luks_device - make add/removal of keyfile/passphrase idempotent (#168)

* Update documentation, adjust tests, add changelog fragment. * Move module unit test to correct place. * Implement keyfile / passphrase test.
2026-05-06 13:22:58 +00:00 · 2021-01-03 11:22:41 +01:00
parent fb2f3ef2b5
commit ccb25eab36
6 changed files with 103 additions and 13 deletions
--- a/tests/integration/targets/luks_device/tasks/tests/key-management.yml
+++ b/tests/integration/targets/luks_device/tasks/tests/key-management.yml
@@ -44,6 +44,21 @@
    keyfile: "{{ role_path }}/files/keyfile1"
    new_keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
+  register: result_1
+
+- name: Give access to keyfile2 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: closed
+    keyfile: "{{ role_path }}/files/keyfile1"
+    new_keyfile: "{{ role_path }}/files/keyfile2"
+  become: yes
+  register: result_2
+
+- assert:
+    that:
+      - result_1 is changed
+      - result_2 is not changed

 # Access: keyfile1 and keyfile2

@@ -75,6 +90,21 @@
    keyfile: "{{ role_path }}/files/keyfile1"
    remove_keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
+  register: result_1
+
+- name: Remove access from keyfile1 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: closed
+    keyfile: "{{ role_path }}/files/keyfile1"
+    remove_keyfile: "{{ role_path }}/files/keyfile1"
+  become: yes
+  register: result_2
+
+- assert:
+    that:
+      - result_1 is changed
+      - result_2 is not changed

 # Access: keyfile2

--- a/tests/integration/targets/luks_device/tasks/tests/passphrase.yml
+++ b/tests/integration/targets/luks_device/tasks/tests/passphrase.yml
@@ -56,6 +56,21 @@
    passphrase: "{{ cryptfile_passphrase1 }}"
    new_passphrase: "{{ cryptfile_passphrase2 }}"
  become: yes
+  register: result_1
+
+- name: Give access to passphrase2 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: closed
+    passphrase: "{{ cryptfile_passphrase1 }}"
+    new_passphrase: "{{ cryptfile_passphrase2 }}"
+  become: yes
+  register: result_2
+
+- assert:
+    that:
+      - result_1 is changed
+      - result_2 is not changed

 - name: Open with passphrase2
  luks_device:
@@ -130,6 +145,20 @@
    state: closed
    remove_passphrase: "{{ cryptfile_passphrase1 }}"
  become: yes
+  register: result_1
+
+- name: Remove access for passphrase1 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: closed
+    remove_passphrase: "{{ cryptfile_passphrase1 }}"
+  become: yes
+  register: result_2
+
+- assert:
+    that:
+      - result_1 is changed
+      - result_2 is not changed

 - name: Try to open with passphrase1
  luks_device:
--- a/tests/unit/plugins/modules/crypto/init.py
+++ b/tests/unit/plugins/modules/crypto/init.py
--- a/tests/unit/plugins/modules/crypto/test_luks_device.py
+++ b/tests/unit/plugins/modules/crypto/test_luks_device.py
@@ -275,9 +275,12 @@ def test_luks_add_key(device, keyfile, passphrase, new_keyfile, new_passphrase,

    monkeypatch.setattr(luks_device.Handler, "get_device_by_label",
                        lambda x, y: [0, "/dev/dummy", ""])
+    monkeypatch.setattr(luks_device.CryptHandler, "luks_test_key",
+                        lambda x, y, z, w: False)

+    crypt = luks_device.CryptHandler(module)
    try:
-        conditions = luks_device.ConditionsHandler(module, module)
+        conditions = luks_device.ConditionsHandler(module, crypt)
        assert conditions.luks_add_key() == expected
    except ValueError:
        assert expected == "exception"
@@ -301,6 +304,8 @@ def test_luks_remove_key(device, remove_keyfile, remove_passphrase, state,
                        lambda x, y: [0, "/dev/dummy", ""])
    monkeypatch.setattr(luks_device.Handler, "_run_command",
                        lambda x, y: [0, device, ""])
+    monkeypatch.setattr(luks_device.CryptHandler, "luks_test_key",
+                        lambda x, y, z, w: True)

    crypt = luks_device.CryptHandler(module)
    try: