internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-05-06 13:22:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:3.0.5
Branches Tags
internet:main internet:stable-2 internet:gh-pages internet:stable-1
internet:3.2.0 internet:3.1.1 internet:2.26.7 internet:3.1.0 internet:3.0.5 internet:2.26.6 internet:3.0.4 internet:3.0.3 internet:2.26.5 internet:3.0.2 internet:2.26.4 internet:3.0.1 internet:3.0.0 internet:3.0.0-rc1 internet:2.26.3 internet:3.0.0-a2 internet:2.26.2 internet:3.0.0-a1 internet:2.26.1 internet:2.26.0 internet:2.25.0 internet:2.24.0 internet:2.23.0 internet:2.22.3 internet:2.22.2 internet:2.22.1 internet:2.22.0 internet:1.9.26 internet:2.21.1 internet:2.21.0 internet:1.9.25 internet:2.20.0 internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.1 internet:1.9.24 internet:2.17.0 internet:2.16.2 internet:2.16.1 internet:2.16.0 internet:1.9.23 internet:2.15.1 internet:2.15.0 internet:2.14.1 internet:1.9.22 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.0 internet:1.9.21 internet:2.11.1 internet:2.11.0 internet:2.10.0 internet:1.9.20 internet:2.9.0 internet:2.8.1 internet:2.8.0 internet:1.9.19 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.0 internet:2.4.0 internet:1.9.18 internet:2.3.4 internet:1.9.17 internet:2.3.2 internet:1.9.16 internet:2.3.1 internet:1.9.15 internet:2.3.0 internet:1.9.14 internet:2.2.4 internet:2.2.3 internet:1.9.13 internet:2.2.2 internet:1.9.12 internet:2.2.1 internet:1.9.11 internet:2.2.0 internet:1.9.10 internet:1.9.9 internet:2.1.0 internet:2.0.2 internet:1.9.8 internet:2.0.1 internet:1.9.7 internet:2.0.0 internet:1.9.6 internet:1.9.5 internet:1.9.4 internet:1.9.3 internet:1.9.2 internet:1.9.0 internet:1.9.1 internet:1.8.0 internet:1.7.1 internet:1.7.0 internet:1.6.2 internet:1.6.1 internet:1.6.0 internet:1.5.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.1.0
...
compare: internet:2.26.7
Branches Tags
internet:main internet:stable-2 internet:gh-pages internet:stable-1
internet:3.2.0 internet:3.1.1 internet:2.26.7 internet:3.1.0 internet:3.0.5 internet:2.26.6 internet:3.0.4 internet:3.0.3 internet:2.26.5 internet:3.0.2 internet:2.26.4 internet:3.0.1 internet:3.0.0 internet:3.0.0-rc1 internet:2.26.3 internet:3.0.0-a2 internet:2.26.2 internet:3.0.0-a1 internet:2.26.1 internet:2.26.0 internet:2.25.0 internet:2.24.0 internet:2.23.0 internet:2.22.3 internet:2.22.2 internet:2.22.1 internet:2.22.0 internet:1.9.26 internet:2.21.1 internet:2.21.0 internet:1.9.25 internet:2.20.0 internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.1 internet:1.9.24 internet:2.17.0 internet:2.16.2 internet:2.16.1 internet:2.16.0 internet:1.9.23 internet:2.15.1 internet:2.15.0 internet:2.14.1 internet:1.9.22 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.0 internet:1.9.21 internet:2.11.1 internet:2.11.0 internet:2.10.0 internet:1.9.20 internet:2.9.0 internet:2.8.1 internet:2.8.0 internet:1.9.19 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.0 internet:2.4.0 internet:1.9.18 internet:2.3.4 internet:1.9.17 internet:2.3.2 internet:1.9.16 internet:2.3.1 internet:1.9.15 internet:2.3.0 internet:1.9.14 internet:2.2.4 internet:2.2.3 internet:1.9.13 internet:2.2.2 internet:1.9.12 internet:2.2.1 internet:1.9.11 internet:2.2.0 internet:1.9.10 internet:1.9.9 internet:2.1.0 internet:2.0.2 internet:1.9.8 internet:2.0.1 internet:1.9.7 internet:2.0.0 internet:1.9.6 internet:1.9.5 internet:1.9.4 internet:1.9.3 internet:1.9.2 internet:1.9.0 internet:1.9.1 internet:1.8.0 internet:1.7.1 internet:1.7.0 internet:1.6.2 internet:1.6.1 internet:1.6.0 internet:1.5.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.1.0

55 Commits
3.0.5 ... 2.26.7

Author SHA1 Message Date
Felix Fontein
cea0f7639c Release 2.26.7. 2026-02-12 06:51:29 +01:00
Felix Fontein
edfb82772c Fix EC detection. (#981) (#982) 
(cherry picked from commit 911ed33c2e)
 2026-02-11 22:11:21 +01:00
Felix Fontein
3091b2f997 Prepare 2.26.7. 2026-02-11 21:51:51 +01:00
Felix Fontein
3bfebd8805 CI: Install c.g from git. 
(cherry picked from commit e91f8ec520)
 2026-01-25 13:22:12 +01:00
patchback[bot]
9750cd1187 [PR #978/9b497ddd backport][stable-2] CI: Arch Linux switched to Python 3.14 / remove Arch from CI matrix (#979) 
* Arch Linux switched to Python 3.14. (#978)

(cherry picked from commit 9b497dddbc)

* Remove Arch Linux from CI matrix.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
 2026-01-11 12:44:37 +01:00
Felix Fontein
578a79d968 Replace RHEL 10.0 with 10.1. (#977) 2026-01-08 08:51:13 +01:00
Felix Fontein
4331ebfa2e Update RHEL 9.x to 9.7 in CI. (#975) 
(cherry picked from commit 8049b0f013)
 2026-01-06 17:02:56 +01:00
patchback[bot]
b596625374 Bump actions/checkout from 5 to 6 in the ci group (#970) (#971) 
Bumps the ci group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 5 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
...



(cherry picked from commit 663d1a1321)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-24 06:37:20 +01:00
Felix Fontein
2c72af252b Move ansible-core 2.17 to EOL CI. (#969) 2025-11-12 19:59:26 +01:00
Felix Fontein
dd82c009d6 The next release will be 2.26.7. 2025-10-29 22:11:55 +01:00
Felix Fontein
45d5db3d98 Release 2.26.6. 2025-10-29 21:27:53 +01:00
patchback[bot]
79c49f5b75 Stop mentioning Buypass. (#964) (#965) 
https://community.buypass.com/t/y4y130p
(cherry picked from commit 1b86848a6f)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-10-29 21:23:43 +01:00
Felix Fontein
da5f524ee6 Prepare 2.26.6. 2025-10-29 20:59:34 +01:00
Felix Fontein
cb137cfb1c Move ansible-core 2.16 to EOL CI. (#962) 2025-10-27 19:16:18 +01:00
Felix Fontein
be91644e04 Fix/improve docs. 
(cherry picked from commit 6f0c58f483)
 2025-10-25 14:32:49 +02:00
Felix Fontein
b515b76278 Sort imports. 2025-10-11 15:56:14 +02:00
Felix Fontein
68907ac994 Stick to older community.general branch. 2025-10-11 15:39:18 +02:00
Felix Fontein
63cdc07ee1 Add repo configuration to antsibull-nox.toml. 
(cherry picked from commit c5135496c8)
 2025-09-26 06:57:24 +02:00
patchback[bot]
dbbc936b11 Bump actions/checkout from 4 to 5 in the ci group (#954) (#955) 
Bumps the ci group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4 to 5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
...



(cherry picked from commit 62b4535465)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-08-18 06:41:08 +02:00
Felix Fontein
b1c5665590 The next release will be 2.26.6. 2025-08-04 19:43:35 +02:00
Felix Fontein
0148434e36 Release 2.26.5. 2025-08-04 19:17:29 +02:00
patchback[bot]
f9f3c3d4ee Increase number of retries from 10 to 20. (#949) (#950) 
(cherry picked from commit ba5c551a29)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-08-03 11:55:04 +02:00
Felix Fontein
5b1382c799 Prepare 2.26.5. 2025-08-02 21:02:06 +02:00
patchback[bot]
2d70e14250 Also retry on HTTP statuses 502 and 504. (#947) (#948) 
(cherry picked from commit 75413d0b08)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-08-02 19:04:22 +02:00
Felix Fontein
1fed428d76 Update Azure Pipelines test container. 2025-07-30 06:22:07 +02:00
Felix Fontein
02e7c2ed77 Normalize changelog configs. 
(cherry picked from commit bc16487882)
 2025-07-27 16:35:49 +02:00
Felix Fontein
b4cb931621 The next release will be 2.26.5. 2025-07-26 15:20:46 +02:00
Felix Fontein
ded8568802 Release 2.26.4. 2025-07-26 14:37:51 +02:00
Felix Fontein
e145fe71a9 Move EE tests to nox. (#941) (#942) 
(cherry picked from commit 0636123f56)
 2025-07-25 20:44:16 +02:00
Felix Fontein
b6887ab1f4 Improve error message when lodaing corrupt private key or private key with wrong passphrase. (#939) (#940) 
(cherry picked from commit f219cac94c)
 2025-07-25 15:08:45 +00:00
Felix Fontein
71e9d2273a Prepare 2.26.4. 2025-07-25 14:41:18 +02:00
patchback[bot]
0f2f5a5fe9 Replace FreeBSD 13.3 with 13.5. (#937) (#938) 
(cherry picked from commit b4303b3a32)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-07-24 21:58:15 +02:00
patchback[bot]
d0099b4f3e Ensure consistent SSH key format with idempotent Ed25519 key regeneration (#932) (#933) 
* Ensure consistent SSH key format with idempotent Ed25519 key regeneration

* Update plugins/modules/openssh_keypair.py



* removed extra whitespace

---------


(cherry picked from commit b2ab04861e)

Co-authored-by: Aditya Putta <puttaa@yahoo.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-07-11 12:35:16 +02:00
patchback[bot]
b1dfcf89a4 Docs: mention RFC 9773 instead of the ARI draft (#929) (#930) 
* Mention RFC 9773 instead of the ARI draft.

* Remove mentions of the draft.

(cherry picked from commit fcb50ed142)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-07-06 17:24:28 +02:00
Felix Fontein
e200d363f2 Change devel to 2.19. (#926) 2025-07-01 21:34:01 +02:00
patchback[bot]
513c2fd5a0 [PR #921/bd070e85 backport][stable-2] Docs: use :ansplugin: (#922) 
* Use :ansplugin:. (#921)

(cherry picked from commit bd070e85a3)

* Add ignore.txt entries.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-06-25 22:52:26 +02:00
Felix Fontein
63d347e9f2 Add YAML lint config for extra docs. 
(cherry picked from commits d4fa1d094a
and 087aa70fe9)
 2025-06-17 17:47:47 +02:00
Felix Fontein
5eccff6190 Next release will be 2.26.4. 2025-06-14 17:05:06 +02:00
Felix Fontein
5ca4ecb54b Release 2.26.3. 2025-06-14 16:44:49 +02:00
Felix Fontein
ea970a044f Stick to community.general 10.x.y for CI. 2025-06-13 06:11:49 +02:00
Felix Fontein
3e3318f059 acme_account: check for 'externalAccountRequired' error (#919) (#920) 
* Check for 'externalAccountRequired' error.

* Add changelog fragment.

(cherry picked from commit 056ae1cf69)
 2025-06-13 06:10:41 +02:00
Felix Fontein
ae6fb88896 Prepare 2.26.3. 2025-06-12 22:45:19 +02:00
patchback[bot]
66d7989222 Add HARICA to the list of tested CAs (#915) (#916) 
* Add HARICA to the list of tested CAs



* Add ZeroSSL to list.

---------



(cherry picked from commit ec063d8515)

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-06-08 21:08:04 +02:00
Felix Fontein
99d6a17653 Fix some ansible-lint issues (#907) (#908) 
* Fix fqcn[action-core].

* Fix fqcn[action].

* Fix jinja[spacing].

(cherry picked from commit 8792635bef)
 2025-05-30 22:43:43 +02:00
patchback[bot]
edeed24e8f Document supported curves for Elliptic Curve keys on ACME Accounts (#904) (#906) 
(cherry picked from commit 7241d5543a)

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
 2025-05-30 13:08:08 +02:00
Felix Fontein
2f3809c84b Next release will be 2.26.3. 2025-05-22 22:02:19 +02:00
Felix Fontein
4f92a02bc4 Release 2.26.2. 2025-05-22 21:19:40 +02:00
Felix Fontein
f7b01bae60 Prepare 2.26.2. 2025-05-22 19:58:28 +02:00
Felix Fontein
43d7868646 [stable-2] Remove entrust announcement (#901) 
* Announce removal of Entrust content from community.crypto 3.0.0.

* Add more information on Entrust removal.
 2025-05-22 19:57:08 +02:00
patchback[bot]
3fbf173674 Add RHEL 10.0 to CI. (#899) (#902) 
(cherry picked from commit 41b71bb60c)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-05-22 06:43:36 +02:00
Felix Fontein
d350b94ae6 Lint doc fragments. 
(cherry picked from commit ef230011fd)
 2025-05-01 16:48:13 +02:00
Felix Fontein
a75cc7345a Fix typo. 
(cherry picked from commit 718021b714)
 2025-04-29 08:13:56 +02:00
Felix Fontein
f7795f65b0 Remove 'upcoming' information on 2.0.0. 2025-04-28 12:06:34 +02:00
Felix Fontein
b5d3277798 The next release will be 2.26.2. 
There will be (very likely) no more minor releases from this branch.
 2025-04-28 11:59:23 +02:00
Felix Fontein
f1a170d427 This is now the stable-2 branch. 2025-04-28 11:58:55 +02:00
191 changed files with 3234 additions and 2950 deletions
Expand all files Collapse all files

193
.azure-pipelines/azure-pipelines.yml
View File

@@ -44,23 +44,23 @@ variables:
resources:
containers:
- container: default
image: quay.io/ansible/azure-pipelines-test-container:6.0.0
image: quay.io/ansible/azure-pipelines-test-container:7.0.0
pool: Standard
stages:
### Sanity & units
- stage: Ansible_devel
displayName: Sanity & Units devel
- stage: Ansible_2_19
displayName: Sanity & Units 2.19
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: 'devel/sanity/1'
test: '2.19/sanity/1'
- name: Units
test: 'devel/units/1'
test: '2.19/units/1'
- stage: Ansible_2_18
displayName: Sanity & Units 2.18
dependsOn: []
@@ -72,36 +72,14 @@ stages:
test: '2.18/sanity/1'
- name: Units
test: '2.18/units/1'
- stage: Ansible_2_17
displayName: Sanity & Units 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.17/sanity/1'
- name: Units
test: '2.17/units/1'
- stage: Ansible_2_16
displayName: Sanity & Units 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.16/sanity/1'
- name: Units
test: '2.16/units/1'
### Docker
- stage: Docker_devel
displayName: Docker devel
- stage: Docker_2_19
displayName: Docker 2.19
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/linux/{0}
testFormat: 2.19/linux/{0}
targets:
- name: Fedora 41
test: fedora41
@@ -129,68 +107,32 @@ stages:
groups:
- 1
- 2
- stage: Docker_2_17
displayName: Docker 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.17/linux/{0}
targets:
- name: Fedora 39
test: fedora39
- name: Ubuntu 22.04
test: ubuntu2204
- name: Alpine 3.19
test: alpine319
groups:
- 1
- 2
- stage: Docker_2_16
displayName: Docker 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.16/linux/{0}
targets:
- name: Fedora 38
test: fedora38
- name: openSUSE 15
test: opensuse15
- name: Alpine 3
test: alpine3
groups:
- 1
- 2
### Community Docker
- stage: Docker_community_devel
displayName: Docker (community images) devel
- stage: Docker_community_2_19
displayName: Docker (community images) 2.19
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/linux-community/{0}
testFormat: 2.19/linux-community/{0}
targets:
- name: Debian Bullseye
test: debian-bullseye/3.9
- name: Debian Bookworm
test: debian-bookworm/3.11
- name: ArchLinux
test: archlinux/3.13
groups:
- 1
- 2
### Remote
- stage: Remote_devel_extra_vms
displayName: Remote devel extra VMs
- stage: Remote_2_19_extra_vms
displayName: Remote 2.19 extra VMs
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/{0}
testFormat: 2.19/{0}
targets:
- name: Alpine 3.21
test: alpine/3.21
@@ -202,18 +144,18 @@ stages:
test: ubuntu/24.04
groups:
- vm
- stage: Remote_devel
displayName: Remote devel
- stage: Remote_2_19
displayName: Remote 2.19
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/{0}
testFormat: 2.19/{0}
targets:
- name: macOS 15.3
test: macos/15.3
- name: RHEL 9.5
test: rhel/9.5
- name: RHEL 10.1
test: rhel/10.1
- name: RHEL 9.7
test: rhel/9.7
- name: FreeBSD 14.2
test: freebsd/14.2
- name: FreeBSD 13.5
@@ -231,58 +173,20 @@ stages:
targets:
- name: macOS 14.3
test: macos/14.3
- name: RHEL 9.4
test: rhel/9.4
- name: FreeBSD 14.1
test: freebsd/14.1
groups:
- 1
- 2
- stage: Remote_2_17
displayName: Remote 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.17/{0}
targets:
- name: RHEL 9.3
test: rhel/9.3
- name: FreeBSD 13.3
test: freebsd/13.3
groups:
- 1
- 2
- stage: Remote_2_16
displayName: Remote 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.16/{0}
targets:
- name: macOS 13.2
test: macos/13.2
- name: RHEL 9.2
test: rhel/9.2
- name: RHEL 8.8
test: rhel/8.8
- name: RHEL 7.9
test: rhel/7.9
# - name: FreeBSD 13.2
# test: freebsd/13.2
groups:
- 1
- 2
### Generic
- stage: Generic_devel
displayName: Generic devel
- stage: Generic_2_19
displayName: Generic 2.19
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: devel/generic/{0}
testFormat: 2.19/generic/{0}
targets:
- test: "3.8"
# - test: "3.9"
@@ -306,58 +210,21 @@ stages:
groups:
- 1
- 2
- stage: Generic_2_17
displayName: Generic 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.17/generic/{0}
targets:
- test: "3.7"
- test: "3.12"
groups:
- 1
- 2
- stage: Generic_2_16
displayName: Generic 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.16/generic/{0}
targets:
- test: "2.7"
- test: "3.6"
- test: "3.11"
groups:
- 1
- 2
## Finally
- stage: Summary
condition: succeededOrFailed()
dependsOn:
- Ansible_devel
- Ansible_2_19
- Ansible_2_18
- Ansible_2_17
- Ansible_2_16
- Remote_devel_extra_vms
- Remote_devel
- Remote_2_19_extra_vms
- Remote_2_19
- Remote_2_18
- Remote_2_17
- Remote_2_16
- Docker_devel
- Docker_2_19
- Docker_2_18
- Docker_2_17
- Docker_2_16
- Docker_community_devel
- Generic_devel
- Docker_community_2_19
- Generic_2_19
- Generic_2_18
- Generic_2_17
- Generic_2_16
jobs:
- template: templates/coverage.yml

96
.github/workflows/ansible-test.yml vendored
View File

@@ -36,6 +36,8 @@ jobs:
- '2.13'
- '2.14'
- '2.15'
- '2.16'
- '2.17'
runs-on: ubuntu-latest
steps:
- name: Perform sanity testing
@@ -65,6 +67,8 @@ jobs:
- '2.13'
- '2.14'
- '2.15'
- '2.16'
- '2.17'
steps:
- name: >-
@@ -265,6 +269,96 @@ jobs:
docker: default
python: '3.10'
target: azp/generic/2/
# 2.16
- ansible: '2.16'
docker: fedora38
python: ''
target: azp/posix/1/
- ansible: '2.16'
docker: fedora38
python: ''
target: azp/posix/2/
- ansible: '2.16'
docker: opensuse15
python: ''
target: azp/posix/1/
- ansible: '2.16'
docker: opensuse15
python: ''
target: azp/posix/2/
- ansible: '2.16'
docker: alpine3
python: ''
target: azp/posix/1/
- ansible: '2.16'
docker: alpine3
python: ''
target: azp/posix/2/
- ansible: '2.16'
docker: default
python: '2.7'
target: azp/generic/1/
- ansible: '2.16'
docker: default
python: '2.7'
target: azp/generic/2/
- ansible: '2.16'
docker: default
python: '3.6'
target: azp/generic/1/
- ansible: '2.16'
docker: default
python: '3.6'
target: azp/generic/2/
- ansible: '2.16'
docker: default
python: '3.11'
target: azp/generic/1/
- ansible: '2.16'
docker: default
python: '3.11'
target: azp/generic/2/
# 2.17
- ansible: '2.17'
docker: fedora39
python: ''
target: azp/posix/1/
- ansible: '2.17'
docker: fedora39
python: ''
target: azp/posix/2/
- ansible: '2.17'
docker: ubuntu2204
python: ''
target: azp/posix/1/
- ansible: '2.17'
docker: ubuntu2204
python: ''
target: azp/posix/2/
- ansible: '2.17'
docker: alpine319
python: ''
target: azp/posix/1/
- ansible: '2.17'
docker: alpine319
python: ''
target: azp/posix/2/
- ansible: '2.17'
docker: default
python: '3.7'
target: azp/generic/1/
- ansible: '2.17'
docker: default
python: '3.7'
target: azp/generic/2/
- ansible: '2.17'
docker: default
python: '3.12'
target: azp/generic/1/
- ansible: '2.17'
docker: default
python: '3.12'
target: azp/generic/2/
steps:
- name: >-
@@ -284,7 +378,7 @@ jobs:
pre-test-cmd: >-
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git ../../community/internal_test_tools
;
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.general.git ../../community/general
git clone --depth=1 --single-branch --branch stable-10 https://github.com/ansible-collections/community.general.git ../../community/general
pull-request-change-detection: 'true'
target: ${{ matrix.target }}
target-python-version: ${{ matrix.python }}

180
.github/workflows/ee.yml vendored
View File

@@ -1,180 +0,0 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
name: execution environment
'on':
# Run CI against all pushes (direct commits, also merged PRs), Pull Requests
push:
branches:
- main
- stable-*
pull_request:
# Run CI once per day (at 09:00 UTC)
# This ensures that even if there haven't been commits that we are still testing against latest version of ansible-builder
schedule:
- cron: '0 9 * * *'
env:
NAMESPACE: community
COLLECTION_NAME: crypto
jobs:
build:
name: Build and test EE (${{ matrix.name }})
strategy:
fail-fast: false
matrix:
name:
- ''
ansible_core:
- ''
ansible_runner:
- ''
base_image:
- ''
pre_base:
- ''
extra_vars:
- ''
other_deps:
- ''
exclude:
- ansible_core: ''
include:
- name: ansible-core devel @ RHEL UBI 9
ansible_core: https://github.com/ansible/ansible/archive/devel.tar.gz
ansible_runner: ansible-runner
other_deps: |2
python_interpreter:
package_system: python3.11 python3.11-pip python3.11-wheel python3.11-cryptography
python_path: "/usr/bin/python3.11"
base_image: docker.io/redhat/ubi9:latest
pre_base: '"#"'
# For some reason ansible-builder will not install EPEL dependencies on RHEL
extra_vars: -e has_no_pyopenssl=true
- name: ansible-core 2.15 @ Rocky Linux 9
ansible_core: https://github.com/ansible/ansible/archive/stable-2.15.tar.gz
ansible_runner: ansible-runner
base_image: quay.io/rockylinux/rockylinux:9
pre_base: RUN dnf install -y epel-release
# For some reason ansible-builder will not install EPEL dependencies on Rocky Linux
extra_vars: -e has_no_pyopenssl=true
- name: ansible-core 2.14 @ CentOS Stream 9
ansible_core: https://github.com/ansible/ansible/archive/stable-2.14.tar.gz
ansible_runner: ansible-runner
base_image: quay.io/centos/centos:stream9
pre_base: RUN dnf install -y epel-release epel-next-release
# For some reason, PyOpenSSL is **broken** on CentOS Stream 9 / EPEL
extra_vars: -e has_no_pyopenssl=true
- name: ansible-core 2.13 @ RHEL UBI 8
ansible_core: https://github.com/ansible/ansible/archive/stable-2.13.tar.gz
ansible_runner: ansible-runner
other_deps: |2
python_interpreter:
package_system: python39 python39-pip python39-wheel python39-cryptography
base_image: docker.io/redhat/ubi8:latest
pre_base: '"#"'
# We don't have PyOpenSSL for Python 3.9
extra_vars: -e has_no_pyopenssl=true
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install ansible-builder and ansible-navigator
run: pip install ansible-builder ansible-navigator
- name: Verify requirements
run: ansible-builder introspect --sanitize .
- name: Make sure galaxy.yml has version entry
run: >-
python -c
'import yaml ;
f = open("galaxy.yml", "rb") ;
data = yaml.safe_load(f) ;
f.close() ;
data["version"] = data.get("version") or "0.0.1" ;
f = open("galaxy.yml", "wb") ;
f.write(yaml.dump(data).encode("utf-8")) ;
f.close() ;
'
working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Build collection
run: |
ansible-galaxy collection build --output-path ../../../
working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Create files for building execution environment
run: |
COLLECTION_FILENAME="$(ls "${NAMESPACE}-${COLLECTION_NAME}"-*.tar.gz)"
# EE config
cat > execution-environment.yml <<EOF
---
version: 3
dependencies:
ansible_core:
package_pip: ${{ matrix.ansible_core }}
ansible_runner:
package_pip: ${{ matrix.ansible_runner }}
galaxy: requirements.yml
${{ matrix.other_deps }}
images:
base_image:
name: ${{ matrix.base_image }}
additional_build_files:
- src: ${COLLECTION_FILENAME}
dest: src
additional_build_steps:
prepend_base:
- ${{ matrix.pre_base }}
EOF
echo "::group::execution-environment.yml"
cat execution-environment.yml
echo "::endgroup::"
# Requirements
cat > requirements.yml <<EOF
---
collections:
- name: src/${COLLECTION_FILENAME}
type: file
EOF
echo "::group::requirements.yml"
cat requirements.yml
echo "::endgroup::"
- name: Build image based on ${{ matrix.base_image }}
run: |
ansible-builder build --verbosity 3 --tag test-ee:latest --container-runtime podman
- name: Show images
run: podman image ls
- name: Run basic tests
run: >
ansible-navigator run
--mode stdout
--container-engine podman
--pull-policy never
--set-environment-variable ANSIBLE_PRIVATE_ROLE_VARS=true
--execution-environment-image test-ee:latest
-v
all.yml
${{ matrix.extra_vars }}
working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}/tests/ee

5
.github/workflows/nox.yml vendored
View File

@@ -21,8 +21,11 @@ jobs:
name: "Run extra sanity tests"
steps:
- name: Check out collection
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Run nox
uses: ansible-community/antsibull-nox@main
ansible-test:
uses: ansible-community/antsibull-nox/.github/workflows/reusable-nox-matrix.yml@main

53
.yamllint-extra-docs Normal file
View File

@@ -0,0 +1,53 @@
---
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
extends: default
ignore: |
/changelogs/
rules:
line-length:
max: 160
level: error
document-start: disable
document-end:
present: false
truthy:
level: error
allowed-values:
- 'true'
- 'false'
indentation:
spaces: 2
indent-sequences: true
key-duplicates: enable
trailing-spaces: enable
new-line-at-end-of-file: disable
hyphens:
max-spaces-after: 1
empty-lines:
max: 2
max-start: 0
max-end: 0
commas:
max-spaces-before: 0
min-spaces-after: 1
max-spaces-after: 1
colons:
max-spaces-before: 0
max-spaces-after: 1
brackets:
min-spaces-inside: 0
max-spaces-inside: 0
braces:
min-spaces-inside: 0
max-spaces-inside: 1
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
comments:
min-spaces-from-content: 1
comments-indentation: false

697
CHANGELOG.md
View File

File diff suppressed because it is too large Load Diff

78
CHANGELOG.rst
View File

@@ -4,6 +4,84 @@ Community Crypto Release Notes
.. contents:: Topics
v2.26.7
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- crypto_info, openssl_privatekey, openssl_privatekey_pipe - fix detection of EC support for cryptography 46.0.5+ (https://github.com/ansible-collections/community.crypto/pull/981).
v2.26.6
=======
Release Summary
---------------
Maintenance release.
v2.26.5
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- acme_* modules - also retry on HTTP responses 502 Bad Gateway and 504 Gateway Timeout. The latter is needed for ZeroSSL, which seems to have a lot of 504s (https://github.com/ansible-collections/community.crypto/issues/945, https://github.com/ansible-collections/community.crypto/pull/947).
- acme_* modules - increase the maximum amount of retries from 10 to 20 to accomodate ZeroSSL's buggy implementation (https://github.com/ansible-collections/community.crypto/pull/949).
v2.26.4
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- Improve error message when loading a private key fails due to correct private key files or wrong passwords. Also include the original cryptography error since it likely contains more helpful information (https://github.com/ansible-collections/community.crypto/issues/936, https://github.com/ansible-collections/community.crypto/pull/939).
v2.26.3
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- acme_account - make work with CAs that do not accept any account request without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918, https://github.com/ansible-collections/community.crypto/pull/919).
v2.26.2
=======
Release Summary
---------------
Maintenance release announcing removal of the Entrust content from community.crypto 3.0.0.
Deprecated Features
-------------------
- The Entrust service in currently being sunsetted after the sale of Entrust's Public Certificates Business to Sectigo; see `the announcement with key dates <https://www.entrust.com/tls-certificate-information-center>`__ and `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__ for details (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_certificate - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
v2.26.1
=======

28
README.md
View File

@@ -7,9 +7,9 @@ SPDX-License-Identifier: GPL-3.0-or-later
# Ansible Community Crypto Collection
[![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/crypto/)
[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions)
[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions)
[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=stable-2)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.crypto)](https://codecov.io/gh/ansible-collections/community.crypto)
[![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.crypto)](https://api.reuse.software/info/github.com/ansible-collections/community.crypto)
@@ -40,7 +40,7 @@ For more information about communication, see the [Ansible communication guide](
## Tested with Ansible
Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, ansible-core 2.16, ansible-core-2.17, and ansible-core 2.18 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, ansible-core 2.16, ansible-core-2.17, ansible-core-2.18, and ansible-core 2.19 releases. Ansible versions before 2.9.10 are not supported.
## External requirements
@@ -54,7 +54,7 @@ Browsing the [**latest** collection documentation](https://docs.ansible.com/ansi
Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/crypto) shows docs for the _latest version released on Galaxy_.
We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/) which shows docs for the _latest commit in the `main` branch_.
We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/) which shows docs for the _latest commit in the `stable-2` branch_.
If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
@@ -109,7 +109,7 @@ If you use the Ansible package and do not update collections independently, use
- luks_device module
- parse_serial and to_serial filters
You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/).
You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/).
## Using this collection
@@ -141,19 +141,15 @@ See [Ansible's dev guide](https://docs.ansible.com/ansible/devel/dev_guide/devel
## Release notes
See the [changelog](https://github.com/ansible-collections/community.crypto/blob/main/CHANGELOG.md).
See the [changelog](https://github.com/ansible-collections/community.crypto/blob/stable-2/CHANGELOG.md).
## Roadmap
We plan to regularly release minor and patch versions, whenever new features are added or bugs fixed. Our collection follows [semantic versioning](https://semver.org/), so breaking changes will only happen in major releases.
Most modules will drop PyOpenSSL support in version 2.0.0 of the collection, i.e. in the next major version. We currently plan to release 2.0.0 somewhen during 2021. Around then, the supported versions of the most common distributions will contain a new enough version of ``cryptography``.
Once 2.0.0 has been released, bugfixes will still be backported to 1.0.0 for some time, and some features might also be backported. If we do not want to backport something ourselves because we think it is not worth the effort, backport PRs by non-maintainers are usually accepted.
In 2.0.0, the following notable features will be removed:
* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which does not have a ``cryptography`` backend due to lack of support of PKCS#12 functionality in ``cryptography``.
* The ``assertonly`` provider of ``x509_certificate`` will be removed.
In 2.0.0, the following notable features have been removed:
* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which did now have a ``cryptography`` backend for a long time due to lack of support of PKCS#12 functionality in ``cryptography``. (This changed.)
* The ``assertonly`` provider of ``x509_certificate`` has been removed.
## More information
@@ -166,8 +162,8 @@ In 2.0.0, the following notable features will be removed:
This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/main/COPYING) for the full text.
See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/stable-2/COPYING) for the full text.
Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/).

60
antsibull-nox.toml
View File

@@ -3,8 +3,14 @@
# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
[collection_sources]
"community.general" = "git+https://github.com/ansible-collections/community.general.git,main"
"community.internal_test_tools" = "git+https://github.com/ansible-collections/community.internal_test_tools.git,main"
[vcs]
vcs = "git"
development_branch = "main"
stable_branches = [ "stable-*" ]
[sessions]
[sessions.lint]
@@ -18,6 +24,7 @@ run_yamllint = true
yamllint_config = ".yamllint"
yamllint_config_plugins = ".yamllint-docs"
yamllint_config_plugins_examples = ".yamllint-examples"
yamllint_config_extra_docs = ".yamllint-extra-docs"
run_mypy = false
[sessions.docs_check]
@@ -46,3 +53,56 @@ doc_fragment = "community.crypto.attributes.actiongroup_acme"
run_galaxy_importer = true
# [sessions.ansible_lint]
[[sessions.ee_check.execution_environments]]
name = "devel-ubi-9"
description = "ansible-core devel @ RHEL UBI 9"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "docker.io/redhat/ubi9:latest"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/devel.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.dependencies.python_interpreter.package_system = "python3.12 python3.12-pip python3.12-wheel python3.12-cryptography"
config.dependencies.python_interpreter.python_path = "/usr/bin/python3.12"
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# For some reason ansible-builder will not install EPEL dependencies on RHEL
runtime_extra_vars = { "has_no_pyopenssl" = "true" }
[[sessions.ee_check.execution_environments]]
name = "2.15-rocky-9"
description = "ansible-core 2.15 @ Rocky Linux 9"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "quay.io/rockylinux/rockylinux:9"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.15.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.additional_build_steps.prepend_base = [
"RUN dnf install -y epel-release",
]
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# For some reason ansible-builder will not install EPEL dependencies on Rocky Linux
runtime_extra_vars = { "has_no_pyopenssl" = "true" }
[[sessions.ee_check.execution_environments]]
name = "2.14-centos-stream-9"
description = "ansible-core 2.14 @ CentOS Stream 9"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "quay.io/centos/centos:stream9"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.14.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.additional_build_steps.prepend_base = [
"RUN dnf install -y epel-release epel-next-release",
]
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# For some reason, PyOpenSSL is **broken** on CentOS Stream 9 / EPEL
runtime_extra_vars = { "has_no_pyopenssl" = "true" }
[[sessions.ee_check.execution_environments]]
name = "2.13-ubi-8"
description = "ansible-core 2.13 @ RHEL UBI 8"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "docker.io/redhat/ubi8:latest"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.13.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.dependencies.python_interpreter.package_system = "python39 python39-pip python39-wheel python39-cryptography"
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# We don't have PyOpenSSL for Python 3.9
runtime_extra_vars = { "has_no_pyopenssl" = "true" }

79
changelogs/changelog.yaml
View File

@@ -1643,3 +1643,82 @@ releases:
- 867-passphrase-encoding-nolog.yml
- 868-luks-remove-keyslot.yml
release_date: '2025-04-28'
2.26.2:
changes:
deprecated_features:
- The Entrust service in currently being sunsetted after the sale of Entrust's
Public Certificates Business to Sectigo; see `the announcement with key
dates <https://www.entrust.com/tls-certificate-information-center>`__ and
`the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__
for details (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_certificate - the module will be removed from community.crypto 3.0.0
(https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate - the ``entrust`` provider will be removed from community.crypto
3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto
3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
release_summary: Maintenance release announcing removal of the Entrust content
from community.crypto 3.0.0.
fragments:
- 2.26.2.yml
- 901-remove-entrust.yml
release_date: '2025-05-22'
2.26.3:
changes:
bugfixes:
- acme_account - make work with CAs that do not accept any account request
without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918,
https://github.com/ansible-collections/community.crypto/pull/919).
release_summary: Bugfix release.
fragments:
- 2.26.3.yml
- 919-acme_account-ear.yml
release_date: '2025-06-14'
2.26.4:
changes:
bugfixes:
- Improve error message when loading a private key fails due to correct private
key files or wrong passwords. Also include the original cryptography error
since it likely contains more helpful information (https://github.com/ansible-collections/community.crypto/issues/936,
https://github.com/ansible-collections/community.crypto/pull/939).
release_summary: Bugfix release.
fragments:
- 2.26.4.yml
- 939-private-key-errors.yml
release_date: '2025-07-26'
2.26.5:
changes:
bugfixes:
- acme_* modules - also retry on HTTP responses 502 Bad Gateway and 504 Gateway
Timeout. The latter is needed for ZeroSSL, which seems to have a lot of
504s (https://github.com/ansible-collections/community.crypto/issues/945,
https://github.com/ansible-collections/community.crypto/pull/947).
- acme_* modules - increase the maximum amount of retries from 10 to 20 to
accomodate ZeroSSL's buggy implementation (https://github.com/ansible-collections/community.crypto/pull/949).
release_summary: Bugfix release.
fragments:
- 2.26.5.yml
- 947-acme-retry.yml
- 949-acme-retry.yml
release_date: '2025-08-04'
2.26.6:
changes:
release_summary: Maintenance release.
fragments:
- 2.26.6.yml
release_date: '2025-10-29'
2.26.7:
changes:
bugfixes:
- crypto_info, openssl_privatekey, openssl_privatekey_pipe - fix detection
of EC support for cryptography 46.0.5+ (https://github.com/ansible-collections/community.crypto/pull/981).
release_summary: Bugfix release.
fragments:
- 2.26.7.yml
- 981-ec.yml
release_date: '2026-02-12'

2
changelogs/config.yaml
View File

@@ -7,6 +7,7 @@ changelog_filename_template: ../CHANGELOG.rst
changelog_filename_version_depth: 0
changes_file: changelog.yaml
changes_format: combined
ignore_other_fragment_extensions: true
keep_fragments: false
mention_ancestor: true
new_plugins_after_name: removed_features
@@ -39,3 +40,4 @@ use_fqcn: true
add_plugin_period: true
changelog_nice_yaml: true
changelog_sort: version
vcs: auto

4
docs/docsite/rst/guide_ownca.rst
View File

@@ -51,7 +51,7 @@ The following instructions show how to set up a simple self-signed CA certificat
Use the CA to sign a certificate
--------------------------------
To sign a certificate, you must pass a CSR to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>` or :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`.
To sign a certificate, you must pass a CSR to the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>` or :ansplugin:`community.crypto.x509_certificate_pipe module <community.crypto.x509_certificate_pipe#module>`.
In the following example, we assume that the certificate to sign (including its private key) are on ``server_1``, while our CA certificate is on ``server_2``. We do not want any key material to leave each respective server.
@@ -94,7 +94,7 @@ In the following example, we assume that the certificate to sign (including its
delegate_to: server_1
run_once: true
Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`, and only writes the result back if it was changed:
Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ansplugin:`community.crypto.x509_certificate_pipe module <community.crypto.x509_certificate_pipe#module>`, and only writes the result back if it was changed:
.. code-block:: yaml+jinja

6
docs/docsite/rst/guide_selfsigned.rst
View File

@@ -10,7 +10,7 @@ How to create self-signed certificates
The `community.crypto collection <https://galaxy.ansible.com/ui/repo/published/community/crypto/>`_ offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.
For creating any kind of certificate, you always have to start with a private key. You can use the :ref:`community.crypto.openssl_privatekey module <ansible_collections.community.crypto.openssl_privatekey_module>` to create a private key. If you only specify :ansopt:`community.crypto.openssl_privatekey#module:path`, the default parameters will be used. This will result in a 4096 bit RSA private key:
For creating any kind of certificate, you always have to start with a private key. You can use the :ansplugin:`community.crypto.openssl_privatekey module <community.crypto.openssl_privatekey#module>` to create a private key. If you only specify :ansopt:`community.crypto.openssl_privatekey#module:path`, the default parameters will be used. This will result in a 4096 bit RSA private key:
.. code-block:: yaml+jinja
@@ -28,7 +28,7 @@ You can specify :ansopt:`community.crypto.openssl_privatekey#module:type` to sel
type: X25519
passphrase: changeme
To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`:
To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>`:
.. code-block:: yaml+jinja
@@ -42,7 +42,7 @@ To create a very simple self-signed certificate with no specific information, yo
You can use :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_after` to define when the certificate expires (default: in roughly 10 years), and :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_before` to define from when the certificate is valid (default: now).
To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`. If you do not need the CSR file, you can use the :ref:`community.crypto.openssl_csr_pipe module <ansible_collections.community.crypto.openssl_csr_pipe_module>` as in the example below. (To store it to disk, use the :ref:`community.crypto.openssl_csr module <ansible_collections.community.crypto.openssl_csr_module>` instead.)
To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>`. If you do not need the CSR file, you can use the :ansplugin:`community.crypto.openssl_csr_pipe module <community.crypto.openssl_csr_pipe#module>` as in the example below. (To store it to disk, use the :ansplugin:`community.crypto.openssl_csr module <community.crypto.openssl_csr#module>` instead.)
.. code-block:: yaml+jinja

2
galaxy.yml
View File

@@ -5,7 +5,7 @@
namespace: community
name: crypto
version: 2.26.1
version: 2.26.7
readme: README.md
authors:
- Ansible (github.com/ansible)

21
plugins/doc_fragments/acme.py
View File

@@ -117,11 +117,12 @@ options:
BASIC = r"""
notes:
- Although the defaults are chosen so that the module can be used with the L(Let's Encrypt,https://letsencrypt.org/) CA,
the module can in principle be used with any CA providing an ACME endpoint, such as L(Buypass Go SSL,https://www.buypass.com/ssl/products/acme).
- So far, the ACME modules have only been tested by the developers against Let's Encrypt (staging and production), Buypass
(staging and production), ZeroSSL (production), and L(Pebble testing server,https://github.com/letsencrypt/Pebble). We
have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with
another ACME server, please L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose)
the module can in principle be used with any CA providing an ACME endpoint.
- So far, the ACME modules have only been tested by the developers against Let's Encrypt (staging and production),
ZeroSSL (production), and L(Pebble testing server,https://github.com/letsencrypt/Pebble).
We have got community feedback that they also work with Sectigo ACME Service for InCommon and with HARICA.
If you experience problems with another ACME server, please
L(create an issue, https://github.com/ansible-collections/community.crypto/issues/new/choose)
to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
requirements:
- either openssl or L(cryptography,https://cryptography.io/) >= 1.5
@@ -140,12 +141,11 @@ options:
- The ACME directory to use. This is the entry point URL to access the ACME CA server API.
- For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create
technically correct, but untrusted certificates.
- "For Let's Encrypt, all staging endpoints can be found here: U(https://letsencrypt.org/docs/staging-environment/).
For Buypass, all endpoints can be found here: U(https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints)."
- "For Let's Encrypt, all staging endpoints can be found here: U(https://letsencrypt.org/docs/staging-environment/)."
- For B(Let's Encrypt), the production directory URL for ACME v2 is U(https://acme-v02.api.letsencrypt.org/directory).
- For B(Buypass), the production directory URL for ACME v2 and v1 is U(https://api.buypass.com/acme/directory).
- For B(ZeroSSL), the production directory URL for ACME v2 is U(https://acme.zerossl.com/v2/DV90).
- For B(Sectigo), the production directory URL for ACME v2 is U(https://acme-qa.secure.trust-provider.com/v2/DV).
- For B(HARICA), the production directory URL for ACME v2 is U(https://acme.harica.gr/XXX/directory) with XXX being specific to your account.
- The notes for this module contain a list of ACME services this module has been tested against.
required: true
type: str
@@ -185,6 +185,7 @@ options:
account_key_src:
description:
- Path to a file containing the ACME account RSA or Elliptic Curve key.
- "For Elliptic Curve keys only the following curves are supported: V(secp256r1), V(secp384r1), and V(secp521r1)."
- 'Private keys can be created with the M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe)
modules. If the requisite (cryptography) is not available, keys can also be created directly with the C(openssl) command
line tool: RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys can be created with C(openssl ecparam
@@ -192,10 +193,12 @@ options:
- Mutually exclusive with O(account_key_content).
- Required if O(account_key_content) is not used.
type: path
aliases: [account_key]
aliases:
- account_key
account_key_content:
description:
- Content of the ACME account RSA or Elliptic Curve key.
- "For Elliptic Curve keys only the following curves are supported: V(secp256r1), V(secp384r1), and V(secp521r1)."
- Mutually exclusive with O(account_key_src).
- Required if O(account_key_src) is not used.
- B(Warning:) the content will be written into a temporary file, which will be deleted by Ansible when the module completes.

8
plugins/doc_fragments/module_certificate.py
View File

@@ -125,7 +125,7 @@ options:
acme_directory:
description:
- "The ACME directory to use. You can use any directory that supports the ACME protocol, such as Buypass or Let's Encrypt."
- "The ACME directory to use. You can use any directory that supports the ACME protocol, such as Let's Encrypt."
- "Let's Encrypt recommends using their staging server while developing jobs. U(https://letsencrypt.org/docs/staging-environment/)."
type: str
default: https://acme-v02.api.letsencrypt.org/directory
@@ -377,7 +377,8 @@ options:
- This is only used by the V(selfsigned) provider.
type: str
default: +0s
aliases: [ selfsigned_notBefore ]
aliases:
- selfsigned_notBefore
selfsigned_not_after:
description:
@@ -395,7 +396,8 @@ options:
Please see U(https://support.apple.com/en-us/HT210176) for more details.
type: str
default: +3650d
aliases: [ selfsigned_notAfter ]
aliases:
- selfsigned_notAfter
selfsigned_create_subject_key_identifier:
description:

63
plugins/doc_fragments/module_csr.py
View File

@@ -75,37 +75,51 @@ options:
description:
- The countryName field of the certificate signing request subject.
type: str
aliases: [C, countryName]
aliases:
- C
- countryName
state_or_province_name:
description:
- The stateOrProvinceName field of the certificate signing request subject.
type: str
aliases: [ST, stateOrProvinceName]
aliases:
- ST
- stateOrProvinceName
locality_name:
description:
- The localityName field of the certificate signing request subject.
type: str
aliases: [L, localityName]
aliases:
- L
- localityName
organization_name:
description:
- The organizationName field of the certificate signing request subject.
type: str
aliases: [O, organizationName]
aliases:
- O
- organizationName
organizational_unit_name:
description:
- The organizationalUnitName field of the certificate signing request subject.
type: str
aliases: [OU, organizationalUnitName]
aliases:
- OU
- organizationalUnitName
common_name:
description:
- The commonName field of the certificate signing request subject.
type: str
aliases: [CN, commonName]
aliases:
- CN
- commonName
email_address:
description:
- The emailAddress field of the certificate signing request subject.
type: str
aliases: [E, emailAddress]
aliases:
- E
- emailAddress
subject_alt_name:
description:
- Subject Alternative Name (SAN) extension to attach to the certificate signing request.
@@ -116,63 +130,75 @@ options:
- More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6).
type: list
elements: str
aliases: [subjectAltName]
aliases:
- subjectAltName
subject_alt_name_critical:
description:
- Should the subjectAltName extension be considered as critical.
type: bool
default: false
aliases: [subjectAltName_critical]
aliases:
- subjectAltName_critical
use_common_name_for_san:
description:
- If set to V(true), the module will fill the common name in for O(subject_alt_name) with C(DNS:) prefix if no SAN is
specified.
type: bool
default: true
aliases: [useCommonNameForSAN]
aliases:
- useCommonNameForSAN
key_usage:
description:
- This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate.
type: list
elements: str
aliases: [keyUsage]
aliases:
- keyUsage
key_usage_critical:
description:
- Should the keyUsage extension be considered as critical.
type: bool
default: false
aliases: [keyUsage_critical]
aliases:
- keyUsage_critical
extended_key_usage:
description:
- Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which
the public key may be used.
type: list
elements: str
aliases: [extKeyUsage, extendedKeyUsage]
aliases:
- extKeyUsage
- extendedKeyUsage
extended_key_usage_critical:
description:
- Should the extkeyUsage extension be considered as critical.
type: bool
default: false
aliases: [extKeyUsage_critical, extendedKeyUsage_critical]
aliases:
- extKeyUsage_critical
- extendedKeyUsage_critical
basic_constraints:
description:
- Indicates basic constraints, such as if the certificate is a CA.
type: list
elements: str
aliases: [basicConstraints]
aliases:
- basicConstraints
basic_constraints_critical:
description:
- Should the basicConstraints extension be considered as critical.
type: bool
default: false
aliases: [basicConstraints_critical]
aliases:
- basicConstraints_critical
ocsp_must_staple:
description:
- Indicates that the certificate should contain the OCSP Must Staple extension (U(https://tools.ietf.org/html/rfc7633)).
type: bool
default: false
aliases: [ocspMustStaple]
aliases:
- ocspMustStaple
ocsp_must_staple_critical:
description:
- Should the OCSP Must Staple extension be considered as critical.
@@ -180,7 +206,8 @@ options:
OCSP Must Staple are required to reject such certificates (see U(https://tools.ietf.org/html/rfc7633#section-4)).
type: bool
default: false
aliases: [ocspMustStaple_critical]
aliases:
- ocspMustStaple_critical
name_constraints_permitted:
description:
- For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed

29
plugins/module_utils/acme/account.py
View File

@@ -73,13 +73,28 @@ class ACMEAccount(object):
# and provide external_account_binding credentials. Thus we first send a request with allow_creation=False
# to see whether the account already exists.
# Note that we pass contact here: ZeroSSL does not accept registration calls without contacts, even
# if onlyReturnExisting is set to true.
created, data = self._new_reg(contact=contact, allow_creation=False)
if data:
# An account already exists! Return data
return created, data
# An account does not yet exist. Try to create one next.
# Unfortunately, for other ACME servers it's the other way around: (at least some) HARICA endpoints
# do not allow *any* access without external account data. That's why we catch errors and check
# for 'externalAccountRequired'.
try:
# Note that we pass contact here: ZeroSSL does not accept registration calls without contacts, even
# if onlyReturnExisting is set to true.
created, data = self._new_reg(contact=contact, allow_creation=False)
if data:
# An account already exists! Return data
return created, data
# An account does not yet exist. Try to create one next.
except ACMEProtocolException as exc:
if (
exc.error_type
!= "urn:ietf:params:acme:error:externalAccountRequired"
or external_account_binding is None
):
# Either another error happened, or we got 'externalAccountRequired' and external account data was not supplied
# => re-raise exception!
raise
# In this case, the server really wants external account data.
# The below code tries to create the account with external account data present.
new_reg = {"contact": contact}
if not allow_creation:

4
plugins/module_utils/acme/acme.py
View File

@@ -60,9 +60,9 @@ else:
# -1 usually means connection problems
RETRY_STATUS_CODES = (-1, 408, 429, 503)
RETRY_STATUS_CODES = (-1, 408, 429, 502, 503, 504)
RETRY_COUNT = 10
RETRY_COUNT = 20
def _decode_retry(module, response, info, retry_count):

2
plugins/module_utils/crypto/module_backends/privatekey.py
View File

@@ -276,7 +276,7 @@ class PrivateKeyBackend:
class PrivateKeyCryptographyBackend(PrivateKeyBackend):
def _get_ec_class(self, ectype):
ecclass = cryptography.hazmat.primitives.asymmetric.ec.__dict__.get(ectype)
ecclass = getattr(cryptography.hazmat.primitives.asymmetric.ec, ectype, None)
if ecclass is None:
self.module.fail_json(
msg="Your cryptography version does not support {0}".format(ectype)

9
plugins/module_utils/crypto/support.py
View File

@@ -40,6 +40,7 @@ except (ImportError, AttributeError):
try:
from cryptography import x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends import default_backend as cryptography_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.serialization import load_pem_private_key
@@ -213,12 +214,16 @@ def load_privatekey(
None if passphrase is None else to_bytes(passphrase),
cryptography_backend(),
)
except UnsupportedAlgorithm as exc:
raise OpenSSLBadPassphraseError("Unsupported private key type: {exc}".format(exc=exc))
except TypeError:
raise OpenSSLBadPassphraseError(
"Wrong or empty passphrase provided for private key"
)
except ValueError:
raise OpenSSLBadPassphraseError("Wrong passphrase provided for private key")
except ValueError as exc:
raise OpenSSLBadPassphraseError(
"Wrong passphrase provided for private key, or private key cannot be parsed: {exc}".format(exc=exc)
)
return result

4
plugins/modules/acme_account.py
View File

@@ -105,8 +105,8 @@ options:
external_account_binding:
description:
- Allows to provide external account binding data during account creation.
- This is used by CAs like Sectigo to bind a new ACME account to an existing CA-specific account, to be able to properly
identify a customer.
- This is used by CAs like Sectigo, HARICA, or ZeroSSL to bind a new ACME account to an existing CA-specific account,
to be able to properly identify a customer.
- Only used when creating a new account. Can not be specified for ACME v1.
type: dict
suboptions:

5
plugins/modules/acme_ari_info.py
View File

@@ -19,8 +19,7 @@ short_description: Retrieves ACME Renewal Information (ARI) for a certificate
description:
- Allows to retrieve renewal information on a certificate obtained with the L(ACME protocol,https://tools.ietf.org/html/rfc8555).
- This module only works with the ACME v2 protocol, and requires the ACME server to support the ARI extension
(U(https://datatracker.ietf.org/doc/draft-ietf-acme-ari/)).
This module implements version 3 of the ARI draft.
(L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html)).
extends_documentation_fragment:
- community.crypto.acme.basic
- community.crypto.acme.no_account
@@ -59,7 +58,7 @@ EXAMPLES = r"""
RETURN = r"""
renewal_info:
description: The ARI renewal info object (U(https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.2)).
description: The ARI renewal info object (U(https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2)).
returned: success
type: dict
contains:

11
plugins/modules/acme_certificate.py
View File

@@ -17,8 +17,8 @@ author: "Michael Gruener (@mgruener)"
short_description: Create SSL/TLS certificates with the ACME protocol
description:
- Create and renew SSL/TLS certificates with a CA supporting the L(ACME protocol,https://tools.ietf.org/html/rfc8555), such
as L(Let's Encrypt,https://letsencrypt.org/) or L(Buypass,https://www.buypass.com/). The current implementation supports
the V(http-01), V(dns-01) and V(tls-alpn-01) challenges.
as L(Let's Encrypt,https://letsencrypt.org/).
The current implementation supports the V(http-01), V(dns-01) and V(tls-alpn-01) challenges.
- To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note
that the output of the first run needs to be recorded and passed to the second run as the module argument O(data).
- Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For
@@ -40,9 +40,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority. Provides useful information for example on rate
limits.
link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority. Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555
@@ -242,8 +239,8 @@ options:
type: str
include_renewal_cert_id:
description:
- Determines whether to request renewal of an existing certificate according to L(the ACME ARI draft 3,
https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-5).
- Determines whether to request renewal of an existing certificate according to L(Section 5 of RFC 9773,
https://www.rfc-editor.org/rfc/rfc9773.html#section-5).
- This is only used when the certificate specified in O(dest) or O(fullchain_dest) already exists.
- Generally you should use V(when_ari_supported) if you know that the ACME service supports a compatible draft (or final
version, once it is out) of the ARI extension. V(always) should never be necessary. If you are not sure, or if you

15
plugins/modules/acme_certificate_order_create.py
View File

@@ -19,9 +19,9 @@ short_description: Create an ACME v2 order
description:
- Creates an ACME v2 order. This is the first step of obtaining a new certificate
with the L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the
original version of the ACME protocol before standardization.
Authority such as L(Let's Encrypt,https://letsencrypt.org/).
This module does not support ACME v1, the original version of the ACME protocol
before standardization.
- The current implementation supports the V(http-01), V(dns-01) and V(tls-alpn-01)
challenges.
- This module needs to be used in conjunction with the
@@ -60,10 +60,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority.
Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority.
Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555
@@ -111,9 +107,9 @@ options:
replaces_cert_id:
description:
- If provided, will request the order to replace the certificate identified by this certificate ID
according to L(the ACME ARI draft 3, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-5).
according to L(Section 5 of RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-5).
- This certificate ID must be computed as specified in
L(the ACME ARI draft 3, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1).
L(Section 4.1 of RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-4.1).
It is returned as return value RV(community.crypto.acme_certificate_renewal_info#module:cert_id) of the
M(community.crypto.acme_certificate_renewal_info) module.
- ACME servers might refuse to create new orders that indicate to replace a certificate for which
@@ -281,6 +277,7 @@ challenge_data:
challenges:
description:
- Information for different challenge types supported for this identifier.
- Note that the keys are not valid Jinja2 identifiers.
type: dict
contains:
http-01:

9
plugins/modules/acme_certificate_order_finalize.py
View File

@@ -20,9 +20,8 @@ description:
- Finalizes an ACME v2 order and obtains the certificate and certificate chains.
This is the final step of obtaining a new certificate with the
L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the
original version of the ACME protocol before standardization.
Authority such as L(Let's Encrypt,https://letsencrypt.org/).
This module does not support ACME v1, the original version of the ACME protocol before standardization.
- This module needs to be used in conjunction with the
M(community.crypto.acme_certificate_order_create) and.
M(community.crypto.acme_certificate_order_validate) modules.
@@ -37,10 +36,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority.
Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority.
Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555

11
plugins/modules/acme_certificate_order_info.py
View File

@@ -20,9 +20,8 @@ description:
- Obtain information for an ACME v2 order.
This can be used during the process of obtaining a new certificate with the
L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the
original version of the ACME protocol before standardization.
Authority such as L(Let's Encrypt,https://letsencrypt.org/).
This module does not support ACME v1, the original version of the ACME protocol before standardization.
- This module needs to be used in conjunction with the
M(community.crypto.acme_certificate_order_create),
M(community.crypto.acme_certificate_order_validate), and
@@ -141,7 +140,7 @@ order:
- Encoded in the date format defined in L(RFC 3339, https://www.rfc-editor.org/rfc/rfc3339).
type: str
returned: depending on order
notAfter (optional, string):
notAfter:
description:
- The requested value of the C(notAfter) field in the certificate.
- Encoded in the date format defined in L(RFC 3339, https://www.rfc-editor.org/rfc/rfc3339).
@@ -180,10 +179,10 @@ order:
replaces:
description:
- If the order was created to replace an existing certificate using the C(replaces) mechanism from
L(draft-ietf-acme-ari, https://datatracker.ietf.org/doc/draft-ietf-acme-ari/), this provides the
L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html), this provides the
certificate ID of the certificate that will be replaced by this order.
type: str
returned: when the certificate order is replacing a certificate through draft-ietf-acme-ari
returned: when the certificate order is replacing a certificate through RFC 9773
profile:
description:
- If the ACME CA supports profiles through the L(draft-aaron-acme-profiles,

9
plugins/modules/acme_certificate_order_validate.py
View File

@@ -20,9 +20,8 @@ description:
- Validates pending authorizations of an ACME v2 order.
This is the second to last step of obtaining a new certificate with the
L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the
original version of the ACME protocol before standardization.
Authority such as L(Let's Encrypt,https://letsencrypt.org/).
This module does not support ACME v1, the original version of the ACME protocol before standardization.
- This module needs to be used in conjunction with the
M(community.crypto.acme_certificate_order_create) and
M(community.crypto.acme_certificate_order_finalize) modules.
@@ -37,10 +36,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority.
Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority.
Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555

8
plugins/modules/acme_certificate_renewal_info.py
View File

@@ -18,8 +18,8 @@ version_added: 2.20.0
short_description: Determine whether a certificate should be renewed or not
description:
- Uses various information to determine whether a certificate should be renewed or not.
- If available, the ARI extension (ACME Renewal Information, U(https://datatracker.ietf.org/doc/draft-ietf-acme-ari/)) is
used. This module implements version 3 of the ARI draft.".
- If available, the ARI extension (ACME Renewal Information, L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html)) is
used.
extends_documentation_fragment:
- community.crypto.acme.basic
- community.crypto.acme.no_account
@@ -54,7 +54,7 @@ options:
description:
- If ARI information is used, selects which algorithm is used to determine whether to renew now.
- V(standard) selects the L(algorithm provided in the the ARI specification,
https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#name-renewalinfo-objects).
https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2).
- V(start) returns RV(should_renew=true) once the start of the renewal interval has been reached.
type: str
choices:
@@ -157,7 +157,7 @@ supports_ari:
cert_id:
description:
- The certificate ID according to the L(ARI specification, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1).
- The certificate ID according to L(Section 4.1 in RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-4.1).
returned: success, the certificate exists, and has an Authority Key Identifier X.509 extension
type: str
sample: aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE

6
plugins/modules/crypto_info.py
View File

@@ -286,10 +286,8 @@ def add_crypto_information(module):
backend = cryptography.hazmat.backends.default_backend()
for curve_name, constructor_name in CURVES:
ecclass = cryptography.hazmat.primitives.asymmetric.ec.__dict__.get(
constructor_name
)
if ecclass:
ecclass = getattr(cryptography.hazmat.primitives.asymmetric.ec, constructor_name, None)
if ecclass is not None:
try:
cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(
curve=ecclass(), backend=backend

7
plugins/modules/openssh_keypair.py
View File

@@ -164,6 +164,13 @@ EXAMPLES = r"""
path: /tmp/id_ssh_rsa
force: true
- name: Regenerate SSH keypair only if format or options mismatch
community.crypto.openssh_keypair:
path: /home/devops/.ssh/id_ed25519
type: ed25519
regenerate: full_idempotence
private_key_format: ssh
- name: Generate an OpenSSH keypair with a different algorithm (dsa)
community.crypto.openssh_keypair:
path: /tmp/id_ssh_dsa

6
tests/ee/all.yml
View File

@@ -6,11 +6,11 @@
- hosts: localhost
tasks:
- name: Show Python info
debug:
ansible.builtin.debug:
var: ansible_python
- name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: cryptography_version
- name: Register pyOpenSSL version
@@ -19,7 +19,7 @@
register: pyopenssl_version
- name: Determine output directory
set_fact:
ansible.builtin.set_fact:
output_path: "{{ 'output-%0x' % ((2**32) | random) }}"
- name: Find all roles

4
tests/ee/roles/crypto_info/tasks/main.yml
View File

@@ -8,11 +8,11 @@
register: result
- name: Dump result
debug:
ansible.builtin.debug:
var: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.openssl_present
- result.python_cryptography_installed

6
tests/ee/roles/luks_device/tasks/main.yml
View File

@@ -24,13 +24,13 @@
when: false
block:
- name: Create lookback device
command: losetup -f {{ cryptfile_path }}
ansible.builtin.command: losetup -f {{ cryptfile_path }}
- name: Determine loop device name
command: losetup -j {{ cryptfile_path }} --output name
ansible.builtin.command: losetup -j {{ cryptfile_path }} --output name
register: cryptfile_device_output
- set_fact:
- ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
- name: Create LUKS container

4
tests/ee/roles/smoke/tasks/main.yml
View File

@@ -8,7 +8,7 @@
register: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.msg == 'Everything is ok'
@@ -17,6 +17,6 @@
register: result
- name: Validate result
assert:
ansible.builtin.assert:
that:
- result.msg == 'Everything is ok'

46
tests/integration/targets/acme_account/tasks/impl.yml
View File

@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
type: ECC
@@ -14,7 +14,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
return_private_key_data: true
@@ -30,7 +30,7 @@
- name: accountkey5
- name: Do not try to create account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -42,7 +42,7 @@
register: account_not_created
- name: Create it now (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -58,7 +58,7 @@
register: account_created_check
- name: Create it now
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -72,7 +72,7 @@
register: account_created
- name: Create it now (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -86,12 +86,12 @@
register: account_created_idempotent
- name: Read account key
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp
- name: Change email address (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -106,7 +106,7 @@
register: account_modified_check
- name: Change email address
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -119,7 +119,7 @@
register: account_modified
- name: Change email address (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri }}"
@@ -133,7 +133,7 @@
register: account_modified_idempotent
- name: Cannot access account with wrong URI
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
@@ -146,7 +146,7 @@
register: account_modified_wrong_uri
- name: Clear contact email addresses (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -160,7 +160,7 @@
register: account_modified_2_check
- name: Clear contact email addresses
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -172,7 +172,7 @@
register: account_modified_2
- name: Clear contact email addresses (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -184,7 +184,7 @@
register: account_modified_2_idempotent
- name: Change account key (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -200,7 +200,7 @@
register: account_change_key_check
- name: Change account key
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -214,7 +214,7 @@
register: account_change_key
- name: Deactivate account (check mode, diff)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -227,7 +227,7 @@
register: account_deactivate_check
- name: Deactivate account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -238,7 +238,7 @@
register: account_deactivate
- name: Deactivate account (idempotent)
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -249,7 +249,7 @@
register: account_deactivate_idempotent
- name: Do not try to create account II
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -262,7 +262,7 @@
register: account_not_created_2
- name: Do not try to create account III
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -274,7 +274,7 @@
register: account_not_created_3
- name: Create account with External Account Binding
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem"
acme_version: 2
@@ -304,4 +304,4 @@
kid: kid-3
alg: HS512
key: zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W
- debug: var=account_created_eab
- ansible.builtin.debug: var=account_created_eab

12
tests/integration/targets/acme_account/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

38
tests/integration/targets/acme_account/tests/validate.yml
View File

@@ -4,13 +4,13 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't created in the first step
assert:
ansible.builtin.assert:
that:
- account_not_created is failed
- account_not_created.msg == 'Account does not exist or is deactivated.'
- name: Validate that account was created in the second step (check mode)
assert:
ansible.builtin.assert:
that:
- account_created_check is changed
- account_created_check.account_uri is none
@@ -21,19 +21,19 @@
- account_created_check.diff.after.contact[0] in ['mailto:example@example.org', 'mailto:********@********.org']
- name: Validate that account was created in the second step
assert:
ansible.builtin.assert:
that:
- account_created is changed
- account_created.account_uri is not none
- name: Validate that account was created in the second step (idempotency)
assert:
ansible.builtin.assert:
that:
- account_created_idempotent is not changed
- account_created_idempotent.account_uri is not none
- name: Validate that email address was changed (check mode)
assert:
ansible.builtin.assert:
that:
- account_modified_check is changed
- account_modified_check.account_uri is not none
@@ -44,24 +44,24 @@
- account_modified_check.diff.after.contact[0] in ['mailto:example@example.com', 'mailto:********@********.com']
- name: Validate that email address was changed
assert:
ansible.builtin.assert:
that:
- account_modified is changed
- account_modified.account_uri is not none
- name: Validate that email address was not changed a second time (idempotency)
assert:
ansible.builtin.assert:
that:
- account_modified_idempotent is not changed
- account_modified_idempotent.account_uri is not none
- name: Make sure that with the wrong account URI, the account cannot be changed
assert:
ansible.builtin.assert:
that:
- account_modified_wrong_uri is failed
- name: Validate that email address was cleared (check mode)
assert:
ansible.builtin.assert:
that:
- account_modified_2_check is changed
- account_modified_2_check.account_uri is not none
@@ -71,19 +71,19 @@
- account_modified_2_check.diff.after.contact | length == 0
- name: Validate that email address was cleared
assert:
ansible.builtin.assert:
that:
- account_modified_2 is changed
- account_modified_2.account_uri is not none
- name: Validate that email address was not cleared a second time (idempotency)
assert:
ansible.builtin.assert:
that:
- account_modified_2_idempotent is not changed
- account_modified_2_idempotent.account_uri is not none
- name: Validate that the account key was changed (check mode)
assert:
ansible.builtin.assert:
that:
- account_change_key_check is changed
- account_change_key_check.account_uri is not none
@@ -91,13 +91,13 @@
- account_change_key_check.diff.before.public_account_key != account_change_key_check.diff.after.public_account_key
- name: Validate that the account key was changed
assert:
ansible.builtin.assert:
that:
- account_change_key is changed
- account_change_key.account_uri is not none
- name: Validate that the account was deactivated (check mode)
assert:
ansible.builtin.assert:
that:
- account_deactivate_check is changed
- account_deactivate_check.account_uri is not none
@@ -106,13 +106,13 @@
- "account_deactivate_check.diff.after == {}"
- name: Validate that the account was deactivated
assert:
ansible.builtin.assert:
that:
- account_deactivate is changed
- account_deactivate.account_uri is not none
- name: Validate that the account was really deactivated (idempotency)
assert:
ansible.builtin.assert:
that:
- account_deactivate_idempotent is not changed
# The next condition should be true for all conforming ACME servers.
@@ -121,19 +121,19 @@
- account_deactivate_idempotent.account_uri is none
- name: Validate that the account is gone (new account key)
assert:
ansible.builtin.assert:
that:
- account_not_created_2 is failed
- account_not_created_2.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account is gone (old account key)
assert:
ansible.builtin.assert:
that:
- account_not_created_3 is failed
- account_not_created_3.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account with External Account Binding has been created
assert:
ansible.builtin.assert:
that:
- account_created_eab.results[0] is changed
- account_created_eab.results[1] is changed

20
tests/integration/targets/acme_account_info/tasks/impl.yml
View File

@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC
curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true
loop: "{{ account_keys }}"
@@ -24,7 +24,7 @@
- accountkey2
- name: Check that account does not exist
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -33,7 +33,7 @@
register: account_not_created
- name: Create it now
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -46,7 +46,7 @@
- mailto:example@example.org
- name: Check that account exists
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -55,12 +55,12 @@
register: account_created
- name: Read account key
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp
- name: Clear email address
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2
@@ -71,7 +71,7 @@
contact: []
- name: Check that account was modified
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -81,7 +81,7 @@
register: account_modified
- name: Check with wrong account URI
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2
@@ -91,7 +91,7 @@
register: account_not_exist
- name: Check with wrong account key
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
acme_version: 2

12
tests/integration/targets/acme_account_info/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

10
tests/integration/targets/acme_account_info/tests/validate.yml
View File

@@ -4,14 +4,14 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't there
assert:
ansible.builtin.assert:
that:
- not account_not_created.exists
- account_not_created.account_uri is none
- "'account' not in account_not_created"
- name: Validate that account was created
assert:
ansible.builtin.assert:
that:
- account_created.exists
- account_created.account_uri is not none
@@ -22,7 +22,7 @@
- "account_created.account.contact[0] == 'mailto:example@example.org'"
- name: Validate that account email was removed
assert:
ansible.builtin.assert:
that:
- account_modified.exists
- account_modified.account_uri is not none
@@ -32,13 +32,13 @@
- account_modified.account.contact | length == 0
- name: Validate that account does not exist with wrong account URI
assert:
ansible.builtin.assert:
that:
- not account_not_exist.exists
- account_not_exist.account_uri is none
- "'account' not in account_not_exist"
- name: Validate that account cannot be accessed with wrong key
assert:
ansible.builtin.assert:
that:
- account_wrong_key is failed

12
tests/integration/targets/acme_ari_info/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -21,7 +21,7 @@
curve: secp256r1
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for renewal check
certificate_name: cert-1
@@ -39,18 +39,18 @@
account_email: "example@example.org"
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
command:
ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Read certificate
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1
- name: Obtain certificate information
acme_ari_info:
community.crypto.acme_ari_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2

12
tests/integration/targets/acme_ari_info/tasks/main.yml
View File

@@ -14,31 +14,31 @@
block:
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

2
tests/integration/targets/acme_ari_info/tests/validate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate results
assert:
ansible.builtin.assert:
that:
- cert_1 is not changed
- cert_1.renewal_info.explanationURL is not defined or cert_1.renewal_info.explanationURL is string

116
tests/integration/targets/acme_certificate/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -28,7 +28,7 @@
## SET UP ACCOUNTS ############################################################################
- name: Make sure ECC256 account hasn't been created yet
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -36,11 +36,11 @@
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
state: absent
- name: Read account key (EC384)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp
- name: Create ECC384 account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -53,7 +53,7 @@
- mailto:example@example.org
- mailto:example@example.com
- name: Create RSA account
acme_account:
community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -66,7 +66,7 @@
## OBTAIN CERTIFICATES ########################################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1
certificate_name: cert-1
@@ -89,11 +89,11 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 1
set_fact:
ansible.builtin.set_fact:
cert_1_obtain_results: "{{ certificate_obtain_result }}"
cert_1_alternate: "{{ 1 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 2
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 2
certificate_name: cert-2
@@ -122,15 +122,15 @@
issuer: "{{ acme_roots[2].subject }}"
use_csr_content: false
- name: Store obtain results for cert 2
set_fact:
ansible.builtin.set_fact:
cert_2_obtain_results: "{{ certificate_obtain_result }}"
cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Read account key (RSA)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key
- name: Obtain cert 3
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 3
certificate_name: cert-3
@@ -152,11 +152,11 @@
subject: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 3
set_fact:
ansible.builtin.set_fact:
cert_3_obtain_results: "{{ certificate_obtain_result }}"
cert_3_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 4
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 4
certificate_name: cert-4
@@ -181,11 +181,11 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: false
- name: Store obtain results for cert 4
set_fact:
ansible.builtin.set_fact:
cert_4_obtain_results: "{{ certificate_obtain_result }}"
cert_4_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 1/4
certificate_name: cert-5
@@ -202,11 +202,11 @@
account_email: ""
use_csr_content: true
- name: Store obtain results for cert 5a
set_fact:
ansible.builtin.set_fact:
cert_5a_obtain_results: "{{ certificate_obtain_result }}"
cert_5_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5 (should not, since already there and valid for more than 1 days)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 2/4
certificate_name: cert-5
@@ -223,10 +223,10 @@
account_email: ""
use_csr_content: false
- name: Store obtain results for cert 5b
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_1: "{{ challenge_data is changed }}"
- name: Obtain cert 5 (should again by less days)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 3/4
certificate_name: cert-5
@@ -245,15 +245,15 @@
acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}"
acme_certificate_include_renewal_cert_id: when_ari_supported
- name: Store obtain results for cert 5c
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_2: "{{ challenge_data is changed }}"
cert_5c_obtain_results: "{{ certificate_obtain_result }}"
- name: Read account key (EC384)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp_account_key
- name: Obtain cert 5 (should again by force)
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 5, Iteration 4/4
certificate_name: cert-5
@@ -270,12 +270,12 @@
account_email: ""
use_csr_content: false
- name: Store obtain results for cert 5d
set_fact:
ansible.builtin.set_fact:
cert_5_recreate_3: "{{ challenge_data is changed }}"
cert_5d_obtain_results: "{{ certificate_obtain_result }}"
- block:
- name: Obtain cert 6
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 6
certificate_name: cert-6
@@ -303,13 +303,13 @@
issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true
- name: Store obtain results for cert 6
set_fact:
ansible.builtin.set_fact:
cert_6_obtain_results: "{{ certificate_obtain_result }}"
cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_intermediates[0].subject_key_identifier is defined
- block:
- name: Obtain cert 7
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 7
certificate_name: cert-7
@@ -333,13 +333,13 @@
authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}"
use_csr_content: false
- name: Store obtain results for cert 7
set_fact:
ansible.builtin.set_fact:
cert_7_obtain_results: "{{ certificate_obtain_result }}"
cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_roots[2].subject_key_identifier is defined
- block:
- name: Obtain cert 8
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 8
certificate_name: cert-8
@@ -361,7 +361,7 @@
account_email: "example@example.org"
use_csr_content: true
- name: Store obtain results for cert 8
set_fact:
ansible.builtin.set_fact:
cert_8_obtain_results: "{{ certificate_obtain_result }}"
cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: cryptography_version.stdout is version('1.3', '>=')
@@ -369,110 +369,110 @@
## DISSECT CERTIFICATES #######################################################################
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
- name: Verifying cert 1
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ignore_errors: true
register: cert_1_valid
- name: Verifying cert 2
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ignore_errors: true
register: cert_2_valid
- name: Verifying cert 3
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ignore_errors: true
register: cert_3_valid
- name: Verifying cert 4
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ignore_errors: true
register: cert_4_valid
- name: Verifying cert 5
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ignore_errors: true
register: cert_5_valid
- name: Verifying cert 6
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ignore_errors: true
register: cert_6_valid
when: acme_intermediates[0].subject_key_identifier is defined
- name: Verifying cert 7
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ignore_errors: true
register: cert_7_valid
when: acme_roots[2].subject_key_identifier is defined
- name: Verifying cert 8
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ignore_errors: true
register: cert_8_valid
when: cryptography_version.stdout is version('1.3', '>=')
# Dump certificate info
- name: Dumping cert 1
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
register: cert_1_text
- name: Dumping cert 2
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
register: cert_2_text
- name: Dumping cert 3
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
register: cert_3_text
- name: Dumping cert 4
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
register: cert_4_text
- name: Dumping cert 5
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
register: cert_5_text
- name: Dumping cert 6
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
register: cert_6_text
when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
register: cert_7_text
when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
register: cert_8_text
when: cryptography_version.stdout is version('1.3', '>=')
# Dump certificate info
- name: Dumping cert 1
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Dumping cert 2
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-2.pem"
register: cert_2_info
- name: Dumping cert 3
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-3.pem"
register: cert_3_info
- name: Dumping cert 4
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-4.pem"
register: cert_4_info
- name: Dumping cert 5
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-5.pem"
register: cert_5_info
- name: Dumping cert 6
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-6.pem"
register: cert_6_info
when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-7.pem"
register: cert_7_info
when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-8.pem"
register: cert_8_info
when: cryptography_version.stdout is version('1.3', '>=')
## GET ACCOUNT ORDERS #########################################################################
- name: Don't retrieve orders
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -481,7 +481,7 @@
retrieve_orders: ignore
register: account_orders_not
- name: Retrieve orders as URL list (1/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -490,7 +490,7 @@
retrieve_orders: url_list
register: account_orders_urls
- name: Retrieve orders as URL list (2/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2
@@ -499,7 +499,7 @@
retrieve_orders: url_list
register: account_orders_urls2
- name: Retrieve orders as object list (1/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2
@@ -508,7 +508,7 @@
retrieve_orders: object_list
register: account_orders_full
- name: Retrieve orders as object list (2/2)
acme_account_info:
community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2

36
tests/integration/targets/acme_certificate/tasks/main.yml
View File

@@ -10,46 +10,46 @@
- block:
- name: Obtain root and intermediate certificates
get_url:
ansible.builtin.get_url:
url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}"
dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
loop: "{{ query('nested', types, root_numbers) }}"
- name: Analyze root certificates
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem"
loop: "{{ root_numbers }}"
register: acme_roots
- name: Analyze intermediate certificates
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem"
loop: "{{ root_numbers }}"
register: acme_intermediates
- name: Read root certificates
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}"
register: slurp_roots
- set_fact:
- ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_roots.results }}"
register: acme_roots_tmp
- name: Read intermediate certificates
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}"
register: slurp_intermediates
- set_fact:
- ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_intermediates.results }}"
register: acme_intermediates_tmp
- set_fact:
- ansible.builtin.set_fact:
acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}"
acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}"
acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}"
@@ -74,48 +74,48 @@
# - public_key_fingerprints
- name: ACME root certificate info
debug:
ansible.builtin.debug:
var: acme_roots
# - name: ACME root certificates as PEM
# debug:
# ansible.builtin.debug:
# var: acme_root_certs
- name: ACME intermediate certificate info
debug:
ansible.builtin.debug:
var: acme_intermediates
# - name: ACME intermediate certificates as PEM
# debug:
# ansible.builtin.debug:
# var: acme_intermediate_certs
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

62
tests/integration/targets/acme_certificate/tests/validate.yml
View File

@@ -4,15 +4,15 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 is valid
assert:
ansible.builtin.assert:
that:
- cert_1_valid is not failed
- name: Check that certificate 1 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.com' in cert_1_text.stdout"
- name: Read certificate 1 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-1.pem
@@ -20,7 +20,7 @@
- cert-1-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_1_obtain_results"
- "cert_1_obtain_results.all_chains | length > 1"
@@ -32,16 +32,16 @@
- "(slurp.results[2].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain"
- name: Check that certificate 2 is valid
assert:
ansible.builtin.assert:
that:
- cert_2_valid is not failed
- name: Check that certificate 2 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:*.example.com' in cert_2_text.stdout"
- "'DNS:example.com' in cert_2_text.stdout"
- name: Read certificate 2 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-2.pem
@@ -49,7 +49,7 @@
- cert-2-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_2_obtain_results"
- "cert_2_obtain_results.all_chains | length > 1"
@@ -61,17 +61,17 @@
- "(slurp.results[2].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain"
- name: Check that certificate 3 is valid
assert:
ansible.builtin.assert:
that:
- cert_3_valid is not failed
- name: Check that certificate 3 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:*.example.com' in cert_3_text.stdout"
- "'DNS:example.org' in cert_3_text.stdout"
- "'DNS:t1.example.com' in cert_3_text.stdout"
- name: Read certificate 3 files
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}'
loop:
- cert-3.pem
@@ -79,7 +79,7 @@
- cert-3-fullchain.pem
register: slurp
- name: Check that certificate 1 retrieval got all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' in cert_3_obtain_results"
- "cert_3_obtain_results.all_chains | length > 1"
@@ -91,11 +91,11 @@
- "(slurp.results[2].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain"
- name: Check that certificate 4 is valid
assert:
ansible.builtin.assert:
that:
- cert_4_valid is not failed
- name: Check that certificate 4 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.com' in cert_4_text.stdout"
- "'DNS:t1.example.com' in cert_4_text.stdout"
@@ -103,72 +103,72 @@
- "'DNS:example.org' in cert_4_text.stdout"
- "'DNS:TesT.example.org' in cert_4_text.stdout"
- name: Check that certificate 4 retrieval did not get all chains
assert:
ansible.builtin.assert:
that:
- "'all_chains' not in cert_4_obtain_results"
- name: Check that certificate 5 is valid
assert:
ansible.builtin.assert:
that:
- cert_5_valid is not failed
- name: Check that certificate 5 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:t2.example.com' in cert_5_text.stdout"
- name: Check that certificate 5 was not recreated on the first try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_1 == false
- name: Check that certificate 5 was recreated on the second try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_2 == true
- name: Check that certificate 5 was recreated on the third try
assert:
ansible.builtin.assert:
that:
- cert_5_recreate_3 == true
- block:
- name: Check that certificate 6 is valid
assert:
ansible.builtin.assert:
that:
- cert_6_valid is not failed
- name: Check that certificate 6 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'DNS:example.org' in cert_6_text.stdout"
when: acme_intermediates[0].subject_key_identifier is defined
- block:
- name: Check that certificate 7 is valid
assert:
ansible.builtin.assert:
that:
- cert_7_valid is not failed
- name: Check that certificate 7 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: acme_roots[2].subject_key_identifier is defined
- block:
- name: Check that certificate 8 is valid
assert:
ansible.builtin.assert:
that:
- cert_8_valid is not failed
- name: Check that certificate 8 contains correct SANs
assert:
ansible.builtin.assert:
that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: cryptography_version.stdout is version('1.3', '>=')
- name: Validate that orders were not retrieved
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_not"
- "'orders' not in account_orders_not"
- name: Validate that orders were retrieved as list of URLs (1/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_urls"
- "'orders' not in account_orders_urls"
@@ -176,7 +176,7 @@
- "account_orders_urls.order_uris[0] is string"
- name: Validate that orders were retrieved as list of URLs (2/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_urls2"
- "'orders' not in account_orders_urls2"
@@ -184,7 +184,7 @@
- "account_orders_urls2.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (1/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_full"
- "'orders' in account_orders_full"
@@ -193,7 +193,7 @@
- "account_orders_full.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (2/2)
assert:
ansible.builtin.assert:
that:
- "'account' in account_orders_full2"
- "'orders' in account_orders_full2"

36
tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml
View File

@@ -9,24 +9,24 @@
account_email: example@example.org
block:
- name: Generate account key
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
curve: secp256r1
force: true
- name: Create cert private key
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
type: ECC
curve: secp256r1
force: true
- name: Create cert CSR
openssl_csr:
community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.csr"
privatekey_path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
subject_alt_name: "{{ subject_alt_name }}"
- name: Start process of obtaining certificate
acme_certificate:
community.crypto.acme_certificate:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -42,7 +42,7 @@
register: certificate_data
- name: Inspect order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -52,11 +52,11 @@
method: get
register: order_1
- name: Show order
debug:
ansible.builtin.debug:
var: order_1.output_json
- name: Deactivate order (check mode)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -67,7 +67,7 @@
register: deactivate_1
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -77,11 +77,11 @@
method: get
register: order_2
- name: Show order
debug:
ansible.builtin.debug:
var: order_2.output_json
- name: Deactivate order
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -91,7 +91,7 @@
register: deactivate_2
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -101,11 +101,11 @@
method: get
register: order_3
- name: Show order
debug:
ansible.builtin.debug:
var: order_3.output_json
- name: Deactivate order (check mode, idempotent)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -116,7 +116,7 @@
register: deactivate_3
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -126,11 +126,11 @@
method: get
register: order_4
- name: Show order
debug:
ansible.builtin.debug:
var: order_4.output_json
- name: Deactivate order (idempotent)
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -140,7 +140,7 @@
register: deactivate_4
- name: Inspect order again
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -150,5 +150,5 @@
method: get
register: order_5
- name: Show order
debug:
ansible.builtin.debug:
var: order_5.output_json

12
tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

2
tests/integration/targets/acme_certificate_deactivate_authz/tests/validate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Checks
assert:
ansible.builtin.assert:
that:
- order_1.output_json.status == 'pending'
- deactivate_1 is changed

110
tests/integration/targets/acme_certificate_order/tasks/impl.yml
View File

@@ -4,23 +4,23 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate random domain name"
set_fact:
ansible.builtin.set_fact:
domain_name: "host{{ '%0x' % ((2**32) | random) }}.example.com"
- name: "({{ select_crypto_backend }}) Generate account key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/accountkey.pem"
type: ECC
curve: secp256r1
force: true
- name: "({{ select_crypto_backend }}) Parse account keys (to ease debugging some test failures)"
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/accountkey.pem"
return_private_key_data: true
- name: "({{ select_crypto_backend }}) Create ACME account"
acme_account:
community.crypto.acme_account:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -31,14 +31,14 @@
register: account
- name: "({{ select_crypto_backend }}) Generate certificate key"
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/cert.key"
type: ECC
curve: secp256r1
force: true
- name: "({{ select_crypto_backend }}) Generate certificate CSR"
openssl_csr:
community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/cert.csr"
privatekey_path: "{{ remote_tmp_dir }}/cert.key"
subject:
@@ -47,7 +47,7 @@
register: csr
- name: "({{ select_crypto_backend }}) Create certificate order"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -57,11 +57,11 @@
register: order_1
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_1
- name: "({{ select_crypto_backend }}) Check order"
assert:
ansible.builtin.assert:
that:
- order_1 is changed
- order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -81,7 +81,7 @@
- order_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -91,11 +91,11 @@
register: order_info_1
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_1
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_1 is not changed
- order_info_1.authorizations_by_identifier | length == 1
@@ -120,8 +120,8 @@
- order_info_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Create HTTP challenges"
uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT
body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}"
@@ -142,7 +142,7 @@
register: validate_1
- name: "({{ select_crypto_backend }}) Check validation result"
assert:
ansible.builtin.assert:
that:
- validate_1 is changed
- validate_1.account_uri == account.account_uri
@@ -153,7 +153,7 @@
when: ansible_version.full is version('2.12', '<')
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -163,11 +163,11 @@
register: order_info_2
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_2
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_2 is not changed
- order_info_2.authorizations_by_identifier | length == 1
@@ -203,7 +203,7 @@
register: validate_2
- name: "({{ select_crypto_backend }}) Check validation result"
assert:
ansible.builtin.assert:
that:
- validate_2 is not changed
- validate_2.account_uri == account.account_uri
@@ -225,7 +225,7 @@
register: finalize_1
- name: "({{ select_crypto_backend }}) Check finalization result"
assert:
ansible.builtin.assert:
that:
- finalize_1 is changed
- finalize_1.account_uri == account.account_uri
@@ -236,7 +236,7 @@
- finalize_1.selected_chain.full_chain == finalize_1.selected_chain.cert + finalize_1.selected_chain.chain
- name: "({{ select_crypto_backend }}) Read files from disk"
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/{{ item }}.pem"
loop:
- cert
@@ -245,14 +245,14 @@
register: slurp
- name: "({{ select_crypto_backend }}) Compare finalization result with files on disk"
assert:
ansible.builtin.assert:
that:
- finalize_1.selected_chain.cert == slurp.results[0].content | b64decode
- finalize_1.selected_chain.chain == slurp.results[1].content | b64decode
- finalize_1.selected_chain.full_chain == slurp.results[2].content | b64decode
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -262,11 +262,11 @@
register: order_info_3
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_3
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_3 is not changed
- order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -304,7 +304,7 @@
register: finalize_2
- name: "({{ select_crypto_backend }}) Check finalization result"
assert:
ansible.builtin.assert:
that:
- finalize_2 is not changed
- finalize_2.account_uri == account.account_uri
@@ -316,7 +316,7 @@
- finalize_2.selected_chain == finalize_1.selected_chain
- name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -326,11 +326,11 @@
register: order_info_4
- name: "({{ select_crypto_backend }}) Show order information"
debug:
ansible.builtin.debug:
var: order_info_4
- name: "({{ select_crypto_backend }}) Check order information"
assert:
ansible.builtin.assert:
that:
- order_info_4 is not changed
- order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -356,7 +356,7 @@
- when: acme_supports_ari
block:
- name: "({{ select_crypto_backend }}) Get certificate renewal information"
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -366,14 +366,14 @@
register: cert_info
- name: "({{ select_crypto_backend }}) Verify information"
assert:
ansible.builtin.assert:
that:
- cert_info.supports_ari == true
- cert_info.should_renew == false
- cert_info.cert_id is string
- name: "({{ select_crypto_backend }}) Create replacement order 1"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -386,7 +386,7 @@
register: replacement_order_1
- name: "({{ select_crypto_backend }}) Get replacement order 1 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -396,7 +396,7 @@
register: order_info_5
- name: "({{ select_crypto_backend }}) Check replacement order 1"
assert:
ansible.builtin.assert:
that:
- replacement_order_1 is changed
- replacement_order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -417,7 +417,7 @@
- replacement_order_1.order_uri not in [order_1.order_uri]
- name: "({{ select_crypto_backend }}) Check replacement order 1 information"
assert:
ansible.builtin.assert:
that:
- order_info_5 is not changed
- order_info_5.authorizations_by_identifier | length == 1
@@ -446,7 +446,7 @@
- when: false # TODO get Pebble improved
block:
- name: "({{ select_crypto_backend }}) Create replacement order 2 (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -459,7 +459,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 2"
assert:
ansible.builtin.assert:
that:
- replacement_order_2 is failed
- >-
@@ -470,7 +470,7 @@
)
- name: "({{ select_crypto_backend }}) Create replacement order 3 with error handling"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -482,7 +482,7 @@
register: replacement_order_3
- name: "({{ select_crypto_backend }}) Get replacement order 3 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -492,7 +492,7 @@
register: order_info_6
- name: "({{ select_crypto_backend }}) Check replacement order 3"
assert:
ansible.builtin.assert:
that:
- replacement_order_3 is changed
- replacement_order_3.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -515,7 +515,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_3.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 3 information"
assert:
ansible.builtin.assert:
that:
- order_info_6 is not changed
- order_info_6.authorizations_by_identifier | length == 1
@@ -540,7 +540,7 @@
- order_info_6.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 3"
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -551,8 +551,8 @@
# Complete replacement order 1
- name: "({{ select_crypto_backend }}) Create HTTP challenges (replacement order 1)"
uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT
body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}"
@@ -590,7 +590,7 @@
- when: true
block:
- name: "({{ select_crypto_backend }}) Create replacement order 4 (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -603,7 +603,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 4"
assert:
ansible.builtin.assert:
that:
- replacement_order_4 is failed
- replacement_order_4.msg.startswith('Failed to start new order for https://' ~ acme_host)
@@ -611,7 +611,7 @@
' with status 409 Conflict. Error urn:ietf:params:acme:error:malformed: ' in replacement_order_4.msg
- name: "({{ select_crypto_backend }}) Create replacement order 5 with error handling"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -623,7 +623,7 @@
register: replacement_order_5
- name: "({{ select_crypto_backend }}) Get replacement order 5 information"
acme_certificate_order_info:
community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -633,7 +633,7 @@
register: order_info_7
- name: "({{ select_crypto_backend }}) Check replacement order 5"
assert:
ansible.builtin.assert:
that:
- replacement_order_5 is changed
- replacement_order_5.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -656,7 +656,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_5.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 5 information"
assert:
ansible.builtin.assert:
that:
- order_info_7 is not changed
- order_info_7.authorizations_by_identifier | length == 1
@@ -681,7 +681,7 @@
- order_info_7.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 5"
acme_certificate_deactivate_authz:
community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -694,7 +694,7 @@
- when: acme_supports_profiles
block:
- name: "({{ select_crypto_backend }}) Create order with invalid profile (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -707,7 +707,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check invalid profile order"
assert:
ansible.builtin.assert:
that:
- invalid_profile_order is failed
- invalid_profile_order.msg == "The ACME CA does not support selected profile 'does-not-exist'."
@@ -717,7 +717,7 @@
- when: not acme_supports_profiles
block:
- name: "({{ select_crypto_backend }}) Create order with profile when server does not support it (should fail)"
acme_certificate_order_create:
community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -729,7 +729,7 @@
ignore_errors: true
- name: "({{ select_crypto_backend }}) Check profile without server support order"
assert:
ansible.builtin.assert:
that:
- profile_without_server_support is failed
- profile_without_server_support.msg == 'The ACME CA does not support profiles. Please omit the "profile" option.'

8
tests/integration/targets/acme_certificate_order/tasks/main.yml
View File

@@ -10,7 +10,7 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
@@ -18,18 +18,18 @@
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography

34
tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -22,7 +22,7 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for renewal check
certificate_name: cert-1
@@ -41,18 +41,18 @@
## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info
command:
ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information
x509_certificate_info:
community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info
- name: Read certificate
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1
- name: Obtain certificate information (1/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -60,7 +60,7 @@
validate_certs: false
register: cert_1_renewal_1
- name: Obtain certificate information (2/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -70,7 +70,7 @@
remaining_percentage: 0.5
register: cert_1_renewal_2
- name: Obtain certificate information (3/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_content: "{{ slurp_cert_1.content | b64decode }}"
acme_version: 2
@@ -79,7 +79,7 @@
now: +1800d
register: cert_1_renewal_3
- name: Obtain certificate information (4/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -90,7 +90,7 @@
remaining_percentage: 0.1
register: cert_1_renewal_4
- name: Obtain certificate information (5/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -101,7 +101,7 @@
remaining_percentage: 0.01
register: cert_1_renewal_5
- name: Obtain certificate information (6/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -112,7 +112,7 @@
remaining_percentage: 0.03
register: cert_1_renewal_6
- name: Obtain certificate information (7/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2
@@ -121,7 +121,7 @@
now: +1830d
register: cert_1_renewal_7
- name: Obtain certificate information (8/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2
acme_directory: "{{ acme_directory_url }}"
@@ -129,7 +129,7 @@
now: +1830d
register: cert_1_renewal_8
- name: Obtain certificate information (9/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
acme_version: 2
@@ -137,12 +137,12 @@
validate_certs: false
register: cert_1_renewal_9
- name: Create broken file
copy:
ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/cert-is-broken.pem"
content: |
--- THIS IS NOT A CERT ---
- name: Obtain certificate information (10/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: false
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
@@ -152,7 +152,7 @@
register: cert_1_renewal_10
ignore_errors: true
- name: Obtain certificate information (11/11)
acme_certificate_renewal_info:
community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: true
select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"

12
tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
View File

@@ -13,31 +13,31 @@
block:
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

6
tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
View File

@@ -9,7 +9,7 @@
block:
- name: Validate results (generic)
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.should_renew == false
- cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
@@ -64,7 +64,7 @@
when: not acme_supports_ari
- name: Validate results without ARI
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.supports_ari == false
- cert_1_renewal_2.supports_ari == false
@@ -84,7 +84,7 @@
when: not acme_supports_ari
- name: Validate results with ARI
assert:
ansible.builtin.assert:
that:
- cert_1_renewal_1.supports_ari == true
- cert_1_renewal_2.supports_ari == true

18
tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ########################################################################
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}"
@@ -28,11 +28,11 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Read account key (EC256)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec256.pem'
register: slurp_account_key
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 1 for revocation
certificate_name: cert-1
@@ -49,7 +49,7 @@
terms_agreed: true
account_email: "example@example.org"
- name: Obtain cert 2
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 2 for revocation
certificate_name: cert-2
@@ -66,7 +66,7 @@
terms_agreed: true
account_email: "example@example.org"
- name: Obtain cert 3
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 3 for revocation
certificate_name: cert-3
@@ -84,7 +84,7 @@
## REVOKE CERTIFICATES ########################################################################
- name: Revoke certificate 1 via account key
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
certificate: "{{ remote_tmp_dir }}/cert-1.pem"
@@ -94,7 +94,7 @@
ignore_errors: true
register: cert_1_revoke
- name: Revoke certificate 2 via certificate private key
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
private_key_src: "{{ remote_tmp_dir }}/cert-2.key"
private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -105,11 +105,11 @@
ignore_errors: true
register: cert_2_revoke
- name: Read account key (RSA)
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key
- name: Revoke certificate 3 via account key (fullchain)
acme_certificate_revoke:
community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp_account_key.content | b64decode }}"
certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem"

12
tests/integration/targets/acme_certificate_revoke/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

6
tests/integration/targets/acme_certificate_revoke/tests/validate.yml
View File

@@ -4,17 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 was revoked
assert:
ansible.builtin.assert:
that:
- cert_1_revoke is changed
- cert_1_revoke is not failed
- name: Check that certificate 2 was revoked
assert:
ansible.builtin.assert:
that:
- cert_2_revoke is changed
- cert_2_revoke is not failed
- name: Check that certificate 3 was revoked
assert:
ansible.builtin.assert:
that:
- cert_3_revoke is changed
- cert_3_revoke is not failed

4
tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
View File

@@ -10,13 +10,13 @@
- block:
- name: Generate ECC256 account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
curve: secp256r1
force: true
- name: Obtain cert 1
include_tasks: obtain-cert.yml
ansible.builtin.include_tasks: obtain-cert.yml
vars:
select_crypto_backend: auto
certgen_title: Certificate 1

46
tests/integration/targets/acme_inspect/tasks/impl.yml
View File

@@ -5,7 +5,7 @@
- block:
- name: Generate account keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC
curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info:
community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true
loop: "{{ account_keys }}"
@@ -23,32 +23,32 @@
- accountkey
- name: Get directory
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
method: directory-only
select_crypto_backend: "{{ select_crypto_backend }}"
register: directory
- debug: var=directory
- ansible.builtin.debug: var=directory
- name: Create an account
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
url: "{{ directory.directory.newAccount}}"
url: "{{ directory.directory.newAccount }}"
method: post
content: '{"termsOfServiceAgreed":true}'
select_crypto_backend: "{{ select_crypto_backend }}"
register: account_creation
# account_creation.headers.location contains the account URI
# if creation was successful
- debug: var=account_creation
- ansible.builtin.debug: var=account_creation
- name: Get account information
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -58,10 +58,10 @@
method: get
select_crypto_backend: "{{ select_crypto_backend }}"
register: account_get
- debug: var=account_get
- ansible.builtin.debug: var=account_get
- name: Update account contacts
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -78,10 +78,10 @@
contact:
- mailto:me@example.com
register: account_update
- debug: var=account_update
- ansible.builtin.debug: var=account_update
- name: Create certificate order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -102,10 +102,10 @@
- type: dns
value: example.org
register: new_order
- debug: var=new_order
- ansible.builtin.debug: var=new_order
- name: Get order information
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -115,10 +115,10 @@
method: get
select_crypto_backend: "{{ select_crypto_backend }}"
register: order
- debug: var=order
- ansible.builtin.debug: var=order
- name: Get authzs for order
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -129,10 +129,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
loop: "{{ order.output_json.authorizations }}"
register: authz
- debug: var=authz
- ansible.builtin.debug: var=authz
- name: Get HTTP-01 challenge for authz
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -143,10 +143,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: http01challenge
loop: "{{ authz.results | map(attribute='output_json') | list }}"
- debug: var=http01challenge
- ansible.builtin.debug: var=http01challenge
- name: Activate HTTP-01 challenge manually
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -158,10 +158,10 @@
select_crypto_backend: "{{ select_crypto_backend }}"
register: activation
loop: "{{ http01challenge.results | map(attribute='output_json') | list }}"
- debug: var=activation
- ansible.builtin.debug: var=activation
- name: Get HTTP-01 challenge results
acme_inspect:
community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}"
acme_version: 2
validate_certs: false
@@ -175,4 +175,4 @@
until: "validation_result.output_json.status not in ['pending', 'processing']"
retries: 20
delay: 1
- debug: var=validation_result
- ansible.builtin.debug: var=validation_result

12
tests/integration/targets/acme_inspect/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block:
- name: Running tests with OpenSSL backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: absent
- name: Re-create output directory
file:
ansible.builtin.file:
path: "{{ remote_tmp_dir }}"
state: directory
- block:
- name: Running tests with cryptography backend
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
vars:
select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml
- ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=')

20
tests/integration/targets/acme_inspect/tests/validate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check directory output
assert:
ansible.builtin.assert:
that:
- directory is not changed
- "'directory' in directory"
@@ -16,7 +16,7 @@
- "'output_json' not in directory"
- name: Check account creation output
assert:
ansible.builtin.assert:
that:
- account_creation is changed
- "'directory' in account_creation"
@@ -30,7 +30,7 @@
- account_creation.output_text | from_json == account_creation.output_json
- name: Check account get output
assert:
ansible.builtin.assert:
that:
- account_get is not changed
- "'directory' in account_get"
@@ -41,7 +41,7 @@
- account_get.output_json == account_creation.output_json
- name: Check account update output
assert:
ansible.builtin.assert:
that:
- account_update is changed
- "'directory' in account_update"
@@ -53,7 +53,7 @@
- account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com']
- name: Check certificate request output
assert:
ansible.builtin.assert:
that:
- new_order is changed
- "'directory' in new_order"
@@ -66,7 +66,7 @@
- "'finalize' in new_order.output_json"
- name: Check get order output
assert:
ansible.builtin.assert:
that:
- order is not changed
- "'directory' in order"
@@ -77,7 +77,7 @@
# - new_order.output_json == order.output_json
- name: Check get authz output
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"
@@ -90,7 +90,7 @@
loop: "{{ authz.results }}"
- name: Check get challenge output
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"
@@ -104,7 +104,7 @@
loop: "{{ http01challenge.results }}"
- name: Check challenge activation output
assert:
ansible.builtin.assert:
that:
- item is changed
- "'directory' in item"
@@ -118,7 +118,7 @@
loop: "{{ activation.results }}"
- name: Check validation result
assert:
ansible.builtin.assert:
that:
- item is not changed
- "'directory' in item"

4
tests/integration/targets/certificate_complete_chain/tasks/create-single-certificate.yml
View File

@@ -9,14 +9,14 @@
####################################################################
- name: Generate CSR for {{ certificate.name }}
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
subject: '{{ certificate.subject }}'
useCommonNameForSAN: false
- name: Generate certificate for {{ certificate.name }}
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'

8
tests/integration/targets/certificate_complete_chain/tasks/create.yml
View File

@@ -10,25 +10,25 @@
- block:
- name: Create private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
size: '{{ default_rsa_key_size_certificates }}'
loop: '{{ certificates }}'
- name: Generate certificates
include_tasks: create-single-certificate.yml
ansible.builtin.include_tasks: create-single-certificate.yml
loop: '{{ certificates }}'
loop_control:
loop_var: certificate
- name: Read certificates
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
loop: '{{ certificates }}'
register: certificates_read
- name: Store read certificates
set_fact:
ansible.builtin.set_fact:
read_certificates: >-
{{ certificates_read.results | map(attribute='content') | map('b64decode')
| zip(certificates | map(attribute='name'))

10
tests/integration/targets/certificate_complete_chain/tasks/created.yml
View File

@@ -9,7 +9,7 @@
####################################################################
- name: Case A => works
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'
@@ -19,7 +19,7 @@
- name: Case B => doesn't work, but this is expected
failed_when: false
register: caseb
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -27,11 +27,11 @@
- '{{ remote_tmp_dir }}/a-root.pem'
- name: Assert that case B failed
assert:
ansible.builtin.assert:
that: "'Cannot complete chain' in caseb.msg"
- name: Case C => works
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -40,7 +40,7 @@
- '{{ remote_tmp_dir }}/a-root.pem'
- name: Case D => works as well after PR 403
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem'

32
tests/integration/targets/certificate_complete_chain/tasks/existing.yml
View File

@@ -10,13 +10,13 @@
- block:
- name: Find root for cert 1 using directory
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ fullchain | trim }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert1_root
- name: Verify root for cert 1
assert:
ansible.builtin.assert:
that:
- cert1_root.complete_chain | join('') == (fullchain ~ root)
- cert1_root.root == root
@@ -26,7 +26,7 @@
- block:
- name: Find rootchain for cert 1 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -34,7 +34,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert1_rootchain
- name: Verify rootchain for cert 1
assert:
ansible.builtin.assert:
that:
- cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert1_rootchain.chain[:-1] | join('') == chain
@@ -46,13 +46,13 @@
- block:
- name: Find root for cert 2 using directory
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: "{{ fullchain | trim }}"
root_certificates:
- '{{ remote_tmp_dir }}/files/roots/'
register: cert2_root
- name: Verify root for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_root.complete_chain | join('') == (fullchain ~ root)
- cert2_root.root == root
@@ -62,7 +62,7 @@
- block:
- name: Find rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-chain.pem'
@@ -70,7 +70,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain.chain[:-1] | join('') == chain
@@ -82,7 +82,7 @@
- block:
- name: Find alternate rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
@@ -90,7 +90,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain_alt
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain_alt.chain[:-1] | join('') == chain
@@ -102,13 +102,13 @@
- block:
- name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ cert ~ chain ~ root }}'
root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_complete_chain
- name: Verify rootchain for cert 2
assert:
ansible.builtin.assert:
that:
- cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_complete_chain.chain == []
@@ -119,7 +119,7 @@
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"
- name: Check failure when no intermediate certificate can be found
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2.pem", rstrip=true) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -128,13 +128,13 @@
register: cert2_no_intermediate
ignore_errors: true
- name: Verify failure
assert:
ansible.builtin.assert:
that:
- cert2_no_intermediate is failed
- "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"
- name: Check failure when infinite loop is found
certificate_complete_chain:
community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=true) }}'
intermediate_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem'
@@ -143,7 +143,7 @@
register: cert2_infinite_loop
ignore_errors: true
- name: Verify failure
assert:
ansible.builtin.assert:
that:
- cert2_infinite_loop is failed
- "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"

8
tests/integration/targets/certificate_complete_chain/tasks/main.yml
View File

@@ -16,17 +16,17 @@
state: directory
when: ansible_version.string is version('2.10', '<')
- name: Copy test files to testhost
copy:
ansible.builtin.copy:
src: '{{ role_path }}/files/'
dest: '{{ remote_tmp_dir }}/files/'
- name: Run tests with copied certificates
import_tasks: existing.yml
ansible.builtin.import_tasks: existing.yml
- name: Create more certificates
import_tasks: create.yml
ansible.builtin.import_tasks: create.yml
- name: Run tests with created certificates
import_tasks: created.yml
ansible.builtin.import_tasks: created.yml
when: cryptography_version.stdout is version('1.5', '>=')

16
tests/integration/targets/crypto_info/tasks/main.yml
View File

@@ -9,19 +9,19 @@
####################################################################
- name: Retrieve information
crypto_info:
community.crypto.crypto_info:
register: result
- name: Display information
debug:
ansible.builtin.debug:
var: result
- name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: local_cryptography_version
- name: Determine complex version-based capabilities
set_fact:
ansible.builtin.set_fact:
supports_ed25519: >-
{{
local_cryptography_version.stdout is version("2.6", ">=")
@@ -42,7 +42,7 @@
}}
- name: Verify cryptography information
assert:
ansible.builtin.assert:
that:
- result.python_cryptography_installed
- "'python_cryptography_import_error' not in result"
@@ -63,15 +63,15 @@
- result.python_cryptography_capabilities.has_x448 == (local_cryptography_version.stdout is version('2.5', '>='))
- name: Find OpenSSL binary
command: which openssl
ansible.builtin.command: which openssl
register: local_openssl_path
- name: Find OpenSSL version
command: openssl version
ansible.builtin.command: openssl version
register: local_openssl_version_full
- name: Verify OpenSSL information
assert:
ansible.builtin.assert:
that:
- result.openssl_present
- result.openssl.path == local_openssl_path.stdout

32
tests/integration/targets/filter_openssl_csr_info/tasks/impl.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info }}
result_idna: >-
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='unicode') }}
- name: "Check whether subject and extensions behaves as expected"
assert:
ansible.builtin.assert:
that:
- result.subject.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
@@ -40,7 +40,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: "Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -57,17 +57,17 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_2.csr') | community.crypto.openssl_csr_info }}
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_3.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -79,12 +79,12 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: "Get CSR info"
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_4.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier"
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
@@ -92,53 +92,53 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.openssl_csr_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.openssl_csr_info input must be a text type, not ")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_csr_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Unable to load (?:request|PEM file)(?:\.|$)")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_csr_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.openssl_csr_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")

16
tests/integration/targets/filter_openssl_csr_info/tasks/main.yml
View File

@@ -9,23 +9,23 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -94,7 +94,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -103,7 +103,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -121,12 +121,12 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.3', '>=')

24
tests/integration/targets/filter_openssl_privatekey_info/tasks/impl.yml
View File

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_1.pem') | community.crypto.openssl_privatekey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -21,12 +21,12 @@
- "'private_data' not in result"
- name: Get key 2 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_2.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -41,26 +41,26 @@
- "result.private_data.exponent > 5"
- name: Get key 3 info (without passphrase)
set_fact:
ansible.builtin.set_fact:
result_: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
ignore_errors: true
register: result
- name: Check that loading passphrase protected key without passphrase failed
assert:
ansible.builtin.assert:
that:
- result is failed
- >-
'Wrong or empty passphrase provided for private key' in result.msg
- name: Get key 3 info (with passphrase)
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(passphrase='hunter2', return_private_key_data=true) }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -74,12 +74,12 @@
- "result.private_data.exponent > 5"
- name: Get key 4 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_4.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"
@@ -94,12 +94,12 @@
- "result.private_data.multiplier > 1024"
- name: Get key 5 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_5.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'public_key' in result"
- "'public_key_fingerprints' in result"

12
tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml
View File

@@ -9,34 +9,34 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (with password)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
passphrase: hunter2
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 4 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
# ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead
- name: Generate privatekey 5 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_5.pem'
type: DSA
size: 1024
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2.3', '>=')

24
tests/integration/targets/filter_openssl_publickey_info/tasks/impl.yml
View File

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_1.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -19,12 +19,12 @@
- "result.public_data.exponent > 5"
- name: Get key 2 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_2.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -35,12 +35,12 @@
- "result.public_data.exponent > 5"
- name: Get key 3 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_3.pem') | community.crypto.openssl_publickey_info }}
- name: Check that ECC key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -52,12 +52,12 @@
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- name: Get key 4 info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_4.pem') | community.crypto.openssl_publickey_info }}
- name: Check that DSA key info is ok
assert:
ansible.builtin.assert:
that:
- "'fingerprints' in result"
- "'type' in result"
@@ -69,27 +69,27 @@
- "result.public_data.y > 2"
- name: Get invalid key info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.openssl_publickey_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.openssl_publickey_info input must be a text type, not ")
- name: Get invalid key info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.openssl_publickey_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- 'output.msg is search("Error while deserializing key: ")'

12
tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml
View File

@@ -9,17 +9,17 @@
####################################################################
- name: Generate privatekey 1
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA
size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (ECC)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem'
type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
@@ -27,13 +27,13 @@
select_crypto_backend: cryptography
- name: Generate privatekey 4 (DSA)
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: DSA
size: 1024
- name: Generate public keys
openssl_publickey:
community.crypto.openssl_publickey:
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
path: '{{ remote_tmp_dir }}/publickey_{{ item }}.pem'
loop:
@@ -43,5 +43,5 @@
- 4
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2.3', '>=')

12
tests/integration/targets/filter_parse_serial/tasks/main.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test parse_serial filter
assert:
ansible.builtin.assert:
that:
- >-
'0' | community.crypto.parse_serial == 0
@@ -22,35 +22,35 @@
'1:2:3' | community.crypto.parse_serial == 66051
- name: "Test error 1: empty string"
debug:
ansible.builtin.debug:
msg: >-
{{ '' | community.crypto.parse_serial }}
ignore_errors: true
register: error_1
- name: "Test error 2: invalid type"
debug:
ansible.builtin.debug:
msg: >-
{{ [] | community.crypto.parse_serial }}
ignore_errors: true
register: error_2
- name: "Test error 3: invalid values (range)"
debug:
ansible.builtin.debug:
msg: >-
{{ '100' | community.crypto.parse_serial }}
ignore_errors: true
register: error_3
- name: "Test error 4: invalid values (digits)"
debug:
ansible.builtin.debug:
msg: >-
{{ 'abcdefg' | community.crypto.parse_serial }}
ignore_errors: true
register: error_4
- name: Validate errors
assert:
ansible.builtin.assert:
that:
- >-
error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg

6
tests/integration/targets/filter_split_pem/tasks/main.yml
View File

@@ -9,7 +9,7 @@
####################################################################
- name: Run tests that raise no errors
assert:
ansible.builtin.assert:
that:
- >-
'' | community.crypto.split_pem == []
@@ -49,13 +49,13 @@
AAb=
- name: Invalid input
debug:
ansible.builtin.debug:
msg: "{{ [] | community.crypto.split_pem }}"
ignore_errors: true
register: output
- name: Validate error
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.split_pem input must be a text type, not ")

8
tests/integration/targets/filter_to_serial/tasks/main.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Test to_serial filter
assert:
ansible.builtin.assert:
that:
- 0 | community.crypto.to_serial == '00'
- 1 | community.crypto.to_serial == '01'
@@ -13,21 +13,21 @@
- 65536 | community.crypto.to_serial == '01:00:00'
- name: "Test error 1: negative number"
debug:
ansible.builtin.debug:
msg: >-
{{ (-1) | community.crypto.to_serial }}
ignore_errors: true
register: error_1
- name: "Test error 2: invalid type"
debug:
ansible.builtin.debug:
msg: >-
{{ [] | community.crypto.to_serial }}
ignore_errors: true
register: error_2
- name: Validate error
assert:
ansible.builtin.assert:
that:
- >-
error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg

38
tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info }}
result_idna: >-
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info(name_encoding='unicode') }}
- name: Check whether issuer and subject and extensions behave as expected
assert:
ansible.builtin.assert:
that:
- result.issuer.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered"
@@ -72,7 +72,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77"
@@ -89,17 +89,17 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_2.pem') | community.crypto.x509_certificate_info }}
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_3.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer
@@ -111,12 +111,12 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_4.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier
assert:
ansible.builtin.assert:
that:
- result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none
@@ -124,11 +124,11 @@
when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info for packaged cert 1
set_fact:
ansible.builtin.set_fact:
result: >-
{{ lookup('file', role_path ~ '/../x509_certificate_info/files/cert1.pem') | community.crypto.x509_certificate_info }}
- name: Check extensions
assert:
ansible.builtin.assert:
that:
- "'ocsp_uri' in result"
- "result.ocsp_uri == 'http://ocsp.foobarbaz.example.com'"
@@ -165,59 +165,59 @@
- result.extensions_by_oid['2.5.29.37'].critical == false
- result.extensions_by_oid['2.5.29.37'].value == 'MBQGCCsGAQUFBwMBBggrBgEFBQcDAg=='
- name: Check fingerprints
assert:
ansible.builtin.assert:
that:
- (result.fingerprints.sha256 == '08:26:60:3d:29:11:f2:88:09:3f:40:71:bb:67:cb:59:9c:6e:cf:e0:49:22:ab:e8:60:bd:f6:9a:01:e3:0e:2c' if result.fingerprints.sha256 is defined else true)
- (result.fingerprints.sha1 == '5a:32:7f:22:61:f3:2e:ad:a7:d8:77:07:1c:7f:08:cd:ab:7f:bc:11' if result.fingerprints.sha1 is defined else true)
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.x509_certificate_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.x509_certificate_info input must be a text type, not ")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_certificate_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Unable to load (?:certificate|PEM file)(?:\.|$)")
- name: Get invalid certificate info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_certificate_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_certificate_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")

18
tests/integration/targets/filter_x509_certificate_info/tasks/main.yml
View File

@@ -9,24 +9,24 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- name: Generate privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size_certificates }}'
- name: Generate privatekey with password
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2
select_crypto_backend: cryptography
size: '{{ default_rsa_key_size_certificates }}'
- name: Generate CSR 1
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject:
@@ -97,7 +97,7 @@
- "IP:1.2.3.4"
- name: Generate CSR 2
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2
@@ -106,7 +106,7 @@
- "CA:TRUE"
- name: Generate CSR 3
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
@@ -124,14 +124,14 @@
- "IP:1.2.3.4"
- name: Generate CSR 4
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Generate selfsigned certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
@@ -146,5 +146,5 @@
- 4
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.6', '>=')

56
tests/integration/targets/filter_x509_crl_info/tasks/impl.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create CRL 1
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -23,17 +23,17 @@
revocation_date: 20191001000000Z
- name: Retrieve CRL 1 infos
set_fact:
ansible.builtin.set_fact:
crl_1_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | community.crypto.x509_crl_info }}
- name: Retrieve CRL 1 infos
set_fact:
ansible.builtin.set_fact:
crl_1_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | b64encode | community.crypto.x509_crl_info }}
- name: Validate CRL 1 info
assert:
ansible.builtin.assert:
that:
- crl_1_info_1.format == 'pem'
- crl_1_info_1.digest == 'ecdsa-with-SHA256'
@@ -70,7 +70,7 @@
- crl_1_info_1 == crl_1_info_2
- name: Recreate CRL 1 as DER file
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der
@@ -90,7 +90,7 @@
revocation_date: 20191001000000Z
- name: Read ca-crl1.crl
slurp:
ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/ca-crl1.crl"
register: content
@@ -102,19 +102,19 @@
when: ansible_version.string is version('2.11', '>=') or ansible_python.version.major > 2
- name: Retrieve CRL 1 infos from DER (Base64 encoded)
set_fact:
ansible.builtin.set_fact:
crl_1_info_5: >-
{{ content.content | community.crypto.x509_crl_info }}
- name: Validate CRL 1
assert:
ansible.builtin.assert:
that:
- crl_1_info_4 is not defined or crl_1_info_4.format == 'der'
- crl_1_info_5.format == 'der'
- crl_1_info_4 is not defined or crl_1_info_4 == crl_1_info_5
- name: Create CRL 2
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
@@ -135,12 +135,12 @@
register: crl_2_change
- name: Retrieve CRL 2 infos
set_fact:
ansible.builtin.set_fact:
crl_2_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Create CRL 2 (changed order)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered:
@@ -161,12 +161,12 @@
register: crl_2_change_order
- name: Retrieve CRL 2 infos again
set_fact:
ansible.builtin.set_fact:
crl_2_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Validate CRL 2 info
assert:
ansible.builtin.assert:
that:
- "'revoked_certificates' not in crl_2_info_1"
- >
@@ -185,7 +185,7 @@
]
- name: Create CRL 3
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -215,7 +215,7 @@
register: crl_3
- name: Create CRL 3 (IDNA encoding)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -240,7 +240,7 @@
register: crl_3_idna
- name: Create CRL 3 (Unicode encoding)
x509_crl:
community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer:
@@ -265,7 +265,7 @@
register: crl_3_unicode
- name: Retrieve CRL 3 infos
set_fact:
ansible.builtin.set_fact:
crl_3_info: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true) }}
crl_3_info_idna: >-
@@ -274,73 +274,73 @@
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true, name_encoding='unicode') }}
- name: Validate CRL 3 info
assert:
ansible.builtin.assert:
that:
- crl_3.revoked_certificates == crl_3_info.revoked_certificates
- crl_3_idna.revoked_certificates == crl_3_info_idna.revoked_certificates
- crl_3_unicode.revoked_certificates == crl_3_info_unicode.revoked_certificates
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ [] | community.crypto.x509_crl_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The community.crypto.x509_crl_info input must be a text type, not ")
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_crl_info }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("Error while decoding CRL")
- name: Get invalid CRL info
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'foo' | community.crypto.x509_crl_info(name_encoding=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_crl_info(name_encoding='foo') }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")
- name: Get invalid list_revoked_certificates parameter
set_fact:
ansible.builtin.set_fact:
result: >-
{{ 'bar' | community.crypto.x509_crl_info(list_revoked_certificates=[]) }}
ignore_errors: true
register: output
- name: Check that task failed and error message is OK
assert:
ansible.builtin.assert:
that:
- output is failed
- output.msg is search("The list_revoked_certificates option must be a boolean, not ")

16
tests/integration/targets/filter_x509_crl_info/tasks/main.yml
View File

@@ -9,11 +9,11 @@
####################################################################
- name: Make sure the Python idna library is installed
pip:
ansible.builtin.pip:
name: idna
state: present
- set_fact:
- ansible.builtin.set_fact:
certificates:
- name: ca
subject:
@@ -39,14 +39,14 @@
- DNS:b64.ansible.com
- name: Generate private keys
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
type: ECC
curve: secp256r1
loop: "{{ certificates }}"
- name: Generate CSRs
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
subject: "{{ item.subject | default(omit) }}"
@@ -56,7 +56,7 @@
loop: "{{ certificates }}"
- name: Generate CA certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
@@ -65,7 +65,7 @@
when: item.is_ca | default(false)
- name: Generate other certificates
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
provider: ownca
@@ -75,7 +75,7 @@
when: not (item.is_ca | default(false))
- name: Get certificate infos
x509_certificate_info:
community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/{{ item }}.pem'
loop:
- cert-1
@@ -86,6 +86,6 @@
- block:
- name: Running tests
include_tasks: impl.yml
ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2', '>=')

10
tests/integration/targets/get_certificate/tasks/main.yml
View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
skip_tests: false
has_get_certificate_chain: >-
{{ ansible_facts.python_version is version('3.10.0', '>=') }}
@@ -16,14 +16,14 @@
- block:
- name: Get servers certificate with backend auto-detection
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}"
ignore_errors: true
register: result
- set_fact:
- ansible.builtin.set_fact:
skip_tests: |
{{
result is failed and (
@@ -33,7 +33,7 @@
)
}}
- assert:
- ansible.builtin.assert:
that:
- result is success or skip_tests
@@ -41,7 +41,7 @@
- block:
- include_tasks: ../tests/validate.yml
- ansible.builtin.include_tasks: ../tests/validate.yml
vars:
select_crypto_backend: cryptography

52
tests/integration/targets/get_certificate/tests/validate.yml
View File

@@ -4,16 +4,16 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Get servers certificate for SNI test part 1
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
server_name: "{{ sni_host }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -22,16 +22,16 @@
- "'{{ sni_host }}' == result.subject.CN"
- name: Get servers certificate for SNI test part 2
get_certificate:
community.crypto.get_certificate:
host: "{{ sni_host }}"
port: 443
server_name: "{{ httpbin_host }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -40,16 +40,16 @@
- "'{{ httpbin_host }}' == result.subject.CN"
- name: Get servers certificate
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
select_crypto_backend: "{{ select_crypto_backend }}"
asn1_base64: true
register: result
- debug: var=result
- ansible.builtin.debug: var=result
- assert:
- ansible.builtin.assert:
that:
# This module should never change anything
- result is not changed
@@ -58,7 +58,7 @@
- "'North Carolina' == result.subject.ST"
- name: Connect to http port (will fail because there is no SSL cert to get)
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 80
select_crypto_backend: "{{ select_crypto_backend }}"
@@ -66,7 +66,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -78,7 +78,7 @@
or 'record layer failure' in result.msg
- name: Test timeout option
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 1234
timeout: 1
@@ -87,7 +87,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -95,7 +95,7 @@
- "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"
- name: Test failure if ca_cert is not a valid file
get_certificate:
community.crypto.get_certificate:
host: "{{ httpbin_host }}"
port: 443
ca_cert: dn.e
@@ -104,7 +104,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed
@@ -112,12 +112,12 @@
- "'ca_cert file does not exist' == result.msg"
- name: Download CA Cert as pem from server
get_url:
ansible.builtin.get_url:
url: "http://ansible.http.tests/cacert.pem"
dest: "{{ remote_tmp_dir }}/temp.pem"
- name: Get servers certificate comparing it to its own ca_cert file
get_certificate:
community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/temp.pem'
host: "{{ httpbin_host }}"
port: 443
@@ -126,19 +126,19 @@
get_certificate_chain: "{{ has_get_certificate_chain }}"
register: result
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is not failed
- name: Read CA cert
slurp:
ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/temp.pem'
register: cacert
when: has_get_certificate_chain
- name: Validate get_certificate_chain=true results
assert:
ansible.builtin.assert:
that:
- result.verified_chain is sequence
- result.unverified_chain is sequence
@@ -149,20 +149,20 @@
when: has_get_certificate_chain
- name: Validate get_certificate_chain=false results
assert:
ansible.builtin.assert:
that:
- result.verified_chain is undefined
- result.unverified_chain is undefined
when: not has_get_certificate_chain
- name: Generate bogus CA privatekey
openssl_privatekey:
community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/bogus_ca.key'
type: ECC
curve: secp256r1
- name: Generate bogus CA CSR
openssl_csr:
community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
subject:
@@ -173,7 +173,7 @@
basic_constraints_critical: true
- name: Generate selfsigned bogus CA certificate
x509_certificate:
community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/bogus_ca.pem'
csr_path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
@@ -181,7 +181,7 @@
selfsigned_digest: sha256
- name: Get servers certificate comparing it to an invalid ca_cert file
get_certificate:
community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/bogus_ca.pem'
host: "{{ httpbin_host }}"
port: 443
@@ -190,7 +190,7 @@
register: result
ignore_errors: true
- assert:
- ansible.builtin.assert:
that:
- result is not changed
- result is failed

28
tests/integration/targets/luks_device/tasks/main.yml
View File

@@ -9,7 +9,7 @@
####################################################################
- name: Copy keyfiles
copy:
ansible.builtin.copy:
src: '{{ item }}'
dest: '{{ remote_tmp_dir }}/{{ item }}'
loop:
@@ -17,7 +17,7 @@
- keyfile2
- name: Include OS-specific variables
include_vars: '{{ lookup("first_found", search) }}'
ansible.builtin.include_vars: '{{ lookup("first_found", search) }}'
vars:
search:
files:
@@ -30,62 +30,62 @@
- vars
- name: Make sure cryptsetup is installed
package:
ansible.builtin.package:
name: '{{ cryptsetup_package }}'
state: present
become: true
- name: Install additionally required packages
package:
ansible.builtin.package:
name: '{{ luks_extra_packages }}'
state: present
become: true
when: luks_extra_packages | length > 0
- name: Determine cryptsetup version
command: cryptsetup --version
ansible.builtin.command: cryptsetup --version
register: cryptsetup_version
- name: Extract cryptsetup version
set_fact:
ansible.builtin.set_fact:
cryptsetup_version: >-
{{ cryptsetup_version.stdout_lines[0] | regex_search('cryptsetup ([0-9]+\.[0-9]+\.[0-9]+)') | split | last }}
- name: Create cryptfile
command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
ansible.builtin.command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
- name: Figure out next loopback device
command: losetup -f
ansible.builtin.command: losetup -f
become: true
register: cryptfile_device_output
- name: Create lookback device
command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
ansible.builtin.command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
become: true
- name: Store some common data for tests
set_fact:
ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[0] }}"
cryptfile_passphrase1: "uNiJ9vKG2mUOEWDiQVuBHJlfMHE"
cryptfile_passphrase2: "HW4Ak2HtE2vvne0qjJMPTtmbV4M"
cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM"
- block:
- include_tasks: run-test.yml
- ansible.builtin.include_tasks: run-test.yml
with_fileglob:
- "tests/*.yml"
always:
- name: Make sure LUKS device is gone
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
ignore_errors: true
- command: losetup -d "{{ cryptfile_device }}"
- ansible.builtin.command: losetup -d "{{ cryptfile_device }}"
become: true
- file:
- ansible.builtin.file:
dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile"
state: absent

4
tests/integration/targets/luks_device/tasks/run-test.yml
View File

@@ -4,9 +4,9 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Make sure LUKS device is gone
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
- name: "Loading tasks from {{ item }}"
include_tasks: "{{ item }}"
ansible.builtin.include_tasks: "{{ item }}"

54
tests/integration/targets/luks_device/tasks/tests/create-destroy.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -14,7 +14,7 @@
become: true
register: create_check
- name: Create
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -23,7 +23,7 @@
become: true
register: create
- name: Create (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -32,7 +32,7 @@
become: true
register: create_idem
- name: Create (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -41,7 +41,7 @@
check_mode: true
become: true
register: create_idem_check
- assert:
- ansible.builtin.assert:
that:
- create_check is changed
- create is changed
@@ -49,7 +49,7 @@
- create_idem_check is not changed
- name: Open (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -57,28 +57,28 @@
become: true
register: open_check
- name: Open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
register: open
- name: Open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
register: open_idem
- name: Open (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
check_mode: true
become: true
register: open_idem_check
- assert:
- ansible.builtin.assert:
that:
- open_check is changed
- open is changed
@@ -86,32 +86,32 @@
- open_idem_check is not changed
- name: Closed (via name, check)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
check_mode: true
become: true
register: close_check
- name: Closed (via name)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
become: true
register: close
- name: Closed (via name, idempotent)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
become: true
register: close_idem
- name: Closed (via name, idempotent, check)
luks_device:
community.crypto.luks_device:
name: "{{ open.name }}"
state: closed
check_mode: true
become: true
register: close_idem_check
- assert:
- ansible.builtin.assert:
that:
- close_check is changed
- close is changed
@@ -119,39 +119,39 @@
- close_idem_check is not changed
- name: Re-open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
- name: Closed (via device, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
check_mode: true
become: true
register: close_check
- name: Closed (via device)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
register: close
- name: Closed (via device, idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
register: close_idem
- name: Closed (via device, idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
check_mode: true
become: true
register: close_idem_check
- assert:
- ansible.builtin.assert:
that:
- close_check is changed
- close is changed
@@ -159,39 +159,39 @@
- close_idem_check is not changed
- name: Re-opened
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
- name: Absent (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
check_mode: true
become: true
register: absent_check
- name: Absent
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
register: absent
- name: Absent (idempotence)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
become: true
register: absent_idem
- name: Absent (idempotence, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: absent
check_mode: true
become: true
register: absent_idem_check
- assert:
- ansible.builtin.assert:
that:
- absent_check is changed
- absent is changed

16
tests/integration/targets/luks_device/tasks/tests/cryptname.yml
View File

@@ -4,11 +4,11 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Fix name
set_fact:
ansible.builtin.set_fact:
cryptname: "crypt{{ '%0x' % ((2**32) | random) }}"
- name: Create
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: present
@@ -18,7 +18,7 @@
become: true
register: create
- name: Open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: opened
@@ -26,7 +26,7 @@
become: true
register: open
- name: Open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: opened
@@ -34,25 +34,25 @@
become: true
register: open_idem
- name: Closed (via name)
luks_device:
community.crypto.luks_device:
name: "{{ cryptname }}"
state: closed
become: true
register: close
- name: Closed (via name, idempotent)
luks_device:
community.crypto.luks_device:
name: "{{ cryptname }}"
state: closed
become: true
register: close_idem
- name: Absent
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
name: "{{ cryptname }}"
state: absent
become: true
register: absent
- assert:
- ansible.builtin.assert:
that:
- create is changed
- open is changed

12
tests/integration/targets/luks_device/tasks/tests/device-check.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with invalid device name (check)
luks_device:
community.crypto.luks_device:
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_check
- name: Create with invalid device name
luks_device:
community.crypto.luks_device:
device: /dev/asdfasdfasdf
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -24,7 +24,7 @@
ignore_errors: true
become: true
register: create
- assert:
- ansible.builtin.assert:
that:
- create_check is failed
- create is failed
@@ -32,7 +32,7 @@
- "'o such file or directory' in create.msg"
- name: Create with something which is not a device (check)
luks_device:
community.crypto.luks_device:
device: /tmp/
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -43,7 +43,7 @@
become: true
register: create_check
- name: Create with something which is not a device
luks_device:
community.crypto.luks_device:
device: /tmp/
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
ignore_errors: true
become: true
register: create
- assert:
- ansible.builtin.assert:
that:
- create_check is failed
- create is failed

60
tests/integration/targets/luks_device/tasks/tests/key-management.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,36 +15,36 @@
# Access: keyfile1
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -55,7 +55,7 @@
register: result_1
- name: Give access to keyfile2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -63,7 +63,7 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
@@ -71,28 +71,28 @@
# Access: keyfile1 and keyfile2
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
- name: Remove access from keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -101,7 +101,7 @@
register: result_1
- name: Remove access from keyfile1 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -109,7 +109,7 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
@@ -117,40 +117,40 @@
# Access: keyfile2
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
- name: Remove access from keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -158,7 +158,7 @@
become: true
ignore_errors: true
register: remove_last_key
- assert:
- ansible.builtin.assert:
that:
- remove_last_key is failed
- "'force_remove_last_key' in remove_last_key.msg"
@@ -166,24 +166,24 @@
# Access: keyfile2
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Remove access from keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -194,13 +194,13 @@
# Access: none
- name: Try to open with keyfile2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed

26
tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -21,7 +21,7 @@
register: create_passphrase_1
- name: Create with keyfile3 (without argon2i)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -32,7 +32,7 @@
when: create_passphrase_1 is failed
- name: Open with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ keyfile3 }}"
@@ -40,29 +40,29 @@
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ keyfile3 }}"
@@ -73,7 +73,7 @@
become: true
- name: Remove access for keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ keyfile3 }}"
@@ -81,25 +81,25 @@
become: true
- name: Try to open with keyfile3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ keyfile3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed

50
tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create luks with keyslot 4 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_luks_slot4_check
- name: Create luks with keyslot 4
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -25,7 +25,7 @@
become: true
register: create_luks_slot4
- name: Create luks with keyslot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -35,7 +35,7 @@
become: true
register: create_luks_slot4_idem
- name: Create luks with keyslot 4 (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -46,10 +46,10 @@
become: true
register: create_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4
- assert:
- ansible.builtin.assert:
that:
- create_luks_slot4_check is changed
- create_luks_slot4 is changed
@@ -58,7 +58,7 @@
- "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
- name: Add key in slot 2 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -70,7 +70,7 @@
become: true
register: add_luks_slot2_check
- name: Add key in slot 2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -81,7 +81,7 @@
become: true
register: add_luks_slot2
- name: Add key in slot 2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -92,7 +92,7 @@
become: true
register: add_luks_slot2_idem
- name: Add key in slot 2 (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -104,10 +104,10 @@
become: true
register: add_luks_slot2_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot2
- assert:
- ansible.builtin.assert:
that:
- add_luks_slot2_check is changed
- add_luks_slot2 is changed
@@ -116,27 +116,27 @@
- "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
- name: Check remove slot 4 without key
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
ignore_errors: true
become: true
register: kill_slot4_nokey
- name: Check remove slot 4 with slot 4 key
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
keyfile: "{{ remote_tmp_dir }}/keyfile1"
ignore_errors: true
become: true
register: kill_slot4_key_slot4
- assert:
- ansible.builtin.assert:
that:
- kill_slot4_nokey is failed
- kill_slot4_key_slot4 is failed
- name: Remove key in slot 4 (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
@@ -144,21 +144,21 @@
become: true
register: kill_luks_slot4_check
- name: Remove key in slot 4
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4
- name: Remove key in slot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4_idem
- name: Remove key in slot 4 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
@@ -166,10 +166,10 @@
become: true
register: kill_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4_removed
- assert:
- ansible.builtin.assert:
that:
- kill_luks_slot4_check is changed
- kill_luks_slot4 is changed
@@ -178,7 +178,7 @@
- "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
- name: Add key in slot 0
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -189,17 +189,17 @@
become: true
register: add_luks_slot0
- name: Remove key in slot 0
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 0
become: true
register: kill_luks_slot0
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot0_removed
- assert:
- ansible.builtin.assert:
that:
- add_luks_slot0 is changed
- kill_luks_slot0 is changed

8
tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create new luks
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -12,7 +12,7 @@
iteration_time: 0.1
become: true
- name: Add new keyslot with same keyfile (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
new_keyslot: 1
@@ -23,7 +23,7 @@
check_mode: true
register: keyslot_duplicate_check
- name: Add new keyslot with same keyfile
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
new_keyslot: 1
@@ -32,7 +32,7 @@
become: true
ignore_errors: true
register: keyslot_duplicate
- assert:
- ansible.builtin.assert:
that:
- keyslot_duplicate_check is failed
- "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg"

16
tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check invalid slot (luks1, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks1
@@ -16,7 +16,7 @@
become: true
register: create_luks1_slot8
- name: Check invalid slot (luks2, 32)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
@@ -28,7 +28,7 @@
become: true
register: create_luks2_slot32
- name: Check invalid slot (no luks type, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -38,14 +38,14 @@
ignore_errors: true
become: true
register: create_luks_slot8
- assert:
- ansible.builtin.assert:
that:
- create_luks1_slot8 is failed
- create_luks2_slot32 is failed
- create_luks_slot8 is failed
- name: Check valid slot (luks2, 8)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
@@ -57,12 +57,12 @@
ignore_errors: true
register: create_luks2_slot8
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
ansible.builtin.assert:
that:
- "'Unknown option --type' in create_luks2_slot8.msg"
when: create_luks2_slot8 is failed
- name: Check add valid slot (no luks type, 10)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -73,7 +73,7 @@
become: true
register: create_luks_slot10
when: create_luks2_slot8 is changed
- assert:
- ansible.builtin.assert:
that:
- create_luks_slot10 is changed
when: create_luks2_slot8 is changed

10
tests/integration/targets/luks_device/tasks/tests/options.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keysize
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true
register: create_with_keysize
- name: Create with keysize (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -26,7 +26,7 @@
become: true
register: create_idem_with_keysize
- name: Create with different keysize (idempotent since we do not update keysize)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true
register: create_idem_with_diff_keysize
- name: Create with ambiguous arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -49,7 +49,7 @@
become: true
register: create_with_ambiguous
- assert:
- ansible.builtin.assert:
that:
- create_with_keysize is changed
- create_idem_with_keysize is not changed

70
tests/integration/targets/luks_device/tasks/tests/passphrase.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -20,13 +20,13 @@
register: create_passphrase_1
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
ansible.builtin.assert:
that:
- "'Unknown option --type' in create_passphrase_1.msg"
when: create_passphrase_1 is failed
- name: Create with passphrase1 (without argon2i)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -36,7 +36,7 @@
when: create_passphrase_1 is failed
- name: Open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
# Encode passphrase with Base64 to test passphrase_encoding
@@ -45,17 +45,17 @@
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Give access with ambiguous new_ arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -66,24 +66,24 @@
become: true
ignore_errors: true
register: new_try
- assert:
- ansible.builtin.assert:
that:
- new_try is failed
- name: Try to open with passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase2 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -94,7 +94,7 @@
register: result_1
- name: Give access to passphrase2 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -102,42 +102,42 @@
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
- name: Open with passphrase2
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase2 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Try to open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to keyfile1 from passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
passphrase: "{{ cryptfile_passphrase1 }}"
@@ -147,7 +147,7 @@
become: true
- name: Remove access with ambiguous remove_ arguments
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -155,29 +155,29 @@
become: true
ignore_errors: true
register: remove_try
- assert:
- ansible.builtin.assert:
that:
- remove_try is failed
- name: Open with keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true
- name: Remove access for passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}"
@@ -185,44 +185,44 @@
register: result_1
- name: Remove access for passphrase1 (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}"
become: true
register: result_2
- assert:
- ansible.builtin.assert:
that:
- result_1 is changed
- result_2 is not changed
- name: Try to open with passphrase1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase1 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Try to open with passphrase3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is failed
- name: Give access to passphrase3 from keyfile1
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -232,18 +232,18 @@
become: true
- name: Open with passphrase3
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
passphrase: "{{ cryptfile_passphrase3 }}"
become: true
ignore_errors: true
register: open_try
- assert:
- ansible.builtin.assert:
that:
- open_try is not failed
- name: Close
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: closed
become: true

20
tests/integration/targets/luks_device/tasks/tests/performance.yml
View File

@@ -6,7 +6,7 @@
- name: On kernel >= 5.9 use performance flags
block:
- name: Create and open (check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -22,7 +22,7 @@
become: true
register: create_open_check
- name: Create and open
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true
register: create_open
- name: Create and open (idempotent)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
become: true
register: create_open_idem
- name: Create and open (idempotent, check)
luks_device:
community.crypto.luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -67,7 +67,7 @@
check_mode: true
become: true
register: create_open_idem_check
- assert:
- ansible.builtin.assert:
that:
- create_open_check is changed
- create_open is changed
@@ -75,10 +75,10 @@
- create_open_idem_check is not changed
- name: Dump LUKS Header
command: "cryptsetup luksDump {{ cryptfile_device }}"
ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header
- assert:
- ansible.builtin.assert:
that:
- "'no-read-workqueue' in luks_header.stdout"
- "'no-write-workqueue' in luks_header.stdout"
@@ -87,10 +87,10 @@
- "'allow-discards' in luks_header.stdout"
- name: Dump device mapper table
command: "dmsetup table {{ create_open.name }}"
ansible.builtin.command: "dmsetup table {{ create_open.name }}"
become: true
register: dm_table
- assert:
- ansible.builtin.assert:
that:
- "'no_read_workqueue' in dm_table.stdout"
- "'no_write_workqueue' in dm_table.stdout"
@@ -99,7 +99,7 @@
- "'allow_discards' in dm_table.stdout"
- name: Closed and Removed
luks_device:
community.crypto.luks_device:
name: "{{ cryptfile_device }}"
state: absent
become: true

18
tests/integration/targets/openssh_cert/tasks/main.yml
View File

@@ -9,39 +9,39 @@
####################################################################
- name: Declare global variables
set_fact:
ansible.builtin.set_fact:
signing_key: '{{ remote_tmp_dir }}/id_key'
public_key: '{{ remote_tmp_dir }}/id_key.pub'
certificate_path: '{{ remote_tmp_dir }}/id_cert'
- name: Generate keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ signing_key }}"
type: rsa
size: 1024
- block:
- name: Import idempotency tests
import_tasks: ../tests/idempotency.yml
ansible.builtin.import_tasks: ../tests/idempotency.yml
- name: Import key_idempotency tests
import_tasks: ../tests/key_idempotency.yml
ansible.builtin.import_tasks: ../tests/key_idempotency.yml
- name: Import options tests
import_tasks: ../tests/options_idempotency.yml
ansible.builtin.import_tasks: ../tests/options_idempotency.yml
- name: Import regenerate tests
import_tasks: ../tests/regenerate.yml
ansible.builtin.import_tasks: ../tests/regenerate.yml
- name: Import remove tests
import_tasks: ../tests/remove.yml
ansible.builtin.import_tasks: ../tests/remove.yml
when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6")
- name: Import ssh-agent tests
import_tasks: ../tests/ssh-agent.yml
ansible.builtin.import_tasks: ../tests/ssh-agent.yml
when: openssh_version is version("7.6",">=")
- name: Remove keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ signing_key }}"
state: absent

8
tests/integration/targets/openssh_cert/tests/idempotency.yml
View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
test_cases:
- test_name: Generate cert - force option (check_mode)
force: true
@@ -253,7 +253,7 @@
changed: true
- name: Execute idempotency tests
openssh_cert:
community.crypto.openssh_cert:
force: "{{ test_case.force | default(omit) }}"
identifier: "{{ test_case.identifier | default(omit) }}"
options: "{{ test_case.options | default(omit) }}"
@@ -275,7 +275,7 @@
loop_var: test_case
- name: Assert task statuses
assert:
ansible.builtin.assert:
that:
- result.changed == test_cases[index].changed
loop: "{{ idempotency_test_output.results }}"
@@ -284,6 +284,6 @@
loop_var: result
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent

38
tests/integration/targets/openssh_cert/tests/key_idempotency.yml
View File

@@ -8,16 +8,16 @@
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
- ansible.builtin.set_fact:
new_signing_key: "{{ remote_tmp_dir }}/new_key"
new_public_key: "{{ remote_tmp_dir }}/new_key.pub"
- name: Generate new test key
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ new_signing_key }}"
- name: Generate cert with original keys
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -27,7 +27,7 @@
- block:
- name: Generate cert with updated signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -38,12 +38,12 @@
register: updated_signature_algorithm
- name: Assert signature algorithm update causes change
assert:
ansible.builtin.assert:
that:
- updated_signature_algorithm is changed
- name: Generate cert with updated signature algorithm (idempotent)
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -54,13 +54,13 @@
register: updated_signature_algorithm_idempotent
- name: Assert signature algorithm update is idempotent
assert:
ansible.builtin.assert:
that:
- updated_signature_algorithm_idempotent is not changed
- block:
- name: Generate cert with original signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -71,7 +71,7 @@
register: second_signature_algorithm
- name: Assert second signature algorithm update causes change
assert:
ansible.builtin.assert:
that:
- second_signature_algorithm is changed
# RHEL9, Fedora 41 and Rocky 9 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error.
@@ -81,7 +81,7 @@
- not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41)
- name: Omit signature algorithm
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -91,12 +91,12 @@
register: omitted_signature_algorithm
- name: Assert omitted_signature_algorithm does not cause change
assert:
ansible.builtin.assert:
that:
- omitted_signature_algorithm is not changed
- name: Revert to original certificate
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -107,7 +107,7 @@
when: openssh_version is version("7.3", ">=")
- name: Generate cert with new signing key
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: new_signing_key_output
- name: Generate cert with new public key
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}"
@@ -127,7 +127,7 @@
register: new_public_key_output
- name: Generate cert with new signing key - full idempotency
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -138,7 +138,7 @@
register: new_signing_key_full_idempotency_output
- name: Generate cert with new pubic key - full idempotency
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}"
@@ -149,7 +149,7 @@
register: new_public_key_full_idempotency_output
- name: Assert changes to public key or signing key results in no change unless idempotency=full
assert:
ansible.builtin.assert:
that:
- new_signing_key_output is not changed
- new_public_key_output is not changed
@@ -157,11 +157,11 @@
- new_public_key_full_idempotency_output is changed
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent
- name: Remove new keypair
openssh_keypair:
community.crypto.openssh_keypair:
path: "{{ new_signing_key }}"
state: absent

28
tests/integration/targets/openssh_cert/tests/options_idempotency.yml
View File

@@ -9,7 +9,7 @@
####################################################################
- name: Generate cert with no options
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -22,7 +22,7 @@
register: no_options
- name: Generate cert with no options with explicit directives
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -39,7 +39,7 @@
register: no_options_explicit_directives
- name: Generate cert with explicit extension
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -53,7 +53,7 @@
register: explicit_extension_before
- name: Generate cert with explicit extension (idempotency)
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -67,7 +67,7 @@
register: explicit_extension_after
- name: Generate cert with explicit extension and corresponding directive
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -81,7 +81,7 @@
register: explicit_extension_and_directive
- name: Generate cert with default options
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -92,7 +92,7 @@
register: default_options
- name: Generate cert with relative timestamp
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -104,7 +104,7 @@
register: relative_timestamp
- name: Generate cert with ignore_timestamp true
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: relative_timestamp_true
- name: Generate cert with ignore_timestamp false
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -130,7 +130,7 @@
register: relative_timestamp_false
- name: Generate cert with ignore_timestamp true
openssh_cert:
community.crypto.openssh_cert:
type: user
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -143,7 +143,7 @@
register: relative_timestamp_invalid_at
- name: Generate host cert full_idempotence
openssh_cert:
community.crypto.openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -153,7 +153,7 @@
regenerate: full_idempotence
- name: Generate host cert full_idempotence again
openssh_cert:
community.crypto.openssh_cert:
type: host
path: "{{ certificate_path }}"
public_key: "{{ public_key }}"
@@ -164,7 +164,7 @@
register: host_cert_full_idempotence
- name: Assert options results
assert:
ansible.builtin.assert:
that:
- no_options is changed
- no_options_explicit_directives is not changed
@@ -179,6 +179,6 @@
- host_cert_full_idempotence is not changed
- name: Remove certificate
openssh_cert:
community.crypto.openssh_cert:
path: "{{ certificate_path }}"
state: absent

Some files were not shown because too many files have changed in this diff Show More