Fix some ansible-lint issues (#907)

* Fix fqcn[action-core].

* Fix fqcn[action].

* Fix jinja[spacing].
This commit is contained in:
Felix Fontein
2025-05-30 22:03:16 +02:00
committed by GitHub
parent 7241d5543a
commit 8792635bef
142 changed files with 2161 additions and 2164 deletions


@@ -13,10 +13,7 @@ skip_list:
- yaml # we're using yamllint ourselves
# To be checked and maybe fixed:
- fqcn[action]
- fqcn[action-core]
- ignore-errors
- jinja[spacing]
- key-order[task]
- name[casing]
- name[missing]


@@ -6,15 +6,15 @@
- hosts: localhost
tasks:
- name: Show Python info
debug:
ansible.builtin.debug:
var: ansible_python
- name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: cryptography_version
- name: Determine output directory
set_fact:
ansible.builtin.set_fact:
output_path: "{{ 'output-%0x' % ((2**32) | random) }}"
- name: Find all roles


@@ -8,11 +8,11 @@
register: result
- name: Dump result
debug:
ansible.builtin.debug:
var: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.openssl_present
- result.python_cryptography_installed


@@ -24,13 +24,13 @@
when: false
block:
- name: Create lookback device
command: losetup -f {{ cryptfile_path }}
ansible.builtin.command: losetup -f {{ cryptfile_path }}
- name: Determine loop device name
command: losetup -j {{ cryptfile_path }} --output name
ansible.builtin.command: losetup -j {{ cryptfile_path }} --output name
register: cryptfile_device_output
- set_fact:
- ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
- name: Create LUKS container


@@ -8,7 +8,7 @@
register: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.msg == 'Everything is ok'
@@ -17,6 +17,6 @@
register: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.msg == 'Everything is ok'


@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
type: ECC
@@ -14,7 +14,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
return_private_key_data: true
@@ -30,7 +30,7 @@
- name: accountkey5
- name: Do not try to create account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -42,7 +42,7 @@
register: account_not_created
- name: Create it now (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -58,7 +58,7 @@
register: account_created_check
- name: Create it now
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -72,7 +72,7 @@
register: account_created
- name: Create it now (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -86,12 +86,12 @@
register: account_created_idempotent
- name: Read account key
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp
- name: Change email address (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -106,7 +106,7 @@
register: account_modified_check
- name: Change email address
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -119,7 +119,7 @@
register: account_modified
- name: Change email address (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri }}"
@@ -133,7 +133,7 @@
register: account_modified_idempotent
- name: Cannot access account with wrong URI
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
@@ -146,7 +146,7 @@
register: account_modified_wrong_uri
- name: Clear contact email addresses (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -160,7 +160,7 @@
register: account_modified_2_check
- name: Clear contact email addresses
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -172,7 +172,7 @@
register: account_modified_2
- name: Clear contact email addresses (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -184,7 +184,7 @@
register: account_modified_2_idempotent
- name: Change account key (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -200,7 +200,7 @@
register: account_change_key_check
- name: Change account key
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -214,7 +214,7 @@
register: account_change_key
- name: Deactivate account (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -227,7 +227,7 @@
register: account_deactivate_check
- name: Deactivate account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -238,7 +238,7 @@
register: account_deactivate
- name: Deactivate account (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -249,7 +249,7 @@
register: account_deactivate_idempotent
- name: Do not try to create account II
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -262,7 +262,7 @@
register: account_not_created_2
- name: Do not try to create account III
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -274,7 +274,7 @@
register: account_not_created_3
- name: Create account with External Account Binding
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem"
acme_version: 2
@@ -304,4 +304,4 @@
kid: kid-3
alg: HS512
key: zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W
- debug: var=account_created_eab
- ansible.builtin.debug: var=account_created_eab
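Review bot: The final task still passes its argument as a `var=...` free-form string instead of the block YAML used for every other module call in this file; `ansible.builtin.debug:` followed by `  var: account_created_eab` on the next line would be consistent and is the form the FQCN cleanup elsewhere in this commit settles on. Note also that `account_created_eab` is a loop result, so each `results[*].item` presumably carries the External Account Binding `kid`/`key` pair from the loop items, and this debug task dumps them into the job log. The values visible here look like fixed Pebble test fixtures, but if the EAB secrets are ever sourced from real credentials this task should get `no_log: true` or print only `account_created_eab.results | map(attribute='account_uri')`. The loop definition for this task begins above the hunk.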


@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,13 +4,13 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't created in the first step
assert:
ansible.builtin.assert:
that:
- account_not_created is failed
- account_not_created.msg == 'Account does not exist or is deactivated.'
- name: Validate that account was created in the second step (check mode)
assert:
ansible.builtin.assert:
that:
- account_created_check is changed
- account_created_check.account_uri is none
@@ -21,19 +21,19 @@
- account_created_check.diff.after.contact[0] in ['mailto:example@example.org', 'mailto:********@********.org']
- name: Validate that account was created in the second step
assert:
ansible.builtin.assert:
that:
- account_created is changed
- account_created.account_uri is not none
- name: Validate that account was created in the second step (idempotency)
assert:
ansible.builtin.assert:
that:
- account_created_idempotent is not changed
- account_created_idempotent.account_uri is not none
- name: Validate that email address was changed (check mode)
assert:
ansible.builtin.assert:
that:
- account_modified_check is changed
- account_modified_check.account_uri is not none
@@ -44,24 +44,24 @@
- account_modified_check.diff.after.contact[0] in ['mailto:example@example.com', 'mailto:********@********.com']
- name: Validate that email address was changed
assert:
ansible.builtin.assert:
that:
- account_modified is changed
- account_modified.account_uri is not none
- name: Validate that email address was not changed a second time (idempotency)
assert:
ansible.builtin.assert:
that:
- account_modified_idempotent is not changed
- account_modified_idempotent.account_uri is not none
- name: Make sure that with the wrong account URI, the account cannot be changed
assert:
ansible.builtin.assert:
that:
- account_modified_wrong_uri is failed
- name: Validate that email address was cleared (check mode)
assert:
ansible.builtin.assert:
that:
- account_modified_2_check is changed
- account_modified_2_check.account_uri is not none
@@ -71,19 +71,19 @@
- account_modified_2_check.diff.after.contact | length == 0
- name: Validate that email address was cleared
assert:
ansible.builtin.assert:
that:
- account_modified_2 is changed
- account_modified_2.account_uri is not none
- name: Validate that email address was not cleared a second time (idempotency)
assert:
ansible.builtin.assert:
that:
- account_modified_2_idempotent is not changed
- account_modified_2_idempotent.account_uri is not none
- name: Validate that the account key was changed (check mode)
assert:
ansible.builtin.assert:
that:
- account_change_key_check is changed
- account_change_key_check.account_uri is not none
@@ -91,13 +91,13 @@
- account_change_key_check.diff.before.public_account_key != account_change_key_check.diff.after.public_account_key
- name: Validate that the account key was changed
assert:
ansible.builtin.assert:
that:
- account_change_key is changed
- account_change_key.account_uri is not none
- name: Validate that the account was deactivated (check mode)
assert:
ansible.builtin.assert:
that:
- account_deactivate_check is changed
- account_deactivate_check.account_uri is not none
@@ -106,13 +106,13 @@
- "account_deactivate_check.diff.after == {}"
- name: Validate that the account was deactivated
assert:
ansible.builtin.assert:
that:
- account_deactivate is changed
- account_deactivate.account_uri is not none
- name: Validate that the account was really deactivated (idempotency)
assert:
ansible.builtin.assert:
that:
- account_deactivate_idempotent is not changed
# The next condition should be true for all conforming ACME servers.
@@ -121,19 +121,19 @@
- account_deactivate_idempotent.account_uri is none
- name: Validate that the account is gone (new account key)
assert:
ansible.builtin.assert:
that:
- account_not_created_2 is failed
- account_not_created_2.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account is gone (old account key)
assert:
ansible.builtin.assert:
that:
- account_not_created_3 is failed
- account_not_created_3.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account with External Account Binding has been created
assert:
ansible.builtin.assert:
that:
- account_created_eab.results[0] is changed
- account_created_eab.results[1] is changed


@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC
curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true
loop: "{{ account_keys }}"
@@ -24,7 +24,7 @@
- accountkey2
- name: Check that account does not exist
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -33,7 +33,7 @@
register: account_not_created
- name: Create it now
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -46,7 +46,7 @@
- mailto:example@example.org
- name: Check that account exists
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -55,12 +55,12 @@
register: account_created
- name: Read account key
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp
- name: Clear email address
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -71,7 +71,7 @@
contact: []
- name: Check that account was modified
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -81,7 +81,7 @@
register: account_modified
- name: Check with wrong account URI
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -91,7 +91,7 @@
register: account_not_exist
- name: Check with wrong account key
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
acme_version: 2


@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,14 +4,14 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't there
assert:
ansible.builtin.assert:
that:
- not account_not_created.exists
- account_not_created.account_uri is none
- "'account' not in account_not_created"
- name: Validate that account was created
assert:
ansible.builtin.assert:
that:
- account_created.exists
- account_created.account_uri is not none
@@ -22,7 +22,7 @@
- "account_created.account.contact[0] == 'mailto:example@example.org'"
- name: Validate that account email was removed
assert:
ansible.builtin.assert:
that:
- account_modified.exists
- account_modified.account_uri is not none
@@ -32,13 +32,13 @@
- account_modified.account.contact | length == 0
- name: Validate that account does not exist with wrong account URI
assert:
ansible.builtin.assert:
that:
- not account_not_exist.exists
- account_not_exist.account_uri is none
- "'account' not in account_not_exist"
- name: Validate that account cannot be accessed with wrong key
assert:
ansible.builtin.assert:
that:
- account_wrong_key is failed


@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -21,7 +21,7 @@
curve: secp256r1
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for renewal check
certificate_name: cert-1
@@ -39,18 +39,18 @@
account_email: "example@example.org"
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
command:
ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Read certificate
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1
- name: Obtain certificate information
acme_ari_info:
community.crypto.acme_ari_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2


@@ -14,31 +14,31 @@
block:
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: 1 is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')
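Review bot: The OpenSSL-backend block's condition reads `when: 1 is version('1.0.0', '>=')`, testing the literal integer 1 instead of `openssl_version` as the sibling main.yml files in this commit do (`when: openssl_version is version('1.0.0', '>=')`); this is pre-existing rather than introduced here, but it sits in the hunk and the comment above it still talks about old OpenSSL versions. Depending on how the `version` test coerces and compares `1` against `1.0.0`, the condition may evaluate to false, in which case the OpenSSL run of impl.yml and its validate.yml would be silently skipped for this target and only the cryptography backend would ever be exercised. The enclosing outer block starts above the hunk.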


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate results
assert:
ansible.builtin.assert:
that:
- cert_1 is not changed
- cert_1.renewal_info.explanationURL is not defined or cert_1.renewal_info.explanationURL is string


@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -28,7 +28,7 @@
## SET UP ACCOUNTS ############################################################################
- name: Make sure ECC256 account hasn't been created yet
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -36,11 +36,11 @@
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
state: absent
- name: Read account key (EC384)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp
- name: Create ECC384 account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -53,7 +53,7 @@
- mailto:example@example.org
- mailto:example@example.com
- name: Create RSA account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -66,7 +66,7 @@
## OBTAIN CERTIFICATES ########################################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1
certificate_name: cert-1
@@ -89,11 +89,11 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 1
set_fact:
ansible.builtin.set_fact:
cert_1_obtain_results: "{{ certificate_obtain_result }}"
cert_1_alternate: "{{ 1 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 2
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 2
certificate_name: cert-2
@@ -122,15 +122,15 @@
issuer: "{{ acme_roots[2].subject }}"
use_csr_content: false
- name: Store obtain results for cert 2
set_fact:
ansible.builtin.set_fact:
cert_2_obtain_results: "{{ certificate_obtain_result }}"
cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Read account key (RSA)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key
- name: Obtain cert 3
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 3
certificate_name: cert-3
@@ -152,11 +152,11 @@
subject: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 3
set_fact:
ansible.builtin.set_fact:
cert_3_obtain_results: "{{ certificate_obtain_result }}"
cert_3_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 4
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 4
certificate_name: cert-4
@@ -181,11 +181,11 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: false
- name: Store obtain results for cert 4
set_fact:
ansible.builtin.set_fact:
cert_4_obtain_results: "{{ certificate_obtain_result }}"
cert_4_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 1/4
certificate_name: cert-5
@@ -202,11 +202,11 @@
account_email: ""
use_csr_content: true
- name: Store obtain results for cert 5a
set_fact:
ansible.builtin.set_fact:
cert_5a_obtain_results: "{{ certificate_obtain_result }}"
cert_5_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5 (should not, since already there and valid for more than 1 days)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 2/4
certificate_name: cert-5
@@ -223,10 +223,10 @@
account_email: ""
use_csr_content: false
- name: Store obtain results for cert 5b
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_1: "{{ challenge_data is changed }}"
- name: Obtain cert 5 (should again by less days)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 3/4
certificate_name: cert-5
@@ -245,15 +245,15 @@
acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}"
acme_certificate_include_renewal_cert_id: when_ari_supported
- name: Store obtain results for cert 5c
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_2: "{{ challenge_data is changed }}"
cert_5c_obtain_results: "{{ certificate_obtain_result }}"
- name: Read account key (EC384)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp_account_key
- name: Obtain cert 5 (should again by force)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 4/4
certificate_name: cert-5
@@ -270,12 +270,12 @@
account_email: ""
use_csr_content: false
- name: Store obtain results for cert 5d
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_3: "{{ challenge_data is changed }}"
cert_5d_obtain_results: "{{ certificate_obtain_result }}"
- block:
- name: Obtain cert 6
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 6
certificate_name: cert-6
@@ -303,13 +303,13 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 6
set_fact:
ansible.builtin.set_fact:
cert_6_obtain_results: "{{ certificate_obtain_result }}"
cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_intermediates[0].subject_key_identifier is defined
- block:
- name: Obtain cert 7
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 7
certificate_name: cert-7
@@ -333,13 +333,13 @@
authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}"
use_csr_content: false
- name: Store obtain results for cert 7
set_fact:
ansible.builtin.set_fact:
cert_7_obtain_results: "{{ certificate_obtain_result }}"
cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_roots[2].subject_key_identifier is defined
- block:
- name: Obtain cert 8
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 8
certificate_name: cert-8
@@ -361,114 +361,114 @@
account_email: "example@example.org"
use_csr_content: true
- name: Store obtain results for cert 8
set_fact:
ansible.builtin.set_fact:
cert_8_obtain_results: "{{ certificate_obtain_result }}"
cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
## DISSECT CERTIFICATES #######################################################################
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
- name: Verifying cert 1
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ignore_errors: true
register: cert_1_valid
- name: Verifying cert 2
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ignore_errors: true
register: cert_2_valid
- name: Verifying cert 3
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ignore_errors: true
register: cert_3_valid
- name: Verifying cert 4
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ignore_errors: true
register: cert_4_valid
- name: Verifying cert 5
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ignore_errors: true
register: cert_5_valid
- name: Verifying cert 6
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ignore_errors: true
register: cert_6_valid
when: acme_intermediates[0].subject_key_identifier is defined
- name: Verifying cert 7
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ignore_errors: true
register: cert_7_valid
when: acme_roots[2].subject_key_identifier is defined
- name: Verifying cert 8
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ignore_errors: true
register: cert_8_valid
# Dump certificate info
- name: Dumping cert 1
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
register: cert_1_text
- name: Dumping cert 2
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
register: cert_2_text
- name: Dumping cert 3
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
register: cert_3_text
- name: Dumping cert 4
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
register: cert_4_text
- name: Dumping cert 5
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
register: cert_5_text
- name: Dumping cert 6
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
register: cert_6_text
when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
register: cert_7_text
when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
register: cert_8_text
# Dump certificate info
- name: Dumping cert 1
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Dumping cert 2
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-2.pem"
register: cert_2_info
- name: Dumping cert 3
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-3.pem"
register: cert_3_info
- name: Dumping cert 4
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-4.pem"
register: cert_4_info
- name: Dumping cert 5
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-5.pem"
register: cert_5_info
- name: Dumping cert 6
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-6.pem"
register: cert_6_info
when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-7.pem"
register: cert_7_info
when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-8.pem"
register: cert_8_info
## GET ACCOUNT ORDERS #########################################################################
- name: Don't retrieve orders
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -477,7 +477,7 @@
retrieve_orders: ignore
register: account_orders_not
- name: Retrieve orders as URL list (1/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -486,7 +486,7 @@
retrieve_orders: url_list
register: account_orders_urls
- name: Retrieve orders as URL list (2/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2
@@ -495,7 +495,7 @@
retrieve_orders: url_list
register: account_orders_urls2
- name: Retrieve orders as object list (1/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -504,7 +504,7 @@
retrieve_orders: object_list
register: account_orders_full
- name: Retrieve orders as object list (2/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2


@@ -10,46 +10,46 @@
- block:
- name: Obtain root and intermediate certificates
get_url:
ansible.builtin.get_url:
url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}"
dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
loop: "{{ query('nested', types, root_numbers) }}"
- name: Analyze root certificates
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem"
loop: "{{ root_numbers }}"
register: acme_roots
- name: Analyze intermediate certificates
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem"
loop: "{{ root_numbers }}"
register: acme_intermediates
- name: Read root certificates
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}"
register: slurp_roots
- set_fact:
- ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_roots.results }}"
register: acme_roots_tmp
- name: Read intermediate certificates
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}"
register: slurp_intermediates
- set_fact:
- ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_intermediates.results }}"
register: acme_intermediates_tmp
- set_fact:
- ansible.builtin.set_fact:
acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}"
acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}"
acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}"
@@ -74,48 +74,48 @@
# - public_key_fingerprints
- name: ACME root certificate info
debug:
ansible.builtin.debug:
var: acme_roots
# - name: ACME root certificates as PEM
# debug:
# ansible.builtin.debug:
# var: acme_root_certs
- name: ACME intermediate certificate info
debug:
ansible.builtin.debug:
var: acme_intermediates
# - name: ACME intermediate certificates as PEM
# debug:
# ansible.builtin.debug:
# var: acme_intermediate_certs
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,15 +4,15 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 is valid
assert:
ansible.builtin.assert:
that:
- cert_1_valid is not failed
- name: Check that certificate 1 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.com' in cert_1_text.stdout"
- name: Read certificate 1 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-1.pem
@@ -20,7 +20,7 @@
- cert-1-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_1_obtain_results"
- "cert_1_obtain_results.all_chains | length > 1"
@@ -32,16 +32,16 @@
- "(slurp.results[2].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain"
- name: Check that certificate 2 is valid
assert:
ansible.builtin.assert:
that:
- cert_2_valid is not failed
- name: Check that certificate 2 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:*.example.com' in cert_2_text.stdout"
- "'DNS:example.com' in cert_2_text.stdout"
- name: Read certificate 2 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-2.pem
@@ -49,7 +49,7 @@
- cert-2-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_2_obtain_results"
- "cert_2_obtain_results.all_chains | length > 1"
@@ -61,17 +61,17 @@
- "(slurp.results[2].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain"
- name: Check that certificate 3 is valid
assert:
ansible.builtin.assert:
that:
- cert_3_valid is not failed
- name: Check that certificate 3 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:*.example.com' in cert_3_text.stdout"
- "'DNS:example.org' in cert_3_text.stdout"
- "'DNS:t1.example.com' in cert_3_text.stdout"
- name: Read certificate 3 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-3.pem
@@ -79,7 +79,7 @@
- cert-3-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_3_obtain_results"
- "cert_3_obtain_results.all_chains | length > 1"
@@ -91,11 +91,11 @@
- "(slurp.results[2].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain"
- name: Check that certificate 4 is valid
assert:
ansible.builtin.assert:
that:
- cert_4_valid is not failed
- name: Check that certificate 4 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.com' in cert_4_text.stdout"
- "'DNS:t1.example.com' in cert_4_text.stdout"
@@ -103,71 +103,71 @@
- "'DNS:example.org' in cert_4_text.stdout"
- "'DNS:TesT.example.org' in cert_4_text.stdout"
- name: Check that certificate 4 retrieval did not get all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' not in cert_4_obtain_results"
- name: Check that certificate 5 is valid
assert:
ansible.builtin.assert:
that:
- cert_5_valid is not failed
- name: Check that certificate 5 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:t2.example.com' in cert_5_text.stdout"
- name: Check that certificate 5 was not recreated on the first try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_1 == false
- name: Check that certificate 5 was recreated on the second try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_2 == true
- name: Check that certificate 5 was recreated on the third try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_3 == true
- block:
- name: Check that certificate 6 is valid
assert:
ansible.builtin.assert:
that:
- cert_6_valid is not failed
- name: Check that certificate 6 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.org' in cert_6_text.stdout"
when: acme_intermediates[0].subject_key_identifier is defined
- block:
- name: Check that certificate 7 is valid
assert:
ansible.builtin.assert:
that:
- cert_7_valid is not failed
- name: Check that certificate 7 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: acme_roots[2].subject_key_identifier is defined
- block:
- name: Check that certificate 8 is valid
assert:
ansible.builtin.assert:
that:
- cert_8_valid is not failed
- name: Check that certificate 8 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
- name: Validate that orders were not retrieved
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_not"
- "'orders' not in account_orders_not"
- name: Validate that orders were retrieved as list of URLs (1/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_urls"
- "'orders' not in account_orders_urls"
@@ -175,7 +175,7 @@
- "account_orders_urls.order_uris[0] is string"
- name: Validate that orders were retrieved as list of URLs (2/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_urls2"
- "'orders' not in account_orders_urls2"
@@ -183,7 +183,7 @@
- "account_orders_urls2.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (1/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_full"
- "'orders' in account_orders_full"
@@ -192,7 +192,7 @@
- "account_orders_full.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (2/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_full2"
- "'orders' in account_orders_full2"
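Review bot: The task "Check that certificate 7 contains correct SANs" asserts on `cert_8_text.stdout` instead of `cert_7_text.stdout`, so it passes whenever cert 8 carries the expected IP SAN and would not catch a regression in cert 7; presumably a copy-paste slip, the fix is `- "'IP Address:127.0.0.1' in cert_7_text.stdout or 'IP:127.0.0.1' in cert_7_text.stdout"`. In the same file the name "Check that certificate 1 retrieval got all chains" is reused for the cert 2 and cert 3 chain checks, which makes a failure hard to attribute from play output; `- name: Check that certificate 2 retrieval got all chains` and the cert 3 equivalent would fix that. Both are pre-existing lines the commit leaves as context.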


@@ -9,24 +9,24 @@
account_email: example@example.org
block:
- name: Generate account key
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
curve: secp256r1
force: true
- name: Create cert private key
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
type: ECC
curve: secp256r1
force: true
- name: Create cert CSR
openssl_csr:
community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.csr"
privatekey_path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
subject_alt_name: "{{ subject_alt_name }}"
- name: Start process of obtaining certificate
acme_certificate:
community.crypto.acme_certificate:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -42,7 +42,7 @@
register: certificate_data
- name: Inspect order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -52,11 +52,11 @@
method: get
register: order_1
- name: Show order
debug:
ansible.builtin.debug:
var: order_1.output_json
- name: Deactivate order (check mode)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -67,7 +67,7 @@
register: deactivate_1
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -77,11 +77,11 @@
method: get
register: order_2
- name: Show order
debug:
ansible.builtin.debug:
var: order_2.output_json
- name: Deactivate order
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -91,7 +91,7 @@
register: deactivate_2
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -101,11 +101,11 @@
method: get
register: order_3
- name: Show order
debug:
ansible.builtin.debug:
var: order_3.output_json
- name: Deactivate order (check mode, idempotent)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -116,7 +116,7 @@
register: deactivate_3
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -126,11 +126,11 @@
method: get
register: order_4
- name: Show order
debug:
ansible.builtin.debug:
var: order_4.output_json
- name: Deactivate order (idempotent)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -140,7 +140,7 @@
register: deactivate_4
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -150,5 +150,5 @@
method: get
register: order_5
- name: Show order
debug:
ansible.builtin.debug:
var: order_5.output_json


@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Checks
assert:
ansible.builtin.assert:
that:
- order_1.output_json.status == 'pending'
- deactivate_1 is changed


@@ -4,23 +4,23 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate random domain name"
set_fact:
ansible.builtin.set_fact:
domain_name: "host{{ '%0x' % ((2**32) | random) }}.example.com"
- name: "({{ select_crypto_backend }}) Generate account key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/accountkey.pem"
type: ECC
curve: secp256r1
force: true
- name: "({{ select_crypto_backend }}) Parse account keys (to ease debugging some test failures)"
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/accountkey.pem"
return_private_key_data: true
- name: "({{ select_crypto_backend }}) Create ACME account"
acme_account:
community.crypto.acme_account:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -31,14 +31,14 @@
register: account
- name: "({{ select_crypto_backend }}) Generate certificate key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/cert.key"
type: ECC
curve: secp256r1
force: true
- name: "({{ select_crypto_backend }}) Generate certificate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/cert.csr"
privatekey_path: "{{ remote_tmp_dir }}/cert.key"
subject:
@@ -47,7 +47,7 @@
register: csr
- name: "({{ select_crypto_backend }}) Create certificate order"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -57,11 +57,11 @@
register: order_1
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_1
- name: "({{ select_crypto_backend }}) Check order"
assert:
ansible.builtin.assert:
that:
- order_1 is changed
- order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -81,7 +81,7 @@
- order_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -91,11 +91,11 @@
register: order_info_1
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_1
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_1 is not changed
- order_info_1.authorizations_by_identifier | length == 1
@@ -120,8 +120,8 @@
- order_info_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Create HTTP challenges"
uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT
body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}"
@@ -142,13 +142,13 @@
register: validate_1
- name: "({{ select_crypto_backend }}) Check validation result"
assert:
ansible.builtin.assert:
that:
- validate_1 is changed
- validate_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -158,11 +158,11 @@
register: order_info_2
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_2
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_2 is not changed
- order_info_2.authorizations_by_identifier | length == 1
@@ -198,7 +198,7 @@
register: validate_2
- name: "({{ select_crypto_backend }}) Check validation result"
assert:
ansible.builtin.assert:
that:
- validate_2 is not changed
- validate_2.account_uri == account.account_uri
@@ -220,7 +220,7 @@
register: finalize_1
- name: "({{ select_crypto_backend }}) Check finalization result"
assert:
ansible.builtin.assert:
that:
- finalize_1 is changed
- finalize_1.account_uri == account.account_uri
@@ -231,7 +231,7 @@
- finalize_1.selected_chain.full_chain == finalize_1.selected_chain.cert + finalize_1.selected_chain.chain
- name: "({{ select_crypto_backend }}) Read files from disk"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/{{ item }}.pem"
loop:
- cert
@@ -240,14 +240,14 @@
register: slurp
- name: "({{ select_crypto_backend }}) Compare finalization result with files on disk"
assert:
ansible.builtin.assert:
that:
- finalize_1.selected_chain.cert == slurp.results[0].content | b64decode
- finalize_1.selected_chain.chain == slurp.results[1].content | b64decode
- finalize_1.selected_chain.full_chain == slurp.results[2].content | b64decode
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -257,11 +257,11 @@
register: order_info_3
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_3
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_3 is not changed
- order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -299,7 +299,7 @@
register: finalize_2
- name: "({{ select_crypto_backend }}) Check finalization result"
assert:
ansible.builtin.assert:
that:
- finalize_2 is not changed
- finalize_2.account_uri == account.account_uri
@@ -311,7 +311,7 @@
- finalize_2.selected_chain == finalize_1.selected_chain
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -321,11 +321,11 @@
register: order_info_4
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_4
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_4 is not changed
- order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -351,7 +351,7 @@
- when: acme_supports_ari
block:
- name: "({{ select_crypto_backend }}) Get certificate renewal information"
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -361,14 +361,14 @@
register: cert_info
- name: "({{ select_crypto_backend }}) Verify information"
assert:
ansible.builtin.assert:
that:
- cert_info.supports_ari == true
- cert_info.should_renew == false
- cert_info.cert_id is string
- name: "({{ select_crypto_backend }}) Create replacement order 1"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -381,7 +381,7 @@
register: replacement_order_1
- name: "({{ select_crypto_backend }}) Get replacement order 1 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -391,7 +391,7 @@
register: order_info_5
- name: "({{ select_crypto_backend }}) Check replacement order 1"
assert:
ansible.builtin.assert:
that:
- replacement_order_1 is changed
- replacement_order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -412,7 +412,7 @@
- replacement_order_1.order_uri not in [order_1.order_uri]
- name: "({{ select_crypto_backend }}) Check replacement order 1 information"
assert:
ansible.builtin.assert:
that:
- order_info_5 is not changed
- order_info_5.authorizations_by_identifier | length == 1
@@ -441,7 +441,7 @@
- when: false # TODO get Pebble improved
block:
- name: "({{ select_crypto_backend }}) Create replacement order 2 (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -454,7 +454,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 2"
assert:
ansible.builtin.assert:
that:
- replacement_order_2 is failed
- >-
@@ -465,7 +465,7 @@
)
- name: "({{ select_crypto_backend }}) Create replacement order 3 with error handling"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -477,7 +477,7 @@
register: replacement_order_3
- name: "({{ select_crypto_backend }}) Get replacement order 3 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -487,7 +487,7 @@
register: order_info_6
- name: "({{ select_crypto_backend }}) Check replacement order 3"
assert:
ansible.builtin.assert:
that:
- replacement_order_3 is changed
- replacement_order_3.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -510,7 +510,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_3.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 3 information"
assert:
ansible.builtin.assert:
that:
- order_info_6 is not changed
- order_info_6.authorizations_by_identifier | length == 1
@@ -535,7 +535,7 @@
- order_info_6.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 3"
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -546,8 +546,8 @@
# Complete replacement order 1
- name: "({{ select_crypto_backend }}) Create HTTP challenges (replacement order 1)"
uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT
body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}"
@@ -585,7 +585,7 @@
- when: true
block:
- name: "({{ select_crypto_backend }}) Create replacement order 4 (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -598,7 +598,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 4"
assert:
ansible.builtin.assert:
that:
- replacement_order_4 is failed
- replacement_order_4.msg.startswith('Failed to start new order for https://' ~ acme_host)
@@ -606,7 +606,7 @@
' with status 409 Conflict. Error urn:ietf:params:acme:error:malformed: ' in replacement_order_4.msg
- name: "({{ select_crypto_backend }}) Create replacement order 5 with error handling"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -618,7 +618,7 @@
register: replacement_order_5
- name: "({{ select_crypto_backend }}) Get replacement order 5 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -628,7 +628,7 @@
register: order_info_7
- name: "({{ select_crypto_backend }}) Check replacement order 5"
assert:
ansible.builtin.assert:
that:
- replacement_order_5 is changed
- replacement_order_5.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -651,7 +651,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_5.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 5 information"
assert:
ansible.builtin.assert:
that:
- order_info_7 is not changed
- order_info_7.authorizations_by_identifier | length == 1
@@ -676,7 +676,7 @@
- order_info_7.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 5"
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -689,7 +689,7 @@
- when: acme_supports_profiles
block:
- name: "({{ select_crypto_backend }}) Create order with invalid profile (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -702,7 +702,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check invalid profile order"
assert:
ansible.builtin.assert:
that:
- invalid_profile_order is failed
- invalid_profile_order.msg == "The ACME CA does not support selected profile 'does-not-exist'."
@@ -712,7 +712,7 @@
- when: not acme_supports_profiles
block:
- name: "({{ select_crypto_backend }}) Create order with profile when server does not support it (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -724,7 +724,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check profile without server support order"
assert:
ansible.builtin.assert:
that:
- profile_without_server_support is failed
- profile_without_server_support.msg == 'The ACME CA does not support profiles. Please omit the "profile" option.'


@@ -10,7 +10,7 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
@@ -18,18 +18,18 @@
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography


@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -22,7 +22,7 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for renewal check
certificate_name: cert-1
@@ -41,18 +41,18 @@
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
command:
ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Read certificate
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1
- name: Obtain certificate information (1/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -60,7 +60,7 @@
validate_certs: false
register: cert_1_renewal_1
- name: Obtain certificate information (2/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -70,7 +70,7 @@
remaining_percentage: 0.5
register: cert_1_renewal_2
- name: Obtain certificate information (3/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_content: "{{ slurp_cert_1.content | b64decode }}"
acme_version: 2
@@ -79,7 +79,7 @@
now: +1800d
register: cert_1_renewal_3
- name: Obtain certificate information (4/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -90,7 +90,7 @@
remaining_percentage: 0.1
register: cert_1_renewal_4
- name: Obtain certificate information (5/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -101,7 +101,7 @@
remaining_percentage: 0.01
register: cert_1_renewal_5
- name: Obtain certificate information (6/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -112,7 +112,7 @@
remaining_percentage: 0.03
register: cert_1_renewal_6
- name: Obtain certificate information (7/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -121,7 +121,7 @@
now: +1830d
register: cert_1_renewal_7
- name: Obtain certificate information (8/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -129,7 +129,7 @@
now: +1830d
register: cert_1_renewal_8
- name: Obtain certificate information (9/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
acme_version: 2
@@ -137,12 +137,12 @@
validate_certs: false
register: cert_1_renewal_9
- name: Create broken file
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/cert-is-broken.pem"
content: |
--- THIS IS NOT A CERT ---
- name: Obtain certificate information (10/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: false
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
@@ -152,7 +152,7 @@
register: cert_1_renewal_10
ignore_errors: true
- name: Obtain certificate information (11/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: true
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"


@@ -13,31 +13,31 @@
block:
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -9,7 +9,7 @@
block:
- name: Validate results (generic)
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.should_renew == false
- cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
@@ -64,7 +64,7 @@
when: not acme_supports_ari
- name: Validate results without ARI
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.supports_ari == false
- cert_1_renewal_2.supports_ari == false
@@ -84,7 +84,7 @@
when: not acme_supports_ari
- name: Validate results with ARI
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.supports_ari == true
- cert_1_renewal_2.supports_ari == true


@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -28,11 +28,11 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Read account key (EC256)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec256.pem'
register: slurp_account_key
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for revocation
certificate_name: cert-1
@@ -49,7 +49,7 @@
terms_agreed: true
account_email: "example@example.org"
- name: Obtain cert 2
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 2 for revocation
certificate_name: cert-2
@@ -66,7 +66,7 @@
terms_agreed: true
account_email: "example@example.org"
- name: Obtain cert 3
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 3 for revocation
certificate_name: cert-3
@@ -84,7 +84,7 @@
## REVOKE CERTIFICATES ########################################################################
- name: Revoke certificate 1 via account key
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
certificate: "{{ remote_tmp_dir }}/cert-1.pem"
@@ -94,7 +94,7 @@
ignore_errors: true
register: cert_1_revoke
- name: Revoke certificate 2 via certificate private key
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
private_key_src: "{{ remote_tmp_dir }}/cert-2.key"
private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -105,11 +105,11 @@
ignore_errors: true
register: cert_2_revoke
- name: Read account key (RSA)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key
- name: Revoke certificate 3 via account key (fullchain)
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp_account_key.content | b64decode }}"
certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem"


@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,17 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 was revoked
assert:
ansible.builtin.assert:
that:
- cert_1_revoke is changed
- cert_1_revoke is not failed
- name: Check that certificate 2 was revoked
assert:
ansible.builtin.assert:
that:
- cert_2_revoke is changed
- cert_2_revoke is not failed
- name: Check that certificate 3 was revoked
assert:
ansible.builtin.assert:
that:
- cert_3_revoke is changed
- cert_3_revoke is not failed


@@ -10,13 +10,13 @@
- block:
- name: Generate ECC256 account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
curve: secp256r1
force: true
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
select_crypto_backend: auto
certgen_title: Certificate 1


@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC
curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true
loop: "{{ account_keys }}"
@@ -23,32 +23,32 @@
- accountkey
- name: Get directory
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
method: directory-only
select_crypto_backend: "{{ select_crypto_backend }}"
register: directory
- debug: var=directory
- ansible.builtin.debug: var=directory
- name: Create an account
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
url: "{{ directory.directory.newAccount}}"
url: "{{ directory.directory.newAccount }}"
method: post
content: '{"termsOfServiceAgreed":true}'
select_crypto_backend: "{{ select_crypto_backend }}"
register: account_creation
# account_creation.headers.location contains the account URI
# if creation was successful
- debug: var=account_creation
- ansible.builtin.debug: var=account_creation
- name: Get account information
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -58,10 +58,10 @@
method: get
select_crypto_backend: "{{ select_crypto_backend }}"
register: account_get
- debug: var=account_get
- ansible.builtin.debug: var=account_get
- name: Update account contacts
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -78,10 +78,10 @@
contact:
- mailto:me@example.com
register: account_update
- debug: var=account_update
- ansible.builtin.debug: var=account_update
- name: Create certificate order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -102,10 +102,10 @@
- type: dns
value: example.org
register: new_order
- debug: var=new_order
- ansible.builtin.debug: var=new_order
- name: Get order information
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -115,10 +115,10 @@
method: get
select_crypto_backend: "{{ select_crypto_backend }}"
register: order
- debug: var=order
- ansible.builtin.debug: var=order
- name: Get authzs for order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -129,10 +129,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
loop: "{{ order.output_json.authorizations }}"
register: authz
- debug: var=authz
- ansible.builtin.debug: var=authz
- name: Get HTTP-01 challenge for authz
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -143,10 +143,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: http01challenge
loop: "{{ authz.results | map(attribute='output_json') | list }}"
- debug: var=http01challenge
- ansible.builtin.debug: var=http01challenge
- name: Activate HTTP-01 challenge manually
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -158,10 +158,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: activation
loop: "{{ http01challenge.results | map(attribute='output_json') | list }}"
- debug: var=activation
- ansible.builtin.debug: var=activation
- name: Get HTTP-01 challenge results
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -175,4 +175,4 @@
until: "validation_result.output_json.status not in ['pending', 'processing']"
retries: 20
delay: 1
- debug: var=validation_result
- ansible.builtin.debug: var=validation_result


@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check directory output
assert:
ansible.builtin.assert:
that:
- directory is not changed
- "'directory' in directory"
@@ -16,7 +16,7 @@
- "'output_json' not in directory"
- name: Check account creation output
assert:
ansible.builtin.assert:
that:
- account_creation is changed
- "'directory' in account_creation"
@@ -30,7 +30,7 @@
- account_creation.output_text | from_json == account_creation.output_json
- name: Check account get output
assert:
ansible.builtin.assert:
that:
- account_get is not changed
- "'directory' in account_get"
@@ -41,7 +41,7 @@
- account_get.output_json == account_creation.output_json
- name: Check account update output
assert:
ansible.builtin.assert:
that:
- account_update is changed
- "'directory' in account_update"
@@ -53,7 +53,7 @@
- account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com']
- name: Check certificate request output
assert:
ansible.builtin.assert:
that:
- new_order is changed
- "'directory' in new_order"
@@ -66,7 +66,7 @@
- "'finalize' in new_order.output_json"
- name: Check get order output
assert:
ansible.builtin.assert:
that:
- order is not changed
- "'directory' in order"
@@ -77,7 +77,7 @@
# - new_order.output_json == order.output_json
- name: Check get authz output
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"
@@ -90,7 +90,7 @@
loop: "{{ authz.results }}"
- name: Check get challenge output
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"
@@ -104,7 +104,7 @@
loop: "{{ http01challenge.results }}"
- name: Check challenge activation output
assert:
ansible.builtin.assert:
that:
- item is changed
- "'directory' in item"
@@ -118,7 +118,7 @@
loop: "{{ activation.results }}"
- name: Check validation result
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"


@@ -9,14 +9,14 @@
####################################################################
- name: Generate CSR for {{ certificate.name }}
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
subject: '{{ certificate.subject }}'
useCommonNameForSAN: false
- name: Generate certificate for {{ certificate.name }}
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'


@@ -10,25 +10,25 @@
- block:
- name: Create private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
size: '{{ default_rsa_key_size_certificates }}'
loop: '{{ certificates }}'
- name: Generate certificates
include_tasks: create-single-certificate.yml
ansible.builtin.include_tasks: create-single-certificate.yml
loop: '{{ certificates }}'
loop_control:
loop_var: certificate
- name: Read certificates
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
loop: '{{ certificates }}'
register: certificates_read
- name: Store read certificates
set_fact:
ansible.builtin.set_fact:
read_certificates: >-
{{ certificates_read.results | map(attribute='content') | map('b64decode')
| zip(certificates | map(attribute='name'))


@@ -9,7 +9,7 @@
####################################################################
- name: Case A => works
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'
@@ -19,7 +19,7 @@
- name: Case B => doesn't work, but this is expected
failed_when: false
register: caseb
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -27,11 +27,11 @@
- '{{ remote_tmp_dir }}/a-root.pem'
- name: Assert that case B failed
assert:
ansible.builtin.assert:
that: "'Cannot complete chain' in caseb.msg"
- name: Case C => works
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -40,7 +40,7 @@
- '{{ remote_tmp_dir }}/a-root.pem'
- name: Case D => works as well after PR 403
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'


@@ -10,13 +10,13 @@
- block:
- name: Find root for cert 1 using directory
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ fullchain | trim }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert1_root
- name: Verify root for cert 1
assert:
ansible.builtin.assert:
that:
- cert1_root.complete_chain | join('') == (fullchain ~ root)
- cert1_root.root == root
@@ -26,7 +26,7 @@
- block:
- name: Find rootchain for cert 1 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -34,7 +34,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert1_rootchain
- name: Verify rootchain for cert 1
assert:
ansible.builtin.assert:
that:
- cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert1_rootchain.chain[:-1] | join('') == chain
@@ -46,13 +46,13 @@
- block:
- name: Find root for cert 2 using directory
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ fullchain | trim }}"
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert2_root
- name: Verify root for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_root.complete_chain | join('') == (fullchain ~ root)
- cert2_root.root == root
@@ -62,7 +62,7 @@
- block:
- name: Find rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-chain.pem'
@@ -70,7 +70,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain.chain[:-1] | join('') == chain
@@ -82,7 +82,7 @@
- block:
- name: Find alternate rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
@@ -90,7 +90,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain_alt
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain_alt.chain[:-1] | join('') == chain
@@ -102,13 +102,13 @@
- block:
- name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert ~ chain ~ root }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_complete_chain
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_complete_chain.chain == []
@@ -119,7 +119,7 @@
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"
- name: Check failure when no intermediate certificate can be found
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2.pem", rstrip=true) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -128,13 +128,13 @@
register: cert2_no_intermediate
ignore_errors: true
- name: Verify failure
assert:
ansible.builtin.assert:
that:
- cert2_no_intermediate is failed
- "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"
- name: Check failure when infinite loop is found
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=true) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
@@ -143,7 +143,7 @@
register: cert2_infinite_loop
ignore_errors: true
- name: Verify failure
assert:
ansible.builtin.assert:
that:
- cert2_infinite_loop is failed
- "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"


@@ -11,17 +11,17 @@
- block:
- name: Copy test files to testhost
copy:
ansible.builtin.copy:
src: '{{ role_path }}/files/'
dest: '{{ remote_tmp_dir }}/files/'
- name: Run tests with copied certificates
import_tasks: existing.yml
ansible.builtin.import_tasks: existing.yml
- name: Create more certificates
import_tasks: create.yml
ansible.builtin.import_tasks: create.yml
- name: Run tests with created certificates
import_tasks: created.yml
ansible.builtin.import_tasks: created.yml
when: cryptography_version is version('3.3', '>=')


@@ -9,23 +9,23 @@
####################################################################
- name: Retrieve information
crypto_info:
community.crypto.crypto_info:
register: result
- name: Display information
debug:
ansible.builtin.debug:
var: result
- name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: local_cryptography_version
- name: Set cryptography version
set_fact:
ansible.builtin.set_fact:
local_cryptography_version: "{{ local_cryptography_version.stdout }}"
- name: Determine complex version-based capabilities
set_fact:
ansible.builtin.set_fact:
supports_ed25519: >-
{{
local_cryptography_version is version("2.6", ">=")
@@ -46,7 +46,7 @@
}}
- name: Verify cryptography information
assert:
ansible.builtin.assert:
that:
- result.python_cryptography_installed
- "'python_cryptography_import_error' not in result"
@@ -67,15 +67,15 @@
- result.python_cryptography_capabilities.has_x448 == (local_cryptography_version is version('2.5', '>='))
- name: Find OpenSSL binary
command: which openssl
ansible.builtin.command: which openssl
register: local_openssl_path
- name: Find OpenSSL version
command: openssl version
ansible.builtin.command: openssl version
register: local_openssl_version_full
- name: Verify OpenSSL information
assert:
ansible.builtin.assert:
that:
- result.openssl_present
- result.openssl.path == local_openssl_path.stdout


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info }}
result_idna: >-
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='unicode') }}
- name: "Check whether subject and extensions behaves as expected"
assert:
ansible.builtin.assert:
that:
- result.subject.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
@@ -40,7 +40,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: "Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -56,17 +56,17 @@
- "IP:1.2.3.4"
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_2.csr') | community.crypto.openssl_csr_info }}
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_3.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -77,65 +77,65 @@
- "IP:1.2.3.4"
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_4.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
- result.authority_cert_serial_number is none
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.openssl_csr_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.openssl_csr_info input must be a text type, not ")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_csr_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Unable to load (?:request|PEM file)(?:\.|$)")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_csr_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.openssl_csr_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")


@@ -9,23 +9,23 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -94,7 +94,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -103,7 +103,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -121,12 +121,12 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: "44:55:66:77"
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_1.pem') | community.crypto.openssl_privatekey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -21,12 +21,12 @@
- "'private_data' not in result"
- name: Get key 2 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_2.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -41,26 +41,26 @@
- "result.private_data.exponent > 5"
- name: Get key 3 info (without passphrase)
set_fact:
ansible.builtin.set_fact:
result_: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
ignore_errors: true
register: result
- name: Check that loading passphrase protected key without passphrase failed
assert:
ansible.builtin.assert:
that:
- result is failed
- >-
'Wrong or empty passphrase provided for private key' in result.msg
- name: Get key 3 info (with passphrase)
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(passphrase='hunter2', return_private_key_data=true) }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -74,12 +74,12 @@
- "result.private_data.exponent > 5"
- name: Get key 4 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_4.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -94,12 +94,12 @@
- "result.private_data.multiplier > 1024"
- name: Get key 5 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_5.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"


@@ -9,34 +9,34 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (with password)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 4 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
# ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead
- name: Generate privatekey 5 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_5.pem'
type: DSA
size: 1024
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_1.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -19,12 +19,12 @@
- "result.public_data.exponent > 5"
- name: Get key 2 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_2.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -35,12 +35,12 @@
- "result.public_data.exponent > 5"
- name: Get key 3 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_3.pem') | community.crypto.openssl_publickey_info }}
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -52,12 +52,12 @@
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- name: Get key 4 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_4.pem') | community.crypto.openssl_publickey_info }}
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -69,27 +69,27 @@
- "result.public_data.y > 2"
- name: Get invalid key info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.openssl_publickey_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.openssl_publickey_info input must be a text type, not ")
- name: Get invalid key info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_publickey_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- 'output.msg is search("Error while deserializing key: ")'


@@ -9,17 +9,17 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
@@ -27,13 +27,13 @@
select_crypto_backend: cryptography
- name: Generate privatekey 4 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: DSA
size: 1024
- name: Generate public keys
openssl_publickey:
community.crypto.openssl_publickey:
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
path: '{{ remote_tmp_dir }}/publickey_{{ item }}.pem'
loop:
@@ -43,5 +43,5 @@
- 4
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test parse_serial filter
assert:
ansible.builtin.assert:
that:
- >-
'0' | community.crypto.parse_serial == 0
@@ -22,35 +22,35 @@
'1:2:3' | community.crypto.parse_serial == 66051
- name: "Test error 1: empty string"
debug:
ansible.builtin.debug:
msg: >-
{{ '' | community.crypto.parse_serial }}
ignore_errors: true
register: error_1
- name: "Test error 2: invalid type"
debug:
ansible.builtin.debug:
msg: >-
{{ [] | community.crypto.parse_serial }}
ignore_errors: true
register: error_2
- name: "Test error 3: invalid values (range)"
debug:
ansible.builtin.debug:
msg: >-
{{ '100' | community.crypto.parse_serial }}
ignore_errors: true
register: error_3
- name: "Test error 4: invalid values (digits)"
debug:
ansible.builtin.debug:
msg: >-
{{ 'abcdefg' | community.crypto.parse_serial }}
ignore_errors: true
register: error_4
- name: Validate errors
assert:
ansible.builtin.assert:
that:
- >-
error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg


@@ -9,7 +9,7 @@
####################################################################
- name: Run tests that raise no errors
assert:
ansible.builtin.assert:
that:
- >-
'' | community.crypto.split_pem == []
@@ -49,13 +49,13 @@
AAb=
- name: Invalid input
debug:
ansible.builtin.debug:
msg: "{{ [] | community.crypto.split_pem }}"
ignore_errors: true
register: output
- name: Validate error
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.split_pem input must be a text type, not ")


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test to_serial filter
assert:
ansible.builtin.assert:
that:
- 0 | community.crypto.to_serial == '00'
- 1 | community.crypto.to_serial == '01'
@@ -13,21 +13,21 @@
- 65536 | community.crypto.to_serial == '01:00:00'
- name: "Test error 1: negative number"
debug:
ansible.builtin.debug:
msg: >-
{{ (-1) | community.crypto.to_serial }}
ignore_errors: true
register: error_1
- name: "Test error 2: invalid type"
debug:
ansible.builtin.debug:
msg: >-
{{ [] | community.crypto.to_serial }}
ignore_errors: true
register: error_2
- name: Validate error
assert:
ansible.builtin.assert:
that:
- >-
error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info }}
result_idna: >-
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info(name_encoding='unicode') }}
- name: Check whether issuer and subject and extensions behave as expected
assert:
ansible.builtin.assert:
that:
- result.issuer.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered"
@@ -70,7 +70,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -86,17 +86,17 @@
- "IP:1.2.3.4"
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_2.pem') | community.crypto.x509_certificate_info }}
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_3.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -107,23 +107,23 @@
- "IP:1.2.3.4"
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_4.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
- result.authority_cert_serial_number is none
- name: Get certificate info for packaged cert 1
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', role_path ~ '/../x509_certificate_info/files/cert1.pem') | community.crypto.x509_certificate_info }}
- name: Check extensions
assert:
ansible.builtin.assert:
that:
- "'ocsp_uri' in result"
- "result.ocsp_uri == 'http://ocsp.foobarbaz.example.com'"
@@ -160,59 +160,59 @@
- result.extensions_by_oid['2.5.29.37'].critical == false
- result.extensions_by_oid['2.5.29.37'].value == 'MBQGCCsGAQUFBwMBBggrBgEFBQcDAg=='
- name: Check fingerprints
assert:
ansible.builtin.assert:
that:
- (result.fingerprints.sha256 == '08:26:60:3d:29:11:f2:88:09:3f:40:71:bb:67:cb:59:9c:6e:cf:e0:49:22:ab:e8:60:bd:f6:9a:01:e3:0e:2c' if result.fingerprints.sha256 is defined else true)
- (result.fingerprints.sha1 == '5a:32:7f:22:61:f3:2e:ad:a7:d8:77:07:1c:7f:08:cd:ab:7f:bc:11' if result.fingerprints.sha1 is defined else true)
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.x509_certificate_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.x509_certificate_info input must be a text type, not ")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_certificate_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Unable to load (?:certificate|PEM file)(?:\.|$)")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_certificate_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_certificate_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")


@@ -9,24 +9,24 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size_certificates }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size_certificates }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -96,7 +96,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -105,7 +105,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -123,14 +123,14 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: "44:55:66:77"
- name: Generate selfsigned certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
@@ -145,5 +145,5 @@
- 4
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version is version('3.3', '>=')


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create CRL 1
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -23,17 +23,17 @@
revocation_date: 20191001000000Z
- name: Retrieve CRL 1 infos
set_fact:
ansible.builtin.set_fact:
crl_1_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | community.crypto.x509_crl_info }}
- name: Retrieve CRL 1 infos
set_fact:
ansible.builtin.set_fact:
crl_1_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | b64encode | community.crypto.x509_crl_info }}
- name: Validate CRL 1 info
assert:
ansible.builtin.assert:
that:
- crl_1_info_1.format == 'pem'
- crl_1_info_1.digest == 'ecdsa-with-SHA256'
@@ -70,7 +70,7 @@
- crl_1_info_1 == crl_1_info_2
- name: Recreate CRL 1 as DER file
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
@@ -90,22 +90,22 @@
revocation_date: 20191001000000Z
- name: Read ca-crl1.crl
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/ca-crl1.crl"
register: content
- name: Retrieve CRL 1 infos from DER (Base64 encoded)
set_fact:
ansible.builtin.set_fact:
crl_1_info_5: >-
{{ content.content | community.crypto.x509_crl_info }}
- name: Validate CRL 1
assert:
ansible.builtin.assert:
that:
- crl_1_info_5.format == 'der'
- name: Create CRL 2
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
@@ -126,12 +126,12 @@
register: crl_2_change
- name: Retrieve CRL 2 infos
set_fact:
ansible.builtin.set_fact:
crl_2_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Create CRL 2 (changed order)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
@@ -152,12 +152,12 @@
register: crl_2_change_order
- name: Retrieve CRL 2 infos again
set_fact:
ansible.builtin.set_fact:
crl_2_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Validate CRL 2 info
assert:
ansible.builtin.assert:
that:
- "'revoked_certificates' not in crl_2_info_1"
- >
@@ -176,7 +176,7 @@
]
- name: Create CRL 3
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -199,7 +199,7 @@
register: crl_3
- name: Create CRL 3 (IDNA encoding)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -224,7 +224,7 @@
register: crl_3_idna
- name: Create CRL 3 (Unicode encoding)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -249,7 +249,7 @@
register: crl_3_unicode
- name: Retrieve CRL 3 infos
set_fact:
ansible.builtin.set_fact:
crl_3_info: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true) }}
crl_3_info_idna: >-
@@ -258,73 +258,73 @@
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true, name_encoding='unicode') }}
- name: Validate CRL 3 info
assert:
ansible.builtin.assert:
that:
- crl_3.revoked_certificates == crl_3_info.revoked_certificates
- crl_3_idna.revoked_certificates == crl_3_info_idna.revoked_certificates
- crl_3_unicode.revoked_certificates == crl_3_info_unicode.revoked_certificates
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.x509_crl_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.x509_crl_info input must be a text type, not ")
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_crl_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Error while decoding CRL")
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_crl_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_crl_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")
- name: Get invalid list_revoked_certificates parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_crl_info(list_revoked_certificates=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The list_revoked_certificates option must be a boolean, not ")


@@ -9,11 +9,11 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- set_fact:
- ansible.builtin.set_fact:
certificates:
- name: ca
subject:
@@ -39,14 +39,14 @@
- DNS:b64.ansible.com
- name: Generate private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
type: ECC
curve: secp256r1
loop: "{{ certificates }}"
- name: Generate CSRs
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
subject: "{{ item.subject | default(omit) }}"
@@ -56,7 +56,7 @@
loop: "{{ certificates }}"
- name: Generate CA certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
@@ -65,7 +65,7 @@
when: item.is_ca | default(false)
- name: Generate other certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
provider: ownca
@@ -75,7 +75,7 @@
when: not (item.is_ca | default(false))
- name: Get certificate infos
x509_certificate_info:
community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/{{ item }}.pem'
loop:
- cert-1
@@ -86,6 +86,6 @@
- block:
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version is version('3.3', '>=')


@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
skip_tests: false
has_get_certificate_chain: >-
{{ ansible_facts.python_version is version('3.10.0', '>=') }}
@@ -16,14 +16,14 @@
- block:
- name: Get servers certificate with backend auto-detection
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}"
ignore_errors: true
register: result
- set_fact:
- ansible.builtin.set_fact:
skip_tests: |
{{
result is failed and (
@@ -33,7 +33,7 @@
)
}}
- assert:
- ansible.builtin.assert:
that:
- result is success or skip_tests
@@ -41,7 +41,7 @@
- block:
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography
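Review bot: `skip_tests: |` in the second hunk keeps the block scalar's trailing newline in the templated value, whereas `has_get_certificate_chain: >-` a few lines earlier uses the strip-chomping folded form; if the rendered fact ends up as a string such as "False\n" instead of a boolean, `result is success or skip_tests` in the assert below is truthy either way and the guard can never fail. I would write it as `skip_tests: >-` so both facts are built the same way, and confirm with a deliberately failing get_certificate run that the assert still trips. The block holding these tasks starts and ends outside the hunk, so I could not check whether skip_tests is consumed elsewhere as a string.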


@@ -4,16 +4,16 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get servers certificate for SNI test part 1
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
server_name: "{{ sni_host }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -22,16 +22,16 @@
- "'{{ sni_host }}' == result.subject.CN"
- name: Get servers certificate for SNI test part 2
get_certificate:
community.crypto.get_certificate:
host: "{{ sni_host }}"
port: 443
server_name: "{{ httpbin_host }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -40,16 +40,16 @@
- "'{{ httpbin_host }}' == result.subject.CN"
- name: Get servers certificate
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
select_crypto_backend: "{{ select_crypto_backend }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -58,7 +58,7 @@
- "'North Carolina' == result.subject.ST"
- name: Connect to http port (will fail because there is no SSL cert to get)
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 80
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -66,7 +66,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -78,7 +78,7 @@
or 'record layer failure' in result.msg
- name: Test timeout option
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 1234
timeout: 1
@@ -87,7 +87,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -95,7 +95,7 @@
- "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"
- name: Test failure if ca_cert is not a valid file
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
ca_cert: dn.e
@@ -104,7 +104,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -112,12 +112,12 @@
- "'ca_cert file does not exist' == result.msg"
- name: Download CA Cert as pem from server
get_url:
ansible.builtin.get_url:
url: "http://ansible.http.tests/cacert.pem"
dest: "{{ remote_tmp_dir }}/temp.pem"
- name: Get servers certificate comparing it to its own ca_cert file
get_certificate:
community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/temp.pem'
host: "{{ httpbin_host }}"
port: 443
@@ -126,19 +126,19 @@
get_certificate_chain: "{{ has_get_certificate_chain }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is not failed
- name: Read CA cert
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/temp.pem'
register: cacert
when: has_get_certificate_chain
- name: Validate get_certificate_chain=true results
assert:
ansible.builtin.assert:
that:
- result.verified_chain is sequence
- result.unverified_chain is sequence
@@ -149,20 +149,20 @@
when: has_get_certificate_chain
- name: Validate get_certificate_chain=false results
assert:
ansible.builtin.assert:
that:
- result.verified_chain is undefined
- result.unverified_chain is undefined
when: not has_get_certificate_chain
- name: Generate bogus CA privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/bogus_ca.key'
type: ECC
curve: secp256r1
- name: Generate bogus CA CSR
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
subject:
@@ -173,7 +173,7 @@
basic_constraints_critical: true
- name: Generate selfsigned bogus CA certificate
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/bogus_ca.pem'
csr_path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
@@ -181,7 +181,7 @@
selfsigned_digest: sha256
- name: Get servers certificate comparing it to an invalid ca_cert file
get_certificate:
community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/bogus_ca.pem'
host: "{{ httpbin_host }}"
port: 443
@@ -190,7 +190,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed


@@ -9,7 +9,7 @@
####################################################################
- name: Copy keyfiles
copy:
ansible.builtin.copy:
src: '{{ item }}'
dest: '{{ remote_tmp_dir }}/{{ item }}'
loop:
@@ -17,7 +17,7 @@
- keyfile2
- name: Include OS-specific variables
include_vars: '{{ lookup("first_found", search) }}'
ansible.builtin.include_vars: '{{ lookup("first_found", search) }}'
vars:
search:
files:
@@ -30,62 +30,62 @@
- vars
- name: Make sure cryptsetup is installed
package:
ansible.builtin.package:
name: '{{ cryptsetup_package }}'
state: present
become: true
- name: Install additionally required packages
package:
ansible.builtin.package:
name: '{{ luks_extra_packages }}'
state: present
become: true
when: luks_extra_packages | length > 0
- name: Determine cryptsetup version
command: cryptsetup --version
ansible.builtin.command: cryptsetup --version
register: cryptsetup_version
- name: Extract cryptsetup version
set_fact:
ansible.builtin.set_fact:
cryptsetup_version: >-
{{ cryptsetup_version.stdout_lines[0] | regex_search('cryptsetup ([0-9]+\.[0-9]+\.[0-9]+)') | split | last }}
- name: Create cryptfile
command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
ansible.builtin.command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
- name: Figure out next loopback device
command: losetup -f
ansible.builtin.command: losetup -f
become: true
register: cryptfile_device_output
- name: Create lookback device
command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
ansible.builtin.command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
become: true
- name: Store some common data for tests
set_fact:
ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[0] }}"
cryptfile_passphrase1: "uNiJ9vKG2mUOEWDiQVuBHJlfMHE"
cryptfile_passphrase2: "HW4Ak2HtE2vvne0qjJMPTtmbV4M"
cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM"
- block:
- include_tasks: run-test.yml
- ansible.builtin.include_tasks: run-test.yml
with_fileglob:
- "tests/*.yml"
always:
- name: Make sure LUKS device is gone
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
ignore_errors: true
- command: losetup -d "{{ cryptfile_device }}"
- ansible.builtin.command: losetup -d "{{ cryptfile_device }}"
become: true
- file:
- ansible.builtin.file:
dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile"
state: absent
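Review bot: `cryptfile_device` is taken from a separate `losetup -f` query (the "Figure out next loopback device" task) rather than from the `losetup -f <path>` call that actually attaches the file, so if another process claims a loop device between the two tasks, every later `community.crypto.luks_device` task in this play operates on a device this test does not own. Asking the attach call itself for the name closes that window: replace the two tasks with one `ansible.builtin.command: losetup --show -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile` carrying `become: true` and `register: cryptfile_device_output`; `cryptfile_device` can then keep reading `stdout_lines[0]`. While touching that task, its name `Create lookback device` should read `Create loopback device`. The enclosing play continues outside the hunk.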


@@ -4,9 +4,9 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Make sure LUKS device is gone
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
- name: "Loading tasks from {{ item }}"
include_tasks: "{{ item }}"
ansible.builtin.include_tasks: "{{ item }}"


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -14,7 +14,7 @@
become: true
register: create_check
- name: Create
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -23,7 +23,7 @@
become: true
register: create
- name: Create (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -32,7 +32,7 @@
become: true
register: create_idem
- name: Create (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -41,7 +41,7 @@
check_mode: true
become: true
register: create_idem_check
- assert:
- ansible.builtin.assert:
that:
- create_check is changed
- create is changed
@@ -49,7 +49,7 @@
- create_idem_check is not changed
- name: Open (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -57,28 +57,28 @@
become: true
register: open_check
- name: Open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
register: open
- name: Open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
register: open_idem
- name: Open (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
check_mode: true
become: true
register: open_idem_check
- assert:
- ansible.builtin.assert:
that:
- open_check is changed
- open is changed
@@ -86,32 +86,32 @@
- open_idem_check is not changed
- name: Closed (via name, check)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
check_mode: true
become: true
register: close_check
- name: Closed (via name)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
become: true
register: close
- name: Closed (via name, idempotent)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
become: true
register: close_idem
- name: Closed (via name, idempotent, check)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
check_mode: true
become: true
register: close_idem_check
- assert:
- ansible.builtin.assert:
that:
- close_check is changed
- close is changed
@@ -119,39 +119,39 @@
- close_idem_check is not changed
- name: Re-open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
- name: Closed (via device, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
check_mode: true
become: true
register: close_check
- name: Closed (via device)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
register: close
- name: Closed (via device, idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
register: close_idem
- name: Closed (via device, idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
check_mode: true
become: true
register: close_idem_check
- assert:
- ansible.builtin.assert:
that:
- close_check is changed
- close is changed
@@ -159,39 +159,39 @@
- close_idem_check is not changed
- name: Re-opened
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
- name: Absent (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
check_mode: true
become: true
register: absent_check
- name: Absent
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
register: absent
- name: Absent (idempotence)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
register: absent_idem
- name: Absent (idempotence, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
check_mode: true
become: true
register: absent_idem_check
- assert:
- ansible.builtin.assert:
that:
- absent_check is changed
- absent is changed


@@ -4,11 +4,11 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Fix name
set_fact:
ansible.builtin.set_fact:
cryptname: "crypt{{ '%0x' % ((2**32) | random) }}"
- name: Create
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: present
@@ -18,7 +18,7 @@
become: true
register: create
- name: Open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: opened
@@ -26,7 +26,7 @@
become: true
register: open
- name: Open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: opened
@@ -34,25 +34,25 @@
become: true
register: open_idem
- name: Closed (via name)
luks_device:
community.crypto.luks_device:
name: "{{ cryptname }}"
state: closed
become: true
register: close
- name: Closed (via name, idempotent)
luks_device:
community.crypto.luks_device:
name: "{{ cryptname }}"
state: closed
become: true
register: close_idem
- name: Absent
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: absent
become: true
register: absent
- assert:
- ansible.builtin.assert:
that:
- create is changed
- open is changed


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with invalid device name (check)
luks_device:
community.crypto.luks_device:
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_check
- name: Create with invalid device name
luks_device:
community.crypto.luks_device:
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -24,7 +24,7 @@
ignore_errors: true
become: true
register: create
- assert:
- ansible.builtin.assert:
that:
- create_check is failed
- create is failed
@@ -32,7 +32,7 @@
- "'o such file or directory' in create.msg"
- name: Create with something which is not a device (check)
luks_device:
community.crypto.luks_device:
device: /tmp/
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -43,7 +43,7 @@
become: true
register: create_check
- name: Create with something which is not a device
luks_device:
community.crypto.luks_device:
device: /tmp/
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
ignore_errors: true
become: true
register: create
- assert:
- ansible.builtin.assert:
that:
- create_check is failed
- create is failed


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,36 +15,36 @@
# Access: keyfile1
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -55,7 +55,7 @@
register: result_1
- name: Give access to keyfile2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -63,7 +63,7 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
@@ -71,28 +71,28 @@
# Access: keyfile1 and keyfile2
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
- name: Remove access from keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -101,7 +101,7 @@
register: result_1
- name: Remove access from keyfile1 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -109,7 +109,7 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
@@ -117,40 +117,40 @@
# Access: keyfile2
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
- name: Remove access from keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -158,7 +158,7 @@
become: true
ignore_errors: true
register: remove_last_key
- assert:
- ansible.builtin.assert:
that:
- remove_last_key is failed
- "'force_remove_last_key' in remove_last_key.msg"
@@ -166,24 +166,24 @@
# Access: keyfile2
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Remove access from keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -194,13 +194,13 @@
# Access: none
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -21,7 +21,7 @@
register: create_passphrase_1
- name: Create with keyfile3 (without argon2i)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -32,7 +32,7 @@
when: create_passphrase_1 is failed
- name: Open with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ keyfile3 }}"
@@ -40,29 +40,29 @@
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -73,7 +73,7 @@
become: true
- name: Remove access for keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ keyfile3 }}"
@@ -81,25 +81,25 @@
become: true
- name: Try to open with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ keyfile3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create luks with keyslot 4 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_luks_slot4_check
- name: Create luks with keyslot 4
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -25,7 +25,7 @@
become: true
register: create_luks_slot4
- name: Create luks with keyslot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -35,7 +35,7 @@
become: true
register: create_luks_slot4_idem
- name: Create luks with keyslot 4 (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -46,10 +46,10 @@
become: true
register: create_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4
- assert:
- ansible.builtin.assert:
that:
- create_luks_slot4_check is changed
- create_luks_slot4 is changed
@@ -58,7 +58,7 @@
- "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
- name: Add key in slot 2 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -70,7 +70,7 @@
become: true
register: add_luks_slot2_check
- name: Add key in slot 2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -81,7 +81,7 @@
become: true
register: add_luks_slot2
- name: Add key in slot 2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -92,7 +92,7 @@
become: true
register: add_luks_slot2_idem
- name: Add key in slot 2 (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -104,10 +104,10 @@
become: true
register: add_luks_slot2_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot2
- assert:
- ansible.builtin.assert:
that:
- add_luks_slot2_check is changed
- add_luks_slot2 is changed
@@ -116,27 +116,27 @@
- "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
- name: Check remove slot 4 without key
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
ignore_errors: true
become: true
register: kill_slot4_nokey
- name: Check remove slot 4 with slot 4 key
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
keyfile: "{{ remote_tmp_dir }}/keyfile1"
ignore_errors: true
become: true
register: kill_slot4_key_slot4
- assert:
- ansible.builtin.assert:
that:
- kill_slot4_nokey is failed
- kill_slot4_key_slot4 is failed
- name: Remove key in slot 4 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
@@ -144,21 +144,21 @@
become: true
register: kill_luks_slot4_check
- name: Remove key in slot 4
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4
- name: Remove key in slot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4_idem
- name: Remove key in slot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
@@ -166,10 +166,10 @@
become: true
register: kill_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4_removed
- assert:
- ansible.builtin.assert:
that:
- kill_luks_slot4_check is changed
- kill_luks_slot4 is changed
@@ -178,7 +178,7 @@
- "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
- name: Add key in slot 0
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -189,17 +189,17 @@
become: true
register: add_luks_slot0
- name: Remove key in slot 0
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 0
become: true
register: kill_luks_slot0
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot0_removed
- assert:
- ansible.builtin.assert:
that:
- add_luks_slot0 is changed
- kill_luks_slot0 is changed
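Review bot: Two consecutive tasks carry the same name `Remove key in slot 4 (idempotent)` but register different results, `kill_luks_slot4_idem` and `kill_luks_slot4_idem_check`; the second one presumably runs in check mode (its remaining options fall outside the hunk), and nothing in the play output tells the two apart when an assert fails. The name should follow the `(idempotent, check)` wording already used for the create and add tasks in this file: `- name: Remove key in slot 4 (idempotent, check)`. The asserts that consume `kill_luks_slot4_idem_check` lie outside the visible hunk.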


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create new luks
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -12,7 +12,7 @@
iteration_time: 0.1
become: true
- name: Add new keyslot with same keyfile (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
new_keyslot: 1
@@ -23,7 +23,7 @@
check_mode: true
register: keyslot_duplicate_check
- name: Add new keyslot with same keyfile
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
new_keyslot: 1
@@ -32,7 +32,7 @@
become: true
ignore_errors: true
register: keyslot_duplicate
- assert:
- ansible.builtin.assert:
that:
- keyslot_duplicate_check is failed
- "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg"


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check invalid slot (luks1, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks1
@@ -16,7 +16,7 @@
become: true
register: create_luks1_slot8
- name: Check invalid slot (luks2, 32)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
@@ -28,7 +28,7 @@
become: true
register: create_luks2_slot32
- name: Check invalid slot (no luks type, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -38,14 +38,14 @@
ignore_errors: true
become: true
register: create_luks_slot8
- assert:
- ansible.builtin.assert:
that:
- create_luks1_slot8 is failed
- create_luks2_slot32 is failed
- create_luks_slot8 is failed
- name: Check valid slot (luks2, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
@@ -57,12 +57,12 @@
ignore_errors: true
register: create_luks2_slot8
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
ansible.builtin.assert:
that:
- "'Unknown option --type' in create_luks2_slot8.msg"
when: create_luks2_slot8 is failed
- name: Check add valid slot (no luks type, 10)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -73,7 +73,7 @@
become: true
register: create_luks_slot10
when: create_luks2_slot8 is changed
- assert:
- ansible.builtin.assert:
that:
- create_luks_slot10 is changed
when: create_luks2_slot8 is changed


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keysize
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_with_keysize
- name: Create with keysize (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -26,7 +26,7 @@
become: true
register: create_idem_with_keysize
- name: Create with different keysize (idempotent since we do not update keysize)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true
register: create_idem_with_diff_keysize
- name: Create with ambiguous arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -49,7 +49,7 @@
become: true
register: create_with_ambiguous
- assert:
- ansible.builtin.assert:
that:
- create_with_keysize is changed
- create_idem_with_keysize is not changed


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -20,13 +20,13 @@
register: create_passphrase_1
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
ansible.builtin.assert:
that:
- "'Unknown option --type' in create_passphrase_1.msg"
when: create_passphrase_1 is failed
- name: Create with passphrase1 (without argon2i)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -36,7 +36,7 @@
when: create_passphrase_1 is failed
- name: Open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
# Encode passphrase with Base64 to test passphrase_encoding
@@ -45,17 +45,17 @@
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Give access with ambiguous new_ arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -66,24 +66,24 @@
become: true
ignore_errors: true
register: new_try
- assert:
- ansible.builtin.assert:
that:
- new_try is failed
- name: Try to open with passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase2 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -94,7 +94,7 @@
register: result_1
- name: Give access to passphrase2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -102,42 +102,42 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
- name: Open with passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase2 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to keyfile1 from passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -147,7 +147,7 @@
become: true
- name: Remove access with ambiguous remove_ arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -155,29 +155,29 @@
become: true
ignore_errors: true
register: remove_try
- assert:
- ansible.builtin.assert:
that:
- remove_try is failed
- name: Open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Remove access for passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}"
@@ -185,44 +185,44 @@
register: result_1
- name: Remove access for passphrase1 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}"
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
- name: Try to open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Try to open with passphrase3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase3 from keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -232,18 +232,18 @@
become: true
- name: Open with passphrase3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true


@@ -6,7 +6,7 @@
- name: On kernel >= 5.9 use performance flags
block:
- name: Create and open (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -22,7 +22,7 @@
become: true
register: create_open_check
- name: Create and open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true
register: create_open
- name: Create and open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
become: true
register: create_open_idem
- name: Create and open (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -67,7 +67,7 @@
check_mode: true
become: true
register: create_open_idem_check
- assert:
- ansible.builtin.assert:
that:
- create_open_check is changed
- create_open is changed
@@ -75,10 +75,10 @@
- create_open_idem_check is not changed
- name: Dump LUKS Header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header
- assert:
- ansible.builtin.assert:
that:
- "'no-read-workqueue' in luks_header.stdout"
- "'no-write-workqueue' in luks_header.stdout"
@@ -87,10 +87,10 @@
- "'allow-discards' in luks_header.stdout"
- name: Dump device mapper table
command: "dmsetup table {{ create_open.name }}"
ansible.builtin.command: "dmsetup table {{ create_open.name }}"
become: true
register: dm_table
- assert:
- ansible.builtin.assert:
that:
- "'no_read_workqueue' in dm_table.stdout"
- "'no_write_workqueue' in dm_table.stdout"
@@ -99,7 +99,7 @@
- "'allow_discards' in dm_table.stdout"
- name: Closed and Removed
luks_device:
community.crypto.luks_device:
name: "{{ cryptfile_device }}"
state: absent
become: true
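Review bot: The last task, `Closed and Removed`, addresses the container as `name: "{{ cryptfile_device }}"` while every other `community.crypto.luks_device` task in this section passes the same variable as `device:`. If `name` is deliberate here (the module also accepts the mapped container name, and passing a device path there presumably relies on the module resolving it), a one-line comment such as `# name rather than device: exercises removal by container name` would stop the next reader from "fixing" it; otherwise `device: "{{ cryptfile_device }}"` keeps the file consistent. The file may continue beyond the end of this hunk.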


@@ -9,39 +9,39 @@
####################################################################
- name: Declare global variables
set_fact:
ansible.builtin.set_fact:
signing_key: '{{ remote_tmp_dir }}/id_key'
public_key: '{{ remote_tmp_dir }}/id_key.pub'
certificate_path: '{{ remote_tmp_dir }}/id_cert'
- name: Generate keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ signing_key }}"
type: rsa
size: 1024
- block:
- name: Import idempotency tests
import_tasks: ../tests/idempotency.yml
ansible.builtin.import_tasks: ../tests/idempotency.yml
- name: Import key_idempotency tests
import_tasks: ../tests/key_idempotency.yml
ansible.builtin.import_tasks: ../tests/key_idempotency.yml
- name: Import options tests
import_tasks: ../tests/options_idempotency.yml
ansible.builtin.import_tasks: ../tests/options_idempotency.yml
- name: Import regenerate tests
import_tasks: ../tests/regenerate.yml
ansible.builtin.import_tasks: ../tests/regenerate.yml
- name: Import remove tests
import_tasks: ../tests/remove.yml
ansible.builtin.import_tasks: ../tests/remove.yml
when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6")
- name: Import ssh-agent tests
import_tasks: ../tests/ssh-agent.yml
ansible.builtin.import_tasks: ../tests/ssh-agent.yml
when: openssh_version is version("7.6",">=")
- name: Remove keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ signing_key }}"
state: absent
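Review bot: The condition on the ssh-agent import, `when: openssh_version is version("7.6",">=")`, still has no space after the comma, although this commit removes `jinja[spacing]` from the skip list; if ansible-lint applies that rule to `when:` expressions it will be reported on the next run. Writing it as `when: openssh_version is version("7.6", ">=")` matches the other version comparisons touched by this commit (for example `version("7.3", ">=")` and `version('3.3', '>=')`). Whether the rule actually covers `when:` is something I am inferring, not something the page shows.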


@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate cert - force option (check_mode)
force: true
@@ -253,7 +253,7 @@
changed: true
- name: Execute idempotency tests
openssh_cert:
community.crypto.openssh_cert:
force: "{{ test_case.force | default(omit) }}"
identifier: "{{ test_case.identifier | default(omit) }}"
options: "{{ test_case.options | default(omit) }}"
@@ -275,7 +275,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ idempotency_test_output.results }}"
@@ -284,6 +284,6 @@
loop_var: result
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent


@@ -8,16 +8,16 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
new_signing_key: "{{ remote_tmp_dir }}/new_key"
new_public_key: "{{ remote_tmp_dir }}/new_key.pub"
- name: Generate new test key
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ new_signing_key }}"
- name: Generate cert with original keys
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -27,7 +27,7 @@
- block:
- name: Generate cert with updated signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -38,12 +38,12 @@
register: updated_signature_algorithm
- name: Assert signature algorithm update causes change
assert:
ansible.builtin.assert:
that:
- updated_signature_algorithm is changed
- name: Generate cert with updated signature algorithm (idempotent)
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -54,13 +54,13 @@
register: updated_signature_algorithm_idempotent
- name: Assert signature algorithm update is idempotent
assert:
ansible.builtin.assert:
that:
- updated_signature_algorithm_idempotent is not changed
- block:
- name: Generate cert with original signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -71,7 +71,7 @@
register: second_signature_algorithm
- name: Assert second signature algorithm update causes change
assert:
ansible.builtin.assert:
that:
- second_signature_algorithm is changed
# RHEL9, Fedora 41 and Rocky 9 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error.
@@ -81,7 +81,7 @@
- not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41)
- name: Omit signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -91,12 +91,12 @@
register: omitted_signature_algorithm
- name: Assert omitted_signature_algorithm does not cause change
assert:
ansible.builtin.assert:
that:
- omitted_signature_algorithm is not changed
- name: Revert to original certificate
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -107,7 +107,7 @@
when: openssh_version is version("7.3", ">=")
- name: Generate cert with new signing key
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: new_signing_key_output
- name: Generate cert with new public key
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}"
@@ -127,7 +127,7 @@
register: new_public_key_output
- name: Generate cert with new signing key - full idempotency
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -138,7 +138,7 @@
register: new_signing_key_full_idempotency_output
- name: Generate cert with new pubic key - full idempotency
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}"
@@ -149,7 +149,7 @@
register: new_public_key_full_idempotency_output
- name: Assert changes to public key or signing key results in no change unless idempotency=full
assert:
ansible.builtin.assert:
that:
- new_signing_key_output is not changed
- new_public_key_output is not changed
@@ -157,11 +157,11 @@
- new_public_key_full_idempotency_output is changed
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent
- name: Remove new keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ new_signing_key }}"
state: absent
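Review bot: The task name `Generate cert with new pubic key - full idempotency` contains a typo and should read `- name: Generate cert with new public key - full idempotency`. The later assertion name also reads better as `- name: Assert changes to public key or signing key result in no change unless idempotency=full`. Both are cosmetic, but this commit already rewrites the module line of each of those tasks, so it is the cheapest moment to fix them.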


@@ -9,7 +9,7 @@
####################################################################
- name: Generate cert with no options
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -22,7 +22,7 @@
register: no_options
- name: Generate cert with no options with explicit directives
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -39,7 +39,7 @@
register: no_options_explicit_directives
- name: Generate cert with explicit extension
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -53,7 +53,7 @@
register: explicit_extension_before
- name: Generate cert with explicit extension (idempotency)
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -67,7 +67,7 @@
register: explicit_extension_after
- name: Generate cert with explicit extension and corresponding directive
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -81,7 +81,7 @@
register: explicit_extension_and_directive
- name: Generate cert with default options
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -92,7 +92,7 @@
register: default_options
- name: Generate cert with relative timestamp
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -104,7 +104,7 @@
register: relative_timestamp
- name: Generate cert with ignore_timestamp true
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: relative_timestamp_true
- name: Generate cert with ignore_timestamp false
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -130,7 +130,7 @@
register: relative_timestamp_false
- name: Generate cert with ignore_timestamp true
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -143,7 +143,7 @@
register: relative_timestamp_invalid_at
- name: Generate host cert full_idempotence
openssh_cert:
community.crypto.openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -153,7 +153,7 @@
regenerate: full_idempotence
- name: Generate host cert full_idempotence again
openssh_cert:
community.crypto.openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -164,7 +164,7 @@
register: host_cert_full_idempotence
- name: Assert options results
assert:
ansible.builtin.assert:
that:
- no_options is changed
- no_options_explicit_directives is not changed
@@ -179,6 +179,6 @@
- host_cert_full_idempotence is not changed
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent
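Review bot: Two tasks in this section share the name `Generate cert with ignore_timestamp true`, so when one of them fails the play output does not say which. The second registers `relative_timestamp_invalid_at`, which suggests it exercises an invalid `valid_at` value; if so, `- name: Generate cert with ignore_timestamp true and invalid valid_at` distinguishes it from the first. I am inferring the intent from the register variable, since the task's remaining parameters lie outside the hunk.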


@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate certificate
type: user
@@ -104,7 +104,7 @@
changed: true
- name: Execute regenerate tests
openssh_cert:
community.crypto.openssh_cert:
force: "{{ test_case.force | default(omit) }}"
options: "{{ test_case.options | default(omit) }}"
path: "{{ test_case.path | default(omit) }}"
@@ -126,7 +126,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ regenerate_tests_output.results }}"
@@ -135,6 +135,6 @@
loop_var: result
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent


@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate certificate
type: user
@@ -38,7 +38,7 @@
changed: false
- name: Execute remove tests
openssh_cert:
community.crypto.openssh_cert:
options: "{{ test_case.options | default(omit) }}"
path: "{{ test_case.path | default(omit) }}"
public_key: "{{ test_case.public_key | default(omit) }}"
@@ -57,7 +57,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ remove_test_output.results }}"


@@ -14,7 +14,7 @@
block:
- name: Generate always valid cert using agent without key in agent (should fail)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -26,16 +26,16 @@
ignore_errors: true
- name: Make sure cert creation with agent fails if key not in agent
assert:
ansible.builtin.assert:
that:
- rc_no_key_in_agent is failed
- "'agent contains no identities' in rc_no_key_in_agent.msg or 'not found in agent' in rc_no_key_in_agent.msg"
- name: Add key to agent
command: 'ssh-add {{ signing_key }}'
ansible.builtin.command: 'ssh-add {{ signing_key }}'
- name: Generate always valid cert with agent (check mode)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -46,7 +46,7 @@
check_mode: true
- name: Generate always valid cert with agent
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -56,7 +56,7 @@
valid_to: forever
- name: Generate always valid cert with agent (idempotent)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -67,13 +67,13 @@
register: rc_cert_with_agent_idempotent
- name: Check agent idempotency
assert:
ansible.builtin.assert:
that:
- rc_cert_with_agent_idempotent is not changed
msg: OpenSSH certificate generation without serial number is idempotent.
- name: Generate always valid cert with agent (idempotent, check mode)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -84,6 +84,6 @@
check_mode: true
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
state: absent
path: '{{ remote_tmp_dir }}/id_cert_with_agent'


@@ -9,42 +9,42 @@
####################################################################
- name: Backend auto-detection test
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/auto_backend_key'
state: "{{ item }}"
loop: ['present', 'absent']
- set_fact:
- ansible.builtin.set_fact:
backends: ['opensshbin']
- set_fact:
- ansible.builtin.set_fact:
backends: "{{ backends + ['cryptography'] }}"
when: cryptography_version is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
- include_tasks: ../tests/core.yml
- ansible.builtin.include_tasks: ../tests/core.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/invalid.yml
- ansible.builtin.include_tasks: ../tests/invalid.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/options.yml
- ansible.builtin.include_tasks: ../tests/options.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/regenerate.yml
- ansible.builtin.include_tasks: ../tests/regenerate.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/state.yml
- ansible.builtin.include_tasks: ../tests/state.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/cryptography_backend.yml
- ansible.builtin.include_tasks: ../tests/cryptography_backend.yml
when: cryptography_version is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')


@@ -9,7 +9,7 @@
####################################################################
- name: "({{ backend }}) Generate key (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/core"
size: 1280
backend: "{{ backend }}"
@@ -17,14 +17,14 @@
check_mode: true
- name: "({{ backend }}) Generate key"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/core"
size: 1280
backend: "{{ backend }}"
register: core_output
- name: "({{ backend }}) Generate key (check mode idempotent)"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/core"
size: 1280
backend: "{{ backend }}"
@@ -32,18 +32,18 @@
check_mode: true
- name: "({{ backend }}) Generate key (idempotent)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/core'
size: 1280
backend: "{{ backend }}"
register: idempotency_core_output
- name: "({{ backend }}) Log key return values"
debug:
ansible.builtin.debug:
msg: "{{ core_output }}"
- name: "({{ backend }}) Assert core behavior"
assert:
ansible.builtin.assert:
that:
- check_core_output is changed
- core_output is changed
@@ -52,7 +52,7 @@
- idempotency_core_output is not changed
- name: "({{ backend }}) Assert key returns fingerprint"
assert:
ansible.builtin.assert:
that:
- core_output['fingerprint'] is string
- core_output['fingerprint'].startswith('SHA256:')
@@ -60,44 +60,44 @@
when: not (backend == 'opensshbin' and openssh_version is version('6.8', '<'))
- name: "({{ backend }}) Assert key returns public_key"
assert:
ansible.builtin.assert:
that:
- core_output['public_key'] is string
- core_output['public_key'].startswith('ssh-rsa ')
- name: "({{ backend }}) Assert key returns size value"
assert:
ansible.builtin.assert:
that:
- core_output['size']|type_debug == 'int'
- core_output['size'] == 1280
- name: "({{ backend }}) Assert key returns key type"
assert:
ansible.builtin.assert:
that:
- core_output['type'] is string
- core_output['type'] == 'rsa'
- name: "({{ backend }}) Retrieve key size from 'ssh-keygen'"
shell: "ssh-keygen -lf {{ remote_tmp_dir }}/core | grep -o -E '^[0-9]+'"
ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/core | grep -o -E '^[0-9]+'"
register: core_size_ssh_keygen
- name: "({{ backend }}) Assert key size matches 'ssh-keygen' output"
assert:
ansible.builtin.assert:
that:
- core_size_ssh_keygen.stdout == '1280'
- name: "({{ backend }}) Read core.pub"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/core.pub'
register: slurp
- name: "({{ backend }}) Assert public key module return equal to the public key content"
assert:
ansible.builtin.assert:
that:
- "core_output.public_key == (slurp.content | b64decode).strip('\n ')"
- name: "({{ backend }}) Remove key"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/core'
backend: "{{ backend }}"
state: absent


@@ -4,10 +4,10 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Generate a password protected key
command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'
- name: Modify the password protected key with passphrase
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/password_protected'
size: 1024
passphrase: "{{ passphrase }}"
@@ -15,7 +15,7 @@
register: password_protected_output
- name: Check password protected key idempotency
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/password_protected'
size: 1024
passphrase: "{{ passphrase }}"
@@ -23,29 +23,29 @@
register: password_protected_idempotency_output
- name: Ensure that ssh-keygen can read keys generated with passphrase
command: 'ssh-keygen -yf {{ remote_tmp_dir }}/password_protected -P {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -yf {{ remote_tmp_dir }}/password_protected -P {{ passphrase }}'
register: password_protected_ssh_keygen_output
- name: Check that password protected key with passphrase was regenerated
assert:
ansible.builtin.assert:
that:
- password_protected_output is changed
- password_protected_idempotency_output is not changed
- password_protected_ssh_keygen_output is success
- name: Remove password protected key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/password_protected'
backend: cryptography
state: absent
- name: Generate an unprotected key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
backend: cryptography
- name: Modify unprotected key with passphrase
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
size: 1280
passphrase: "{{ passphrase }}"
@@ -54,7 +54,7 @@
register: unprotected_modification_output
- name: Modify unprotected key with passphrase (force)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
size: 1280
passphrase: "{{ passphrase }}"
@@ -63,22 +63,22 @@
register: force_unprotected_modification_output
- name: Check that unprotected key was modified
assert:
ansible.builtin.assert:
that:
- unprotected_modification_output is failed
- force_unprotected_modification_output is changed
- name: Remove unprotected key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
backend: cryptography
state: absent
- name: Generate PEM encoded key with passphrase
command: 'ssh-keygen -t rsa -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
ansible.builtin.command: 'ssh-keygen -t rsa -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
- name: Try to verify a PEM encoded key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/pem_encoded'
passphrase: "{{ passphrase }}"
backend: cryptography
@@ -86,84 +86,84 @@
register: pem_encoded_output
- name: Check that PEM encoded file is read without errors
assert:
ansible.builtin.assert:
that:
- pem_encoded_output is not changed
- name: Remove PEM encoded key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/pem_encoded'
backend: cryptography
state: absent
- name: Generate a private key with specified format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs1
backend: cryptography
- name: Generate a private key with specified format (Idempotent)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs1
backend: cryptography
register: private_key_format_idempotent
- name: Check that private key with specified format is idempotent
assert:
ansible.builtin.assert:
that:
- private_key_format_idempotent is not changed
- name: Change to PKCS8 format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs8
backend: cryptography
register: private_key_format_pkcs8
- name: Check that format change causes regeneration
assert:
ansible.builtin.assert:
that:
- private_key_format_pkcs8 is changed
- name: Change to PKCS8 format (Idempotent)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs8
backend: cryptography
register: private_key_format_pkcs8_idempotent
- name: Check that private key with PKCS8 format is idempotent
assert:
ansible.builtin.assert:
that:
- private_key_format_pkcs8_idempotent is not changed
- name: Change to SSH format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: ssh
backend: cryptography
register: private_key_format_ssh
- name: Check that format change causes regeneration
assert:
ansible.builtin.assert:
that:
- private_key_format_ssh is changed
- name: Change to SSH format (Idempotent)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: ssh
backend: cryptography
register: private_key_format_ssh_idempotent
- name: Check that private key with SSH format is idempotent
assert:
ansible.builtin.assert:
that:
- private_key_format_ssh_idempotent is not changed
- name: Remove private key with specified format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
backend: cryptography
state: absent
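Review bot: `ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'` (and the `-P {{ passphrase }}` and `-m PEM` variants later in this section) interpolate the passphrase unquoted into the argument string; `command` splits that string shlex-style rather than through a shell, so a passphrase containing whitespace would become several arguments and the key would be protected by something other than what the following `community.crypto.openssh_keypair` tasks pass as `passphrase`. Quoting it, `-N "{{ passphrase }}"`, or switching to the `argv:` list form removes the ambiguity. Because the passphrase is part of the recorded command, adding `no_log: true` to those tasks would also keep it out of verbose play output, which matters if the fixture value is ever replaced by a real secret. The same pattern appears in the invalid.yml section below, in the task `Generate key with ssh-keygen - password_protected`.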


@@ -9,7 +9,7 @@
####################################################################
- name: "({{ backend }}) Generate key - broken"
copy:
ansible.builtin.copy:
dest: '{{ item }}'
content: ''
mode: '0700'
@@ -18,91 +18,91 @@
- "{{ remote_tmp_dir }}/broken.pub"
- name: "({{ backend }}) Regenerate key - broken"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/broken"
backend: "{{ backend }}"
register: broken_output
ignore_errors: true
- name: "({{ backend }}) Assert broken key causes failure - broken"
assert:
ansible.builtin.assert:
that:
- broken_output is failed
- "'Unable to read the key. The key is protected with a passphrase or broken.' in broken_output.msg"
- name: "({{ backend }}) Regenerate key with force - broken"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/broken"
backend: "{{ backend }}"
force: true
register: force_broken_output
- name: "({{ backend }}) Assert broken key regenerated when 'force=true' - broken"
assert:
ansible.builtin.assert:
that:
- force_broken_output is changed
- name: "({{ backend }}) Remove key - broken"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/broken"
backend: "{{ backend }}"
state: absent
- name: "({{ backend }}) Generate key - write-only"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/write-only"
mode: "0200"
backend: "{{ backend }}"
- name: "({{ backend }}) Check private key status - write-only"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/write-only'
register: write_only_private_key
- name: "({{ backend }}) Check public key status - write-only"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/write-only.pub'
register: write_only_public_key
- name: "({{ backend }}) Assert that private and public keys match permissions - write-only"
assert:
ansible.builtin.assert:
that:
- write_only_private_key.stat.mode == '0200'
- write_only_public_key.stat.mode == '0200'
- name: "({{ backend }}) Regenerate key with force - write-only"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/write-only"
backend: "{{ backend }}"
force: true
register: write_only_output
- name: "({{ backend }}) Check private key status after regeneration - write-only"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/write-only'
register: write_only_private_key_after
- name: "({{ backend }}) Assert key is regenerated - write-only"
assert:
ansible.builtin.assert:
that:
- write_only_output is changed
- name: "({{ backend }}) Assert key permissions are preserved with 'opensshbin'"
assert:
ansible.builtin.assert:
that:
- write_only_private_key_after.stat.mode == '0200'
- name: "({{ backend }}) Remove key - write-only"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/write-only"
backend: "{{ backend }}"
state: absent
- name: "({{ backend }}) Generate key with ssh-keygen - password_protected"
command: "ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}"
ansible.builtin.command: "ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}"
- name: "({{ backend }}) Modify key - password_protected"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/password_protected"
size: 1280
backend: "{{ backend }}"
@@ -110,13 +110,13 @@
ignore_errors: true
- name: "({{ backend }}) Assert key cannot be read - password_protected"
assert:
ansible.builtin.assert:
that:
- password_protected_output is failed
- "'Unable to read the key. The key is protected with a passphrase or broken.' in password_protected_output.msg"
- name: "({{ backend }}) Modify key with 'force=true' - password_protected"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/password_protected"
size: 1280
backend: "{{ backend }}"
@@ -124,12 +124,12 @@
register: force_password_protected_output
- name: "({{ backend }}) Assert key regenerated with 'force=true' - password_protected"
assert:
ansible.builtin.assert:
that:
- force_password_protected_output is changed
- name: "({{ backend }}) Remove key - password_protected"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/password_protected"
backend: "{{ backend }}"
state: absent
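Review bot: The task named `Assert key permissions are preserved with 'opensshbin'` carries no `when: backend == 'opensshbin'` — the next task begins immediately after its `that:` list within this hunk — yet the surrounding tasks pass `backend: "{{ backend }}"`, so the assertion runs for every backend the caller loops over. Either the name is stale and both backends are expected to keep the `0200` mode, in which case `- name: "({{ backend }}) Assert key permissions are preserved after regeneration - write-only"` describes what is actually checked, or the condition was dropped and should be restored. Which of the two is intended is not something the hunk shows.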


@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
key_types: "{{ key_types_src | reject('equalto', '') | list }}"
vars:
key_types_src:
@@ -17,61 +17,61 @@
- ecdsa
- name: "({{ backend }}) Generate keys with default size - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_{{ item }}"
type: "{{ item }}"
backend: "{{ backend }}"
loop: "{{ key_types }}"
- name: "({{ backend }}) Retrieve key size from 'ssh-keygen' - size"
shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_{{ item }} | grep -o -E '^[0-9]+'"
ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_{{ item }} | grep -o -E '^[0-9]+'"
loop: "{{ key_types }}"
register: key_size_output
- name: "({{ backend }}) Assert key sizes match default size - size"
assert:
ansible.builtin.assert:
that:
- (key_size_output.results | selectattr('item', 'equalto', 'rsa') | first).stdout == '4096'
- not openssh_supports_dsa or (key_size_output.results | selectattr('item', 'equalto', 'dsa') | first).stdout == '1024'
- (key_size_output.results | selectattr('item', 'equalto', 'ecdsa') | first).stdout == '256'
- name: "({{ backend }}) Remove keys - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_{{ item }}"
state: absent
loop: "{{ key_types }}"
- block:
- name: "({{ backend }}) Generate ed25519 key with default size - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_ed25519"
type: ed25519
backend: "{{ backend }}"
- name: "({{ backend }}) Retrieve ed25519 key size from 'ssh-keygen' - size"
shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_ed25519 | grep -o -E '^[0-9]+'"
ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_ed25519 | grep -o -E '^[0-9]+'"
register: ed25519_key_size_output
- name: "({{ backend }}) Assert ed25519 key size matches default size - size"
assert:
ansible.builtin.assert:
that:
- ed25519_key_size_output.stdout == '256'
- name: "({{ backend }}) Remove ed25519 key - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_ed25519"
state: absent
# Support for ed25519 keys was added in OpenSSH 6.5
when: not (backend == 'opensshbin' and openssh_version is version('6.5', '<'))
- name: "({{ backend }}) Generate key - force"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/force"
type: rsa
backend: "{{ backend }}"
- name: "({{ backend }}) Regenerate key - force"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/force"
type: rsa
force: true
@@ -79,25 +79,25 @@
register: force_output
- name: "({{ backend }}) Assert key regenerated - force"
assert:
ansible.builtin.assert:
that:
- force_output is changed
- name: "({{ backend }}) Remove key - force"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/force"
state: absent
backend: "{{ backend }}"
- name: "({{ backend }}) Generate key - comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
comment: "test@comment"
backend: "{{ backend }}"
register: comment_output
- name: "({{ backend }}) Modify comment - comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
comment: "test_modified@comment"
backend: "{{ backend }}"
@@ -106,13 +106,13 @@
- name: "({{ backend }}) Assert comment preserved public key - comment"
when: modified_comment_output is succeeded
assert:
ansible.builtin.assert:
that:
- comment_output.public_key == modified_comment_output.public_key
- comment_output.comment == 'test@comment'
- name: "({{ backend }}) Assert comment changed - comment"
assert:
ansible.builtin.assert:
that:
- modified_comment_output.comment == 'test_modified@comment'
- modified_comment_output is succeeded
@@ -120,14 +120,14 @@
when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
- name: "({{ backend }}) Assert comment not changed - comment"
assert:
ansible.builtin.assert:
that:
- modified_comment_output is failed
# Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
when: backend == 'opensshbin' and openssh_version is version('7.2', '<')
- name: "({{ backend }}) Remove key - comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
state: absent
backend: "{{ backend }}"
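Review bot: The two read-only `ansible.builtin.shell` tasks in the `@@ -17,61 +17,61 @@` hunk ("Retrieve key size from 'ssh-keygen' - size" and the ed25519 variant) report `changed` on every run, and because only `grep`'s exit status survives the pipe, a failing `ssh-keygen -lf` is masked until the later assert trips on an empty `stdout`. Adding `changed_when: false` to both tasks keeps the play summary honest, and running the pipeline with `set -o pipefail` (or declaring `args: executable: /bin/bash`) would surface the real failure point. The tasks themselves are presumably fine as a test probe; this is a point of how they are written rather than what they check.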


@@ -23,7 +23,7 @@
loop: "{{ old_test_artifacts.files }}"
- name: "({{ backend }}) Regenerate - setup simple keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1024
@@ -31,11 +31,11 @@
regenerate: "{{ item }}"
loop: "{{ regenerate_values }}"
- name: "({{ backend }}) Regenerate - setup password protected keys"
command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
loop: "{{ regenerate_values }}"
- name: "({{ backend }}) Regenerate - setup broken keys"
copy:
ansible.builtin.copy:
dest: '{{ remote_tmp_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
content: 'broken key'
mode: '0700'
@@ -44,11 +44,11 @@
- ['', '.pub']
- name: "({{ backend }}) Regenerate - setup password protected keys for passphrse test"
command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
loop: "{{ regenerate_values }}"
- name: "({{ backend }}) Regenerate - modify broken keys (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}'
type: rsa
size: 1024
@@ -58,7 +58,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -70,7 +70,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify broken keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}'
type: rsa
size: 1024
@@ -79,7 +79,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -91,7 +91,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify password protected keys (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
type: rsa
size: 1024
@@ -101,7 +101,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -113,7 +113,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify password protected keys with passphrase (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
type: rsa
size: 1024
@@ -126,7 +126,7 @@
register: result
when: backend == 'cryptography'
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success
- result.results[1] is failed
@@ -137,7 +137,7 @@
when: backend == 'cryptography'
- name: "({{ backend }}) Regenerate - modify password protected keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
type: rsa
size: 1024
@@ -146,7 +146,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -158,7 +158,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify password protected keys with passphrase"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-d-{{ item }}'
type: rsa
size: 1024
@@ -170,7 +170,7 @@
register: result
when: backend == 'cryptography'
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success
- result.results[1] is failed
@@ -181,7 +181,7 @@
when: backend == 'cryptography'
- name: "({{ backend }}) Regenerate - not modify regular keys (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1024
@@ -190,7 +190,7 @@
check_mode: true
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
@@ -199,7 +199,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - not modify regular keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1024
@@ -207,7 +207,7 @@
backend: "{{ backend }}"
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
@@ -216,7 +216,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - adjust key size (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1048
@@ -226,7 +226,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -236,7 +236,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - adjust key size"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1048
@@ -245,7 +245,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -255,7 +255,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
remote_src: true
@@ -270,7 +270,7 @@
block:
- name: "({{ backend }}) Regenerate - adjust key type (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -280,7 +280,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -290,7 +290,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - adjust key type"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -299,7 +299,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -309,7 +309,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
remote_src: true
@@ -319,7 +319,7 @@
when: "item.0 != 'always'"
- name: "({{ backend }}) Regenerate - adjust comment (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -330,7 +330,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result is changed
@@ -338,7 +338,7 @@
- when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
block:
- name: "({{ backend }}) Regenerate - adjust comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -347,7 +347,7 @@
backend: "{{ backend }}"
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result is changed
# for all values but 'always', the key should not be regenerated.
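Review bot: In the `@@ -31,11 +31,11 @@` and `@@ -44,11 +44,11 @@` hunks the `ansible.builtin.command` tasks that set up password-protected keys pass the passphrase on the `ssh-keygen -N {{ passphrase }}` command line, so it is visible in the target's process table and recorded in the task's `cmd`/result output. For a test fixture the impact is limited to play output and CI logs, but `no_log: true` on those two tasks would keep it out of both. The unquoted `-N {{ passphrase }}` also assumes the passphrase contains no whitespace, since `command` splits its argument string; passing the arguments via `argv:` (`argv: [ssh-keygen, -f, "{{ remote_tmp_dir }}/regenerate-b-{{ item }}", -N, "{{ passphrase }}"]`) removes that assumption.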


@@ -9,41 +9,41 @@
####################################################################
- name: "({{ backend }}) Generate key"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
state: present
- name: "({{ backend }}) Generate key (idempotency)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
state: present
- name: "({{ backend }}) Remove key"
openssh_keypair:
community.crypto.openssh_keypair:
state: absent
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
- name: "({{ backend }}) Remove key (idempotency)"
openssh_keypair:
community.crypto.openssh_keypair:
state: absent
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
- name: "({{ backend }}) Check private key status"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/removed'
register: removed_private_key
- name: "({{ backend }}) Check public key status"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/removed.pub'
register: removed_public_key
- name: "({{ backend }}) Assert key pair files are removed"
assert:
ansible.builtin.assert:
that:
- not removed_private_key.stat.exists
- not removed_public_key.stat.exists


@@ -4,17 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate privatekey"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Read privatekey"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekey.pem'
register: privatekey
- name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -25,7 +25,7 @@
register: generate_csr_check
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -35,7 +35,7 @@
register: generate_csr
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_content: '{{ privatekey.content | b64decode }}'
subject_ordered:
@@ -45,7 +45,7 @@
register: generate_csr_idempotent
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -56,7 +56,7 @@
register: generate_csr_idempotent_check
- name: "({{ select_crypto_backend }}) Generate CSR without SAN (check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -67,7 +67,7 @@
register: generate_csr_nosan_check
- name: "({{ select_crypto_backend }}) Generate CSR without SAN"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -77,7 +77,7 @@
register: generate_csr_nosan
- name: "({{ select_crypto_backend }}) Generate CSR without SAN (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -87,7 +87,7 @@
register: generate_csr_nosan_check_idempotent
- name: "({{ select_crypto_backend }}) Generate CSR without SAN (idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -102,7 +102,7 @@
# but the short name is used to test idempotency for ipsecuser
# and vice-versa for biometricInfo
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -118,7 +118,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -135,7 +135,7 @@
register: csr_ku_xku
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test XKU change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -151,7 +151,7 @@
register: csr_ku_xku_change
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test KU change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -166,14 +166,14 @@
register: csr_ku_xku_change_2
- name: "({{ select_crypto_backend }}) Generate CSR with old API"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_oldapi.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with invalid SAN (1/2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csrinvsan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: invalid-san.example.com
@@ -182,7 +182,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate CSR with invalid SAN (2/2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csrinvsan2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: "DNS:system:kube-controller-manager"
@@ -191,7 +191,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate CSR with OCSP Must Staple"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ocsp.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: "DNS:www.ansible.com"
@@ -199,7 +199,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with OCSP Must Staple (test idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ocsp.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: "DNS:www.ansible.com"
@@ -208,13 +208,13 @@
register: csr_ocsp_idempotency
- name: "({{ select_crypto_backend }}) Generate ECC privatekey"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey2.pem'
type: ECC
curve: secp384r1
- name: "({{ select_crypto_backend }}) Generate CSR with ECC privatekey"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -222,7 +222,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with text common name"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -231,7 +231,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with country name"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
country_name: de
@@ -239,7 +239,7 @@
register: country_idempotent_1
- name: "({{ select_crypto_backend }}) Generate CSR with country name (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
country_name: de
@@ -247,7 +247,7 @@
register: country_idempotent_2
- name: "({{ select_crypto_backend }}) Generate CSR with country name (idempotent 2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -256,7 +256,7 @@
register: country_idempotent_3
- name: "({{ select_crypto_backend }}) Generate CSR with country name (bad country name)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -266,19 +266,19 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate privatekey with password"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Read privatekey"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekeypw.pem'
register: privatekeypw
- name: "({{ select_crypto_backend }}) Generate CSR with privatekey passphrase"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -286,7 +286,7 @@
register: passphrase_1
- name: "({{ select_crypto_backend }}) Generate CSR with privatekey passphrase and private key content"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw.csr'
privatekey_content: '{{ privatekeypw.content | b64decode }}'
privatekey_passphrase: hunter2
@@ -294,7 +294,7 @@
register: passphrase_1_content
- name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 1)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
privatekey_passphrase: hunter2
@@ -303,7 +303,7 @@
register: passphrase_error_1
- name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: wrong_password
@@ -312,7 +312,7 @@
register: passphrase_error_2
- name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 3)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -320,11 +320,11 @@
register: passphrase_error_3
- name: "({{ select_crypto_backend }}) Create broken CSR"
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/csrbroken.csr"
content: "broken"
- name: "({{ select_crypto_backend }}) Regenerate broken CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csrbroken.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -334,7 +334,7 @@
register: output_broken
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -343,7 +343,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_1
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -352,7 +352,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_2
- name: "({{ select_crypto_backend }}) Generate CSR (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -361,7 +361,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_3
- name: "({{ select_crypto_backend }}) Generate CSR (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
state: absent
backup: true
@@ -369,7 +369,7 @@
return_content: true
register: csr_backup_4
- name: "({{ select_crypto_backend }}) Generate CSR (remove, idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
state: absent
backup: true
@@ -377,7 +377,7 @@
register: csr_backup_5
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -387,7 +387,7 @@
register: subject_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -397,7 +397,7 @@
register: subject_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -407,7 +407,7 @@
register: subject_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -417,7 +417,7 @@
register: subject_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -427,7 +427,7 @@
register: subject_key_identifier_5
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -436,7 +436,7 @@
register: subject_key_identifier_6
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -446,7 +446,7 @@
register: authority_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -456,7 +456,7 @@
register: authority_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -466,7 +466,7 @@
register: authority_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -475,7 +475,7 @@
register: authority_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -488,7 +488,7 @@
register: authority_cert_issuer_sn_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -501,7 +501,7 @@
register: authority_cert_issuer_sn_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change issuer)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -514,7 +514,7 @@
register: authority_cert_issuer_sn_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change serial number)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -527,7 +527,7 @@
register: authority_cert_issuer_sn_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -535,7 +535,7 @@
register: authority_cert_issuer_sn_5
- name: "({{ select_crypto_backend }}) Generate CSR with everything"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_ordered:
@@ -620,7 +620,7 @@
register: everything_1
- name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_ordered:
@@ -706,7 +706,7 @@
register: everything_2
- name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -792,7 +792,7 @@
register: everything_3
- name: "({{ select_crypto_backend }}) Generate CSR with everything (not idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_ordered:
@@ -887,7 +887,7 @@
- name: "({{ select_crypto_backend }}) Ed25519 and Ed448 tests"
block:
- name: "({{ select_crypto_backend }}) Generate privatekeys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
type: '{{ item }}'
loop:
@@ -901,7 +901,7 @@
block:
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
subject:
@@ -914,7 +914,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
subject:
@@ -931,7 +931,7 @@
- name: "({{ select_crypto_backend }}) CRL distribution endpoints"
block:
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -953,7 +953,7 @@
register: crl_distribution_endpoints_1
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (idempotence)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -975,7 +975,7 @@
register: crl_distribution_endpoints_2
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -995,7 +995,7 @@
register: crl_distribution_endpoints_3
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (no endpoints)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -1004,7 +1004,7 @@
register: crl_distribution_endpoints_4
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:


@@ -10,22 +10,22 @@
- block:
- name: Prepare private key for backend autodetection test
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography


@@ -4,25 +4,25 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
ansible.builtin.command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
register: csr_cn
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
ansible.builtin.command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
register: csr_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_modulus.stdout == privatekey_modulus.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (check mode, idempotency)"
assert:
ansible.builtin.assert:
that:
- generate_csr_check is changed
- generate_csr is changed
@@ -30,12 +30,12 @@
- generate_csr_idempotent_check is not changed
- name: "({{ select_crypto_backend }}) Read CSR"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/csr.csr'
register: slurp
- name: "({{ select_crypto_backend }}) Validate CSR (data retrieval)"
assert:
ansible.builtin.assert:
that:
- generate_csr_check.csr is none
- generate_csr.csr == (slurp.content | b64decode)
@@ -43,7 +43,7 @@
- generate_csr.csr == generate_csr_idempotent_check.csr
- name: "({{ select_crypto_backend }}) Validate CSR without SAN (check mode, idempotency)"
assert:
ansible.builtin.assert:
that:
- generate_csr_nosan_check is changed
- generate_csr_nosan is changed
@@ -51,76 +51,76 @@
- generate_csr_nosan_check_idempotent_check is not changed
- name: "({{ select_crypto_backend }}) Validate CSR_KU_XKU (assert idempotency, change)"
assert:
ansible.builtin.assert:
that:
- csr_ku_xku is not changed
- csr_ku_xku_change is changed
- csr_ku_xku_change_2 is changed
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
register: csr_oldapi_cn
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
ansible.builtin.command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
register: csr_oldapi_modulus
- name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout
- name: "({{ select_crypto_backend }}) Validate invalid SAN (1/2)"
assert:
ansible.builtin.assert:
that:
- generate_csr_invalid_san is failed
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
command: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
ansible.builtin.command: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
register: csr_ocsp
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
assert:
ansible.builtin.assert:
that:
- "(csr_ocsp.stdout is search('\\s+TLS Feature:\\s*\\n\\s+status_request\\s+')) or
(csr_ocsp.stdout is search('\\s+1.3.6.1.5.5.7.1.24:\\s*\\n\\s+0\\.\\.\\.\\.\\s+'))"
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert idempotency)"
assert:
ansible.builtin.assert:
that:
- csr_ocsp_idempotency is not changed
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
command: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
ansible.builtin.command: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
register: privatekey_ecc_key
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
register: csr_ecc_cn
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
command: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
ansible.builtin.command: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
register: csr_ecc_pubkey
- name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
register: csr3_cn
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr3_cn.stdout.split('=')[-1] == 'This is for Ansible'
- name: "({{ select_crypto_backend }}) Validate country name idempotency and validation"
assert:
ansible.builtin.assert:
that:
- country_idempotent_1 is changed
- country_idempotent_2 is not changed
@@ -128,13 +128,13 @@
- country_fail_4 is failed
- name: "({{ select_crypto_backend }}) Validate idempotency of privatekey_passphrase"
assert:
ansible.builtin.assert:
that:
- passphrase_1 is changed
- passphrase_1_content is not changed
- name: "({{ select_crypto_backend }}) Validate private key passphrase errors"
assert:
ansible.builtin.assert:
that:
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
@@ -144,12 +144,12 @@
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: "({{ select_crypto_backend }}) Verify that broken CSR will be regenerated"
assert:
ansible.builtin.assert:
that:
- output_broken is changed
- name: "({{ select_crypto_backend }}) Verify that subject key identifier handling works"
assert:
ansible.builtin.assert:
that:
- subject_key_identifier_1 is changed
- subject_key_identifier_2 is not changed
@@ -159,7 +159,7 @@
- subject_key_identifier_6 is changed
- name: "({{ select_crypto_backend }}) Verify that authority key identifier handling works"
assert:
ansible.builtin.assert:
that:
- authority_key_identifier_1 is changed
- authority_key_identifier_2 is not changed
@@ -167,7 +167,7 @@
- authority_key_identifier_4 is changed
- name: "({{ select_crypto_backend }}) Verify that authority cert issuer / serial number handling works"
assert:
ansible.builtin.assert:
that:
- authority_cert_issuer_sn_1 is changed
- authority_cert_issuer_sn_2 is not changed
@@ -176,7 +176,7 @@
- authority_cert_issuer_sn_5 is changed
- name: "({{ select_crypto_backend }}) Check backup"
assert:
ansible.builtin.assert:
that:
- csr_backup_1 is changed
- csr_backup_1.backup_file is undefined
@@ -191,7 +191,7 @@
- csr_backup_4.csr is none
- name: "({{ select_crypto_backend }}) Check CSR with everything"
assert:
ansible.builtin.assert:
that:
- everything_1 is changed
- everything_2 is not changed
@@ -262,7 +262,7 @@
- everything_info.name_constraints_critical == true
- name: "({{ select_crypto_backend }}) Check CSR with everything"
assert:
ansible.builtin.assert:
that:
- everything_info.authority_cert_issuer == [
"DNS:ca.example.org",
@@ -305,7 +305,7 @@
]
- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests"
assert:
ansible.builtin.assert:
that:
- generate_csr_ed25519_ed448 is succeeded
- generate_csr_ed25519_ed448.results[0] is changed
@@ -316,7 +316,7 @@
when: select_crypto_backend == 'cryptography' and generate_csr_ed25519_ed448_privatekey is not failed
- name: "({{ select_crypto_backend }}) Verify CRL distribution endpoints"
assert:
ansible.builtin.assert:
that:
- crl_distribution_endpoints_1 is changed
- crl_distribution_endpoints_2 is not changed


@@ -3,31 +3,31 @@
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- debug:
- ansible.builtin.debug:
msg: "Executing tests with backend {{ select_crypto_backend }}"
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_1.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Get CSR info (IDNA encoding)"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_1.csr'
name_encoding: idna
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_idna
- name: "({{ select_crypto_backend }}) Get CSR info (Unicode encoding)"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_1.csr'
name_encoding: unicode
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_unicode
- name: "({{ select_crypto_backend }}) Check whether subject and extensions behaves as expected"
assert:
ansible.builtin.assert:
that:
- result.subject.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
@@ -54,7 +54,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: "({{ select_crypto_backend }}) Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -70,18 +70,18 @@
- "IP:1.2.3.4"
- name: "({{ select_crypto_backend }}) Read CSR"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/csr_1.csr'
register: slurp
- name: "({{ select_crypto_backend }}) Get CSR info directly"
openssl_csr_info:
community.crypto.openssl_csr_info:
content: '{{ slurp.content | b64decode }}'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_direct
- name: "({{ select_crypto_backend }}) Compare output of direct and loaded info"
assert:
ansible.builtin.assert:
that:
- >-
(result | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
@@ -89,19 +89,19 @@
(result_direct | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_2.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_3.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -112,13 +112,13 @@
- "IP:1.2.3.4"
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_4.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none


@@ -9,24 +9,24 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -95,7 +95,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -104,7 +104,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -122,14 +122,14 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: "44:55:66:77"
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version is version('3.3', '>=')


@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate privatekey"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
@@ -18,7 +18,7 @@
register: generate_csr_check
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
@@ -26,7 +26,7 @@
register: generate_csr
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -35,7 +35,7 @@
register: generate_csr_idempotent
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -45,7 +45,7 @@
register: generate_csr_idempotent_check
- name: "({{ select_crypto_backend }}) Generate CSR (changed)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -54,7 +54,7 @@
register: generate_csr_changed
- name: "({{ select_crypto_backend }}) Generate CSR (changed, check mode)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -64,29 +64,29 @@
register: generate_csr_changed_check
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
ansible.builtin.command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
command: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
args:
stdin: "{{ generate_csr.csr }}"
register: csr_cn
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
command: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
ansible.builtin.command: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
args:
stdin: "{{ generate_csr.csr }}"
register: csr_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_modulus.stdout == privatekey_modulus.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (check mode, idempotency)"
assert:
ansible.builtin.assert:
that:
- generate_csr_check is changed
- generate_csr is changed


@@ -9,18 +9,18 @@
####################################################################
- name: Prepare private key for backend autodetection test
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography


@@ -6,7 +6,7 @@
# The tests for this module generate unsafe parameters for testing purposes;
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
- name: "[{{ select_crypto_backend }}] Generate parameter (check mode)"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -15,7 +15,7 @@
register: dhparam_check
- name: "[{{ select_crypto_backend }}] Generate parameter"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -23,7 +23,7 @@
register: dhparam
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change (check mode)"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -32,7 +32,7 @@
register: dhparam_changed_check
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -40,32 +40,32 @@
register: dhparam_changed
- name: "[{{ select_crypto_backend }}] Generate parameters with size option"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
select_crypto_backend: "{{ select_crypto_backend }}"
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with size option and no change"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_changed_512
- copy:
- ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/dh768.pem'
remote_src: true
dest: '{{ remote_tmp_dir }}/dh512.pem'
- name: "[{{ select_crypto_backend }}] Re-generate if size is different"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_changed_to_512
- name: "[{{ select_crypto_backend }}] Force re-generate parameters with size option"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
force: true
@@ -73,11 +73,11 @@
register: dhparam_changed_force
- name: "[{{ select_crypto_backend }}] Create broken params"
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/dhbroken.pem"
content: "broken"
- name: "[{{ select_crypto_backend }}] Regenerate broken params"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dhbroken.pem'
size: 512
force: true
@@ -85,21 +85,21 @@
register: output_broken
- name: "[{{ select_crypto_backend }}] Generate params"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
size: 512
backup: true
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_backup_1
- name: "[{{ select_crypto_backend }}] Generate params (idempotent)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
size: 512
backup: true
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_backup_2
- name: "[{{ select_crypto_backend }}] Generate params (change)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
size: 512
force: true
@@ -107,7 +107,7 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_backup_3
- name: "[{{ select_crypto_backend }}] Generate params (remove)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
state: absent
backup: true
@@ -115,7 +115,7 @@
return_content: true
register: dhparam_backup_4
- name: "[{{ select_crypto_backend }}] Generate params (remove, idempotent)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
state: absent
backup: true


@@ -12,35 +12,35 @@
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
- name: Run module with backend autodetection
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backend_selection.pem'
size: 512
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: openssl
# when: openssl_version is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography


@@ -4,31 +4,31 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "[{{ select_crypto_backend }}] Validate generated params"
command: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check'
ansible.builtin.command: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check'
with_items:
- dh768
- dh512
- name: "[{{ select_crypto_backend }}] Get bit size of 768"
shell: '{{ openssl_binary }} dhparam -noout -in {{ remote_tmp_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
ansible.builtin.shell: '{{ openssl_binary }} dhparam -noout -in {{ remote_tmp_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
register: bit_size_dhparam
- name: "[{{ select_crypto_backend }}] Check bit size of default"
assert:
ansible.builtin.assert:
that:
- bit_size_dhparam.stdout == "768"
- name: "[{{ select_crypto_backend }}] Get bit size of 512"
shell: '{{ openssl_binary }} dhparam -noout -in {{ remote_tmp_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
ansible.builtin.shell: '{{ openssl_binary }} dhparam -noout -in {{ remote_tmp_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
register: bit_size_dhparam_512
- name: "[{{ select_crypto_backend }}] Check bit size of default"
assert:
ansible.builtin.assert:
that:
- bit_size_dhparam_512.stdout == "512"
- name: "[{{ select_crypto_backend }}] Check if changed works correctly"
assert:
ansible.builtin.assert:
that:
- dhparam_check is changed
- dhparam is changed
@@ -39,23 +39,23 @@
- dhparam_changed_force is changed
- name: "[{{ select_crypto_backend }}] Read result"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/dh768.pem'
register: slurp
- name: "[{{ select_crypto_backend }}] Make sure correct values are returned"
assert:
ansible.builtin.assert:
that:
- dhparam.dhparams == (slurp.content | b64decode)
- dhparam.dhparams == dhparam_changed.dhparams
- name: "[{{ select_crypto_backend }}] Verify that broken params will be regenerated"
assert:
ansible.builtin.assert:
that:
- output_broken is changed
- name: "[{{ select_crypto_backend }}] Check backup"
assert:
ansible.builtin.assert:
that:
- dhparam_backup_1 is changed
- dhparam_backup_1.backup_file is undefined


@@ -5,7 +5,7 @@
- block:
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (check mode)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -17,7 +17,7 @@
register: p12_standard_check
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -28,7 +28,7 @@
register: p12_standard
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (check mode)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -40,7 +40,7 @@
register: p12_standard_idempotency_check
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -51,7 +51,7 @@
register: p12_standard_idempotency
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (empty other_certificates)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -63,17 +63,17 @@
register: p12_standard_idempotency_no_certs
- name: "({{ select_crypto_backend }}) Read ansible_pkey1.pem"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
register: ansible_pkey_content
- name: "({{ select_crypto_backend }}) Read ansible1.crt"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/ansible1.crt'
register: ansible_crt_content
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (private key from file)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -84,18 +84,18 @@
register: p12_standard_idempotency_2
- name: "({{ select_crypto_backend }}) Read ansible.p12"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/ansible.p12'
register: ansible_p12_content
- name: "({{ select_crypto_backend }}) Validate PKCS#12"
assert:
ansible.builtin.assert:
that:
- p12_standard.pkcs12 == ansible_p12_content.content
- p12_standard_idempotency.pkcs12 == p12_standard.pkcs12
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -106,7 +106,7 @@
register: p12_force
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (force + change mode)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
@@ -118,7 +118,7 @@
register: p12_force_and_mode
- name: "({{ select_crypto_backend }}) Dump PKCS#12"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
src: '{{ remote_tmp_dir }}/ansible.p12'
path: '{{ remote_tmp_dir }}/ansible_parse.pem'
@@ -127,7 +127,7 @@
register: p12_dumped
- name: "({{ select_crypto_backend }}) Dump PKCS#12 file again, idempotency"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
src: '{{ remote_tmp_dir }}/ansible.p12'
path: '{{ remote_tmp_dir }}/ansible_parse.pem'
@@ -136,7 +136,7 @@
register: p12_dumped_idempotency
- name: "({{ select_crypto_backend }}) Dump PKCS#12, check mode"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
src: '{{ remote_tmp_dir }}/ansible.p12'
path: '{{ remote_tmp_dir }}/ansible_parse.pem'
@@ -146,7 +146,7 @@
register: p12_dumped_check_mode
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12'
friendly_name: abracadabra
@@ -160,7 +160,7 @@
register: p12_multiple_certs
- name: "({{ select_crypto_backend }}) Read ansible2.crt / ansible3.crt.crt"
slurp:
ansible.builtin.slurp:
src: "{{ item }}"
loop:
- "{{ remote_tmp_dir ~ '/ansible2.crt' }}"
@@ -168,7 +168,7 @@
register: ansible_other_content
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file with multiple certs and passphrase, again (idempotency)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_multi_certs.p12'
friendly_name: abracadabra
@@ -182,7 +182,7 @@
register: p12_multiple_certs_idempotency
- name: "({{ select_crypto_backend }}) Dump PKCS#12 with multiple certs and passphrase"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
src: '{{ remote_tmp_dir }}/ansible_multi_certs.p12'
path: '{{ remote_tmp_dir }}/ansible_parse_multi_certs.pem'
@@ -191,7 +191,7 @@
state: present
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 1)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_pw1.p12'
friendly_name: abracadabra
@@ -203,7 +203,7 @@
register: passphrase_error_1
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 2)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_pw2.p12'
friendly_name: abracadabra
@@ -215,7 +215,7 @@
register: passphrase_error_2
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (password fail 3)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_pw3.p12'
friendly_name: abracadabra
@@ -226,7 +226,7 @@
register: passphrase_error_3
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file, no privatekey"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_no_pkey.p12'
friendly_name: abracadabra
@@ -235,12 +235,12 @@
register: p12_no_pkey
- name: "({{ select_crypto_backend }}) Create broken PKCS#12"
copy:
ansible.builtin.copy:
dest: '{{ remote_tmp_dir }}/broken.p12'
content: broken
- name: "({{ select_crypto_backend }}) Regenerate broken PKCS#12"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/broken.p12'
friendly_name: abracadabra
@@ -252,7 +252,7 @@
register: output_broken
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_backup.p12'
friendly_name: abracadabra
@@ -263,7 +263,7 @@
register: p12_backup_1
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (idempotent)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_backup.p12'
friendly_name: abracadabra
@@ -274,7 +274,7 @@
register: p12_backup_2
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (change)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_backup.p12'
friendly_name: abra
@@ -286,7 +286,7 @@
register: p12_backup_3
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_backup.p12'
state: absent
@@ -295,7 +295,7 @@
register: p12_backup_4
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file (remove, idempotent)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_backup.p12'
state: absent
@@ -303,7 +303,7 @@
register: p12_backup_5
- name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_empty.p12'
friendly_name: abracadabra
@@ -315,7 +315,7 @@
- name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_empty.p12'
friendly_name: abracadabra
@@ -326,7 +326,7 @@
register: p12_empty_idem
- name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_empty.p12'
friendly_name: abracadabra
@@ -337,12 +337,12 @@
register: p12_empty_concat_idem
- name: "({{ select_crypto_backend }}) Read ansible23.crt"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/ansible23.crt' }}"
register: ansible_other_content_concat
- name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (idempotent, concatenated other certificates)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_empty.p12'
friendly_name: abracadabra
@@ -353,14 +353,14 @@
register: p12_empty_concat_content_idem
- name: "({{ select_crypto_backend }}) Generate 'empty' PKCS#12 file (parse)"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
src: '{{ remote_tmp_dir }}/ansible_empty.p12'
path: '{{ remote_tmp_dir }}/ansible_empty.pem'
action: parse
- name: "({{ select_crypto_backend }}) Generate PKCS#12 file passphrase and compatibility encryption"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
select_crypto_backend: '{{ select_crypto_backend }}'
path: '{{ remote_tmp_dir }}/ansible_compatibility2022.p12'
friendly_name: compat_fn
@@ -378,11 +378,11 @@
- select_crypto_backend == 'cryptography'
- cryptography_version is version('38.0.0', '>=')
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
always:
- name: "({{ select_crypto_backend }}) Delete PKCS#12 file"
openssl_pkcs12:
community.crypto.openssl_pkcs12:
state: absent
path: '{{ remote_tmp_dir }}/{{ item }}.p12'
loop:


@@ -10,26 +10,26 @@
- block:
- name: Generate private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem'
size: '{{ default_rsa_key_size_certificates }}'
loop: "{{ range(1, 4) | list }}"
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate CSRs
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem'
commonName: www{{ item }}.ansible.com
loop: "{{ range(1, 4) | list }}"
- name: Generate certificate
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/ansible{{ item }}.crt'
privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/ansible{{ item }}.csr'
@@ -37,7 +37,7 @@
loop: "{{ range(1, 4) | list }}"
- name: Read files
slurp:
ansible.builtin.slurp:
src: '{{ item }}'
loop:
- "{{ remote_tmp_dir ~ '/ansible2.crt' }}"
@@ -45,12 +45,12 @@
register: slurp
- name: Generate concatenated PEM file
copy:
ansible.builtin.copy:
dest: '{{ remote_tmp_dir }}/ansible23.crt'
content: '{{ slurp.results[0].content | b64decode }}{{ slurp.results[1].content | b64decode }}'
- name: Generate PKCS#12 file with backend autodetection
openssl_pkcs12:
community.crypto.openssl_pkcs12:
path: '{{ remote_tmp_dir }}/ansible.p12'
friendly_name: abracadabra
privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
@@ -58,12 +58,12 @@
state: present
- name: Delete result
file:
ansible.builtin.file:
path: '{{ remote_tmp_dir }}/ansible.p12'
state: absent
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography


@@ -4,19 +4,19 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: '({{ select_crypto_backend }}) Validate PKCS#12'
command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible.p12 -nodes -passin pass:''"
ansible.builtin.command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible.p12 -nodes -passin pass:''"
register: p12
- name: '({{ select_crypto_backend }}) Validate PKCS#12 with no private key'
command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
ansible.builtin.command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
register: p12_validate_no_pkey
- name: '({{ select_crypto_backend }}) Validate PKCS#12 with multiple certs'
shell: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'hunter3' | grep subject"
ansible.builtin.shell: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'hunter3' | grep subject"
register: p12_validate_multi_certs
- name: '({{ select_crypto_backend }}) Validate PKCS#12 (assert)'
assert:
ansible.builtin.assert:
that:
- p12_standard_check is changed
- p12_standard is changed
@@ -40,7 +40,7 @@
- "'www3.' in p12_validate_multi_certs.stdout"
- name: '({{ select_crypto_backend }}) Check passphrase on private key'
assert:
ansible.builtin.assert:
that:
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
@@ -50,12 +50,12 @@
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: '({{ select_crypto_backend }}) Verify that broken PKCS#12 will be regenerated'
assert:
ansible.builtin.assert:
that:
- output_broken is changed
- name: '({{ select_crypto_backend }}) Check backup'
assert:
ansible.builtin.assert:
that:
- p12_backup_1 is changed
- p12_backup_1.backup_file is undefined
@@ -70,7 +70,7 @@
- p12_backup_4.pkcs12 is none
- name: '({{ select_crypto_backend }}) Read files'
slurp:
ansible.builtin.slurp:
src: '{{ item }}'
loop:
- "{{ remote_tmp_dir ~ '/ansible_empty.pem' }}"
@@ -79,12 +79,12 @@
register: slurp
- name: '({{ select_crypto_backend }}) Load "empty" file'
set_fact:
ansible.builtin.set_fact:
empty_contents: "{{ slurp.results[0].content | b64decode }}"
empty_expected: "{{ (slurp.results[1].content | b64decode) ~ (slurp.results[2].content | b64decode) }}"
- name: '({{ select_crypto_backend }}) Check "empty" file'
assert:
ansible.builtin.assert:
that:
- p12_empty is changed
- p12_empty_idem is not changed
@@ -98,11 +98,11 @@
- cryptography_version is version('38.0.0', '>=')
block:
- name: '({{ select_crypto_backend }}) Validate PKCS#12 with compatibility2022 settings'
command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_compatibility2022.p12 -nodes -passin pass:'magicpassword'"
ansible.builtin.command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_compatibility2022.p12 -nodes -passin pass:'magicpassword'"
register: p12_validate_compatibility2022
- name: '({{ select_crypto_backend }}) Check PKCS#12 with compatibility2022 settings'
assert:
ansible.builtin.assert:
that:
- p12_compatibility2022 is changed
- >-


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate privatekey1 - standard (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
@@ -12,14 +12,14 @@
register: privatekey1_check
- name: "({{ select_crypto_backend }}) Generate privatekey1 - standard"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
register: privatekey1
- name: "({{ select_crypto_backend }}) Generate privatekey1 - standard (idempotence, check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
@@ -27,33 +27,33 @@
register: privatekey1_idempotence_check
- name: "({{ select_crypto_backend }}) Generate privatekey1 - standard (idempotence)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
return_content: true
register: privatekey1_idempotence
- name: "({{ select_crypto_backend }}) Generate privatekey2 - size 2048"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey2.pem'
size: 2048
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate privatekey3 - type DSA"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey3.pem'
type: DSA
size: 3072
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate privatekey4 - standard"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey4.pem'
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Delete privatekey4 - standard"
openssl_privatekey:
community.crypto.openssl_privatekey:
state: absent
path: '{{ remote_tmp_dir }}/privatekey4.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -61,14 +61,14 @@
register: privatekey4_delete
- name: "({{ select_crypto_backend }}) Delete privatekey4 - standard (idempotence)"
openssl_privatekey:
community.crypto.openssl_privatekey:
state: absent
path: '{{ remote_tmp_dir }}/privatekey4.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey4_delete_idempotence
- name: "({{ select_crypto_backend }}) Generate privatekey5 - standard - with passphrase"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey5.pem'
passphrase: ansible
cipher: auto
@@ -76,7 +76,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate privatekey5 - standard - idempotence"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey5.pem'
passphrase: ansible
cipher: auto
@@ -85,13 +85,13 @@
register: privatekey5_idempotence
- name: "({{ select_crypto_backend }}) Generate privatekey6 - standard - with non-ASCII passphrase"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey6.pem'
passphrase: ànsïblé
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
- set_fact:
- ansible.builtin.set_fact:
ecc_types:
- curve: secp384r1
openssl_name: secp384r1
@@ -152,7 +152,7 @@
min_cryptography_version: "0.5"
- name: "({{ select_crypto_backend }}) Test ECC key generation"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey-{{ item.curve }}.pem'
type: ECC
curve: "{{ item.curve }}"
@@ -166,7 +166,7 @@
register: privatekey_ecc_generate
- name: "({{ select_crypto_backend }}) Test ECC key generation (idempotency)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey-{{ item.curve }}.pem'
type: ECC
curve: "{{ item.curve }}"
@@ -181,7 +181,7 @@
- block:
- name: "({{ select_crypto_backend }}) Test other type generation"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem'
type: "{{ item.type }}"
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -193,7 +193,7 @@
register: privatekey_t1_generate
- name: "({{ select_crypto_backend }}) Test other type generation (idempotency)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem'
type: "{{ item.type }}"
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -217,7 +217,7 @@
min_version: '2.6'
- name: "({{ select_crypto_backend }}) Generate privatekey with passphrase"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
@@ -226,7 +226,7 @@
register: passphrase_1
- name: "({{ select_crypto_backend }}) Generate privatekey with passphrase (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: auto
@@ -236,7 +236,7 @@
register: passphrase_2
- name: "({{ select_crypto_backend }}) Regenerate privatekey without passphrase"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -244,7 +244,7 @@
register: passphrase_3
- name: "({{ select_crypto_backend }}) Regenerate privatekey without passphrase (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -252,7 +252,7 @@
register: passphrase_4
- name: "({{ select_crypto_backend }}) Regenerate privatekey with passphrase"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
@@ -261,18 +261,18 @@
register: passphrase_5
- name: "({{ select_crypto_backend }}) Create broken key"
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/broken"
content: "broken"
- name: "({{ select_crypto_backend }}) Regenerate broken key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/broken.pem'
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
register: output_broken
- name: "({{ select_crypto_backend }}) Remove module"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
@@ -282,7 +282,7 @@
register: remove_1
- name: "({{ select_crypto_backend }}) Remove module (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
cipher: auto
@@ -293,7 +293,7 @@
register: remove_2
- name: "({{ select_crypto_backend }}) Generate privatekey_mode (mode 0400)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
mode: '0400'
size: '{{ default_rsa_key_size }}'
@@ -301,7 +301,7 @@
register: privatekey_mode_1
- name: "({{ select_crypto_backend }}) Stat for privatekey_mode"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
register: privatekey_mode_1_stat
@@ -312,7 +312,7 @@
register: privatekey_mode_1_fileinfo
- name: "({{ select_crypto_backend }}) Generate privatekey_mode (mode 0400, idempotency)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
mode: '0400'
size: '{{ default_rsa_key_size }}'
@@ -320,7 +320,7 @@
register: privatekey_mode_2
- name: "({{ select_crypto_backend }}) Generate privatekey_mode (mode 0400, force)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
mode: '0400'
force: true
@@ -329,7 +329,7 @@
register: privatekey_mode_3
- name: "({{ select_crypto_backend }}) Stat for privatekey_mode"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
register: privatekey_mode_3_stat
@@ -340,7 +340,7 @@
- block:
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: auto
size: '{{ default_rsa_key_size }}'
@@ -348,7 +348,7 @@
register: privatekey_fmt_1_step_1
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: auto
size: '{{ default_rsa_key_size }}'
@@ -356,7 +356,7 @@
register: privatekey_fmt_1_step_2
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS1 format"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: pkcs1
size: '{{ default_rsa_key_size }}'
@@ -364,7 +364,7 @@
register: privatekey_fmt_1_step_3
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: pkcs8
size: '{{ default_rsa_key_size }}'
@@ -372,7 +372,7 @@
register: privatekey_fmt_1_step_4
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: pkcs8
size: '{{ default_rsa_key_size }}'
@@ -380,7 +380,7 @@
register: privatekey_fmt_1_step_5
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (ignore)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: auto_ignore
size: '{{ default_rsa_key_size }}'
@@ -388,7 +388,7 @@
register: privatekey_fmt_1_step_6
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format (no ignore)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: auto
size: '{{ default_rsa_key_size }}'
@@ -396,7 +396,7 @@
register: privatekey_fmt_1_step_7
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - raw format (fail)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: raw
size: '{{ default_rsa_key_size }}'
@@ -405,13 +405,13 @@
register: privatekey_fmt_1_step_8
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)"
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_9_before
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
format: pkcs8
format_mismatch: convert
@@ -420,7 +420,7 @@
register: privatekey_fmt_1_step_9
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - PKCS8 format (convert)"
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_fmt_1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: privatekey_fmt_1_step_9_after
@@ -429,7 +429,7 @@
- block:
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - PKCS8 format"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
type: X448
format: pkcs8
@@ -438,7 +438,7 @@
register: privatekey_fmt_2_step_1
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - PKCS8 format (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
type: X448
format: pkcs8
@@ -447,7 +447,7 @@
register: privatekey_fmt_2_step_2
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - raw format"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
type: X448
format: raw
@@ -457,19 +457,19 @@
register: privatekey_fmt_2_step_3
- name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem"
ignore_errors: true
register: content
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded"
assert:
ansible.builtin.assert:
that:
- privatekey_fmt_2_step_3.privatekey == content.content
when: privatekey_fmt_2_step_1 is not failed
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - raw format (idempotent)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
type: X448
format: raw
@@ -479,19 +479,19 @@
register: privatekey_fmt_2_step_4
- name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem"
ignore_errors: true
register: content
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded"
assert:
ansible.builtin.assert:
that:
- privatekey_fmt_2_step_4.privatekey == content.content
when: privatekey_fmt_2_step_1 is not failed
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - auto format (ignore)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
type: X448
format: auto_ignore
@@ -501,19 +501,19 @@
register: privatekey_fmt_2_step_5
- name: "({{ select_crypto_backend }}) Read privatekey_fmt_2.pem"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/privatekey_fmt_2.pem"
ignore_errors: true
register: content
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is base64 encoded"
assert:
ansible.builtin.assert:
that:
- privatekey_fmt_2_step_5.privatekey == content.content
when: privatekey_fmt_2_step_1 is not failed
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - auto format (no ignore)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
type: X448
format: auto
@@ -523,13 +523,13 @@
register: privatekey_fmt_2_step_6
- name: "({{ select_crypto_backend }}) Read private key"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekey_fmt_2.pem'
register: slurp
when: privatekey_fmt_2_step_1 is not failed
- name: "({{ select_crypto_backend }}) Generate privatekey_fmt_2 - verify that returned content is not base64 encoded"
assert:
ansible.builtin.assert:
that:
- privatekey_fmt_2_step_6.privatekey == (slurp.content | b64decode)
when: privatekey_fmt_2_step_1 is not failed
@@ -540,14 +540,14 @@
# Test regenerate option
- name: "({{ select_crypto_backend }}) Regenerate - setup simple keys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
- name: "({{ select_crypto_backend }}) Regenerate - setup password protected keys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -556,14 +556,14 @@
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
- name: "({{ select_crypto_backend }}) Regenerate - setup broken keys"
copy:
ansible.builtin.copy:
dest: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}.pem'
content: 'broken key'
mode: '0700'
loop: "{{ regenerate_values }}"
- name: "({{ select_crypto_backend }}) Regenerate - modify broken keys (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -573,7 +573,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg or 'Cannot load raw key' in result.results[0].msg"
@@ -585,7 +585,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - modify broken keys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -594,7 +594,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg or 'Cannot load raw key' in result.results[0].msg"
@@ -606,7 +606,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - modify password protected keys (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -616,7 +616,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -628,7 +628,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - modify password protected keys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -637,7 +637,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a another passphrase / no passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -649,7 +649,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - not modify regular keys (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -658,7 +658,7 @@
check_mode: true
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
@@ -667,7 +667,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - not modify regular keys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
@@ -675,7 +675,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
@@ -684,7 +684,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - adjust key size (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size + 20 }}'
@@ -694,7 +694,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -704,7 +704,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - adjust key size"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: RSA
size: '{{ default_rsa_key_size + 20 }}'
@@ -713,7 +713,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -723,7 +723,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always.pem'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
remote_src: true
@@ -731,7 +731,7 @@
when: "item != 'always'"
- name: "({{ select_crypto_backend }}) Regenerate - adjust key type (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: '{{ default_rsa_key_size }}'
@@ -741,7 +741,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -751,7 +751,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - adjust key type"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: '{{ default_rsa_key_size }}'
@@ -760,7 +760,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -771,7 +771,7 @@
- block:
- name: "({{ select_crypto_backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always.pem'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
remote_src: true
@@ -779,7 +779,7 @@
when: "item != 'always'"
- name: "({{ select_crypto_backend }}) Regenerate - format mismatch (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: '{{ default_rsa_key_size }}'
@@ -790,7 +790,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -800,7 +800,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - format mismatch"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: '{{ default_rsa_key_size }}'
@@ -810,7 +810,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -820,7 +820,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always.pem'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
remote_src: true
@@ -828,7 +828,7 @@
when: "item != 'always'"
- name: "({{ select_crypto_backend }}) Regenerate - convert format (check mode)"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: '{{ default_rsa_key_size }}'
@@ -839,7 +839,7 @@
check_mode: true
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is changed
- result.results[1] is changed
@@ -848,7 +848,7 @@
- result.results[4] is changed
- name: "({{ select_crypto_backend }}) Regenerate - convert format"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}.pem'
type: DSA
size: '{{ default_rsa_key_size }}'
@@ -858,7 +858,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is changed
- result.results[1] is changed


@@ -9,11 +9,11 @@
####################################################################
- name: Find out which elliptic curves are supported by installed OpenSSL
command: "{{ openssl_binary }} ecparam -list_curves"
ansible.builtin.command: "{{ openssl_binary }} ecparam -list_curves"
register: openssl_ecc
- name: Compile list of elliptic curves supported by OpenSSL
set_fact:
ansible.builtin.set_fact:
openssl_ecc_list: |
{{
openssl_ecc.stdout_lines
@@ -25,7 +25,7 @@
when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6'
# CentOS comes with a very old jinja2 which does not include the map() filter...
- name: Compile list of elliptic curves supported by OpenSSL (CentOS 6)
set_fact:
ansible.builtin.set_fact:
openssl_ecc_list:
- secp384r1
- secp521r1
@@ -33,20 +33,20 @@
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- name: List of elliptic curves supported by OpenSSL
debug: var=openssl_ecc_list
ansible.builtin.debug: var=openssl_ecc_list
- name: Run module with backend autodetection
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography
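Review bot: On the new side of the `@@ -33,20 +33,20 @@` hunk, `ansible.builtin.debug: var=openssl_ecc_list` keeps the key=value free-form argument style while every other task in this section passes module arguments as block YAML (the `ansible.builtin.set_fact:` tasks with nested keys). Since the commit already rewrites this line for the FQCN, it is the natural place to switch it to `ansible.builtin.debug:` followed by `  var: openssl_ecc_list`, which also avoids a likely hit from ansible-lint's no-free-form rule in a later cleanup pass. The `- block:` that starts at the end of this hunk continues outside it.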


@@ -3,16 +3,16 @@
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- set_fact:
- ansible.builtin.set_fact:
system_potentially_has_no_algorithm_support: "{{ ansible_os_family == 'FreeBSD' }}"
- name: "({{ select_crypto_backend }}) Read private key"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekey1.pem'
register: slurp
- name: "({{ select_crypto_backend }}) Validate privatekey1 idempotency and content returned"
assert:
ansible.builtin.assert:
that:
- privatekey1_check is changed
- privatekey1 is changed
@@ -23,47 +23,47 @@
- name: "({{ select_crypto_backend }}) Validate privatekey1 (test - RSA key with size 4096 bits)"
shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
ansible.builtin.shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey1
- name: "({{ select_crypto_backend }}) Validate privatekey1 (assert - RSA key with size 4096 bits)"
assert:
ansible.builtin.assert:
that:
- privatekey1.stdout == '4096'
- name: "({{ select_crypto_backend }}) Validate privatekey2 (test - RSA key with size 2048 bits)"
shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
ansible.builtin.shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey2
- name: "({{ select_crypto_backend }}) Validate privatekey2 (assert - RSA key with size 2048 bits)"
assert:
ansible.builtin.assert:
that:
- privatekey2.stdout == '2048'
- name: "({{ select_crypto_backend }}) Validate privatekey3 (test - DSA key with size 3072 bits)"
shell: "{{ openssl_binary }} dsa -noout -text -in {{ remote_tmp_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
ansible.builtin.shell: "{{ openssl_binary }} dsa -noout -text -in {{ remote_tmp_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey3
- name: Validate privatekey3 (assert - DSA key with size 3072 bits)
assert:
ansible.builtin.assert:
that:
- privatekey3.stdout == '3072'
- name: "({{ select_crypto_backend }}) Validate privatekey4 (test - Ensure key has been removed)"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/privatekey4.pem'
register: privatekey4
- name: "({{ select_crypto_backend }}) Validate privatekey4 (assert - Ensure key has been removed)"
assert:
ansible.builtin.assert:
that:
- privatekey4.stat.exists == False
- name: "({{ select_crypto_backend }}) Validate privatekey4 removal behavior"
assert:
ansible.builtin.assert:
that:
- privatekey4_delete is changed
- privatekey4_delete.privatekey is none
@@ -71,37 +71,37 @@
- name: "({{ select_crypto_backend }}) Validate privatekey5 (test - Passphrase protected key + idempotence)"
shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
ansible.builtin.shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey5
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned successfully.
when: openssl_version is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate privatekey5 (assert - Passphrase protected key + idempotence)"
assert:
ansible.builtin.assert:
that:
- privatekey5.stdout == (default_rsa_key_size | string)
when: openssl_version is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate privatekey5 idempotence (assert - Passphrase protected key + idempotence)"
assert:
ansible.builtin.assert:
that:
- privatekey5_idempotence is not changed
- name: "({{ select_crypto_backend }}) Validate privatekey6 (test - Passphrase protected key with non ascii character)"
shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
ansible.builtin.shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey6
when: openssl_version is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate privatekey6 (assert - Passphrase protected key with non ascii character)"
assert:
ansible.builtin.assert:
that:
- privatekey6.stdout == (default_rsa_key_size | string)
when: openssl_version is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate ECC generation (dump with OpenSSL)"
shell: "{{ openssl_binary }} ec -in {{ remote_tmp_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
ansible.builtin.shell: "{{ openssl_binary }} ec -in {{ remote_tmp_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
loop: "{{ privatekey_ecc_generate.results }}"
register: privatekey_ecc_dump
when: openssl_version is version('0.9.8zh', '>=') and 'skip_reason' not in item
@@ -109,7 +109,7 @@
label: "{{ item.item.curve }}"
- name: "({{ select_crypto_backend }}) Validate ECC generation"
assert:
ansible.builtin.assert:
that:
- item is changed
loop: "{{ privatekey_ecc_generate.results }}"
@@ -118,7 +118,7 @@
label: "{{ item.item.curve }}"
- name: "({{ select_crypto_backend }}) Validate ECC generation (curve type)"
assert:
ansible.builtin.assert:
that:
- "'skip_reason' in item or item.item.item.openssl_name == item.stdout"
loop: "{{ privatekey_ecc_dump.results }}"
@@ -127,7 +127,7 @@
label: "{{ item.item.item }} - {{ item.stdout if 'stdout' in item else '<unsupported>' }}"
- name: "({{ select_crypto_backend }}) Validate ECC generation idempotency"
assert:
ansible.builtin.assert:
that:
- item is not changed
loop: "{{ privatekey_ecc_idempotency.results }}"
@@ -136,7 +136,7 @@
label: "{{ item.item.curve }}"
- name: "({{ select_crypto_backend }}) Validate other type generation (just check changed)"
assert:
ansible.builtin.assert:
that:
- (item is succeeded and item is changed) or
(item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support)
@@ -146,7 +146,7 @@
label: "{{ item.item.type }}"
- name: "({{ select_crypto_backend }}) Validate other type generation idempotency"
assert:
ansible.builtin.assert:
that:
- (item is succeeded and item is not changed) or
(item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support)
@@ -156,7 +156,7 @@
label: "{{ item.item.type }}"
- name: "({{ select_crypto_backend }}) Validate passphrase changing"
assert:
ansible.builtin.assert:
that:
- passphrase_1 is changed
- passphrase_2 is not changed
@@ -170,12 +170,12 @@
- passphrase_5.backup_file is string
- name: "({{ select_crypto_backend }}) Verify that broken key will be regenerated"
assert:
ansible.builtin.assert:
that:
- output_broken is changed
- name: "({{ select_crypto_backend }}) Validate remove"
assert:
ansible.builtin.assert:
that:
- remove_1 is changed
- remove_2 is not changed
@@ -183,7 +183,7 @@
- remove_2.backup_file is undefined
- name: "({{ select_crypto_backend }}) Validate mode"
assert:
ansible.builtin.assert:
that:
- privatekey_mode_1 is changed
- privatekey_mode_1_stat.stat.mode == '0400'
@@ -193,7 +193,7 @@
- privatekey_mode_3_file_change is changed
- name: "({{ select_crypto_backend }}) Validate format 1"
assert:
ansible.builtin.assert:
that:
- privatekey_fmt_1_step_1 is changed
- privatekey_fmt_1_step_2 is not changed
@@ -208,7 +208,7 @@
when: 'select_crypto_backend == "cryptography"'
- name: "({{ select_crypto_backend }}) Validate format 2 (failed)"
assert:
ansible.builtin.assert:
that:
- system_potentially_has_no_algorithm_support
- privatekey_fmt_2_step_1 is failed
@@ -216,7 +216,7 @@
when: 'select_crypto_backend == "cryptography" and privatekey_fmt_2_step_1 is failed'
- name: "({{ select_crypto_backend }}) Validate format 2"
assert:
ansible.builtin.assert:
that:
- privatekey_fmt_2_step_1 is succeeded and privatekey_fmt_2_step_1 is changed
- privatekey_fmt_2_step_2 is succeeded and privatekey_fmt_2_step_2 is not changed
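Review bot: In the `@@ -23,47 +23,47 @@` hunk, the assertion `- privatekey4.stat.exists == False` under "Validate privatekey4 (assert - Ensure key has been removed)" compares against a literal boolean; the idiomatic Jinja form is `- not privatekey4.stat.exists`, and ansible-lint's literal-compare rule likely flags the current one, so it is worth folding in while this file is being lint-cleaned. Separately, the `ansible.builtin.shell` tasks in the same hunk splice `{{ openssl_binary }}` and `{{ remote_tmp_dir }}` unquoted into a pipeline and pass fixture passphrases via `-passin pass:…`; that is acceptable for test-controlled values, but a one-line comment such as `# openssl_binary/remote_tmp_dir and the passphrases are test fixtures; do not reuse this pattern with untrusted values` would keep the pattern from being copied into production playbooks.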


@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Convert (check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -15,7 +15,7 @@
check_mode: true
- name: Convert
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -24,7 +24,7 @@
# select_crypto_backend: '{{ select_crypto_backend }}'
register: convert
- assert:
- ansible.builtin.assert:
that:
- convert_check is changed
- convert is changed
@@ -36,7 +36,7 @@
register: convert_file_info_data
- name: Convert (idempotent, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -47,7 +47,7 @@
check_mode: true
- name: Convert (idempotent)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -61,14 +61,14 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_idem_check is not changed
- convert_idem is not changed
- convert_file_info is not changed
- name: Convert (change format, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -79,7 +79,7 @@
check_mode: true
- name: Convert (change format)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -93,7 +93,7 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_not_idem_check is changed
- convert_not_idem is changed
@@ -106,7 +106,7 @@
register: convert_file_info_data
- name: Convert (idempotent, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -117,7 +117,7 @@
check_mode: true
- name: Convert (idempotent)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -131,14 +131,14 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_idem_check is not changed
- convert_idem is not changed
- convert_file_info is not changed
- name: Convert (change password, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -149,7 +149,7 @@
check_mode: true
- name: Convert (change password)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -163,7 +163,7 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_not_idem_check is changed
- convert_not_idem is changed
@@ -176,7 +176,7 @@
register: convert_file_info_data
- name: Convert (idempotent, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -187,7 +187,7 @@
check_mode: true
- name: Convert (idempotent)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -201,14 +201,14 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_idem_check is not changed
- convert_idem is not changed
- convert_file_info is not changed
- name: Convert (remove password, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -218,7 +218,7 @@
check_mode: true
- name: Convert (remove password)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -231,7 +231,7 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_not_idem_check is changed
- convert_not_idem is changed
@@ -244,7 +244,7 @@
register: convert_file_info_data
- name: Convert (idempotent, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -254,7 +254,7 @@
check_mode: true
- name: Convert (idempotent)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_1.pem'
@@ -267,7 +267,7 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_idem_check is not changed
- convert_idem is not changed
@@ -276,7 +276,7 @@
- when: supports_ed25519 | bool
block:
- name: Convert (change format to raw, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_ed25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_2.pem'
format: raw
@@ -285,14 +285,14 @@
check_mode: true
- name: Convert (change format to raw)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_ed25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_2.pem'
format: raw
# select_crypto_backend: '{{ select_crypto_backend }}'
register: convert_not_idem
- assert:
- ansible.builtin.assert:
that:
- convert_not_idem_check is changed
- convert_not_idem is changed
@@ -304,7 +304,7 @@
register: convert_file_info_data
- name: Convert (idempotent, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_ed25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_2.pem'
format: raw
@@ -313,7 +313,7 @@
check_mode: true
- name: Convert (idempotent)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_ed25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_2.pem'
format: raw
@@ -325,14 +325,14 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_idem_check is not changed
- convert_idem is not changed
- convert_file_info is not changed
- name: Convert (change format to raw, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_3.pem'
format: raw
@@ -341,14 +341,14 @@
check_mode: true
- name: Convert (change format to raw)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_3.pem'
format: raw
# select_crypto_backend: '{{ select_crypto_backend }}'
register: convert_not_idem
- assert:
- ansible.builtin.assert:
that:
- convert_not_idem_check is changed
- convert_not_idem is changed
@@ -360,7 +360,7 @@
register: convert_file_info_data
- name: Convert (idempotent, check mode)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_3.pem'
format: raw
@@ -369,7 +369,7 @@
check_mode: true
- name: Convert (idempotent)
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
dest_path: '{{ remote_tmp_dir }}/output_3.pem'
format: raw
@@ -381,7 +381,7 @@
state: '{{ convert_file_info_data }}'
register: convert_file_info
- assert:
- ansible.builtin.assert:
that:
- convert_idem_check is not changed
- convert_idem is not changed


@@ -9,7 +9,7 @@
####################################################################
- name: Determine capabilities
set_fact:
ansible.builtin.set_fact:
supports_ed25519: >-
{{
not (
@@ -20,7 +20,7 @@
}}
- name: Create keys
openssl_privatekey:
community.crypto.openssl_privatekey:
size: '{{ item.size | default(omit) }}'
path: '{{ remote_tmp_dir }}/privatekey_{{ item.name }}.pem'
type: '{{ item.type | default(omit) }}'
@@ -45,7 +45,7 @@
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_privatekey_convert:
community.crypto.openssl_privatekey_convert:
src_path: '{{ remote_tmp_dir }}/privatekey_rsa_pass1.pem'
src_passphrase: secret
dest_path: '{{ remote_tmp_dir }}/output_backend_selection.pem'
@@ -54,7 +54,7 @@
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography


@@ -3,17 +3,17 @@
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- debug:
- ansible.builtin.debug:
msg: "Executing tests with backend {{ select_crypto_backend }}"
- name: ({{select_crypto_backend}}) Get key 1 info
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 1 info
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -24,34 +24,34 @@
- "result.public_data.exponent > 5"
- "'private_data' not in result"
- name: ({{select_crypto_backend}}) Read private key
slurp:
- name: ({{ select_crypto_backend }}) Read private key
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekey_1.pem'
register: slurp
- name: ({{select_crypto_backend}}) Get key 1 info directly
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 1 info directly
community.crypto.openssl_privatekey_info:
content: '{{ slurp.content | b64decode }}'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_direct
- name: ({{select_crypto_backend}}) Compare output of direct and loaded info
assert:
- name: ({{ select_crypto_backend }}) Compare output of direct and loaded info
ansible.builtin.assert:
that:
- >-
(result | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
==
(result_direct | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
- name: ({{select_crypto_backend}}) Get key 2 info
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 2 info
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -65,8 +65,8 @@
- "result.public_data.modulus == result.private_data.p * result.private_data.q"
- "result.private_data.exponent > 5"
- name: ({{select_crypto_backend}}) Get key 3 info (without passphrase)
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 3 info (without passphrase)
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -74,7 +74,7 @@
register: result
- name: Check that loading passphrase protected key without passphrase failed
assert:
ansible.builtin.assert:
that:
- result is failed
# Check that return values are there
@@ -90,8 +90,8 @@
- "'public_data' not in result"
- "'private_data' not in result"
- name: ({{select_crypto_backend}}) Get key 3 info (with passphrase)
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 3 info (with passphrase)
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
passphrase: hunter2
return_private_key_data: true
@@ -99,7 +99,7 @@
register: result
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -112,15 +112,15 @@
- "result.public_data.modulus == result.private_data.p * result.private_data.q"
- "result.private_data.exponent > 5"
- name: ({{select_crypto_backend}}) Get key 4 info
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 4 info
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -134,15 +134,15 @@
- "'private_data' in result"
- "result.private_data.multiplier > 1024"
- name: ({{select_crypto_backend}}) Get key 5 info
openssl_privatekey_info:
- name: ({{ select_crypto_backend }}) Get key 5 info
community.crypto.openssl_privatekey_info:
path: '{{ remote_tmp_dir }}/privatekey_5.pem'
return_private_key_data: true
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
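Review bot: After the jinja[spacing] fix, the task names `Check that RSA key info is ok` (three times), `Check that ECC key info is ok`, `Check that DSA key info is ok` and `Check that loading passphrase protected key without passphrase failed` still lack the `({{ select_crypto_backend }})` prefix that every other task in this file carries on the new side, so when the file is included once per backend the assert output does not say which backend failed, and several tasks share an identical name. Prefixing them the same way, e.g. `- name: "({{ select_crypto_backend }}) Check that RSA key info is ok"`, keeps the naming consistent and makes failures attributable. The file's hunks are complete in this section, but the task list continues past the last hunk.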


@@ -9,24 +9,24 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (with password)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
select_crypto_backend: cryptography
- name: Generate privatekey 4 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
@@ -34,13 +34,13 @@
select_crypto_backend: cryptography
- name: Generate privatekey 5 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_5.pem'
type: DSA
size: 1024
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version is version('3.3', '>=')
