openssh_keypair - Adding backend option and refactoring backend code (#236)
* Refactoring openssh_keypair for multiple backends * Fixing cryptography backend validations * Simplifying conditionals and excess variable assignments * Fixing docs and adding cleanup for integration tests * Fixing docs and public key validation bugs in crypto backend * Enhancing cryptography utils to raise OpenSSHErrors when file not found * Adding missed copyright and cleanup for idempotency test keys * Fixing doc style * Re-adding crypto/openssh for backwards compatibility * Adding changelog fragment and final simplifications of conditional statements * Applied initial review suggestions
@@ -1,3 +1,4 @@
|
||||
dependencies:
|
||||
- setup_ssh_keygen
|
||||
- setup_openssl
|
||||
- setup_bcrypt
|
||||
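--- /dev/null
+++ b/tests/integration/targets/openssh_keypair/tasks/impl.yml
@@ -0,0 +1,557 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Ensures no conflicts from previous test runs
+- name: "({{ backend }}) Cleanup Output Directory"
+ansible.builtin.file:
+path: "{{ item }}"
+state: absent
+with_fileglob:
+- "{{ output_dir }}/privatekey*"
+- "{{ output_dir }}/regenerate*"
+
+- name: "({{ backend }}) Generate privatekey1 - standard (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey1'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey1_result_check
+check_mode: true
+
+- name: "({{ backend }}) Generate privatekey1 - standard"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey1'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey1_result
+
+- name: "({{ backend }}) Generate privatekey1 - standard (check mode idempotent)"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey1'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey1_idem_result_check
+check_mode: true
+
+- name: "({{ backend }}) Generate privatekey1 - standard (idempotent)"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey1'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey1_idem_result
+
+- name: "({{ backend }}) Generate privatekey2 - default size"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey2'
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Generate privatekey3 - type dsa"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey3'
+type: dsa
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Generate privatekey4 - standard"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey4'
+size: 2048
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Delete privatekey4 - standard"
+openssh_keypair:
+state: absent
+path: '{{ output_dir }}/privatekey4'
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Generate privatekey5 - standard"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey5'
+size: 2048
+backend: "{{ backend }}"
+register: publickey_gen
+
+- name: "({{ backend }}) Generate privatekey6"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey6'
+type: rsa
+size: 2048
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Regenerate privatekey6 via force"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey6'
+type: rsa
+size: 2048
+force: yes
+backend: "{{ backend }}"
+register: output_regenerated_via_force
+
+- name: "({{ backend }}) Create broken key"
+copy:
+dest: '{{ item }}'
+content: ''
+mode: '0700'
+loop:
+- '{{ output_dir }}/privatekeybroken'
+- '{{ output_dir }}/privatekeybroken.pub'
+
+- name: "({{ backend }}) Regenerate broken key - should fail"
+openssh_keypair:
+path: '{{ output_dir }}/privatekeybroken'
+type: rsa
+size: 2048
+backend: "{{ backend }}"
+register: output_broken
+ignore_errors: yes
+
+- name: "({{ backend }}) Regenerate broken key with force"
+openssh_keypair:
+path: '{{ output_dir }}/privatekeybroken'
+type: rsa
+force: yes
+size: 2048
+backend: "{{ backend }}"
+register: output_broken_force
+
+- name: "({{ backend }}) Generate read-only private key"
+openssh_keypair:
+path: '{{ output_dir }}/privatekeyreadonly'
+type: rsa
+mode: '0200'
+size: 2048
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Regenerate read-only private key via force"
+openssh_keypair:
+path: '{{ output_dir }}/privatekeyreadonly'
+type: rsa
+force: yes
+size: 2048
+backend: "{{ backend }}"
+register: output_read_only
+
+- name: "({{ backend }}) Generate privatekey7 - standard with comment"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey7'
+comment: 'test@privatekey7'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey7_result
+
+- name: "({{ backend }}) Modify privatekey7 comment"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey7'
+comment: 'test_modified@privatekey7'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey7_modified_result
+
+- name: "({{ backend }}) Generate password protected key"
+command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N {{ passphrase }}'
+
+- name: "({{ backend }}) Try to modify the password protected key - should fail"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey8'
+size: 2048
+backend: "{{ backend }}"
+register: privatekey8_result
+ignore_errors: yes
+
+- name: "({{ backend }}) Try to modify the password protected key with force=yes"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey8'
+force: yes
+size: 2048
+backend: "{{ backend }}"
+register: privatekey8_result_force
+
+- name: "({{ backend }}) Generate another password protected key"
+command: 'ssh-keygen -f {{ output_dir }}/privatekey9 -N {{ passphrase }}'
+
+- name: "({{ backend }}) Try to modify the password protected key with passphrase"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey9'
+size: 1024
+passphrase: "{{ passphrase }}"
+backend: "{{ backend }}"
+register: privatekey9_modified_result
+when: backend == 'cryptography'
+
+- name: "({{ backend }}) Generate another unprotected key"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey10'
+size: 2048
+backend: "{{ backend }}"
+
+- name: "({{ backend }}) Try to Modify unprotected key with passphrase"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey10'
+size: 2048
+passphrase: "{{ passphrase }}"
+backend: "{{ backend }}"
+ignore_errors: true
+register: privatekey10_result
+when: backend == 'cryptography'
+
+
+- name: "({{ backend }}) Try to force modify the password protected key with force=true"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey10'
+size: 2048
+passphrase: "{{ passphrase }}"
+force: true
+backend: "{{ backend }}"
+register: privatekey10_result_force
+when: backend == 'cryptography'
+
+- name: "({{ backend }}) Ensure that ssh-keygen can read keys generated with passphrase"
+command: 'ssh-keygen -yf {{ output_dir }}/privatekey10 -P {{ passphrase }}'
+register: privatekey10_result_sshkeygen
+when: backend == 'cryptography'
+
+- name: "({{ backend }}) Generate PEM encoded key with passphrase"
+command: 'ssh-keygen -f {{ output_dir }}/privatekey11 -N {{ passphrase }} -m PEM'
+when: backend == 'cryptography'
+
+- name: "({{ backend }}) Try to verify a PEM encoded key"
+openssh_keypair:
+path: '{{ output_dir }}/privatekey11'
+size: 2048
+passphrase: "{{ passphrase }}"
+backend: "{{ backend }}"
+register: privatekey11_result
+when: backend == 'cryptography'
+
+- import_tasks: ../tests/validate.yml
+
+
+# Test regenerate option
+
+- name: "({{ backend }}) Regenerate - setup simple keys"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: rsa
+size: 1024
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+- name: "({{ backend }}) Regenerate - setup password protected keys"
+command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
+loop: "{{ regenerate_values }}"
+
+- name: "({{ backend }}) Regenerate - setup broken keys"
+copy:
+dest: '{{ output_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
+content: 'broken key'
+mode: '0700'
+with_nested:
+- "{{ regenerate_values }}"
+- [ '', '.pub' ]
+-
+- name: "({{ backend }}) Regenerate - setup password protected keys for passphrse test"
+command: 'ssh-keygen -f {{ output_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
+loop: "{{ regenerate_values }}"
+
+- name: "({{ backend }}) Regenerate - modify broken keys (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-c-{{ item }}'
+type: rsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
+- result.results[1] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
+- result.results[2] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - modify broken keys"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-c-{{ item }}'
+type: rsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
+- result.results[1] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
+- result.results[2] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - modify password protected keys (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-b-{{ item }}'
+type: rsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
+- result.results[1] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
+- result.results[2] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - modify password protected keys with passphrase (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-b-{{ item }}'
+type: rsa
+size: 1024
+passphrase: "{{ passphrase }}"
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+when: backend == 'cryptography'
+
+- assert:
+that:
+- result.results[0] is success
+- result.results[1] is failed
+- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+- result.results[2] is changed
+- result.results[3] is changed
+- result.results[4] is changed
+when: backend == 'cryptography'
+
+- name: "({{ backend }}) Regenerate - modify password protected keys"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-b-{{ item }}'
+type: rsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
+- result.results[1] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
+- result.results[2] is failed
+- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - modify password protected keys with passphrase"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-d-{{ item }}'
+type: rsa
+size: 1024
+passphrase: "{{ passphrase }}"
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+when: backend == 'cryptography'
+
+- assert:
+that:
+- result.results[0] is success
+- result.results[1] is failed
+- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+- result.results[2] is changed
+- result.results[3] is changed
+- result.results[4] is changed
+when: backend == 'cryptography'
+
+- name: "({{ backend }}) Regenerate - not modify regular keys (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: rsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+register: result
+- assert:
+that:
+- result.results[0] is not changed
+- result.results[1] is not changed
+- result.results[2] is not changed
+- result.results[3] is not changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - not modify regular keys"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: rsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+register: result
+- assert:
+that:
+- result.results[0] is not changed
+- result.results[1] is not changed
+- result.results[2] is not changed
+- result.results[3] is not changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - adjust key size (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: rsa
+size: 1048
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is success and result.results[0] is not changed
+- result.results[1] is failed
+- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+- result.results[2] is changed
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - adjust key size"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: rsa
+size: 1048
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is success and result.results[0] is not changed
+- result.results[1] is failed
+- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+- result.results[2] is changed
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - redistribute keys"
+copy:
+src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
+dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
+remote_src: true
+with_nested:
+- "{{ regenerate_values }}"
+- [ '', '.pub' ]
+when: "item.0 != 'always'"
+
+- name: "({{ backend }}) Regenerate - adjust key type (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: dsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is success and result.results[0] is not changed
+- result.results[1] is failed
+- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+- result.results[2] is changed
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - adjust key type"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: dsa
+size: 1024
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result.results[0] is success and result.results[0] is not changed
+- result.results[1] is failed
+- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+- result.results[2] is changed
+- result.results[3] is changed
+- result.results[4] is changed
+
+- name: "({{ backend }}) Regenerate - redistribute keys"
+copy:
+src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
+dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
+remote_src: true
+with_nested:
+- "{{ regenerate_values }}"
+- [ '', '.pub' ]
+when: "item.0 != 'always'"
+
+- name: "({{ backend }}) Regenerate - adjust comment (check mode)"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: dsa
+size: 1024
+comment: test comment
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+check_mode: yes
+loop: "{{ regenerate_values }}"
+ignore_errors: yes
+register: result
+- assert:
+that:
+- result is changed
+
+- name: "({{ backend }}) Regenerate - adjust comment"
+openssh_keypair:
+path: '{{ output_dir }}/regenerate-a-{{ item }}'
+type: dsa
+size: 1024
+comment: test comment
+regenerate: '{{ item }}'
+backend: "{{ backend }}"
+loop: "{{ regenerate_values }}"
+register: result
+- assert:
+that:
+- result is changed
+# for all values but 'always', the key should have not been regenerated.
+# verify this by comparing fingerprints:
+- result.results[0].fingerprint == result.results[1].fingerprint
+- result.results[0].fingerprint == result.results[2].fingerprint
+- result.results[0].fingerprint == result.results[3].fingerprint
+- result.results[0].fingerprint != result.results[4].fingerprint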
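Review bot: The fixture `command` tasks pass the passphrase as an unquoted template argument, `command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N {{ passphrase }}'`, and the same pattern repeats for privatekey9, privatekey10 (`-P`), privatekey11 and the regenerate-b/regenerate-d setup tasks; because the `command` module splits its string into arguments, a passphrase value containing whitespace becomes several arguments and the fixture key is created with a different passphrase than the later `passphrase: "{{ passphrase }}"` tasks assume. Quoting the template inside the string, `command: "ssh-keygen -f {{ output_dir }}/privatekey8 -N '{{ passphrase }}'"`, keeps it a single argument (no shell is involved, so this is an argument-splitting issue rather than an injection one). The passphrase is also echoed in each of these tasks' registered result and play output, which is fine for a fixed test value but would warrant `no_log: true` if the variable ever came from a real secret. Separately, the task name `Regenerate - setup password protected keys for passphrse test` carries a typo (`passphrase`).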
@@ -4,509 +4,20 @@
|
||||
# and should not be used as examples of how to write Ansible roles #
|
||||
####################################################################
|
||||
|
||||
# Bumps up cryptography and bcrypt versions to be compatible with OpenSSH >= 7.8
|
||||
- import_tasks: ./setup_bcrypt.yml
|
||||
|
||||
- name: Generate privatekey1 - standard (check mode)
|
||||
- name: Backend auto-detection test
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey1'
|
||||
size: 2048
|
||||
register: privatekey1_result_check
|
||||
check_mode: true
|
||||
path: '{{ output_dir }}/auto_backend_key'
|
||||
state: "{{ item }}"
|
||||
loop: ['present', 'absent']
|
||||
|
||||
- name: Generate privatekey1 - standard
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey1'
|
||||
size: 2048
|
||||
register: privatekey1_result
|
||||
- set_fact:
|
||||
backends: ['opensshbin']
|
||||
|
||||
- name: Generate privatekey1 - standard (check mode idempotent)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey1'
|
||||
size: 2048
|
||||
register: privatekey1_idem_result_check
|
||||
check_mode: true
|
||||
|
||||
- name: Generate privatekey1 - standard (idempotent)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey1'
|
||||
size: 2048
|
||||
register: privatekey1_idem_result
|
||||
|
||||
- name: Generate privatekey2 - default size
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey2'
|
||||
|
||||
- name: Generate privatekey3 - type dsa
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey3'
|
||||
type: dsa
|
||||
|
||||
- name: Generate privatekey4 - standard
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey4'
|
||||
size: 2048
|
||||
|
||||
- name: Delete privatekey4 - standard
|
||||
openssh_keypair:
|
||||
state: absent
|
||||
path: '{{ output_dir }}/privatekey4'
|
||||
|
||||
- name: Generate privatekey5 - standard
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey5'
|
||||
size: 2048
|
||||
register: publickey_gen
|
||||
|
||||
- name: Generate privatekey6
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey6'
|
||||
type: rsa
|
||||
size: 2048
|
||||
|
||||
- name: Regenerate privatekey6 via force
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey6'
|
||||
type: rsa
|
||||
size: 2048
|
||||
force: yes
|
||||
register: output_regenerated_via_force
|
||||
|
||||
- name: Create broken key
|
||||
copy:
|
||||
dest: '{{ item }}'
|
||||
content: ''
|
||||
mode: '0700'
|
||||
loop:
|
||||
- '{{ output_dir }}/privatekeybroken'
|
||||
- '{{ output_dir }}/privatekeybroken.pub'
|
||||
|
||||
- name: Regenerate broken key - should fail
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeybroken'
|
||||
type: rsa
|
||||
size: 2048
|
||||
register: output_broken
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Regenerate broken key with force
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeybroken'
|
||||
type: rsa
|
||||
force: yes
|
||||
size: 2048
|
||||
register: output_broken_force
|
||||
|
||||
- name: Generate read-only private key
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeyreadonly'
|
||||
type: rsa
|
||||
mode: '0200'
|
||||
size: 2048
|
||||
|
||||
- name: Regenerate read-only private key via force
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeyreadonly'
|
||||
type: rsa
|
||||
force: yes
|
||||
size: 2048
|
||||
register: output_read_only
|
||||
|
||||
- name: Generate privatekey7 - standard with comment
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey7'
|
||||
comment: 'test@privatekey7'
|
||||
size: 2048
|
||||
register: privatekey7_result
|
||||
|
||||
- name: Modify privatekey7 comment
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey7'
|
||||
comment: 'test_modified@privatekey7'
|
||||
size: 2048
|
||||
register: privatekey7_modified_result
|
||||
|
||||
- name: Generate password protected key
|
||||
command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N {{ passphrase }}'
|
||||
|
||||
- name: Try to modify the password protected key - should fail
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey8'
|
||||
size: 2048
|
||||
register: privatekey8_result
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Try to modify the password protected key with force=yes
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey8'
|
||||
force: yes
|
||||
size: 2048
|
||||
register: privatekey8_result_force
|
||||
|
||||
- name: Generate another password protected key
|
||||
command: 'ssh-keygen -f {{ output_dir }}/privatekey9 -N {{ passphrase }}'
|
||||
|
||||
- name: Try to modify the password protected key with passphrase
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey9'
|
||||
size: 1024
|
||||
passphrase: "{{ passphrase }}"
|
||||
register: privatekey9_modified_result
|
||||
- set_fact:
|
||||
backends: "{{ backends + ['cryptography'] }}"
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- name: Generate another unprotected key
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey10'
|
||||
size: 2048
|
||||
|
||||
- name: Try to Modify unprotected key with passphrase
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey10'
|
||||
size: 2048
|
||||
passphrase: "{{ passphrase }}"
|
||||
ignore_errors: true
|
||||
register: privatekey10_result
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
|
||||
- name: Try to force modify the password protected key with force=true
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey10'
|
||||
size: 2048
|
||||
passphrase: "{{ passphrase }}"
|
||||
force: true
|
||||
register: privatekey10_result_force
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- name: Ensure that ssh-keygen can read keys generated with passphrase
|
||||
command: 'ssh-keygen -yf {{ output_dir }}/privatekey10 -P {{ passphrase }}'
|
||||
register: privatekey10_result_sshkeygen
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- name: Generate PEM encoded key with passphrase
|
||||
command: 'ssh-keygen -f {{ output_dir }}/privatekey11 -N {{ passphrase }} -m PEM'
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- name: Try to verify a PEM encoded key
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey11'
|
||||
size: 2048
|
||||
passphrase: "{{ passphrase }}"
|
||||
register: privatekey11_result
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- import_tasks: ../tests/validate.yml
|
||||
|
||||
|
||||
# Test regenerate option
|
||||
|
||||
- name: Regenerate - setup simple keys
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
loop: "{{ regenerate_values }}"
|
||||
- name: Regenerate - setup password protected keys
|
||||
command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
|
||||
- name: Regenerate - setup broken keys
|
||||
copy:
|
||||
dest: '{{ output_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
|
||||
content: 'broken key'
|
||||
mode: '0700'
|
||||
with_nested:
|
||||
- "{{ regenerate_values }}"
|
||||
- [ '', '.pub' ]
|
||||
-
|
||||
- name: Regenerate - setup password protected keys for passphrse test
|
||||
command: 'ssh-keygen -f {{ output_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
|
||||
- name: Regenerate - modify broken keys (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-c-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
|
||||
- result.results[1] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - modify broken keys
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-c-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
|
||||
- result.results[1] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - modify password protected keys (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-b-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
|
||||
- result.results[1] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - modify password protected keys with passphrase (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-b-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
passphrase: "{{ passphrase }}"
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is success
|
||||
- result.results[1] is failed
|
||||
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is changed
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- name: Regenerate - modify password protected keys
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-b-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
|
||||
- result.results[1] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - modify password protected keys with passphrase
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-d-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
passphrase: "{{ passphrase }}"
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is success
|
||||
- result.results[1] is failed
|
||||
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is changed
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
|
||||
- name: Regenerate - not modify regular keys (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is not changed
|
||||
- result.results[1] is not changed
|
||||
- result.results[2] is not changed
|
||||
- result.results[3] is not changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - not modify regular keys
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: rsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is not changed
|
||||
- result.results[1] is not changed
|
||||
- result.results[2] is not changed
|
||||
- result.results[3] is not changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - adjust key size (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: rsa
|
||||
size: 1048
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is success and result.results[0] is not changed
|
||||
- result.results[1] is failed
|
||||
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is changed
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - adjust key size
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: rsa
|
||||
size: 1048
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is success and result.results[0] is not changed
|
||||
- result.results[1] is failed
|
||||
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is changed
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - redistribute keys
|
||||
copy:
|
||||
src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
|
||||
dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
|
||||
remote_src: true
|
||||
with_nested:
|
||||
- "{{ regenerate_values }}"
|
||||
- [ '', '.pub' ]
|
||||
when: "item.0 != 'always'"
|
||||
|
||||
- name: Regenerate - adjust key type (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: dsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is success and result.results[0] is not changed
|
||||
- result.results[1] is failed
|
||||
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is changed
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - adjust key type
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: dsa
|
||||
size: 1024
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result.results[0] is success and result.results[0] is not changed
|
||||
- result.results[1] is failed
|
||||
- "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
|
||||
- result.results[2] is changed
|
||||
- result.results[3] is changed
|
||||
- result.results[4] is changed
|
||||
|
||||
- name: Regenerate - redistribute keys
|
||||
copy:
|
||||
src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
|
||||
dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
|
||||
remote_src: true
|
||||
with_nested:
|
||||
- "{{ regenerate_values }}"
|
||||
- [ '', '.pub' ]
|
||||
when: "item.0 != 'always'"
|
||||
|
||||
- name: Regenerate - adjust comment (check mode)
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: dsa
|
||||
size: 1024
|
||||
comment: test comment
|
||||
regenerate: '{{ item }}'
|
||||
check_mode: yes
|
||||
loop: "{{ regenerate_values }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Regenerate - adjust comment
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/regenerate-a-{{ item }}'
|
||||
type: dsa
|
||||
size: 1024
|
||||
comment: test comment
|
||||
regenerate: '{{ item }}'
|
||||
loop: "{{ regenerate_values }}"
|
||||
register: result
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
# for all values but 'always', the key should have not been regenerated.
|
||||
# verify this by comparing fingerprints:
|
||||
- result.results[0].fingerprint == result.results[1].fingerprint
|
||||
- result.results[0].fingerprint == result.results[2].fingerprint
|
||||
- result.results[0].fingerprint == result.results[3].fingerprint
|
||||
- result.results[0].fingerprint != result.results[4].fingerprint
|
||||
- include_tasks: ./impl.yml
|
||||
loop: "{{ backends }}"
|
||||
loop_control:
|
||||
loop_var: backend
|
||||
@@ -1,9 +1,9 @@
|
||||
---
|
||||
- name: Log privatekey1 return values
|
||||
- name: "({{ backend }}) Log privatekey1 return values"
|
||||
debug:
|
||||
var: privatekey1_result
|
||||
|
||||
- name: Validate general behavior
|
||||
- name: "({{ backend }}) Validate general behavior"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1_result_check is changed
|
||||
@@ -12,7 +12,7 @@
|
||||
- privatekey1_idem_result_check.public_key.startswith("ssh-rsa")
|
||||
- privatekey1_idem_result is not changed
|
||||
|
||||
- name: Validate privatekey1 return fingerprint
|
||||
- name: "({{ backend }}) Validate privatekey1 return fingerprint"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1_result["fingerprint"] is string
|
||||
@@ -20,150 +20,150 @@
|
||||
# only distro old enough that it still gives md5 with no prefix
|
||||
when: ansible_distribution != 'CentOS' and ansible_distribution_major_version != '6'
|
||||
|
||||
- name: Validate privatekey1 return public_key
|
||||
- name: "({{ backend }}) Validate privatekey1 return public_key"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1_result["public_key"] is string
|
||||
- privatekey1_result["public_key"].startswith("ssh-rsa ")
|
||||
|
||||
- name: Validate privatekey1 return size value
|
||||
- name: "({{ backend }}) Validate privatekey1 return size value"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1_result["size"]|type_debug == 'int'
|
||||
- privatekey1_result["size"] == 2048
|
||||
|
||||
- name: Validate privatekey1 return key type
|
||||
- name: "({{ backend }}) Validate privatekey1 return key type"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1_result["type"] is string
|
||||
- privatekey1_result["type"] == "rsa"
|
||||
|
||||
- name: Validate privatekey1 (test - RSA key with size 2048 bits)
|
||||
- name: "({{ backend }}) Validate privatekey1 (test - RSA key with size 2048 bits)"
|
||||
shell: "ssh-keygen -lf {{ output_dir }}/privatekey1 | grep -o -E '^[0-9]+'"
|
||||
register: privatekey1
|
||||
|
||||
- name: Validate privatekey1 (assert - RSA key with size 2048 bits)
|
||||
- name: "({{ backend }}) Validate privatekey1 (assert - RSA key with size 2048 bits)"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1.stdout == '2048'
|
||||
|
||||
- name: Validate privatekey1 idempotence
|
||||
- name: "({{ backend }}) Validate privatekey1 idempotence"
|
||||
assert:
|
||||
that:
|
||||
- privatekey1_idem_result is not changed
|
||||
|
||||
|
||||
- name: Validate privatekey2 (test - RSA key with default size 4096 bits)
|
||||
- name: "({{ backend }}) Validate privatekey2 (test - RSA key with default size 4096 bits)"
|
||||
shell: "ssh-keygen -lf {{ output_dir }}/privatekey2 | grep -o -E '^[0-9]+'"
|
||||
register: privatekey2
|
||||
|
||||
- name: Validate privatekey2 (assert - RSA key with size 4096 bits)
|
||||
- name: "({{ backend }}) Validate privatekey2 (assert - RSA key with size 4096 bits)"
|
||||
assert:
|
||||
that:
|
||||
- privatekey2.stdout == '4096'
|
||||
|
||||
|
||||
- name: Validate privatekey3 (test - DSA key with size 1024 bits)
|
||||
- name: "({{ backend }}) Validate privatekey3 (test - DSA key with size 1024 bits)"
|
||||
shell: "ssh-keygen -lf {{ output_dir }}/privatekey3 | grep -o -E '^[0-9]+'"
|
||||
register: privatekey3
|
||||
|
||||
- name: Validate privatekey3 (assert - DSA key with size 4096 bits)
|
||||
- name: "({{ backend }}) Validate privatekey3 (assert - DSA key with size 4096 bits)"
|
||||
assert:
|
||||
that:
|
||||
- privatekey3.stdout == '1024'
|
||||
|
||||
|
||||
- name: Validate privatekey4 (test - Ensure key has been removed)
|
||||
- name: "({{ backend }}) Validate privatekey4 (test - Ensure key has been removed)"
|
||||
stat:
|
||||
path: '{{ output_dir }}/privatekey4'
|
||||
register: privatekey4
|
||||
|
||||
- name: Validate privatekey4 (assert - Ensure key has been removed)
|
||||
- name: "({{ backend }}) Validate privatekey4 (assert - Ensure key has been removed)"
|
||||
assert:
|
||||
that:
|
||||
- privatekey4.stat.exists == False
|
||||
|
||||
|
||||
- name: Validate privatekey5 (assert - Public key module output equal to the public key on host)
|
||||
- name: "({{ backend }}) Validate privatekey5 (assert - Public key module output equal to the public key on host)"
|
||||
assert:
|
||||
that:
|
||||
- "publickey_gen.public_key == lookup('file', output_dir ~ '/privatekey5.pub').strip('\n')"
|
||||
|
||||
- name: Verify that privatekey6 will be regenerated via force
|
||||
- name: "({{ backend }}) Verify that privatekey6 will be regenerated via force"
|
||||
assert:
|
||||
that:
|
||||
- output_regenerated_via_force is changed
|
||||
|
||||
|
||||
- name: Verify that broken key will cause failure
|
||||
- name: "({{ backend }}) Verify that broken key will cause failure"
|
||||
assert:
|
||||
that:
|
||||
- output_broken is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken.' in output_broken.msg"
|
||||
|
||||
|
||||
- name: Verify that broken key will be regenerated if force=yes is specified
|
||||
- name: "({{ backend }}) Verify that broken key will be regenerated if force=yes is specified"
|
||||
assert:
|
||||
that:
|
||||
- output_broken_force is changed
|
||||
|
||||
|
||||
- name: Verify that read-only key will be regenerated
|
||||
- name: "({{ backend }}) Verify that read-only key will be regenerated"
|
||||
assert:
|
||||
that:
|
||||
- output_read_only is changed
|
||||
|
||||
|
||||
- name: Validate privatekey7 (assert - Public key remains the same after comment change)
|
||||
- name: "({{ backend }}) Validate privatekey7 (assert - Public key remains the same after comment change)"
|
||||
assert:
|
||||
that:
|
||||
- privatekey7_result.public_key == privatekey7_modified_result.public_key
|
||||
|
||||
- name: Validate privatekey7 comment on creation
|
||||
- name: "({{ backend }}) Validate privatekey7 comment on creation"
|
||||
assert:
|
||||
that:
|
||||
- privatekey7_result.comment == 'test@privatekey7'
|
||||
|
||||
- name: Validate privatekey7 comment update
|
||||
- name: "({{ backend }}) Validate privatekey7 comment update"
|
||||
assert:
|
||||
that:
|
||||
- privatekey7_modified_result.comment == 'test_modified@privatekey7'
|
||||
|
||||
- name: Check that password protected key made module fail
|
||||
- name: "({{ backend }}) Check that password protected key made module fail"
|
||||
assert:
|
||||
that:
|
||||
- privatekey8_result is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey8_result.msg"
|
||||
|
||||
- name: Check that password protected key was regenerated with force=yes
|
||||
- name: "({{ backend }}) Check that password protected key was regenerated with force=yes"
|
||||
assert:
|
||||
that:
|
||||
- privatekey8_result_force is changed
|
||||
|
||||
- block:
|
||||
- name: Check that password protected key with passphrase was regenerated
|
||||
- name: "({{ backend }}) Check that password protected key with passphrase was regenerated"
|
||||
assert:
|
||||
that:
|
||||
- privatekey9_modified_result is changed
|
||||
|
||||
- name: Check that modifying unprotected key with passphrase fails
|
||||
- name: "({{ backend }}) Check that modifying unprotected key with passphrase fails"
|
||||
assert:
|
||||
that:
|
||||
- privatekey10_result is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey8_result.msg"
|
||||
|
||||
- name: Check that unprotected key was regenerated with force=yes and passphrase supplied
|
||||
- name: "({{ backend }}) Check that unprotected key was regenerated with force=yes and passphrase supplied"
|
||||
assert:
|
||||
that:
|
||||
- privatekey10_result_force is changed
|
||||
|
||||
- name: Check that ssh-keygen output from passphrase protected key matches openssh_keypair
|
||||
- name: "({{ backend }}) Check that ssh-keygen output from passphrase protected key matches openssh_keypair"
|
||||
assert:
|
||||
that:
|
||||
- privatekey10_result_force.public_key == privatekey10_result_sshkeygen.stdout
|
||||
|
||||
- name: Check that PEM encoded private keys are loaded successfully
|
||||
- name: "({{ backend }}) Check that PEM encoded private keys are loaded successfully"
|
||||
assert:
|
||||
that:
|
||||
- privatekey11_result is success
|
||||
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
|
||||
when: backend == 'cryptography'
|
||||
|
||||
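Review bot: The assertion under "Check that modifying unprotected key with passphrase fails" inspects the wrong registered result: it checks `privatekey8_result.msg` while the task's subject is `privatekey10_result`, so the message check passes vacuously because privatekey8 already failed with that text; it should read `- "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey10_result.msg"`. That line is unchanged context in the last hunk, but it is the code under test after the refactor. Separately, the guard on the privatekey9–11 block was changed from the cryptography/bcrypt version test to `when: backend == 'cryptography'`; if the corresponding tasks in impl.yml are still version-guarded (as the regenerate tasks in this commit are), their registered results would be skip results on older library versions and these asserts would fail, so the two guards should be kept in agreement. Minor style point: `privatekey4.stat.exists == False` reads better as `not privatekey4.stat.exists`.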
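--- a/tests/integration/targets/setup_bcrypt/meta/main.yml
+++ b/tests/integration/targets/setup_bcrypt/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- setup_remote_constraints
+- setup_pkg_mgr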
@@ -21,4 +21,4 @@
|
||||
set_fact:
|
||||
bcrypt_version:
|
||||
stdout: 0.0
|
||||
when: bcrypt_version is not defined
|
||||
when: bcrypt_version is not defined
|
||||
@@ -13,8 +13,8 @@ from os import remove, rmdir
|
||||
from socket import gethostname
|
||||
from tempfile import mkdtemp
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography_openssh import (
|
||||
Asymmetric_Keypair,
|
||||
from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import (
|
||||
AsymmetricKeypair,
|
||||
HAS_OPENSSH_SUPPORT,
|
||||
InvalidCommentError,
|
||||
InvalidPrivateKeyFileError,
|
||||
@@ -22,7 +22,7 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptogra
|
||||
InvalidKeySizeError,
|
||||
InvalidKeyTypeError,
|
||||
InvalidPassphraseError,
|
||||
OpenSSH_Keypair
|
||||
OpensshKeypair
|
||||
)
|
||||
|
||||
DEFAULT_KEY_PARAMS = [
|
||||
@@ -147,9 +147,9 @@ def test_default_key_params(keytype, size, passphrase, comment):
|
||||
}
|
||||
|
||||
default_comment = "%s@%s" % (getuser(), gethostname())
|
||||
pair = OpenSSH_Keypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
pair = OpensshKeypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
try:
|
||||
pair = OpenSSH_Keypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
pair = OpensshKeypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
if pair.size != default_sizes[pair.key_type] or pair.comment != default_comment:
|
||||
result = False
|
||||
except Exception as e:
|
||||
@@ -165,7 +165,7 @@ def test_valid_user_key_params(keytype, size, passphrase, comment):
|
||||
result = True
|
||||
|
||||
try:
|
||||
pair = OpenSSH_Keypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
pair = OpensshKeypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
if pair.key_type != keytype or pair.size != size or pair.comment != comment:
|
||||
result = False
|
||||
except Exception as e:
|
||||
@@ -181,7 +181,7 @@ def test_invalid_user_key_params(keytype, size, passphrase, comment):
|
||||
result = False
|
||||
|
||||
try:
|
||||
OpenSSH_Keypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
OpensshKeypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
except (InvalidCommentError, InvalidKeyTypeError, InvalidPassphraseError):
|
||||
result = True
|
||||
except Exception as e:
|
||||
@@ -197,7 +197,7 @@ def test_invalid_key_sizes(keytype, size, passphrase, comment):
|
||||
result = False
|
||||
|
||||
try:
|
||||
OpenSSH_Keypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
OpensshKeypair.generate(keytype=keytype, size=size, passphrase=passphrase, comment=comment)
|
||||
except InvalidKeySizeError:
|
||||
result = True
|
||||
except Exception as e:
|
||||
@@ -210,7 +210,7 @@ def test_invalid_key_sizes(keytype, size, passphrase, comment):
|
||||
@pytest.mark.skipif(not HAS_OPENSSH_SUPPORT, reason="requires cryptography")
|
||||
def test_valid_comment_update():
|
||||
|
||||
pair = OpenSSH_Keypair.generate()
|
||||
pair = OpensshKeypair.generate()
|
||||
new_comment = "comment"
|
||||
try:
|
||||
pair.comment = new_comment
|
||||
@@ -225,7 +225,7 @@ def test_valid_comment_update():
|
||||
def test_invalid_comment_update():
|
||||
result = False
|
||||
|
||||
pair = OpenSSH_Keypair.generate()
|
||||
pair = OpensshKeypair.generate()
|
||||
new_comment = [1, 2, 3]
|
||||
try:
|
||||
pair.comment = new_comment
|
||||
@@ -245,7 +245,7 @@ def test_valid_passphrase_update():
|
||||
tmpdir = mkdtemp()
|
||||
keyfilename = os.path.join(tmpdir, "id_rsa")
|
||||
|
||||
pair1 = OpenSSH_Keypair.generate()
|
||||
pair1 = OpensshKeypair.generate()
|
||||
pair1.update_passphrase(passphrase)
|
||||
|
||||
with open(keyfilename, "w+b") as keyfile:
|
||||
@@ -254,7 +254,7 @@ def test_valid_passphrase_update():
|
||||
with open(keyfilename + '.pub', "w+b") as pubkeyfile:
|
||||
pubkeyfile.write(pair1.public_key)
|
||||
|
||||
pair2 = OpenSSH_Keypair.load(path=keyfilename, passphrase=passphrase)
|
||||
pair2 = OpensshKeypair.load(path=keyfilename, passphrase=passphrase)
|
||||
|
||||
if pair1 == pair2:
|
||||
result = True
|
||||
@@ -274,7 +274,7 @@ def test_invalid_passphrase_update():
|
||||
result = False
|
||||
|
||||
passphrase = [1, 2, 3]
|
||||
pair = OpenSSH_Keypair.generate()
|
||||
pair = OpensshKeypair.generate()
|
||||
try:
|
||||
pair.update_passphrase(passphrase)
|
||||
except InvalidPassphraseError:
|
||||
@@ -291,7 +291,7 @@ def test_invalid_privatekey():
|
||||
tmpdir = mkdtemp()
|
||||
keyfilename = os.path.join(tmpdir, "id_rsa")
|
||||
|
||||
pair = OpenSSH_Keypair.generate()
|
||||
pair = OpensshKeypair.generate()
|
||||
|
||||
with open(keyfilename, "w+b") as keyfile:
|
||||
keyfile.write(pair.private_key[1:])
|
||||
@@ -299,7 +299,7 @@ def test_invalid_privatekey():
|
||||
with open(keyfilename + '.pub', "w+b") as pubkeyfile:
|
||||
pubkeyfile.write(pair.public_key)
|
||||
|
||||
OpenSSH_Keypair.load(path=keyfilename)
|
||||
OpensshKeypair.load(path=keyfilename)
|
||||
except InvalidPrivateKeyFileError:
|
||||
result = True
|
||||
finally:
|
||||
@@ -321,8 +321,8 @@ def test_mismatched_keypair():
|
||||
tmpdir = mkdtemp()
|
||||
keyfilename = os.path.join(tmpdir, "id_rsa")
|
||||
|
||||
pair1 = OpenSSH_Keypair.generate()
|
||||
pair2 = OpenSSH_Keypair.generate()
|
||||
pair1 = OpensshKeypair.generate()
|
||||
pair2 = OpensshKeypair.generate()
|
||||
|
||||
with open(keyfilename, "w+b") as keyfile:
|
||||
keyfile.write(pair1.private_key)
|
||||
@@ -330,7 +330,7 @@ def test_mismatched_keypair():
|
||||
with open(keyfilename + '.pub', "w+b") as pubkeyfile:
|
||||
pubkeyfile.write(pair2.public_key)
|
||||
|
||||
OpenSSH_Keypair.load(path=keyfilename)
|
||||
OpensshKeypair.load(path=keyfilename)
|
||||
except InvalidPublicKeyFileError:
|
||||
result = True
|
||||
finally:
|
||||
@@ -346,24 +346,24 @@ def test_mismatched_keypair():
|
||||
|
||||
@pytest.mark.skipif(not HAS_OPENSSH_SUPPORT, reason="requires cryptography")
|
||||
def test_keypair_comparison():
|
||||
assert OpenSSH_Keypair.generate() != OpenSSH_Keypair.generate()
|
||||
assert OpenSSH_Keypair.generate() != OpenSSH_Keypair.generate(keytype='dsa')
|
||||
assert OpenSSH_Keypair.generate() != OpenSSH_Keypair.generate(keytype='ed25519')
|
||||
assert OpenSSH_Keypair.generate(keytype='ed25519') != OpenSSH_Keypair.generate(keytype='ed25519')
|
||||
assert OpensshKeypair.generate() != OpensshKeypair.generate()
|
||||
assert OpensshKeypair.generate() != OpensshKeypair.generate(keytype='dsa')
|
||||
assert OpensshKeypair.generate() != OpensshKeypair.generate(keytype='ed25519')
|
||||
assert OpensshKeypair.generate(keytype='ed25519') != OpensshKeypair.generate(keytype='ed25519')
|
||||
try:
|
||||
tmpdir = mkdtemp()
|
||||
|
||||
keys = {
|
||||
'rsa': {
|
||||
'pair': OpenSSH_Keypair.generate(),
|
||||
'pair': OpensshKeypair.generate(),
|
||||
'filename': os.path.join(tmpdir, "id_rsa"),
|
||||
},
|
||||
'dsa': {
|
||||
'pair': OpenSSH_Keypair.generate(keytype='dsa', passphrase='change_me'.encode('UTF-8')),
|
||||
'pair': OpensshKeypair.generate(keytype='dsa', passphrase='change_me'.encode('UTF-8')),
|
||||
'filename': os.path.join(tmpdir, "id_dsa"),
|
||||
},
|
||||
'ed25519': {
|
||||
'pair': OpenSSH_Keypair.generate(keytype='ed25519'),
|
||||
'pair': OpensshKeypair.generate(keytype='ed25519'),
|
||||
'filename': os.path.join(tmpdir, "id_ed25519"),
|
||||
}
|
||||
}
|
||||
@@ -374,9 +374,9 @@ def test_keypair_comparison():
|
||||
with open(v['filename'] + '.pub', "w+b") as pubkeyfile:
|
||||
pubkeyfile.write(v['pair'].public_key)
|
||||
|
||||
assert keys['rsa']['pair'] == OpenSSH_Keypair.load(path=keys['rsa']['filename'])
|
||||
assert keys['rsa']['pair'] == OpensshKeypair.load(path=keys['rsa']['filename'])
|
||||
|
||||
loaded_dsa_key = OpenSSH_Keypair.load(path=keys['dsa']['filename'], passphrase='change_me'.encode('UTF-8'))
|
||||
loaded_dsa_key = OpensshKeypair.load(path=keys['dsa']['filename'], passphrase='change_me'.encode('UTF-8'))
|
||||
assert keys['dsa']['pair'] == loaded_dsa_key
|
||||
|
||||
loaded_dsa_key.update_passphrase('change_me_again'.encode('UTF-8'))
|
||||
@@ -388,7 +388,7 @@ def test_keypair_comparison():
|
||||
loaded_dsa_key.comment = "comment"
|
||||
assert keys['dsa']['pair'] != loaded_dsa_key
|
||||
|
||||
assert keys['ed25519']['pair'] == OpenSSH_Keypair.load(path=keys['ed25519']['filename'])
|
||||
assert keys['ed25519']['pair'] == OpensshKeypair.load(path=keys['ed25519']['filename'])
|
||||
finally:
|
||||
for v in keys.values():
|
||||
if os.path.exists(v['filename']):
|
||||
@@ -397,4 +397,4 @@ def test_keypair_comparison():
|
||||
remove(v['filename'] + '.pub')
|
||||
if os.path.exists(tmpdir):
|
||||
rmdir(tmpdir)
|
||||
assert OpenSSH_Keypair.generate() != []
|
||||
assert OpensshKeypair.generate() != []
|
||||