Compare commits


17 Commits

Author SHA1 Message Date
Felix Fontein
5ca4ecb54b Release 2.26.3. 2025-06-14 16:44:49 +02:00
Felix Fontein
ea970a044f Stick to community.general 10.x.y for CI. 2025-06-13 06:11:49 +02:00
Felix Fontein
3e3318f059 acme_account: check for 'externalAccountRequired' error (#919) (#920)
* Check for 'externalAccountRequired' error.

* Add changelog fragment.

(cherry picked from commit 056ae1cf69)
2025-06-13 06:10:41 +02:00
Felix Fontein
ae6fb88896 Prepare 2.26.3. 2025-06-12 22:45:19 +02:00
patchback[bot]
66d7989222 Add HARICA to the list of tested CAs (#915) (#916)
* Add HARICA to the list of tested CAs

* Add ZeroSSL to list.

---------

(cherry picked from commit ec063d8515)

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Felix Fontein <felix@fontein.de>
2025-06-08 21:08:04 +02:00
Felix Fontein
99d6a17653 Fix some ansible-lint issues (#907) (#908)
* Fix fqcn[action-core].

* Fix fqcn[action].

* Fix jinja[spacing].

(cherry picked from commit 8792635bef)
2025-05-30 22:43:43 +02:00
patchback[bot]
edeed24e8f Document supported curves for Elliptic Curve keys on ACME Accounts (#904) (#906)
(cherry picked from commit 7241d5543a)

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
2025-05-30 13:08:08 +02:00
Felix Fontein
2f3809c84b Next release will be 2.26.3. 2025-05-22 22:02:19 +02:00
Felix Fontein
4f92a02bc4 Release 2.26.2. 2025-05-22 21:19:40 +02:00
Felix Fontein
f7b01bae60 Prepare 2.26.2. 2025-05-22 19:58:28 +02:00
Felix Fontein
43d7868646 [stable-2] Remove entrust announcement (#901)
* Announce removal of Entrust content from community.crypto 3.0.0.

* Add more information on Entrust removal.
2025-05-22 19:57:08 +02:00
patchback[bot]
3fbf173674 Add RHEL 10.0 to CI. (#899) (#902)
(cherry picked from commit 41b71bb60c)

Co-authored-by: Felix Fontein <felix@fontein.de>
2025-05-22 06:43:36 +02:00
Felix Fontein
d350b94ae6 Lint doc fragments.
(cherry picked from commit ef230011fd)
2025-05-01 16:48:13 +02:00
Felix Fontein
a75cc7345a Fix typo.
(cherry picked from commit 718021b714)
2025-04-29 08:13:56 +02:00
Felix Fontein
f7795f65b0 Remove 'upcoming' information on 2.0.0. 2025-04-28 12:06:34 +02:00
Felix Fontein
b5d3277798 The next release will be 2.26.2.
There will be (very likely) no more minor releases from this branch.
2025-04-28 11:59:23 +02:00
Felix Fontein
f1a170d427 This is now the stable-2 branch. 2025-04-28 11:58:55 +02:00
153 changed files with 2659 additions and 2507 deletions

View File

@@ -212,6 +212,8 @@ stages:
targets:
- name: macOS 15.3
test: macos/15.3
- name: RHEL 10.0
test: rhel/10.0
- name: RHEL 9.5
test: rhel/9.5
- name: FreeBSD 14.2

View File

@@ -284,7 +284,7 @@ jobs:
pre-test-cmd: >-
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git ../../community/internal_test_tools
;
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.general.git ../../community/general
git clone --depth=1 --single-branch --branch stable-10 https://github.com/ansible-collections/community.general.git ../../community/general
pull-request-change-detection: 'true'
target: ${{ matrix.target }}
target-python-version: ${{ matrix.python }}
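Review bot: the `--branch stable-10` pin is applied only to the community.general clone; the community.internal_test_tools clone on the line above is still unpinned, so stable-2 CI keeps tracking that repository's default branch. Add a short comment next to the pinned clone stating why 10.x.y is required (the commit message says "Stick to community.general 10.x.y for CI" but the workflow itself does not), so the pin is neither bumped nor dropped by accident, and decide whether internal_test_tools needs the same treatment.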

File diff suppressed because it is too large.

View File

@@ -4,6 +4,36 @@ Community Crypto Release Notes
.. contents:: Topics
v2.26.3
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- acme_account - make work with CAs that do not accept any account request without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918, https://github.com/ansible-collections/community.crypto/pull/919).
v2.26.2
=======
Release Summary
---------------
Maintenance release announcing removal of the Entrust content from community.crypto 3.0.0.
Deprecated Features
-------------------
- The Entrust service in currently being sunsetted after the sale of Entrust's Public Certificates Business to Sectigo; see `the announcement with key dates <https://www.entrust.com/tls-certificate-information-center>`__ and `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__ for details (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_certificate - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
v2.26.1
=======
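Review bot: the first entry under "Deprecated Features" for v2.26.2 reads "The Entrust service in currently being sunsetted"; "in" should be "is". CHANGELOG.rst is generated from changelogs/changelog.yaml and the fragments, so correct the sentence in the source entry (it appears verbatim in the 2.26.2 block of changelog.yaml later in this change) and regenerate the RST rather than editing only the rendered file.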

View File

@@ -7,9 +7,9 @@ SPDX-License-Identifier: GPL-3.0-or-later
# Ansible Community Crypto Collection
[![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/crypto/)
[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions)
[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions)
[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=stable-2)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.crypto)](https://codecov.io/gh/ansible-collections/community.crypto)
[![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.crypto)](https://api.reuse.software/info/github.com/ansible-collections/community.crypto)
@@ -54,7 +54,7 @@ Browsing the [**latest** collection documentation](https://docs.ansible.com/ansi
Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/crypto) shows docs for the _latest version released on Galaxy_.
We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/) which shows docs for the _latest commit in the `main` branch_.
We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/) which shows docs for the _latest commit in the `stable-2` branch_.
If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
@@ -109,7 +109,7 @@ If you use the Ansible package and do not update collections independently, use
- luks_device module
- parse_serial and to_serial filters
You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/).
You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/).
## Using this collection
@@ -141,19 +141,15 @@ See [Ansible's dev guide](https://docs.ansible.com/ansible/devel/dev_guide/devel
## Release notes
See the [changelog](https://github.com/ansible-collections/community.crypto/blob/main/CHANGELOG.md).
See the [changelog](https://github.com/ansible-collections/community.crypto/blob/stable-2/CHANGELOG.md).
## Roadmap
We plan to regularly release minor and patch versions, whenever new features are added or bugs fixed. Our collection follows [semantic versioning](https://semver.org/), so breaking changes will only happen in major releases.
Most modules will drop PyOpenSSL support in version 2.0.0 of the collection, i.e. in the next major version. We currently plan to release 2.0.0 somewhen during 2021. Around then, the supported versions of the most common distributions will contain a new enough version of ``cryptography``.
Once 2.0.0 has been released, bugfixes will still be backported to 1.0.0 for some time, and some features might also be backported. If we do not want to backport something ourselves because we think it is not worth the effort, backport PRs by non-maintainers are usually accepted.
In 2.0.0, the following notable features will be removed:
* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which does not have a ``cryptography`` backend due to lack of support of PKCS#12 functionality in ``cryptography``.
* The ``assertonly`` provider of ``x509_certificate`` will be removed.
In 2.0.0, the following notable features have been removed:
* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which did now have a ``cryptography`` backend for a long time due to lack of support of PKCS#12 functionality in ``cryptography``. (This changed.)
* The ``assertonly`` provider of ``x509_certificate`` has been removed.
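Review bot: the rewritten PyOpenSSL bullet reads "which did now have a ``cryptography`` backend for a long time ... (This changed.)"; "now" should be "not", and the trailing parenthetical leaves the reader guessing what changed. State it directly, e.g. "``openssl_pkcs12`` kept its PyOpenSSL backend for a long time because ``cryptography`` lacked PKCS#12 support; this is no longer the case." Also, the heading sentence in the hunk header context still says "will be removed" while the list now says "have been removed"; check the surrounding paragraph uses the past tense consistently.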
## More information
@@ -166,8 +162,8 @@ In 2.0.0, the following notable features will be removed:
This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/main/COPYING) for the full text.
See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/stable-2/COPYING) for the full text.
Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/).
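Review bot: drive-by in the unchanged context line of this hunk: `SDPX-License-Identifier:` should be `SPDX-License-Identifier:`, and "denoting its respective license(s)" should be "their respective license(s)" since the subject is "All files". Worth fixing while the licensing paragraph is being touched.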

View File

@@ -1643,3 +1643,39 @@ releases:
- 867-passphrase-encoding-nolog.yml
- 868-luks-remove-keyslot.yml
release_date: '2025-04-28'
2.26.2:
changes:
deprecated_features:
- The Entrust service in currently being sunsetted after the sale of Entrust's
Public Certificates Business to Sectigo; see `the announcement with key
dates <https://www.entrust.com/tls-certificate-information-center>`__ and
`the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__
for details (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_certificate - the module will be removed from community.crypto 3.0.0
(https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate - the ``entrust`` provider will be removed from community.crypto
3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto
3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
release_summary: Maintenance release announcing removal of the Entrust content
from community.crypto 3.0.0.
fragments:
- 2.26.2.yml
- 901-remove-entrust.yml
release_date: '2025-05-22'
2.26.3:
changes:
bugfixes:
- acme_account - make work with CAs that do not accept any account request
without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918,
https://github.com/ansible-collections/community.crypto/pull/919).
release_summary: Bugfix release.
fragments:
- 2.26.3.yml
- 919-acme_account-ear.yml
release_date: '2025-06-14'

View File

@@ -5,7 +5,7 @@
namespace: community
name: crypto
version: 2.26.1
version: 2.26.3
readme: README.md
authors:
- Ansible (github.com/ansible)

View File

@@ -120,7 +120,7 @@ notes:
the module can in principle be used with any CA providing an ACME endpoint, such as L(Buypass Go SSL,https://www.buypass.com/ssl/products/acme).
- So far, the ACME modules have only been tested by the developers against Let's Encrypt (staging and production), Buypass
(staging and production), ZeroSSL (production), and L(Pebble testing server,https://github.com/letsencrypt/Pebble). We
have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with
have got community feedback that they also work with Sectigo ACME Service for InCommon and with HARICA. If you experience problems with
another ACME server, please L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose)
to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
requirements:
@@ -146,6 +146,7 @@ options:
- For B(Buypass), the production directory URL for ACME v2 and v1 is U(https://api.buypass.com/acme/directory).
- For B(ZeroSSL), the production directory URL for ACME v2 is U(https://acme.zerossl.com/v2/DV90).
- For B(Sectigo), the production directory URL for ACME v2 is U(https://acme-qa.secure.trust-provider.com/v2/DV).
- For B(HARICA), the production directory URL for ACME v2 is U(https://acme.harica.gr/XXX/directory) with XXX being specific to your account.
- The notes for this module contain a list of ACME services this module has been tested against.
required: true
type: str
@@ -185,6 +186,7 @@ options:
account_key_src:
description:
- Path to a file containing the ACME account RSA or Elliptic Curve key.
- "For Elliptic Curve keys only the following curves are supported: V(secp256r1), V(secp384r1), and V(secp521r1)."
- 'Private keys can be created with the M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe)
modules. If the requisite (cryptography) is not available, keys can also be created directly with the C(openssl) command
line tool: RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys can be created with C(openssl ecparam
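Review bot: the new curve sentence lists secp256r1, secp384r1 and secp521r1 without saying why only these are accepted. Adding that they are the curves with a JWS ECDSA algorithm (RFC 7518: ES256 for P-256, ES384 for P-384, ES512 for P-521), which is what the ACME account key is used to sign with, tells users that a rejected brainpool or secp256k1 key is a protocol limitation rather than a bug. The identical sentence is added for account_key_content in the next hunk; keep both copies in sync or move it into a shared fragment.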
@@ -192,10 +194,12 @@ options:
- Mutually exclusive with O(account_key_content).
- Required if O(account_key_content) is not used.
type: path
aliases: [account_key]
aliases:
- account_key
account_key_content:
description:
- Content of the ACME account RSA or Elliptic Curve key.
- "For Elliptic Curve keys only the following curves are supported: V(secp256r1), V(secp384r1), and V(secp521r1)."
- Mutually exclusive with O(account_key_src).
- Required if O(account_key_src) is not used.
- B(Warning:) the content will be written into a temporary file, which will be deleted by Ansible when the module completes.

View File

@@ -377,7 +377,8 @@ options:
- This is only used by the V(selfsigned) provider.
type: str
default: +0s
aliases: [ selfsigned_notBefore ]
aliases:
- selfsigned_notBefore
selfsigned_not_after:
description:
@@ -395,7 +396,8 @@ options:
Please see U(https://support.apple.com/en-us/HT210176) for more details.
type: str
default: +3650d
aliases: [ selfsigned_notAfter ]
aliases:
- selfsigned_notAfter
selfsigned_create_subject_key_identifier:
description:

View File

@@ -75,37 +75,51 @@ options:
description:
- The countryName field of the certificate signing request subject.
type: str
aliases: [C, countryName]
aliases:
- C
- countryName
state_or_province_name:
description:
- The stateOrProvinceName field of the certificate signing request subject.
type: str
aliases: [ST, stateOrProvinceName]
aliases:
- ST
- stateOrProvinceName
locality_name:
description:
- The localityName field of the certificate signing request subject.
type: str
aliases: [L, localityName]
aliases:
- L
- localityName
organization_name:
description:
- The organizationName field of the certificate signing request subject.
type: str
aliases: [O, organizationName]
aliases:
- O
- organizationName
organizational_unit_name:
description:
- The organizationalUnitName field of the certificate signing request subject.
type: str
aliases: [OU, organizationalUnitName]
aliases:
- OU
- organizationalUnitName
common_name:
description:
- The commonName field of the certificate signing request subject.
type: str
aliases: [CN, commonName]
aliases:
- CN
- commonName
email_address:
description:
- The emailAddress field of the certificate signing request subject.
type: str
aliases: [E, emailAddress]
aliases:
- E
- emailAddress
subject_alt_name:
description:
- Subject Alternative Name (SAN) extension to attach to the certificate signing request.
@@ -116,63 +130,75 @@ options:
- More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6).
type: list
elements: str
aliases: [subjectAltName]
aliases:
- subjectAltName
subject_alt_name_critical:
description:
- Should the subjectAltName extension be considered as critical.
type: bool
default: false
aliases: [subjectAltName_critical]
aliases:
- subjectAltName_critical
use_common_name_for_san:
description:
- If set to V(true), the module will fill the common name in for O(subject_alt_name) with C(DNS:) prefix if no SAN is
specified.
type: bool
default: true
aliases: [useCommonNameForSAN]
aliases:
- useCommonNameForSAN
key_usage:
description:
- This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate.
type: list
elements: str
aliases: [keyUsage]
aliases:
- keyUsage
key_usage_critical:
description:
- Should the keyUsage extension be considered as critical.
type: bool
default: false
aliases: [keyUsage_critical]
aliases:
- keyUsage_critical
extended_key_usage:
description:
- Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which
the public key may be used.
type: list
elements: str
aliases: [extKeyUsage, extendedKeyUsage]
aliases:
- extKeyUsage
- extendedKeyUsage
extended_key_usage_critical:
description:
- Should the extkeyUsage extension be considered as critical.
type: bool
default: false
aliases: [extKeyUsage_critical, extendedKeyUsage_critical]
aliases:
- extKeyUsage_critical
- extendedKeyUsage_critical
basic_constraints:
description:
- Indicates basic constraints, such as if the certificate is a CA.
type: list
elements: str
aliases: [basicConstraints]
aliases:
- basicConstraints
basic_constraints_critical:
description:
- Should the basicConstraints extension be considered as critical.
type: bool
default: false
aliases: [basicConstraints_critical]
aliases:
- basicConstraints_critical
ocsp_must_staple:
description:
- Indicates that the certificate should contain the OCSP Must Staple extension (U(https://tools.ietf.org/html/rfc7633)).
type: bool
default: false
aliases: [ocspMustStaple]
aliases:
- ocspMustStaple
ocsp_must_staple_critical:
description:
- Should the OCSP Must Staple extension be considered as critical.
@@ -180,7 +206,8 @@ options:
OCSP Must Staple are required to reject such certificates (see U(https://tools.ietf.org/html/rfc7633#section-4)).
type: bool
default: false
aliases: [ocspMustStaple_critical]
aliases:
- ocspMustStaple_critical
name_constraints_permitted:
description:
- For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed

View File

@@ -73,13 +73,28 @@ class ACMEAccount(object):
# and provide external_account_binding credentials. Thus we first send a request with allow_creation=False
# to see whether the account already exists.
# Note that we pass contact here: ZeroSSL does not accept registration calls without contacts, even
# if onlyReturnExisting is set to true.
created, data = self._new_reg(contact=contact, allow_creation=False)
if data:
# An account already exists! Return data
return created, data
# An account does not yet exist. Try to create one next.
# Unfortunately, for other ACME servers it's the other way around: (at least some) HARICA endpoints
# do not allow *any* access without external account data. That's why we catch errors and check
# for 'externalAccountRequired'.
try:
# Note that we pass contact here: ZeroSSL does not accept registration calls without contacts, even
# if onlyReturnExisting is set to true.
created, data = self._new_reg(contact=contact, allow_creation=False)
if data:
# An account already exists! Return data
return created, data
# An account does not yet exist. Try to create one next.
except ACMEProtocolException as exc:
if (
exc.error_type
!= "urn:ietf:params:acme:error:externalAccountRequired"
or external_account_binding is None
):
# Either another error happened, or we got 'externalAccountRequired' and external account data was not supplied
# => re-raise exception!
raise
# In this case, the server really wants external account data.
# The below code tries to create the account with external account data present.
new_reg = {"contact": contact}
if not allow_creation:
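Review bot: the new `except ACMEProtocolException` path has no test visible in this change, and it is only reachable against a CA that rejects the existence probe outright. Add unit tests that make `_new_reg` raise `ACMEProtocolException` with `error_type == "urn:ietf:params:acme:error:externalAccountRequired"` and check three cases: with `external_account_binding` set the code continues to the creation request; with it `None` the exception is re-raised unchanged; and an unrelated `error_type` is re-raised even when binding data is present. Also, on this path the "does the account already exist?" probe never completes, so the code after `new_reg = {"contact": contact}` runs without knowing whether the account exists; confirm the `if not allow_creation:` branch that follows does not assume the probe returned, and consider a comment there saying the probe may have been skipped.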

View File

@@ -105,8 +105,8 @@ options:
external_account_binding:
description:
- Allows to provide external account binding data during account creation.
- This is used by CAs like Sectigo to bind a new ACME account to an existing CA-specific account, to be able to properly
identify a customer.
- This is used by CAs like Sectigo, HARICA, or ZeroSSL to bind a new ACME account to an existing CA-specific account,
to be able to properly identify a customer.
- Only used when creating a new account. Can not be specified for ACME v1.
type: dict
suboptions:

View File

@@ -6,11 +6,11 @@
- hosts: localhost
tasks:
- name: Show Python info
debug:
ansible.builtin.debug:
var: ansible_python
- name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: cryptography_version
- name: Register pyOpenSSL version
@@ -19,7 +19,7 @@
register: pyopenssl_version
- name: Determine output directory
set_fact:
ansible.builtin.set_fact:
output_path: "{{ 'output-%0x' % ((2**32) | random) }}"
- name: Find all roles

View File

@@ -8,11 +8,11 @@
register: result
- name: Dump result
debug:
ansible.builtin.debug:
var: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.openssl_present
- result.python_cryptography_installed

View File

@@ -24,13 +24,13 @@
when: false
block:
- name: Create lookback device
command: losetup -f {{ cryptfile_path }}
ansible.builtin.command: losetup -f {{ cryptfile_path }}
- name: Determine loop device name
command: losetup -j {{ cryptfile_path }} --output name
ansible.builtin.command: losetup -j {{ cryptfile_path }} --output name
register: cryptfile_device_output
- set_fact:
- ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
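Review bot: drive-by in the unchanged context of this hunk: the task name "Create lookback device" should read "Create loopback device".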
- name: Create LUKS container

View File

@@ -8,7 +8,7 @@
register: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.msg == 'Everything is ok'
@@ -17,6 +17,6 @@
register: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.msg == 'Everything is ok'

View File

@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
type: ECC
@@ -14,7 +14,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
return_private_key_data: true
@@ -30,7 +30,7 @@
- name: accountkey5
- name: Do not try to create account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -42,7 +42,7 @@
register: account_not_created
- name: Create it now (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -58,7 +58,7 @@
register: account_created_check
- name: Create it now
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -72,7 +72,7 @@
register: account_created
- name: Create it now (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -86,12 +86,12 @@
register: account_created_idempotent
- name: Read account key
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp
- name: Change email address (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -106,7 +106,7 @@
register: account_modified_check
- name: Change email address
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -119,7 +119,7 @@
register: account_modified
- name: Change email address (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri }}"
@@ -133,7 +133,7 @@
register: account_modified_idempotent
- name: Cannot access account with wrong URI
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
@@ -146,7 +146,7 @@
register: account_modified_wrong_uri
- name: Clear contact email addresses (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -160,7 +160,7 @@
register: account_modified_2_check
- name: Clear contact email addresses
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -172,7 +172,7 @@
register: account_modified_2
- name: Clear contact email addresses (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -184,7 +184,7 @@
register: account_modified_2_idempotent
- name: Change account key (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -200,7 +200,7 @@
register: account_change_key_check
- name: Change account key
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -214,7 +214,7 @@
register: account_change_key
- name: Deactivate account (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -227,7 +227,7 @@
register: account_deactivate_check
- name: Deactivate account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -238,7 +238,7 @@
register: account_deactivate
- name: Deactivate account (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -249,7 +249,7 @@
register: account_deactivate_idempotent
- name: Do not try to create account II
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -262,7 +262,7 @@
register: account_not_created_2
- name: Do not try to create account III
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -274,7 +274,7 @@
register: account_not_created_3
- name: Create account with External Account Binding
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem"
acme_version: 2
@@ -304,4 +304,4 @@
kid: kid-3
alg: HS512
key: zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W
- debug: var=account_created_eab
- ansible.builtin.debug: var=account_created_eab
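Review bot: the `ansible.builtin.debug: var=account_created_eab` line at the end of this hunk dumps the whole registered loop result, which carries each item's `invocation.module_args`, so confirm the `external_account_binding` `key` (the HS512 value a few lines above) is declared `no_log` in the module; otherwise it lands in the play output. The `********` masking seen in the validate hunks shows the module does mask some parameters, so this is a check, not a known leak. The task is also unnamed; `- name: Show EAB account results` above the debug keeps ansible-lint's `name[missing]` rule quiet.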

View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')
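Review bot: the two `- ansible.builtin.import_tasks: ../tests/validate.yml` entries in this hunk are still unnamed, so ansible-lint's `name[missing]` rule will flag them even after the `fqcn[action]` fix; give each a name, e.g. `- name: Validate results` followed by `ansible.builtin.import_tasks: ../tests/validate.yml`. Note also that the `when:` guards on the enclosing blocks (OpenSSL `version('1.0.0', '>=')` and cryptography `version('1.5', '>=')`) skip the validation together with the tests, which is intended but deserves a comment next to the existing 0.9.8 remark.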

View File

@@ -4,13 +4,13 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't created in the first step
assert:
ansible.builtin.assert:
that:
- account_not_created is failed
- account_not_created.msg == 'Account does not exist or is deactivated.'
- name: Validate that account was created in the second step (check mode)
assert:
ansible.builtin.assert:
that:
- account_created_check is changed
- account_created_check.account_uri is none
@@ -21,19 +21,19 @@
- account_created_check.diff.after.contact[0] in ['mailto:example@example.org', 'mailto:********@********.org']
- name: Validate that account was created in the second step
assert:
ansible.builtin.assert:
that:
- account_created is changed
- account_created.account_uri is not none
- name: Validate that account was created in the second step (idempotency)
assert:
ansible.builtin.assert:
that:
- account_created_idempotent is not changed
- account_created_idempotent.account_uri is not none
- name: Validate that email address was changed (check mode)
assert:
ansible.builtin.assert:
that:
- account_modified_check is changed
- account_modified_check.account_uri is not none
@@ -44,24 +44,24 @@
- account_modified_check.diff.after.contact[0] in ['mailto:example@example.com', 'mailto:********@********.com']
- name: Validate that email address was changed
assert:
ansible.builtin.assert:
that:
- account_modified is changed
- account_modified.account_uri is not none
- name: Validate that email address was not changed a second time (idempotency)
assert:
ansible.builtin.assert:
that:
- account_modified_idempotent is not changed
- account_modified_idempotent.account_uri is not none
- name: Make sure that with the wrong account URI, the account cannot be changed
assert:
ansible.builtin.assert:
that:
- account_modified_wrong_uri is failed
- name: Validate that email address was cleared (check mode)
assert:
ansible.builtin.assert:
that:
- account_modified_2_check is changed
- account_modified_2_check.account_uri is not none
@@ -71,19 +71,19 @@
- account_modified_2_check.diff.after.contact | length == 0
- name: Validate that email address was cleared
assert:
ansible.builtin.assert:
that:
- account_modified_2 is changed
- account_modified_2.account_uri is not none
- name: Validate that email address was not cleared a second time (idempotency)
assert:
ansible.builtin.assert:
that:
- account_modified_2_idempotent is not changed
- account_modified_2_idempotent.account_uri is not none
- name: Validate that the account key was changed (check mode)
assert:
ansible.builtin.assert:
that:
- account_change_key_check is changed
- account_change_key_check.account_uri is not none
@@ -91,13 +91,13 @@
- account_change_key_check.diff.before.public_account_key != account_change_key_check.diff.after.public_account_key
- name: Validate that the account key was changed
assert:
ansible.builtin.assert:
that:
- account_change_key is changed
- account_change_key.account_uri is not none
- name: Validate that the account was deactivated (check mode)
assert:
ansible.builtin.assert:
that:
- account_deactivate_check is changed
- account_deactivate_check.account_uri is not none
@@ -106,13 +106,13 @@
- "account_deactivate_check.diff.after == {}"
- name: Validate that the account was deactivated
assert:
ansible.builtin.assert:
that:
- account_deactivate is changed
- account_deactivate.account_uri is not none
- name: Validate that the account was really deactivated (idempotency)
assert:
ansible.builtin.assert:
that:
- account_deactivate_idempotent is not changed
# The next condition should be true for all conforming ACME servers.
@@ -121,19 +121,19 @@
- account_deactivate_idempotent.account_uri is none
- name: Validate that the account is gone (new account key)
assert:
ansible.builtin.assert:
that:
- account_not_created_2 is failed
- account_not_created_2.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account is gone (old account key)
assert:
ansible.builtin.assert:
that:
- account_not_created_3 is failed
- account_not_created_3.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account with External Account Binding has been created
assert:
ansible.builtin.assert:
that:
- account_created_eab.results[0] is changed
- account_created_eab.results[1] is changed

View File

@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC
curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true
loop: "{{ account_keys }}"
@@ -24,7 +24,7 @@
- accountkey2
- name: Check that account does not exist
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -33,7 +33,7 @@
register: account_not_created
- name: Create it now
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -46,7 +46,7 @@
- mailto:example@example.org
- name: Check that account exists
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -55,12 +55,12 @@
register: account_created
- name: Read account key
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp
- name: Clear email address
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -71,7 +71,7 @@
contact: []
- name: Check that account was modified
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -81,7 +81,7 @@
register: account_modified
- name: Check with wrong account URI
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -91,7 +91,7 @@
register: account_not_exist
- name: Check with wrong account key
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
acme_version: 2

View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

View File

@@ -4,14 +4,14 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't there
assert:
ansible.builtin.assert:
that:
- not account_not_created.exists
- account_not_created.account_uri is none
- "'account' not in account_not_created"
- name: Validate that account was created
assert:
ansible.builtin.assert:
that:
- account_created.exists
- account_created.account_uri is not none
@@ -22,7 +22,7 @@
- "account_created.account.contact[0] == 'mailto:example@example.org'"
- name: Validate that account email was removed
assert:
ansible.builtin.assert:
that:
- account_modified.exists
- account_modified.account_uri is not none
@@ -32,13 +32,13 @@
- account_modified.account.contact | length == 0
- name: Validate that account does not exist with wrong account URI
assert:
ansible.builtin.assert:
that:
- not account_not_exist.exists
- account_not_exist.account_uri is none
- "'account' not in account_not_exist"
- name: Validate that account cannot be accessed with wrong key
assert:
ansible.builtin.assert:
that:
- account_wrong_key is failed

View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -21,7 +21,7 @@
curve: secp256r1
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for renewal check
certificate_name: cert-1
@@ -39,18 +39,18 @@
account_email: "example@example.org"
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
command:
ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Read certificate
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1
- name: Obtain certificate information
acme_ari_info:
community.crypto.acme_ari_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
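Review bot: the `cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text` line in this hunk calls a bare `openssl` with an unquoted path, while the other verify/dump tasks in this change use `'{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'`; align it with that form so the same binary is exercised on every platform and a temp directory containing spaces does not split the argument. The task also reports `changed` on every run because nothing consumes its output; add `changed_when: false` (and a `register:` if the text is meant to be inspected). Two tasks in this hunk are both named `Obtain certificate information`; naming the second `Obtain ARI renewal information` makes the log readable.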

View File

@@ -14,31 +14,31 @@
block:
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate results
assert:
ansible.builtin.assert:
that:
- cert_1 is not changed
- cert_1.renewal_info.explanationURL is not defined or cert_1.renewal_info.explanationURL is string

View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -28,7 +28,7 @@
## SET UP ACCOUNTS ############################################################################
- name: Make sure ECC256 account hasn't been created yet
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -36,11 +36,11 @@
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
state: absent
- name: Read account key (EC384)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp
- name: Create ECC384 account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -53,7 +53,7 @@
- mailto:example@example.org
- mailto:example@example.com
- name: Create RSA account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -66,7 +66,7 @@
## OBTAIN CERTIFICATES ########################################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1
certificate_name: cert-1
@@ -89,11 +89,11 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 1
set_fact:
ansible.builtin.set_fact:
cert_1_obtain_results: "{{ certificate_obtain_result }}"
cert_1_alternate: "{{ 1 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 2
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 2
certificate_name: cert-2
@@ -122,15 +122,15 @@
issuer: "{{ acme_roots[2].subject }}"
use_csr_content: false
- name: Store obtain results for cert 2
set_fact:
ansible.builtin.set_fact:
cert_2_obtain_results: "{{ certificate_obtain_result }}"
cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Read account key (RSA)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key
- name: Obtain cert 3
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 3
certificate_name: cert-3
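Review bot: `cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"` in this hunk yields 0 in both branches, so the conditional is dead; either write the literal `0` or, if a different chain index was meant for the cryptography backend (as `cert_1_alternate` uses 1 and `cert_4_alternate` uses 2), fix the first branch. The same no-op expression appears for certs 3, 5, 6 and 8 in later hunks.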
@@ -152,11 +152,11 @@
subject: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 3
set_fact:
ansible.builtin.set_fact:
cert_3_obtain_results: "{{ certificate_obtain_result }}"
cert_3_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 4
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 4
certificate_name: cert-4
@@ -181,11 +181,11 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: false
- name: Store obtain results for cert 4
set_fact:
ansible.builtin.set_fact:
cert_4_obtain_results: "{{ certificate_obtain_result }}"
cert_4_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 1/4
certificate_name: cert-5
@@ -202,11 +202,11 @@
account_email: ""
use_csr_content: true
- name: Store obtain results for cert 5a
set_fact:
ansible.builtin.set_fact:
cert_5a_obtain_results: "{{ certificate_obtain_result }}"
cert_5_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5 (should not, since already there and valid for more than 1 days)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 2/4
certificate_name: cert-5
@@ -223,10 +223,10 @@
account_email: ""
use_csr_content: false
- name: Store obtain results for cert 5b
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_1: "{{ challenge_data is changed }}"
- name: Obtain cert 5 (should again by less days)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 3/4
certificate_name: cert-5
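Review bot: the task name `Obtain cert 5 (should again by less days)` in this hunk is hard to parse; `Obtain cert 5 (should renew, remaining validity below threshold)` states the intent. The previous hunk's `valid for more than 1 days` has the same problem (`more than 1 day`).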
@@ -245,15 +245,15 @@
acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}"
acme_certificate_include_renewal_cert_id: when_ari_supported
- name: Store obtain results for cert 5c
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_2: "{{ challenge_data is changed }}"
cert_5c_obtain_results: "{{ certificate_obtain_result }}"
- name: Read account key (EC384)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp_account_key
- name: Obtain cert 5 (should again by force)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 4/4
certificate_name: cert-5
@@ -270,12 +270,12 @@
account_email: ""
use_csr_content: false
- name: Store obtain results for cert 5d
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_3: "{{ challenge_data is changed }}"
cert_5d_obtain_results: "{{ certificate_obtain_result }}"
- block:
- name: Obtain cert 6
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 6
certificate_name: cert-6
@@ -303,13 +303,13 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 6
set_fact:
ansible.builtin.set_fact:
cert_6_obtain_results: "{{ certificate_obtain_result }}"
cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_intermediates[0].subject_key_identifier is defined
- block:
- name: Obtain cert 7
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 7
certificate_name: cert-7
@@ -333,13 +333,13 @@
authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}"
use_csr_content: false
- name: Store obtain results for cert 7
set_fact:
ansible.builtin.set_fact:
cert_7_obtain_results: "{{ certificate_obtain_result }}"
cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_roots[2].subject_key_identifier is defined
- block:
- name: Obtain cert 8
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 8
certificate_name: cert-8
@@ -361,7 +361,7 @@
account_email: "example@example.org"
use_csr_content: true
- name: Store obtain results for cert 8
set_fact:
ansible.builtin.set_fact:
cert_8_obtain_results: "{{ certificate_obtain_result }}"
cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: cryptography_version.stdout is version('1.3', '>=')
@@ -369,110 +369,110 @@
## DISSECT CERTIFICATES #######################################################################
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
- name: Verifying cert 1
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ignore_errors: true
register: cert_1_valid
- name: Verifying cert 2
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ignore_errors: true
register: cert_2_valid
- name: Verifying cert 3
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ignore_errors: true
register: cert_3_valid
- name: Verifying cert 4
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ignore_errors: true
register: cert_4_valid
- name: Verifying cert 5
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ignore_errors: true
register: cert_5_valid
- name: Verifying cert 6
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ignore_errors: true
register: cert_6_valid
when: acme_intermediates[0].subject_key_identifier is defined
- name: Verifying cert 7
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ignore_errors: true
register: cert_7_valid
when: acme_roots[2].subject_key_identifier is defined
- name: Verifying cert 8
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ignore_errors: true
register: cert_8_valid
when: cryptography_version.stdout is version('1.3', '>=')
# Dump certificate info
- name: Dumping cert 1
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
register: cert_1_text
- name: Dumping cert 2
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
register: cert_2_text
- name: Dumping cert 3
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
register: cert_3_text
- name: Dumping cert 4
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
register: cert_4_text
- name: Dumping cert 5
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
register: cert_5_text
- name: Dumping cert 6
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
register: cert_6_text
when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
register: cert_7_text
when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
register: cert_8_text
when: cryptography_version.stdout is version('1.3', '>=')
# Dump certificate info
- name: Dumping cert 1
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Dumping cert 2
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-2.pem"
register: cert_2_info
- name: Dumping cert 3
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-3.pem"
register: cert_3_info
- name: Dumping cert 4
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-4.pem"
register: cert_4_info
- name: Dumping cert 5
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-5.pem"
register: cert_5_info
- name: Dumping cert 6
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-6.pem"
register: cert_6_info
when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-7.pem"
register: cert_7_info
when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-8.pem"
register: cert_8_info
when: cryptography_version.stdout is version('1.3', '>=')
## GET ACCOUNT ORDERS #########################################################################
- name: Don't retrieve orders
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
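Review bot: the comment `# Dump certificate info` introduces both the `openssl x509 -text` block and the `x509_certificate_info` block in this hunk, and the tasks in both blocks share the names `Dumping cert 1` through `Dumping cert 8`, so the play log cannot show which one failed; rename the second set (for example `Parsing cert 1` for the `x509_certificate_info` tasks) and reword the second comment accordingly. The eight verify tasks differ only in the certificate number and `when:` guard, so a `loop:` over a list of number/condition pairs would cut the repetition, though that belongs in a follow-up rather than an FQCN fix. `ignore_errors: true` on the verify tasks is correct here, since validate.yml later asserts `cert_N_valid is not failed`.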
@@ -481,7 +481,7 @@
retrieve_orders: ignore
register: account_orders_not
- name: Retrieve orders as URL list (1/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -490,7 +490,7 @@
retrieve_orders: url_list
register: account_orders_urls
- name: Retrieve orders as URL list (2/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2
@@ -499,7 +499,7 @@
retrieve_orders: url_list
register: account_orders_urls2
- name: Retrieve orders as object list (1/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -508,7 +508,7 @@
retrieve_orders: object_list
register: account_orders_full
- name: Retrieve orders as object list (2/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2

View File

@@ -10,46 +10,46 @@
- block:
- name: Obtain root and intermediate certificates
get_url:
ansible.builtin.get_url:
url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}"
dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
loop: "{{ query('nested', types, root_numbers) }}"
- name: Analyze root certificates
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem"
loop: "{{ root_numbers }}"
register: acme_roots
- name: Analyze intermediate certificates
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem"
loop: "{{ root_numbers }}"
register: acme_intermediates
- name: Read root certificates
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}"
register: slurp_roots
- set_fact:
- ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_roots.results }}"
register: acme_roots_tmp
- name: Read intermediate certificates
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}"
register: slurp_intermediates
- set_fact:
- ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_intermediates.results }}"
register: acme_intermediates_tmp
- set_fact:
- ansible.builtin.set_fact:
acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}"
acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}"
acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}"
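Review bot: the three `- ansible.builtin.set_fact:` tasks in this hunk have no `name:`, which ansible-lint's `name[missing]` rule flags; name them after what they do (`Filter root certificate info`, `Filter intermediate certificate info`, `Collect ACME root and intermediate data`). A short comment on the `x__` scratch-fact pattern (set per loop item, then harvested via `ansible_facts.x__` from the registered results) would also help, since `acme_roots` and `acme_intermediates` are overwritten with filtered versions of themselves.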
@@ -74,48 +74,48 @@
# - public_key_fingerprints
- name: ACME root certificate info
debug:
ansible.builtin.debug:
var: acme_roots
# - name: ACME root certificates as PEM
# debug:
# ansible.builtin.debug:
# var: acme_root_certs
- name: ACME intermediate certificate info
debug:
ansible.builtin.debug:
var: acme_intermediates
# - name: ACME intermediate certificates as PEM
# debug:
# ansible.builtin.debug:
# var: acme_intermediate_certs
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

View File

@@ -4,15 +4,15 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 is valid
assert:
ansible.builtin.assert:
that:
- cert_1_valid is not failed
- name: Check that certificate 1 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.com' in cert_1_text.stdout"
- name: Read certificate 1 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-1.pem
@@ -20,7 +20,7 @@
- cert-1-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_1_obtain_results"
- "cert_1_obtain_results.all_chains | length > 1"
@@ -32,16 +32,16 @@
- "(slurp.results[2].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain"
- name: Check that certificate 2 is valid
assert:
ansible.builtin.assert:
that:
- cert_2_valid is not failed
- name: Check that certificate 2 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:*.example.com' in cert_2_text.stdout"
- "'DNS:example.com' in cert_2_text.stdout"
- name: Read certificate 2 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-2.pem
@@ -49,7 +49,7 @@
- cert-2-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_2_obtain_results"
- "cert_2_obtain_results.all_chains | length > 1"
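Review bot: the task name in this hunk still reads "Check that certificate 1 retrieval got all chains" although the assertions below it check `cert_2_obtain_results`; since the hunk already touches this task for the FQCN change, renaming it to "certificate 2" would make a failure report point at the right certificate.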
@@ -61,17 +61,17 @@
- "(slurp.results[2].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain"
- name: Check that certificate 3 is valid
assert:
ansible.builtin.assert:
that:
- cert_3_valid is not failed
- name: Check that certificate 3 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:*.example.com' in cert_3_text.stdout"
- "'DNS:example.org' in cert_3_text.stdout"
- "'DNS:t1.example.com' in cert_3_text.stdout"
- name: Read certificate 3 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-3.pem
@@ -79,7 +79,7 @@
- cert-3-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_3_obtain_results"
- "cert_3_obtain_results.all_chains | length > 1"
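Review bot: same copy-paste name as the cert 2 block: this task asserts on `cert_3_obtain_results` but is still named "Check that certificate 1 retrieval got all chains"; suggest "certificate 3" while the task is being edited anyway.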
@@ -91,11 +91,11 @@
- "(slurp.results[2].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain"
- name: Check that certificate 4 is valid
assert:
ansible.builtin.assert:
that:
- cert_4_valid is not failed
- name: Check that certificate 4 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.com' in cert_4_text.stdout"
- "'DNS:t1.example.com' in cert_4_text.stdout"
@@ -103,72 +103,72 @@
- "'DNS:example.org' in cert_4_text.stdout"
- "'DNS:TesT.example.org' in cert_4_text.stdout"
- name: Check that certificate 4 retrieval did not get all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' not in cert_4_obtain_results"
- name: Check that certificate 5 is valid
assert:
ansible.builtin.assert:
that:
- cert_5_valid is not failed
- name: Check that certificate 5 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:t2.example.com' in cert_5_text.stdout"
- name: Check that certificate 5 was not recreated on the first try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_1 == false
- name: Check that certificate 5 was recreated on the second try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_2 == true
- name: Check that certificate 5 was recreated on the third try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_3 == true
- block:
- name: Check that certificate 6 is valid
assert:
ansible.builtin.assert:
that:
- cert_6_valid is not failed
- name: Check that certificate 6 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.org' in cert_6_text.stdout"
when: acme_intermediates[0].subject_key_identifier is defined
- block:
- name: Check that certificate 7 is valid
assert:
ansible.builtin.assert:
that:
- cert_7_valid is not failed
- name: Check that certificate 7 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: acme_roots[2].subject_key_identifier is defined
- block:
- name: Check that certificate 8 is valid
assert:
ansible.builtin.assert:
that:
- cert_8_valid is not failed
- name: Check that certificate 8 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: cryptography_version.stdout is version('1.3', '>=')
- name: Validate that orders were not retrieved
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_not"
- "'orders' not in account_orders_not"
- name: Validate that orders were retrieved as list of URLs (1/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_urls"
- "'orders' not in account_orders_urls"
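Review bot: the "Check that certificate 7 contains correct SANs" task in this hunk asserts on `cert_8_text.stdout` rather than `cert_7_text.stdout`, so certificate 7's SANs are never actually validated (the identical assertion is repeated under certificate 8 a few lines later). The hunk only swaps `assert:` for `ansible.builtin.assert:` here, but since the line is touched, `- "'IP Address:127.0.0.1' in cert_7_text.stdout or 'IP:127.0.0.1' in cert_7_text.stdout"` looks like the intended check.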
@@ -176,7 +176,7 @@
- "account_orders_urls.order_uris[0] is string"
- name: Validate that orders were retrieved as list of URLs (2/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_urls2"
- "'orders' not in account_orders_urls2"
@@ -184,7 +184,7 @@
- "account_orders_urls2.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (1/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_full"
- "'orders' in account_orders_full"
@@ -193,7 +193,7 @@
- "account_orders_full.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (2/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_full2"
- "'orders' in account_orders_full2"

View File

@@ -9,24 +9,24 @@
account_email: example@example.org
block:
- name: Generate account key
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
curve: secp256r1
force: true
- name: Create cert private key
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
type: ECC
curve: secp256r1
force: true
- name: Create cert CSR
openssl_csr:
community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.csr"
privatekey_path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
subject_alt_name: "{{ subject_alt_name }}"
- name: Start process of obtaining certificate
acme_certificate:
community.crypto.acme_certificate:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -42,7 +42,7 @@
register: certificate_data
- name: Inspect order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -52,11 +52,11 @@
method: get
register: order_1
- name: Show order
debug:
ansible.builtin.debug:
var: order_1.output_json
- name: Deactivate order (check mode)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -67,7 +67,7 @@
register: deactivate_1
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -77,11 +77,11 @@
method: get
register: order_2
- name: Show order
debug:
ansible.builtin.debug:
var: order_2.output_json
- name: Deactivate order
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -91,7 +91,7 @@
register: deactivate_2
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -101,11 +101,11 @@
method: get
register: order_3
- name: Show order
debug:
ansible.builtin.debug:
var: order_3.output_json
- name: Deactivate order (check mode, idempotent)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -116,7 +116,7 @@
register: deactivate_3
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -126,11 +126,11 @@
method: get
register: order_4
- name: Show order
debug:
ansible.builtin.debug:
var: order_4.output_json
- name: Deactivate order (idempotent)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -140,7 +140,7 @@
register: deactivate_4
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -150,5 +150,5 @@
method: get
register: order_5
- name: Show order
debug:
ansible.builtin.debug:
var: order_5.output_json

View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Checks
assert:
ansible.builtin.assert:
that:
- order_1.output_json.status == 'pending'
- deactivate_1 is changed

View File

@@ -4,23 +4,23 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate random domain name"
set_fact:
ansible.builtin.set_fact:
domain_name: "host{{ '%0x' % ((2**32) | random) }}.example.com"
- name: "({{ select_crypto_backend }}) Generate account key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/accountkey.pem"
type: ECC
curve: secp256r1
force: true
- name: "({{ select_crypto_backend }}) Parse account keys (to ease debugging some test failures)"
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/accountkey.pem"
return_private_key_data: true
- name: "({{ select_crypto_backend }}) Create ACME account"
acme_account:
community.crypto.acme_account:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -31,14 +31,14 @@
register: account
- name: "({{ select_crypto_backend }}) Generate certificate key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/cert.key"
type: ECC
curve: secp256r1
force: true
- name: "({{ select_crypto_backend }}) Generate certificate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/cert.csr"
privatekey_path: "{{ remote_tmp_dir }}/cert.key"
subject:
@@ -47,7 +47,7 @@
register: csr
- name: "({{ select_crypto_backend }}) Create certificate order"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -57,11 +57,11 @@
register: order_1
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_1
- name: "({{ select_crypto_backend }}) Check order"
assert:
ansible.builtin.assert:
that:
- order_1 is changed
- order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -81,7 +81,7 @@
- order_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -91,11 +91,11 @@
register: order_info_1
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_1
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_1 is not changed
- order_info_1.authorizations_by_identifier | length == 1
@@ -120,8 +120,8 @@
- order_info_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Create HTTP challenges"
uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT
body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}"
@@ -142,7 +142,7 @@
register: validate_1
- name: "({{ select_crypto_backend }}) Check validation result"
assert:
ansible.builtin.assert:
that:
- validate_1 is changed
- validate_1.account_uri == account.account_uri
@@ -153,7 +153,7 @@
when: ansible_version.full is version('2.12', '<')
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -163,11 +163,11 @@
register: order_info_2
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_2
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_2 is not changed
- order_info_2.authorizations_by_identifier | length == 1
@@ -203,7 +203,7 @@
register: validate_2
- name: "({{ select_crypto_backend }}) Check validation result"
assert:
ansible.builtin.assert:
that:
- validate_2 is not changed
- validate_2.account_uri == account.account_uri
@@ -225,7 +225,7 @@
register: finalize_1
- name: "({{ select_crypto_backend }}) Check finalization result"
assert:
ansible.builtin.assert:
that:
- finalize_1 is changed
- finalize_1.account_uri == account.account_uri
@@ -236,7 +236,7 @@
- finalize_1.selected_chain.full_chain == finalize_1.selected_chain.cert + finalize_1.selected_chain.chain
- name: "({{ select_crypto_backend }}) Read files from disk"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/{{ item }}.pem"
loop:
- cert
@@ -245,14 +245,14 @@
register: slurp
- name: "({{ select_crypto_backend }}) Compare finalization result with files on disk"
assert:
ansible.builtin.assert:
that:
- finalize_1.selected_chain.cert == slurp.results[0].content | b64decode
- finalize_1.selected_chain.chain == slurp.results[1].content | b64decode
- finalize_1.selected_chain.full_chain == slurp.results[2].content | b64decode
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -262,11 +262,11 @@
register: order_info_3
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_3
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_3 is not changed
- order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -304,7 +304,7 @@
register: finalize_2
- name: "({{ select_crypto_backend }}) Check finalization result"
assert:
ansible.builtin.assert:
that:
- finalize_2 is not changed
- finalize_2.account_uri == account.account_uri
@@ -316,7 +316,7 @@
- finalize_2.selected_chain == finalize_1.selected_chain
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -326,11 +326,11 @@
register: order_info_4
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_4
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_4 is not changed
- order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -356,7 +356,7 @@
- when: acme_supports_ari
block:
- name: "({{ select_crypto_backend }}) Get certificate renewal information"
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -366,14 +366,14 @@
register: cert_info
- name: "({{ select_crypto_backend }}) Verify information"
assert:
ansible.builtin.assert:
that:
- cert_info.supports_ari == true
- cert_info.should_renew == false
- cert_info.cert_id is string
- name: "({{ select_crypto_backend }}) Create replacement order 1"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -386,7 +386,7 @@
register: replacement_order_1
- name: "({{ select_crypto_backend }}) Get replacement order 1 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -396,7 +396,7 @@
register: order_info_5
- name: "({{ select_crypto_backend }}) Check replacement order 1"
assert:
ansible.builtin.assert:
that:
- replacement_order_1 is changed
- replacement_order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -417,7 +417,7 @@
- replacement_order_1.order_uri not in [order_1.order_uri]
- name: "({{ select_crypto_backend }}) Check replacement order 1 information"
assert:
ansible.builtin.assert:
that:
- order_info_5 is not changed
- order_info_5.authorizations_by_identifier | length == 1
@@ -446,7 +446,7 @@
- when: false # TODO get Pebble improved
block:
- name: "({{ select_crypto_backend }}) Create replacement order 2 (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -459,7 +459,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 2"
assert:
ansible.builtin.assert:
that:
- replacement_order_2 is failed
- >-
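Review bot: the `ansible.builtin.assert` for "Check replacement order 2" in this hunk sits inside the block guarded by `- when: false # TODO get Pebble improved`, so the FQCN change here is never executed by CI; consider pointing the TODO at a tracking issue so the block is not forgotten once Pebble supports the behaviour.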
@@ -470,7 +470,7 @@
)
- name: "({{ select_crypto_backend }}) Create replacement order 3 with error handling"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -482,7 +482,7 @@
register: replacement_order_3
- name: "({{ select_crypto_backend }}) Get replacement order 3 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -492,7 +492,7 @@
register: order_info_6
- name: "({{ select_crypto_backend }}) Check replacement order 3"
assert:
ansible.builtin.assert:
that:
- replacement_order_3 is changed
- replacement_order_3.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -515,7 +515,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_3.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 3 information"
assert:
ansible.builtin.assert:
that:
- order_info_6 is not changed
- order_info_6.authorizations_by_identifier | length == 1
@@ -540,7 +540,7 @@
- order_info_6.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 3"
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -551,8 +551,8 @@
# Complete replacement order 1
- name: "({{ select_crypto_backend }}) Create HTTP challenges (replacement order 1)"
uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT
body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}"
@@ -590,7 +590,7 @@
- when: true
block:
- name: "({{ select_crypto_backend }}) Create replacement order 4 (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -603,7 +603,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 4"
assert:
ansible.builtin.assert:
that:
- replacement_order_4 is failed
- replacement_order_4.msg.startswith('Failed to start new order for https://' ~ acme_host)
@@ -611,7 +611,7 @@
' with status 409 Conflict. Error urn:ietf:params:acme:error:malformed: ' in replacement_order_4.msg
- name: "({{ select_crypto_backend }}) Create replacement order 5 with error handling"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -623,7 +623,7 @@
register: replacement_order_5
- name: "({{ select_crypto_backend }}) Get replacement order 5 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -633,7 +633,7 @@
register: order_info_7
- name: "({{ select_crypto_backend }}) Check replacement order 5"
assert:
ansible.builtin.assert:
that:
- replacement_order_5 is changed
- replacement_order_5.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -656,7 +656,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_5.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 5 information"
assert:
ansible.builtin.assert:
that:
- order_info_7 is not changed
- order_info_7.authorizations_by_identifier | length == 1
@@ -681,7 +681,7 @@
- order_info_7.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 5"
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -694,7 +694,7 @@
- when: acme_supports_profiles
block:
- name: "({{ select_crypto_backend }}) Create order with invalid profile (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -707,7 +707,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check invalid profile order"
assert:
ansible.builtin.assert:
that:
- invalid_profile_order is failed
- invalid_profile_order.msg == "The ACME CA does not support selected profile 'does-not-exist'."
@@ -717,7 +717,7 @@
- when: not acme_supports_profiles
block:
- name: "({{ select_crypto_backend }}) Create order with profile when server does not support it (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -729,7 +729,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check profile without server support order"
assert:
ansible.builtin.assert:
that:
- profile_without_server_support is failed
- profile_without_server_support.msg == 'The ACME CA does not support profiles. Please omit the "profile" option.'

View File

@@ -10,7 +10,7 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
@@ -18,18 +18,18 @@
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography

View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -22,7 +22,7 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for renewal check
certificate_name: cert-1
@@ -41,18 +41,18 @@
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
command:
ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Read certificate
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1
- name: Obtain certificate information (1/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
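Review bot: the "Dump OpenSSL x509 info" task in this hunk becomes `ansible.builtin.command` but still has no `changed_when` in the visible lines, so ansible-lint's `no-changed-when` rule will report it next; since the task is only used for diagnostic output, `changed_when: false` is the appropriate fix, and registering the result (or using `ansible.builtin.debug` on it) would make the dump visible in the log.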
@@ -60,7 +60,7 @@
validate_certs: false
register: cert_1_renewal_1
- name: Obtain certificate information (2/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -70,7 +70,7 @@
remaining_percentage: 0.5
register: cert_1_renewal_2
- name: Obtain certificate information (3/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_content: "{{ slurp_cert_1.content | b64decode }}"
acme_version: 2
@@ -79,7 +79,7 @@
now: +1800d
register: cert_1_renewal_3
- name: Obtain certificate information (4/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -90,7 +90,7 @@
remaining_percentage: 0.1
register: cert_1_renewal_4
- name: Obtain certificate information (5/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -101,7 +101,7 @@
remaining_percentage: 0.01
register: cert_1_renewal_5
- name: Obtain certificate information (6/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -112,7 +112,7 @@
remaining_percentage: 0.03
register: cert_1_renewal_6
- name: Obtain certificate information (7/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -121,7 +121,7 @@
now: +1830d
register: cert_1_renewal_7
- name: Obtain certificate information (8/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -129,7 +129,7 @@
now: +1830d
register: cert_1_renewal_8
- name: Obtain certificate information (9/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
acme_version: 2
@@ -137,12 +137,12 @@
validate_certs: false
register: cert_1_renewal_9
- name: Create broken file
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/cert-is-broken.pem"
content: |
--- THIS IS NOT A CERT ---
- name: Obtain certificate information (10/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: false
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
@@ -152,7 +152,7 @@
register: cert_1_renewal_10
ignore_errors: true
- name: Obtain certificate information (11/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: true
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"

View File

@@ -13,31 +13,31 @@
block:
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

View File

@@ -9,7 +9,7 @@
block:
- name: Validate results (generic)
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.should_renew == false
- cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
@@ -64,7 +64,7 @@
when: not acme_supports_ari
- name: Validate results without ARI
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.supports_ari == false
- cert_1_renewal_2.supports_ari == false
@@ -84,7 +84,7 @@
when: not acme_supports_ari
- name: Validate results with ARI
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.supports_ari == true
- cert_1_renewal_2.supports_ari == true

View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -28,11 +28,11 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Read account key (EC256)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec256.pem'
register: slurp_account_key
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for revocation
certificate_name: cert-1
@@ -49,7 +49,7 @@
terms_agreed: true
account_email: "example@example.org"
- name: Obtain cert 2
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 2 for revocation
certificate_name: cert-2
@@ -66,7 +66,7 @@
terms_agreed: true
account_email: "example@example.org"
- name: Obtain cert 3
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 3 for revocation
certificate_name: cert-3
@@ -84,7 +84,7 @@
## REVOKE CERTIFICATES ########################################################################
- name: Revoke certificate 1 via account key
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
certificate: "{{ remote_tmp_dir }}/cert-1.pem"
@@ -94,7 +94,7 @@
ignore_errors: true
register: cert_1_revoke
- name: Revoke certificate 2 via certificate private key
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
private_key_src: "{{ remote_tmp_dir }}/cert-2.key"
private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -105,11 +105,11 @@
ignore_errors: true
register: cert_2_revoke
- name: Read account key (RSA)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key
- name: Revoke certificate 3 via account key (fullchain)
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp_account_key.content | b64decode }}"
certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem"
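Review bot: `account_key_content: "{{ slurp_account_key.content | b64decode }}"` hands the raw PEM of the RSA account key to the module as a plain argument; please confirm the module declares that argument `no_log` so the key does not show up in `-vvv` output or callback logs. A smaller style point in the same hunk: `register: slurp_account_key` reuses the variable name from the earlier EC256 read, so the RSA key silently overwrites it; a one-line comment saying that is intentional would help the next reader. The renames to `ansible.builtin.slurp` and `community.crypto.acme_certificate_revoke` are correct.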

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

@@ -4,17 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 was revoked
assert:
ansible.builtin.assert:
that:
- cert_1_revoke is changed
- cert_1_revoke is not failed
- name: Check that certificate 2 was revoked
assert:
ansible.builtin.assert:
that:
- cert_2_revoke is changed
- cert_2_revoke is not failed
- name: Check that certificate 3 was revoked
assert:
ansible.builtin.assert:
that:
- cert_3_revoke is changed
- cert_3_revoke is not failed

@@ -10,13 +10,13 @@
- block:
- name: Generate ECC256 account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
curve: secp256r1
force: true
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
select_crypto_backend: auto
certgen_title: Certificate 1

@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC
curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true
loop: "{{ account_keys }}"
@@ -23,32 +23,32 @@
- accountkey
- name: Get directory
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
method: directory-only
select_crypto_backend: "{{ select_crypto_backend }}"
register: directory
- debug: var=directory
- ansible.builtin.debug: var=directory
- name: Create an account
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
url: "{{ directory.directory.newAccount}}"
url: "{{ directory.directory.newAccount }}"
method: post
content: '{"termsOfServiceAgreed":true}'
select_crypto_backend: "{{ select_crypto_backend }}"
register: account_creation
# account_creation.headers.location contains the account URI
# if creation was successful
- debug: var=account_creation
- ansible.builtin.debug: var=account_creation
- name: Get account information
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
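Review bot: the only non-mechanical change in this hunk is the spacing fix in `url: "{{ directory.directory.newAccount }}"`, which is cosmetic; Jinja renders both spellings to the same value, so nothing changes behaviourally. Worth keeping an eye on while this file is being touched: every `community.crypto.acme_inspect` task here carries `validate_certs: false`. That is acceptable for an integration test aimed at a throwaway directory via `acme_directory_url`, but the snippet should not be lifted into user-facing examples, where TLS verification of the ACME endpoint must stay enabled.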
@@ -58,10 +58,10 @@
method: get
select_crypto_backend: "{{ select_crypto_backend }}"
register: account_get
- debug: var=account_get
- ansible.builtin.debug: var=account_get
- name: Update account contacts
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -78,10 +78,10 @@
contact:
- mailto:me@example.com
register: account_update
- debug: var=account_update
- ansible.builtin.debug: var=account_update
- name: Create certificate order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -102,10 +102,10 @@
- type: dns
value: example.org
register: new_order
- debug: var=new_order
- ansible.builtin.debug: var=new_order
- name: Get order information
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -115,10 +115,10 @@
method: get
select_crypto_backend: "{{ select_crypto_backend }}"
register: order
- debug: var=order
- ansible.builtin.debug: var=order
- name: Get authzs for order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -129,10 +129,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
loop: "{{ order.output_json.authorizations }}"
register: authz
- debug: var=authz
- ansible.builtin.debug: var=authz
- name: Get HTTP-01 challenge for authz
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -143,10 +143,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: http01challenge
loop: "{{ authz.results | map(attribute='output_json') | list }}"
- debug: var=http01challenge
- ansible.builtin.debug: var=http01challenge
- name: Activate HTTP-01 challenge manually
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -158,10 +158,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: activation
loop: "{{ http01challenge.results | map(attribute='output_json') | list }}"
- debug: var=activation
- ansible.builtin.debug: var=activation
- name: Get HTTP-01 challenge results
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -175,4 +175,4 @@
until: "validation_result.output_json.status not in ['pending', 'processing']"
retries: 20
delay: 1
- debug: var=validation_result
- ansible.builtin.debug: var=validation_result

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check directory output
assert:
ansible.builtin.assert:
that:
- directory is not changed
- "'directory' in directory"
@@ -16,7 +16,7 @@
- "'output_json' not in directory"
- name: Check account creation output
assert:
ansible.builtin.assert:
that:
- account_creation is changed
- "'directory' in account_creation"
@@ -30,7 +30,7 @@
- account_creation.output_text | from_json == account_creation.output_json
- name: Check account get output
assert:
ansible.builtin.assert:
that:
- account_get is not changed
- "'directory' in account_get"
@@ -41,7 +41,7 @@
- account_get.output_json == account_creation.output_json
- name: Check account update output
assert:
ansible.builtin.assert:
that:
- account_update is changed
- "'directory' in account_update"
@@ -53,7 +53,7 @@
- account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com']
- name: Check certificate request output
assert:
ansible.builtin.assert:
that:
- new_order is changed
- "'directory' in new_order"
@@ -66,7 +66,7 @@
- "'finalize' in new_order.output_json"
- name: Check get order output
assert:
ansible.builtin.assert:
that:
- order is not changed
- "'directory' in order"
@@ -77,7 +77,7 @@
# - new_order.output_json == order.output_json
- name: Check get authz output
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"
@@ -90,7 +90,7 @@
loop: "{{ authz.results }}"
- name: Check get challenge output
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"
@@ -104,7 +104,7 @@
loop: "{{ http01challenge.results }}"
- name: Check challenge activation output
assert:
ansible.builtin.assert:
that:
- item is changed
- "'directory' in item"
@@ -118,7 +118,7 @@
loop: "{{ activation.results }}"
- name: Check validation result
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"

@@ -9,14 +9,14 @@
####################################################################
- name: Generate CSR for {{ certificate.name }}
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
subject: '{{ certificate.subject }}'
useCommonNameForSAN: false
- name: Generate certificate for {{ certificate.name }}
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
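Review bot: style point on the `community.crypto.openssl_csr` task: `useCommonNameForSAN: false` is the camelCase alias of the option `use_common_name_for_san`. Since this change already rewrites the task header to fix fqcn[action], switching to the snake_case name would match the option naming used by the rest of the collection and avoid depending on the alias; behaviour is unchanged either way.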

@@ -10,25 +10,25 @@
- block:
- name: Create private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
size: '{{ default_rsa_key_size_certificates }}'
loop: '{{ certificates }}'
- name: Generate certificates
include_tasks: create-single-certificate.yml
ansible.builtin.include_tasks: create-single-certificate.yml
loop: '{{ certificates }}'
loop_control:
loop_var: certificate
- name: Read certificates
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
loop: '{{ certificates }}'
register: certificates_read
- name: Store read certificates
set_fact:
ansible.builtin.set_fact:
read_certificates: >-
{{ certificates_read.results | map(attribute='content') | map('b64decode')
| zip(certificates | map(attribute='name'))

@@ -9,7 +9,7 @@
####################################################################
- name: Case A => works
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'
@@ -19,7 +19,7 @@
- name: Case B => doesn't work, but this is expected
failed_when: false
register: caseb
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -27,11 +27,11 @@
- '{{ remote_tmp_dir }}/a-root.pem'
- name: Assert that case B failed
assert:
ansible.builtin.assert:
that: "'Cannot complete chain' in caseb.msg"
- name: Case C => works
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -40,7 +40,7 @@
- '{{ remote_tmp_dir }}/a-root.pem'
- name: Case D => works as well after PR 403
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'

@@ -10,13 +10,13 @@
- block:
- name: Find root for cert 1 using directory
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ fullchain | trim }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert1_root
- name: Verify root for cert 1
assert:
ansible.builtin.assert:
that:
- cert1_root.complete_chain | join('') == (fullchain ~ root)
- cert1_root.root == root
@@ -26,7 +26,7 @@
- block:
- name: Find rootchain for cert 1 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -34,7 +34,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert1_rootchain
- name: Verify rootchain for cert 1
assert:
ansible.builtin.assert:
that:
- cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert1_rootchain.chain[:-1] | join('') == chain
@@ -46,13 +46,13 @@
- block:
- name: Find root for cert 2 using directory
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ fullchain | trim }}"
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert2_root
- name: Verify root for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_root.complete_chain | join('') == (fullchain ~ root)
- cert2_root.root == root
@@ -62,7 +62,7 @@
- block:
- name: Find rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-chain.pem'
@@ -70,7 +70,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain.chain[:-1] | join('') == chain
@@ -82,7 +82,7 @@
- block:
- name: Find alternate rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
@@ -90,7 +90,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain_alt
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain_alt.chain[:-1] | join('') == chain
@@ -102,13 +102,13 @@
- block:
- name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert ~ chain ~ root }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_complete_chain
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_complete_chain.chain == []
@@ -119,7 +119,7 @@
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"
- name: Check failure when no intermediate certificate can be found
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2.pem", rstrip=true) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
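Review bot: style point: this hunk mixes `rstrip=False` in the `root:` lookup with `rstrip=true` in the `input_chain` lookup two lines below. Jinja accepts both, but the lowercase form is what the neighbouring tasks use, so `rstrip=false` would keep the file consistent. The rename to `community.crypto.certificate_complete_chain` is correct.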
@@ -128,13 +128,13 @@
register: cert2_no_intermediate
ignore_errors: true
- name: Verify failure
assert:
ansible.builtin.assert:
that:
- cert2_no_intermediate is failed
- "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"
- name: Check failure when infinite loop is found
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=true) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
@@ -143,7 +143,7 @@
register: cert2_infinite_loop
ignore_errors: true
- name: Verify failure
assert:
ansible.builtin.assert:
that:
- cert2_infinite_loop is failed
- "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"

View File

@@ -16,17 +16,17 @@
state: directory
when: ansible_version.string is version('2.10', '<')
- name: Copy test files to testhost
copy:
ansible.builtin.copy:
src: '{{ role_path }}/files/'
dest: '{{ remote_tmp_dir }}/files/'
- name: Run tests with copied certificates
import_tasks: existing.yml
ansible.builtin.import_tasks: existing.yml
- name: Create more certificates
import_tasks: create.yml
ansible.builtin.import_tasks: create.yml
- name: Run tests with created certificates
import_tasks: created.yml
ansible.builtin.import_tasks: created.yml
when: cryptography_version.stdout is version('1.5', '>=')

@@ -9,19 +9,19 @@
####################################################################
- name: Retrieve information
crypto_info:
community.crypto.crypto_info:
register: result
- name: Display information
debug:
ansible.builtin.debug:
var: result
- name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: local_cryptography_version
- name: Determine complex version-based capabilities
set_fact:
ansible.builtin.set_fact:
supports_ed25519: >-
{{
local_cryptography_version.stdout is version("2.6", ">=")
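Review bot: the `ansible.builtin.command` task that prints `cryptography.__version__` is read-only but has no `changed_when: false`, so it always reports changed and trips ansible-lint's no-changed-when rule; since this commit is about clearing ansible-lint findings, adding `changed_when: false` here (and to the `which openssl` and `openssl version` tasks in the next hunk) would be a cheap follow-up. The fqcn renames themselves are fine.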
@@ -42,7 +42,7 @@
}}
- name: Verify cryptography information
assert:
ansible.builtin.assert:
that:
- result.python_cryptography_installed
- "'python_cryptography_import_error' not in result"
@@ -63,15 +63,15 @@
- result.python_cryptography_capabilities.has_x448 == (local_cryptography_version.stdout is version('2.5', '>='))
- name: Find OpenSSL binary
command: which openssl
ansible.builtin.command: which openssl
register: local_openssl_path
- name: Find OpenSSL version
command: openssl version
ansible.builtin.command: openssl version
register: local_openssl_version_full
- name: Verify OpenSSL information
assert:
ansible.builtin.assert:
that:
- result.openssl_present
- result.openssl.path == local_openssl_path.stdout

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info }}
result_idna: >-
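Review bot: a caveat that deserves a comment on the task: `lookup('file', remote_tmp_dir ~ '/csr_1.csr')` is evaluated on the controller, whereas `remote_tmp_dir` is a path on the target, so this only works because the integration target is the controller itself. The rename to `ansible.builtin.set_fact` is correct.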
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='unicode') }}
- name: "Check whether subject and extensions behaves as expected"
assert:
ansible.builtin.assert:
that:
- result.subject.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
@@ -40,7 +40,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: "Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -57,17 +57,17 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_2.csr') | community.crypto.openssl_csr_info }}
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_3.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -79,12 +79,12 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_4.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
@@ -92,53 +92,53 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.openssl_csr_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.openssl_csr_info input must be a text type, not ")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_csr_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Unable to load (?:request|PEM file)(?:\.|$)")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_csr_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.openssl_csr_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")

@@ -9,23 +9,23 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -94,7 +94,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -103,7 +103,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -121,12 +121,12 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.3', '>=')

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_1.pem') | community.crypto.openssl_privatekey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -21,12 +21,12 @@
- "'private_data' not in result"
- name: Get key 2 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_2.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -41,26 +41,26 @@
- "result.private_data.exponent > 5"
- name: Get key 3 info (without passphrase)
set_fact:
ansible.builtin.set_fact:
result_: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
ignore_errors: true
register: result
- name: Check that loading passphrase protected key without passphrase failed
assert:
ansible.builtin.assert:
that:
- result is failed
- >-
'Wrong or empty passphrase provided for private key' in result.msg
- name: Get key 3 info (with passphrase)
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(passphrase='hunter2', return_private_key_data=true) }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -74,12 +74,12 @@
- "result.private_data.exponent > 5"
- name: Get key 4 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_4.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -94,12 +94,12 @@
- "result.private_data.multiplier > 1024"
- name: Get key 5 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_5.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"

@@ -9,34 +9,34 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (with password)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 4 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
# ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead
- name: Generate privatekey 5 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_5.pem'
type: DSA
size: 1024
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2.3', '>=')
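Review bot: the `community.crypto.openssl_privatekey` renames look right. Two maintenance points in the surrounding context: the CentOS 6 `ternary` branch that swaps in `secp521r1` can be dropped if CentOS 6 is no longer in the test matrix, and the `type: DSA` / `size: 1024` fixture should carry a comment that it exists only to exercise `openssl_privatekey_info` parsing, since a 1024-bit DSA key is not an acceptable choice outside a test.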

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_1.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -19,12 +19,12 @@
- "result.public_data.exponent > 5"
- name: Get key 2 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_2.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -35,12 +35,12 @@
- "result.public_data.exponent > 5"
- name: Get key 3 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_3.pem') | community.crypto.openssl_publickey_info }}
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -52,12 +52,12 @@
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- name: Get key 4 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_4.pem') | community.crypto.openssl_publickey_info }}
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -69,27 +69,27 @@
- "result.public_data.y > 2"
- name: Get invalid key info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.openssl_publickey_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.openssl_publickey_info input must be a text type, not ")
- name: Get invalid key info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_publickey_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- 'output.msg is search("Error while deserializing key: ")'

@@ -9,17 +9,17 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
@@ -27,13 +27,13 @@
select_crypto_backend: cryptography
- name: Generate privatekey 4 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: DSA
size: 1024
- name: Generate public keys
openssl_publickey:
community.crypto.openssl_publickey:
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
path: '{{ remote_tmp_dir }}/publickey_{{ item }}.pem'
loop:
@@ -43,5 +43,5 @@
- 4
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2.3', '>=')

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test parse_serial filter
assert:
ansible.builtin.assert:
that:
- >-
'0' | community.crypto.parse_serial == 0
@@ -22,35 +22,35 @@
'1:2:3' | community.crypto.parse_serial == 66051
- name: "Test error 1: empty string"
debug:
ansible.builtin.debug:
msg: >-
{{ '' | community.crypto.parse_serial }}
ignore_errors: true
register: error_1
- name: "Test error 2: invalid type"
debug:
ansible.builtin.debug:
msg: >-
{{ [] | community.crypto.parse_serial }}
ignore_errors: true
register: error_2
- name: "Test error 3: invalid values (range)"
debug:
ansible.builtin.debug:
msg: >-
{{ '100' | community.crypto.parse_serial }}
ignore_errors: true
register: error_3
- name: "Test error 4: invalid values (digits)"
debug:
ansible.builtin.debug:
msg: >-
{{ 'abcdefg' | community.crypto.parse_serial }}
ignore_errors: true
register: error_4
- name: Validate errors
assert:
ansible.builtin.assert:
that:
- >-
error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg

View File

@@ -9,7 +9,7 @@
####################################################################
- name: Run tests that raise no errors
assert:
ansible.builtin.assert:
that:
- >-
'' | community.crypto.split_pem == []
@@ -49,13 +49,13 @@
AAb=
- name: Invalid input
debug:
ansible.builtin.debug:
msg: "{{ [] | community.crypto.split_pem }}"
ignore_errors: true
register: output
- name: Validate error
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.split_pem input must be a text type, not ")

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test to_serial filter
assert:
ansible.builtin.assert:
that:
- 0 | community.crypto.to_serial == '00'
- 1 | community.crypto.to_serial == '01'
@@ -13,21 +13,21 @@
- 65536 | community.crypto.to_serial == '01:00:00'
- name: "Test error 1: negative number"
debug:
ansible.builtin.debug:
msg: >-
{{ (-1) | community.crypto.to_serial }}
ignore_errors: true
register: error_1
- name: "Test error 2: invalid type"
debug:
ansible.builtin.debug:
msg: >-
{{ [] | community.crypto.to_serial }}
ignore_errors: true
register: error_2
- name: Validate error
assert:
ansible.builtin.assert:
that:
- >-
error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info }}
result_idna: >-
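Review bot: the `result:` expression uses `lookup('file', remote_tmp_dir ~ '/cert_1.pem')`, and lookups run on the controller while `remote_tmp_dir` is a path on the managed host, so this only works because the integration tests run with the controller as the target; a short comment, or `ansible.builtin.slurp` on the target as the x509_crl_info test does for its DER file, would make that assumption explicit.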
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info(name_encoding='unicode') }}
- name: Check whether issuer and subject and extensions behave as expected
assert:
ansible.builtin.assert:
that:
- result.issuer.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered"
@@ -72,7 +72,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -89,17 +89,17 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_2.pem') | community.crypto.x509_certificate_info }}
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_3.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -111,12 +111,12 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_4.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
@@ -124,11 +124,11 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info for packaged cert 1
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', role_path ~ '/../x509_certificate_info/files/cert1.pem') | community.crypto.x509_certificate_info }}
- name: Check extensions
assert:
ansible.builtin.assert:
that:
- "'ocsp_uri' in result"
- "result.ocsp_uri == 'http://ocsp.foobarbaz.example.com'"
@@ -165,59 +165,59 @@
- result.extensions_by_oid['2.5.29.37'].critical == false
- result.extensions_by_oid['2.5.29.37'].value == 'MBQGCCsGAQUFBwMBBggrBgEFBQcDAg=='
- name: Check fingerprints
assert:
ansible.builtin.assert:
that:
- (result.fingerprints.sha256 == '08:26:60:3d:29:11:f2:88:09:3f:40:71:bb:67:cb:59:9c:6e:cf:e0:49:22:ab:e8:60:bd:f6:9a:01:e3:0e:2c' if result.fingerprints.sha256 is defined else true)
- (result.fingerprints.sha1 == '5a:32:7f:22:61:f3:2e:ad:a7:d8:77:07:1c:7f:08:cd:ab:7f:bc:11' if result.fingerprints.sha1 is defined else true)
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.x509_certificate_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.x509_certificate_info input must be a text type, not ")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_certificate_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Unable to load (?:certificate|PEM file)(?:\.|$)")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_certificate_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_certificate_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")

View File

@@ -9,24 +9,24 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size_certificates }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size_certificates }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -97,7 +97,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -106,7 +106,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -124,14 +124,14 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Generate selfsigned certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
@@ -146,5 +146,5 @@
- 4
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.6', '>=')

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create CRL 1
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -23,17 +23,17 @@
revocation_date: 20191001000000Z
- name: Retrieve CRL 1 infos
set_fact:
ansible.builtin.set_fact:
crl_1_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | community.crypto.x509_crl_info }}
- name: Retrieve CRL 1 infos
set_fact:
ansible.builtin.set_fact:
crl_1_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | b64encode | community.crypto.x509_crl_info }}
- name: Validate CRL 1 info
assert:
ansible.builtin.assert:
that:
- crl_1_info_1.format == 'pem'
- crl_1_info_1.digest == 'ecdsa-with-SHA256'
@@ -70,7 +70,7 @@
- crl_1_info_1 == crl_1_info_2
- name: Recreate CRL 1 as DER file
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
@@ -90,7 +90,7 @@
revocation_date: 20191001000000Z
- name: Read ca-crl1.crl
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/ca-crl1.crl"
register: content
@@ -102,19 +102,19 @@
when: ansible_version.string is version('2.11', '>=') or ansible_python.version.major > 2
- name: Retrieve CRL 1 infos from DER (Base64 encoded)
set_fact:
ansible.builtin.set_fact:
crl_1_info_5: >-
{{ content.content | community.crypto.x509_crl_info }}
- name: Validate CRL 1
assert:
ansible.builtin.assert:
that:
- crl_1_info_4 is not defined or crl_1_info_4.format == 'der'
- crl_1_info_5.format == 'der'
- crl_1_info_4 is not defined or crl_1_info_4 == crl_1_info_5
- name: Create CRL 2
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
@@ -135,12 +135,12 @@
register: crl_2_change
- name: Retrieve CRL 2 infos
set_fact:
ansible.builtin.set_fact:
crl_2_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Create CRL 2 (changed order)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
@@ -161,12 +161,12 @@
register: crl_2_change_order
- name: Retrieve CRL 2 infos again
set_fact:
ansible.builtin.set_fact:
crl_2_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Validate CRL 2 info
assert:
ansible.builtin.assert:
that:
- "'revoked_certificates' not in crl_2_info_1"
- >
@@ -185,7 +185,7 @@
]
- name: Create CRL 3
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -215,7 +215,7 @@
register: crl_3
- name: Create CRL 3 (IDNA encoding)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -240,7 +240,7 @@
register: crl_3_idna
- name: Create CRL 3 (Unicode encoding)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -265,7 +265,7 @@
register: crl_3_unicode
- name: Retrieve CRL 3 infos
set_fact:
ansible.builtin.set_fact:
crl_3_info: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true) }}
crl_3_info_idna: >-
@@ -274,73 +274,73 @@
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true, name_encoding='unicode') }}
- name: Validate CRL 3 info
assert:
ansible.builtin.assert:
that:
- crl_3.revoked_certificates == crl_3_info.revoked_certificates
- crl_3_idna.revoked_certificates == crl_3_info_idna.revoked_certificates
- crl_3_unicode.revoked_certificates == crl_3_info_unicode.revoked_certificates
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.x509_crl_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.x509_crl_info input must be a text type, not ")
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_crl_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Error while decoding CRL")
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_crl_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_crl_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")
- name: Get invalid list_revoked_certificates parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_crl_info(list_revoked_certificates=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The list_revoked_certificates option must be a boolean, not ")

View File

@@ -9,11 +9,11 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- set_fact:
- ansible.builtin.set_fact:
certificates:
- name: ca
subject:
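Review bot: the bare `- ansible.builtin.set_fact:` task here has no `name:`, so ansible-lint will flag it under `name[missing]` right after the FQCN fix (the same applies to the unnamed `set_fact`, `assert`, `debug`, `include_tasks`, `command` and `file` tasks in the get_certificate and luks_device files below); naming them while these lines are already being touched avoids a second churn commit.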
@@ -39,14 +39,14 @@
- DNS:b64.ansible.com
- name: Generate private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
type: ECC
curve: secp256r1
loop: "{{ certificates }}"
- name: Generate CSRs
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
subject: "{{ item.subject | default(omit) }}"
@@ -56,7 +56,7 @@
loop: "{{ certificates }}"
- name: Generate CA certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
@@ -65,7 +65,7 @@
when: item.is_ca | default(false)
- name: Generate other certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
provider: ownca
@@ -75,7 +75,7 @@
when: not (item.is_ca | default(false))
- name: Get certificate infos
x509_certificate_info:
community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/{{ item }}.pem'
loop:
- cert-1
@@ -86,6 +86,6 @@
- block:
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2', '>=')

View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
skip_tests: false
has_get_certificate_chain: >-
{{ ansible_facts.python_version is version('3.10.0', '>=') }}
@@ -16,14 +16,14 @@
- block:
- name: Get servers certificate with backend auto-detection
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}"
ignore_errors: true
register: result
- set_fact:
- ansible.builtin.set_fact:
skip_tests: |
{{
result is failed and (
@@ -33,7 +33,7 @@
)
}}
- assert:
- ansible.builtin.assert:
that:
- result is success or skip_tests
@@ -41,7 +41,7 @@
- block:
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography

View File

@@ -4,16 +4,16 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get servers certificate for SNI test part 1
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
server_name: "{{ sni_host }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -22,16 +22,16 @@
- "'{{ sni_host }}' == result.subject.CN"
- name: Get servers certificate for SNI test part 2
get_certificate:
community.crypto.get_certificate:
host: "{{ sni_host }}"
port: 443
server_name: "{{ httpbin_host }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -40,16 +40,16 @@
- "'{{ httpbin_host }}' == result.subject.CN"
- name: Get servers certificate
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
select_crypto_backend: "{{ select_crypto_backend }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -58,7 +58,7 @@
- "'North Carolina' == result.subject.ST"
- name: Connect to http port (will fail because there is no SSL cert to get)
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 80
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -66,7 +66,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -78,7 +78,7 @@
or 'record layer failure' in result.msg
- name: Test timeout option
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 1234
timeout: 1
@@ -87,7 +87,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -95,7 +95,7 @@
- "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"
- name: Test failure if ca_cert is not a valid file
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
ca_cert: dn.e
@@ -104,7 +104,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -112,12 +112,12 @@
- "'ca_cert file does not exist' == result.msg"
- name: Download CA Cert as pem from server
get_url:
ansible.builtin.get_url:
url: "http://ansible.http.tests/cacert.pem"
dest: "{{ remote_tmp_dir }}/temp.pem"
- name: Get servers certificate comparing it to its own ca_cert file
get_certificate:
community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/temp.pem'
host: "{{ httpbin_host }}"
port: 443
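Review bot: the `get_url` task fetches the trust anchor `cacert.pem` over plain `http://ansible.http.tests/cacert.pem`, and the next task then validates the server with `ca_cert: '{{ remote_tmp_dir }}/temp.pem'`, so an on-path attacker in the CI network could substitute the CA and the verification would still pass; inside the test harness this is acceptable, but a comment saying the fixture server is trusted, or a `checksum:` on the `get_url` task, would keep the pattern from being copied into production playbooks.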
@@ -126,19 +126,19 @@
get_certificate_chain: "{{ has_get_certificate_chain }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is not failed
- name: Read CA cert
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/temp.pem'
register: cacert
when: has_get_certificate_chain
- name: Validate get_certificate_chain=true results
assert:
ansible.builtin.assert:
that:
- result.verified_chain is sequence
- result.unverified_chain is sequence
@@ -149,20 +149,20 @@
when: has_get_certificate_chain
- name: Validate get_certificate_chain=false results
assert:
ansible.builtin.assert:
that:
- result.verified_chain is undefined
- result.unverified_chain is undefined
when: not has_get_certificate_chain
- name: Generate bogus CA privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/bogus_ca.key'
type: ECC
curve: secp256r1
- name: Generate bogus CA CSR
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
subject:
@@ -173,7 +173,7 @@
basic_constraints_critical: true
- name: Generate selfsigned bogus CA certificate
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/bogus_ca.pem'
csr_path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
@@ -181,7 +181,7 @@
selfsigned_digest: sha256
- name: Get servers certificate comparing it to an invalid ca_cert file
get_certificate:
community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/bogus_ca.pem'
host: "{{ httpbin_host }}"
port: 443
@@ -190,7 +190,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed

View File

@@ -9,7 +9,7 @@
####################################################################
- name: Copy keyfiles
copy:
ansible.builtin.copy:
src: '{{ item }}'
dest: '{{ remote_tmp_dir }}/{{ item }}'
loop:
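Review bot: the `copy` task places `keyfile1` and `keyfile2` into `{{ remote_tmp_dir }}` without a `mode:`, so the LUKS key material gets whatever the remote umask yields (typically 0644); add `mode: '0600'` so the keyfiles that `luks_device` uses later in the run are not world-readable on the test host.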
@@ -17,7 +17,7 @@
- keyfile2
- name: Include OS-specific variables
include_vars: '{{ lookup("first_found", search) }}'
ansible.builtin.include_vars: '{{ lookup("first_found", search) }}'
vars:
search:
files:
@@ -30,62 +30,62 @@
- vars
- name: Make sure cryptsetup is installed
package:
ansible.builtin.package:
name: '{{ cryptsetup_package }}'
state: present
become: true
- name: Install additionally required packages
package:
ansible.builtin.package:
name: '{{ luks_extra_packages }}'
state: present
become: true
when: luks_extra_packages | length > 0
- name: Determine cryptsetup version
command: cryptsetup --version
ansible.builtin.command: cryptsetup --version
register: cryptsetup_version
- name: Extract cryptsetup version
set_fact:
ansible.builtin.set_fact:
cryptsetup_version: >-
{{ cryptsetup_version.stdout_lines[0] | regex_search('cryptsetup ([0-9]+\.[0-9]+\.[0-9]+)') | split | last }}
- name: Create cryptfile
command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
ansible.builtin.command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
- name: Figure out next loopback device
command: losetup -f
ansible.builtin.command: losetup -f
become: true
register: cryptfile_device_output
- name: Create lookback device
command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
ansible.builtin.command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
become: true
- name: Store some common data for tests
set_fact:
ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[0] }}"
cryptfile_passphrase1: "uNiJ9vKG2mUOEWDiQVuBHJlfMHE"
cryptfile_passphrase2: "HW4Ak2HtE2vvne0qjJMPTtmbV4M"
cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM"
- block:
- include_tasks: run-test.yml
- ansible.builtin.include_tasks: run-test.yml
with_fileglob:
- "tests/*.yml"
always:
- name: Make sure LUKS device is gone
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
ignore_errors: true
- command: losetup -d "{{ cryptfile_device }}"
- ansible.builtin.command: losetup -d "{{ cryptfile_device }}"
become: true
- file:
- ansible.builtin.file:
dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile"
state: absent
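Review bot: the two `losetup` tasks are racy: `losetup -f` reports the next free loop device and a separate `losetup -f <cryptfile>` then attaches to whatever is free at that moment, so if anything else on the host (another job, udev) grabs a device in between, `cryptfile_device` points at the wrong block device and the `luks_device` tasks, which run with `become: true`, will format it; replacing both with a single `losetup --show -f {{ ... }}/cryptfile` and registering its stdout attaches and reports the device actually used.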

View File

@@ -4,9 +4,9 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Make sure LUKS device is gone
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
- name: "Loading tasks from {{ item }}"
include_tasks: "{{ item }}"
ansible.builtin.include_tasks: "{{ item }}"

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -14,7 +14,7 @@
become: true
register: create_check
- name: Create
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -23,7 +23,7 @@
become: true
register: create
- name: Create (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -32,7 +32,7 @@
become: true
register: create_idem
- name: Create (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -41,7 +41,7 @@
check_mode: true
become: true
register: create_idem_check
- assert:
- ansible.builtin.assert:
that:
- create_check is changed
- create is changed
@@ -49,7 +49,7 @@
- create_idem_check is not changed
- name: Open (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -57,28 +57,28 @@
become: true
register: open_check
- name: Open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
register: open
- name: Open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
register: open_idem
- name: Open (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
check_mode: true
become: true
register: open_idem_check
- assert:
- ansible.builtin.assert:
that:
- open_check is changed
- open is changed
@@ -86,32 +86,32 @@
- open_idem_check is not changed
- name: Closed (via name, check)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
check_mode: true
become: true
register: close_check
- name: Closed (via name)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
become: true
register: close
- name: Closed (via name, idempotent)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
become: true
register: close_idem
- name: Closed (via name, idempotent, check)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
check_mode: true
become: true
register: close_idem_check
- assert:
- ansible.builtin.assert:
that:
- close_check is changed
- close is changed
@@ -119,39 +119,39 @@
- close_idem_check is not changed
- name: Re-open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
- name: Closed (via device, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
check_mode: true
become: true
register: close_check
- name: Closed (via device)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
register: close
- name: Closed (via device, idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
register: close_idem
- name: Closed (via device, idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
check_mode: true
become: true
register: close_idem_check
- assert:
- ansible.builtin.assert:
that:
- close_check is changed
- close is changed
@@ -159,39 +159,39 @@
- close_idem_check is not changed
- name: Re-opened
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
- name: Absent (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
check_mode: true
become: true
register: absent_check
- name: Absent
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
register: absent
- name: Absent (idempotence)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
register: absent_idem
- name: Absent (idempotence, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
check_mode: true
become: true
register: absent_idem_check
- assert:
- ansible.builtin.assert:
that:
- absent_check is changed
- absent is changed

View File

@@ -4,11 +4,11 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Fix name
set_fact:
ansible.builtin.set_fact:
cryptname: "crypt{{ '%0x' % ((2**32) | random) }}"
- name: Create
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: present
@@ -18,7 +18,7 @@
become: true
register: create
- name: Open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: opened
@@ -26,7 +26,7 @@
become: true
register: open
- name: Open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: opened
@@ -34,25 +34,25 @@
become: true
register: open_idem
- name: Closed (via name)
luks_device:
community.crypto.luks_device:
name: "{{ cryptname }}"
state: closed
become: true
register: close
- name: Closed (via name, idempotent)
luks_device:
community.crypto.luks_device:
name: "{{ cryptname }}"
state: closed
become: true
register: close_idem
- name: Absent
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: absent
become: true
register: absent
- assert:
- ansible.builtin.assert:
that:
- create is changed
- open is changed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with invalid device name (check)
luks_device:
community.crypto.luks_device:
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_check
- name: Create with invalid device name
luks_device:
community.crypto.luks_device:
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -24,7 +24,7 @@
ignore_errors: true
become: true
register: create
- assert:
- ansible.builtin.assert:
that:
- create_check is failed
- create is failed
@@ -32,7 +32,7 @@
- "'o such file or directory' in create.msg"
- name: Create with something which is not a device (check)
luks_device:
community.crypto.luks_device:
device: /tmp/
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -43,7 +43,7 @@
become: true
register: create_check
- name: Create with something which is not a device
luks_device:
community.crypto.luks_device:
device: /tmp/
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
ignore_errors: true
become: true
register: create
- assert:
- ansible.builtin.assert:
that:
- create_check is failed
- create is failed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,36 +15,36 @@
# Access: keyfile1
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -55,7 +55,7 @@
register: result_1
- name: Give access to keyfile2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -63,7 +63,7 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
@@ -71,28 +71,28 @@
# Access: keyfile1 and keyfile2
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
- name: Remove access from keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
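Review bot: the "Dump LUKS header" task in the middle of this hunk runs `cryptsetup luksDump` without a `register:`, so its output is only visible in verbose runs and nothing asserts on it; either register it and check the expected key slots (as the keyslot test file does with `luks_header_slot4`) or drop the task, since it otherwise only costs a privileged command per run. The same applies to the later dump in this file.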
@@ -101,7 +101,7 @@
register: result_1
- name: Remove access from keyfile1 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -109,7 +109,7 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
@@ -117,40 +117,40 @@
# Access: keyfile2
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
- name: Remove access from keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -158,7 +158,7 @@
become: true
ignore_errors: true
register: remove_last_key
- assert:
- ansible.builtin.assert:
that:
- remove_last_key is failed
- "'force_remove_last_key' in remove_last_key.msg"
@@ -166,24 +166,24 @@
# Access: keyfile2
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Remove access from keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -194,13 +194,13 @@
# Access: none
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
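Review bot: the task name "Create with keyfile3" and the variable `keyfile3` are misleading here, since the value is passed as `passphrase:` rather than `keyfile:`; renaming the variable (for example to a `cryptfile_passphrase`-style name like the other passphrase variables in this suite) would make the keyfile-versus-passphrase distinction in these tests readable at a glance.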
@@ -21,7 +21,7 @@
register: create_passphrase_1
- name: Create with keyfile3 (without argon2i)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -32,7 +32,7 @@
when: create_passphrase_1 is failed
- name: Open with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ keyfile3 }}"
@@ -40,29 +40,29 @@
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -73,7 +73,7 @@
become: true
- name: Remove access for keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ keyfile3 }}"
@@ -81,25 +81,25 @@
become: true
- name: Try to open with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ keyfile3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create luks with keyslot 4 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_luks_slot4_check
- name: Create luks with keyslot 4
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -25,7 +25,7 @@
become: true
register: create_luks_slot4
- name: Create luks with keyslot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -35,7 +35,7 @@
become: true
register: create_luks_slot4_idem
- name: Create luks with keyslot 4 (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -46,10 +46,10 @@
become: true
register: create_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4
- assert:
- ansible.builtin.assert:
that:
- create_luks_slot4_check is changed
- create_luks_slot4 is changed
@@ -58,7 +58,7 @@
- "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
- name: Add key in slot 2 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -70,7 +70,7 @@
become: true
register: add_luks_slot2_check
- name: Add key in slot 2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -81,7 +81,7 @@
become: true
register: add_luks_slot2
- name: Add key in slot 2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -92,7 +92,7 @@
become: true
register: add_luks_slot2_idem
- name: Add key in slot 2 (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -104,10 +104,10 @@
become: true
register: add_luks_slot2_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot2
- assert:
- ansible.builtin.assert:
that:
- add_luks_slot2_check is changed
- add_luks_slot2 is changed
@@ -116,27 +116,27 @@
- "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
- name: Check remove slot 4 without key
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
ignore_errors: true
become: true
register: kill_slot4_nokey
- name: Check remove slot 4 with slot 4 key
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
keyfile: "{{ remote_tmp_dir }}/keyfile1"
ignore_errors: true
become: true
register: kill_slot4_key_slot4
- assert:
- ansible.builtin.assert:
that:
- kill_slot4_nokey is failed
- kill_slot4_key_slot4 is failed
- name: Remove key in slot 4 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
@@ -144,21 +144,21 @@
become: true
register: kill_luks_slot4_check
- name: Remove key in slot 4
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4
- name: Remove key in slot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4_idem
- name: Remove key in slot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
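Review bot: the last task in this hunk is named "Remove key in slot 4 (idempotent)", the same as the task just above it, while it registers `kill_luks_slot4_idem_check`; rename it to "Remove key in slot 4 (idempotent, check)" so it matches the `*_check` naming used elsewhere in this file and the two tasks can be told apart in the play output.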
@@ -166,10 +166,10 @@
become: true
register: kill_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4_removed
- assert:
- ansible.builtin.assert:
that:
- kill_luks_slot4_check is changed
- kill_luks_slot4 is changed
@@ -178,7 +178,7 @@
- "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
- name: Add key in slot 0
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile2"
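Review bot: minor style point on the assertion context line `not '4: luks' in luks_header_slot4_removed.stdout`: the idiomatic Jinja form is `'4: luks' not in luks_header_slot4_removed.stdout`, which also mirrors the `'Key Slot 4: DISABLED' in ...` half of the same expression. Unchanged context, so optional for this PR.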
@@ -189,17 +189,17 @@
become: true
register: add_luks_slot0
- name: Remove key in slot 0
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 0
become: true
register: kill_luks_slot0
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot0_removed
- assert:
- ansible.builtin.assert:
that:
- add_luks_slot0 is changed
- kill_luks_slot0 is changed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create new luks
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -12,7 +12,7 @@
iteration_time: 0.1
become: true
- name: Add new keyslot with same keyfile (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
new_keyslot: 1
@@ -23,7 +23,7 @@
check_mode: true
register: keyslot_duplicate_check
- name: Add new keyslot with same keyfile
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
new_keyslot: 1
@@ -32,7 +32,7 @@
become: true
ignore_errors: true
register: keyslot_duplicate
- assert:
- ansible.builtin.assert:
that:
- keyslot_duplicate_check is failed
- "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg"

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check invalid slot (luks1, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks1
@@ -16,7 +16,7 @@
become: true
register: create_luks1_slot8
- name: Check invalid slot (luks2, 32)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
@@ -28,7 +28,7 @@
become: true
register: create_luks2_slot32
- name: Check invalid slot (no luks type, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -38,14 +38,14 @@
ignore_errors: true
become: true
register: create_luks_slot8
- assert:
- ansible.builtin.assert:
that:
- create_luks1_slot8 is failed
- create_luks2_slot32 is failed
- create_luks_slot8 is failed
- name: Check valid slot (luks2, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
@@ -57,12 +57,12 @@
ignore_errors: true
register: create_luks2_slot8
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
ansible.builtin.assert:
that:
- "'Unknown option --type' in create_luks2_slot8.msg"
when: create_luks2_slot8 is failed
- name: Check add valid slot (no luks type, 10)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -73,7 +73,7 @@
become: true
register: create_luks_slot10
when: create_luks2_slot8 is changed
- assert:
- ansible.builtin.assert:
that:
- create_luks_slot10 is changed
when: create_luks2_slot8 is changed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keysize
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_with_keysize
- name: Create with keysize (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -26,7 +26,7 @@
become: true
register: create_idem_with_keysize
- name: Create with different keysize (idempotent since we do not update keysize)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true
register: create_idem_with_diff_keysize
- name: Create with ambiguous arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -49,7 +49,7 @@
become: true
register: create_with_ambiguous
- assert:
- ansible.builtin.assert:
that:
- create_with_keysize is changed
- create_idem_with_keysize is not changed

View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -20,13 +20,13 @@
register: create_passphrase_1
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
ansible.builtin.assert:
that:
- "'Unknown option --type' in create_passphrase_1.msg"
when: create_passphrase_1 is failed
- name: Create with passphrase1 (without argon2i)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -36,7 +36,7 @@
when: create_passphrase_1 is failed
- name: Open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
# Encode passphrase with Base64 to test passphrase_encoding
@@ -45,17 +45,17 @@
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Give access with ambiguous new_ arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -66,24 +66,24 @@
become: true
ignore_errors: true
register: new_try
- assert:
- ansible.builtin.assert:
that:
- new_try is failed
- name: Try to open with passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase2 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -94,7 +94,7 @@
register: result_1
- name: Give access to passphrase2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -102,42 +102,42 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
- name: Open with passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase2 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to keyfile1 from passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -147,7 +147,7 @@
become: true
- name: Remove access with ambiguous remove_ arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -155,29 +155,29 @@
become: true
ignore_errors: true
register: remove_try
- assert:
- ansible.builtin.assert:
that:
- remove_try is failed
- name: Open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Remove access for passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}"
@@ -185,44 +185,44 @@
register: result_1
- name: Remove access for passphrase1 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}"
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
- name: Try to open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Try to open with passphrase3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase3 from keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -232,18 +232,18 @@
become: true
- name: Open with passphrase3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true

View File

@@ -6,7 +6,7 @@
- name: On kernel >= 5.9 use performance flags
block:
- name: Create and open (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -22,7 +22,7 @@
become: true
register: create_open_check
- name: Create and open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true
register: create_open
- name: Create and open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
become: true
register: create_open_idem
- name: Create and open (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -67,7 +67,7 @@
check_mode: true
become: true
register: create_open_idem_check
- assert:
- ansible.builtin.assert:
that:
- create_open_check is changed
- create_open is changed
@@ -75,10 +75,10 @@
- create_open_idem_check is not changed
- name: Dump LUKS Header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header
- assert:
- ansible.builtin.assert:
that:
- "'no-read-workqueue' in luks_header.stdout"
- "'no-write-workqueue' in luks_header.stdout"
@@ -87,10 +87,10 @@
- "'allow-discards' in luks_header.stdout"
- name: Dump device mapper table
command: "dmsetup table {{ create_open.name }}"
ansible.builtin.command: "dmsetup table {{ create_open.name }}"
become: true
register: dm_table
- assert:
- ansible.builtin.assert:
that:
- "'no_read_workqueue' in dm_table.stdout"
- "'no_write_workqueue' in dm_table.stdout"
@@ -99,7 +99,7 @@
- "'allow_discards' in dm_table.stdout"
- name: Closed and Removed
luks_device:
community.crypto.luks_device:
name: "{{ cryptfile_device }}"
state: absent
become: true
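Review bot: the "Closed and Removed" task passes the underlying device path as `name: "{{ cryptfile_device }}"`, whereas the other `state: absent` tasks in this suite pass `device:` (plus the mapper `name:`); unless relying on the module resolving a device path given as a name is intentional, use `device: "{{ cryptfile_device }}"` here so the cleanup does not depend on that behaviour.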

View File

@@ -9,39 +9,39 @@
####################################################################
- name: Declare global variables
set_fact:
ansible.builtin.set_fact:
signing_key: '{{ remote_tmp_dir }}/id_key'
public_key: '{{ remote_tmp_dir }}/id_key.pub'
certificate_path: '{{ remote_tmp_dir }}/id_cert'
- name: Generate keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ signing_key }}"
type: rsa
size: 1024
- block:
- name: Import idempotency tests
import_tasks: ../tests/idempotency.yml
ansible.builtin.import_tasks: ../tests/idempotency.yml
- name: Import key_idempotency tests
import_tasks: ../tests/key_idempotency.yml
ansible.builtin.import_tasks: ../tests/key_idempotency.yml
- name: Import options tests
import_tasks: ../tests/options_idempotency.yml
ansible.builtin.import_tasks: ../tests/options_idempotency.yml
- name: Import regenerate tests
import_tasks: ../tests/regenerate.yml
ansible.builtin.import_tasks: ../tests/regenerate.yml
- name: Import remove tests
import_tasks: ../tests/remove.yml
ansible.builtin.import_tasks: ../tests/remove.yml
when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6")
- name: Import ssh-agent tests
import_tasks: ../tests/ssh-agent.yml
ansible.builtin.import_tasks: ../tests/ssh-agent.yml
when: openssh_version is version("7.6",">=")
- name: Remove keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ signing_key }}"
state: absent
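Review bot: out of scope for the FQCN change, but the test signing key is generated with `type: rsa` and `size: 1024`, which is below the 2048-bit RSA minimum that current system crypto policies (RHEL 9 DEFAULT, for instance) enforce; on such hosts the key generation or the `ssh-keygen` signing that follows can fail. Consider `size: 2048` or an `ed25519` key for the fixture.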

View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate cert - force option (check_mode)
force: true
@@ -253,7 +253,7 @@
changed: true
- name: Execute idempotency tests
openssh_cert:
community.crypto.openssh_cert:
force: "{{ test_case.force | default(omit) }}"
identifier: "{{ test_case.identifier | default(omit) }}"
options: "{{ test_case.options | default(omit) }}"
@@ -275,7 +275,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ idempotency_test_output.results }}"
@@ -284,6 +284,6 @@
loop_var: result
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent

View File

@@ -8,16 +8,16 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
new_signing_key: "{{ remote_tmp_dir }}/new_key"
new_public_key: "{{ remote_tmp_dir }}/new_key.pub"
- name: Generate new test key
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ new_signing_key }}"
- name: Generate cert with original keys
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -27,7 +27,7 @@
- block:
- name: Generate cert with updated signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -38,12 +38,12 @@
register: updated_signature_algorithm
- name: Assert signature algorithm update causes change
assert:
ansible.builtin.assert:
that:
- updated_signature_algorithm is changed
- name: Generate cert with updated signature algorithm (idempotent)
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -54,13 +54,13 @@
register: updated_signature_algorithm_idempotent
- name: Assert signature algorithm update is idempotent
assert:
ansible.builtin.assert:
that:
- updated_signature_algorithm_idempotent is not changed
- block:
- name: Generate cert with original signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -71,7 +71,7 @@
register: second_signature_algorithm
- name: Assert second signature algorithm update causes change
assert:
ansible.builtin.assert:
that:
- second_signature_algorithm is changed
# RHEL9, Fedora 41 and Rocky 9 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error.
@@ -81,7 +81,7 @@
- not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41)
- name: Omit signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -91,12 +91,12 @@
register: omitted_signature_algorithm
- name: Assert omitted_signature_algorithm does not cause change
assert:
ansible.builtin.assert:
that:
- omitted_signature_algorithm is not changed
- name: Revert to original certificate
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -107,7 +107,7 @@
when: openssh_version is version("7.3", ">=")
- name: Generate cert with new signing key
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: new_signing_key_output
- name: Generate cert with new public key
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}"
@@ -127,7 +127,7 @@
register: new_public_key_output
- name: Generate cert with new signing key - full idempotency
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -138,7 +138,7 @@
register: new_signing_key_full_idempotency_output
- name: Generate cert with new pubic key - full idempotency
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}"
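Review bot: typo in the task name "Generate cert with new pubic key - full idempotency"; it should read "new public key", matching the sibling task "Generate cert with new public key".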
@@ -149,7 +149,7 @@
register: new_public_key_full_idempotency_output
- name: Assert changes to public key or signing key results in no change unless idempotency=full
assert:
ansible.builtin.assert:
that:
- new_signing_key_output is not changed
- new_public_key_output is not changed
@@ -157,11 +157,11 @@
- new_public_key_full_idempotency_output is changed
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent
- name: Remove new keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ new_signing_key }}"
state: absent

View File

@@ -9,7 +9,7 @@
####################################################################
- name: Generate cert with no options
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -22,7 +22,7 @@
register: no_options
- name: Generate cert with no options with explicit directives
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -39,7 +39,7 @@
register: no_options_explicit_directives
- name: Generate cert with explicit extension
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -53,7 +53,7 @@
register: explicit_extension_before
- name: Generate cert with explicit extension (idempotency)
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -67,7 +67,7 @@
register: explicit_extension_after
- name: Generate cert with explicit extension and corresponding directive
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -81,7 +81,7 @@
register: explicit_extension_and_directive
- name: Generate cert with default options
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -92,7 +92,7 @@
register: default_options
- name: Generate cert with relative timestamp
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -104,7 +104,7 @@
register: relative_timestamp
- name: Generate cert with ignore_timestamp true
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: relative_timestamp_true
- name: Generate cert with ignore_timestamp false
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -130,7 +130,7 @@
register: relative_timestamp_false
- name: Generate cert with ignore_timestamp true
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -143,7 +143,7 @@
register: relative_timestamp_invalid_at
- name: Generate host cert full_idempotence
openssh_cert:
community.crypto.openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -153,7 +153,7 @@
regenerate: full_idempotence
- name: Generate host cert full_idempotence again
openssh_cert:
community.crypto.openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -164,7 +164,7 @@
register: host_cert_full_idempotence
- name: Assert options results
assert:
ansible.builtin.assert:
that:
- no_options is changed
- no_options_explicit_directives is not changed
@@ -179,6 +179,6 @@
- host_cert_full_idempotence is not changed
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent

View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate certificate
type: user
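Review bot: the `ansible.builtin.set_fact:` task at the top of this hunk still has no `name:`, so ansible-lint's `name[missing]` rule will flag it just as `fqcn[action-core]` did; since the line is being touched anyway, give it one, e.g. `- name: Define regenerate test cases` with `ansible.builtin.set_fact:` indented beneath it, so the `test_cases` list it builds is identifiable in play output.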
@@ -104,7 +104,7 @@
changed: true
- name: Execute regenerate tests
openssh_cert:
community.crypto.openssh_cert:
force: "{{ test_case.force | default(omit) }}"
options: "{{ test_case.options | default(omit) }}"
path: "{{ test_case.path | default(omit) }}"
@@ -126,7 +126,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ regenerate_tests_output.results }}"
@@ -135,6 +135,6 @@
loop_var: result
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent

View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate certificate
type: user
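Review bot: same point as the regenerate fixture: `- ansible.builtin.set_fact:` defining `test_cases` for the remove tests is unnamed and will still fail `name[missing]`; a `- name: Define remove test cases` line above it fixes that while the task is being edited.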
@@ -38,7 +38,7 @@
changed: false
- name: Execute remove tests
openssh_cert:
community.crypto.openssh_cert:
options: "{{ test_case.options | default(omit) }}"
path: "{{ test_case.path | default(omit) }}"
public_key: "{{ test_case.public_key | default(omit) }}"
@@ -57,7 +57,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ remove_test_output.results }}"

View File

@@ -14,7 +14,7 @@
block:
- name: Generate always valid cert using agent without key in agent (should fail)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -26,16 +26,16 @@
ignore_errors: true
- name: Make sure cert creation with agent fails if key not in agent
assert:
ansible.builtin.assert:
that:
- rc_no_key_in_agent is failed
- "'agent contains no identities' in rc_no_key_in_agent.msg or 'not found in agent' in rc_no_key_in_agent.msg"
- name: Add key to agent
command: 'ssh-add {{ signing_key }}'
ansible.builtin.command: 'ssh-add {{ signing_key }}'
- name: Generate always valid cert with agent (check mode)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
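Review bot: `ansible.builtin.command: 'ssh-add {{ signing_key }}'` interpolates the key path unquoted into a string that `command` splits on whitespace, so a `remote_tmp_dir` containing a space would hand ssh-add two arguments; prefer `argv: ['ssh-add', '{{ signing_key }}']`. The task also has no `changed_when`, which ansible-lint's `no-changed-when` rule flags for `command` and `shell` tasks once the FQCN fix lands.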
@@ -46,7 +46,7 @@
check_mode: true
- name: Generate always valid cert with agent
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -56,7 +56,7 @@
valid_to: forever
- name: Generate always valid cert with agent (idempotent)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -67,13 +67,13 @@
register: rc_cert_with_agent_idempotent
- name: Check agent idempotency
assert:
ansible.builtin.assert:
that:
- rc_cert_with_agent_idempotent is not changed
msg: OpenSSH certificate generation without serial number is idempotent.
- name: Generate always valid cert with agent (idempotent, check mode)
openssh_cert:
community.crypto.openssh_cert:
type: user
signing_key: "{{ signing_key }}"
public_key: "{{ public_key }}"
@@ -84,6 +84,6 @@
check_mode: true
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
state: absent
path: '{{ remote_tmp_dir }}/id_cert_with_agent'

View File

@@ -9,42 +9,42 @@
####################################################################
- name: Backend auto-detection test
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/auto_backend_key'
state: "{{ item }}"
loop: ['present', 'absent']
- set_fact:
- ansible.builtin.set_fact:
backends: ['opensshbin']
- set_fact:
- ansible.builtin.set_fact:
backends: "{{ backends + ['cryptography'] }}"
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
- include_tasks: ../tests/core.yml
- ansible.builtin.include_tasks: ../tests/core.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/invalid.yml
- ansible.builtin.include_tasks: ../tests/invalid.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/options.yml
- ansible.builtin.include_tasks: ../tests/options.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/regenerate.yml
- ansible.builtin.include_tasks: ../tests/regenerate.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/state.yml
- ansible.builtin.include_tasks: ../tests/state.yml
loop: "{{ backends }}"
loop_control:
loop_var: backend
- include_tasks: ../tests/cryptography_backend.yml
- ansible.builtin.include_tasks: ../tests/cryptography_backend.yml
when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
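Review bot: the cryptography gate `cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')` is written out twice in this hunk, once when appending `'cryptography'` to `backends` and again on the final `ansible.builtin.include_tasks`; the second copy can be `when: "'cryptography' in backends"` so the version floor is maintained in one place. The `set_fact` and `include_tasks` tasks in this hunk also remain unnamed and will still trip `name[missing]`.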

View File

@@ -9,7 +9,7 @@
####################################################################
- name: "({{ backend }}) Generate key (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/core"
size: 1280
backend: "{{ backend }}"
@@ -17,14 +17,14 @@
check_mode: true
- name: "({{ backend }}) Generate key"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/core"
size: 1280
backend: "{{ backend }}"
register: core_output
- name: "({{ backend }}) Generate key (check mode idempotent)"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/core"
size: 1280
backend: "{{ backend }}"
@@ -32,18 +32,18 @@
check_mode: true
- name: "({{ backend }}) Generate key (idempotent)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/core'
size: 1280
backend: "{{ backend }}"
register: idempotency_core_output
- name: "({{ backend }}) Log key return values"
debug:
ansible.builtin.debug:
msg: "{{ core_output }}"
- name: "({{ backend }}) Assert core behavior"
assert:
ansible.builtin.assert:
that:
- check_core_output is changed
- core_output is changed
@@ -52,7 +52,7 @@
- idempotency_core_output is not changed
- name: "({{ backend }}) Assert key returns fingerprint"
assert:
ansible.builtin.assert:
that:
- core_output['fingerprint'] is string
- core_output['fingerprint'].startswith('SHA256:')
@@ -60,44 +60,44 @@
when: not (backend == 'opensshbin' and openssh_version is version('6.8', '<'))
- name: "({{ backend }}) Assert key returns public_key"
assert:
ansible.builtin.assert:
that:
- core_output['public_key'] is string
- core_output['public_key'].startswith('ssh-rsa ')
- name: "({{ backend }}) Assert key returns size value"
assert:
ansible.builtin.assert:
that:
- core_output['size']|type_debug == 'int'
- core_output['size'] == 1280
- name: "({{ backend }}) Assert key returns key type"
assert:
ansible.builtin.assert:
that:
- core_output['type'] is string
- core_output['type'] == 'rsa'
- name: "({{ backend }}) Retrieve key size from 'ssh-keygen'"
shell: "ssh-keygen -lf {{ remote_tmp_dir }}/core | grep -o -E '^[0-9]+'"
ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/core | grep -o -E '^[0-9]+'"
register: core_size_ssh_keygen
- name: "({{ backend }}) Assert key size matches 'ssh-keygen' output"
assert:
ansible.builtin.assert:
that:
- core_size_ssh_keygen.stdout == '1280'
- name: "({{ backend }}) Read core.pub"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/core.pub'
register: slurp
- name: "({{ backend }}) Assert public key module return equal to the public key content"
assert:
ansible.builtin.assert:
that:
- "core_output.public_key == (slurp.content | b64decode).strip('\n ')"
- name: "({{ backend }}) Remove key"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/core'
backend: "{{ backend }}"
state: absent
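Review bot: `ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/core | grep -o -E '^[0-9]+'"` is a read-only probe but, without `changed_when: false`, reports changed on every run and trips ansible-lint's `no-changed-when`; the path is also interpolated unquoted inside a shell pipeline, so write it as `ssh-keygen -lf '{{ remote_tmp_dir }}/core'`.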

View File

@@ -4,10 +4,10 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Generate a password protected key
command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'
- name: Modify the password protected key with passphrase
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/password_protected'
size: 1024
passphrase: "{{ passphrase }}"
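Review bot: `ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}'` puts the passphrase on the command line, where it is visible in the process list on the target and echoed back in the task's `cmd` return value; add `no_log: true` to the task and quote `{{ passphrase }}` so a value containing spaces is not split into separate arguments. If the passphrase is a fixed test fixture this is only hygiene, but the same pattern recurs for every `ssh-keygen -N` call in this patch.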
@@ -15,7 +15,7 @@
register: password_protected_output
- name: Check password protected key idempotency
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/password_protected'
size: 1024
passphrase: "{{ passphrase }}"
@@ -23,29 +23,29 @@
register: password_protected_idempotency_output
- name: Ensure that ssh-keygen can read keys generated with passphrase
command: 'ssh-keygen -yf {{ remote_tmp_dir }}/password_protected -P {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -yf {{ remote_tmp_dir }}/password_protected -P {{ passphrase }}'
register: password_protected_ssh_keygen_output
- name: Check that password protected key with passphrase was regenerated
assert:
ansible.builtin.assert:
that:
- password_protected_output is changed
- password_protected_idempotency_output is not changed
- password_protected_ssh_keygen_output is success
- name: Remove password protected key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/password_protected'
backend: cryptography
state: absent
- name: Generate an unprotected key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
backend: cryptography
- name: Modify unprotected key with passphrase
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
size: 1280
passphrase: "{{ passphrase }}"
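Review bot: the assertion `password_protected_ssh_keygen_output is success` can never fail: the `ssh-keygen -yf ... -P {{ passphrase }}` task that registers it has no `ignore_errors`, so a non-zero exit aborts the play before the `ansible.builtin.assert` runs. Either add `ignore_errors: true` to that command task so the assertion is meaningful, or drop the condition. The passphrase is again passed on the command line without `no_log: true`.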
@@ -54,7 +54,7 @@
register: unprotected_modification_output
- name: Modify unprotected key with passphrase (force)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
size: 1280
passphrase: "{{ passphrase }}"
@@ -63,22 +63,22 @@
register: force_unprotected_modification_output
- name: Check that unprotected key was modified
assert:
ansible.builtin.assert:
that:
- unprotected_modification_output is failed
- force_unprotected_modification_output is changed
- name: Remove unprotected key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/unprotected'
backend: cryptography
state: absent
- name: Generate PEM encoded key with passphrase
command: 'ssh-keygen -t rsa -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
ansible.builtin.command: 'ssh-keygen -t rsa -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
- name: Try to verify a PEM encoded key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/pem_encoded'
passphrase: "{{ passphrase }}"
backend: cryptography
@@ -86,84 +86,84 @@
register: pem_encoded_output
- name: Check that PEM encoded file is read without errors
assert:
ansible.builtin.assert:
that:
- pem_encoded_output is not changed
- name: Remove PEM encoded key
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/pem_encoded'
backend: cryptography
state: absent
- name: Generate a private key with specified format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs1
backend: cryptography
- name: Generate a private key with specified format (Idempotent)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs1
backend: cryptography
register: private_key_format_idempotent
- name: Check that private key with specified format is idempotent
assert:
ansible.builtin.assert:
that:
- private_key_format_idempotent is not changed
- name: Change to PKCS8 format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs8
backend: cryptography
register: private_key_format_pkcs8
- name: Check that format change causes regeneration
assert:
ansible.builtin.assert:
that:
- private_key_format_pkcs8 is changed
- name: Change to PKCS8 format (Idempotent)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: pkcs8
backend: cryptography
register: private_key_format_pkcs8_idempotent
- name: Check that private key with PKCS8 format is idempotent
assert:
ansible.builtin.assert:
that:
- private_key_format_pkcs8_idempotent is not changed
- name: Change to SSH format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: ssh
backend: cryptography
register: private_key_format_ssh
- name: Check that format change causes regeneration
assert:
ansible.builtin.assert:
that:
- private_key_format_ssh is changed
- name: Change to SSH format (Idempotent)
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
private_key_format: ssh
backend: cryptography
register: private_key_format_ssh_idempotent
- name: Check that private key with SSH format is idempotent
assert:
ansible.builtin.assert:
that:
- private_key_format_ssh_idempotent is not changed
- name: Remove private key with specified format
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/private_key_format'
backend: cryptography
state: absent

View File

@@ -9,7 +9,7 @@
####################################################################
- name: "({{ backend }}) Generate key - broken"
copy:
ansible.builtin.copy:
dest: '{{ item }}'
content: ''
mode: '0700'
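Review bot: `mode: '0700'` on the empty `broken` key files sets the execute bit on regular files; `'0600'` is what OpenSSH expects for a private key and is the closer imitation of a real but unreadable key, which is what this test is exercising. Not a functional problem for the test, but worth fixing while the task is being touched.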
@@ -18,91 +18,91 @@
- "{{ remote_tmp_dir }}/broken.pub"
- name: "({{ backend }}) Regenerate key - broken"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/broken"
backend: "{{ backend }}"
register: broken_output
ignore_errors: true
- name: "({{ backend }}) Assert broken key causes failure - broken"
assert:
ansible.builtin.assert:
that:
- broken_output is failed
- "'Unable to read the key. The key is protected with a passphrase or broken.' in broken_output.msg"
- name: "({{ backend }}) Regenerate key with force - broken"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/broken"
backend: "{{ backend }}"
force: true
register: force_broken_output
- name: "({{ backend }}) Assert broken key regenerated when 'force=true' - broken"
assert:
ansible.builtin.assert:
that:
- force_broken_output is changed
- name: "({{ backend }}) Remove key - broken"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/broken"
backend: "{{ backend }}"
state: absent
- name: "({{ backend }}) Generate key - write-only"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/write-only"
mode: "0200"
backend: "{{ backend }}"
- name: "({{ backend }}) Check private key status - write-only"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/write-only'
register: write_only_private_key
- name: "({{ backend }}) Check public key status - write-only"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/write-only.pub'
register: write_only_public_key
- name: "({{ backend }}) Assert that private and public keys match permissions - write-only"
assert:
ansible.builtin.assert:
that:
- write_only_private_key.stat.mode == '0200'
- write_only_public_key.stat.mode == '0200'
- name: "({{ backend }}) Regenerate key with force - write-only"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/write-only"
backend: "{{ backend }}"
force: true
register: write_only_output
- name: "({{ backend }}) Check private key status after regeneration - write-only"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/write-only'
register: write_only_private_key_after
- name: "({{ backend }}) Assert key is regenerated - write-only"
assert:
ansible.builtin.assert:
that:
- write_only_output is changed
- name: "({{ backend }}) Assert key permissions are preserved with 'opensshbin'"
assert:
ansible.builtin.assert:
that:
- write_only_private_key_after.stat.mode == '0200'
- name: "({{ backend }}) Remove key - write-only"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/write-only"
backend: "{{ backend }}"
state: absent
- name: "({{ backend }}) Generate key with ssh-keygen - password_protected"
command: "ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}"
ansible.builtin.command: "ssh-keygen -f {{ remote_tmp_dir }}/password_protected -N {{ passphrase }}"
- name: "({{ backend }}) Modify key - password_protected"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/password_protected"
size: 1280
backend: "{{ backend }}"
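Review bot: the task named `Assert key permissions are preserved with 'opensshbin'` has no `when: backend == 'opensshbin'`, yet this file is included once per backend, so the `'0200'` check also runs for `cryptography`; either the name is stale or the assert should be gated (if both backends are expected to preserve mode, rename the task). The earlier `write_only_public_key.stat.mode == '0200'` assertion locks in a write-only public key, which deserves a one-line comment saying that is intended. As elsewhere, `ssh-keygen ... -N {{ passphrase }}` should carry `no_log: true`.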
@@ -110,13 +110,13 @@
ignore_errors: true
- name: "({{ backend }}) Assert key cannot be read - password_protected"
assert:
ansible.builtin.assert:
that:
- password_protected_output is failed
- "'Unable to read the key. The key is protected with a passphrase or broken.' in password_protected_output.msg"
- name: "({{ backend }}) Modify key with 'force=true' - password_protected"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/password_protected"
size: 1280
backend: "{{ backend }}"
@@ -124,12 +124,12 @@
register: force_password_protected_output
- name: "({{ backend }}) Assert key regenerated with 'force=true' - password_protected"
assert:
ansible.builtin.assert:
that:
- force_password_protected_output is changed
- name: "({{ backend }}) Remove key - password_protected"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/password_protected"
backend: "{{ backend }}"
state: absent

View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
key_types: "{{ key_types_src | reject('equalto', '') | list }}"
vars:
key_types_src:
@@ -17,61 +17,61 @@
- ecdsa
- name: "({{ backend }}) Generate keys with default size - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_{{ item }}"
type: "{{ item }}"
backend: "{{ backend }}"
loop: "{{ key_types }}"
- name: "({{ backend }}) Retrieve key size from 'ssh-keygen' - size"
shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_{{ item }} | grep -o -E '^[0-9]+'"
ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_{{ item }} | grep -o -E '^[0-9]+'"
loop: "{{ key_types }}"
register: key_size_output
- name: "({{ backend }}) Assert key sizes match default size - size"
assert:
ansible.builtin.assert:
that:
- (key_size_output.results | selectattr('item', 'equalto', 'rsa') | first).stdout == '4096'
- not openssh_supports_dsa or (key_size_output.results | selectattr('item', 'equalto', 'dsa') | first).stdout == '1024'
- (key_size_output.results | selectattr('item', 'equalto', 'ecdsa') | first).stdout == '256'
- name: "({{ backend }}) Remove keys - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_{{ item }}"
state: absent
loop: "{{ key_types }}"
- block:
- name: "({{ backend }}) Generate ed25519 key with default size - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_ed25519"
type: ed25519
backend: "{{ backend }}"
- name: "({{ backend }}) Retrieve ed25519 key size from 'ssh-keygen' - size"
shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_ed25519 | grep -o -E '^[0-9]+'"
ansible.builtin.shell: "ssh-keygen -lf {{ remote_tmp_dir }}/default_size_ed25519 | grep -o -E '^[0-9]+'"
register: ed25519_key_size_output
- name: "({{ backend }}) Assert ed25519 key size matches default size - size"
assert:
ansible.builtin.assert:
that:
- ed25519_key_size_output.stdout == '256'
- name: "({{ backend }}) Remove ed25519 key - size"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/default_size_ed25519"
state: absent
# Support for ed25519 keys was added in OpenSSH 6.5
when: not (backend == 'opensshbin' and openssh_version is version('6.5', '<'))
- name: "({{ backend }}) Generate key - force"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/force"
type: rsa
backend: "{{ backend }}"
- name: "({{ backend }}) Regenerate key - force"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/force"
type: rsa
force: true
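Review bot: both `ansible.builtin.shell: "ssh-keygen -lf ... | grep -o -E '^[0-9]+'"` probes in this hunk are read-only and should set `changed_when: false`; as written they report changed on every run and trigger `no-changed-when`. The interpolated path inside the pipeline should be quoted as well.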
@@ -79,25 +79,25 @@
register: force_output
- name: "({{ backend }}) Assert key regenerated - force"
assert:
ansible.builtin.assert:
that:
- force_output is changed
- name: "({{ backend }}) Remove key - force"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/force"
state: absent
backend: "{{ backend }}"
- name: "({{ backend }}) Generate key - comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
comment: "test@comment"
backend: "{{ backend }}"
register: comment_output
- name: "({{ backend }}) Modify comment - comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
comment: "test_modified@comment"
backend: "{{ backend }}"
@@ -106,13 +106,13 @@
- name: "({{ backend }}) Assert comment preserved public key - comment"
when: modified_comment_output is succeeded
assert:
ansible.builtin.assert:
that:
- comment_output.public_key == modified_comment_output.public_key
- comment_output.comment == 'test@comment'
- name: "({{ backend }}) Assert comment changed - comment"
assert:
ansible.builtin.assert:
that:
- modified_comment_output.comment == 'test_modified@comment'
- modified_comment_output is succeeded
@@ -120,14 +120,14 @@
when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
- name: "({{ backend }}) Assert comment not changed - comment"
assert:
ansible.builtin.assert:
that:
- modified_comment_output is failed
# Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
when: backend == 'opensshbin' and openssh_version is version('7.2', '<')
- name: "({{ backend }}) Remove key - comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
state: absent
backend: "{{ backend }}"

View File

@@ -23,7 +23,7 @@
loop: "{{ old_test_artifacts.files }}"
- name: "({{ backend }}) Regenerate - setup simple keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1024
@@ -31,11 +31,11 @@
regenerate: "{{ item }}"
loop: "{{ regenerate_values }}"
- name: "({{ backend }}) Regenerate - setup password protected keys"
command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
loop: "{{ regenerate_values }}"
- name: "({{ backend }}) Regenerate - setup broken keys"
copy:
ansible.builtin.copy:
dest: '{{ remote_tmp_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
content: 'broken key'
mode: '0700'
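Review bot: the looped `ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'` passes the passphrase on the command line for every loop item with no `no_log: true`, so it is recorded once per item in the play output; and the broken-key `ansible.builtin.copy` uses `mode: '0700'` where `'0600'` matches a real private key.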
@@ -44,11 +44,11 @@
- ['', '.pub']
- name: "({{ backend }}) Regenerate - setup password protected keys for passphrse test"
command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
ansible.builtin.command: 'ssh-keygen -f {{ remote_tmp_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
loop: "{{ regenerate_values }}"
- name: "({{ backend }}) Regenerate - modify broken keys (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}'
type: rsa
size: 1024
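Review bot: typo in the task name `Regenerate - setup password protected keys for passphrse test`: `passphrse` should be `passphrase`. Same command-line passphrase and missing `no_log: true` point as the `regenerate-b` setup task above.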
@@ -58,7 +58,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
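Review bot: `- ansible.builtin.assert:` here, and every other assert task in this file, has no `name:`, so the file will still fail ansible-lint on `name[missing]` after the FQCN change; a name per assert stating which regenerate case it covers (e.g. `- name: Assert results for modifying broken keys (check mode)`) would also make a failure on `result.results[0]` or `result.results[4]` far easier to locate in the output.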
@@ -70,7 +70,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify broken keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-c-{{ item }}'
type: rsa
size: 1024
@@ -79,7 +79,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -91,7 +91,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify password protected keys (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
type: rsa
size: 1024
@@ -101,7 +101,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -113,7 +113,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify password protected keys with passphrase (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
type: rsa
size: 1024
@@ -126,7 +126,7 @@
register: result
when: backend == 'cryptography'
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success
- result.results[1] is failed
@@ -137,7 +137,7 @@
when: backend == 'cryptography'
- name: "({{ backend }}) Regenerate - modify password protected keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-b-{{ item }}'
type: rsa
size: 1024
@@ -146,7 +146,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is failed
- "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
@@ -158,7 +158,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - modify password protected keys with passphrase"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-d-{{ item }}'
type: rsa
size: 1024
@@ -170,7 +170,7 @@
register: result
when: backend == 'cryptography'
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success
- result.results[1] is failed
@@ -181,7 +181,7 @@
when: backend == 'cryptography'
- name: "({{ backend }}) Regenerate - not modify regular keys (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1024
@@ -190,7 +190,7 @@
check_mode: true
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
@@ -199,7 +199,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - not modify regular keys"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1024
@@ -207,7 +207,7 @@
backend: "{{ backend }}"
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is not changed
- result.results[1] is not changed
@@ -216,7 +216,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - adjust key size (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1048
@@ -226,7 +226,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -236,7 +236,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - adjust key size"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: rsa
size: 1048
@@ -245,7 +245,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -255,7 +255,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
remote_src: true
@@ -270,7 +270,7 @@
block:
- name: "({{ backend }}) Regenerate - adjust key type (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -280,7 +280,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -290,7 +290,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - adjust key type"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -299,7 +299,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result.results[0] is success and result.results[0] is not changed
- result.results[1] is failed
@@ -309,7 +309,7 @@
- result.results[4] is changed
- name: "({{ backend }}) Regenerate - redistribute keys"
copy:
ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/regenerate-a-always{{ item.1 }}'
dest: '{{ remote_tmp_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
remote_src: true
@@ -319,7 +319,7 @@
when: "item.0 != 'always'"
- name: "({{ backend }}) Regenerate - adjust comment (check mode)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -330,7 +330,7 @@
loop: "{{ regenerate_values }}"
ignore_errors: true
register: result
- assert:
- ansible.builtin.assert:
that:
- result is changed
@@ -338,7 +338,7 @@
- when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
block:
- name: "({{ backend }}) Regenerate - adjust comment"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
type: '{{ ssh_type }}'
size: '{{ ssh_size }}'
@@ -347,7 +347,7 @@
backend: "{{ backend }}"
loop: "{{ regenerate_values }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result is changed
# for all values but 'always', the key should not be regenerated.

View File

@@ -9,41 +9,41 @@
####################################################################
- name: "({{ backend }}) Generate key"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
state: present
- name: "({{ backend }}) Generate key (idempotency)"
openssh_keypair:
community.crypto.openssh_keypair:
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
state: present
- name: "({{ backend }}) Remove key"
openssh_keypair:
community.crypto.openssh_keypair:
state: absent
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
- name: "({{ backend }}) Remove key (idempotency)"
openssh_keypair:
community.crypto.openssh_keypair:
state: absent
path: '{{ remote_tmp_dir }}/removed'
backend: "{{ backend }}"
- name: "({{ backend }}) Check private key status"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/removed'
register: removed_private_key
- name: "({{ backend }}) Check public key status"
stat:
ansible.builtin.stat:
path: '{{ remote_tmp_dir }}/removed.pub'
register: removed_public_key
- name: "({{ backend }}) Assert key pair files are removed"
assert:
ansible.builtin.assert:
that:
- not removed_private_key.stat.exists
- not removed_public_key.stat.exists
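Review bot: Neither idempotency task in this hunk registers its result, so "Generate key (idempotency)" and "Remove key (idempotency)" are never asserted to be `not changed`; the only proof at the end is the two `stat` checks showing the files are gone. Add `register:` to both tasks and assert `is not changed` in the final `ansible.builtin.assert`, otherwise a backend that silently regenerates the key on the second `state: present` run, or reports a change on the second `state: absent` run, still passes this test.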

View File

@@ -4,17 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate privatekey"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Read privatekey"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekey.pem'
register: privatekey
- name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
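Review bot: "Generate privatekey" at the top of this hunk does not pass `select_crypto_backend: '{{ select_crypto_backend }}'` even though its name advertises the backend, unlike the `openssl_csr` tasks later in the file, so the key is produced by whatever backend the module autodetects. That is harmless while only `cryptography` is exercised, but passing the variable through keeps the task name truthful and the test meaningful if another backend is ever added.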
@@ -25,7 +25,7 @@
register: generate_csr_check
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -35,7 +35,7 @@
register: generate_csr
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_content: '{{ privatekey.content | b64decode }}'
subject_ordered:
@@ -45,7 +45,7 @@
register: generate_csr_idempotent
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -56,7 +56,7 @@
register: generate_csr_idempotent_check
- name: "({{ select_crypto_backend }}) Generate CSR without SAN (check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -67,7 +67,7 @@
register: generate_csr_nosan_check
- name: "({{ select_crypto_backend }}) Generate CSR without SAN"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -77,7 +77,7 @@
register: generate_csr_nosan
- name: "({{ select_crypto_backend }}) Generate CSR without SAN (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -87,7 +87,7 @@
register: generate_csr_nosan_check_idempotent
- name: "({{ select_crypto_backend }}) Generate CSR without SAN (idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr-nosan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -102,7 +102,7 @@
# but the short name is used to test idempotency for ipsecuser
# and vice-versa for biometricInfo
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -118,7 +118,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -135,7 +135,7 @@
register: csr_ku_xku
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test XKU change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -151,7 +151,7 @@
register: csr_ku_xku_change
- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (test KU change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -166,14 +166,14 @@
register: csr_ku_xku_change_2
- name: "({{ select_crypto_backend }}) Generate CSR with old API"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_oldapi.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
commonName: www.ansible.com
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with invalid SAN (1/2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csrinvsan.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: invalid-san.example.com
@@ -182,7 +182,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate CSR with invalid SAN (2/2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csrinvsan2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: "DNS:system:kube-controller-manager"
@@ -191,7 +191,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate CSR with OCSP Must Staple"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ocsp.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: "DNS:www.ansible.com"
@@ -199,7 +199,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with OCSP Must Staple (test idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ocsp.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_alt_name: "DNS:www.ansible.com"
@@ -208,13 +208,13 @@
register: csr_ocsp_idempotency
- name: "({{ select_crypto_backend }}) Generate ECC privatekey"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey2.pem'
type: ECC
curve: secp384r1
- name: "({{ select_crypto_backend }}) Generate CSR with ECC privatekey"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -222,7 +222,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with text common name"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -231,7 +231,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
- name: "({{ select_crypto_backend }}) Generate CSR with country name"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
country_name: de
@@ -239,7 +239,7 @@
register: country_idempotent_1
- name: "({{ select_crypto_backend }}) Generate CSR with country name (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
country_name: de
@@ -247,7 +247,7 @@
register: country_idempotent_2
- name: "({{ select_crypto_backend }}) Generate CSR with country name (idempotent 2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -256,7 +256,7 @@
register: country_idempotent_3
- name: "({{ select_crypto_backend }}) Generate CSR with country name (bad country name)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -266,19 +266,19 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate privatekey with password"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Read privatekey"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/privatekeypw.pem'
register: privatekeypw
- name: "({{ select_crypto_backend }}) Generate CSR with privatekey passphrase"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
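Review bot: "Generate privatekey with password" pins `select_crypto_backend: cryptography` while its name is parametrised with `{{ select_crypto_backend }}`, so the reported task name does not reflect which backend actually ran. Use `select_crypto_backend: '{{ select_crypto_backend }}'` like the surrounding tasks, or drop the variable from the name so the log line is not misleading.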
@@ -286,7 +286,7 @@
register: passphrase_1
- name: "({{ select_crypto_backend }}) Generate CSR with privatekey passphrase and private key content"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw.csr'
privatekey_content: '{{ privatekeypw.content | b64decode }}'
privatekey_passphrase: hunter2
@@ -294,7 +294,7 @@
register: passphrase_1_content
- name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 1)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
privatekey_passphrase: hunter2
@@ -303,7 +303,7 @@
register: passphrase_error_1
- name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 2)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: wrong_password
@@ -312,7 +312,7 @@
register: passphrase_error_2
- name: "({{ select_crypto_backend }}) Generate CSR (failed passphrase 3)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_pw3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
@@ -320,11 +320,11 @@
register: passphrase_error_3
- name: "({{ select_crypto_backend }}) Create broken CSR"
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/csrbroken.csr"
content: "broken"
- name: "({{ select_crypto_backend }}) Regenerate broken CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csrbroken.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey2.pem'
subject:
@@ -334,7 +334,7 @@
register: output_broken
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -343,7 +343,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_1
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -352,7 +352,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_2
- name: "({{ select_crypto_backend }}) Generate CSR (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -361,7 +361,7 @@
select_crypto_backend: '{{ select_crypto_backend }}'
register: csr_backup_3
- name: "({{ select_crypto_backend }}) Generate CSR (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
state: absent
backup: true
@@ -369,7 +369,7 @@
return_content: true
register: csr_backup_4
- name: "({{ select_crypto_backend }}) Generate CSR (remove, idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backup.csr'
state: absent
backup: true
@@ -377,7 +377,7 @@
register: csr_backup_5
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -387,7 +387,7 @@
register: subject_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -397,7 +397,7 @@
register: subject_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -407,7 +407,7 @@
register: subject_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -417,7 +417,7 @@
register: subject_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (auto-create idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -427,7 +427,7 @@
register: subject_key_identifier_5
- name: "({{ select_crypto_backend }}) Generate CSR with subject key identifier (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_ski.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -436,7 +436,7 @@
register: subject_key_identifier_6
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -446,7 +446,7 @@
register: authority_key_identifier_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -456,7 +456,7 @@
register: authority_key_identifier_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -466,7 +466,7 @@
register: authority_key_identifier_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority key identifier (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_aki.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -475,7 +475,7 @@
register: authority_key_identifier_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -488,7 +488,7 @@
register: authority_cert_issuer_sn_1
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (idempotency)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -501,7 +501,7 @@
register: authority_cert_issuer_sn_2
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change issuer)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -514,7 +514,7 @@
register: authority_cert_issuer_sn_3
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (change serial number)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -527,7 +527,7 @@
register: authority_cert_issuer_sn_4
- name: "({{ select_crypto_backend }}) Generate CSR with authority cert issuer / serial number (remove)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_acisn.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -535,7 +535,7 @@
register: authority_cert_issuer_sn_5
- name: "({{ select_crypto_backend }}) Generate CSR with everything"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_ordered:
@@ -620,7 +620,7 @@
register: everything_1
- name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_ordered:
@@ -706,7 +706,7 @@
register: everything_2
- name: "({{ select_crypto_backend }}) Generate CSR with everything (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -792,7 +792,7 @@
register: everything_3
- name: "({{ select_crypto_backend }}) Generate CSR with everything (not idempotent, check mode)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_everything.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject_ordered:
@@ -887,7 +887,7 @@
- name: "({{ select_crypto_backend }}) Ed25519 and Ed448 tests (for cryptography >= 2.6)"
block:
- name: "({{ select_crypto_backend }}) Generate privatekeys"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
type: '{{ item }}'
loop:
@@ -901,7 +901,7 @@
block:
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
subject:
@@ -914,7 +914,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
subject:
@@ -931,7 +931,7 @@
- name: "({{ select_crypto_backend }}) CRL distribution endpoints (for cryptography >= 1.6)"
block:
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -953,7 +953,7 @@
register: crl_distribution_endpoints_1
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (idempotence)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -975,7 +975,7 @@
register: crl_distribution_endpoints_2
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (change)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -995,7 +995,7 @@
register: crl_distribution_endpoints_3
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints (no endpoints)"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -1004,7 +1004,7 @@
register: crl_distribution_endpoints_4
- name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_crl_d_e.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:

View File

@@ -10,22 +10,22 @@
- block:
- name: Prepare private key for backend autodetection test
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_backend_selection.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography

View File

@@ -4,25 +4,25 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
ansible.builtin.shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
ansible.builtin.shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
register: csr_cn
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
ansible.builtin.shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
register: csr_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_modulus.stdout == privatekey_modulus.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (check mode, idempotency)"
assert:
ansible.builtin.assert:
that:
- generate_csr_check is changed
- generate_csr is changed
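Review bot: Since this change exists to satisfy ansible-lint, the three `ansible.builtin.shell` tasks in this hunk (and the other shell tasks in this file) will still trip `command-instead-of-shell` and `no-changed-when` unless those rules are skipped in the lint config: none of the `openssl rsa`/`openssl req` invocations use pipes, redirects or globbing, and all of them are read-only. Switching to `ansible.builtin.command` with `changed_when: false` satisfies both rules and also stops `{{ remote_tmp_dir }}` from being re-parsed by a shell.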
@@ -30,12 +30,12 @@
- generate_csr_idempotent_check is not changed
- name: "({{ select_crypto_backend }}) Read CSR"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/csr.csr'
register: slurp
- name: "({{ select_crypto_backend }}) Validate CSR (data retrieval)"
assert:
ansible.builtin.assert:
that:
- generate_csr_check.csr is none
- generate_csr.csr == (slurp.content | b64decode)
@@ -43,7 +43,7 @@
- generate_csr.csr == generate_csr_idempotent_check.csr
- name: "({{ select_crypto_backend }}) Validate CSR without SAN (check mode, idempotency)"
assert:
ansible.builtin.assert:
that:
- generate_csr_nosan_check is changed
- generate_csr_nosan is changed
@@ -51,28 +51,28 @@
- generate_csr_nosan_check_idempotent_check is not changed
- name: "({{ select_crypto_backend }}) Validate CSR_KU_XKU (assert idempotency, change)"
assert:
ansible.builtin.assert:
that:
- csr_ku_xku is not changed
- csr_ku_xku_change is changed
- csr_ku_xku_change_2 is changed
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
ansible.builtin.shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
register: csr_oldapi_cn
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
ansible.builtin.shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
register: csr_oldapi_modulus
- name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_oldapi_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_oldapi_modulus.stdout == privatekey_modulus.stdout
- name: "({{ select_crypto_backend }}) Validate invalid SAN (1/2)"
assert:
ansible.builtin.assert:
that:
- generate_csr_invalid_san is failed
- "'Subject Alternative Name' in generate_csr_invalid_san.msg"
@@ -87,49 +87,49 @@
when: cryptography_version.stdout is version('2.0', '<')
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
ansible.builtin.shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
register: csr_ocsp
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
assert:
ansible.builtin.assert:
that:
- "(csr_ocsp.stdout is search('\\s+TLS Feature:\\s*\\n\\s+status_request\\s+')) or
(csr_ocsp.stdout is search('\\s+1.3.6.1.5.5.7.1.24:\\s*\\n\\s+0\\.\\.\\.\\.\\s+'))"
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert idempotency)"
assert:
ansible.builtin.assert:
that:
- csr_ocsp_idempotency is not changed
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
ansible.builtin.shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
register: privatekey_ecc_key
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
ansible.builtin.shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
register: csr_ecc_cn
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
shell: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
ansible.builtin.shell: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
register: csr_ecc_pubkey
- name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_ecc_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
ansible.builtin.shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
register: csr3_cn
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr3_cn.stdout.split('=')[-1] == 'This is for Ansible'
- name: "({{ select_crypto_backend }}) Validate country name idempotency and validation"
assert:
ansible.builtin.assert:
that:
- country_idempotent_1 is changed
- country_idempotent_2 is not changed
@@ -137,13 +137,13 @@
- country_fail_4 is failed
- name: "({{ select_crypto_backend }}) Validate idempotency of privatekey_passphrase"
assert:
ansible.builtin.assert:
that:
- passphrase_1 is changed
- passphrase_1_content is not changed
- name: "({{ select_crypto_backend }}) Validate private key passphrase errors"
assert:
ansible.builtin.assert:
that:
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
@@ -153,12 +153,12 @@
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: "({{ select_crypto_backend }}) Verify that broken CSR will be regenerated"
assert:
ansible.builtin.assert:
that:
- output_broken is changed
- name: "({{ select_crypto_backend }}) Verify that subject key identifier handling works"
assert:
ansible.builtin.assert:
that:
- subject_key_identifier_1 is changed
- subject_key_identifier_2 is not changed
@@ -168,7 +168,7 @@
- subject_key_identifier_6 is changed
- name: "({{ select_crypto_backend }}) Verify that authority key identifier handling works"
assert:
ansible.builtin.assert:
that:
- authority_key_identifier_1 is changed
- authority_key_identifier_2 is not changed
@@ -176,7 +176,7 @@
- authority_key_identifier_4 is changed
- name: "({{ select_crypto_backend }}) Verify that authority cert issuer / serial number handling works"
assert:
ansible.builtin.assert:
that:
- authority_cert_issuer_sn_1 is changed
- authority_cert_issuer_sn_2 is not changed
@@ -185,7 +185,7 @@
- authority_cert_issuer_sn_5 is changed
- name: "({{ select_crypto_backend }}) Check backup"
assert:
ansible.builtin.assert:
that:
- csr_backup_1 is changed
- csr_backup_1.backup_file is undefined
@@ -200,7 +200,7 @@
- csr_backup_4.csr is none
- name: "({{ select_crypto_backend }}) Check CSR with everything"
assert:
ansible.builtin.assert:
that:
- everything_1 is changed
- everything_2 is not changed
@@ -271,7 +271,7 @@
- everything_info.name_constraints_critical == true
- name: "({{ select_crypto_backend }}) Check CSR with everything"
assert:
ansible.builtin.assert:
that:
- everything_info.authority_cert_issuer == [
"DNS:ca.example.org",
@@ -314,7 +314,7 @@
]
- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)"
assert:
ansible.builtin.assert:
that:
- generate_csr_ed25519_ed448.results[0] is failed
- generate_csr_ed25519_ed448.results[1] is failed
@@ -325,7 +325,7 @@
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and generate_csr_ed25519_ed448_privatekey is not failed
- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)"
assert:
ansible.builtin.assert:
that:
- generate_csr_ed25519_ed448 is succeeded
- generate_csr_ed25519_ed448.results[0] is changed
@@ -336,7 +336,7 @@
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and generate_csr_ed25519_ed448_privatekey is not failed
- name: "({{ select_crypto_backend }}) Verify CRL distribution endpoints (for cryptography >= 1.6)"
assert:
ansible.builtin.assert:
that:
- crl_distribution_endpoints_1 is changed
- crl_distribution_endpoints_2 is not changed

View File

@@ -3,31 +3,31 @@
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- debug:
- ansible.builtin.debug:
msg: "Executing tests with backend {{ select_crypto_backend }}"
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_1.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Get CSR info (IDNA encoding)"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_1.csr'
name_encoding: idna
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_idna
- name: "({{ select_crypto_backend }}) Get CSR info (Unicode encoding)"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_1.csr'
name_encoding: unicode
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_unicode
- name: "({{ select_crypto_backend }}) Check whether subject and extensions behaves as expected"
assert:
ansible.builtin.assert:
that:
- result.subject.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
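Review bot: The `- ansible.builtin.debug:` task at the top of this hunk is still unnamed, so ansible-lint's `name[missing]` rule will flag it even after the FQCN fix; give it a `name:` such as "Announce backend under test". The rest of the hunk is the mechanical short-name to FQCN rename and looks fine.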
@@ -54,7 +54,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: "({{ select_crypto_backend }}) Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
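Review bot: the expected value for `result.extensions_by_oid['2.5.29.37'].value` is an opaque base64 blob; a short comment stating that OID 2.5.29.37 is extendedKeyUsage and listing the purposes the encoded SEQUENCE carries would let a reader verify the fixture without decoding it by hand.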
@@ -71,18 +71,18 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Read CSR"
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/csr_1.csr'
register: slurp
- name: "({{ select_crypto_backend }}) Get CSR info directly"
openssl_csr_info:
community.crypto.openssl_csr_info:
content: '{{ slurp.content | b64decode }}'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result_direct
- name: "({{ select_crypto_backend }}) Compare output of direct and loaded info"
assert:
ansible.builtin.assert:
that:
- >-
(result | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
@@ -90,19 +90,19 @@
(result_direct | dict2items | rejectattr("key", "equalto", "warnings") | list | items2dict)
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_2.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_3.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
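Review bot: the two tasks named `({{ select_crypto_backend }}) Get CSR info` in this hunk both register into `result`, so the csr_2 result is overwritten by the csr_3 lookup before any assert reads it; either give the csr_2 task its own `register:` and assert on it, or drop it, and give the tasks distinct names (e.g. `Get CSR info (csr_3)`) so a failing assert points at the right file.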
@@ -114,13 +114,13 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: "({{ select_crypto_backend }}) Get CSR info"
openssl_csr_info:
community.crypto.openssl_csr_info:
path: '{{ remote_tmp_dir }}/csr_4.csr'
select_crypto_backend: '{{ select_crypto_backend }}'
register: result
- name: "({{ select_crypto_backend }}) Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none

View File

@@ -9,24 +9,24 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -95,7 +95,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -104,7 +104,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -122,14 +122,14 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
when: cryptography_version.stdout is version('1.3', '>=')

View File

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate privatekey"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
@@ -18,7 +18,7 @@
register: generate_csr_check
- name: "({{ select_crypto_backend }}) Generate CSR"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
@@ -26,7 +26,7 @@
register: generate_csr
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -35,7 +35,7 @@
register: generate_csr_idempotent
- name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -45,7 +45,7 @@
register: generate_csr_idempotent_check
- name: "({{ select_crypto_backend }}) Generate CSR (changed)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -54,7 +54,7 @@
register: generate_csr_changed
- name: "({{ select_crypto_backend }}) Generate CSR (changed, check mode)"
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
content: "{{ generate_csr.csr }}"
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -64,29 +64,29 @@
register: generate_csr_changed_check
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
ansible.builtin.shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
ansible.builtin.shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
args:
stdin: "{{ generate_csr.csr }}"
register: csr_cn
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
ansible.builtin.shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
args:
stdin: "{{ generate_csr.csr }}"
register: csr_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
assert:
ansible.builtin.assert:
that:
- csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
- csr_modulus.stdout == privatekey_modulus.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (check mode, idempotency)"
assert:
ansible.builtin.assert:
that:
- generate_csr_check is changed
- generate_csr is changed
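Review bot: the three `ansible.builtin.shell` tasks in this hunk each run a single openssl command with no pipes, redirects or globbing, so ansible-lint's command-instead-of-shell rule will still flag them; `ansible.builtin.command` accepts the same `stdin:` argument and works for all three, e.g. `ansible.builtin.command: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'`.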

View File

@@ -9,18 +9,18 @@
####################################################################
- name: Prepare private key for backend autodetection test
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
size: '{{ default_rsa_key_size }}'
- name: Run module with backend autodetection
openssl_csr_pipe:
community.crypto.openssl_csr_pipe:
privatekey_path: '{{ remote_tmp_dir }}/privatekey_backend_selection.pem'
subject:
commonName: www.ansible.com
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography

View File

@@ -6,7 +6,7 @@
# The tests for this module generate unsafe parameters for testing purposes;
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
- name: "[{{ select_crypto_backend }}] Generate parameter (check mode)"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -15,7 +15,7 @@
register: dhparam_check
- name: "[{{ select_crypto_backend }}] Generate parameter"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -23,7 +23,7 @@
register: dhparam
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change (check mode)"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -32,7 +32,7 @@
register: dhparam_changed_check
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change"
openssl_dhparam:
community.crypto.openssl_dhparam:
size: 768
path: '{{ remote_tmp_dir }}/dh768.pem'
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -40,32 +40,32 @@
register: dhparam_changed
- name: "[{{ select_crypto_backend }}] Generate parameters with size option"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
select_crypto_backend: "{{ select_crypto_backend }}"
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with size option and no change"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_changed_512
- copy:
- ansible.builtin.copy:
src: '{{ remote_tmp_dir }}/dh768.pem'
remote_src: true
dest: '{{ remote_tmp_dir }}/dh512.pem'
- name: "[{{ select_crypto_backend }}] Re-generate if size is different"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_changed_to_512
- name: "[{{ select_crypto_backend }}] Force re-generate parameters with size option"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh512.pem'
size: 512
force: true
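Review bot: the anonymous `- ansible.builtin.copy:` task in this hunk is what sets up the size-mismatch case (it overwrites dh512.pem with the 768-bit parameters so the following `Re-generate if size is different` task has something to detect), but without a `name:` that intent is invisible in the play output and ansible-lint flags it as name[missing]; add e.g. `- name: "[{{ select_crypto_backend }}] Overwrite dh512.pem with 768-bit parameters"`.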
@@ -73,11 +73,11 @@
register: dhparam_changed_force
- name: "[{{ select_crypto_backend }}] Create broken params"
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/dhbroken.pem"
content: "broken"
- name: "[{{ select_crypto_backend }}] Regenerate broken params"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dhbroken.pem'
size: 512
force: true
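Review bot: the `Regenerate broken params` task passes `force: true`, so it regenerates no matter whether the module can parse the `broken` content written by the preceding task, and the broken-file detection path is never actually exercised; if that path is the point of the test, run the task once without `force` and assert the result is changed before the forced run.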
@@ -85,21 +85,21 @@
register: output_broken
- name: "[{{ select_crypto_backend }}] Generate params"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
size: 512
backup: true
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_backup_1
- name: "[{{ select_crypto_backend }}] Generate params (idempotent)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
size: 512
backup: true
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_backup_2
- name: "[{{ select_crypto_backend }}] Generate params (change)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
size: 512
force: true
@@ -107,7 +107,7 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: dhparam_backup_3
- name: "[{{ select_crypto_backend }}] Generate params (remove)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
state: absent
backup: true
@@ -115,7 +115,7 @@
return_content: true
register: dhparam_backup_4
- name: "[{{ select_crypto_backend }}] Generate params (remove, idempotent)"
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backup.pem'
state: absent
backup: true

View File

@@ -12,35 +12,35 @@
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
- name: Run module with backend autodetection
openssl_dhparam:
community.crypto.openssl_dhparam:
path: '{{ remote_tmp_dir }}/dh_backend_selection.pem'
size: 512
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: openssl
# when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography
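Review bot: the commented-out `# when: openssl_version.stdout is version('1.0.0', '>=')` inside the OpenSSL-backend block is dead code; either restore it as the block's `when:` or delete it, since a stale condition left in a comment invites someone to re-enable an outdated check.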

Some files were not shown because too many files have changed in this diff.