@ -20,11 +20,15 @@ command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'" register: local_cryptography_version +- name: Set cryptography version + set_fact: + local_cryptography_version: "{{ local_cryptography_version.stdout }}" + - name: Determine complex version-based capabilities set_fact: supports_ed25519: >- {{ - local_cryptography_version.stdout is version("2.6", ">=") + local_cryptography_version is version("2.6", ">=") and not ( ansible_os_family == "FreeBSD" and ansible_facts.distribution_version is version("12.1", ">=") and @@ -33,7 +37,7 @@ }} supports_ed448: >- {{ - local_cryptography_version.stdout is version("2.6", ">=") + local_cryptography_version is version("2.6", ">=") and not ( ansible_os_family == "FreeBSD" and ansible_facts.distribution_version is version("12.1", ">=") and 
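Review bot: The added `set_fact` task in crypto_info/tasks/main.yml stores the string under `local_cryptography_version`, the same name the `command` task just above it registered. The variable therefore changes from a result dict to a plain string mid-file. Any later task that still reads `local_cryptography_version.stdout` or `.rc` would then fail at runtime, not at lint time. Either use a distinct name for the string, or add a comment above the task such as `# Overwrites the registered result with its stdout; use the bare variable from here on`.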
@@ -46,21 +50,21 @@ that: - result.python_cryptography_installed - "'python_cryptography_import_error' not in result" - - result.python_cryptography_capabilities.version == local_cryptography_version.stdout + - result.python_cryptography_capabilities.version == local_cryptography_version - "'secp256r1' in result.python_cryptography_capabilities.curves" - - result.python_cryptography_capabilities.has_ec == (local_cryptography_version.stdout is version('0.5', '>=')) - - result.python_cryptography_capabilities.has_ec_sign == (local_cryptography_version.stdout is version('1.5', '>=')) + - result.python_cryptography_capabilities.has_ec == (local_cryptography_version is version('0.5', '>=')) + - result.python_cryptography_capabilities.has_ec_sign == (local_cryptography_version is version('1.5', '>=')) - result.python_cryptography_capabilities.has_ed25519 == supports_ed25519 - result.python_cryptography_capabilities.has_ed25519_sign == supports_ed25519 - result.python_cryptography_capabilities.has_ed448 == supports_ed448 - result.python_cryptography_capabilities.has_ed448_sign == supports_ed448 - - result.python_cryptography_capabilities.has_dsa == (local_cryptography_version.stdout is version('0.5', '>=')) - - result.python_cryptography_capabilities.has_dsa_sign == (local_cryptography_version.stdout is version('1.5', '>=')) - - result.python_cryptography_capabilities.has_rsa == (local_cryptography_version.stdout is version('0.5', '>=')) - - result.python_cryptography_capabilities.has_rsa_sign == (local_cryptography_version.stdout is version('1.4', '>=')) - - result.python_cryptography_capabilities.has_x25519 == (local_cryptography_version.stdout is version('2.0', '>=')) - - result.python_cryptography_capabilities.has_x25519_serialization == (local_cryptography_version.stdout is version('2.5', '>=')) - - result.python_cryptography_capabilities.has_x448 == (local_cryptography_version.stdout is version('2.5', '>=')) + - result.python_cryptography_capabilities.has_dsa == 
(local_cryptography_version is version('0.5', '>=')) + - result.python_cryptography_capabilities.has_dsa_sign == (local_cryptography_version is version('1.5', '>=')) + - result.python_cryptography_capabilities.has_rsa == (local_cryptography_version is version('0.5', '>=')) + - result.python_cryptography_capabilities.has_rsa_sign == (local_cryptography_version is version('1.4', '>=')) + - result.python_cryptography_capabilities.has_x25519 == (local_cryptography_version is version('2.0', '>=')) + - result.python_cryptography_capabilities.has_x25519_serialization == (local_cryptography_version is version('2.5', '>=')) + - result.python_cryptography_capabilities.has_x448 == (local_cryptography_version is version('2.5', '>=')) - name: Find OpenSSL binary command: which openssl diff --git a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml index 39990abd..27384072 100644 --- a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml +++ b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml @@ -129,4 +129,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml b/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml index 223fd8f0..f208733e 100644 --- a/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml +++ b/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml @@ -39,4 +39,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml b/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml index 2029f4c7..87e18149 100644 
--- a/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml +++ b/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml @@ -44,4 +44,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml index ae013c36..703c3b79 100644 --- a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml +++ b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml @@ -146,4 +146,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/filter_x509_crl_info/tasks/main.yml b/tests/integration/targets/filter_x509_crl_info/tasks/main.yml index 27c68e35..e38931b4 100644 --- a/tests/integration/targets/filter_x509_crl_info/tasks/main.yml +++ b/tests/integration/targets/filter_x509_crl_info/tasks/main.yml @@ -88,4 +88,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/get_certificate/tasks/main.yml b/tests/integration/targets/get_certificate/tasks/main.yml index a0f832bb..8c5da1f8 100644 --- a/tests/integration/targets/get_certificate/tasks/main.yml +++ b/tests/integration/targets/get_certificate/tasks/main.yml @@ -37,7 +37,7 @@ that: - result is success or skip_tests - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') - block: 
@@ -48,4 +48,4 @@ # The module doesn't work with CentOS 6. Since the pyOpenSSL installed there is too old, # we never noticed before. This becomes a problem with the new cryptography backend, # since there is a new enough cryptography version... - when: cryptography_version.stdout is version('1.6', '>=') and not skip_tests + when: cryptography_version is version('1.6', '>=') and not skip_tests diff --git a/tests/integration/targets/openssh_keypair/tasks/main.yml b/tests/integration/targets/openssh_keypair/tasks/main.yml index 3c372ff3..c87c0fe7 100644 --- a/tests/integration/targets/openssh_keypair/tasks/main.yml +++ b/tests/integration/targets/openssh_keypair/tasks/main.yml @@ -19,7 +19,7 @@ - set_fact: backends: "{{ backends + ['cryptography'] }}" - when: cryptography_version.stdout is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') + when: cryptography_version is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') - include_tasks: ../tests/core.yml loop: "{{ backends }}" @@ -47,4 +47,4 @@ loop_var: backend - include_tasks: ../tests/cryptography_backend.yml - when: cryptography_version.stdout is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') + when: cryptography_version is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') diff --git a/tests/integration/targets/openssl_csr/tasks/main.yml b/tests/integration/targets/openssl_csr/tasks/main.yml index 556c6608..a2f35696 100644 --- a/tests/integration/targets/openssl_csr/tasks/main.yml +++ b/tests/integration/targets/openssl_csr/tasks/main.yml @@ -29,4 +29,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_csr/tests/validate.yml b/tests/integration/targets/openssl_csr/tests/validate.yml index 98990460..251a3da9 100644 
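Review bot: Both `when:` conditions changed in openssh_keypair/tasks/main.yml now mix two variable shapes. `cryptography_version` is compared as a plain string, while `bcrypt_version.stdout` is still read as a registered command result. That is correct only if `bcrypt_version` is still registered rather than set as a fact, which neither hunk shows. If it is intentional, a short comment above the condition would prevent a later "cleanup" from breaking it, for example `# bcrypt_version is a registered result; cryptography_version is a string fact`.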
--- a/tests/integration/targets/openssl_csr/tests/validate.yml +++ b/tests/integration/targets/openssl_csr/tests/validate.yml @@ -4,15 +4,15 @@ # SPDX-License-Identifier: GPL-3.0-or-later - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_modulus - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)" - shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq" register: csr_cn - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)" - shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr' + command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr' register: csr_modulus - name: "({{ select_crypto_backend }}) Validate CSR (assert)" @@ -58,11 +58,11 @@ - csr_ku_xku_change_2 is changed - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)" - shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq" register: csr_oldapi_cn - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)" - shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr' + command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr' register: csr_oldapi_modulus - name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)" 
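Review bot: The tasks converted from `shell:` to `command:` in openssl_csr/tests/validate.yml keep the free-form string with unquoted templated values such as `{{ remote_tmp_dir }}` and `{{ openssl_binary }}`. Dropping the shell removes metacharacter interpretation, but the string is still split on whitespace, so a path containing a space would become several arguments. The `argv:` list form of `command` passes each templated value as exactly one argument and would also satisfy the `no-free-form` rule that the new `.ansible-lint` currently skips. The same applies to the converted tasks in openssl_csr_pipe/tasks/impl.yml, openssl_dhparam/tests/validate.yml and openssl_pkcs12/tests/validate.yml.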
@@ -78,7 +78,7 @@ - "'Subject Alternative Name' in generate_csr_invalid_san.msg" - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)" - shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text" + command: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text" register: csr_ocsp - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)" @@ -93,15 +93,15 @@ - csr_ocsp_idempotency is not changed - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)" - shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem' + command: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem' register: privatekey_ecc_key - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)" - shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq" register: csr_ecc_cn - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)" - shell: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr' + command: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr' register: csr_ecc_pubkey - name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)" @@ -111,7 +111,7 @@ - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout - name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)" - shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq" register: csr3_cn - name: "({{ select_crypto_backend }}) Validate CSR (assert)" 
diff --git a/tests/integration/targets/openssl_csr_info/tasks/main.yml b/tests/integration/targets/openssl_csr_info/tasks/main.yml index 2c696fbb..b41b8935 100644 --- a/tests/integration/targets/openssl_csr_info/tasks/main.yml +++ b/tests/integration/targets/openssl_csr_info/tasks/main.yml @@ -132,4 +132,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml b/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml index adf1836b..f4a56741 100644 --- a/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml +++ b/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml @@ -64,17 +64,17 @@ register: generate_csr_changed_check - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_modulus - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)" - shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" args: stdin: "{{ generate_csr.csr }}" register: csr_cn - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)" - shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin' + command: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin' args: stdin: "{{ generate_csr.csr }}" register: csr_modulus diff --git a/tests/integration/targets/openssl_csr_pipe/tasks/main.yml b/tests/integration/targets/openssl_csr_pipe/tasks/main.yml index 01869852..1c49e6ee 100644 --- a/tests/integration/targets/openssl_csr_pipe/tasks/main.yml 
+++ b/tests/integration/targets/openssl_csr_pipe/tasks/main.yml @@ -24,4 +24,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_dhparam/tasks/main.yml b/tests/integration/targets/openssl_dhparam/tasks/main.yml index 248f2afe..f486f569 100644 --- a/tests/integration/targets/openssl_dhparam/tasks/main.yml +++ b/tests/integration/targets/openssl_dhparam/tasks/main.yml @@ -24,7 +24,7 @@ vars: select_crypto_backend: openssl - # when: openssl_version.stdout is version('1.0.0', '>=') + # when: openssl_version is version('1.0.0', '>=') - name: Remove output directory file: @@ -44,4 +44,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_dhparam/tests/validate.yml b/tests/integration/targets/openssl_dhparam/tests/validate.yml index 37e68d72..708d4b0f 100644 --- a/tests/integration/targets/openssl_dhparam/tests/validate.yml +++ b/tests/integration/targets/openssl_dhparam/tests/validate.yml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-3.0-or-later - name: "[{{ select_crypto_backend }}] Validate generated params" - shell: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check' + command: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check' with_items: - dh768 - dh512 diff --git a/tests/integration/targets/openssl_pkcs12/tasks/impl.yml b/tests/integration/targets/openssl_pkcs12/tasks/impl.yml index 09f96716..50e2c2bd 100644 --- a/tests/integration/targets/openssl_pkcs12/tasks/impl.yml +++ b/tests/integration/targets/openssl_pkcs12/tasks/impl.yml 
@@ -376,7 +376,7 @@ register: p12_compatibility2022 when: - select_crypto_backend == 'cryptography' - - cryptography_version.stdout is version('38.0.0', '>=') + - cryptography_version is version('38.0.0', '>=') - import_tasks: ../tests/validate.yml diff --git a/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/tests/integration/targets/openssl_pkcs12/tasks/main.yml index 9ea1402e..a48a703e 100644 --- a/tests/integration/targets/openssl_pkcs12/tasks/main.yml +++ b/tests/integration/targets/openssl_pkcs12/tasks/main.yml @@ -68,4 +68,4 @@ select_crypto_backend: cryptography when: >- - cryptography_version.stdout is version('3.3', '>=') + cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_pkcs12/tests/validate.yml b/tests/integration/targets/openssl_pkcs12/tests/validate.yml index bf7a8f0a..9024cdc5 100644 --- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml +++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml @@ -95,10 +95,10 @@ - name: '({{ select_crypto_backend }}) PKCS#12 with compatibility2022 settings' when: - select_crypto_backend == 'cryptography' - - cryptography_version.stdout is version('38.0.0', '>=') + - cryptography_version is version('38.0.0', '>=') block: - name: '({{ select_crypto_backend }}) Validate PKCS#12 with compatibility2022 settings' - shell: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_compatibility2022.p12 -nodes -passin pass:'magicpassword'" + command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_compatibility2022.p12 -nodes -passin pass:'magicpassword'" register: p12_validate_compatibility2022 - name: '({{ select_crypto_backend }}) Check PKCS#12 with compatibility2022 settings' diff --git a/tests/integration/targets/openssl_privatekey/tasks/impl.yml b/tests/integration/targets/openssl_privatekey/tasks/impl.yml index a77fcc2f..44a7f678 100644 --- a/tests/integration/targets/openssl_privatekey/tasks/impl.yml 
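Review bot: The converted task in openssl_pkcs12/tests/validate.yml still passes the PKCS#12 passphrase on the command line (`-passin pass:'magicpassword'`), where it appears in the process list and in the task's logged `cmd`. For a fixed test fixture this is low risk, but integration tests are often copied as usage examples. A comment above the task would make the intent explicit, for example `# fixture passphrase only; use -passin env:VAR or file:PATH for real secrets`. Please also confirm that `command` still strips the single quotes around the passphrase as the shell did, since the check depends on the exact value.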
+++ b/tests/integration/targets/openssl_privatekey/tasks/impl.yml @@ -158,7 +158,7 @@ curve: "{{ item.curve }}" select_crypto_backend: '{{ select_crypto_backend }}' when: | - cryptography_version.stdout is version(item.min_cryptography_version, '>=') and + cryptography_version is version(item.min_cryptography_version, '>=') and item.openssl_name in openssl_ecc_list loop: "{{ ecc_types }}" loop_control: @@ -172,7 +172,7 @@ curve: "{{ item.curve }}" select_crypto_backend: '{{ select_crypto_backend }}' when: | - cryptography_version.stdout is version(item.min_cryptography_version, '>=') and + cryptography_version is version(item.min_cryptography_version, '>=') and item.openssl_name in openssl_ecc_list loop: "{{ ecc_types }}" loop_control: @@ -185,7 +185,7 @@ path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem' type: "{{ item.type }}" select_crypto_backend: '{{ select_crypto_backend }}' - when: cryptography_version.stdout is version(item.min_version, '>=') + when: cryptography_version is version(item.min_version, '>=') loop: "{{ types }}" loop_control: label: "{{ item.type }}" @@ -197,7 +197,7 @@ path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem' type: "{{ item.type }}" select_crypto_backend: '{{ select_crypto_backend }}' - when: cryptography_version.stdout is version(item.min_version, '>=') + when: cryptography_version is version(item.min_version, '>=') loop: "{{ types }}" loop_control: label: "{{ item.type }}" diff --git a/tests/integration/targets/openssl_privatekey/tasks/main.yml b/tests/integration/targets/openssl_privatekey/tasks/main.yml index 5e9ec16b..19008c5f 100644 --- a/tests/integration/targets/openssl_privatekey/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey/tasks/main.yml @@ -50,4 +50,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') 
diff --git a/tests/integration/targets/openssl_privatekey/tests/validate.yml b/tests/integration/targets/openssl_privatekey/tests/validate.yml index 4dbebb79..d64cbd4b 100644 --- a/tests/integration/targets/openssl_privatekey/tests/validate.yml +++ b/tests/integration/targets/openssl_privatekey/tests/validate.yml @@ -75,13 +75,13 @@ register: privatekey5 # Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned successfully. - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate privatekey5 (assert - Passphrase protected key + idempotence)" assert: that: - privatekey5.stdout == (default_rsa_key_size | string) - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate privatekey5 idempotence (assert - Passphrase protected key + idempotence)" assert: 
@@ -92,19 +92,19 @@ - name: "({{ select_crypto_backend }}) Validate privatekey6 (test - Passphrase protected key with non ascii character)" shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'" register: privatekey6 - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate privatekey6 (assert - Passphrase protected key with non ascii character)" assert: that: - privatekey6.stdout == (default_rsa_key_size | string) - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate ECC generation (dump with OpenSSL)" shell: "{{ openssl_binary }} ec -in {{ remote_tmp_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'" loop: "{{ privatekey_ecc_generate.results }}" register: privatekey_ecc_dump - when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item + when: openssl_version is version('0.9.8zh', '>=') and 'skip_reason' not in item loop_control: label: "{{ item.item.curve }}" diff --git a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml index 64a24f9a..a57ed41a 100644 --- a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml @@ -58,4 +58,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey_info/tasks/main.yml b/tests/integration/targets/openssl_privatekey_info/tasks/main.yml index ebe9dd27..5cbf3ba0 100644 
--- a/tests/integration/targets/openssl_privatekey_info/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_info/tasks/main.yml @@ -43,4 +43,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml b/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml index 511895cc..05498225 100644 --- a/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml @@ -18,4 +18,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_publickey/tasks/main.yml b/tests/integration/targets/openssl_publickey/tasks/main.yml index e2623ded..eb789d84 100644 --- a/tests/integration/targets/openssl_publickey/tasks/main.yml +++ b/tests/integration/targets/openssl_publickey/tasks/main.yml @@ -28,4 +28,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_publickey/tests/validate.yml b/tests/integration/targets/openssl_publickey/tests/validate.yml index acca7184..5dad3a1d 100644 --- a/tests/integration/targets/openssl_publickey/tests/validate.yml +++ b/tests/integration/targets/openssl_publickey/tests/validate.yml 
@@ -17,11 +17,18 @@ - publickey.publickey == publickey_idempotence.publickey - name: "({{ select_crypto_backend }}) Validate public key (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_modulus +- name: "({{ select_crypto_backend }}) Fetch public key" + ansible.builtin.slurp: + src: '{{ remote_tmp_dir }}/publickey.pub' + register: slurp + - name: "({{ select_crypto_backend }}) Validate public key (test - publickey modulus)" - shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ remote_tmp_dir }}/publickey.pub' + command: + cmd: '{{ openssl_binary }} rsa -pubin -noout -modulus' + stdin: '{{ slurp.content | b64decode }}' register: publickey_modulus - name: "({{ select_crypto_backend }}) Validate public key (assert)" @@ -30,7 +37,7 @@ - publickey_modulus.stdout == privatekey_modulus.stdout - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format (test - privatekey's publickey)" - shell: 'ssh-keygen -y -f {{ remote_tmp_dir }}/privatekey.pem' + command: 'ssh-keygen -y -f {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_publickey when: select_crypto_backend == 'cryptography' 
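Review bot: The new fetch tasks all use `register: slurp`, here and again in the publickey3 and publickey4 hunks further down, so each fetch overwrites the previous result and the name does not say which key it holds. A per-key name such as `register: publickey3_slurp`, with the matching `stdin: '{{ publickey3_slurp.content | b64decode }}'`, keeps each modulus check tied to the file it read. In the publickey3 and publickey4 hunks the fetch also runs unconditionally, while the task that consumes it carries `when: openssl_version is version('0.9.8zh', '>=')`. Giving the fetch the same condition would keep each pair consistent.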
@@ -71,20 +78,27 @@ - name: "({{ select_crypto_backend }}) Validate publickey3 (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey3.pem -passin pass:ansible' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey3.pem -passin pass:ansible' register: privatekey3_modulus - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') + +- name: "({{ select_crypto_backend }}) Fetch publickey3" + ansible.builtin.slurp: + src: '{{ remote_tmp_dir }}/publickey3.pub' + register: slurp - name: "({{ select_crypto_backend }}) Validate publickey3 (test - publickey modulus)" - shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ remote_tmp_dir }}/publickey3.pub' + command: + cmd: '{{ openssl_binary }} rsa -pubin -noout -modulus' + stdin: '{{ slurp.content | b64decode }}' register: publickey3_modulus - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate publickey3 (assert)" assert: that: - publickey3_modulus.stdout == privatekey3_modulus.stdout - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate publickey3 idempotence (assert)" assert: 
@@ -92,20 +106,27 @@ - publickey3_idempotence is not changed - name: "({{ select_crypto_backend }}) Validate publickey4 (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey4_modulus - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') + +- name: "({{ select_crypto_backend }}) Fetch publickey4" + ansible.builtin.slurp: + src: '{{ remote_tmp_dir }}/publickey4.pub' + register: slurp - name: "({{ select_crypto_backend }}) Validate publickey4 (test - publickey modulus)" - shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ remote_tmp_dir }}/publickey4.pub' + command: + cmd: '{{ openssl_binary }} rsa -pubin -noout -modulus' + stdin: '{{ slurp.content | b64decode }}' register: publickey4_modulus - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate publickey4 (assert)" assert: that: - publickey4_modulus.stdout == privatekey4_modulus.stdout - when: openssl_version.stdout is version('0.9.8zh', '>=') + when: openssl_version is version('0.9.8zh', '>=') - name: "({{ select_crypto_backend }}) Validate idempotency and backup" assert: @@ -131,7 +152,7 @@ that: - publickey5_pubkey.stdout == privatekey5_pubkey.stdout -- name: +- name: "({{ select_crypto_backend }}) Verify bad passphrase errors" assert: that: - passphrase_error_1 is failed diff --git a/tests/integration/targets/openssl_publickey_info/tasks/main.yml b/tests/integration/targets/openssl_publickey_info/tasks/main.yml index a0e8e35a..c3053ac5 100644 --- a/tests/integration/targets/openssl_publickey_info/tasks/main.yml +++ b/tests/integration/targets/openssl_publickey_info/tasks/main.yml 
@@ -46,4 +46,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/setup_acme/tasks/main.yml b/tests/integration/targets/setup_acme/tasks/main.yml index a9288723..761a2d1e 100644 --- a/tests/integration/targets/setup_acme/tasks/main.yml +++ b/tests/integration/targets/setup_acme/tasks/main.yml @@ -23,5 +23,5 @@ ACME directory: {{ acme_directory_url }} ACME server supports ARI: {{ acme_supports_ari }} ACME server supports profiles: {{ acme_supports_profiles }} - OpenSSL version is {{ openssl_version.stdout }} - cryptography version is {{ cryptography_version.stdout }} + OpenSSL version is {{ openssl_version }} + cryptography version is {{ cryptography_version }} diff --git a/tests/integration/targets/setup_openssl/tasks/main.yml b/tests/integration/targets/setup_openssl/tasks/main.yml index d1fb81f3..4e964b9c 100644 --- a/tests/integration/targets/setup_openssl/tasks/main.yml +++ b/tests/integration/targets/setup_openssl/tasks/main.yml @@ -85,6 +85,10 @@ shell: "{{ openssl_binary }} version | cut -d' ' -f2" register: openssl_version +- name: Make openssl version a string + set_fact: + openssl_version: "{{ openssl_version.stdout }}" + - when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6'] block: @@ -115,9 +119,13 @@ state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}" extra_args: "-c {{ remote_constraints }}" +- name: Obtain cryptography information + community.crypto.crypto_info: + register: crypto_info + - name: Register cryptography version - command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'" - register: cryptography_version + set_fact: + cryptography_version: "{{ crypto_info.python_cryptography_capabilities.version }}" - name: Print default key sizes debug: 
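Review bot: The new `set_fact` in setup_openssl copies `openssl_version.stdout` without checking that it is non-empty. The task that produces it is a `shell` pipeline, `{{ openssl_binary }} version | cut -d' ' -f2`, whose exit status is that of `cut`, so unless pipefail is enabled elsewhere a missing or failing OpenSSL binary can yield an empty string. Every `when: openssl_version is version('0.9.8zh', '>=')` gate in the test targets would then compare against that empty value, presumably skipping or breaking validations far from the cause. An assert right after the fact, with `that: openssl_version | length > 0`, would make the setup fail at the source. Registering the raw result under its own name (`register: openssl_version_result`) would also stop the variable changing from a result dict to a string mid-play.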
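Review bot: `cryptography_version` is now taken from `community.crypto.crypto_info`, a module this collection ships and tests itself (the diffstat lists a `crypto_info` target). A defect in that module's version reporting would therefore shift or disable every `cryptography_version is version('3.3', '>=')` gate rather than fail one test. The `set_fact` also dereferences `crypto_info.python_cryptography_capabilities.version` directly; if cryptography cannot be imported that key is presumably absent, and the run stops on an undefined-variable error instead of a clear message. An assert before the fact, with `that: crypto_info.python_cryptography_installed`, would state the precondition explicitly. A short comment noting that the gate depends on the module under test would help the next maintainer.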
diff --git a/tests/integration/targets/x509_certificate-acme/tasks/main.yml b/tests/integration/targets/x509_certificate-acme/tasks/main.yml index c61b93b0..c268a80a 100644 --- a/tests/integration/targets/x509_certificate-acme/tasks/main.yml +++ b/tests/integration/targets/x509_certificate-acme/tasks/main.yml @@ -71,17 +71,6 @@ get_url: url: https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py dest: "{{ remote_tmp_dir }}/acme-tiny" - when: ansible_python_version is version('2.7', '>=') - -- name: Get hold of acme-tiny executable (Python 2.6) - command: - cmd: >- - curl https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py --output "{{ remote_tmp_dir }}/acme-tiny" - when: ansible_python_version is version('2.7', '<') - -- name: Make sure acme-tiny is executable - file: - path: "{{ remote_tmp_dir }}/acme-tiny" mode: "0755" - name: "Monkey-patch acme-tiny: Disable certificate validation" @@ -141,4 +130,4 @@ - name: Running tests include_tasks: impl.yml # Make x509_certificate module happy - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate/tasks/main.yml b/tests/integration/targets/x509_certificate/tasks/main.yml index 238ccc1b..fdeadb1d 100644 --- a/tests/integration/targets/x509_certificate/tasks/main.yml +++ b/tests/integration/targets/x509_certificate/tasks/main.yml @@ -12,4 +12,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate/tasks/ownca.yml b/tests/integration/targets/x509_certificate/tasks/ownca.yml index e260afef..b80e34e4 100644 --- a/tests/integration/targets/x509_certificate/tasks/ownca.yml +++ b/tests/integration/targets/x509_certificate/tasks/ownca.yml 
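Review bot: With the Python 2.6 `curl` fallback removed, the `get_url` task is the only way acme-tiny reaches the test host, and it still downloads a script from the mutable `master` ref with no integrity check. The same task now also makes the file executable through the merged `mode: "0755"`. Pinning the URL to a commit and adding a digest, e.g. `url: https://raw.githubusercontent.com/diafygi/acme-tiny/<COMMIT_SHA_PLACEHOLDER>/acme_tiny.py` plus `checksum: sha256:<SHA256_PLACEHOLDER>`, would stop an upstream change from silently altering what CI executes. It would also keep the monkey-patch step that follows working against a known file. The task's `name:` line lies above the hunk, so the full task is not visible here.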
@@ -658,6 +658,6 @@ register: ownca_certificate_ed25519_ed448_2_idempotence ignore_errors: true - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.3', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version is version('3.3', '>=') - import_tasks: ../tests/validate_ownca.yml diff --git a/tests/integration/targets/x509_certificate/tasks/selfsigned.yml b/tests/integration/targets/x509_certificate/tasks/selfsigned.yml index 9d512ea4..f872859d 100644 --- a/tests/integration/targets/x509_certificate/tasks/selfsigned.yml +++ b/tests/integration/targets/x509_certificate/tasks/selfsigned.yml @@ -480,6 +480,6 @@ register: selfsigned_certificate_ed25519_ed448_idempotence ignore_errors: true - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.3', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version is version('3.3', '>=') - import_tasks: ../tests/validate_selfsigned.yml diff --git a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml index f9e6299c..d4f5564a 100644 --- a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml +++ b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml @@ -8,7 +8,7 @@ register: ownca_verify_ca - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus) - shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert.pem' + command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert.pem' register: ownca_cert_modulus - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value) 
@@ -72,7 +72,7 @@ - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus) - shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert2.pem' + command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert2.pem' register: ownca_cert2_modulus - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert) @@ -104,7 +104,7 @@ - ownca_cert3_idem is not changed - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey) - shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/ownca_cert_ecc.pem' + command: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/ownca_cert_ecc.pem' register: ownca_cert_ecc_pubkey - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value) diff --git a/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml b/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml index 72829628..65806bfe 100644 --- a/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml +++ b/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-3.0-or-later - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus) - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate behavior for no CSR 
@@ -15,7 +15,7 @@ - selfsigned_certificate_no_csr_idempotence_check is not changed - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate modulus) - shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert_no_csr.pem' + command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert_no_csr.pem' register: cert_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate version == default == 3) @@ -47,7 +47,7 @@ - selfsigned_certificate_no_csr.certificate == selfsigned_certificate_no_csr_idempotence.certificate - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus) - shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert.pem' + command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert.pem' register: cert_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value) @@ -109,11 +109,11 @@ when: select_crypto_backend == 'cryptography' - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus) - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem' register: privatekey2_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus) - shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert2.pem' + command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert2.pem' register: cert2_modulus - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert) 
@@ -145,11 +145,11 @@ - cert3_selfsigned_idem is not changed - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey) - shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey_ecc.pem' + command: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey_ecc.pem' register: privatekey_ecc_pubkey - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey) - shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/cert_ecc.pem' + command: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/cert_ecc.pem' register: cert_ecc_pubkey - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert) diff --git a/tests/integration/targets/x509_certificate_info/tasks/main.yml b/tests/integration/targets/x509_certificate_info/tasks/main.yml index cdaa5e20..9f9892c0 100644 --- a/tests/integration/targets/x509_certificate_info/tasks/main.yml +++ b/tests/integration/targets/x509_certificate_info/tasks/main.yml @@ -149,4 +149,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml b/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml index f0b75be2..99bf61cd 100644 --- a/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml +++ b/tests/integration/targets/x509_certificate_pipe/tasks/impl.yml 
@@ -102,17 +102,17 @@ register: generate_certificate_changed_check - name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem' register: privatekey_modulus - name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)" - shell: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" args: stdin: "{{ generate_certificate.certificate }}" register: certificate_cn - name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)" - shell: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin' + command: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin' args: stdin: "{{ generate_certificate.certificate }}" register: certificate_modulus 
@@ -209,17 +209,17 @@ register: ownca_generate_certificate_changed_check - name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)" - shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem' + command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem' register: privatekey_modulus - name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)" - shell: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" + command: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq" args: stdin: "{{ ownca_generate_certificate.certificate }}" register: certificate_cn - name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)" - shell: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin' + command: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin' args: stdin: "{{ ownca_generate_certificate.certificate }}" register: certificate_modulus diff --git a/tests/integration/targets/x509_certificate_pipe/tasks/main.yml b/tests/integration/targets/x509_certificate_pipe/tasks/main.yml index 0f93c771..b7762ba1 100644 --- a/tests/integration/targets/x509_certificate_pipe/tasks/main.yml +++ b/tests/integration/targets/x509_certificate_pipe/tasks/main.yml @@ -23,4 +23,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') diff --git a/tests/integration/targets/x509_crl/tasks/impl.yml b/tests/integration/targets/x509_crl/tasks/impl.yml index 02517852..966cdfdb 100644 --- a/tests/integration/targets/x509_crl/tasks/impl.yml +++ b/tests/integration/targets/x509_crl/tasks/impl.yml @@ -694,4 +694,4 @@ - Ed448 ignore_errors: true - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=') 
diff --git a/tests/integration/targets/x509_crl/tasks/main.yml b/tests/integration/targets/x509_crl/tasks/main.yml index df9775ae..b7b48426 100644 --- a/tests/integration/targets/x509_crl/tasks/main.yml +++ b/tests/integration/targets/x509_crl/tasks/main.yml @@ -90,4 +90,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.3', '>=') + when: cryptography_version is version('3.3', '>=')